Apache is the most popular web server software in use today. Its popularity is earned through its stability, speed, and security. Most likely if you are building out a website or any public facing app, you’ll be using Apache to display it. At the time of this writing, the most current offering of Apache is 2.4.39, and it is the version we will be using to install on our Ubuntu 18.04 LTS server. Let’s get started! Continue reading “How to Install Apache 2 on Ubuntu 18.04”
After spinning up a new Ubuntu server you may find yourself looking for a guide on what to do next. Many times the default settings do not provide the top security that your server should have. Throughout this article, we provide security tips and pose questions to help determine the best kind of setup for your environment.
Apache Tomcat is an accessible, open-source application server used to house many of today's applications. It's free, stable, lightweight and is utilized to render Java coding as well as a range of other applications.
Today we will be focusing on how to install Apache Tomcat 9 on our Liquid Web Ubuntu server, specifically Ubuntu 18.04 LTS. Continue reading “How to Install Apache Tomcat 9 on Ubuntu 18.04”
When choosing a server operating system, there are a number of factors and choices that must be decided. An often talked about and referenced OS, Ubuntu, is a popular choice and offers great functionality with a vibrant and helpful community. However, if you're unfamiliar with Ubuntu and have not worked with either the server or desktop versions, you may encounter differences in common tasks and functionality from previous operating systems you've worked with. I've been a system administrator and running my own servers for a number of years, almost all of which were Ubuntu. Here are the top four lessons I've learned while running Ubuntu on my server.
What is a Redirect?
A redirect is a web server function that will redirect traffic from one URL to another. Redirects are an important feature when the need arises. There are several different types of redirects, but the more common forms are temporary and permanent. In this article, we will provide some examples of redirecting through the vhost file, forcing a secure HTTPS connection, redirection to www and non-www as well as the difference between temporary and permanent redirects.
Common Methods for Redirects
Temporary redirects (response code: 302 Found) are helpful if a URL is temporarily being served from a different location. For example, these are helpful when performing maintenance and can redirect users to a maintenance page.
However, permanent redirects (response code: 301 Moved Permanently) inform the browser there was an old URL that it should forget and not attempt to access anymore. These are helpful when content has moved from one place to another.
How to Redirect
When it comes to Nginx, redirects are handled within a .conf file, typically /etc/nginx/sites-available/directory_name.conf, where directory_name is the document root directory of your site(s). The document root directory is where your site's files live, and it can sometimes be /html if you have one site on the server. Or, if your server has multiple sites, it can be /domain.com. Either way, that will be your .conf file name. In the /etc/nginx/sites-available/ directory you'll find the default file that you can copy or use to append your redirects. Or you can create a new file named html.conf or domain.com.conf.
The first example we’ll cover is redirection of a specific page/directory to the new page/directory.
Temporary Page to Page Redirect
# Temporary redirect to an individual page
rewrite ^/oldpage$ http://www.domain.com/newpage redirect;
Permanent Page to Page Redirect
# Permanent redirect to an individual page
rewrite ^/oldpage$ http://www.domain.com/newpage permanent;
Permanent www to non-www Redirect
# Permanent redirect to non-www
rewrite ^/(.*)$ http://domain.com/$1 permanent;
Permanent Redirect to www
# Permanent redirect to www
rewrite ^/(.*)$ http://www.newdomain.com/$1 permanent;
Sometimes the need will arise to change the domain name for a website. In this case, a redirect from the old site's URL to the new site's URL will be very helpful in letting users know the domain was moved to a new URL.
The next example we’ll cover is redirecting an old URL to a new URL.
Permanent Redirect to New URL
# Permanent redirect to new URL
rewrite ^/(.*)$ http://newdomain.com/$1 permanent;
We’ve added the redirect using the rewrite directive we discussed earlier. The ^/(.*)$ regular expression will use everything after the / in the URL. For example, http://olddomain.com/index.html will redirect to http://newdomain.com/index.html. To achieve the permanent redirect, we add permanent after the rewrite directive as you can see in the example code.
When it comes to HTTPS and being fully secure, it is ideal to force everyone to use https:// instead of http://.
Redirect to HTTPS
# Redirect to HTTPS: answer plain HTTP on port 80 and send every request to the HTTPS site
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}
After these rewrite rules are in place, testing the configuration prior to running a restart is recommended. Nginx syntax can be checked with the -t flag (nginx -t) to ensure there is not a typo present in the file.
Nginx Syntax Check
If nothing is returned the syntax is correct and Nginx has to be reloaded for the redirects to take effect.
service nginx reload
For CentOS 7, which, unlike CentOS 6, uses systemd:
systemctl restart nginx
Redirects on Managed WordPress/WooCommerce
If you are on our Managed WordPress/WooCommerce products, redirects can happen through the /home/s#/nginx/redirects.conf file. Each site will have their own s# which is the FTP/SSH user per site. The plugin called ‘Redirection’ can be downloaded to help with a simple page to page redirect, otherwise the redirects.conf file can be utilized in adding more specific redirects as well using the examples explained above.
Due to the nature of a managed platform after you have the rules in place within the redirects.conf file, please reach out to support and ask for Nginx to be reloaded. If you are uncomfortable with performing the outlined steps above, contact our support team via chat, ticket or a phone call. With Managed WordPress/WooCommerce you get 24/7 support available and ready to help you!
What is Webmin?
Webmin is a browser-based graphical interface to help you administrate your Linux server. Much like cPanel or Plesk, Webmin allows you to set up and manage accounts, Apache, DNS zones, users and configurations. As these configurations can get somewhat complicated, Webmin works to simplify this process. The result is fewer issues during server and domain setup, which in turn means a stable server and a pleasant administration experience. Unlike Plesk or cPanel, Webmin is completely free and open to the public. Unfortunately, here at Liquid Web, we do not offer managed support for Webmin, but we are always willing to assist as much as possible when issues arise. You can download Webmin from their site. Also, you can find some excellent documentation on this interface.
Before beginning, if you have not already, you will need to install Webmin on your server. For this article, we will mainly be working with Webmin installed on an Ubuntu server. However, it is very similar to CentOS, therefore, we have included instructions for both operating systems below.
- First, you will need to access your server via SSH. If you are not sure how to SSH into your server, please visit our link on the subject.
- Once you are logged into your server via SSH, please run the following commands in order or copy and paste the entire syntax.
sudo sh -c 'echo "deb http://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list'
wget -qO - http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install webmin
(echo "[Webmin] name=Webmin Distribution Neutral
yum -y install webmin)
Webmin is a web-based application, so once Webmin is installed, you can access it by using a browser of your choice. Make sure port 10000 is open on your server, as Webmin utilizes this port to function. We have included steps below to ensure the correct port is open for iptables and firewalld.
iptables-save > /tmp/tabsav
You should be able to use the command above to save your iptables rules to a file, alter that file to look something like what we have included below, and then load it back with iptables-restore.
iptables-restore < /tmp/tabsav
# Generated by iptables-save v1.4.7 on Thu Jan 3 00:02:49 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3044:1198306]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jan 3 00:02:49 2019
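Rule order decides whether the Webmin port is actually reachable: an ACCEPT rule for port 10000 that lands after the catch-all REJECT never matches. The following is an added example, not part of the original article, that checks a saved rules file before it is loaded with iptables-restore; the function names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify rule order in an iptables-save style file.

# port_reachable FILE PORT
# Exit 0 if an INPUT rule that ACCEPTs TCP traffic to PORT appears before
# the first catch-all REJECT/DROP rule in the INPUT chain, else exit 1.
port_reachable() {
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" {
            target = ""; dport = ""; proto = ""; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                # a match option narrows the rule, so it is not a catch-all
                if ($i == "-p" || $i == "-i" || $i == "-s" || $i == "-m") scoped = 1
            }
            if (target == "ACCEPT" && proto == "tcp" && dport == port) { found = 1; exit }
            if ((target == "REJECT" || target == "DROP") && !scoped) exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_rules good|bad FILE
# Constructed sample rule sets. In "good" the port 10000 rule precedes the
# final REJECT; in "bad" it was appended after it.
write_rules() {
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
        [ "$1" = good ] && echo '-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT'
        echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        [ "$1" = bad ] && echo '-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT'
        echo 'COMMIT'
    } > "$2"
}

# Demonstration on the two constructed files.
tmp=$(mktemp -d)
for kind in good bad; do
    write_rules "$kind" "$tmp/$kind.rules"
    if port_reachable "$tmp/$kind.rules" 10000; then
        echo "$kind: port 10000 is accepted before the catch-all REJECT"
    else
        echo "$kind: port 10000 is not reachable with this rule order"
    fi
done
rm -rf "$tmp"
```

Run it against /tmp/tabsav after editing and before iptables-restore, for example: port_reachable /tmp/tabsav 10000.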
firewall-cmd --zone=public --add-port=10000/tcp --permanent
firewall-cmd --reload
Once you have made sure port 10000 is open, you should be able to access the Webmin interface by entering your server's IP address followed by the port number “10000”.
Example: https://192.168.1.100:10000 <—— 192.168.1.100 should be replaced with your server IP.
Installing PHP Versions in Webmin
There are many situations where we may need to use multiple PHP versions. For example, you may have multiple domains or applications on your server that require an older version of PHP, while at the same time you may have newer domains that are configured for newer versions of PHP. For this article, we will be installing PHP7 and PHP5.6 on Debian.
Step 1: First, you will want to SSH into your server and run the following command.
apt-get install php7.0-cli php7.0-fpm
You can check the installation after it has completed by running php -v in your terminal.
Step 2: Now here is where things tend to get tricky. By default, Debian only offers a single PHP version in the official repository. So, we will have to add an additional repository for Debian. While adding this repository, it is good practice to enable HTTPS for APT and register the APT key. You can accomplish this by executing the commands we have included below.
apt-get install apt-transport-https
curl https://packages.sury.org/php/apt.gpg | apt-key add -
echo 'deb https://packages.sury.org/php/ stretch main' > /etc/apt/sources.list.d/deb.sury.org.list
apt-get update
Once the repository is added, we can go ahead and add our second PHP version to the server.
apt-get install php5.6-cli php5.6-fpm
We can now check both PHP versions on the server by running these commands.
Now that we have confirmed both PHP versions are installed you can access their configuration files in the following directories.
Step 3: To make things easier, later on, we will want to add the location of the configuration files to Webmin. This can be done from within the Webmin interface.
- Log into Webmin
- Navigate to Others >> PHP Configuration
- Add the PHP configuration file location
- Click Save
You can use this tool to add and edit directives for different PHP versions. For example, you’ll be able to edit PHP’s memory limit, timeout length, extensions and more. This simply helps consolidate configurations within one interface. From here we can just use a .htaccess file to specify what version of PHP a site should use.
Step 4: If you do not have this file already within your document root, you can add it by navigating to /var/www/exampledomain/ and running one of the following commands to indicate which PHP version you are going to use.
# Use PHP 5.6 for this site
echo "AddHandler application/x-httpd-php56 .php" > .htaccess && chown exampleuser: .htaccess
# Or use PHP 7.0 for this site
echo "AddHandler application/x-httpd-php70 .php" > .htaccess && chown exampleuser: .htaccess
Step 5: Once you have completed this, you can test to see if your site is running on the desired PHP version. You can accomplish this by creating a PHP information page: make a file in your document root, usually in the path of /var/www/html/
You will want to insert the code below and save the file.
<?php phpinfo(); ?>
After you have created this file, you can view the page by visiting your domain followed by the name of the file you created. For example, www.example.com/phpinfo.php. Remove the file once you have confirmed the version, since the page exposes your server's configuration to anyone who requests it.
Congratulations, you can now use Webmin to accomplish your daily admin tasks! Take a look at our Cloud VPS servers for 24/7 support and lightning speed servers!
Configuring Multi-User FTP with User Isolation
This article is intended to give an overview of a chroot environment and configuring your FTP service for user isolation. This is done with a few lines within the main configuration file of the FTP service.
This article is also intended as a guide for our Core-Managed servers running CentOS or Ubuntu without a control panel. Our Fully Managed servers that utilize the cPanel software already have the FTP user isolation configured by default and also provide utilities for creating FTP users.
What is Chroot?
Chroot or change-root is the implementation of setting a new root directory for the environment that a user has access to. By doing this, from the user’s perspective, there will appear to be no higher directory that the user could escape to. They would be limited to the directory they start in and only see the contents inside of that directory.
If a user were to try and list the contents of the root (/) of the system, it would return the contents of their chroot environment and not the actual root of the server. Read more about this at the following link.
As there are many FTP options available, ProFTPd, Pure-FTPd, vsftpd, to name a few, this article will only focus on the use of ProFTPd for simplicity and brevity. This is also not intended to be a guide for installing an FTP service as it’s covered in our Knowledge Base articles below.
User Isolation with ProFTPd
By default, ProFTPd will read the system /etc/passwd file. The users in this file are the normal system users and are not required to be created outside of normal user creation. There are many ways to create additional FTP users, but this is one way to get started.
Here are some typical entries from the system passwd file. From left to right, you can see the username, the user and group IDs, the home directory and the default shell configured for that user.
To create these users, you would use the useradd command from the command line or whatever other methods you would typically use to create users on the server.
Create the user
useradd -m -d /home/homedir newuser
Set the user password
If you are setting up multiple users that all need to have access to the same directory, you will need to make sure that the users are all in the same group. Being in the same group means that each user can have group level access to the directory and allow everyone in the group to access the files that each user uploads. This level of user management is beyond the scope of this article, but be aware that things of this nature are possible.
ProFTPd User Configuration
To jail a user to their home directory within ProFTPd, you have to set the DefaultRoot value to ~.
With this set, it tells the FTP service to only allow the user to access their home directory. The ~ is a shortcut that tells the system to read whatever the user’s home directory is from the /etc/passwd file and use that value.
Using this functionality in ProFTPd, you can also define multiple DefaultRoot directives and have those restrictions match based on some criteria. You can jail some users, and not others, or jail a set of users all to the same directory if desired. This is done by matching the group that a user belongs to.
When a new user is created, as shown above, their default group will be the same as their username. You can, however, add or modify the group(s) assigned to the user after they are created if necessary.
Jail Everyone Not in the “Special-Group”
DefaultRoot ~ !special-group
Jail Group1 and Group2 to the Same Directory
DefaultRoot /path/to/uploads group1,group2
After making these changes to the proftpd.conf file you’ll need to restart the FTP service.
CentOS 6.x (init)
CentOS 7.x (systemd)
systemctl restart proftpd
User Isolation with SFTP (SSH)
You can also isolate SFTP users or restrict a subset of SSH users to only have SFTP access. Again, this pertains to regular system users created using the useradd command.
While you can secure FTP communications using SSL, this is an extra level of setup and configuration. SFTP, by contrast, is used for file transfers over an SSH connection. SSH is an encrypted connection to the server and is secure by default. If you are concerned about security and are unsure about adding SSL to your FTP configuration, this may be another option to look into.
SFTP User Setup
Create the user and their home directory just like with the FTP user, but here we make sure to set the shell to not allow normal SSH login. We are presuming that you are looking for SFTP-only users and not just regular shell users, so we add the restriction on the shell to prevent non-SFTP logins.
useradd -m -d /home/homedir/ -s /sbin/nologin username
We need to make sure that permissions and ownership are set for the home directory to be owned by root, and the upload directory is owned by the user.
chmod 755 /home/homedir/
chown root: /home/homedir/
mkdir -p /home/homedir/upload-dir/
chown username: /home/homedir/upload-dir/
Here, by setting the ChrootDirectory to the %h variable, we are confining the user to their home directory as set up when the user was created. Using the ForceCommand directive also limits the commands the user is allowed to execute to only SFTP commands used for file transfers, again eliminating the possibility that the users will be able to break out of the jail and into a normal shell environment.
Subsystem sftp internal-sftp
Match User user1,user2,user3
    ChrootDirectory %h
    ForceCommand internal-sftp
Jail Multiple FTP Users to a Location
Alternatively, if you wanted to have multiple users all jailed to the same location, you can set them all to be in the same group, have the same home directory, and then use a Match Group directive within the SSH configuration.
Subsystem sftp internal-sftp
Match Group groupname
    ChrootDirectory %h
    ForceCommand internal-sftp
After making these changes to the sshd_config file, restart the SSH service. One of the following commands should work for you.
CentOS 6.x (init)
CentOS 7.x (systemd)
systemctl restart sshd
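sshd only accepts a ChrootDirectory when the directory and every parent directory up to / are owned by root and not writable by group or others, which is why the home directory above is handed to root while only the upload directory belongs to the user. The following is an added example, not part of the original article: a shell check for that condition, assuming GNU stat; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit a directory before using it as an sshd ChrootDirectory.

# dir_is_safe DIR OWNER_UID
# Exit 0 if DIR is a directory owned by OWNER_UID with no group or other
# write bit set in its mode.
dir_is_safe() {
    [ -d "$1" ] || return 1
    owner=$(stat -c '%u' "$1") || return 1   # numeric owner
    mode=$(stat -c '%a' "$1") || return 1    # octal mode, e.g. 755 or 1777
    [ "$owner" = "$2" ] || return 1
    group_bits=$((mode / 10 % 10))
    other_bits=$((mode % 10))
    # 2 is the write bit within each permission digit
    [ $((group_bits & 2)) -eq 0 ] && [ $((other_bits & 2)) -eq 0 ]
}

# chroot_path_ok DIR
# Walk from DIR up to / and require every component to be root-owned
# (uid 0) and not group/other writable. Reports the first offender.
chroot_path_ok() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        dir_is_safe "$p" 0 || { echo "unsafe chroot component: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Demonstration on a constructed temporary directory (owned by whoever
# runs the script, so the single-directory check is given that uid).
demo=$(mktemp -d)
chmod 755 "$demo"
dir_is_safe "$demo" "$(id -u)" && echo "mode 755: acceptable"
chmod 775 "$demo"
dir_is_safe "$demo" "$(id -u)" || echo "mode 775: group-writable, would be refused"
rm -rf "$demo"
```

On the server, run chroot_path_ok /home/homedir as root after the chown and chmod steps and before restarting sshd.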
Our last article on Ubuntu security suggestions touched on the importance of passwords, user roles, console security, and firewalls. We continue from that article here. While the recommendations below are not unique to Ubuntu specifically (nearly all discussed are considered best practice for any Linux server), they should be an important consideration in securing your server. Continue reading “How Do I Secure My Linux Server?”
Thank you for taking the time to review this important information. You will find this guide broken down into six major sections that coincide with Ubuntu’s security policy guide. The major topics we cover throughout these articles are as follows:
- User Management
- Console Security
- Encrypted LVM
- More security considerations…
Adding a user and granting that user root privileges is one of the many tasks of a system admin. Once a user has been added and granted root privileges, they’ll be able to log in to your Ubuntu 18.04 server and perform vital functions for the upkeep of the system. Afterward, they’ll be able to use sudo before commands to perform elevated tasks. In this quick tutorial, we’ll show you how to add a new user and grant root permissions. Continue reading “How To Add a User and Grant Root Privileges on Ubuntu 18.04”