First logon
Open a terminal on the local device and run the SSH command below to log on to the server (replace <server-ip> with the server's address):
ssh root@<server-ip>
Enter the root user password and press ENTER to confirm.
Upgrade software
To make sure the operating system's default software has the latest updates and patches installed, upgrade the system packages. In the terminal, enter:
apt-get update
apt-get upgrade
Install PHP
# Make sure add-apt-repository is available: this command installs the software-properties-common package that contains the add-apt-repository binary. Then add a custom PPA.
sudo apt-get install software-properties-common
# Add the ppa:ondrej/php5-5.6 PPA
sudo add-apt-repository ppa:ondrej/php5-5.6
# Ubuntu caches the list of available packages, so after adding a new software source, refresh the cache
sudo apt-get update
# Install PHP
sudo apt-get install php5
# Install apache2
sudo apt-get install apache2
# libapache2-mod-php5 lets Apache serve PHP5
sudo apt-get install libapache2-mod-php5
# Optional: enable GD library support; for example, WordPress needs the GD library to upload images.
sudo apt-get install php5-gd
# Enable the rewrite module
sudo a2enmod rewrite
# Restart apache2
sudo service apache2 restart
Configure Apache (enable HTTPS only)
- Copy the certificate www.test.com.crt to the /etc/ssl/certs/ folder
- Copy the key www.test.com.key to the /etc/ssl/private/ folder
- Copy root_bundle.crt to the /etc/ssl/certs/ folder
Create a test-ssl.config file under the sites-available folder:
cd /etc/apache2/sites-available
touch test-ssl.config
Copy the following into the test-ssl.config file.
<VirtualHost *:443>
    ServerAdmin www.test.com
    ServerName www.test.com
    DocumentRoot /var/www/test
    ErrorLog /var/www/logs/error.log
    CustomLog /var/www/logs/access.log combined
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile /etc/ssl/certs/www.test.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.test.com.key
    SSLCertificateChainFile /etc/ssl/certs/root_bundle.crt
</VirtualHost>
If you only want to enable HTTP, you can name the file test.config, change the port to 80 (or another required port), and omit the SSLEngine on line and the SSL settings that follow it.
# Restart apache2
sudo service apache2 restart
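Before restarting Apache with a new vhost it is worth checking that the file actually carries the settings the tutorial relies on, and that the private key copied into /etc/ssl/private/ is readable only by its owner. The following shell functions are an added example, not part of the original tutorial: check_ssl_vhost takes the path of a vhost file and reports every missing directive, and check_private_key takes the path of a key file. Both take paths as parameters so they can be run on a copy; the config and key used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Usage on the server:
#   check_ssl_vhost /etc/apache2/sites-available/test-ssl.config
#   check_private_key /etc/ssl/private/www.test.com.key

# Report each required TLS directive that is missing or weak; returns 1 if any is.
check_ssl_vhost() {
    conf="$1"
    status=0
    # Apache directive names are case-insensitive, so match case-insensitively.
    grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" \
        || { echo "SSLEngine is not on" >&2; status=1; }
    # The tutorial disables SSLv2 and SSLv3; a bare "SSLProtocol all" leaves SSLv3 enabled.
    grep -qiE '^[[:space:]]*SSLProtocol[[:space:]]+.*-SSLv3' "$conf" \
        || { echo "SSLv3 is not excluded by SSLProtocol" >&2; status=1; }
    grep -qiE '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf" \
        || { echo "SSLHonorCipherOrder is not on (client picks the cipher)" >&2; status=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        grep -qiE "^[[:space:]]*$d[[:space:]]+/" "$conf" \
            || { echo "$d is missing or not an absolute path" >&2; status=1; }
    done
    # A 443 vhost needs a ServerName so SNI can select it when other vhosts exist.
    grep -qiE '^[[:space:]]*ServerName[[:space:]]+' "$conf" \
        || { echo "ServerName is missing" >&2; status=1; }
    return $status
}

# The private key must be -rw------- (mode 600); anything group- or
# world-readable lets any local account impersonate the site.
check_private_key() {
    key="$1"
    mode=$(ls -l "$key" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}
```

Two further points the tutorial does not cover: SSLEngine needs mod_ssl, which Ubuntu does not enable by default (sudo a2enmod ssl), and the file in sites-available has no effect until it is linked into sites-enabled with a2ensite; on Apache 2.4 only files ending in .conf are included from sites-enabled, so a file named test-ssl.config would be ignored there. Run sudo apache2ctl configtest before the restart so a typo in the vhost does not take the server down.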
Non-root users
We need to create a non-root user to improve the server's security. The root user has superuser privileges on the server and can execute any command, so we should make it as hard as possible for others to gain access to it.
# Create a non-root user
adduser deploy
# Add the deploy user to the sudo group, so that deploy has sudo permissions and tasks requiring special privileges can be performed after password authentication.
usermod -a -G sudo deploy
SSH Key pair Authentication
From the local device, execute the following command to log on to the server as the non-root user:
ssh deploy@<server-ip>
This command asks for the deploy user's password and then logs you on to the server. Because password authentication is exposed to brute-force attacks, SSH logins to the server should use SSH key pair authentication instead.
Execute the following command on the local device to generate the ~/.ssh/id_rsa.pub (public key) and ~/.ssh/id_rsa (private key).
ssh-keygen
The private key is saved locally, and the public key is copied to the server:
# Note: the trailing colon is required
scp ~/.ssh/id_rsa.pub deploy@<server-ip>:
Log on to the server, make sure that the ~/.ssh folder exists, and if it does not, execute the following command to create the ~/.ssh folder.
mkdir ~/.ssh
# Create the authorized_keys file
touch ~/.ssh/authorized_keys
# This file holds the public keys allowed to log in to this server; execute the following command to append the newly uploaded public key to it
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
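The mkdir, touch and cat steps above work, but sshd will silently ignore the key if ~/.ssh or authorized_keys is writable by anyone other than the owner (StrictModes, the default), and re-running the steps duplicates entries. The function below is an added shell example, not part of the original tutorial: it takes the uploaded key file and the target .ssh directory as parameters (so it can be exercised against a scratch directory), refuses a file that is not an OpenSSH public key, sets the permissions sshd expects, and appends the key only once. The key in the demo is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not from the original tutorial). On the server you would run:
#   install_pubkey "$HOME/id_rsa.pub" "$HOME/.ssh"
install_pubkey() {
    pubkey="$1"   # the file uploaded with scp, e.g. ~/id_rsa.pub
    sshdir="$2"   # normally ~/.ssh
    authkeys="$sshdir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key. This catches
    # the classic mistake of uploading id_rsa (the private key) instead.
    grep -qE '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) ' "$pubkey" || {
        echo "$pubkey does not contain an OpenSSH public key" >&2
        return 1
    }

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or the file is writable by anyone but the owner, so set the
    # permissions explicitly instead of relying on the umask.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # Append only if this key (compared by its base64 body, field 2) is not
    # already present, so re-running the step never duplicates entries.
    keybody=$(cut -d' ' -f2 "$pubkey")
    if grep -qF -- "$keybody" "$authkeys"; then
        echo "key already present in $authkeys"
    else
        cat "$pubkey" >> "$authkeys"
        echo "key added to $authkeys"
    fi
}

# Number of keys currently authorized for the account: a quick audit of who
# can log in, worth checking whenever a server is handed over.
authorized_key_count() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/authorized_keys"
}
```

After installing the key, test it from a second terminal on the local device (ssh deploy@<server-ip> should no longer ask for the deploy password) before disabling password authentication in the next step.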
Disable password login and prevent the root user from logging in
Open the /etc/ssh/sshd_config file in a text editor, locate the PermitRootLogin setting and change its value to no. Then locate the PasswordAuthentication setting and change its value to no. Enter the following command in the terminal window for the change to take effect:
sudo service ssh restart