This repository contains the code and documentation for my project on learning Linux sysadmin skills, Linux security, and DevOps. I will be hosting a WordPress website on an Ubuntu server. This project is a great way for me to learn these important skills and to get hands-on experience with Linux.
This setup runs on an Ubuntu VM provisioned on my local machine. The steps can be reused for a VM that is hosted in the cloud too.
- Set up NGINX Webserver
- Configure PHP to run web application (WordPress)
- Create a MySQL database and link to WordPress
- Set up WordPress on server
- Set up the following:
  - Monitoring
  - Automation
  - Performance Optimization
  - Security
  - Backups
In this stage, we are going to install a few packages that will enable us to run WordPress on the Ubuntu server. We need PHP (which powers WordPress), a MySQL database server and a few others, including a peculiar tool called Monit.
- Monit is an open-source and free process supervision tool for Linux and Unix. It is used to view the system status directly from the command-line or the native HTTP web server.
We need specific versions of some software packages, and all are listed in the `install.sh` script. To activate it, run the following:

```bash
# add execute permission for the owner only
chmod u+x install.sh
# run the installation
sudo ./install.sh
```

NOTE: When you encounter an error during the installation of any package in Ubuntu, use `apt-cache search <package> | grep <specific module for package>`, e.g. when installing the MySQL module for PHP, look it up with `apt-cache search php | grep mysql` to get the correct module name to use.
We then install NGINX via a PPA (Personal Package Archive). This way, we get the updated and stable version of the NGINX web server straight from the developers themselves. I recommend you use this way. Run these commands to do this:

```bash
# add the repo
sudo add-apt-repository ppa:nginx/stable
# update the package index so the new repo is picked up
sudo apt-get update
# install the NGINX package
sudo apt-get install nginx
```

NGINX should automatically start running on the server. Get the IP address of the server and paste it into a browser; you should get a static page welcoming you to NGINX. This confirms that NGINX is up and running and that your server is accessible over the network/internet.
In Linux, several kinds of things run as processes. These can be software, services or daemons.
| Feature | Software | Service | Daemon |
|---|---|---|---|
| Definition | A computer program | A software program that provides a specific function | A type of service that runs continuously in the background |
| Control | Controlled by the user | Controlled by the operating system | Not controlled by the operating system |
| Examples | Word processor, web browser, operating system | Email, file sharing, printing | Disk monitoring, network services |
Also, in Linux, services are managed with systemd. The two utility programs most often used to manage services with systemd are:
- systemctl: managing services
- journalctl: managing logs
In our installation we have to initialize the mysql, monit, php-fpm and nginx packages we have installed.
```bash
# using the systemd commands
# (php7.4-mysql is a PHP module, not a service; the database service is mysql)
sudo systemctl start nginx php7.4-fpm mysql monit
# check their status with this
systemctl status <service>
# enable them so they keep running even after a reboot
sudo systemctl enable <service>
```

A couple of `systemctl` commands to know:

This is the structure of the entire command: `systemctl <command> <service>`.
- enable: makes sure the service always starts at boot
- disable: does the opposite of enable
- start: starts the service now (will not start again at boot)
- stop: stops a running service (if service is enabled, will not stop it from running at boot)
- reload: re-read the configuration files for the service
- restart: kills the service and starts it again (also re-reads the configuration files)
- status: check the status of the service (it tails the last few log lines)
For the server to be satisfactorily cleared to run and host our WordPress sites, we must make some configuration changes, mostly in the area of security.
A couple of things we will be configuring are:
- SSH
- web server
- database
- interprocess communication
To ensure the security of the sites hosted on the web server, we must separate each site's running process from others. We do this so that if an attacker manages to get access to a site's running process, the attacker cannot use that as a channel to infiltrate other sites running on the same web server.
The basic way to do this is to make sure that each site is running as its own system user. E.g. if I have my blog site "GoneFishing" running, I can create a user, 'gonefishing', and have this user take ownership of the processes spawned by my "GoneFishing" site.
There are two ways to create a user:
- with a wizard (simple): `adduser <username>`; you then walk through a series of questions and settings, and the user is configured.
- with scripts: `useradd --uid <UID> --gid <GID> -m -s /usr/bin/bash -d /var/www/gonefishin --password <pass> <username>`; this can be used in a script to automatically create users for the different sites that have been provisioned on the web server.
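One way to script the per-site user creation described above, added here as an example and not taken from the repository. It validates each site name before it reaches `useradd`, and it leaves out `--password`, which expects an already-hashed value and exposes it to anyone listing processes. The names `WEB_ROOT`, `SITE_SHELL`, `DRY_RUN`, `valid_site_name` and `create_site_user`, the `nologin` shell and the sample site list are assumptions.

```bash
#!/bin/sh
# Added example: one unprivileged system user per hosted site.
# Assumed names (not from the page): WEB_ROOT, SITE_SHELL, DRY_RUN,
# valid_site_name, create_site_user.
LC_ALL=C; export LC_ALL                      # make [a-z] mean ASCII only
WEB_ROOT=${WEB_ROOT:-/var/www}
SITE_SHELL=${SITE_SHELL:-/usr/sbin/nologin}  # assumption: no interactive login
DRY_RUN=${DRY_RUN:-1}                        # 1 = print the command, 0 = run it as root

# Accept 1-32 characters: a lowercase letter first, then [a-z0-9_-].
# This rejects a leading "-" (parsed as an option) and "/" or ".." (path escape).
valid_site_name() {
    [ "${#1}" -le 32 ] || return 1
    case $1 in [a-z]*) ;; *) return 1 ;; esac
    case $1 in *[!a-z0-9_-]*) return 1 ;; esac
    return 0
}

# Build (and, with DRY_RUN=0, execute) the useradd call for one site.
create_site_user() (
    name=$1
    valid_site_name "$name" || { echo "invalid site name: $name" >&2; exit 2; }
    if getent passwd "$name" >/dev/null 2>&1; then
        echo "user already exists: $name" >&2; exit 3
    fi
    # No --password: useradd leaves the new account's password locked.
    set -- useradd --create-home --home-dir "$WEB_ROOT/$name" \
        --shell "$SITE_SHELL" --user-group "$name"
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
)

# Constructed sample list of sites; in dry-run mode this only prints commands.
for site in gonefishing taskmaster; do
    create_site_user "$site"
done
```

Review the printed commands first, then run the script as root with `DRY_RUN=0` to create the users.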
After the user has been created, it has to be made the owner of the running site processes. To change the ownership and permissions of what is able to access our site files, run the commands:

```bash
# change ownership
sudo chown -R gonefishin:www-data /home/taskmaster/public_html
# add fine-grained permissions: 755 for directories, 644 for files
sudo find /home/taskmaster/public_html -type d -exec chmod 755 {} \;
sudo find /home/taskmaster/public_html -type f -exec chmod 644 {} \;
```

Right off the bat when NGINX is installed, it has a configuration file that controls the way it runs on the server.
In this section, we will make some slight adjustments to the configuration file to make sure that the NGINX server is tuned to perform well.
- Back up the original configuration and create a new `nginx.conf` file.

```bash
# go to the nginx directory
cd /etc/nginx
# back up the original
sudo mv nginx.conf nginx.conf.ORIGINAL
# create a new config file
sudo touch nginx.conf
# copy the configuration into it
sudo cp nginx.conf.ORIGINAL nginx.conf
```

- Make the performance changes.
  - Enable compression of requests when possible to the site servers; uncomment the section under 'GZIP Settings'.
  - Enable FastCGI caching; this code keeps a small cache for 10min.

```nginx
fastcgi_cache_path /usr/share/nginx/cache/fcgi levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;
```

  - The above cache path is not available, so we need to create it with `sudo mkdir -p /usr/share/nginx/cache/fcgi`.
  - This configuration is in the `/config/initial-nginx-config.conf` file.
NOTE: The `nginx.conf` file contains the line `include /etc/nginx/conf.d/*.conf;`. This line specifies where we will place every server configuration for our sites: after processing the current global configuration, NGINX goes to this directory and includes all the configuration files in the current server configuration.
This setup is to host as many sites as possible with one NGINX web server. The individual site configurations are then pulled into this current global configuration and served.
- Check if the configuration is valid; use the command `sudo nginx -t`.
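A pre-flight check to run before `sudo nginx -t`, added here as an example and not part of the repository: it lists every `fastcgi_cache_path` directory that a config names but that does not exist on disk, which catches a forgotten `mkdir` or a one-letter mismatch such as `fgci` versus `fcgi`. The function names `missing_cache_dirs` and `demo` and the sample config are constructed for illustration.

```bash
#!/bin/sh
# Added example: report fastcgi_cache_path directories that a config names
# but that do not exist yet. Assumed names: missing_cache_dirs, demo.
# Limitation: reads one file only and does not follow "include" lines.

# Prints each missing directory; exit status 1 if any is missing, 2 if the
# config file cannot be read, 0 otherwise.
missing_cache_dirs() (
    [ -r "$1" ] || { echo "cannot read config: $1" >&2; exit 2; }
    # Field 1 is the directive name, field 2 the path (commented lines have "#" first).
    awk '$1 == "fastcgi_cache_path" { sub(/;$/, "", $2); print $2 }' "$1" | {
        status=0
        while IFS= read -r dir; do
            [ -d "$dir" ] || { echo "$dir"; status=1; }
        done
        exit "$status"
    }
)

# Constructed sample: the directive says "fgci" while the directory that was
# created is "fcgi". Output is shown relative to the temporary root.
demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/cache/fcgi"
    printf '%s\n' "http {" \
        "    # fastcgi_cache_path /ignored/comment keys_zone=x:1m;" \
        "    fastcgi_cache_path $root/cache/fgci levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=1h;" \
        "}" > "$root/nginx.conf"
    out=$(missing_cache_dirs "$root/nginx.conf" | sed "s|^$root||")
    rm -rf "$root"
    echo "$out"
)

demo   # prints /cache/fgci
```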