
Own server on DigitalOcean

15.9.2018 10.59

Make an account on https://www.digitalocean.com/ (or use a Google account). Sign in and go straight to “Droplets” in the sidebar.

Here choose the newest LTS version of Ubuntu, which at the time of writing is 18.04. Take the smallest package, with 1 GB of RAM at $5/month.

If you are not setting up a real production server, just skip backups and block storage. They cost extra. Pick the server location closest to you or your customers. We don’t need additional options for this one. You can add them later if you need them.

SSH keys should be created for maximum security. You can make them on Windows with PuTTYgen https://putty.org/. While the keys are being generated, move your mouse around; PuTTYgen uses the movement as randomness for the cryptographic key. Save the public and private keys, protecting the private key with a password. Paste the public key string into DigitalOcean’s SSH keys. After that just choose a host name if you like and click Create.

Then open the actual PuTTY program (not PuTTYgen). In PuTTY, put your droplet IP in the first screen.

Put root as the login name under Connection > Data.

And give the private SSH key under Connection > SSH > Auth.

Then just click Open and we’re in! (Give the SSH key decryption password if asked.) After logging in you should make a new sudo user and lock the root user.

$ sudo adduser Akseli

$ sudo adduser Akseli sudo

$ sudo adduser Akseli admin

$ sudo adduser Akseli adm

To lock the root user’s password, as described in https://help.ubuntu.com/14.04/serverguide/user-management.html, run

$ sudo passwd -l root

 

Side note ssh user?

16.9.2018 12.16

Now that the root password is locked, I tried to log in with the newly created “Akseli” user, but PuTTY said that the SSH key was refused. So I tried root again and it let me in. I guess that you can still sign in as root with an SSH key? I’m not sure how to sign in now as Akseli using only SSH. So in this blog we will just change the user to Akseli with “$ su Akseli”.

Installing firewall and update

To update everything to the latest version and enable the firewall, run

$ sudo apt update && sudo apt upgrade -y

$ sudo ufw enable

Then we need to open the ports for SSH and the Apache web server with sudo ufw allow (you can also use “ssh” and “http” instead of the numbers).

$ sudo ufw allow 22

$ sudo ufw allow 80

$ sudo ufw enable

Installing Apache

Just

$ sudo apt install apache2 -y

Make a public_html folder in your home folder (as your own user, not root).

$ mkdir public_html

Enable user folders in Apache

$ sudo a2enmod userdir

Change the default website folder to the folder you just created with

$ sudoedit /etc/apache2/sites-available/000-default____ (press Tab to complete the right file name)

And restart Apache with

$ systemctl restart apache2

Side note 2 users?

I wrote systemctl restart apache2 and this happened

Adding domain to your server

We use free subdomains from https://freedns.afraid.org. Just log in, go to the Subdomains section, add the name you want and paste your server IP into it. Easy as that.

Now our server answers at http://firstwebsite.chickenkiller.com/ and also at http://copy.chickenkiller.com/

ATTACKS ATTACKS ATTACKS!

If you look at the system log in /var/log/syslog, you will see that your precious little Apache server gets attacked almost immediately. You can check where the attempts originate from with https://www.geoiptool.com/
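An added example (not part of the original post): a small shell script that summarizes the blocked connection attempts, assuming ufw logging is on so that dropped packets appear as [UFW BLOCK] lines in /var/log/syslog. The function names and the sample log lines (documentation-range IP addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ufw logging is on, so
# dropped packets are written to syslog as "[UFW BLOCK] ... SRC=... DPT=...".

# Constructed sample lines (documentation-range addresses), trimmed to the
# fields the parser uses. The last line is unrelated noise.
sample_syslog() {
    cat <<'EOF'
Sep 16 12:01:13 droplet kernel: [ 101.1] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 SYN
Sep 16 12:01:15 droplet kernel: [ 103.2] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Sep 16 12:02:40 droplet kernel: [ 188.9] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=3389 SYN
Sep 16 12:03:02 droplet kernel: [ 210.4] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep 16 12:03:10 droplet systemd[1]: Started Session 12 of user root.
EOF
}

# Print "count source_ip dest_port protocol" per blocked flow, busiest first.
# Reads the files given as arguments, or stdin when there are none.
ufw_block_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = ""; dpt = "-"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # absent for ICMP
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Print "count source_ip": total blocked packets per source address.
ufw_top_sources() {
    ufw_block_summary "$@" |
        awk '{ n[$2] += $1 } END { for (s in n) print n[s], s }' |
        LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample. On the server: ufw_top_sources /var/log/syslog
sample_syslog | ufw_top_sources
```

On Ubuntu, reading /var/log/syslog needs sudo or membership in the adm group, which the user created earlier already has.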

Adding letsencrypt SSL to the website

17.9.2018 14.11

I’m following the tutorial on https://certbot.eff.org/lets-encrypt/ubuntubionic-apache for the certbot letsencrypt automation and renewal.

$ sudo apt-get update

$ sudo apt-get install software-properties-common

$ sudo add-apt-repository ppa:certbot/certbot

$ sudo apt-get update

$ sudo apt-get install python-certbot-apache

$ sudo certbot --apache

The last command will ask you questions such as your email address and which domain you want the SSL certificate for.

After that we need to go back to the firewall to open the HTTPS port 443 with

$ sudo ufw allow https

$ sudo ufw enable

To test that automatic Let’s Encrypt renewal works, you should run

$ sudo certbot renew --dry-run

Now we have two domains pointing to the same website: https://copy.chickenkiller.com/ has forced encryption enabled, and http://firstwebsite.chickenkiller.com/ doesn’t have HTTPS support at all.

 

Sources:

Assignment: http://terokarvinen.com/2017/aikataulu-%e2%80%93-linux-palvelimet-ict4tn021-7-ti-ja-6-to-alkukevat-2018-5-op I did assignment parts a)-i) and N)

Hosting site: https://www.digitalocean.com/

Putty: https://putty.org/

Lock root user: https://help.ubuntu.com/14.04/serverguide/user-management.html

Free (sub)domain: https://freedns.afraid.org

GeoIP: https://www.geoiptool.com/

Letsencrypt: https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
