How to Set Up Multiple SSLs on One IP With Nginx

Reading Time: 6 minutes

With the shortage of available address space in IPv4, IPs are becoming increasingly difficult to come by, and in some cases, increasingly expensive. However, in most instances, this is not a drawback. Servers are perfectly capable of hosting multiple websites on one IP address, as they have for years.

But, there was a time when using an SSL certificate to secure traffic to your site required having a separate IPv4 address for each secured domain. This is not because SSLs were bound to IPs, or even to servers, but because the request for SSL certificate information did not specify what domain was being loaded, and thus the server was forced to respond with only one certificate. A name mismatch caused an insecure certificate warning, and therefore, a server owner was required to have unique IPs for all SSL hosts.

Luckily, IPv4 limitations have brought new technologies and usability to the forefront, most notably, Server Name Indication (SNI).

 

Why Do I Need an SSL?

Secure Socket Layer (SSL) certificates allow two-way encrypted communication between a client and a server. This allows any data protection from prying eyes, including sensitive information like credit card numbers or passwords. SSLs are optionally signed by a well-known, third-party signing authority, such as GlobalSign. The most common use of such certificates are to secure web traffic over HTTPS.

When browsing an HTTPS site, rather than displaying a positive indicator, modern browsers show a negative indicator for a site that is not using an SSL. So, websites that don’t have an SSL will have a red flag right off the bat for any new visitors. Sites that want to maintain reputation are therefore forced to get an SSL.

Luckily, it is so easy to get and install an SSL, even for free, that this is reduced to a basic formality. We’ll cover the specifics of this below.

 

What is SNI?

Server Name Indication is a browser and web server capability in which an HTTPS request includes an extra header, server_name, to which the server can respond with the appropriate SSL certificate. This allows a single IP address to host hundreds or thousands of domains, each with their own SSL!

SNI technology is available on all modern browsers and web server software, so some 98+% of web users, according to W3, will be able to support it.

 

Pre-Flight Check

We’ll be working on a CentOS 7 server that uses Nginx and PHP-FPM to host websites without any control panel (cPanel, Plesk, etc.). This is commonly referred to as a “LEMP” stack, which substitutes Nginx for Apache in the “LAMP” stack. These instructions will be similar to most other flavors of Linux, though the installation of Let’s Encrypt for Ubuntu 18.04 will be different. I’ll include side-by-side instructions for both CentOS 7 and Ubuntu 18.04.

For the remainder of the instructions, we’ll assume you have Nginx installed and set up to host multiple websites, including firewall configuration to open necessary ports (80 and 443). We are connected over SSH to a shell on our server as root.

Note
If you have SSLs for each domain, but they are just not yet installed, you should use Step 3a to add them manually. If you do not have SSLs and would like to use the free Let’s Encrypt service to order and automatically configure them, you should use Step 3b.

 

Step 1: Enabling SNI in Nginx

Our first step is already complete! Modern repository versions of Nginx will be compiled with OpenSSL support to server SNI information by default. We can confirm this on the command line with:

nginx -V

This will output a bunch of text, but we are interested in just this line:

...
TLS SNI support enabled
...

If you do not have a line like this one, then Nginx will have to be re-compiled manually to include this support. This would be a very rare instance, such as in an outdated version of Nginx, one already manually compiled from source with a different OpenSSL library. The Nginx version installed by the CentOS 7 EPEL repository (1.12.2) and the one included with Ubuntu 18.04 (1.14.0) will support SNI.

Step 2: Configuring Nginx Virtual Hosts

Since you have already set up more than one domain in Nginx, you likely have server configuration blocks set up for each site in a separate file. Just in case you don’t, let’s first ensure that our domains are set up for non-SSL traffic. If they are, you can skip this step. We’ll be working on domain.com and example.com.

vim /etc/nginx/sites-available/domain.com

Note
If you don’t happen to have sites-enabled or sites-available folders, and you want to use them, you can create /etc/nginx/sites-available and /etc/nginx/sites-enabled with the mkdir command. Afterward,  inside /etc/nginx/nginx.conf, add this line anywhere inside the main http{} block (we recommend putting it right after the include line that talks about conf.d):

include /etc/nginx/sites-enabled/*;

Otherwise, you can make your configurations in /etc/nginx/conf.d/*.conf.

At the very least, insert the following options, replacing the document root with the real path to your site files, and adding any other variables you require for your sites:

server {
listen 80;
server_name domain.com;
root /var/www/domain.com;
...
}

A similar file should be set up for example.com, and any other domains you wish to host. Once these files are created, we can enable them with a symbolic link:

ln -s /etc/nginx/sites-available/domain.com /etc/nginx/sites-enabled/

ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Now, we restart Nginx…

systemctl reload nginx

This reloads the configuration files without restarting the application. We can confirm that the two we just made are loaded using:

nginx -T

You should see your server_name line for both domain.com and example.com.

Note
The listen line included in the server block above will allow the site to listen on any IP that is on the server. If you would like to specify an IP instead, you can use the IP:port format instead, like this:

server {
listen 123.45.67.89:80;
...
}

Step 3a: Add Existing SSLs to Nginx Virtual Hosts

Now that we have valid running configurations, we can add the SSLs we have for these domains as new server blocks in Nginx. First, save your SSL certificate and the (private) key to a global folder on the server, with names that indicate the relevant domain. Let’s say that you chose the global folder of /etc/ssl/. Our names, in this case, will be /etc/ssl/domain.com.crt (which contains the certificate itself and any chain certificates from the signing authority), and /etc/ssl/domain.com.key, which contains the private key. Edit the configuration files we created:

vim /etc/nginx/sites-available/domain.com

Add a brand new server block underneath the end of the existing one (outside of the last curly brace) with the following information:

server {
listen 443;
server_name domain.com;
root /var/www/domain.com;
ssl_certificate /etc/ssl/domain.com.crt;
ssl_certificate_key /etc/ssl/domain.com.key;
...
}

Note the change of the listening port to 443 (for HTTPS) and the addition of the ssl_certificate and ssl_certificate_key lines. Instead of rewriting the whole block, you could copy the original server block and then add these extra lines, while changing the listen port. Save this file and reload the Nginx configuration.

systemctl reload nginx

We again confirm the change is in place using:

nginx -T

For some setups you’ll see two server_name lines each for domain.com and example.com, one using port 80 and one using port 443. If you do, you can skip to Step 4, otherwise continue to the next step.

Step 3b: Install and Configure Let’s Encrypt

Let’s next set up the free SSL provider Let’s Encrypt to automatically sign certificates for all of the domains we just set up in Nginx. On Ubuntu 18.04, add the PPA and install the certificate scripts with aptitude:

add-apt-repository ppa:certbot/certbot

apt-get update

apt-get install certbot python-certbot-nginx

In CentOS 7, we install the EPEL repository and install the certificate helper from there.

yum install epel-release

yum install certbot python2-certbot-nginx

On both systems, we can now read the Nginx configuration and ask the Certbot to assign us some certificates.

certbot --nginx

This will ask you some questions about which domains you would like to use (you can leave the option blank to select all domains) and whether you would like Nginx to redirect traffic to your new SSL (we would!). After it finishes it’s signing process, Nginx should automatically reload its configuration, but in case it doesn’t, reload it manually:

systemctl reload nginx

You can now check the running configuration with:

nginx -T

You should now instead see two server_name lines each for domain.com and example.com, one using port 80 and one using port 443.

Let’s Encrypt certificates are only valid for 90 days from issuance, so we want to ensure that they are automatically renewed. Edit the cron file for the root user by running:

crontab -e

The cron should look like this:

45 2 * * 3,6 certbot renew && systemctl reload nginx

Once you save this file, every Wednesday and Saturday at 2:45 AM, the certbot command will check for any needed renewals, automatically download and install the certs, followed by a reload of the Nginx configuration.

Step 4: Verify Installation and Validity

We should now check the validity of our SSLs and ensure that browsers see the certificates properly. Visit https://sslcheck.liquidweb.com/ and type in your domain names to check the site’s SSL on your server. You should see four green checkmarks, indicatating SSL protection.

We hope you’ve enjoyed our tutorial on how to install SSLs on multiple sites within one server. Liquid Web customers have access to our support team 24/7.  We can help with signed SSL or ordering a new server for an easy transfer over to Liquid Web.

How to Install and Configure Puppet on CentOS, Fedora, Ubuntu or Opensuse

Reading Time: 4 minutes

What is Puppet?

Puppet: A Closer Look At Who Holds The Strings

Puppet is an intuitive, task-controlling software which provides a straightforward method to manage Linux and Windows server functions from a central master server. It can perform administrative work across a wide array of systems that are primarily defined by a “manifest” file, for the group or type of server(s) being controlled.

System Requirements

Puppet uses a master/client setup to communicate between the master and client servers. The master server will require more resources than the client servers utilize. The resources needed on the master server will mainly depend on:

  • The number of remote agents (servers) being utilized
  • How frequently those remote agents check in to the master server
  • How many resources are being managed on each remote agent
  • The complexity of the manifest files and modules in use
Note
A Puppet master server must run on UNIX variants known as  “ *nix ” operating systems. Currently, Puppet masters CANNOT run in a Windows environment.
Master Hardware Requirements

The minimum hardware requirements for the Puppet master servers will be based on multiple factors as stated above and noted in Puppet’s guidelines.

 

Client Software Platforms

The Puppet-agent (or client) packages are available for these platforms:

 

Dependencies

If you are installing the Puppet client using an official distribution package via a repository then your system’s package manager usually ensure that the proper dependencies are installed. If you install the agent on a platform without a supported package, you must also manually install the dependent packages, libraries, and gems:

  • Ruby 2.5.x
  • CFPropertyList 2.2 or later
  • Facter 2.0 or later
  • The msgpack gem from MessagePack, if you’re using msgpack serialization

 

Timekeeping and Name Resolution

Before installing the client, there are certain network requirements which you will require you to preparie, review and consider. The most important aspects include time syncing and implementing an idea for name resolution.

Timekeeping

You will want to make sure that the Network Time Protocol (NTP) service is in place to ensure that the time is in sync between the master server, (which acts as the certificate authority) and clients. This is recommended due to the issues that can develop if the servers time drifts out of sync. You may encounter odd certificate issues. A service like NTP (available on most servers) assures accurate timekeeping and will reduce the risk of error like this occurring.

Name resolution

The second part of this component is to decide on an iterable naming convention. For example, by using a master name like puppet.domain.com establishes the continuity of this naming convention. This also allows optimal master communication and that all future agents can reach the master. You can simplify this by utilizing a CNAME record (a name forwarding DNS entry) to ensure the master is always reachable.

 

Firewall Configuration

In a master/client setup, the master server must have port 8140 open to allow for incoming connections from the remote clients. You can use either of the following commands to check that the port is open and listening:

root@master [~]# netstat -tulpn | grep LISTEN |grep 8140
root@master [~]# lsof -i -P -n | grep LISTEN |grep 8140

If nothing is returned with the above command then you’ll need to open port 8140. To open the port in the UFW firewall, use the following command:

root@master:~# ufw allow 8140/tcp
Rules updated
Rules updated (v6)
root@master:~#

 

Puppet Installation

Usually, Puppet uses approximately 2 GB of RAM by default. Plan on this amount plus any additional RAM needed to run the server’s OS itself. If you plan on creating a 2 GB server, opt for one that has 4GB of RAM if you are going to use it as a Puppet master.

Puppet is available on multiple OS variants including:

  • Red Hat/CentOS/Fedora
  • Debian/Ubuntu
  • SUSE Linux Enterprise Server

The basic install steps across all of the above mentioned OS is as follows:

Available Puppet Repositories

root@master [~]# wget https://apt.puppetlabs.com/puppet-release-bionic.deb
root@master [~]# dpkg -i puppet-release-bionic.deb
root@master [~]# apt update
root@master [~]# apt install puppetserver

Note
Our Fully Managed servers (cPanel or Plesk) wouldn’t be good options for Puppet implementation since additional repositories may conflict.

Install the Puppet Master’s Software

Red Hat/CentOS/Fedora

yum install puppetserver

Debian/Ubuntu

apt-get install puppetserver

SUSE/Opensuse

zypper install puppetserver

 

Start the Puppet Master Service

Red Hat/CentOS/Fedora

systemctl start puppetserver

Debian/Ubuntu

service puppetserver start

SUSE/Opensuse

/etc/rc.d/puppetmaster start

 

Install the Puppet Client’s Software

Yum:

yum install puppet-agent

Apt:

apt-get install puppet-agent

Zypper:

zypper install puppet-agent

 

Puppet Configuration

Puppet contains around 200 different configuration settings located within the puppet.conf file. For most servers, you will only need to adjust about 20 settings or less in the file depending on your server’s setup. You can use the command below to set the needed values.

puppet config

We’ve listed the 5 most requested settings to suit your specific needs:

  • dns_alt_names – This is a list of allowed hostnames acting as the Puppet master.
  • environment_timeout – This setting is defaulted to 0 and should be untouched unless you have a particular cause to alter it. You can adjust this setting to unlimited to make master refreshes a part of your standard code deployment process.
  • environmentpath –  The environment path defines the locations where Puppet can find the specific directories for any unique environments. T
  • basemodulepath – This is a list of directories that contains the Puppet modules used in various environments.
  • reports – Directs which report handlers, listed below, to use.
    • HTTPS – Sends reports via HTTP/HTTPS as a POST request to the address defined in the reporturl setting.
    • Log – Sends reports to the local default log destination (usually syslog)
    • Store – Hosts will send a YAML dump of data to a local directory (defined by the reportdir setting in the puppet.conf)

The config reference provides a more comprehensive array of available options in modifying your server to suit your specific needs

 

More Information

Overall, Puppet is an attractive addition to your everyday toolset for managing and automating tedious tasks. Once it is installed and configured, it will maintain your day to day servers tasks with ease. You may want to consult the Puppet documentation for more in-depth information on this topic or consult the following resources for additional info.

 

How Can We Help?

If you would like more information on how this software can benefit your current setup, simply reach out to us via a phone call, chat or ticket, and one of our Most Helpful Humans in Hosting will follow up with you to advise on how best you can integrate this process into your existing infrastructure! We are looking forward to speaking with you!

 

 

How to Set Up A Firewall Using Iptables on Ubuntu 16.04

Reading Time: 5 minutes

This guide will walk you through the steps for setting up a firewall using iptables in Ubuntu 16.04. We’ll show you some common commands for manipulating the firewall, and teach you how to create your own rules.

 

What are Iptables in Ubuntu?

The utility iptables is a Linux based firewall that comes pre-installed on many Linux distributions. It is a leading solution for software-based firewalls. It’s a critical tool for Linux system administrators to learn and understand. Any publicly facing server on the Internet should have some form of firewall enabled for security reasons. In a typical configuration, you would only open ports for the services that you wish to be accessible via the Internet. All other ports would remain closed and inaccessible via the Internet. For example, in a typical server, you may want to open ports for your web services, but you probably would not want to make your database accessible to the public!

 

Pre-flight

Working with iptables requires root privileges on your Linux box. The rest of this guide assumes you have logged in as root. Please exercise caution, as commands issued to iptables take effect immediately. You will be manipulating how your server is accessible to the outside world, so it’s possible to lock yourself out from your own server!

Note
If you’re a Liquid Web customer, check out our VPN + IPMI remote management solutions. These solutions can help you restore access to your server even if you’ve blocked out the outside world. We have a VPN configuration guide to get you started. Of course, our support staff is also standing by 24×7 in the event you get locked out.

 

How Do Iptables Work?

Iptables works by inspecting predefined firewall rules. Incoming server traffic is compared against these rules, and if iptables finds a match, it takes action. If iptables is unable to find a match, it will apply a default policy action. Typical usage is to set iptables to allow matched rules, and deny all others.

 

How Can I See Firewall Rules in Ubuntu?

Before making any changes to your firewall, it is best practice to view the existing rule set and understand what ports are already open or closed. To list all firewall rules, run the following command.

iptables -L

If this is a brand new Ubuntu 16.04 installation, you may see there are no rules defined! Here is an example “empty” output with no rules set:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you’re running Ubuntu 16.04 on a Liquid Web VPS, you’ll see we’ve already configured a basic firewall for you. There are usually three essential sections to look at in the iptables ruleset. When dealing with iptables rulesets, they are called “chains”, particularly “Chain INPUT”, “Chain FORWARD”, and “Chain OUTPUT”. The input chain handles traffic coming into your server while the output chain handles the traffic leaving your server. The forwarding chain handles server traffic that is not destined for local delivery. As you can surmise, the traffic is forwarded by our server  to its intended destination.

 

Common Firewall Configurations

The default action is listed in “policy”. If traffic doesn’t match any of the chain rules, iptables will perform this default policy action. You can see that with an empty iptables configuration, the firewall is accepting all connections and not blocking anything! This is not ideal, so let’s change this. Here is an example firewall configuration allowing some common ports, and denying all other traffic.

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

iptables -A INPUT -s 192.168.0.200 -j DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

We will break down these rules one at a time.

iptables -A INPUT -i lo -j ACCEPT

This first command tells the INPUT chain to accept all traffic on your loopback interface. We specify the loopback interface with -i lo. The -j ACCEPT portion is telling iptables to take this action if traffic matches our rule.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Next, we’ll allow connections that are already established or related. This can be especially helpful for traffic like SSH, where you may initiate an outbound connection and wish to accept incoming traffic of the connection you intentionally established.


iptables -A INPUT -p icmp -j ACCEPT

This command tells your server not to block ICMP (ping) packets. This can be helpful for network troubleshooting and monitoring purposes. Note that the -p icmp portion is telling iptables the protocol for this rule is ICMP.


How Do I Allow a Port in Ubuntu?

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

TCP port 22 is commonly used for SSH. This command allows TCP connections on port 22. Change this if you are running SSH on a different port. Notice since SSH uses TCP, we’ve specified the protocol using -p tcp in this rule.


iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These two commands allow web traffic. Regular HTTP uses TCP port 80, and encrypted HTTPS traffic uses TCP port 443.


iptables -A INPUT -p udp --dport 1194 -j ACCEPT

This is a less commonly used port, but here is an example of how to open port 1194 utilizing the UDP protocol instead of TCP. Note that in this example we’ve specified UDP by using -p udp.


How Do I Allow an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

You can configure iptables to always accept connections from an IP address, regardless of what port the connections arrive on. This is commonly referred to as “whitelisting”, and can be helpful in certain circumstances. We’re whitelisting 192.168.0.100 in this example. Typically you would want to be very restrictive with this action and only allow trusted sources.


How Do I Block an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.200 -j DROP

You can also use iptables to block all connections from an IP address or IP range, regardless of what port they arrive on. This can be helpful if you need to block specific known malicious IPs. We’re using 192.168.0.200 as our IP to block in this example.


How Do I Block All Other Ports?

iptables -P INPUT DROP

Next, we tell iptables to block all other inputs. We’re only allowing a few specific ports in our example, but if you had other ports needed, be sure to insert them before issuing the DROP command.


How Do I Forward Traffic in Ubuntu?

iptables -P FORWARD DROP

Likewise, we’re going to drop forwarded packets. Iptables is very powerful, and you can use it to configure your server as a network router. Our example server isn’t acting as a router, so we won’t be using the FORWARD chain.


How Do I Allow All Outbound Traffic?

iptables -P OUTPUT ACCEPT

Finally, we want to allow all outgoing traffic originating from our server. We’re mostly worried about outside traffic hitting our server, and not blocking our own box from accessing the outside world.


How Do I Permanently Save IP Rules?

To make your firewall rules persist after a reboot, we need to save them. The following command will save the current ruleset:

/sbin/iptables-save


How Do I Reset My Iptable?

To wipe out all existing firewall rules and return to a blank slate, you can issue the following command. Remember that an empty iptables configuration allows all traffic to your server, so you typically would not want to leave your server unprotected in this state for very long. Nevertheless, this can be very helpful when configuring new firewall rulesets and you need to revert to a blank slate.

iptables -F

 

We’ve covered a lot of ground in this article! Configuring iptables can seem like a daunting process when first looking at an extensive firewall ruleset, but if you break down the rules one at a time, it becomes much easier to understand the process. When used correctly, iptables is an indispensable tool for hardening your server’s security. Liquid Web customers enjoy our highly trained support staff, standing by 24×7, if you have questions on iptables configurations. Have fun configuring your firewall!

How to Change Your Hostname in Ubuntu 16.04

Reading Time: 5 minutes
Image result for ubuntu logo

Times are changing, and possibly your hostname is too if you are reading this article.  You may have come across a scenario within your business that requires you to change your hostname.  You might ask yourself why you would need to change your hostname? The most common scenarios would be due to a domain name change, your business has changed its course, or because you have thought of something better.

Sometimes you might forget to renew the domain names before they expire. Unfortunately, this can be a time where a domain brokers purchases you domain name.  These are agencies who take popular sites and purchase with the intent of holding the domain until their inflated price is met.  As unfortunate as this may be, sometimes it is best to purchase a new domain name for cost efficiency.

Note
When purchasing domains from Liquid Web you can always select the option to Auto Renew within our portal Domains >> My Domains

 

Benefits to using a Fully Qualified Domain Name for your Hostname

It is good practice to use your FQDN Fully Qualified Domain Name as your hostname. Following this practice creates more options for securing your hostname with an SSL.  This will allow services like email to function using a secured connection. Using a hostname with a registered domain will allow you to add a corresponding DNS entry.  This will prevent unpredictable behavior by some services that use the hostname. This would allow you to set up a reverse lookup DNS entry. It can be very important especially with services like email verfication.  For example, when an email is sent the receiving server runs a reverse lookup on the sender’s hostname. The reverse lookup allows receivers server to ensure the hostname resolves to the matching IP address. This is just one preventive measure servers now use to reduce email spoofing incidents.

By using a unique domain name, you can reduce editing time. You may have a script that calls to the servers IP, instead of the hostname, to correctly function.  Best practice is to use the hostname because future migrations may change IP addresses/ranges.  Using the hostname can save you a lot of time in the long run, depending on your infrastructure and coding.

 

Using SSH for Windows 10, 7/8, and Mac OS X

We’ll need to connect to your server.  For this article, we will be using SSH “Secure Shell” to access the server and issues commands.  SSH is a powerful tool that will allow us to establish a secure connection with your server, diagnose, and issue remote commands.  For more information on the SSH protocol, you can visit the following links.

There are a few ways to use SSH depending on your operating system. We’ve have included some examples below followed by links with more information.

Windows 10

Using SSH client in Windows 10

Note
Note: Because the OpenSSH client was introduced in the Windows 10 Fall Creators Update, you’ll need to first update to at least that version of the operating system.

Windows 7/8

Unfortunately, for older versions of Windows, it is not exactly possible to set up an SSH natively to connect to your server.  Thankfully, applications were created to assist. We like to use MobaXterm, but Putty is a safe choice as well. Both of these applications are free to use and simple to set up. We’ve included links below with more information on these applications.

Mac OS X

Newer Mac operating systems come with an excellent utility to access SSH called Terminal. To access Terminal navigate to your Applications folder >> Utilities folder >> Terminal.

In case Terminal is inefficient for your preference, there are other options available in the App store or through a quick search on Google . Putty is also available on Mac!

 

Changing the Hostname in Ubuntu 16.04

At this point, you should be able to access your server using SSH.  Once you have accessed your server, you will want to either switch to the root user or run these commands using sudo.  The files you will be accessing are owned by root. Because of this, you will need root privileges.

To start things off, we will want to edit /etc/hostname and the /etc/hosts files.  You can do so by using a text editor of your choice. We will demonstrate how to accomplish this task using the text editor called VIM.  Some of these command line text editors can seem complicated, we will include the “sed” command to make things even easier.

Switching to root user:

# su – root  

Editing the hostname and hosts file:

# vim /etc/hostname  

# vim /etc/hosts  

Once you have opened these files, you will need to change your hostname as follows:

  1. Press the i key to insert.  This will allow you to edit.  You will notice the editor says “Insert” at the bottom of the page.
  2. Use the arrow keys to navigate the cursor to your old hostname.
  3. Backspace to delete single characters
  4. Replace with the new hostname.  Be sure the syntax is correct.
  5. When done editing hit the ESC key to exit insert mode.
  6. Then hold shift andpress the : key
  7. Finally, type wq and press enter key. This will write to the file and quit the editor
  8. Repeat for /etc/hostname                                                            

As we mentioned earlier, the command line text editors can appear to be overly complicated, especially when you’re used to programs like Word and the Window’s text editor.  Because of this, we have included the command below.

Note
Change host.example.com to your old hostname. Change host.newhostname.com to your new hostname

# sed -i 's/host.example.com/host.newhostname.com/g' /etc/hosts

# sed -i 's/host.example.com/host.newhostname.com/g' /etc/hostname

After editing these files, you’ll need to reboot the server. If you wish to reboot at a later time but still want your new hostname to take immediate effect click on this sentence to skip ahead. Otherwise, you can do so by running

# reboot

Your SSH session should be terminated.  Depending on your server it can take a few minutes to boot back up.  Once the server is back online you can check your changes by running the following command:

# hostname  

If all went well, the terminal should output your new hostname.

If you wish to reboot at a later time but still want your new hostname to take immediate effect, you can use the hostname command to temporarily set the hostname until the next reboot.  From there, the changes in /etc/hosts and /etc/hostname will take permanent effect.

# hostname host.newhostname.com

There is also an alternative available.  The hostnamectl command is default for both Desktop and Server versions. They combine setting the hostname via the hostname  command, editing  /etc/hostname and setting the static hostname. Unfortunately, editing /etc/hosts  still has to be done separately.

Example:

# hostnamectl set-hostname host.newhostname.com

 

Common Issue after Hostname Update

The “Failed to start hostname.service: Unit hostname.service is masked” error can happen when there is a syntax error within the /etc/hostname, or /etc/hosts file, or when the hostname does not match between these two files.  Be sure to check both of these files for mistakes and correct them as needed. In newer versions of Ubuntu, you will also want to use the hostnamectl command mentioned earlier.  

# hostnamectl set-hostname host.newhostname.com

Once corrected, be sure to start the hostname service to see if the issue has been corrected. You can do so by running the command that we have included below. Afterward, we would recommend rebooting your server.  This is not always necessary, but in some cases, it is required.

# systemctl restart hostname  

As always, Liquid Web customer’s enjoy 24/7 technical support with changing your hostname. Reach out to our sales team to see how you can get into our lightening fast servers today!

 

How to Install Nextcloud 15 on Ubuntu 18.04

Reading Time: 2 minutes

Similar to Dropbox and Google Drive, Nextcloud is self-hosting software that allows you to share files, contacts, and calendars. But, unlike Dropbox and Google Drive, your files will be private and stored on your server instead of a third party server. Nextcloud is HIPAA and GDPR compliant, so your files will be encrypted along with the ability to audit. For this tutorial, we’ll be installing our Nextcloud instance on our Ubuntu 18.04 LTS server. Continue reading “How to Install Nextcloud 15 on Ubuntu 18.04”

How to Install phpMyAdmin on Ubuntu 18.04

Reading Time: 1 minute

Working with a database can be intimidating at times, but phpMyAdmin can simplify tasks by providing a control panel to view or edit your MySQL or MariaDB database.  In this quick tutorial, we’ll show you how to install phpMyAdmin on an Ubuntu 18.04 server. Continue reading “How to Install phpMyAdmin on Ubuntu 18.04”

How to Setup Let’s Encrypt on Ubuntu 18.04

Reading Time: 3 minutes

Sites with SSL are needed more and more every day. It’s ubiquitious enforcement challenges website encryption and is even an effort that Google has taken up. Certbot and Let’s Encrypt are popular solutions for big and small businesses alike because of the ease of implementation.  Certbot is a software client that can be downloaded on a server, like our Ubuntu 18.04, to install and auto-renew SSLs. It obtains these SSLs by working with the well known SSL provider called Let’s Encrypt. In this tutorial, we’ll be showing you a swift way of getting HTTPS enabled on your site.  Let’s get started! Continue reading “How to Setup Let’s Encrypt on Ubuntu 18.04”

How to Install MariaDB on Ubuntu 18.04

Reading Time: 1 minute

MariaDB is a drop in replacement for MySQL, and its popularity makes for several other applications to work in conjunction with it. If you’re interested in a MariaDB server without the maintenance, then check out our high-availability platform. Otherwise, we’ll be installing MariaDB 10 onto our Liquid Web Ubuntu server, let’s get started! Continue reading “How to Install MariaDB on Ubuntu 18.04”

How to Install Apache 2 on Ubuntu 18.04

Reading Time: 2 minutes

Apache is the most popular web server software being used today.  Its popularity is earned through its stability, fast service, and security.  Most likely if you are building out a web page or any public facing app, you’ll be using Apache to display it. At the time of writing, the most current offering of Apache is 2.4.38, and it is the version we will be using to install on our Ubuntu 18.04 LTS server.  Let’s get started! Continue reading “How to Install Apache 2 on Ubuntu 18.04”

Things to Do After Installing a Ubuntu Server

Reading Time: 5 minutes

After spinning up a new Ubuntu server you may find yourself looking for a guide of what to do next.  Many times the default setting do not provide the top security that your server should have. Throughout this article we provide you security tips and pose questions to help determine the best kind of setup for your environment.

 

1. Secure the Root User

This should be the very first thing you do when setting up a fresh install of Ubuntu server. Typically setting up a password for the root user is done during the installation process. However, if you should ever find yourself in a position where you have assumed the responsibility of a Ubuntu server, it’s best to reset the password keeping in mind the best practices for passwords.

  • Don’t use English words
  • Use a mixture of symbols and alphanumeric characters
  • Length – based on probability and odds of guessing or cracking a password you can provide the best security after a password gets to a certain length. More than ten characters long is good practice, but even longer passwords with complex characters is a safer way to go.

You can also lock the root user password to effectively keep anything from running as root.

Warning:
Please be sure you already have another administrative user on the system with root or “sudo” privileges before locking the root user.

Depending on your version of Ubuntu the root account may be disabled, simply setting or changing the password for root will enable it with the following.

sudo passwd root

Now we can lock the root account by locking the password with the “-l” flag like the following. This will prevent the root user from being used.

sudo passwd -l root

To unlock the root account, again, just change the password for root to enable it.

sudo passwd root

 

2. Secure SSH Access

Many times, once a server is up and running the default configuration for SSH remote logins are set to allow root to log in. We can make the server more secure than this.

You only need to use the root user to run root or administration level commands on the server. This can still be accomplished by logging into a server over SSH with a regular user, and then switching to the root user after you are already logged into the server.
ssh spartacus@myawesomeserver.com

Once logged in you can switch from the user “spartacus” to the root user.

su -

You can disable SSH login for the root user by making some adjustments in the sshd_config file. Be sure to run all of the following commands as root or with a user with sudo privileges.

vim /etc/ssh/sshd_config

Within this file find the Authentication section and look for the following line:

PermitRootLogin yes

Just change that to:

PermitRootLogin no

For the changes to take effect you will need to restart the SSH service with:

/etc/init.d/ssh restart

You can now test this by logging out of the server and then log in again over SSH with the root user and password. It should deny your attempts to do so. This provides a lot more security as it requires a different user (one that others won’t know and probably cannot guess) to log in to the server over SSH. This provides two values that an attacker would need to know, instead of one vaule, as most hackers know that the root user exists on a Linux server.

Also, the following can also be changed to make SSH access more secure.

vim /etc/ssh/sshd_config

PermitEmptyPasswords no

Make sure that directive is set to “no” so that users without a password can’t log in. Otherwise, the attacker would need only one piece of information while also giving them the ability to get in with just knowledge of a user. This, of course, would also mean they could keep attempting guesses at users as well and very easily log in.

A final caution is to adjust any router or firewall settings to make sure that remote SSH access is forwarded to port 22 and does not directly access port 22. This will eliminate a lot of bots or scripts that will try to log in over SSH directly on port 22 with random usernames and passwords. You may need to refer to your router or server firewall documentation on making sure you forward a higher port than port 22.

 

3. Install a Firewall

By default, later versions of Ubuntu should come with Uncomplicated Firewall or UFW. You can check to see if UFW is installed with the following:

sudo ufw status

That will return a status of active or inactive. If it is not installed you can install it with:

sudo apt-get install ufw

It’s a good idea to think through a list of components that will require access to your server. Is SSH access needed? Is web traffic needed? You will want to enable the services through the firewall that are needed so that incoming traffic can access the server in the way you want it to.

In our example let’s allow SSH and web access.

sudo ufw allow ssh

sudo ufw allow http

Those commands will also open up the ports. You can alternatively use the port method to allow services through that specific port.

sudo ufw allow 80/tcp

That will essentially be the same as allowing the HTTP service. Once you have the services you want listed you can enable the firewall with this.

sudo ufw enable

This may interrupt the current SSH connection if that is how you are logged in so be sure your information is correct, so you don’t get logged out.

Also, ensure you have a good grasp on who really needs access to the server and only add users to the Linux operating system that really need access.

 

4. Understand What You Are Trying to Accomplish

It’s important to think through what you will be using your server for. Is it going to be just a file server? Or a web server? Or a web server that needs to send an email out through forms?

You will want to make a clear outline of what you will be using the server for so you can build it to suit those specific needs. It’s best to only build the server with the services that it will require. When you end up putting extra services that are not needed you run the risk of having outdated software which will only add more vulnerability to the server.

Every component and service you run will need to be secured to it’s best practices. For example, if you’re strictly running a static site, you don’t want to expose vulnerabilities due to an outdated email service.

 

5. Keep the File System Up-To-Date

You will want to make sure your server stays up to date with the latest security patches. While a server can run for a while without much maintenance and things will “just work” you will want to be sure not to adapt a “set it and forget it” mentality.

Regular updates on a Ubuntu server can make sure the system stays secure and up to date. You can use the following to do that.

sudo apt-get update

While installing an Ubuntu server is a great way to learn how to work with a Linux it’s a good idea to learn in an environment that is safe. Furthermore, it’s best not to expose the server to the Internet until you are ready.

A great way to get started is at home where you can access the server from your own network without allowing access to the server through the Internet or your home router.

If and when you do deploy a Ubuntu server you’ll want to keep the above five things in mind. It’s important to know the configuration of the server once it’s deployed so you know what type of access the public can get to and what yet needs to be hardened.

Enjoy learning and don’t be afraid to break something in your safe environment, as the experience can be a great teacher when it’s time to go live.