How to set up a Linux/Apache/MySQL/Php (LAMP) environment using Ubuntu server
If you have an old Windows-compatible PC lying around, it's a fun exercise to set it up as a web server. It's also not too difficult if you have a guide such as this one to hand, and it doesn't matter if the PC is pretty old. Even something with 64 MB of RAM and an 8 GB hard disk is plenty.
If you're undertaking such an exercise, a server-oriented version of Linux is a good choice. Why server-oriented? Because the added GUI desktop is totally unnecessary. Why not Windows? Because, unless you have a spare copy of Windows Server around, you’ll be limited in the number of simultaneous connections your server can support (Windows XP Home and Professional are deliberately crippled in this respect). And Windows doesn’t run very well on old hardware anyway.
The only thing you need to check is that your computer has a built-in Ethernet connector. If its networking capability comes via a USB or PCMCIA plug-in adaptor, chances are that it won't work without you getting involved in some substantial fiddling.
I'm going to use Ubuntu Server 7.10 for this project. It’s ideally suited to the task, and it (and all the other components we’ll be installing) is available totally free of charge. So if you fancy giving it a go, here’s what you need to do.
Our Goal
Once you have followed this document, you’ll have a working Web server onto which users can safely and securely upload files via ftp. You’ll also have Webmin installed, for remote admin functionality, plus Webalizer for generating web usage stats. Plus, you’ll be able to host PHP/MySQL sites too.
Note that commands you need to type are in a bold courier typeface like this.
By the way, if this is the first time you’ve done anything like this (which it probably is, hence needing this document) you are strongly advised to keep your new web server within the confines of your own LAN and use it purely for your own education and experimentation. Assuming your new server is connected to the internet via a broadband router, it won’t be accessible by the world in general unless you change your firewall settings in order to allow incoming connections on port 80. And frankly, that’s the way it should stay! If you want to host real live web sites, leave it to the professionals.
First Install the OS
Get hold of a Ubuntu Server 7.10 CD, which you can download from http://releases.ubuntu.com/7.10/ubuntu-7.10-server-i386.iso. Yes, I know that this isn't the very latest version, but it's perfectly acceptable for this project and it works well. If you really want to get the latest version of Ubuntu Server instead then feel free, but the instructions below might not work exactly as you expect.
To get started, boot the PC from the CD-ROM.
When asked, name your machine. I called mine webtest, but the precise name that you choose doesn't really matter.
Your PC is probably connected to the internet via a broadband or cable router that handles DHCP, in which case the Ubuntu installer should be able to make contact with the internet automatically and obtain from the router an IP address for your server. If it can't, you’ll be asked to enter an IP address, netmask and gateway address. If this works, then that's just fine.
A word of advice: If Ubuntu can't detect a working network connection at all, that's probably because it doesn't have the necessary drivers available for your computer's ethernet socket. In which case, to be brutally frank, you should probably give up at this point. You won't have messed up your PC with a half-installed copy of Linux yet, and trying to troubleshoot Ubuntu networking is not something for amateurs. Trust me.
Anyway, assuming that Ubuntu detected a network connection, you'll now be asked how to format the hard disk. Choose "guided – use entire disk".
When asked, choose a name and password for your day-to-day user account.
From the software selection menu, select only LAMP server. That's Linux, Apache, MySQL and PHP.
Next you’ll be asked for a mysql root password. Be aware that you’ll only be asked once (no confirmation required) and that the password you enter isn’t shown on screen. So make sure you know what you’re typing!
That's the basic Linux installation over. Remove the CD when prompted and the machine will restart. If you don’t see a login: prompt after a minute or so, press Return and one should appear. Remember that this is a server installation so there's no pretty graphical interface here (and thus no need to connect a mouse to this PC).
At the login: prompt, log in with the username and password you created earlier.
If the server acquired its own IP address using DHCP, you’ll need to know what address it was allocated. Type ifconfig and have a look at what’s listed for inet addr. You’ll need to know this address in order to connect to the machine, unless you register a domain name that points to it or you add an entry to your company’s internal DNS servers. If there's more than one entry under ifconfig, make an intelligent guess as to which is the right one. You may find, for example, that a non-existent wifi connection with an IP address of 127.0.0.1 is also shown.
From now on we'll assume that your server is on 192.168.1.10. Whenever you see this address mentioned below, substitute the correct address for your server.
So far, we’ve only got one account set up. We also need to set a password for the root (ie, administrator) account for when we need to do things that require root access. So type sudo passwd root, specify your current password when asked, then choose a password for the root username.
Linux doesn’t normally allow you to log in as root directly so if/when you need to use your root privileges, log in with your normal user account and then type su, then enter the root password when prompted. In case you're wondering, it stands for super-user. If you ever forget who you’re logged in as, the whoami command will tell you. Or look at the command prompt, which will end with $ for a normal user and # for a root user.
Some Useful Commands
Here are some useful commands to get you started, now that you’ve got a usable Linux system:
shutdown –h now turns off the computer.
exit logs you out. You’ll need to do this twice if you used su. Remember that the web server is still running when you log out, so web/telnet connections to it will still work just fine. There’s no need to remain logged in all the time.
ls shows a directory listing (that's LS).
ls –la shows a better one (that's LS -LA).
cd / switches to the root directory.
cd dirname switches to the specified directory name, eg cd /etc.
clear clears the screen, like cls does in Windows.
cat is the linux version of the Windows "type" command if you want to display the contents of a text file.
rm deletes a file
cp is the linux equivalent of the DOS/Windows copy command.
find / -name xyz.ext will search the entire system for a file named xyz.ext
pwd (print working directory) tells you which directory you’re currently in
Within an ls –la directory listing, lines that start with a "d" are directories, otherwise they’re files. The other characters at the start of the line (such as rwxr--rw-) tell you who has permission to read, write, and execute the file. A google search for chmod will tell you how to understand and change these.
Get Updated
Now we need to scan the internet for any important updates. The list of locations in which Ubuntu Server searches for updates is stored in a text file at /etc/apt/sources.list but the first entry in this file points to the Ubuntu Server CD-ROM. We need to remove this entry, otherwise we’ll keep getting prompted to insert the CD whenever we perform an update.
This file is read-only, so you’ll need to be logged in as root (via su) to proceed beyond this point. In fact, everything that follows is best done as root (this is an exception rather than a rule - if you're not doing server maintenance, never log in as root).
Type cd /etc/apt
Type vi sources.list
You’ll now find yourself facing vi, undoubtedly the worst editor ever invented. But without a GUI on your server you have little choice. Plus, it’s very handy to know the basics of vi because it's part of every Linux and unix system.
To move the cursor up, down, left and right, use the k, j, h and l keys (I told you it was bad). To delete the character under the cursor, press x. That should be enough to allow you to delete any line that makes reference to "deb cdrom" and which isn’t already commented out (ie, which doesn’t have a # at the start).
If you mess up, type :q! and press return to abandon vi. If you manage to make it work, type :w to save the file and then :q to quit vi.
You won’t have to use vi very often. Later on we’ll install Webmin, which lets you maintain your server from another machine via a web browser. There’s a proper file manager and editor built into Webmin, thankfully.
It’s now time to update the system so that you’re running the latest versions of everything.
Type apt-get update to update the catalog of possible updates.
Then type apt-get upgrade to download and install any that need installing.
Note that apt-get may not work if your internet connection goes via a proxy server. Even if you entered the name of a proxy server when you first set up the machine and configured it with an IP address, apt-get doesn’t take any notice. To fix this, type:
export http_proxy="http://yourproxy.com:80"
specifying the address (and port) of your company’s proxy server. Then try the apt-get again.
Test Your Web Server
You should now have a basic working web server, although we’re not finished yet. But you can test that everything is working by typing the server’s IP address into a web browser on another machine on your LAN. You should see a web page with a link to apache2-default, and clicking on the link will bring up a brief message. Depending on your web browser, you may need to add http:// at the start of the address, eghttp://192.168.1.10.
Next we’ll install a telnet server so that we can connect to the machine remotely over the LAN in command-prompt mode without the need to actually be seated at the server itself.
Install the Telnet Server
Type apt-get install telnetd
This will download and install the telnet server. Now we need to kick-start it, by typing:
/etc/init.d/openbsd-inetd restart
You can now log out by typing exit (you need to type it twice because you used the su command, and the first time just takes you back into non-root mode).
Everything we do from now on can be done remotely via telnet, so if you want to install the server in a hard-to-reach cupboard that’s no problem. You won’t need physical access to the server again unless something goes wrong or if you need to turn it back on after a shutdown command.
To access your server type telnet 192.168.1.10 (or whatever the IP address of your server is) from any machine on your LAN and you’ll get a login prompt. You can do this from Windows or Linux or even a Mac.
Install the ftp server and set up a Web User account
Next, we need to install an ftp server so that people can upload html pages to your new web server. An ideal tool for this particular job is proftpd (that’s Unix-speak for the Pro FTP Daemon).
If you haven’t done so already, telnet to your server and type su to get root access. Or you can work on the server directly if it’s easier, of course.
We need to take a little care to set up the ftp server in a reasonably secure manner, even though this is only for test or educational purposes. We need to ensure that a user who logs into the ftp server in order to upload web pages can’t browse the entire server but is locked into one directory. Also, we need to ensure that a user who has an ftp username and password with which to upload web pages can’t use those credentials to access the system via telnet, as that would grant them far too much power.
Type apt-get install proftpd to install the ftp server. You’ll be asked whether to choose an inetd installation or standalone. Choose inetd.
The basic ftp server is now up and running, and you should be able to log into it with your non-root account. But we still need to set up an account that will allow someone to upload their web pages without having access to any other parts of the system.
First, switch to the /etc directory by typing cd /etc. We need to edit the file called shells and add a new line that says /bin/false to the file. Then, when we set up a new user account for our web user, we’ll configure their account so that /bin/false is their command shell. Because there’s no such shell, they won’t be able to log in with telnet.
Type vi shells to edit the file. Use the cursor keys (h,j,k,l) to move the cursor to the start of a new line, then press i to enter insert mode. Press Return to insert a new line, and add /bin/false as a new line in the file. Press Esc to leave insert mode, save the file with :w then exit vi with :q and you’re done.
Each user has a home directory which contains their various files. It’s like My Documents in Windows and normally it resides in the /home directory. For web users, rather than setting their home directory to be somewhere within /home we’ll put it under /var/www, which is the root of the web server.
Let’s make an account for a user called webuser1 with a password of flintstone. These are the steps that you need to do for each web user account you want to create:
cd /var/www
mkdir webuser1
useradd webuser1 –p xxxx –d /var/www/webuser1 –s /bin/false
chown webuser1 webuser1
passwd webuser1 and, when asked, choose flintstone as the password.
Note that xxxx above is your root password, not the one that you want to assign for the webuser1 account.
Also note the chown command which changes the ownership of the webuser1 directory from root (which created it) to webuser1. If you don’t do this, webuser1 won’t be able to upload files.
Just to make sure that everything is working, verify that you can’t telnet to the server using the webuser1 account.
Now create a simple index.html file and use ftp to upload it, using the webuser1/flintstone account. Then surf to http://192.168.1.10/webuser1 from any machine on your LAN and you should see the uploaded page.
Before we leave proftpd, there are a couple of changes that we need to make to its configuration file in order to improve security and make things neater.
Type cd /etc/proftpd and then vi proftpd.conf to edit the config file. Move the cursor up and down with j and k until you reach the DefaultRoot line, and remove the # symbol from the start of the line by pressing the x key. This will lock all ftp users into their home directory (eg /var/www/webuser1) and won’t let them view files that are further up the tree. Without this step, our webuser account holders could use their ftp software to browse the entire server's directory structure.
While you're in proftpd.conf, add a new line near the top of the file which says:
IdentLookups off
This will fix the problem which you’ll no doubt have noticed, of a few seconds’ delay when logging into the ftp server or uploading files.
You may also wish to change the ServerName entry from Debian to the name of your server, to make the welcome message more relevant. With vi, remember that typing i puts you into insert mode, for typing text, and Esc then puts you back into command mode from where you can type :w to save the file and :q to quit vi.
Webmin
Now that ftp is working, let’s install Webmin so that we can remotely administer the server from anywhere on our LAN via a web browser. It’s more fun and friendly than using telnet, and a great way to explore the machine.
First, make sure you’re logged in as root (via your normal user account and su) then type the following, all on one line:
apt-get install openssl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl libmd5-perl
Then type:
Note that wget probably won't work if your internet connection goes through a proxy server. In which case, type export http_proxy="http://yourproxy.com:80" first, and then issue the wget command.
Finally type dpkg -i webmin_1.380_all.deb and Webmin should be installed and ready to use.
From another machine on your LAN, surf to https://192.168.1.10:10000 and log in as root, using your server’s root password. Note the https bit – it won’t work with plain http. Also note the :10000, which is essential.
Ignore the warning about a missing SSL security certificate – you can trust this server unconditionally because it’s yours. You will, though, need Java installed on the PC from which you intend to use Webmin, otherwise it won’t work.
Possibly the most useful part of Webmin is the file manager, which also lets you edit files. You’ll find it in the “others” category at the bottom of the left-hand menu.
Webalizer
Now we’ll install Webalizer, which is a great tool that produces graphical stats to show your web site usage. Even if you’re only using your server for test/educational purposes, it’s useful to be able to see the sort of stats that are available with such programs.
To install webalizer type apt-get install webalizer
You need to tweak the Webalizer config file before the program will work. Type cd /etc/webalizer then vi webalizer.conf and delete the .1 from the end of the LogFile entry.
Webalizer produces its reports by analyzing the Apache web server log file on a regular basis. To make it do this, you need to set up what’s called a cron job in order to run /usr/bin/webalizer regularly. Every 15 minutes should do nicely, and the easiest way to do this is via Webmin.
Go into Webmin via https://192.168.1.10:10000 from another PC and, under the System category, click on "Scheduled Cron Jobs". Then click "Create A New Scheduled Cron Job".
Choose to execute the job as root. The command to execute is /usr/bin/webalizer. Click on "Times And Dates Selected Below". Under the minutes, tick "Selected" and choose 0, 15, 30 and 45. For hours, days, months and weekdays, select "All".
Now click the Create button and close your web browser. After 15 minutes or so, surf tohttp://192.168.1.10/webalizer and you should see the reports and stats. Wait another 15 minutes and you should see an updated version.
PHP and MySQL
Now we need to make PHP and MySQL work, to ensure that we can host not just static html sites but also dynamic database-driven ones. PHP should already be working just fine, so we need to test that. Create a file called test.php which contains:
<?
echo “this is a test file”;
?>
Upload it using the webuser1 account. Surf to http://192.168.1.10/webuser1/test.php and check that you see a web page containing just the message “this is a test file”. If it works, PHP is working on your web server.
To allow users to create database-driven sites we’ll install phpMyAdmin, which is a graphical web-based tool for managing MySQL databases. It’s best if we don’t allow web users to create their own databases, but we do want them to be able to manage the databases that we set up for them. PhpMyAdmin will work for both of these tasks. IE, for us to create databases and for our web users to maintain the tables within their allocated database.
As root, type apt-get install phpmyadmin
When asked which web server you’re using, choose apache2.
To use phpMyAdmin, surf to http://192.168.1.10/phpmyadmin and log in with a username of root and the MySQL root password that you set up right at the start of this document.
On the front page of phpMyAdmin, scroll down to the Privileges link and click it. Then click "Add A New User". Enter their username (webuser1 in this case), and assign them a password. This will be used for them to log into phpmyadmin, and they’ll also use it in their PHP code in order to connect to their database (using a host name of localhost). It’s up to you whether you make it the same as their ftp password (flintstone). In this example, let’s set the password as barney.
Click "Create database with same name and grant all privileges" and all the hard work will be done for you. A database called webuser1 will be created, with permission for the webuser1 account to do everything except creating new databases.
Log out of phpmyadmin (just close your browser), and then log in again. This time, use a username of webuser1 and a password of barney. You should see only the webuser1 database and no others, and you should find that you can create tables on the database but you can’t create new databases.
You may also find that you can see a database called information_schema as well as your webuser1 database. However, this is harmless and can be ignored – it’s not a security risk.
And that's it. You now have a fully working web server that you can use for test, development and training purposes.
If you want to tell people about this, please link to this page rather than copying the text elsewhere, as this document is frequently updated.
You can contact me with comments or criticisms via my web site at www.securitysavvy.com
