Comments on LAMP Installation On Ubuntu 6.06 For Linux Noobs

As an experienced Linux user and admin (I have use Linux on the desktop exclusively for about 5 years, and have been using Linux longer; I have also setup many Linux servers), I have to recommend some changes. First, you should use Apache 1.3.x not 2. Apache 2 is insecure. Second, if you have to use a gui, XFCE is much more lightweight, and the desktop of choice for the admins who can't live without a gui. Third, you should NEVER use proftpd for your ftp server; use vsftp instead. Proftp is not secure, whereas vsftpd was designed to be secure from the start, and is the choice of "those who know." For instance, kernel.org (the site which hosts the Linux kernel itself) uses vsftp.

You should also put an iptables firewall on a publicly available webserver configured like this, and have two network cards. On one ethernet interface, you can generally leave everything open for your internal LAN. On the other, you firewall everything but your http and (if needed) ftp. This heavily firewalled interface is the one you expose to the outside world. You don't want your webmin interface and everything else to be accessible/hackable to the outside world, do you? If setting up an iptables firewall manually is beyond you, guarddog should do a good job for this I believe. I'm not positive about guarddog, though, as I do this by hand.

Port 8080 isn't, btw, the best port to recommend for an alternative port. It's a very popular port for admins to use for their proxy server, so it may cause confusion.

I would also recommend setting up a bind9 server for your internal lan, so that you can name your machine www and anything else you like, and all machines on your network will be able to find it. If you have a static IP and wish to register a domain name to your IP, this will be absolutely neccessary, as you'll have to specify both a primary and a backup dns server for your site with the registrar.

You should use apt-get to install webmin rather than installing it from a downloaded package. Using apt-get to install it will mean it will get updated automatically in case of any security updates. You do have a cron job running 'apt-get update && apt-get upgrade' on a daily basis, right?

You also must change the default root password for MySql. Otherwise, any random person on the net will be able to take control of your MySql database.

You should also have stated the need to run:

chmod 644 -R /var/www/*

to set your permissions correctly. Speaking of which, WebDAV is a nicer way to update your website than ftp. Alternatively, you could set up an ssh server (sshd) to use utilities on the server itself to edit your site. Using ssh -X from another Linux machine will allow you to run GUI apps on your webserver, with the GUI itself being displayed on your local machine.

[QUOTE] You should use apt-get to install webmin rather than installing it from a downloaded package. Using apt-get to install it will mean it will get updated automatically in case of any security updates. [/QUOTE]

The Webmin package in the repository is outdated...do not do use it....

Also, I'm curious what the point of a firewall or ip tables is if you only open the ports that have to be open anyways. Sounds to me like its counterintuitive to close ports with a firewall, which are already closed (or not being listened on)  when you need them open to gain access externally.

Seems rather pointless...

Why is Apache 1.3.x more secure than Apache2??

It isn't, except in some sort of metaphysical way. New features are not being added to the 1.3 line, in fact the 2.0 line has been dead-ended. Both are only receiving security updates any more. New features are the biggest risk for adding new holes in a program, thus a dead project is less likely to grow new holes than a live one. But a live project is more likely to find and patch security holes faster... shrug. The OpenBSD project's Apache release is a hacked version of the 1.3 line and is supposedly more security hardened than other Apache distros, but that's a whole nother can of worms not worth getting into.

If you followed the path of this article and  decided you wish to take the advice to install xfce, you will eventually discover that the ubuntu package called xubuntu is just that, but I had just installed the ubuntu daper-drake LAMP install and decided I needed the lighter xfce gui because it is "lighter". The way you get there from here is to look here: http://www.debianadmin.com/install-xfce-desktop-in-ubuntu.html

Which explains that the following command installs the lighter gui

sudo apt-get install xubuntu-desktop

Thanks, very useful

----

My project: http://www.assicuratevi.com 

The Apache1 command for restarting the server is:

apachectl graceful 

 ...which will check the configuration file for errors, and if there isn't any, restart the apache server without closing the currently open connections

One thing that I might add about this great walkthrough.  Instead of using the "dir" command to list files/folders, you should get in the habbit of using "ls".  The "dir" command is actually an alias (like a shortcut in Linux) for the "ls" command.  It's added to some distributions of Linux to make it easier for people who are used to the Windows command prompt.  But this isn't universal in Linux, and won't work on all Linux machines.  There are a few options for the "ls" command, which you can learn about by entering "man ls" in the terminal window.  The "man" command brings up the "manual" page for most linux commands, and is another good command to know.  The description is a bit lengthy, and if you just want a "refresher" of the available options, type "ls --help", which will print out the different options.

Thanks for this great tutorial, however i think since this guide is geared toward people new to linux, it seems there should be more information about security.

--------

Luca Nori
PHP Developer - http://www.rcassicura.com

I agree, every LAMP server should have some sort of security.  Firestarter would be an easy way to deploy security.

I agree that security is an important aspect to any server. As Firestarter is only a firewall, you would be well suited to look into alternative ways to secure your setup since Ubuntu already ships with all ports closed. When you install a server, only those ports are allowed open. Unless you wanted to block those ports at certain times, it would not do you any good.

There are plenty of resources on hardening your server which I very strongly recomend anyone reading my tutorial to research. Like I said in the beginning, this was for getting the server up and running but, "would nead hardening like no other".

Firestarter is NOT a firewall.  It's a GUI frontend to IPtables, which is a firewall.

Good call....I will start using that...

You have actually put li instead of ls in the walkthrough. Which is very confusing, might be a good idea to change that :)

ChrisNTR 

I blame the crack......

Well done!

Apart from maybe changing to the suggested stuff supplied by the other posters, I must commend you to a work well done! I will link to your howto when others ask about this!

Howto's are a drag to write, but a blessing to have :)

roxville from #elive on freenode 

Why not doing the normal desktop setup and adding the server packages using synaptic?
This way, you will never see the command prompt. That's what I did with my server...

Yeah, I have done it both ways and I guess it just boils down to personal preference.

If you already have the files, then you can use the text based system for performance.

You may want to double check, as i am no expert ... and things may be different if you use the ubuntu-server install as a base.

But i think the build-essential package is unneccessary in this context.
It is required when you want to compile your own binaries from source code.

And in this case, with WebAdmin there seems to be binaries in both tar and deb forms availible.

If you have the deb which should be the simplest route to take i imagine, you could just:

sudo dpkg --install package.deb

But even ubuntu has an easy deb installer now, so really you could just double click on the deb and install it within the GNOME desktop instead of resorting to the terminal or command-line. Much like an installer in windows.

But as i said things may be different with the server install. So you may want to check with the more informed on the ubuntu forums.

Yeah, you're right...But, it never hurts to have it as you may run into some packages or modules later on that might need it.

For an easy to install LAMP environment with Apache 2, PHP 5, etc, you may want to try http://bitrock.com/download_lamp_download.html

(no FTP server though) 

Here's an unofficial starter guide that I used to get started: http://ubuntuguide.org/wiki/Dapper

There is now also a .debian package available
for Webmin, so you can use that too and install it with:

sudo dpkg -i package_name.deb

Following your guide (thanks by the way) and I found that after installing the desktop (sudo apt-get install ubuntu-desktop) it did not prompt me to restart, just set me back at the command prompt. Rather than do a hard reset, I recalled my previous experiences with linux and issued the command "sudo shutdown -r now".

Try: sudo reboot

First, thanks so much for the howto!  It saved me a great deal of time.

I wanted to add a post about a problem that I had that took a while to figure out.  After adding webmin, I couldn't navigate to the http://user:10000 page.  It forced me to go to an https://user10000 page and login.  Unfortunately, you can only login as the root user, and for whatever reason, it didn't copy the root password that I assigned when I installed ubuntu intially.  After much gnashing of teeth trying every combination of root, root@user, 'root', etc.,  I decided to try changing the password for webmin.

http://www.webmin.com/faq.html Step 2. Has the instructions for doing this from the command line.

Worked like a champ after that.

Great article, great comments - thanks for the posting...

As M$ gets more expensive and unrealistic for hosting just-for-fun and personal sites, OSI resources have become more and more appealing, yet, I too have been suffering with the same findings as you have with regard to total noob install guides.

(bs.)
http://devcamp.us

Two thumps up on LAMPS tutorial.Ideally you'd want to monitor the server while making config changes from multiple locations around the world.

Thanks for this article.

I have tried these steps with and it worked for me.

Thank you again, thumbs up