Preparing a Server for Aegir


This page shows you how to get a server ready to install Aegir. We'll do some basic updating and hardening of the OS, and install Apache, PHP and MySQL.

Set up the LAMP stack

The easiest route to set up the stack in the first place is to use an appliance from Turnkey Linux - they offer a LAMP stack which has much of the configuration done.
Download the appliance here: http://www.turnkeylinux.org/appliances/lamp
Follow through their setup instructions. A stack like this already includes Apache, MySQL and PHP.

Otherwise, make sure you have a Linux server set up, e.g. Ubuntu 8.04 LTS (Hardy).

You will need root access to that server, and the server must be reserved for Aegir. Sharing the server with other control panels such as cPanel, Plesk or AlternC will very likely create problems and is not supported.

That webserver should run some UNIX flavour, because the majority of the functionality in this system occurs in the back-end, through command line scripting. Several features (such as symlinks) are also not available to users on Windows. There are currently no plans to add Windows support.

VPS servers are suitable. Aegir has been tested successfully on VPS.net, Linode.com, and slicehost.com.

In the following instructions we'll assume that you have a brand new server with Ubuntu 8.04 LTS (Hardy).

Configure the OS

Log in to the server as root, then follow these instructions to do the remaining configuration and some basic hardening for security.

Set locale

For me, this is en_GB, but set your choice of locale:

sudo locale-gen en_GB.UTF-8 
sudo /usr/sbin/update-locale LANG=en_GB.UTF-8 

Not a security measure, but worth doing, especially before we do the upgrades etc.

Set timezone

It may be set to your timezone or the timezone of the bulk of your users. If you're unsure which timezone would be best, consider using Coordinated Universal Time (UTC, i.e. Greenwich Mean Time). Run the following command to set it:
dpkg-reconfigure tzdata

Set Hostname

The hostname is what your machine calls itself; in this example, we will call it "myserver".
echo "myserver" > /etc/hostname
hostname -F /etc/hostname

Now we can set up hostname resolution so that our server associates its hostname with the public IP. We do this by editing the /etc/hosts file so that the first section of the file looks something like this (use your server's public IP address instead of 12.34.56.78):

vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
12.34.56.78 myserver.example.com myserver

Update and upgrade

sudo apt-get update 
sudo apt-get upgrade 

This is just an initial update/upgrade. You need to do this on a regular basis as part of your server maintenance.

Now add some basic things:

sudo apt-get install build-essential 
sudo apt-get install wget 
sudo apt-get install aptitude apt-utils
sudo apt-get install cvs subversion 
sudo apt-get install openssh-server

We need a mail transfer agent for the server to communicate with the outside world...

sudo apt-get install postfix 

Select the option 'internet site' when prompted.
More info on postfix is at:
https://help.ubuntu.com/8.04/serverguide/C/postfix.html
http://www.scalix.com/wiki/index.php?title=HowTos/Complete_Postfix
Sendmail can be used as well, but is regarded by some as less secure.

To configure Postfix to use Googlemail as the SMTP server, see:
http://prantran.blogspot.com/2007/01/getting-postfix-to-work-on-ubuntu-w...

Restrict access to root user

First, change the root password:
passwd
Make this a secure password and record it somewhere safe.

Then add another user (the name can be anything you like; I've used 'onlyme' here. Don't make it something obvious like 'admin'):
useradd onlyme

Then set the password for this user:
passwd onlyme
Make this a secure password, different from the root login.

Grant this user sudo rights:
visudo

Use the arrow keys to go to the last line. Press 'a' to add a line. Type:
onlyme ALL=(ALL) ALL
Hit Esc, type ':wq' and hit ENTER.

Then we want to prevent the root user from logging in directly over SSH:
sudo vim /etc/ssh/sshd_config

and set the following in the file (don't remove any other existing settings, just change or add lines so that the following are in place):

Port 9876
PermitRootLogin no
X11Forwarding no
UseDNS no
UsePAM yes
PasswordAuthentication yes
AllowUsers onlyme

Note that the Port setting changes the SSH/SFTP port from the default 22. I've used 9876 to illustrate this, but you can choose something else. This port then needs to be set in your SFTP programme's settings to access the server.

Then reload sshd:
sudo /etc/init.d/ssh reload

Now log out of your shell session and SFTP programme. Try to log in again as root; it shouldn't work.
Log in now using the new onlyme user and the onlyme password.
If you need root authority in the future, simply issue the su - command in a bash shell and enter the root password; you just can't log in directly as root.
Run su - to become the root user now.
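The sshd changes above are easy to get wrong by hand, and a typo in sshd_config plus a reload means no more remote access. The script below is an added example, not part of the original page: it applies exactly the settings listed above in an idempotent way (safe to run twice), refuses to write directives past a Match block, and only reloads after /usr/sbin/sshd -t accepts the file (the sshd binary path and the --apply flag are assumptions; 9876 and onlyme are the page's example values).

```shell
#!/bin/sh
# Added example, not from the original page: apply the sshd_config settings
# listed above idempotently and run sshd -t on the result before reloading, so
# a typo cannot lock you out. 9876 and onlyme are the page's example values.
set -eu

# set_sshd_option FILE KEY VALUE: replace the first existing or commented-out
# directive, drop later duplicates, and never write past a Match block, whose
# directives are conditional and would silently change the meaning.
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        /^[ \t]*Match[ \t]/ {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        !inmatch && $0 ~ ("^[# \t]*" k "[ \t]") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apply_hardening FILE [SSH_PORT] [ADMIN_USER]: the settings from the section above
apply_hardening() {
    set_sshd_option "$1" Port "${2:-9876}"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" UsePAM yes
    set_sshd_option "$1" PasswordAuthentication yes
    set_sshd_option "$1" AllowUsers "${3:-onlyme}"
}

# Only touch the live config when run as: sh harden_sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak"
    apply_hardening "$cfg"
    # sshd -t only parses the file; a non-zero exit means reload would fail
    if /usr/sbin/sshd -t -f "$cfg"; then
        /etc/init.d/ssh reload
    else
        echo "sshd rejected the new config, restoring backup" >&2
        mv "$cfg.bak" "$cfg"
        exit 1
    fi
fi
```

Keep your current session open until you have confirmed a second login on the new port works; sshd -t catches syntax errors, not a firewall that still blocks 9876.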

Firewall

Install the iptables firewall (it may already be there, in which case this does nothing):
sudo apt-get install iptables

Open ports should be kept to 80 and 443 (HTTP and HTTPS) and 9876 (our custom SSH port) on the external network card. On the internal loopback, 3306 also needs to be allowed for MySQL. Outbound, allow only port 53 UDP (for DNS) and 80 TCP (for access to updates etc. via HTTP). Close down other ports unless absolutely necessary. Set any firewall to drop packets rather than reject them.

Ubuntu has a layer on top of iptables called UFW, which makes setting up a basic firewall easier; we'll enable and configure it...

sudo apt-get install ufw 
sudo ufw allow 80/tcp 
sudo ufw allow 443/tcp 
sudo ufw allow 9876/tcp 
sudo ufw allow 22/tcp
sudo ufw logging on 
sudo ufw enable 
sudo ufw status 

This sets up a default deny (DROP) firewall for incoming connections, with all outbound connections allowed and connection tracking enabled.

The ufw framework can do anything that iptables can do. It works with several sets of rules files, which are simply iptables-restore compatible text files. Fine-tuning ufw, or adding iptables rules not offered via the ufw command, is a matter of editing these text files:
* /etc/default/ufw: high level configuration, such as default policies, IPv6 support and kernel modules to use
* /etc/ufw/before[6].rules: rules in these files are evaluated before any rules added via the ufw command
* /etc/ufw/after[6].rules: rules in these files are evaluated after any rules added via the ufw command

If you do edit any of the above files, activate the new settings with:

sudo ufw disable 
sudo ufw enable 
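The ufw commands above leave all outbound traffic open, while the policy described at the start of this section also restricts outbound to DNS and HTTP. As an added example (not from the original page), the function below writes that full policy as an iptables-restore rules file, the same format ufw uses for before.rules, so it can be reviewed before loading; 9876 is the page's example SSH port, and /etc/iptables.rules and the --load flag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the firewall policy described
# above as an iptables-restore rules file. Default DROP in and out, 80/443 and
# the custom SSH port in, MySQL only via loopback, DNS and HTTP out.
set -eu

# write_firewall_rules OUTFILE SSH_PORT: generate the rules file for review
write_firewall_rules() {
    out=$1; ssh_port=$2
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: lets PHP reach MySQL on 3306 without exposing it externally
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections we already accepted (connection tracking)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound services: HTTP, HTTPS and the non-default SSH port
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
# outbound: DNS and HTTP only, enough for apt-get and wget
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
# rate-limited logging of what the DROP policies discard
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
COMMIT
EOF
}

# Load the rules only when asked to; run as root after reviewing the file.
if [ "${1:-}" = "--load" ]; then
    write_firewall_rules /etc/iptables.rules 9876
    iptables-restore < /etc/iptables.rules
fi
```

With this outbound list the Postfix install above cannot deliver mail (25/tcp) and HTTPS downloads are blocked, so add those ports deliberately if you rely on them.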

More info on UFW:
https://help.ubuntu.com/8.04/serverguide/C/firewall.html
https://wiki.ubuntu.com/UbuntuFirewall
Debian beginner's firewall setup:
http://articles.slicehost.com/2007/9/5/debian-etch-setup-page-1

Configure Apache

First, install apache2:

sudo apt-get install apache2

Users and Groups

One of the first things to ensure is that Apache does not run as root, because if Apache is compromised an attacker could then gain control of the root account.

To check which user and group Apache is running as, type:
ps auwwfx | grep apache
Does the first column on those lines say 'www-data'? If so, this section is okay; move on.

If it says 'root' you need to do the following:

Add the user and group:
groupadd www-data
useradd -g www-data www-data
vim /etc/apache2/envvars (that's env vars together)
In this file, set APACHE_RUN_USER and APACHE_RUN_GROUP to 'www-data'.

Do a reload to effect the change:
sudo /etc/init.d/apache2 reload

Permission to serve files

sudo vim /etc/apache2/apache2.conf

Make sure the following are set:
ServerTokens Prod
ServerSignature Off

Do a reload to effect the change:
sudo /etc/init.d/apache2 reload

Enable/Disable some Apache Modules

Some modules aren't needed, so we can disable them for performance and security:

a2dismod cgi 
a2dismod autoindex 

And some modules we'd like to enable:

a2enmod deflate
a2enmod rewrite
a2enmod vhost_alias

Now restart Apache:
sudo /etc/init.d/apache2 restart

Advanced things to consider for the future:

Install mod_security (http://www.modsecurity.org/)
Install mod_chroot (http://core.segfault.pl/~hobbit/mod_chroot/)

Configure PHP

First, install PHP:

sudo apt-get install php5 php5-cli php5-mysql php5-gd php-pear

Get the path to sendmail

Issue the command:
sudo postconf -d sendmail_path
Note down this path.

Edit PHP.ini

All changes need to be performed in both:
/etc/php5/apache2/php.ini
and
/etc/php5/cli/php.ini

Change the settings in these files to read as follows:

safe_mode = Off 
expose_php = Off 
memory_limit = 128m 
display_errors = Off 
log_errors = On 
error_log = /var/log/php/php.log  (php_cli.log in the cli php.ini) 
sendmail_path = /usr/sbin/sendmail -t -i

where the sendmail_path is actually the path you noted down above, but keep the -t and -i switches.

Edit Apache/PHP settings

In /etc/apache2/mods-enabled/php5.conf add:
AddType application/x-httpd-php .inc .module .class

so it becomes something like:

<IfModule mod_php5.c> 
  AddType application/x-httpd-php .php .phtml .php3 
  AddType application/x-httpd-php .inc .module .class 
  AddType application/x-httpd-php-source .phps 
</IfModule>

Handling these additional file types as PHP scripts means that files of those types can't be downloaded directly from webroot folders, which would reveal site code, passwords etc.

Set up log files

Create the log directory and files:

mkdir /var/log/php 
touch /var/log/php/php.log 
touch /var/log/php/php_cli.log 
chown -R www-data:www-data /var/log/php 
chmod -R 0755 /var/log/php 

This makes sure that the log files exist and can be written to.

Log files should then be checked regularly to look for problems!

Restart Apache

/etc/init.d/apache2 restart

Configure MySQL

Start by installing MySQL:

sudo apt-get install mysql-server

Edit MySQL configuration file

sudo vim /etc/mysql/my.cnf

In the [mysqld] section add this:

set-variable=local-infile=0 

and check that

user = mysql 

If this is not set then MySQL runs as root, which is dangerous. A new user needs to be set up, given limited privileges (including access to the mysql directories) and then specified here. Ubuntu usually has this set by default.

Change Root password and username

Now type

mysql -u root -p 

It will prompt for a password. This is the original root password from when the server was set up, and it will be shown in the VPS control panel if the server was set up from a VPS image. In more basic setups you may just need to press return here.

We'll change this password now:

mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password'); 

Make a note of this new password.

Now we're changing the 'root' username to 'onlyme', which makes brute force dictionary attacks on the password harder:

mysql> use mysql; 
mysql> update user set user="onlyme" where user="root"; 
mysql> flush privileges; 

Check for crud

SHOW DATABASES;
On a clean install, if there are any databases other than mysql or information_schema, delete them (e.g. test databases).

SHOW GRANTS;
This will show which users have which permissions on the system. Get rid of defaults, demo users, etc.

Type 'exit' to log out of mysql.

Remove History

Now we empty the MySQL history file, in which all executed SQL commands are stored, including passwords in plain text.

cat /dev/null > ~/.mysql_history 

Install Aegir

Now you are ready to install the Aegir (Hostmaster) system: http://groups.drupal.org/node/25485
