Server Management for Beginners


You may have noticed over the last few years the rise of companies focused solely on WordPress hosting like WPEngine, Flywheel and Pagely. While these services are awesome, they can be a tad on the pricey side when compared to a Virtual Private Server (VPS).

In part one of this series, I will go over the main steps to setting up and managing your own server. You can think of this tutorial as a prequel to Ashley’s series, with a little more explanation of some of the details and tailored more towards a beginner.

Setting up Linode

For this tutorial we’re going to use Linode, as it’s affordable and fairly easy to set up. They actually have a promo code you can use for a $10 discount, essentially paying for your first month. Bonus!

Use promo code DOCS10 for $10 Credit on a new account.

Alright, so the very first thing we’ll need to do is create an account at Linode. Once you have created an account, start with the Getting Started tutorial they provide. We are going to follow this guide, highlighting some of the key parts along the way.

When setting up your Linode, start with the lowest end for now (Linode 2048). You can always resize your Linode if you need more resources down the line.

Once you’ve set up your account and created your first Linode, follow along with the steps in the Getting Started guide, selecting Ubuntu 16.04 LTS as the image to start from. An image is just a pre-configured ‘snapshot’ of an operating system that is specifically tailored to work in Linode’s VM environment.

Like Ashley recommends in his tutorial series, we’re going to use Ubuntu for our server, version 16.04 LTS to be specific. The Ubuntu distribution (or ‘distro’) is a good choice because it’s very popular, which means there are plenty of ‘Google-able’ support docs on the web.

We’ll use the entire disk for our server, so we’ll leave the defaults for the main disk and swap disk.

Finish off by entering a root password and clicking ‘Deploy’. Make sure to remember what that password is! Once that’s done click that ‘Boot’ button and get that server running!

SSH Access

Next up we’ll connect to our new server through SSH. SSH, or Secure SHell, is how you log in to your remote server. As Linode mentions, it’s an encrypted tunnel to your server.

We’ll follow Linode’s instructions to get connected as it varies depending on if you’re using a Mac or Windows PC. I’ll wait here while you do.


Hey you’re back, that was cool right!? Ok, so now that we’re connected to the server there are a few things we should do right off the bat. As Linode recommends, you’ll want to start by updating all your packages (software) on your server. In Linux-land, installed software is managed through a system called a ‘package manager’.

Like other operating systems you can download programs and install them manually, but the common method of adding software in Linux is by using the built-in package manager. There are several common package managers in use by the various flavors of Linux. On Debian-based distros (like Ubuntu), the package manager is called Apt.

To install the latest packages and updates run the following command:

apt-get update && apt-get upgrade

You’ll see a bunch of things go by on the screen, and you might get a prompt to confirm the installation of some updates. Enter Y and hit enter.


Did that go ok? Ok, great. Now on to the next step, setting the hostname!

So what do you want to call the server and what address do you want to use to access it? We’ll set a hostname for the server so it’s easier to remember when we log in. Note the name doesn’t have to have anything to do with the sites hosted on the server.

For our version of Ubuntu (16.04 LTS), the following command should be used to set the hostname.

hostnamectl set-hostname mars.petetasker.com

Obviously, replace mars.petetasker.com with your own hostname.

We’ll then update our /etc/hosts file with this address pointing to our server’s IP. The rules in this hosts file take higher priority than DNS, so if we refer to mars.petetasker.com on our own server this addition will let our server know what we’re talking about.

We’ll use the following command to update that file:

nano /etc/hosts

And add the following line, replacing the values with your IP and desired hostname used earlier:

0.0.0.0 mars.petetasker.com mars

As a side note, the editor we’re using here is called Nano, and it’s included by default on most Linux distros. It’s a beginner friendly text editor, so we’ll stick with it here. The great part about Nano is it includes the list of commands at the bottom of the editor window.

Ok, now that we have the hosts file updated, let’s update our own DNS so that we can access the server from anywhere. I won’t cover this step in detail here, but essentially this is adding an ‘A’ record with your DNS provider. I use Cloudflare to manage my DNS, so the setting looks like this:

Cloudflare

The next step is setting the timezone. Technically this is optional, but necessary if you want the time of the server to match your timezone. Updating the timezone is easy though, and can be done with the following command and then following the prompts:

dpkg-reconfigure tzdata

If you run the date command now you should see the correct time and date.

Security

We’ve covered a lot of ground so far, but we’re not done yet. Now we have a server that’s accessible on the internet, but it’s completely unsecured! Yikes! Let’s secure this puppy before we do anything else.

Ashley covers the steps for securing your server in his guide, and essentially the steps are as follows:

  1. Add a non-root user
  2. Disable password based login
  3. Disable root login
  4. Install other security tools

The Power of Root

The root user or ‘super user’ in Linux is like the ‘super admin’ role in other systems. The basic premise is that root can do anything on the server. In general, we don’t want to be logged in as root just to limit any accidental damage if we make a mistake. We can still be root temporarily by using something called ‘super user do’ (sudo). We’ll cover that a bit later.

Add a Non-root User

The first thing we want to do is create a user that isn’t root. Superman is awesome, so he’ll be our user.

adduser superman
mkdir /home/superman/.ssh
chmod 700 /home/superman/.ssh

Going over the above set of commands, one per line, we use adduser superman to create a new user named superman. This command will prompt you to enter values for the new user’s password and name. There are a few other values it prompts for, but feel free to leave those empty.


Next we use the mkdir (make directory) command to create the .ssh folder, inside the /home/superman folder.

In Linux, the home folder is normally where most user-specific config and settings are stored. This folder was created for us when we ran the adduser command above.

We then change the file permissions of the .ssh folder so that only the owner can access it. (As file permissions in Linux are a whole topic in their own right, I won’t cover them here.) The .ssh folder is where our SSH config settings are stored, so we’ll only allow the owner to access this folder. Permissions of 700 mean the owner has full read/write/execute access (7) and everyone else has no privileges to the folder (0).

Disable Password Based Login

Next up we’re going to take some steps to disable password-based login to the server and enable key-based authentication.

An SSH key pair is a much more secure way to authenticate with a remote server than a password. It consists of a private key that stays in the ~/.ssh folder on your local computer and a public key that’s placed on the remote server.

The first step to setting up key-based authentication is to copy your public key to the server. If you don’t have a key pair yet, create one by following this guide.

Once that’s complete, on your new server, run nano /home/superman/.ssh/authorized_keys to create the authorized_keys file. Then, copy the contents of your local ~/.ssh/id_rsa.pub file into this file. Save the authorized_keys file and run the following commands:

chmod 600 /home/superman/.ssh/authorized_keys
chown superman:superman /home/superman -R

The above commands set the permissions on the authorized_keys file so that it is only editable by superman, and change the ownership of superman’s home folder to, you guessed it, superman.

The authorized_keys file is just that, a list of authorized keys to your server. If you want to access the server from another computer just follow the steps above but add the public key from the new computer to the bottom of the authorized_keys file.
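As an added example (not part of the original article), the script below checks the ownership and modes set in the steps above. OpenSSH's StrictModes setting, on by default, makes sshd reject key logins when these paths have the wrong owner or are writable by group or others. The function name check_ssh_perms and the throwaway demo directory are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). Uses GNU stat, as on Ubuntu.
# check_ssh_perms HOME_DIR UID -> one line per problem; exit status 1 if any.
check_ssh_perms() (
    home=$1; uid=$2; rc=0
    check() {   # check PATH EXPECTED_MODE ("" = only reject group/other write)
        if [ ! -e "$1" ]; then echo "MISSING  $1"; rc=1; return 0; fi
        mode=$(stat -c '%a' "$1")     # octal mode, e.g. 700
        owner=$(stat -c '%u' "$1")    # numeric owner id
        [ "$owner" = "$uid" ] || { echo "OWNER    $1 uid=$owner expected=$uid"; rc=1; }
        # 022 masks the group-write and other-write bits; 0$mode is read as octal
        [ $(( 0$mode & 022 )) -eq 0 ] || { echo "WRITABLE $1 mode=$mode"; rc=1; }
        [ -z "$2" ] || [ "$mode" = "$2" ] || { echo "MODE     $1 mode=$mode expected=$2"; rc=1; }
    }
    check "$home" ""
    check "$home/.ssh" 700
    check "$home/.ssh/authorized_keys" 600
    exit "$rc"
)

# Constructed demo: a throwaway "home" whose authorized_keys is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys" && chmod 660 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" "$(id -u)" || echo "Fix the items above, then retry the key login."
rm -rf "$demo"
```

On the server, the equivalent call is check_ssh_perms /home/superman "$(id -u superman)", run as root.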

Now, let’s open a new terminal as the superman user (in case we get locked out), and see if we can log in without a password:

SSH Login

Nice! Ok, we’re almost there. A few more things to do!

Switch back to your terminal still logged in as root and run:

usermod -aG sudo superman

The usermod command is the command we use to edit an existing user in Linux. We’re using the -aG flag here to add the user to the sudo group.

Now, in your terminal logged in as superman, log out and log back in again. The permissions and groups should now be applied.

Disable Root Login

The last step is to disallow password and root logins.

To do this we’ll edit the SSH config file by running the following as superman:

sudo nano /etc/ssh/sshd_config

When prompted, enter your password for superman.

Notice now we have to use the sudo command here to make administrative changes? As I noted before, sudo lets us run a command as root, and since we’re no longer logged in as root, we need to use it here.

In the /etc/ssh/sshd_config file, the only lines you’ll need to edit are PermitRootLogin and PasswordAuthentication as below:

PermitRootLogin no
PasswordAuthentication no

Save and exit out of that file and then run sudo service ssh restart to apply the changes.

Now if you try to log in as root you should be blocked.
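As an added example (not part of the original article), the script below audits an sshd_config file for the two settings changed above. sshd uses the first value it reads for each keyword, so a new line appended below an existing one has no effect, and a Match block can set the keyword again for some users. The function names and the sample file are constructed for illustration, and the parser assumes plain whitespace-separated "Keyword value" lines.

```sh
#!/bin/sh
# Added example (not from the original article): audit sshd_config for the
# two settings edited above, before restarting ssh.

# sshd_global_value FILE KEYWORD -> first active value before any Match block
sshd_global_value() {
    awk -v want="$2" '
        $1 ~ /^#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_match_lines FILE KEYWORD -> line numbers where a Match block sets KEYWORD
sshd_match_lines() {
    awk -v want="$2" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == tolower(want) { printf "%s ", NR }
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 only if both keywords are globally "no"
audit_sshd_config() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_global_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw is '$val', expected 'no'"; rc=1
        fi
        lines=$(sshd_match_lines "$1" "$kw")
        [ -z "$lines" ] || echo "WARN $kw is set again inside a Match block, line(s): $lines"
    done
    return $rc
}

# Constructed sample: the new lines were appended instead of edited in place.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin prohibit-password' \
    '#PasswordAuthentication yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "Fix the file before restarting ssh."
rm -f "$sample"
```

On the server itself, sudo sshd -t checks the real file for syntax errors and sudo sshd -T prints the effective configuration. Run them before sudo service ssh restart and keep your existing session open until a fresh login as superman works.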


Install Other Security Tools

For the last two steps, I’ll let you follow the guide in Ashley’s article, as they’re fairly straightforward:

A firewall is an additional layer of security that can prevent unauthorized access to your server. It works by explicitly enabling and disabling certain ports on your server. For example, if you’re not running a mail server, there’s no need to keep the default mail handling ports open.

Fail2ban is a neat little program that automatically locks users out after too many failed login attempts.

I should note that this isn’t the be-all and end-all of security for your server, but serves as a good starting point. I do recommend you do your own homework and research server security best practices.

And that’s it for now! We’ve covered a lot of information so far, from selecting a host to enabling passwordless SSH access. Look at you go!

In part 2 I’ll go over installing PHP and MySQL so that you can actually get WordPress running up there.

What were some of the things you learned as a beginner setting up your server? Let us know in the comments below.

About the Author

Peter Tasker

Peter is a PHP and JavaScript developer from Ottawa, Ontario, Canada. In a previous life he worked for marketing and public relations agencies. Loves WordPress, dislikes FTP.