LAMMP Web or App Server Setup

Note: Ubuntu 14.04 and 16.04 were used, but this should work on most Debian derivatives, and the RedHat/CentOS approach (yum install) follows very closely as well.

This is less of a blog post and more of a how-to, brought about by recent activities on AWS.  Using MSMTP in particular was a new discovery: it allows php.ini’s sendmail_path directive to point at MSMTP instead of sendmail to send mail from a LAMMP server.  This means you don’t need to run Postfix on the server in order to relay mail.  You simply configure an SMTP email account such as noreply@yourdomain.com, and all mail from your app server is sent from that account.

Running Postfix as a relay comes with other hoops to jump through, and MSMTP avoids all of them for an easy app server setup.  Note that Postfix is pulled in as a dependency of mailutils, so be aware of that and be ready to deal with Postfix being installed if you go that route.

I recommend that once you have this LAMMP server set up, you save off a snapshot (known as an AMI in AWS) so you never have to do it again.

Amazon Web Services will give you a free “micro” instance for a year, so go check it out!  Build the app server, then host your own WordPress web site for free for a year.  Email server administration, further server hardening, and DNS setup in AWS (known there as Route 53, because DNS typically runs on port 53) are good topics for a later date.

If you have an SMTP email account, it can be used to send all emails from your web site.  This setup works with your existing SMTP email service provider and lets emails be sent seamlessly from any form plugin for WordPress (or another CMS).  It can also be done in PHP with the built-in mail() function.  Additionally, the command-line mail command should work too, as demonstrated at the bottom of the page.

sudo su  # become root
apt-get update  # update repos
apt-get install screen # ... Y and wait
screen # start screen so you're not stuck and can use Ctrl+A,D to detach and do other admin work
# INSTALL PREREQUISITES
apt-get upgrade # ... Y and wait, or use Ctrl+A,D and come back to check when it's done (screen -R to resume)
apt-get install gnustep-gui-runtime
apt-get install mailutils git gettext texinfo
# INSTALL MYSQL
apt-get install mysql-server mysql-client  # install DB, make sure to set and store mysql root password
mysql_install_db  # initial mysql setup
mysql_secure_installation # secures mysql install; prompted for mysql root password
# INSTALL APACHE
apt-get install apache2 # next apache2
a2enmod rewrite  # enable the rewrite module used by WordPress; also edit apache2.conf and set AllowOverride All so .htaccess files are honoured
# INSTALL PHP
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install libapache2-mod-php5.6
# ADD PHP MODULES
apt-cache search php5.6-  # to see if any other PHP modules may be needed by the app, then apt-get install them
# FOR EXAMPLE (adjust as needed)
apt-get install php-apcu php-gettext php-mbstring php-auth php-doc php-codesniffer php-geoip php-imagick php5.6-intl php5.6-mcrypt php5.6-mysql php5.6-curl php5.6-gd php5.6-dev
# PHPMYADMIN - TODO: configure advanced features to enable routines, and advanced relations views
apt-get install phpmyadmin  #install phpmyadmin (choose apache and NO to dbconfig-common)
# NEXT edit apache2 config files
vim /etc/apache2/mods-enabled/dir.conf  # (nano if no vim); change index.php to be first in list
service apache2 restart  # restart/reload apache2 anytime you touch a config file
# A BIT OF HARDENING: GO HERE FOR MORE: https://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/
dpkg-statoverride --update --add root sudo 4750 /bin/su # limit su access to sudo group only
# fail2ban needs to be configured, see source 5 for solid instructions
apt-get install xtables-addons-common iptables-persistent fail2ban
# HERE WE BLOCK KNOWN HACKER COUNTRIES IN OUR FIREWALL
cd /usr/local/src/
/usr/lib/xtables-addons/xt_geoip_dl  # downloads to csv files (may have to unzip?)
aptitude install libtext-csv-xs-perl
mkdir /usr/share/xt_geoip
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv # to test: iptables -m geoip --help
iptables -A INPUT -m geoip --src-cc KR,CN,IN,RU,SA,TR,VN,UA,BR,VE,PK,JP,DE,IT -j DROP
iptables-save > /etc/iptables/rules.v4  # make sure to save them so they are there on start-up after reboot
#see next script

The sendmail_path directive in your php.ini (which typically lives in /etc/phpX/apache2/php.ini, where X may or may not be a version number) should look as follows.  Change what comes after -C to reflect where you want the per-host config to live; for a single host running in the default spot, this will do.  Configure this after running the next script, to make sure the /etc/msmtprc file has been properly created.

sendmail_path = /usr/bin/msmtp -C /etc/msmtprc -t

Next, copy and paste the following script to a file named setup-msmtp-for-smtp.sh (or whatever you want) and run it.  It will prompt you through setting up msmtp.  This example uses GoDaddy, and mileage may vary with other SMTP hosts; you may find that you have to adjust it for your needs.  There are no guarantees on any of this, so use and run at your own risk.

#!/bin/bash
# bash rather than sh: on Ubuntu /bin/sh is dash, whose read has no -p or -s option
# Sending emails using smtp and msmtp on ubuntu (original https://gist.github.com/JosefJezek/6194563)
sudo apt-get update -q
sudo apt-get install msmtp-mta ca-certificates heirloom-mailx -yq
if command -v zenity >/dev/null; then
  ACCOUNT=$(zenity --entry --title="Smtp account name" --text="Enter the isp's name:")
  SMTP_HOST=$(zenity --entry --title="Smtp hostname" --text="Enter your smtp server's hostname (mail.myhost.com):")
  SMTP_PORT=$(zenity --entry --title="Smtp port" --text="Enter your smtp server's port (25):")
  SMTP_USER=$(zenity --entry --title="Smtp username" --text="Enter your smtp username with domain (username@host.com):")
  SMTP_PASS=$(zenity --entry --title="Smtp password" --text="Enter your smtp password:" --hide-text)
else
  read -p "Smtp account name (e.g., godaddy):" ACCOUNT
  read -p "Smtp hostname:" SMTP_HOST
  read -p "Smtp port (25):" SMTP_PORT
  read -p "Smtp username with domain (username@host.com): " SMTP_USER
  read -s -p "Smtp password: " SMTP_PASS; echo   # -s so the password is not echoed to the terminal
fi
echo # an empty line
if [ -z "$ACCOUNT" ]; then echo "No account given. Exiting."; exit 1; fi
if [ -z "$SMTP_HOST" ]; then echo "No smtp server given. Exiting."; exit 1; fi
if [ -z "$SMTP_PORT" ]; then echo "No smtp port given. Exiting."; exit 1; fi   # TODO: validate integer
if [ -z "$SMTP_USER" ]; then echo "No email user given. Exiting."; exit 1; fi
if [ -z "$SMTP_PASS" ]; then echo "No email password given. Exiting."; exit 1; fi
sudo tee /etc/msmtprc >/dev/null <<__EOF
# Accounts will inherit settings from this section
defaults
auth on
tls on
# WARNING: certcheck off means the SMTP server's certificate is never verified,
# so the session can be intercepted; set it to on and enable the trust file below
# once your provider's certificate chain validates against the system CA bundle
tls_certcheck off
# tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
# A simple smtp host email address setup
account $ACCOUNT
host $SMTP_HOST
port $SMTP_PORT
from $SMTP_USER
user $SMTP_USER
password $SMTP_PASS
# Set a default account as ours
account default : $ACCOUNT
__EOF
sudo touch /var/log/msmtp.log
sudo chown www-data:www-data /var/log/msmtp.log
sudo chmod 600 /etc/msmtprc
sudo chown -R www-data:www-data /etc/msmtprc
HOST=$(hostname)
sudo mail -vs "Email relaying configured at ${HOST}" $SMTP_USER <<__EOF
The msmtp service has been configured to use host '${HOST}'.
__EOF
echo "Test email sent to $SMTP_USER"
echo "Please check your inbox."
#
  1. source
  2. source
  3. source
  4. source
  5. source
  6. source
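The script above writes /etc/msmtprc with tls_certcheck off, so msmtp will accept whatever certificate the SMTP host presents, and it stores the SMTP password in clear text. The following bash functions are an added example, not part of the original post or the gist it is based on: one audits a given msmtprc for that setting, for a missing (or commented-out) trust file and for a file mode looser than 600, and the other writes a hardened variant of the same template with certificate checking on. The config path is a parameter so the functions can be run against a constructed sample rather than the live file.

```shell
#!/bin/bash
# Audit and hardening helpers for an msmtp config (added example, not from the post).

# audit_msmtprc FILE: print each finding, return 0 only when there are none.
audit_msmtprc() {
  local cfg="$1" findings=0 mode
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }
  # The file holds the SMTP password in clear text, so only the owner may read it.
  mode=$(stat -c '%a' "$cfg")
  if [ "$mode" != "600" ]; then
    echo "mode $mode: expected 600, file contains the SMTP password"
    findings=$((findings + 1))
  fi
  # With certificate checking off, any host that answers on the port is trusted.
  if grep -Eq '^[[:space:]]*tls_certcheck[[:space:]]+off' "$cfg"; then
    echo "tls_certcheck off: the server certificate is never verified"
    findings=$((findings + 1))
  fi
  # A commented-out trust file (as in the post's template) counts as missing.
  if ! grep -Eq '^[[:space:]]*tls_trust_file[[:space:]]+[^[:space:]]' "$cfg"; then
    echo "no active tls_trust_file: certificate checking has nothing to check against"
    findings=$((findings + 1))
  fi
  grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$cfg" || { echo "tls is not on"; findings=$((findings + 1)); }
  [ "$findings" -eq 0 ]
}

# write_hardened_msmtprc OUT ACCOUNT HOST PORT USER PASS: same layout as the post's
# template, but with certificate checking on against the system CA bundle (the
# ca-certificates package installs it) and the file created owner-only from the start.
write_hardened_msmtprc() {
  local out="$1" account="$2" host="$3" port="$4" user="$5" pass="$6"
  ( umask 077; cat >"$out" ) <<__EOF
defaults
auth on
tls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account $account
host $host
port $port
from $user
user $user
password $pass
account default : $account
__EOF
  chmod 600 "$out"   # also tighten the mode if the file already existed
}
```

Run audit_msmtprc /etc/msmtprc after the setup script to see which of the three findings apply to the live file; the hardened writer takes the same values the setup script prompts for.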

Further steps would be to harden the server with ModSecurity for Apache, among other measures.  The blog entry on hardening Ubuntu server linked in the hardening comment above (https://blog.mattbrock.co.uk/hardening-the-security-on-ubuntu-server-14-04/) is a great place to start.

Note

  • You can also use SSMTP in place of MSMTP.

Doc Version 1.1
Revision History
  • 1.1 – Updated Jan. 4, 2017 – Updated to reflect the new repository (ppa:ondrej/php) and PHP 5.6 instead of PHP 5. Added php-gettext and php-mbstring to the default PHP package list to satisfy phpmyadmin’s dependencies. Now works with Ubuntu 16.04.