How to Set Up a LAMP server on Linode

Learn how to securely set up a basic LAMP server with Centos, MySQL, and Apache on a Linode machine. By Chris Lowe.


Installing Fail2Ban

Fail2Ban automatically prevents people from connecting when they have too many failed login attempts. Malicious automated bots out there often try thousands of username and password combinations and tie up your server; Fail2Ban stops these attempts early on.

Note: Fail2Ban provides an additional layer of security on top of the SSH changes you’ve made to this point by blocking malicious attempts. Additionally, Fail2Ban can be configured to block malicious activity on other services like HTTP and FTP. Visit the Official Fail2Ban Documentation for advanced configuration options.

Enter the following commands at the shell prompt:

sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo yum install fail2ban

Fail2Ban isn’t available in the usual package repositories that CentOS ships with. The first line lets the system know about the Extra Packages for Enterprise Linux (or EPEL) repository, which includes many useful third-party libraries and utilities.

The second line then installs Fail2Ban itself. Accept the prompts to install the package and associated dependencies.

Next, set up the configuration file with the following commands:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Fail2Ban comes with some default configuration settings in jail.conf, but you don’t want to modify it directly because upgrading Fail2Ban later may overwrite this configuration file. To keep things clean, make a copy called jail.local which Fail2Ban reads as local customizations.

Once jail.local opens in the editor, find the line starting with ignoreip. If you have a static IP, or at least one that doesn’t change very often on your end, you can add it to this list to stop Fail2Ban from blocking you if you have too many failed logon attempts. You can Google “what is my ip address” and it will give it to you in the search results. Google FTW! :]

The line will look similar to the following once you’re done editing:

ignoreip = 127.0.0.1/8 103.209.112.213

Next, find the line starting with bantime and change it as follows:

bantime = 3600

If a system fails to authenticate itself after a certain number of attempts, Fail2Ban locks it out for 600 seconds by default. 10 minutes is not a lot of time for a persistent attacker, so this new value of 3600 bumps that up to an hour.

Save and close your file. Since this is a fresh install of Fail2Ban, start it manually with the following command:

sudo service fail2ban start

In the future, you can edit the configuration file and use the command above with “restart” in place of “start” to have the Fail2Ban service restart with the new settings.
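To confirm the two edits landed in the [DEFAULT] section and not in a single jail, here is an added example (not code from the article or from the Fail2Ban project). The function names default_value and audit_jail are hypothetical, and the sample file is constructed; it only understands bantime written as plain seconds, as in this tutorial.

```shell
# Added example (not the article's code): audit [DEFAULT] in a Fail2Ban jail file.
# default_value FILE KEY: print the last value assigned to KEY in [DEFAULT].
default_value() {
    awk -v key="$2" '
        /^[ \t]*\[/   { indef = ($0 ~ /^[ \t]*\[DEFAULT\]/); next }
        /^[ \t]*[#;]/ { next }                       # comment line
        indef && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_jail FILE MY_IP [MIN_BANTIME]: status 0 only if every check passes.
# MY_IP must appear as a literal ignoreip entry; no CIDR arithmetic is done.
audit_jail() {
    file=$1; myip=$2; min=${3:-3600}; rc=0; found=no
    bantime=$(default_value "$file" bantime)
    case $bantime in
        ''|*[!0-9]*) echo "FAIL bantime is not a plain number of seconds: '$bantime'"; rc=1 ;;
        *) [ "$bantime" -ge "$min" ] || { echo "FAIL bantime=$bantime is shorter than $min"; rc=1; } ;;
    esac
    set -f                                           # no globbing while splitting
    for entry in $(default_value "$file" ignoreip | tr ',' ' '); do
        case $entry in */0) echo "FAIL ignoreip entry $entry exempts every address"; rc=1 ;; esac
        if [ "$entry" = "$myip" ]; then found=yes; fi
    done
    set +f
    [ "$found" = yes ] || { echo "FAIL $myip is not a literal ignoreip entry"; rc=1; }
    return $rc
}

# Constructed sample: the tutorial's two edits, the commented-out default,
# and a jail-level override that must not be mistaken for the [DEFAULT] value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
# bantime = 600
ignoreip = 127.0.0.1/8 103.209.112.213
bantime  = 3600
[ssh-iptables]
bantime = 60
EOF
audit_jail "$sample" 103.209.112.213 && echo "OK   jail settings match the tutorial"
rm -f "$sample"
```

On the server, call `audit_jail /etc/fail2ban/jail.local` with your own address as the second argument before restarting Fail2Ban.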

If you want some late night reading material, the jail.local file defines ban parameters for every protocol on the server (Apache, FTP, etc) and examples of how to set up different options for each one for the ultimate customization possibilities.

Installing Apache

LAMP servers – Linux, Apache, MySQL, and PHP – are the de facto configuration these days and power everything from simple blogs and websites like the one you are building in this tutorial all the way up to infrastructure that companies like Facebook and Twitter built their legacy on.

Enter the following command at the prompt:

sudo yum install httpd

This installs the Apache web server. CentOS names the package httpd after the name of the executable, while other Linux distributions might call it Apache. Don’t worry, the names all refer to the same thing. :]

Next, you’ll need to set up the configuration file. Execute the commands below:

cp /etc/httpd/conf/httpd.conf ~/httpd.conf.backup
sudo nano /etc/httpd/conf/httpd.conf

Just like you did for Fail2Ban, first copy the default configuration to a backup file in case you need it in the future. Once you have the backup, you then open httpd.conf in a text editor.

In the httpd.conf file, find the section for the prefork module as shown below:

<IfModule prefork.c>
StartServers       2
MinSpareServers    6
MaxSpareServers   12
ServerLimit      128
MaxClients       128
MaxRequestsPerChild  3000
</IfModule>

Change the values in your file to match the list above. These values are optimized for Apache running on the base Linode server and allow for a low number of active services/threads but allow the server to ramp up when the traffic starts flowing in.

Finally, find the ServerName line in your file, and uncomment it by removing the # character at the start of the line and change the default value to localhost. Your line should look like the following:

ServerName localhost

Save the file and exit the editor by hitting Control-X. Then start Apache with the following command:

sudo service httpd start

Open up your favorite web browser and browse to the IP address of your server to see your new web site in all its glory!

That’s the L and the A — there are only two more letters to go in LAMP.

Installing MySQL

Enter these commands at the prompt to install MySQL:

sudo yum install mysql-server
sudo service mysqld start
sudo /usr/bin/mysql_secure_installation

Getting MySQL up and running requires only these three lines. It doesn’t get much easier than that! :]

The first line above installs the package and any required dependencies. The second line starts up the MySQL service. And finally, the third line runs a configuration script to secure the installation of MySQL.

When running through the mysql_secure_installation steps, you’ll be prompted for a root password for MySQL — just hit enter as you don’t have one yet. You’ll be prompted to create one, so do so. Say yes to all of the installation prompts, such as remove anonymous users, drop test database, and all others.

You might be wondering whether to allow incoming MySQL connections through your firewall. This is generally a bad idea for security reasons. The only thing connecting to your database should be your applications on your server. Allowing random strangers from the Internet to touch your MySQL database directly is a bad idea.
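To verify that nothing outside the server can reach MySQL, here is an added example (not code from the article) that checks both the listening socket and the firewall rules. The function names exposed_listeners and accept_rules are hypothetical, and the netstat and iptables output is constructed sample data.

```shell
# Added example (not the article's code): is MySQL's port listening on a
# public address, and does the firewall open it?

# exposed_listeners PORT: reads `netstat -tln` or `ss -tln` output on stdin
# (column 4 is the local address in both) and prints every non-loopback
# address that listens on PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ || $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print host
        }'
}

# accept_rules PORT: reads `iptables -S INPUT` output on stdin and prints
# ACCEPT rules that name PORT with --dport. Multiport lists and port ranges
# are not parsed.
accept_rules() {
    awk -v port="$1" '
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { print; next }
        }'
}

# Constructed sample output: mysqld bound to every interface, and a firewall
# that opens SSH and HTTP only.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN
tcp        0      0 :::80            :::*             LISTEN'
IPTABLES_SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

echo "non-loopback listeners on 3306: $(printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners 3306)"
echo "firewall rules accepting 3306:  $(printf '%s\n' "$IPTABLES_SAMPLE" | accept_rules 3306)"
```

On the server, feed the functions live output with `sudo netstat -tln | exposed_listeners 3306` and `sudo iptables -S INPUT | accept_rules 3306`. In the sample the firewall keeps 3306 closed, but mysqld still listens on 0.0.0.0, so the firewall is the only thing standing between the database and the Internet.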

Up to this point, you’ve been installing software and starting it up manually. If your server is rebooted though, you’d have to manually start all the services you installed such as Apache and MySQL.

To save you the headache, enter these commands at the shell prompt to set your services to automatically start:

sudo chkconfig fail2ban on
sudo chkconfig httpd on
sudo chkconfig mysqld on

The chkconfig program is short for “check configuration” and sets up the services that should start automatically.
