If you are not familiar with Linode, they are a provider of VPS (Virtual Private Servers), which is basically a semi-private version of shared hosting. You generally don’t share the box with hundreds of other people, and even when you do you are guaranteed a certain share of the resources (CPU, RAM, etc.), and the host hardware itself is very powerful. You are in your own little private ecosystem: you and only you have access to your machine (or slice of a machine, rather). You will not experience the same horrible load times and transfer rates that you would get at companies like Go Daddy and Dreamhost (shudder). The only downside is that you do not get a cPanel or Plesk panel (you can install one if you wish, but I do not use them and will not go into that here), so you have to install and manage everything yourself. It’s not as hard as you might think if you can get used to searching Google and reading a lot of tutorials.
The command line can be a tricky beast for beginners; this blog aims to ease some of that pain by sharing the procedure I usually follow when setting up a web server. Please be advised that with every new version of Ubuntu the steps can vary a bit as packages are upgraded or removed from the repositories.
This guide focuses on configuring the latest and greatest (at the time of this article) version of Ubuntu on a freshly provisioned Linode server. The exact system specs do not matter that much, you can use the lowest 1G plan if you like, the steps will be the same. I’m using the 2G plan that costs $20 a month. You can check out Linode’s prices and decide for yourself.
Provision your Linode
This is the easiest step thanks to Linode’s user friendly UI. Simply add a new Linode, select your desired size from the options presented. You can always increase the size at a later date so feel free to select the smallest size you are comfortable with. On the dashboard for the newly created Linode you will need to find the link “Deploy a Linux Distribution”. Select the latest version of Ubuntu which is at the time of this article “Ubuntu 14.04 LTS”. Type a root password in the input box and hit the Deploy button. Wait for the tasks in the job queue to all show success and then click the “boot” button to fire your machine up.
The first stage is finished, congratulations! Now for the real fun stuff!
Connect to your server
Open up a terminal so you can connect to your newly created Linode server. If you are on Linux or a Mac this should be pretty self explanatory, but on Windows you have to install a third-party program called PuTTY, which gives you a GUI to type the IP address and user into. You can get your IP address from the Linode Manager: click “Linodes” on the top menu and it should list your Linodes with the IP address visible. It is also shown on the “Remote Access” tab of your Linode’s Dashboard. The first time you connect, ssh shows you the server’s host key fingerprint and asks you to accept it; if you want to be sure you are talking to your own box, compare it against the output of ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub run from the Lish console in the Linode Manager.
You will then be prompted to provide the root password that you specified when you provisioned the Linode. This will log you into the server and drop you at the command line.
Basic Ubuntu Setup
The following stuff is some pretty basic Ubuntu configuration you should make before doing anything else.
Set the hostname
This can be anything; generally I just use the short form of the full domain (i.e. mydomain.com becomes mydomain).
echo "mydomain" > /etc/hostname
hostname -F /etc/hostname
You can verify it was set correctly by running hostname with no arguments; it should print the name you just set.
Set the fully qualified domain name
Now you can set the FQDN by making sure /etc/hosts contains the localhost entry below, followed by a line mapping your Linode’s public IP address to the fully qualified domain name and then the short hostname you set above (e.g. the IP, then mydomain.com, then mydomain).
127.0.0.1 localhost.localdomain localhost
Set the time
Set the timezone (on Ubuntu 14.04 this is done with dpkg-reconfigure tzdata) and verify that it’s correct by running date.
Now is a good time to install all the latest system updates (apt-get update followed by apt-get upgrade), since the image you just deployed only has the fixes that were available when it was built.
I generally lower the swappiness so the kernel only swaps when it really has to. You can do this pretty simply like this (on the 3.13 kernel in 14.04 a value of 0 means the kernel will not swap out anonymous memory until free memory is nearly exhausted; 10 is a less extreme value if you would rather keep a little cushion):
sudo swapoff -a
echo 0 | sudo tee /proc/sys/vm/swappiness
sudo swapon -a
Now we need to add a line to sysctl.conf so the setting survives a reboot. Edit /etc/sysctl.conf and add the vm.swappiness setting, with the same value you just wrote to /proc/sys/vm/swappiness, at the bottom. You can check the value the kernel is actually using at any time with sysctl vm.swappiness.
Here are some basic steps you can take to improve the security of your server a bit.
Create new user
You should not be working as root on a regular basis, so create a new user (with adduser) that you will use from now on.
Then put that user into the sudo group so it can execute commands as root (replace username with the account you just created):
usermod -a -G sudo username
Now test the new account before going any further: open a second terminal and log in with it, and keep the root session open until sudo works there, because the next step is to disable logging in as root.
Disable root login
If you can log in successfully as the new user and run a command with sudo, we are good to go for the next stage: disabling root login over SSH.
sudo nano /etc/ssh/sshd_config
Look for the line that says “PermitRootLogin” and change it to “no”. If you also set up key-based login for your new user (a public key in its ~/.ssh/authorized_keys), you can set “PasswordAuthentication” to “no” in the same file, which takes password guessing off the table entirely; only do that once a key login has been tested, or you will lock yourself out.
NOTE You can also change the SSH port in sshd_config if you desire; just change “Port” to whatever you like (the default is 22). This mostly cuts down the log noise from automated scanners rather than adding real security, and you must allow the new port in the firewall before you enable it (see below), or you will cut off your own access.
Save the file, check it with sudo sshd -t (it prints nothing when the configuration is valid) and restart sshd:
sudo service ssh restart
If you changed your port, from now on you have to pass it to ssh with the -p option (scp uses a capital -P). Either way, test a fresh login with the new user before you close the session you made the change from.
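The edits above are easy to get wrong by hand: a second PermitRootLogin line further down, a forgotten commented-out copy, or an option appended after a Match block (where it only applies to that match) all silently do nothing, because sshd takes the first occurrence of an option. The script below is an added example, not part of the original post: it rewrites each option in place, keeps a backup, checks the result with sshd -t and only then restarts the service. The port number, the PasswordAuthentication line and the file layout in the test are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: edit sshd_config options in
# place without leaving duplicate or commented-out copies behind, then check
# the result before restarting. Port value and paths are assumptions.
set -e

# set_sshd_option <file> <Option> <value>
# Replaces the first active or commented ("#Option ...") line for Option and
# drops any later copies (including ones inside Match blocks, so review the
# result). If the option is absent it is inserted before the first Match
# block, or appended when there is none, so it stays in global scope.
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "[ \t]") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        /^[ \t]*Match[ \t]/ && !done { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden <file> <ssh_port>: the changes described in the post.
harden() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" Port "$2"
    # Enable this only after a key login as your new user has been tested,
    # otherwise it locks you out:
    # set_sshd_option "$1" PasswordAuthentication no
}

# Usage (as root):  SSH_PORT=2222 ./sshd-harden.sh apply
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak"      # restore this over Lish if the new config locks you out
    harden "$cfg" "${SSH_PORT:-22}"
    sshd -t                   # prints nothing and exits 0 when the config parses
    service ssh restart       # then open a NEW login before closing this session
fi
```

The awk pattern treats a leading “#” as part of the option line, which is why the commented default `#PasswordAuthentication yes` in the stock file is turned into an active `PasswordAuthentication no` rather than being left beside a second copy.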
Enabling a firewall is a crucial part of any secure server. You can write iptables rules directly or use ufw, which is a front end for iptables. I have recently started using ufw because it’s really easy and no fuss.
sudo apt-get install ufw
This will install the firewall; now we need to configure it. Out of the box ufw denies all incoming and allows all outgoing traffic, which is the policy we want, so all that is left is to punch holes for the services we run.
Open some ports
Now let’s open the ports for the services we want to use: http, https, ssh, ftp, mail, etc. Only open what you actually serve: 80, 443 and your SSH port are the essentials, while 21 (FTP), 25 (SMTP), 110 (POP3) and 143 (IMAP) are only needed if you install those services later in this guide. If you changed the SSH port, allow that port instead of 22, and do it before you enable the firewall or you will cut off your own session.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 587/tcp
sudo ufw allow 22/tcp
sudo ufw allow 21/tcp
sudo ufw allow 25/tcp
sudo ufw allow 110/tcp
sudo ufw allow 143/tcp
Lets enable it now
sudo ufw enable
Pretty simple eh? You can check what is in effect with sudo ufw status verbose; the default policy and every allow rule should be listed there.
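Because the order of the ufw commands is what keeps you from locking yourself out (defaults, then SSH, then everything else, then enable), I find it easier to build the ruleset as a list and look at it before running it. The script below is an added example and not part of the original post; it assumes a web server on 80/443 and takes the SSH port from an environment variable. It also uses ufw’s limit rule for SSH, which drops a source that opens more than 6 connections in 30 seconds, so password guessing is throttled at the firewall before fail2ban ever sees it.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build the ufw ruleset as a list
# of commands first, so it can be reviewed (or tested) before it is applied.
# The port list and SSH_PORT default are assumptions.
set -e

# ufw_plan <ssh_port> [tcp_port ...]
# Order matters: default policy, then SSH, then the other ports, then enable.
# Enabling with "deny incoming" before SSH is allowed would kill the session
# you are working from.
ufw_plan() {
    ssh_port="$1"
    shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # "limit" = allow, but drop a source that opens >6 connections in 30 s
    echo "ufw limit ${ssh_port}/tcp"
    for p in "$@"; do
        echo "ufw allow ${p}/tcp"
    done
    echo "ufw --force enable"   # --force skips the interactive "proceed?" prompt
}

# apply_plan: run each line from stdin through sudo, or just print it when
# DRY_RUN=1 so you can eyeball the rules first.
apply_plan() {
    while IFS= read -r line; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: sudo $line"
        else
            sudo $line
        fi
    done
}

# Only 80 and 443 are opened because only a web server is assumed; add
# 21/25/110/143 here only if you actually install those daemons.
# Usage:  SSH_PORT=2222 DRY_RUN=1 ./ufw-setup.sh run
if [ "${1:-}" = "run" ]; then
    ufw_plan "${SSH_PORT:-22}" 80 443 | apply_plan
fi
```

After running it for real, ufw status verbose should show “Default: deny (incoming), allow (outgoing)” followed by one LIMIT line for the SSH port and one ALLOW line per web port.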
Fail2Ban is a security tool to prevent dictionary attacks. It works by monitoring important services (like SSH) and blocking IP addresses which appear to be malicious (i.e. they are failing too many login attempts because they are guessing passwords).
sudo apt-get install fail2ban
Now we need some basic configuration.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Find the “[ssh-ddos]” section and make sure “enabled” is “true” (the plain “[ssh]” jail is already enabled in the shipped config). If you changed your SSH port you will also need to set “port” to the new number under both the “[ssh-ddos]” and “[ssh]” sections; the port is what the ban rule blocks in iptables, so with the wrong value fail2ban will happily ban addresses that can keep hitting your real port.
Save the file and restart the service for the changes to take effect. Afterwards sudo fail2ban-client status ssh shows the jail and any currently banned addresses.
sudo service fail2ban restart
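Two things the section above leaves implicit: jail.local only needs the settings that differ from jail.conf (copying the whole file, as above, works but means a package upgrade of jail.conf no longer reaches you), and the [ssh] jail bans on a count of failed logins per source address within findtime. The script below is an added example, not from the original post: it writes a minimal jail.local for a given port and then reproduces the core of the sshd filter’s counting over a constructed auth.log excerpt, so you can see which line makes an address bannable. The log lines, addresses (documentation ranges) and thresholds are all made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a minimal jail.local plus a
# re-implementation of the failed-login counting behind the [ssh] jail, run
# over constructed log lines. Port, paths and log content are assumptions.
set -e

# write_jail_local <dest> <ssh_port>
# jail.local is read after jail.conf and only needs the overrides.
write_jail_local() {
    cat > "$1" <<EOF
[DEFAULT]
# put your own static address or range here so you can never ban yourself
ignoreip = 127.0.0.1/8
bantime  = 3600
findtime = 600
maxretry = 5

[ssh]
enabled = true
port    = $2

[ssh-ddos]
enabled = true
port    = $2
EOF
}

# Constructed /var/log/auth.log excerpt. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts.
AUTH_SAMPLE='Jun  1 10:00:01 web sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  1 10:00:03 web sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  1 10:00:04 web sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun  1 10:00:05 web sshd[1207]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Jun  1 10:00:06 web sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Jun  1 10:00:07 web sshd[1210]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Jun  1 10:00:09 web sshd[1211]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Jun  1 10:00:10 web sshd[1212]: Did not receive identification string from 203.0.113.9
'

# offenders <logfile> <maxretry>
# Count "Failed password" lines per source address and print "ip count" for
# every address at or above maxretry. The last sample line is what the
# [ssh-ddos] jail matches instead; it is not a password failure and is not
# counted here. Real fail2ban additionally only counts failures within findtime.
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$1" | sort
}

if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    printf '%s' "$AUTH_SAMPLE" > "$log"
    offenders "$log" 5      # on the constructed data only 203.0.113.7 crosses the line
    rm -f "$log"
fi
```

Note that a single legitimate typo from 198.51.100.4 stays well under the threshold, while the scanner at 203.0.113.7 reaches it on its fifth guess; that gap is the whole point of picking maxretry, and ignoreip is your safety net for the address you administer from.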
Reboot server on out-of-memory condition
This is a really neat feature to turn on. If the server runs out of memory the kernel panics and reboots, which costs a few minutes of downtime, but that is far better than sitting there swapping for hours and being non-functional anyway. (Without it the kernel’s OOM killer picks a large process, often your database, and kills that instead, so the box stays up but in an unknown state.) Add two settings to the end of “/etc/sysctl.conf“: vm.panic_on_oom = 1 tells the kernel to panic when it runs out of memory, and kernel.panic = 10 tells it to reboot 10 seconds after panicking. Run sudo sysctl -p afterwards to load them without waiting for a reboot.
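Both sysctl passages above (the swappiness line and the two OOM settings) say “add the line to the bottom of /etc/sysctl.conf”, which leaves duplicate keys behind when you run the procedure twice, and with duplicates the last one wins, which is easy to miss. The script below is an added example, not from the original post: it sets each key exactly once, removes any other copies, and applies the file. The swappiness default of 10 is my choice rather than the post’s 0 (set SWAPPINESS=0 to match the post); the file path for the apply step is the one the post uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: set the swappiness and OOM
# settings from the two sysctl passages in one idempotent step.
# The SWAPPINESS default of 10 is this example's choice, not the post's.
set -e

# set_sysctl <file> <key> <value>: rewrite an existing "key = value" line,
# drop any other copies of the key, or append it if it is not there.
set_sysctl() {
    awk -v k="$2" -v v="$3" '
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) { if (!done) { print k " = " v; done = 1 }; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_sysctl <file>: the three settings discussed above.
# vm.swappiness 0 (the post's value) tells the 3.13 kernel not to swap out
# anonymous memory until free memory is nearly gone; 10 keeps a small cushion.
configure_sysctl() {
    set_sysctl "$1" vm.swappiness "${SWAPPINESS:-10}"
    set_sysctl "$1" vm.panic_on_oom 1   # panic instead of letting the OOM killer pick a victim
    set_sysctl "$1" kernel.panic 10     # reboot 10 s after a panic instead of hanging
}

# Usage (as root):  SWAPPINESS=0 ./sysctl-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }
    configure_sysctl /etc/sysctl.conf
    sysctl -p /etc/sysctl.conf                           # load now; re-read at boot
    sysctl vm.swappiness vm.panic_on_oom kernel.panic    # show the live values
fi
```

The final sysctl call is the check worth keeping: it prints what the running kernel is using, which is the only thing that matters, rather than what the file says.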
Install FTP server
An FTP server is a useful thing to have for a number of reasons; for one, software like WordPress can use it to update itself or install plugins. Keep in mind that plain FTP sends the password and the files in clear text, so if you do not actually need it, skip this section (and leave port 21 closed in the firewall) and use SFTP, which sshd already provides. If you do install it, at least keep anonymous logins disabled (anonymous_enable=NO) and confine users to their home directories (chroot_local_user=YES).
sudo apt-get install vsftpd
Now edit the config:
sudo nano /etc/vsftpd.conf
Make sure the following settings are uncommented, or add them if they are missing:
Save the file and restart vsftp:
sudo service vsftpd restart
Install some useful software
These aren’t required, but this is a running list of packages I generally install on new servers (duplicates from the original list removed):
sudo apt-get install build-essential screen htop unrar-free unzip git-core zip zlibc rsync dnsutils mcrypt libtool libyaml-dev tcl8.5 libreadline-gplv2-dev libssl-dev libpcre3-dev libbz2-dev cmake libjson0-dev make gcc libboost1.55 libexpat1 libexpat1-dev libyajl-dev libyajl2 git libgcrypt11-dev libcurl4-openssl-dev automake autoconf pkg-config intltool libxml2-dev libgtk2.0-dev libnotify-dev libglib2.0-dev libevent-dev checkinstall
Forward domain e-mail to Gmail
Setting up a full e-mail server is a very complicated and often frustrating experience, so I do not run one myself. Instead I simply want e-mail sent to my various domains to be forwarded to my personal Gmail address, which is what I cover below. We start by installing postfix:
sudo apt-get install postfix
When the installer asks, choose “Internet Site” (the default) and accept your FQDN as the system mail name.
Now we need to do a little tweaking to the config file.
sudo nano /etc/postfix/main.cf
Add the following lines at the end (replace
virtual_alias_maps = hash:/etc/postfix/virtual
You will also need to add any domains you wish to forward e-mail for to the mydestination line, like so. (The postfix documentation would rather see forwarding-only domains in virtual_alias_domains than in mydestination; it works either way here because the virtual map is consulted before local delivery, and with a catch-all rule nothing ever reaches a local mailbox.)
Save the file and open up the virtual config:
sudo nano /etc/postfix/virtual
Now you can configure your forwarding rules. The most basic is a catch-all (the key is just @ followed by the domain), but you can also list specific e-mail addresses and where you want each forwarded; a specific address always wins over the catch-all, whatever order they appear in the file. Here is a catch-all example:
For a specific address you just put the mailbox name in front of the @domain part of the key:
Save the file when you are finished and run postmap, this will load the new forwarding rules.
sudo postmap /etc/postfix/virtual
Go ahead and restart postfix for good measure.
sudo service postfix restart
It’s important to note that if you are forwarding to a Gmail account, any test e-mails you send to your domains from that same Gmail address will never show up in your inbox, because Gmail drops messages it sees as both sent from and delivered to the same account. To properly test forwarding you need to send an e-mail to your server from a different Gmail account or from a non-Gmail address.
Forward mail to system accounts to /dev/null
You may want any mail sent to specific system users to be sent to the void (aka deleted). You can’t directly send mail to /dev/null with the virtual file but you can create a system alias and have it sent there.
sudo nano /etc/aliases
Add a line to the file that maps an alias name to /dev/null, then run sudo newaliases so postfix rebuilds its aliases database; postfix reads the compiled database, not the text file.
Now edit your virtual database to add the forward rule
sudo nano /etc/postfix/virtual
Add a line for each box you want sent to /dev/null
Run postmap again and you are good to go
sudo postmap /etc/postfix/virtual
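To tie the two mail sections together, here is an added example (not from the original post) of what the finished /etc/postfix/virtual and the /etc/aliases entry look like, plus a small resolver that follows the same lookup order postfix uses on the virtual map (exact user@domain first, then the @domain catch-all) and then sends bare local names through the aliases file. It lets you check where an address will land before you postmap the real files. mydomain.com, me@gmail.com, partner@example.org and the alias name devnull are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sample virtual and aliases files
# in the shape the post describes, and a resolver that mimics postfix's lookup
# order. All domains, addresses and the "devnull" alias name are placeholders.
set -e

# Specific addresses are listed before the catch-all for readability only;
# postfix tries the exact user@domain key before @domain regardless of order.
VIRTUAL_SAMPLE='# mail for these system accounts is thrown away via the devnull alias
root@mydomain.com      devnull
www-data@mydomain.com  devnull
# one address can fan out to several targets
sales@mydomain.com     me@gmail.com, partner@example.org
# catch-all: everything else at the domain
@mydomain.com          me@gmail.com
'

# virtual(5) keys must be addresses, but aliases(5) values may be a file,
# which is how "devnull" becomes a sink. Rebuild with: sudo newaliases
ALIASES_SAMPLE='devnull: /dev/null
'

# map_lookup <file> <key>: value of the first non-comment line whose first
# field is <key>; exit status 1 if there is none (like a failed table lookup).
map_lookup() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# virtual_lookup <virtual_file> <address>: exact key first, then @domain.
virtual_lookup() {
    map_lookup "$1" "$2" || map_lookup "$1" "@${2#*@}"
}

# resolve <virtual_file> <aliases_file> <address>: one final target per line.
# Bare names in the virtual map are local users and go through aliases; a
# name with no alias is delivered to that local mailbox. An address that
# matches nothing is left alone (local delivery or a bounce, depending on
# mydestination).
resolve() {
    targets=$(virtual_lookup "$1" "$3") || { echo "$3"; return 0; }
    for t in $(printf '%s' "$targets" | tr ',' ' '); do
        case "$t" in
            *@*) echo "$t" ;;
            *)   map_lookup "$2" "$t:" || echo "$t" ;;
        esac
    done
}

if [ "${1:-}" = "demo" ]; then
    v=$(mktemp); a=$(mktemp)
    printf '%s' "$VIRTUAL_SAMPLE" > "$v"
    printf '%s' "$ALIASES_SAMPLE" > "$a"
    for addr in root@mydomain.com sales@mydomain.com anyone@mydomain.com; do
        printf '%s -> %s\n' "$addr" "$(resolve "$v" "$a" "$addr" | tr '\n' ' ')"
    done
    rm -f "$v" "$a"
fi
```

On the real server the equivalent check is postmap -q root@mydomain.com hash:/etc/postfix/virtual, which prints the target from the compiled map (or nothing if the key is missing), so you can confirm that postmap picked up an edit before any mail has to find out.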