sbrl/Linux-101
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity
Linux-101/Linux-201/Lab-Sheet.md
Closebracket 08890c90b0
All checks were successful
continuous-integration/laminar-elessar Build 51 succeeded in 1 minute .
Details
More info on basic security
2019-08-15 17:07:11 +01:00

4.9 KiB
Raw Blame History

Linux 201: Web Server Setup

Introduction

  • Goals

    • Understand the process of setting up a web server
    • Understand why security is important when setting a web server.
    • Setup a basic web server to serve static files

  • Non-goals - links to useful tutorials will be provided at the end of this lab sheet

    • Setting up HTTPS - This requires a domain name

Things to mention in the slide deck

  • Apache vs Nginx
    • Thread-based vs event-based servers

Basic Security

  • Creating a non-root account:

    adduser "yourusername"

    As root, we should create a new user. This is because root has all permissions over the system and can therefore be used, even accidentally to damage or destory the system. Having seperate accounts, such as "yourusername" increases accountability and decreases the likelihood of system damage.

    During the setup, you may be asked for a password along with other information. You may customise this information as you wish.

    usermod -aG sudo yourusername

    Now that the user has been created, we should ensure that that user can execute commands with escalated permissions. These are called sudo permissons.

    • The Linux security model: Knowing why you're typing your password

  • SSH

    • Disable root login
    • SSH Keys

Setting up a firewall

Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called ufw, the 'uncomplicated firewall' is already present. It acts as a nice front-end to iptables, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:

sudo apt install ufw

Activation

Ufw, by default, allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the appropriate ports first before enabling ufw. Do that like this:

sudo ufw allow 22/tcp

ufw will automatically configure iptables to allow incoming connections on port 22 that use tcp. I will talk more about allowing and denying different connections later.

Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called at to schedule the disabling of the ufw so that you can get back in again. If you don't have it installed, you can install it with sudo apt install at.

sudo at -vM now +10 minutes
ufw disable
^D

Where ^D stands for CTRL + D. Now that you have it set such that ufw will disable itself in 10 minutes time, we go ahead and turn ufw on:

sudo ufw enable

It will warn you that this may disrupt any existing ssh connections you have open. Reply yes to this. Once it have been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.

Now that we have ufw enabled, we can cancel the at job we created to disable ufw. Type sudo atq to list the jobs you have schedules, and sudo atrm <number> to remove it, where <number> is the number of the jobs that you want to delete.

You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere

Allowing connections

Since we're going to be setting up a web server, we'll need to allow ti through ur new firewall. Doing so is easy. Simply do this:

sudo ufw allow 80/tcp

Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use TCP. It will also configure it appropriately for both ipv4 and ipv6.

If you ever want to incoming connections on another port in the future, replace 80 with the port number you want to allow and tcp with udp if needed.

Ufw also understands several protocol names, and can configure itself accordingly:

sudo ufw allow http
sudo ufw allow imap

Installing a Web Server

With our server secured, we can now install our web server. In this tutorial, we'll be using Nginx.

  • systemd services
    • Nginx is a service
  • Installing Nginx
    • sudo apt install nginx

Configuration

  • /etc/nginx/nginx.conf
  • /etc/nginx/sites-available/*
  • /etc/nginx/sites-enabled/*

References and Further Reading