Today a friend (from a Windows background – still a friend?! :P) asked me how to go about setting up a LAMP (Linux, Apache, MySQL & PHP) server. I wrote him a few notes, not only on how to configure the LAMP stack, but also on how to configure a Linux system properly from scratch, and how to do so securely. There are millions of guides out there that explain how to serve web pages with Apache, but not many of them explain the basics of setting up a secure system too.
I’ve edited these notes slightly to make them suitable for a wider audience, but in essence it’s the same stuff. Hope it’s useful!
OS installation
I recommend using CentOS. It doesn’t really matter whether you choose 32-bit (i386) or 64-bit (x86_64), but ideally use 64-bit unless there’s a reason not to.
Boot from the CD or DVD of your choice. It doesn’t matter whether you use the full DVD, or the network install CD.
Choose the text-based installer from the boot prompt by typing linux text. The text installer doesn’t install as much extra rubbish as the GUI installer.
In most cases the default options are good enough. One option you should change is to use an NTP time server. This is especially important with virtual machines, since they suffer badly from clock drift.
Choose a strong root password. You will only need it once again. After that, you won’t even need it for logging on, so there is no need to pick anything memorable. In fact, you are best off choosing a long, random string of mixed-case letters and numbers.
When it comes to choosing packages, deselect as many of the groups as possible. We will add the packages we need individually later on.
Let the installer run its course, and reboot.
Users and passwords
Upon first boot, log in as root using the password you picked before. Now create new user accounts and set passwords:
useradd yourusername
passwd yourusername
Now for setting sudo access. This is like “run as admin” on Windows. Type visudo. In the text file that opens, read down to the line that says
root ALL=(ALL) ALL
Duplicate it twice by pressing yyp. Go into insert mode by pressing i and change the username root to your username. When you are done, hit Esc and type :wq to save and exit. Gotta love vi commands 😉
To disable remote root login via ssh, edit the file /etc/ssh/sshd_config using your favourite editor. If you don’t already have a favourite editor, use vi.
Find the line:
#PermitRootLogin yes
and uncomment it and change the value to no:
PermitRootLogin no
Restart the ssh daemon by doing
sudo /sbin/service sshd restart
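A quick way to confirm the edit took effect, as an added example that is not part of the original notes: sshd uses the first uncommented occurrence of a keyword, so a line left commented out, or a new line added below an earlier "PermitRootLogin yes", leaves root login enabled. The function names and the sample files are made up for illustration.

```sh
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually use.
# sshd takes the FIRST uncommented occurrence of a keyword, and keywords are
# case-insensitive. Only the global section (before any Match block) is read.
effective_root_login() {   # usage: effective_root_login FILE
    awk '
        /^[ \t]*#/ || /^[ \t]*$/         { next }   # skip comments and blank lines
        tolower($1) == "match"           { exit }   # global section ends here
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "default" }         # keyword absent: built-in default applies
    ' "$1"
}

# Succeeds only when the effective setting is exactly "no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'Port 22' '#PermitRootLogin no'            > "$demo_dir/still_commented"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/shadowed"
printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' > "$demo_dir/fixed"

for f in still_commented shadowed fixed; do
    printf '%-16s -> %s\n' "$f" "$(effective_root_login "$demo_dir/$f")"
done
```

On the server itself, point the function at /etc/ssh/sshd_config and run sudo /usr/sbin/sshd -t to syntax-check the file before restarting. Keep the current session open until a second login as your own user succeeds.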
From now on you can gain root access by using the sudo command, and you won’t need to log in as root again. Log out now by typing exit and re-login as your own user. Forget the root password forever.
Installing packages
First we add a couple of third-party software repositories that have useful stuff.
sudo rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm
Let’s get rid of the stuff we don’t want or need. There are no doubt more things that can be removed than I’ve listed here, but they can be removed later.
sudo yum remove 'bluez*' 'pcsc*'
Update the system so you’re sure that the latest versions of all software are installed.
sudo yum update
Now we can install the stuff we want for LAMP!
sudo yum install httpd mysql-server php php-mysql
If you want to use any PHP modules/libraries they can be installed here too, such as the commonly-used graphics library gd.
Services
Let’s start the two daemons for Apache and MySQL, and tell them to start on boot.
sudo /sbin/service httpd start
sudo /sbin/service mysqld start
sudo /sbin/chkconfig httpd on
sudo /sbin/chkconfig mysqld on
Apache in its default state will run out of the box. MySQL just needs a root password setting.
mysqladmin -u root password NEWPASSWORD
From now on it’s advisable to GRANT access to specific users on specific databases/tables. Go read about MySQL users.
Firewall
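Let’s assume you want HTTP on port 80 open to the world. Open /etc/sysconfig/iptables for editing, and add this line. The chain name after -A must match the chain the other rules in that file use, and the line has to go above any catch-all REJECT or DROP rule in that chain, because rules are matched in order.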
-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Save and close, and run this to make the changes live.
sudo /sbin/service iptables restart
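To check the placement before restarting, here is an added example (not from the original notes) that reads a rules file in the same layout and reports whether the ACCEPT rule for a port sits before or after the chain's catch-all REJECT/DROP. The function name and the sample rule files are constructed for illustration; RH-INPUT is the chain name used in the line above.

```sh
#!/bin/sh
# Added example: is there a tcp ACCEPT rule for PORT in CHAIN, and does it come
# before the chain's catch-all REJECT/DROP? Prints open, shadowed or missing.
accept_rule_status() {   # usage: accept_rule_status FILE CHAIN PORT
    awk -v chain="$2" -v port="$3" '
        $1 != "-A" || $2 != chain { next }          # only rules appended to this chain
        # A rule with no match options ("-A CHAIN -j REJECT ...") catches everything.
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1; next }
        {
            proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto == "tcp" && dport == port && target == "ACCEPT") {
                print (blocked ? "shadowed" : "open"); found = 1; exit
            }
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed rule files (not copied from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
ssh_rule='-A RH-INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
web_rule='-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
reject='-A RH-INPUT -j REJECT --reject-with icmp-host-prohibited'
head1='*filter'
head2=':RH-INPUT - [0:0]'
printf '%s\n' "$head1" "$head2" "$ssh_rule" "$web_rule" "$reject" COMMIT > "$demo_dir/good"
printf '%s\n' "$head1" "$head2" "$ssh_rule" "$reject" "$web_rule" COMMIT > "$demo_dir/appended_last"
printf '%s\n' "$head1" "$head2" "$ssh_rule" "$reject" COMMIT             > "$demo_dir/untouched"

for f in good appended_last untouched; do
    printf '%-14s -> %s\n' "$f" "$(accept_rule_status "$demo_dir/$f" RH-INPUT 80)"
done
```

A result of shadowed means the line was added below the catch-all rule, so port 80 stays closed even though the rule is in the file.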
Editing configs
The main config file for Apache is at /etc/httpd/conf/httpd.conf. It doesn’t need any changes for basic operation, but if you edit it you need to restart the httpd service to pick up the changes.
If you get serious with web publishing from a LAMP platform, you will probably want to read about name-based virtual hosts.
Adding content
In its basic configuration, you should add PHP scripts, HTML pages and other content like images and stylesheets to /var/www/html/. You do not need to restart the daemon for it to pick up new content.
When debugging pages, you will probably find it handy to refer to the error log, at /var/log/httpd/error_log.
Tip: Open two SSH windows to the server – one for editing stuff, and the other for watching the log scroll by as events occur. Do this, and use Ctrl-C to break out of it:
sudo tail -f /var/log/httpd/error_log
Many thanks for this simple guide. It took a day to install CentOS and figure what it was, but we got there in the end. I can now see my first text page over the internet. A great feeling.
But, if you have a further minute, two questions:
What software does one use to create properly formatted web pages and attach photos, etc?
And how does one connect to the server remotely to put them there?
(I see you mention SSH, and while I don’t know what that is I guess it’s part of the answer.)
Alastair
Yep, SSH is the de-facto way of connecting to a Linux server. On Windows you’ll need to download an SSH client to connect to a Linux server – look at PuTTY for example. With SSH you can access the command line to enter commands and you can also transfer files using scp/sftp. If you’re not sure what this is, I suggest searching for a PuTTY tutorial.
Linux doesn’t really have any specific tools for formatting web pages. Some people prefer to write their own pages in a text editor but if you are looking at something a bit more fancy, you might want to check out something like WordPress, which can be installed and used to host web content. It’s quite complex though, and requires you to run your own database server and to do some other quite tricky stuff to set it up. If you don’t set it up securely, you run the risk of being hacked!
Thanks for the SSH advice Jonathan. It works like a charm.
This is the final time that I bug you, but if you have time to suggest a solution I’ll be out of the woods.
Joomla is now working in /var/www/html but I cannot work out what the file permissions there need to be.
Originally /var/www/html and its contents were owned by root:root and Joomla couldn’t do anything. So I changed them to apache:apache and it works.
But that’s probably unsafe. And Filezilla cannot drop stuff there, which is a nuisance.
So what is the answer? I’m guessing I need to create a group that both user apache and user alastair (my login) are members of, and then to revert ownership of /var/www/html to root:root. Yes? How?
I’ve searched hard online but cannot find the answer clearly explained, even though plenty of beginners seem to have this trouble.
It’s fine to have /var/www/html owned by apache:apache. You just need to add yourself to the apache group, by doing usermod -aG apache yourusername. Just make sure that’s a capital G or you’ll break your user account 😉
Likewise, you can add the Filezilla user to the apache group but that will bring security hazards. FTP is insecure as passwords and data are transmitted in plain text, not encrypted. Do you really want random people off the internet dropping arbitrary files into your web root? You could easily find yourself unknowingly distributing malware or worse.
The only method of putting files on a web server that I can recommend is secure FTP (SFTP, not to be confused with FTPS) which is part of SSH. The Filezilla client can natively handle SSH/SFTP connections via your existing SSH setup, with no need for further modification. You’ll be able to transfer files onto your server via an encrypted connection. This guide explains everything, but there really isn’t much to it.