Newbie’s guide for Linux Apache web servers

June 3rd, 2010

Today a friend (from a Windows background – still a friend?! :P ) asked me how to go about setting up a LAMP (Linux, Apache, MySQL & PHP) server. I wrote him a few notes, not only on how to configure the LAMP stack, but also on how to configure a Linux system properly from scratch, and how to do so securely. There are millions of guides out there that explain how to serve web pages with Apache, but not many of them explain the basics of setting up a secure system too.

I’ve edited these notes slightly to make them suitable for a wider audience, but in essence it’s the same stuff. Hope it’s useful!

OS installation

I recommend using CentOS. It doesn’t really matter whether you choose 32-bit (i386) or 64-bit (x86_64), but ideally use 64-bit unless there’s a reason not to.

Boot from the CD or DVD of your choice. It doesn’t matter whether you use the full DVD, or the network install CD.

Choose the text-based installer from the boot prompt by typing linux text. The text installer doesn’t install as much extra rubbish as the GUI installer.

In most cases the default options are good enough. One option you should change is to use an NTP time server. This is especially important with virtual machines, since they suffer badly from clock drift.

Choose a strong root password. You will only need it once again. After that, you won’t even need it for logging on, so there is no need to pick anything memorable. In fact, you are best off choosing a long, random string of mixed-case letters and numbers.

When it comes to choosing packages, deselect as many of the groups as possible. We will add the packages we need individually later on.

Let the installer run its course, and reboot.

Users and passwords

Upon first boot, log in as root using the password you picked before. Now create new user accounts and set passwords:

useradd yourusername
passwd yourusername

Now for setting sudo access. This is like “run as admin” on Windows. Type visudo. In the text file that opens, read down to the line that says

root    ALL=(ALL)       ALL

Duplicate it twice by pressing yyp. Go into insert mode by pressing i and change the username root to your username. When you are done, hit Esc and type :wq to save and exit. Gotta love vi commands ;)

To disable remote root login via ssh, edit the file /etc/ssh/sshd_config using your favourite editor. If you don’t already have a favourite editor, use vi.

Find the line:

#PermitRootLogin yes

and uncomment it and change the value to no:

PermitRootLogin no

Restart the ssh daemon by doing

sudo /sbin/service sshd restart
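
One way to confirm the edit took effect before you log out (an added example, not part of the original post): sshd ignores lines that still start with # and uses the first value it finds for a keyword, so this helper reports the value that actually applies. The function names are made up for this example and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report which PermitRootLogin value a config file really sets.
# sshd skips lines starting with '#', matches keywords case-insensitively and
# uses the first value it finds. Lines after a "Match" line are conditional,
# so the scan stops there. Function names are hypothetical.

effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # comments and blank lines
        { split($0, f, "[ \t=]+"); key = tolower(f[1]) }
        key == "match" { exit }                 # end of the global section
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }       # sshd falls back to its default
    ' "$1"
}

check_root_login() {
    value=$(effective_permit_root_login "$1")
    if [ "$value" = "no" ]; then
        echo "OK: root login over ssh is disabled"
        return 0
    fi
    echo "WARNING: PermitRootLogin is '$value' in $1"
    return 1
}

# Constructed sample: the value was changed but the '#' was left in place.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'Protocol 2' > "$sample"
check_root_login "$sample" || true     # prints the WARNING line
rm -f "$sample"
```

To check the live configuration, call check_root_login /etc/ssh/sshd_config from a root shell or a script run with sudo.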

From now on you can gain root access by using the sudo command, and you won’t need to log in as root again. Log out now by typing exit and re-login as your own user. Forget the root password forever.

Installing packages

First we add a couple of third-party software repositories that have useful stuff.

sudo rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm

Let’s get rid of the stuff we don’t want or need. There are no doubt more things that can be removed than I’ve listed here, but they can be removed later.

sudo yum remove bluez* pcsc*

Update the system so you’re sure that the latest versions of all software are installed.

sudo yum update

Now we can install the stuff we want for LAMP!

sudo yum install httpd mysql-server php php-mysql

If you want to use any PHP modules/libraries, they can be installed here too, such as the commonly-used graphics library gd.

Services

Let’s start the two daemons for Apache and MySQL, and tell them to start on boot.

sudo /sbin/service httpd start
sudo /sbin/service mysqld start
sudo /sbin/chkconfig httpd on
sudo /sbin/chkconfig mysqld on

Apache in its default state will run out of the box. MySQL just needs a root password setting.

mysqladmin -u root password NEWPASSWORD

From now on it’s advisable to GRANT access to specific users on specific databases/tables. Go read about MySQL users.

Firewall

Let’s assume you want HTTP on port 80 open to the world. Open /etc/sysconfig/iptables for editing, and add this line.

-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Save and close, and run this to make the changes live.

sudo /sbin/service iptables restart
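
iptables matches rules from top to bottom, so the new line only has an effect if it sits above any catch-all REJECT or DROP rule in the same chain. The check below is an added example, not part of the original post: it reads a rules file in the same syntax as /etc/sysconfig/iptables and reports whether the ACCEPT rule for a port is reachable. The function name is made up, the chain name RH-INPUT is taken from the line above, and the sample rules file is constructed.

```shell
#!/bin/sh
# Added example: does an ACCEPT rule for a port sit above the chain's
# catch-all REJECT/DROP? Rules are matched top to bottom, so an ACCEPT
# placed below an unconditional REJECT is never reached.
# Assumes iptables-save syntax; the function name is hypothetical.

port_rule_state() {   # usage: port_rule_state FILE CHAIN PORT
    awk -v chain="$2" -v port="$3" '
        $1 != "-A" || $2 != chain { next }      # only rules of this chain
        {
            rule = ""
            for (i = 3; i <= NF; i++) rule = rule " " $i
            rule = rule " "
        }
        # A rule with no match conditions: everything below it is dead.
        rule ~ /^ -j (REJECT|DROP) / { print "blocked"; done = 1; exit }
        index(rule, " --dport " port " ") && index(rule, " -j ACCEPT ") {
            print "open"; done = 1; exit
        }
        END { if (!done) print "no-rule" }
    ' "$1"
}

# Constructed sample: the line from this guide was appended at the very end,
# below the REJECT rule, which is an easy mistake to make.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-INPUT - [0:0]
-A INPUT -j RH-INPUT
-A RH-INPUT -i lo -j ACCEPT
-A RH-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
port_rule_state "$rules" RH-INPUT 80    # prints: blocked
port_rule_state "$rules" RH-INPUT 22    # prints: open
rm -f "$rules"
```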

Editing configs

The main config file for Apache is at /etc/httpd/conf/httpd.conf. It doesn’t need any changes for basic operation, but if you edit it you need to restart the httpd service to pick up the changes.

If you get serious with web publishing from a LAMP platform, you will probably want to read about name-based virtual hosts.

Adding content

In its basic configuration, you should add PHP scripts, HTML pages and other content like images and stylesheets to /var/www/html/. You do not need to restart the daemon for it to pick up new content.

When debugging pages, you will probably find it handy to refer to the error log, at /var/log/httpd/error_log.

Tip: Open two SSH windows to the server – one for editing stuff, and the other for watching the log scroll by as events occur. Use Ctrl-C to break out of it. Do this:

sudo tail -f /var/log/httpd/error_log

Categories: Guides, Linux, Networking, Web

Web statistics with AWstats

August 13th, 2009

A few months ago I set up a website, Memories of Korea, to showcase some slides I inherited. Naturally I was keen to find out how many visitors I’d had, so I set about finding something that could draw pretty graphs.

Based on my experiences setting up website statistics with AWstats, I’ve now prepared a guide for anyone else wishing to do the same.

This guide assumes you are running either Fedora or CentOS, with Apache httpd web server. The majority of the AWstats config will apply on any distro, and with several different web servers, but paths and installation procedures may vary.

Installing AWstats

First things first, let’s install AWstats. On Fedora:

sudo yum install awstats

On CentOS, you need to jump through a hoop first by enabling the EPEL repository:

sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
sudo yum install awstats

Tweaking your Apache logs

AWstats works by reading your httpd access logs. Somewhere in your httpd.conf you should have a line like this.

CustomLog logs/access_log common

or

CustomLog logs/access_log combined

If you have virtual servers, each server is likely to have its own log file and associated CustomLog directive, too. For now, just pick one set of logs to work with and do the rest later. If your CustomLog directive ends in common, change it to combined. This keeps the log format the same, but causes a couple of extra fields to be logged.

Don’t worry if you can’t change the log format for one reason or another – AWstats will still work but you won’t get quite as many juicy stats.

While you’re nosing around in httpd.conf, make a note of the path and filename of the access log – you’ll need it in a second. In my case it’s /var/log/access_log, which is the default for non-virtual Apache servers.

Go into /etc/awstats. There should be a sample config file called awstats.model.conf. This contains most of the default options you will need, so let’s make a copy of it and work on that. Give the copy the same name as your website:

cp awstats.model.conf awstats.www.memoriesofkorea.com.conf
vi awstats.www.memoriesofkorea.com.conf

You don’t need to change many options to get it going, so I will outline the basics here. Find the following directives in the config file, and change their values appropriately. Leave everything else alone – for now!

Tell AWstats where your Apache log file is:

LogFile="/var/log/httpd/access_log"

Leave this as 1 if you are using combined Apache logs. Change it to 4 if you are using common Apache logs.

LogFormat=1

Set this to the main name of your website.

SiteDomain="www.memoriesofkorea.com"

If your website has other names, add them here. Usually the only “other” name is simply omitting the www. Leave in 127.0.0.1 and localhost, which may be important if you access your website from the server it is running on.

HostAliases="memoriesofkorea.com 127.0.0.1 localhost"

Save your changes and exit.

Run AWstats for the first time

When you installed AWstats, it was automatically configured to run and collect log information hourly, but if you’re too impatient to wait for cron, run the first AWstats update now:

/usr/share/awstats/tools/awstats_updateall.pl now

Grant access to the AWstats page

You need to edit the file /etc/httpd/conf.d/awstats.conf. This just tells Apache who can view the statistics. Somewhere in the middle of the file there should be a block like the one below. By default only 127.0.0.1 (the web server itself) is allowed to view the page, so if your web browser isn’t running on the server, you will need to change something.

You might want to add a single IP address, an IP address range (e.g. 192.168.0.1/24 for a home network) or simply all to grant access to the world.

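    Options None
    AllowOverride None
    Order allow,deny
    # The Allow lines are alternatives: keep only the ones you need.
    # "Allow from all" makes the others redundant and lets anyone view the page.
    Allow from 127.0.0.1
    Allow from 192.168.0.0/24
    Allow from all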

Save the file and exit. Restart Apache.

service httpd restart

See your statistics

Assuming all went well, you should be able to view your statistics page at http://www.mysite.com/awstats/awstats.pl

Other options

You no doubt saw in the /etc/awstats.conf file that there are many, many more configurable options for AWstats, including user authentication to name but one.

The config file is well commented and there is plenty of documentation online to help you along.