Getting Logged In

The following is a post laying out my learnings from setting up a basic Wordpress blog and LAMP stack as part of Privasec’s Hackcelerator Program.

I began my journey by simply SSHing into the provided VPS.

ssh root@my-ip

While I hadn’t had any prior experience with hardening a Linux server, what I did have was an almost instinctual fear of the root account that had been instilled within me by a number of previous Arch install attempts that had gone catastrophically wrong. So based on this alone, I knew my first order of business would be to set up a new account.

useradd cyrus 

Under a minute in and I had already screwed up. After a few minutes of prodding around and wondering why my new account wasn’t working, I realised I had forgotten the -m flag and had thus left my poor new user without a humble directory to call home. I deleted my homeless user, swallowed my pride and began following the steps provided in the Hackcelerator guide.

I added my user.

adduser cyrus

And then added that user to the sudo group.

adduser cyrus sudo

I then switched to that user, added a password and breathed a sigh of relief before updating the packages on my machine.

su cyrus
sudo paswd cyrus
sudo apt update
sudo apt upgrade

I then went back to my own machine and copied over my ssh public key to this new account.

ssh-copy-id cyrus@my-ip

Following the guide had already taught me something new about this process, I previously had no idea ssh-copy-id actually existed and had always copied my keys using scp instead, this new method is significantly more convenient.

My next course of action was to set up a domain name for my server, primarily so I didn’t have to keep copying and pasting my IP every time I wanted to login to it. This process was relatively simple, I started off by following the provided guide, but quickly found that the process of setting up a DNS record on No-IP was pretty intuitive even without the guide.

Setting Up LAMP and Wordpress

With my DNS record set up, I then set about the pretty full on task of setting up my LAMP server and Wordpress. This was a fairly involved process so I won’t go into a massive amount of detail other than to list the guides I followed and some of the things I learned from them.

Initial Set Up

I followed this guide to ensure my server was properly set up. Whilst following this guide I learned the basics of using Uncomplicated FireWall to set up firewall rules on a Linux machine, something I had not previously known how to do. Key commands I learnt included:

ufw app list # Listing available firewall rules for installed applications

ufw allow * # Adding an allow rule

ufw delete * # Deleting a firewall rule

ufw enable # Activating the firewall rules

ufw disable # Disabling the firewall rules

ufw status # Showing currently active firewall rules

LAMP Set Up

To set up my LAMP stack I followed this guide, I took the following steps.

Installing Apache

sudo apt update
sudo apt install apache2 # Installing the Apache2 packages
sudo ufw app list # Viewing available Apache firewall rules
sudo ufw allow in "Apache" # Adding a firewall rule for Apache

Navigating to my domain name revealed a sight for sore eyes.

Installing MySQL

sudo apt install mysql-server
sudo mysql_secure_installation
sudo mysql

And just like that, MySQL is installed. Installing php was another fairly simple process:

sudo apt install php libapache2-mod-php php-mysql
php -v # Check installation

Configuring All of The Above

This process was… rather involved. It essentially involved involved configuring a directory that Apache could use to host my website that wasn’t 000-default and then checking all my configs were correct. I found this experience to be quite valuable, my main experience with HTTP servers prior to this had mainly been with Flask so it was insteresting to see how this process is handled by slightly more widely used software.

Setting Up HTTPS via Let’s Encrypt

This was definitely one of biggest things I learnt while setting up my server. While I was previously aware of how certificates and HTTPS worked, I had never been fully aware of how you actually acquire and configure and HTTPS certificate. The following are the basic steps I followed to set up a certificate with certbot.

sudo apt install certbot python3-certbot-apache # Acquiring the cerbot packages
sudo vim /etc/apache2/sites-available/your_domain.conf # Checking Apache configuration is correct
sudo certbot --apache # Acquiring our SSL certificate

The process was considerably more simple than I had expected, although I did run into one issue with my Apach config file, it turned out the your_domain referred to the whole address for your website, not just your subdomain. I also set up the certificate auto renewal service as follows.

sudo systemctl status certbot.timer
sudo certbot renew --dry-run

Setting up Wordpress

Finally, I was ready to actually set up Wordpress itself, to do this I followed this guide. Again, this was another fairly involved process, but the basic steps were as follows:

1. Configuring MySQL for use with Wordpress
2. Installing the necessary PHP extensions
3. Configuring Apache so the Wordpress can access .htaccess
4. Downloading and configuring Wordpress
5. Setting up Wordpress via the web interface

The thing that struck me most about this installation process was just how complex it was and how much configuration needed to be done. A lot of the time I found myself making configurations that I wasn’t entirely clear on the purpose of. The most prominent example of this was using the key generator, I vaguely understood the purpose of the instructions, but I still wasn’t entirely clear on the ramifications of what I was actually doing by taking keys from the Wordpress API and adding them to my config file, this is definitely something I’d like to take the time to look at with a bit more depth.

The ultimate lesson I learned from this exercise was just how difficult it is to both set up a web server and ensure you’re doing it securely. My confidence in my server’s security can only really extend as far as my confidence in the guides I was given and that was as someone who was setting up the server with security as front of mind. I can easily imagine how the average web administrator may make misconfigurations and frankly I wouldn’t be able to blame them. An important lesson in the necessity of dedicated security experts, as well as the importance of empathy for the poor web admins who are regularly subjected to this inhumane installation process.