Ubuntu server

Installing and configuring the Ubuntu server 16.04


Define a password for root user

ubuntu is the root user. The password is useful if SSH stops working and you need to recover the machine over VNC.


Mount the 2nd hard drive in /var/www


Replace the UUID with the one given by blkid for /dev/sdb

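The fstab step above is easy to get wrong by hand (a duplicated or mistyped entry can leave the server unbootable). As an added example, not the page's own commands, the script below looks the UUID up with blkid, writes the /etc/fstab line only if it is not already there, and mounts the disk. It assumes the data partition is /dev/sdb1 formatted as ext4; the fstab path, UUID and mount point are parameters so the functions can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not from the original page): register the second disk in
# /etc/fstab by UUID without duplicating entries, then mount it.
# Assumed: partition /dev/sdb1, file system ext4, mount point /var/www.

# Accept only the 8-4-4-4-12 hex form blkid prints for ext4 UUIDs.
uuid_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the fstab line. 'nofail' keeps the system bootable if the data disk
# is missing, which is the right default for anything that is not the root fs.
fstab_line() {
    printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# Append the line only if no uncommented entry for that UUID or mount point
# exists yet. Returns 0 if added, 1 if already present, 2 on bad input.
ensure_fstab_entry() {
    fstab=$1; uuid=$2; mnt=$3; fstype=${4:-ext4}
    uuid_is_valid "$uuid" || return 2
    if grep -Eq "^[^#]*(UUID=$uuid|[[:space:]]$mnt[[:space:]])" "$fstab"; then
        return 1
    fi
    fstab_line "$uuid" "$mnt" "$fstype" >> "$fstab"
}

# Real run (as root): ./mount-data-disk.sh --apply [/dev/sdb1]
if [ "${1:-}" = "--apply" ]; then
    dev=${2:-/dev/sdb1}
    uuid=$(blkid -s UUID -o value "$dev")
    mkdir -p /var/www
    ensure_fstab_entry /etc/fstab "$uuid" /var/www ext4
    mount -a && df -h /var/www
fi
```

Running with --apply does the real work; without arguments the file only defines the functions, so it can be sourced and tested against a copy of fstab before touching the real one.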

Set Time zone


Then restart the system, or just MySQL: service mysql reload

Set Locale

sudo /usr/share/locales/install-language-pack fr_FR

Schedule an automatic server restart every month


Add :


Security

Firewall


OSSEC

Newest version : https://github.com/ossec/ossec-hids/ (Server/Agent Unix)


If it stops at ``:


Choose local (not server), enter an email address, and keep the defaults for all other options.

Edit /var/ossec/etc/ossec.conf (nano /var/ossec/etc/ossec.conf) and add:


And check email_to and email_from

Edit /var/ossec/rules/local_rules.xml (nano /var/ossec/rules/local_rules.xml) and add:


Automatically add IPs to the white list

Source

  1. Create approved_humhub_list and chmod 666 it so that Apache is able to edit this file:
  2. Edit /var/ossec/etc/ossec.conf (nano /var/ossec/etc/ossec.conf) and, inside <rules></rules>, add:
  3. service ossec restart
  4. In /var/ossec/rules/local_rules.xml, add:

id="100016" must be unique; change it if necessary!

  5. Update /var/ossec/lists/approved_humhub_list.cdb automatically every minute by adding this to the root crontab:

Call this script from your website when the current user is an admin:

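The page's PHP script is missing from this copy. As an added example, not the page's own code, here is the server-side part of the same idea as a shell script: it appends a visitor address to the approved list in the key:value form OSSEC CDB lists use, adds each address only once, and rebuilds the compiled list. Because the list file is made world-writable so that Apache can edit it, anything written there should be checked strictly first; the script therefore rejects anything that is not a plain dotted-quad IPv4 address (including multi-line input). The list path is the page's; the ossec-makelists location is assumed to be the stock /var/ossec/bin/ossec-makelists.

```shell
#!/bin/sh
# Added example (not the page's PHP script): add an address to the OSSEC CDB
# white list and rebuild it. Assumed: stock ossec-makelists path.

LIST=${OSSEC_LIST:-/var/ossec/lists/approved_humhub_list}

# Strict dotted-quad check: digits and dots only (so no newlines or colons
# can be smuggled into the list), four octets, each 0-255.
ipv4_is_valid() {
    ip=$1
    case $ip in
        *[!0-9.]*|'') return 1 ;;
    esac
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# CDB lists are "key:value" lines and OSSEC matches on the key. Returns
# 0 when the address was added, 1 if it was already listed, 2 if rejected.
whitelist_add() {
    list=$1; ip=$2
    ipv4_is_valid "$ip" || return 2
    [ -f "$list" ] || : > "$list"
    if grep -qxF "$ip:allowed" "$list"; then
        return 1
    fi
    printf '%s:allowed\n' "$ip" >> "$list"
}

# Number of entries currently in the list.
whitelist_size() {
    wc -l < "$1" | tr -d ' '
}

# Recompile the .cdb so the rule that references the list sees the change;
# the page runs this from cron every minute, it can also be called here.
whitelist_compile() {
    /var/ossec/bin/ossec-makelists
}

# Usage from the web application: whitelist-add.sh --add 203.0.113.7
if [ "${1:-}" = "--add" ]; then
    whitelist_add "$LIST" "$2"; rc=$?
    case $rc in
        0) echo "added $2"; whitelist_compile ;;
        1) echo "already listed: $2" ;;
        *) echo "rejected: $2" >&2; exit 1 ;;
    esac
fi
```

If the web application keeps calling a PHP wrapper as the page describes, that wrapper only has to invoke this script with the address as a single argument; the validation then happens in one place regardless of which application writes to the list.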

GUI

Newest version : https://github.com/ossec/ossec-wui/releases


Choose www-data.


http://serverIp/ossec

More details here

Fail2ban


Monitoring


Munin


Uncomment :


And replace email address


Replace :


By :


Go to http://IPAddress/munin. If it doesn't work, create a vhost in /etc/apache2/sites-available:


Monit


Go to http://IpAddress:2812

user 'admin' / password 'monit'

LAMP

Follow this documentation, except for the PHP paragraph

Install PHP7.1 (instead of 7.0 in Ubuntu 16.04)


Select 7.1 version

List the enabled apache2 modules: apachectl -t -D DUMP_MODULES

Enable the URL rewriting module: a2enmod rewrite

nano /etc/php/7.1/apache2/php.ini :


session.gc_maxlifetime lets users stay logged in for one month.

Edit /etc/apache2/apache2.conf (sudo nano /etc/apache2/apache2.conf) and add ServerName xxx.xxx.xxx.xxx at the end of the file, replacing xxx.xxx.xxx.xxx with the server's IP address:


A bug can make Apache crash. Workaround: edit /etc/logrotate.d/apache2 (nano /etc/logrotate.d/apache2) and replace reload with restart.

PHP 5.6 (for Communect)

https://phpraxis.wordpress.com/2016/05/16/install-php-5-6-or-5-5-in-ubuntu-16-04-lts-xenial-xerus/


Optimize MySQL


More info

Changing values for Ubuntu 16.04

Report for optimization software

phpMyAdmin

https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-on-ubuntu-16-04 : use the same password for phpMyAdmin as for MySQL

Email

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04


Enter the domain name here (e.g. domain.ext)


Access to the server with authentication (SSH and SFTP)

On your local computer, if you don't already have one, create a key pair: a public key (~/.ssh/id_rsa.pub) and a private key (~/.ssh/id_rsa), with a long passphrase. Protect your private key, save the passphrase so you don't have to type it at each connection, and display your public key:


Add the public key to the file ~/.ssh/authorized_keys on the remote server by pasting it on a new line. Then connect by SSH or SFTP: ssh web@83.166.144.90 or ssh ubuntu@83.166.144.90

If you want to create your keys in specific files:

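Pasting the key by hand, as described above, is where most "it still asks for a password" problems come from: a wrapped line, or a ~/.ssh directory or authorized_keys file with modes sshd refuses. The following script is an added example, not the page's own commands: it installs one public key into an account's authorized_keys exactly once and sets the modes sshd requires. The home directory and the key line are parameters so it can be checked against a scratch directory; the web and ubuntu account names and the server address used on the page are not assumed here.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# <home>/.ssh/authorized_keys once, with the modes sshd insists on.

# Accept exactly one well-formed key line: type, base64 blob, optional comment.
# A multi-line string is refused so a second key cannot ride along.
pubkey_is_valid() {
    nl=$(printf '\nx'); nl=${nl%x}
    case $1 in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# sshd ignores authorized_keys when ~/.ssh or the file is group/world
# accessible, so the modes are fixed on every call, not only on creation.
# Returns 0 if the key was added, 1 if already present, 2 if rejected.
install_pubkey() {
    home=$1; key=$2
    pubkey_is_valid "$key" || return 2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}

# Number of key lines installed for an account.
installed_key_count() {
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Typical use on the server, after copying the workstation's public key over
# (e.g. with scp) to /tmp/id_rsa.pub:
#   install_pubkey /home/web "$(cat /tmp/id_rsa.pub)" && chown -R web:web /home/web/.ssh
```

When the script is run as root on behalf of another account, the trailing chown in the usage comment matters: sshd also refuses an authorized_keys file that is not owned by the user logging in.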

www-data account

source


Add:


Add this line just before exit 0:


IMPORTANT: to write to /var/www as the www-data user, you must now use the web user and access /var/www through /home/web/www.

DNS

https://wiki.gandi.net/fr/dns/zone/a-record

and then

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04

SSL for HTTPS with Letsencrypt

source


Add : 15 3 * * * /usr/bin/certbot renew --quiet

To create a certificate for a domain (the site must already be enabled in apache2 with a2ensite /etc/apache2/sites-available/domain.ext.conf; service apache2 reload;):


If it doesn't work:


webroot is the folder where the website is installed.

A new file is created: /etc/apache2/sites-available/domain.ext-le-ssl.conf

Node.Js

Each web app needs a specific version of Node.js. So create a new user for each web app and install Node.Js locally.

  1. Install NVM (Node version manager) : https://github.com/creationix/nvm#install-script
  2. Edit the package.json file of the web app, look at the required Node version, and install it: nvm install 6.x.x; nvm use 6.x.x;. If you want the stable version: nvm install stable; nvm use stable;. For the LTS version (recommended): nvm install --lts; nvm use --lts;
  3. Node.Js and NPM (Node Package Manager) will be installed

But if Node.js is executed by Apache (through the system() or exec() command), Node.js needs to be installed globally:


LDAP

Not finalized, to be resumed later.

Warning before apt-get install phpldapadmin! Check afterwards whether the Apache server still works; otherwise you have to do an apt-get remove --purge apache2, then reinstall, add the missing modules with a2enmod (list them with ls /etc/apache2/mods-available/), re-add the sites-available entries and reconfigure HTTPS.

Warning: this only appears at install time. It is necessary to choose a subdomain so as not to interfere with another site, but I'm not sure.

First create the subdomain under Apache (a2ensite ldap.make.social.conf) and publish it over HTTPS: certbot --apache -d ldap.make.social

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-openldap-and-phpldapadmin-on-ubuntu-16-04

If Apache does not work anymore after the installation: https://support.plesk.com/hc/en-us/articles/213946305-Apache-crashes-on-reload-and-websites-show-502-Bad-Gateway-seg-fault-or-similar-nasty-error-detected-in-the-parent-process

Local backups

HackMd

Note the postgres container ID:


Create a backup script in the file /var/www/backups/scripts/hackmd.sh:


Then schedule the daily backups of the database:


and add:


MongoDb

Create a backup script in the file /var/www/backups/scripts/mongodb.sh:


Then schedule the daily backups of the database:


and add:


Nextcloud and the other PHP/MySQL applications


Edit the file *.inc.php

sudo crontab -e:

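The page's twenty-line backup script for the PHP/MySQL applications is missing from this copy. The script below is an added example, not the page's own: it dumps one MySQL database into a dated, compressed file under the page's /var/www/backups directory and keeps only the newest N dumps, which is the part a hand-written cron line usually forgets. It assumes the MySQL credentials live in root's ~/.my.cnf (a [client] section with user and password) so that no password shows up in the process list or in the crontab; the database name and retention count are parameters.

```shell
#!/bin/sh
# Added example (not the page's script): dated mysqldump + retention.
# Assumed: credentials in ~/.my.cnf, backup root /var/www/backups.

BACKUP_ROOT=${BACKUP_ROOT:-/var/www/backups}

# File name for a dump taken now: <dir>/<db>-YYYYMMDD-HHMMSS.sql.gz
backup_name() {
    printf '%s/%s-%s.sql.gz\n' "$1" "$2" "$(date +%Y%m%d-%H%M%S)"
}

# Dump, then compress. The dump is written to a temporary name first and
# only renamed on success, so a failed run never leaves a truncated file
# that looks like a good backup. Prints the final path.
backup_mysql_db() {
    db=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    out=$(backup_name "$dir" "$db")
    tmp="$out.part"
    if mysqldump --single-transaction --routines "$db" > "$tmp" && gzip -9 < "$tmp" > "$out"; then
        rm -f "$tmp"
        printf '%s\n' "$out"
    else
        rm -f "$tmp" "$out"
        return 1
    fi
}

# Keep only the newest <keep> dumps of <db> in <dir>. The timestamp in the
# file name sorts lexicographically, so a reverse sort lists newest first.
prune_backups() {
    dir=$1; db=$2; keep=$3
    ls -1 "$dir"/"$db"-*.sql.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r f; do
        rm -f "$f"
    done
}

# Number of dumps present for a database.
backup_count() {
    ls -1 "$1"/"$2"-*.sql.gz 2>/dev/null | wc -l | tr -d ' '
}

# Cron use (root): backup-db.sh --run nextcloud 7
if [ "${1:-}" = "--run" ]; then
    backup_mysql_db "$2" "$BACKUP_ROOT/mysql" && prune_backups "$BACKUP_ROOT/mysql" "$2" "${3:-7}"
fi
```

A cron entry of the form 30 3 * * * /var/www/backups/scripts/backup-db.sh --run nextcloud 7 then produces one dump per night and never more than a week of them on disk, which keeps the rclone upload to Hubic (described further down) bounded as well.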

Backups on the Hubic cloud server

  1. Create a Hubic account (we use the account contact@openappecosystem.cc)
  2. Create a folder called "backups"

On the server, as the root user:

  1. Install rclone
  2. Configure rclone for Hubic (leave "Hubic Client Id" and "Hubic Client Secret" blank, and open the URL asked for at the end of the process in a second SSH terminal using elinks)
  3. crontab -e:

Interesting article if you want to encrypt backups : http://nogues.pro/blog/backup-hubic-duplicity-rsync.html

Copies of system files

su root; crontab -e:


su web; crontab -e:


sudo nano /etc/rc.local:


Increase partition size

If the disk space has been increased with Infomaniak, the partition must be grown to the new size (check whether the file system is XFS):


Remove old kernels

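The page's command list for this section is missing from this copy. As an added example, not the page's own commands, the script below decides which kernel packages are safe to purge: it keeps the running kernel (from uname -r), the newest installed kernel (which may not be running yet after an update) and the metapackages such as linux-image-generic, and reports everything else. Versions are compared component by component, since a plain text sort would rank 4.4.0-98 above 4.4.0-112. The package list is passed in as a file so the logic can be checked on a constructed list; the real run feeds it the output of dpkg -l.

```shell
#!/bin/sh
# Added example (not from the original page): list stale kernel packages.
# Input: a file with installed package names, one per line (dpkg -l | awk
# '/^ii/ {print $2}'), and the running kernel ABI (e.g. 4.4.0-104).

# ABI version of a kernel package name, e.g.
# linux-image-4.4.0-112-generic -> 4.4.0-112; nothing for metapackages.
kernel_abi_of() {
    printf '%s\n' "$1" | sed -nE 's/^linux-(image|headers|modules|modules-extra|image-extra)-([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*$/\2/p'
}

# Running kernel ABI, with the flavour suffix (-generic, -lowlatency) removed.
running_abi() {
    uname -r | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*/\1/'
}

# Newest ABI on stdin (one per line), compared numerically per component.
newest_abi() {
    tr '.-' '  ' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 | tail -n 1 |
    awk '{ printf "%s.%s.%s-%s\n", $1, $2, $3, $4 }'
}

# Print the installed kernel packages whose ABI is neither the running one
# nor the newest one. Metapackages (no version in the name) are never listed.
stale_kernel_packages() {
    running=$1; pkglist=$2
    newest=$(while IFS= read -r p; do kernel_abi_of "$p"; done < "$pkglist" | newest_abi)
    while IFS= read -r p; do
        abi=$(kernel_abi_of "$p")
        [ -n "$abi" ] || continue
        [ "$abi" = "$running" ] && continue
        [ "$abi" = "$newest" ] && continue
        printf '%s\n' "$p"
    done < "$pkglist"
}

# Real run (as root): stale-kernels.sh --purge
if [ "${1:-}" = "--purge" ]; then
    list=$(mktemp)
    dpkg -l | awk '/^ii/ {print $2}' > "$list"
    stale=$(stale_kernel_packages "$(running_abi)" "$list")
    rm -f "$list"
    if [ -n "$stale" ]; then
        # shellcheck disable=SC2086  # word splitting on $stale is intended
        apt-get purge $stale && update-grub
    else
        echo "nothing to remove"
    fi
fi
```

Running it without --purge only defines the functions; a dry run is stale_kernel_packages "$(running_abi)" /path/to/list, which prints the candidates without touching anything.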

List largest installed packages
