How to secure your Ubuntu server

As you may know, there are already many ways to secure an Ubuntu server depending on your environment and OS version. Double checking that you are secure does not hurt at all, but don’t go overboard and lock yourself out of your own server. I have been working with Ubuntu server since Ubuntu 5.04 back in 2007, but I have not done any post about it and was not using it as much as I am now. The Ubuntu Linux system has come a long way for sure; now even power users are starting to use the desktop version. For the most part the default security protects your server from any major attack. Many attacks come from within your own environment, or from a lazy admin or management who don’t want to pay for support or just keep postponing updates. Anyway, here is a list of tweaks I have been using and learning from other Linux admins on the internet.

Keep your server up to date:

sudo apt-get update         This will search for updates to your current version and the packages that are installed
sudo apt-get upgrade        This will install the updates and packages
sudo apt-get dist-upgrade   This will look for the newer next LTS version

Check supported Releases:
https://wiki.ubuntu.com/Releases

Remove unnecessary packages:

sudo apt-get autoremove
sudo apt-get purge NameOfPackage

Enable the built-in basic Uncomplicated Firewall (ufw), allowing only the service names or ports you need:

ufw allow ssh
ufw allow 80
ufw allow ftp

Disable telnet: very old, but I have seen people still using it
apt-get remove telnet

Check for hidden open (listening) ports with:

sudo netstat -tulpn

Set a shorter timeout for root sessions:

edit /etc/profile and add:
[ $UID -eq 0 ] && TMOUT=600
The $UID -eq 0 part refers to the user with ID 0, which is always root.
The TMOUT=600 (or 900) part sets the idle timeout to 10 to 15 minutes (600 to 900 seconds).

Change the default SSH port from 22 to something else and disable root login:

edit /etc/ssh/sshd_config:
Port 22 > Port 90xx or whatever port you want (don’t forget to add the new port to your firewall)
PermitRootLogin yes > PermitRootLogin no

Limiting which users are allowed to log in via SSH:

edit /etc/ssh/sshd_config to allow SSH login only for specific users.
At the bottom of the file, add a line with the user name and the IP of the device you are going to log in from, or just list the users: User1 User2, etc.
AllowUsers YourUserName@192.xxx.xxx.x
If you need a wildcard, to allow any user name from a given network:
AllowUsers *@192.xxx.xxx.*

You could also use a group:
Create the group:
groupadd -r SSHGroupName

Add the allowed group to /etc/ssh/sshd_config:
AllowGroups SSHGroupName

Then add the user to the group:
usermod -a -G SSHGroupName user1

service ssh restart

Add a login banner which is displayed before the user logs in:

edit /etc/issue.net
add your own warning message, which whoever logs in will see

Then edit /etc/ssh/sshd_config and uncomment the line:
Banner /etc/issue.net

Some more options to hide server info, by commenting out this line:

edit /etc/pam.d/sshd
session optional pam_motd.so motd=/run/motd.dynamic

Network messages to allow or disable (like ICMP, redirects, SYN, etc.):
edit /etc/sysctl.conf
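As an added example (not part of the original post), here is a small POSIX shell audit that checks the sshd_config settings from the sections above (port moved off 22, PermitRootLogin no, Banner) and the sysctl.conf network settings just mentioned. It runs against constructed sample files; the sysctl keys it checks (net.ipv4.conf.all.accept_redirects, net.ipv4.conf.all.rp_filter, net.ipv4.tcp_syncookies, net.ipv4.icmp_echo_ignore_broadcasts) are my choice of settings for redirects, spoofing, SYN floods and ICMP, not values the post lists.

```shell
# Added example, not from the original post: audit sshd_config and sysctl.conf
# against the settings described above. Constructed sample files are used so it
# runs offline; point the functions at the real /etc files on your own server.

# conf_get FILE KEY: print the first uncommented value of KEY (sshd honours the
# first occurrence of a keyword; Match blocks are not handled). Accepts both
# "Key value" (sshd_config) and "key = value" (sysctl.conf) syntax.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == tolower(k) && v == "" { v = $2 }
        END { if (v != "") print v }' "$1"
}

# audit_file FILE KEY EXPECTED [KEY EXPECTED ...]: print a FAIL line for each
# key that is unset or differs; the return code is the number of failures.
audit_file() {
    f=$1; shift; fails=0
    while [ $# -ge 2 ]; do
        got=$(conf_get "$f" "$1")
        if [ "$got" != "$2" ]; then
            echo "FAIL $f: $1 is '${got:-unset}', expected '$2'"
            fails=$((fails + 1))
        fi
        shift 2
    done
    return $fails
}

# Constructed samples: a hardened sshd_config, and a sysctl.conf that still
# accepts ICMP redirects and lacks the anti-spoofing / SYN-cookie settings.
SSHD_OK=$(mktemp); SYSCTL_WEAK=$(mktemp)
trap 'rm -f "$SSHD_OK" "$SYSCTL_WEAK"' EXIT
cat >"$SSHD_OK" <<'EOF'
#Port 22
Port 9022
PermitRootLogin no
Banner /etc/issue.net
EOF
cat >"$SYSCTL_WEAK" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_redirects = 1
EOF

[ "$(conf_get "$SSHD_OK" Port)" != 22 ] && echo "SSH moved off port 22"
audit_file "$SSHD_OK" PermitRootLogin no Banner /etc/issue.net && echo "sshd_config OK"
audit_file "$SYSCTL_WEAK" net.ipv4.conf.all.accept_redirects 0 \
    net.ipv4.conf.all.rp_filter 1 net.ipv4.tcp_syncookies 1 \
    net.ipv4.icmp_echo_ignore_broadcasts 1 || echo "sysctl.conf: $? setting(s) to fix"
```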

Blocking IP spoofing:

edit /etc/host.conf
change “multi on” to “nospoof on”

To turn off the server signature:

edit /etc/apache2/apache2.conf and add these 2 lines at the end of the config file. In most cases, when a user types a wrong URL or browses by IP address, Apache displays your web server info by default.
ServerSignature Off
ServerTokens Prod

service apache2 restart

Hide the PHP version:

edit /etc/php/7.0/apache2/php.ini (your version of PHP may be different):
expose_php = Off

You may have an older version of PHP:
/etc/php5/apache2/php.ini
expose_php = Off

Also, you could add to your .htaccess file:
# Disable server signature
ServerSignature Off

I will add more later on.



How to setup WordPress for website

WordPress is a very popular platform for websites and very easy to use. All you need is a web server that supports PHP, then set up a database. Download WordPress from https://wordpress.org/download/ to your web server and extract it.

To start, go to your domain URL to run the WordPress installation, select the language of your choice and click Continue

WordPress getting started: at this point set up the database and user name, which you will need on the next screen, then click Let’s go!

Fill in the database information, then click Submit

WordPress checks the connection with the database info you entered; if everything went well, click Run the installation

Welcome to your new site: fill in your website information and click Install WordPress

WordPress is successfully installed

That’s it, now just customize it the way you like and enjoy it
You may need to check some settings and update them

Recommended Permissions:

  • Directories: 0755
  • Files: 0644
  • owner: www-data

Here is a quick list of features which make it easy to customize your WordPress site:
It also has a new editor called “Gutenberg”, which is very easy to use; if you want to use it, click Install Gutenberg

Appearance> changes the look of your site, based on the theme
Themes – lists all your themes
Customize – brings you to your current theme for customizing
Widgets – lists all available widgets, which you can activate or disable
Menus – lists the menu options and lets you customize them
Header – brings you to your current theme to customize your header
Editor – brings you to the theme files


Settings> common settings changes for your site
General – Site Title, Tagline, URL, Timezone, etc.
Writing – Default Post Category, Format, etc.
Reading – Homepage displays, blog pages show options, search engine visibility, etc.
Discussion – Article, Comments, and other settings
Media – image size settings for uploads
Permalinks – URL link display settings
Privacy – set a custom policy page


Tools> some tools to deal with your data
Available Tools – list of tools
Import – options to import data into your WordPress
Export – options to export your data out of your WordPress
Export Personal Data – to export user data
Erase Personal Data – to erase user data

If you want the official version of the WordPress installation guide, you can find it here



osTicket installation on Ubuntu 16.04

osTicket is one of the great open source support systems, very easy to install and use. I have noted the whole process, a short version and a detailed version, with what you will need from start to finish. This installation is fresh, without any add-ons or customization, of osTicket version 1.10.1. I have written this installation based on Ubuntu 16.04 with Apache as the web server; it may work just fine with other versions of Ubuntu server or other flavors of Linux. I am assuming you have your web server and domain up and running without any issues. So, let’s get started

What you will need

  • Server requirements: you can get up-to-date requirements from the official osTicket docs, which are very well documented
    • PHP 5.6 (or better; I am going to be using PHP 7.0)
    • MySQL 5.0 (or better)
    • 2GB memory, recommended 4GB or more
  • Access to the web/database server via SSH
  • Access to the site files via FTP, SFTP, GUI, SSH, etc.

Getting the server ready to install osTicket:

Installing the requirements: you may need to add this repository to avoid errors. Log in to your web server via SSH.

Commands:
sudo apt-add-repository ppa:ondrej/php
sudo apt-get install php7.0-gd php7.0-imap php7.0-xml php7.0-mbstring php7.0-intl php-apcu

Downloading osTicket:

https://osticket.com/download/
Once you have downloaded it, extract it and upload it to the common location on your web server: /var/www/

Then set the permissions:

commands (make sure to change /var/www/ to your path):
sudo chown -R www-data:www-data /var/www/

Click Continue once you have fixed any issues; please correct them before going forward

Set up the osTicket database and give it full permissions using whichever tool you are comfortable with, then fill in the details and click Install now

If everything went well you should see Congratulations; then just change the permissions of your config file

You should be able to log in to your osTicket support system with the information you used earlier. See my notes below, where I have put in some common issues you may encounter when installing.

Notes and common errors/solutions:

You may need to do these if you get errors or need other settings changes


If you have not copied ost-sampleconfig.php to include/ost-config.php,
then you will get the following message


You will also need to make sure that ost-config.php has the correct permissions, otherwise you will get this message:


If you have already installed the PHP IMAP extension and it still gives you an error, take a look at your php.ini file (/etc/php/php.ini) and enable it by uncommenting:
;extension=imap.so
to
extension=imap.so


You may need to restart the web service for the changes to take effect:
sudo systemctl restart apache2


error: Valid CSRF Token Required (osTicket):
then you need to edit the file class.ostsession.php around line 191:
catch (DoesNotExist $e) {
    $this->data = new SessionData(['session_id' => $id]);
    $this->data->session_data = "";


error: PHP 7.2 compatibility issue (it is not recommended to use this version of PHP with osTicket 1.10.1 or 1.10.4; it should be supported in the new version 1.11)
then you need to edit the file class.ostsession.php around line 197:

if (!is_string($this->data->session_data)) {
    $this->data->session_data = strval($this->data->session_data);
}


These commands install the PHP 7.0 extensions manually, one at a time:
sudo apt-get install php7.0-gd
sudo apt-get install php7.0-imap
sudo apt-get install php7.0-xml
sudo apt-get install php7.0-mbstring
sudo apt-get install php7.0-intl
sudo apt-get install php-apcu


Make sure to protect your ost-config.php after the installation by changing its permissions:
sudo chmod 0644 /var/www/include/ost-config.php



Moving your WordPress site to new server via All-in-one WP Migration

Here is another way of moving your WordPress site to a new server. I had written one post called How to move your WordPress site to a new server, which was the manual way of doing it, without the use of any plugin like this one called All-in-One WP Migration. It’s a very simple process to do the move using this plugin; please make sure you have a good backup before doing anything. Like I said before, use whatever you feel comfortable with. As always, I do recommend doing a full backup of your site files and database, just in case you need to go back to it. In this post, I will go through the whole process of moving your WordPress site using the third-party plugin called All-in-One WP Migration. Remember, using this third-party plugin is easier, but be aware that it may have restrictions on functions or the size or type of database, which may change at any time.

I am assuming you already have a good working website, permissions, and backup. I will keep this simple and jump right into moving the site.

Install the plugin called All-in-One WP Migration by going to your WordPress admin panel and clicking on the Plugins tab > Add New

Search: all in one WP; once you find it click Install, then Activate it.

Then let’s create a backup using the new All-in-One WP Migration plugin, by clicking on Create Backup under the All-in-One WP Migration plugin

It will give you many options for where you want to back up to; I am going to select File

Once it finishes backing up it will give you the option to download it; click on it and save, then click Close.

In case you want to download the backup via FTP/SFTP, it is in: wp-content/ai1wm-backups

Then log in to the new WordPress site and install the same plugin

Now let’s import your data into the new site

Go to All-in-One WP Migration plugin > Import > File and find your backup

You will get a warning about overriding the existing site; if you are ready, click Proceed

Once it’s done, you should see a Success message

That’s it.



How to move your WordPress site to new server

There are many ways to move your WordPress site to a new server. Use whatever you feel comfortable with; there is no right or wrong way of doing it. I do recommend doing a full backup of your site files and database, just in case you need to go back to it. It’s a good idea to have more than one version of the backup and to keep the backups in a different location. We will go through the whole process of moving your WordPress site without using third-party tools. Using a third-party tool is easier, but be aware that it may have restrictions on functions or the size or type of database.

What you will need:

  • Internet access to download WordPress, go to https://wordpress.org/download/
  • Web server (I am using Apache)
  • Access to the web/database server (mostly it’s the same server, but it can be two different servers)
  • Access to the site files via FTP, SFTP, GUI, etc.
  • SSH access to the MySQL/web server

WordPress Requirements: “We recommend servers running version 7.2 or greater of PHP and MySQL version 5.6 OR MariaDB version 10.0 or greater”

Backup:

MySQL database export:
command: mysqldump -u UserName -p DatabaseName > databaseBackupName.sql

Setting up new WordPress:

Copy the WordPress installation files that you downloaded from WordPress.org to your web server (default location /var/www/Your_WordPress)

Give ownership to the web server system user www-data:
command: chown -R www-data:www-data /var/www/Your_WordPress/

Go to the URL of your WordPress; if everything is correct you should see the installation screen. Choose your language, then click Continue

If you have any errors, correct them, then click Let’s go

Log in to your MySQL server and create a database:

command: create database wpdb_name;

Grant access to the new database:

command: grant all privileges on wpdb_name.* to UserName@localhost;
command: flush privileges;
Then you can exit

Go to the URL of your WordPress and fill in the database name, username, password, and hostname, then click Submit

If all is good, you should be able to click “Run the installation”

Fill in the information, then click Install WordPress

If everything went well you should see the Success screen; click Login

Log in to your fresh WordPress installation to make sure it is all up to date

Now let’s import the database into your WordPress, so you get your data:

Log in to your web server or SSH to it, then run this command to import the database:
mysql -u SQLuserName -p NameOfDataBase < /LocationOfBackUPDatabase/WordPressDataBase.sql

Then update the URL:

Otherwise you will get: HTTP ERROR 404

Then log in to your MySQL:
command: use NameOfWordPressDB;
WordPress Address (URL):
command: mysql> update wp_options set option_value = 'http://URLofYourSite/' where option_id = 1;

Site Address (URL):
command: mysql> update wp_options set option_value = 'http://URLofYourSite/' where option_id = 2;

Check to verify that the changes were made:
command: mysql> select * from wp_options where option_value = 'http://URLofYourSite/';

Image URL update:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'https://OldDomain', 'https://NewDomain');

To exit, type \q:
command: mysql> \q

Or

If you want to hard code it, put these at the top of wp-config.php:

define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

Or via GUI admin panel:
/wp-admin/options-general.php

If you have custom themes, you need to copy them to the new site:

Default location: wp-content/themes

Don’t forget to copy the media (images/videos you may have):

Default location: wp-content/uploads

Also, if you have hard-coded any URLs within your site, you will have to update them; all the posts and any internal URLs should be updated automatically

You may have issues with links not redirecting;
in your .htaccess you may have to change the path to make it work.
Example: if your site is at https://YourDomainName.com/public_html/
then you will need to put /public_html/, because by default it only has /

That should be it, hope you find this useful