Set up Ubuntu as a Linux cheat sheet and https server

Introduction

I wrote down, for my own use, what is needed to set up a server on Linux (Ubuntu). In other words, this is just about setting up a server on Ubuntu. The arrangement is a bit odd because it was written for myself: the first half is a cheat sheet of Linux itself, and the second half covers the web server/Apache.

About Linux

Linux is operated through the shell. Shell ≠ OS, shell ≠ kernel. The shell is the user interface, a separate program that sits on top of the kernel at the core.

Nested shells

sh (start a shell) → bash (start another shell inside it) → exit (leave the inner shell) → exit (same, one level up) → exit (the login session ends when the login shell itself exits)

echo Hello →Hello

Linux structure

Almost everything on Linux is treated as a file. Devices are also accessed through files.

/bin    command executables
/dev    device files (the equivalent of drivers in Windows)
/etc    various configuration files (roughly the Windows folder on Windows)
/home   each user's home directory
/sbin   executables for administrator commands
/tmp    temporary files; cleared on reboot or periodically depending on the distribution, so do not put important files here
/usr    has its own bin, sbin, etc. as subdirectories; applications are placed here
/var    directory for various variable data (logs, spool, and so on)

To move around directories use pwd (show the current location), cd (move) and ls (list files). cd arguments can be completed with Tab; with no argument it returns to the home directory. ls is convenient combined with pathname expansion (*, ?). Options: -l show attributes, -a show hidden files, -F show the file type.

mkdir      create a directory
touch      its real job is to update a file's timestamp, so it creates the file if it does not exist and never overwrites an existing one; safe to use
rm / rmdir   delete a file / an (empty) directory
cp / mv    copy / move files; add -r to handle a directory recursively
find       search for files by walking the directory tree
locate     searches a prebuilt index, so it is fast; on Ubuntu install it with sudo apt-get install mlocate

bash operation

Ctrl+K cuts to the end of the line, Ctrl+U cuts to the beginning of the line, and Ctrl+Y is "yank" (paste what was cut).

If the screen freezes because you pressed Ctrl+S, resume it with Ctrl+Q. Ctrl+C force-terminates the running command. If the display is corrupted, try Ctrl+L to redraw the screen → the reset command → log in again.

Tab requests input completion; if there are several candidates, pressing it again lists them.

You can walk through the history with the arrow keys or Ctrl+P / Ctrl+N, and search it with Ctrl+R. While searching: Enter executes the found command, Esc leaves it on the command line for editing, and Ctrl+G abandons the search.

--help shows a command's help. man command shows its manual page; man -k keyword searches for related commands. Prefixing a command with LANG=C runs it with English messages, so you can read the English help.

vim (text tool)

:q     quit
:w     save the file; with a file name as argument, save under that new name
:q!    quit without saving
i      start insert mode
Esc    leave insert mode

h j k l        move the cursor
x / J          delete a character / join lines (delete the line break)
w / b          move forward / backward word by word
0 / $          move to the beginning / end of the line
gg / G / NG    move to the first line / the last line / line N
y / d / p      copy (yank) / cut (delete) / paste
u / Ctrl+R     undo / redo

/pattern              search; n jumps to the next match, N to the previous one
:%s/before/after/g    replace every occurrence in the file

vimtutor / :help      tutorial / built-in help

Linux behavior

File/directory permissions

A file has an owner, a group, and permissions that control read, write and execute for the owner (u), the group (g) and others (o). Directories carry the same three bits: r lists the entries, w creates and removes entries, x allows entering the directory. Note that whether a file can be deleted depends on the write permission of its directory, not on the file's own permissions. Change permissions with chmod [u/g/o/a][+/-/=][r/w/x] filename.
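As an added example (not code from the original article), the script below exercises chmod's symbolic modes and shows the deletion rule: a read-only file in a writable directory can be removed, while the same file in a directory without the write bit cannot. Everything happens in temporary directories, so nothing on the system is touched.

```shell
#!/bin/sh
# Added example (not from the original article): chmod's symbolic modes, and
# why deleting a file depends on the directory's write bit rather than the
# file's. Everything happens in temporary directories.
set -eu

# Octal mode of a path, e.g. 640.
mode_of() {
    stat -c %a "$1"
}

# Apply three symbolic chmod operations to a fresh file and print the mode
# after each one.
chmod_demo() {
    dir=$(mktemp -d)
    f="$dir/secret.txt"
    : > "$f"
    chmod 664 "$f"           # start from a known state: rw-rw-r--
    chmod g-w,o-rwx "$f"     # '-' removes bits: group loses w, others lose all -> 640
    mode_of "$f"
    chmod u+x "$f"           # '+' adds bits: owner may execute                 -> 740
    mode_of "$f"
    chmod a=r "$f"           # '=' sets exactly: everyone read-only             -> 444
    mode_of "$f"
    rm -rf "$dir"
}

# A read-only (444) file in a writable directory: rm -f removes it, because
# unlinking only needs write permission on the directory.
delete_in_writable_dir() {
    dir=$(mktemp -d)
    f="$dir/readonly.txt"
    : > "$f"; chmod 444 "$f"
    if rm -f "$f" 2>/dev/null; then echo deleted; else echo blocked; fi
    rm -rf "$dir"
}

# The same file in a directory without the write bit: rm fails for a normal
# user. (root ignores permission bits, so as root this prints "deleted".)
delete_in_readonly_dir() {
    dir=$(mktemp -d)
    f="$dir/readonly.txt"
    : > "$f"; chmod 444 "$f"
    chmod 555 "$dir"
    if rm -f "$f" 2>/dev/null; then echo deleted; else echo blocked; fi
    chmod 755 "$dir"; rm -rf "$dir"
}

chmod_demo
delete_in_writable_dir
delete_in_readonly_dir
```

Run it as a normal user to see "blocked" on the last line; the owner of a file cannot protect it from deletion by giving the file mode 444 if the directory stays writable.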

Superuser

The superuser (root) can operate on any file, including system files. Therefore, work as a general user as a rule and use superuser rights only when necessary, through sudo. Which general users may use su/sudo is set in /etc/sudoers; edit it with the special command visudo, which checks the syntax before saving so that a typo cannot lock you out.

Process/Job

A program loaded in memory and running is called a process. Each process has its own memory area and an ID (PID), and processes run in parallel.

ps lists the running processes. With options (for example ps aux) it also shows the processes that are not attached to your terminal.

One command line is called a job. When commands are joined by a pipe, the whole command line is one job and each command in it is a process. Job numbers are unique within each shell, unlike PIDs, which are system-wide.

Ctrl+Z     suspend the current job
jobs       list the shell's jobs
fg %n      bring job n back to the foreground
bg %n      let suspended job n continue in the background
Ctrl+C     force-terminate the running foreground job
kill %n    force-terminate background job n

The kill command can also terminate a process by PID, and that is how it is used in some cases. Originally it is a command that sends a specific signal to a process: SIGTERM by default, which the process may catch to clean up, or SIGKILL (kill -9), which it cannot catch.
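The difference between the two signals, as an added example that is not part of the original article: the background worker is a constructed subshell that sleeps in a loop and traps SIGTERM so it can "clean up" (here, write a marker file) before exiting. Sent SIGTERM it exits with status 0 and the marker exists; sent SIGKILL the kernel ends it at once, wait reports 128+9 = 137, and no cleanup ran.

```shell
#!/bin/sh
# Added example (not from the original article): kill is a signal sender, not
# just a "terminate" button. A worker that traps SIGTERM gets a chance to
# clean up and exit on its own; SIGKILL cannot be trapped and the kernel ends
# the process immediately. The worker is a constructed subshell.
set -eu

# Start a background worker, stop it with the given signal name (TERM, KILL,
# ...), and print "<exit status as seen by wait> <cleaned|not-cleaned>".
stop_worker_with() {
    sig=$1
    marker=$(mktemp); rm -f "$marker"
    (
        # On SIGTERM: write the marker (stand-in for real cleanup) and exit 0.
        trap 'echo bye > "$marker"; exit 0' TERM
        while :; do sleep 1; done
    ) &
    pid=$!                      # PID of the worker; "kill %n" on a job works the same way
    sleep 1                     # give the worker time to install its trap
    kill -s "$sig" "$pid"       # a plain "kill $pid" would send TERM as well
    set +e
    wait "$pid"; status=$?      # 128+signal when the process died from a signal
    set -e
    if [ -f "$marker" ]; then echo "$status cleaned"; else echo "$status not-cleaned"; fi
    rm -f "$marker"
}

echo "TERM: $(stop_worker_with TERM)"
echo "KILL: $(stop_worker_with KILL)"
```

Prefer the default SIGTERM first and reach for kill -9 only when a process ignores it; a daemon killed with SIGKILL never gets to flush files or remove its lock and PID files.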

Input / output

When a command runs, three channels are opened: standard input, standard output and standard error.

Standard I/O can be redirected. cat < file takes its input from the file instead of the keyboard. ls >> a.txt appends the output to the file instead of the screen. ls 2>> a.txt appends only the error output to the file. ls >> a.txt 2>&1 sends both the normal and the error output to the same file; the 2>&1 has to come after the file redirection, because it copies whatever standard output points to at that moment.

Linux provides a special file called /dev/null: used as an input source it is empty, and anything written to it disappears. Handy while testing commands.
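The redirections above, as an added example that is not from the original article. noisy is a constructed stand-in for a command that writes one line to standard output and one to standard error (think of ls over a mix of existing and missing paths); each function shows one form, including the wrong order of 2>&1 that lets the error line escape the file.

```shell
#!/bin/sh
# Added example (not from the original article): the three standard streams,
# why the order of redirections matters, and /dev/null. "noisy" is a
# constructed command that writes one line to stdout and one to stderr.
set -eu

noisy() {
    echo "normal output"
    echo "error output" >&2
}

# Right order: stdout goes to the file first, then stderr is pointed at what
# stdout now points to (the file). Both lines end up in the file.
capture_both() {
    out=$(mktemp)
    noisy > "$out" 2>&1
    cat "$out"; rm -f "$out"
}

# Wrong order: 2>&1 copies stdout's *current* target (the caller's stdout)
# into stderr, and only afterwards is stdout sent to the file. The error line
# escapes; the file holds only the normal line. The subshell's stdout goes to
# /dev/null so the escaped line does not pollute the function's result.
capture_wrong_order() {
    out=$(mktemp)
    ( noisy 2>&1 > "$out" ) > /dev/null
    cat "$out"; rm -f "$out"
}

# Keep only the error stream in a file; throw the normal output away.
only_errors() {
    out=$(mktemp)
    noisy 2> "$out" > /dev/null
    cat "$out"; rm -f "$out"
}

# >> appends instead of overwriting: running noisy twice leaves two lines.
append_twice() {
    out=$(mktemp)
    noisy >> "$out" 2> /dev/null
    noisy >> "$out" 2> /dev/null
    wc -l < "$out" | tr -d ' '; rm -f "$out"
}

# /dev/null as input is an empty file: the reader sees end-of-file at once.
lines_in_dev_null() {
    wc -l < /dev/null | tr -d ' '
}

echo "both:        $(capture_both | tr '\n' '|')"
echo "wrong order: $(capture_wrong_order | tr '\n' '|')"
echo "errors only: $(only_errors)"
echo "appended:    $(append_twice) lines"
echo "/dev/null:   $(lines_in_dev_null) lines"
```

The wrong-order case matters for logging: a cron job written as cmd 2>&1 > log.txt silently mails or drops its errors instead of keeping them in the log.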

Archive and compression

Archiving and compression are separate words on Linux. An archive merely bundles several files into one file. Compression is normally applied after archiving and shrinks that file further.

tar cf b.tar dirA creates an archive (not compressed) called b.tar from dirA; tar tf b.tar lists the contents of b.tar; tar xf b.tar extracts them. Adding z (tar czf / tar xzf) gzips or gunzips in the same step.

gzip a.txt creates a.txt.gz (and removes a.txt); gunzip a.txt.gz restores it. zip/unzip can be installed on Linux with sudo apt-get install zip unzip.
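The tar cf / tf / xf sequence with a gzip step, as an added example (not from the original article), plus the check a practitioner wants before running tar xf on an archive they did not build: list the members first and refuse any absolute path or ".." component, since tar writes wherever the member name points. The sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): archive, compress, and
# inspect before extracting. An archive from an untrusted source should be
# listed with tar tf first and rejected if any member is an absolute path or
# contains a ".." component.
set -eu

# Read member names on stdin; exit 0 if all are safe relative paths, 1 if not.
names_are_safe() {
    awk '
        /^\//                           { bad = 1 }   # absolute path
        /^\.\.(\/|$)/ || /\/\.\.(\/|$)/ { bad = 1 }   # ".." component
        END { exit bad ? 1 : 0 }'
}

archive_is_safe() {
    tar tf "$1" | names_are_safe
}

# Build dirA with two constructed files, archive it with tar cf, gzip it, and
# print the path of the resulting .tar.gz. The caller removes its directory.
make_sample_archive() {
    work=$(mktemp -d)
    mkdir -p "$work/dirA/sub"
    echo "hello" > "$work/dirA/a.txt"
    echo "world" > "$work/dirA/sub/b.txt"
    tar -C "$work" -cf "$work/b.tar" dirA   # archive only, not compressed
    gzip "$work/b.tar"                        # b.tar -> b.tar.gz
    rm -rf "$work/dirA"
    echo "$work/b.tar.gz"
}

# Extract only after the member list passes the check; the z flag does the
# gunzip step inside the same tar command.
safe_extract() {
    archive=$1; dest=$2
    if ! archive_is_safe "$archive"; then
        echo "refusing to extract $archive: unsafe member names" >&2
        return 1
    fi
    tar -C "$dest" -xzf "$archive"
}

a=$(make_sample_archive)
d=$(mktemp -d)
tar tzf "$a"                                  # tf with z: list a gzipped archive
safe_extract "$a" "$d" && echo "extracted into $d"
rm -rf "$(dirname "$a")" "$d"
```

GNU tar strips a leading "/" on extraction by default, but it will still follow "dirA/../../etc/..." style names, which is why the check looks at ".." components and not only at the first character.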

Packages and repositories

A package is a bundle of software. Red Hat uses rpm, Debian uses deb files. On Debian and Ubuntu you install with the apt commands, and dependencies are resolved automatically.

A site that collects and distributes packages is called a repository.

SSH

SSH is an abbreviation of Secure Shell. It is a protocol for talking to remote machines, and it can be used safely because it provides authentication and encryption. Normally TCP port 22 is used.

Set up a server on Linux, Ubuntu

I will use Sakura VPS this time. Reason: I already knew it and it is cheap; I did not make a serious comparison.

According to the official document, security is insufficient with the default settings, so security measures come first, considering the risk of causing trouble for other people. After that, install Apache.

Ubuntu installation

Install Ubuntu 20.04 with the standard installation.

Security

Basic guidelines

The following is what I heard through a mentor referral service and used as the guideline for this article. Its reliability is not fully established, so please point out any errors.

--The key to security is opening and closing ports. Close them tightly. The risk level can be controlled by the kind of port in particular; complicated attacks on the HTTP port are difficult.
--SSH key authentication is incomparably more secure than password authentication. Set it up properly. Businesses and large-scale services go through a bastion (stepping-stone) host when connecting over SSH.
--Root is still dangerous, both for mistakes and for hijacking; basically keep it sealed.
--Apply security patches/updates regularly.
--Additional Linux security software may exist for business use, but it is priced at corporate budget levels, so I do not think about it much.

Update

Things to do regularly: sudo apt update (refresh the package lists), sudo apt upgrade (upgrade the installed packages), sudo reboot (restart after the two, needed when a kernel or core library was updated).

Preparation for general users

The user ubuntu that Sakura VPS prepares by default appears to be a general (non-root) user.

Tera Term, terminal multiplexer

I adopted Tera Term because it seems to be a good SSH client/terminal emulator.

In addition, I prepared a terminal multiplexer, software that manages several terminals. A bit apart from its original purpose, it is useful because the session is kept alive while a command you started keeps running overnight.

Ubuntu Server already ships the well-known terminal multiplexer tmux. Start it with the tmux command. After logging in again, tmux attach returns you to the previous session. Because the session survives an SSH disconnect, do your work inside tmux as much as possible.

Change SSH port number

The default port 22 receives a lot of unauthorized access attempts.

Open /etc/ssh/sshd_config with sudo vi and add Port n below the commented line #Port 22. Restart with sudo systemctl restart sshd (on Ubuntu ssh and sshd name the same service) and confirm with sudo systemctl status sshd. Keep the current session open, confirm that you can log in on the new port from Tera Term, and only then disable the packet filter. Changing the port mainly reduces log noise; it is not a substitute for the key authentication set up below.

ufw settings

Configure the firewall with ufw, a front end for iptables, the Linux kernel's packet filter.

Allow the SSH port first with sudo ufw allow sshPort (replace sshPort with the number chosen above), then enable ufw with sudo ufw enable and confirm it is active with sudo ufw status numbered. Do it in this order: ufw's default policy denies incoming connections, so enabling it before allowing the SSH port locks you out of new sessions.

Private key creation

Start Tera Term and cancel the connection wizard that appears at startup. Setup → SSH KeyGenerator. RSA 2048 seems to be fine, so generate with the defaults. Enter a passphrase, then save the public and private keys and close.

Put the public key into the ubuntu user's home directory, then: mkdir -p ~/.ssh; cat ~/id_rsa.pub >> ~/.ssh/authorized_keys; rm ~/id_rsa.pub. sshd (StrictModes) ignores the key if ~/.ssh or authorized_keys is writable by others, so restrict them to the owner (700 for the directory, 600 for the file).

In sudo vim /etc/ssh/sshd_config, uncomment PubkeyAuthentication yes and set PasswordAuthentication to no, then restart sshd with sudo systemctl restart ssh. Disable password authentication only after confirming, in a second session, that key login works; otherwise you lock yourself out.
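The port change, ufw rules and key-only login above as one script, as an added example that is not from the original article. It writes a drop-in file under /etc/ssh/sshd_config.d/ instead of editing sshd_config by hand; this assumes the Include line Ubuntu 20.04 ships at the top of sshd_config (the script greps for it and stops if it is missing), and because sshd takes the first value it sees for a directive, the drop-in wins over the commented defaults. The port 2222, the user ubuntu and the AllowUsers line are my assumptions, not from the article. The only part that touches the system is apply, which runs as root when the script is called with "apply"; the render and check functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article): the SSH hardening steps as
# one script. Writes a sshd drop-in, validates it with sshd -t, opens the new
# port in ufw *before* restarting sshd, and enables ufw. Run "sh harden-ssh.sh
# apply" as root only after your public key is in ~/.ssh/authorized_keys and
# a second SSH session is open as a fallback.
set -eu

SSH_PORT="${SSH_PORT:-2222}"        # assumed new port (the article writes "n")
ALLOW_USER="${ALLOW_USER:-ubuntu}"  # assumed login user

# Print the drop-in configuration for the given port and user.
render_sshd_dropin() {
    port=$1; user=$2
    cat <<EOF
# managed by harden-ssh.sh (added example)
Port $port
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers $user
EOF
}

# Read a config on stdin; print "ok" if every required directive is present
# with the expected value, otherwise print the first missing one and fail.
check_sshd_dropin() {
    text=$(cat)
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" "PermitRootLogin no"; do
        if ! printf '%s\n' "$text" | grep -qx "$want"; then
            echo "missing: $want"; return 1
        fi
    done
    echo ok
}

# Put a user's ~/.ssh into the state sshd's StrictModes expects.
fix_authorized_keys_perms() {
    home=$1
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

apply() {
    grep -q '^Include /etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config
    dropin=/etc/ssh/sshd_config.d/10-hardening.conf
    render_sshd_dropin "$SSH_PORT" "$ALLOW_USER" > "$dropin"
    check_sshd_dropin < "$dropin"
    fix_authorized_keys_perms "/home/$ALLOW_USER"
    sshd -t                          # refuse to continue on a broken config
    ufw allow "$SSH_PORT/tcp"        # open the new port first ...
    ufw --force enable
    ufw status numbered
    systemctl restart ssh            # ... then move sshd to it
    echo "log in on port $SSH_PORT from a NEW terminal before closing this one"
}

if [ "${1:-}" = apply ]; then apply; fi
```

After the new-port login is confirmed, the rule for port 22 (if you ever added one) can be deleted with sudo ufw delete followed by its number from ufw status numbered.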

WinSCP

SCP (file transfer over SSH) is available in Tera Term, but as written in many places, Tera Term's SCP is the bare minimum. Install WinSCP; files can then be exchanged by drag and drop.

In the initial wizard, create a site entering only the user name, and register the private key under Advanced → SSH → Authentication. A .ppk file is required, so let WinSCP convert the key when prompted. After that you can reach the home directory directly.

Apache

Install Apache with sudo apt install apache2. At this point, once port 80 is open in ufw (see below) and you access the server URL in a browser, Apache's default page is displayed.

Edit the contents of /var/www/html with WinSCP. For the transfer, change the owner of Apache's www directory to yourself with sudo chown -R user /var/www/html (the recursive option is an uppercase -R).

If characters are garbled, first check the charset in the HTML header. Also check the default character encoding in /etc/apache2/conf-available/charset.conf (vim /etc/apache2/conf-available/charset.conf).

Also, what is usually a single httpd.conf is split under /etc/apache2/ on Ubuntu (apache2.conf, sites-available/, conf-available/, mods-available/), so grep that directory recursively to find where a setting lives.

Open the port for Apache with sudo ufw allow 'Apache Full' and check ufw status again. (As an amateur I feel it is risky to leave this to the software's profile, and sudo ufw allow 80/tcp plus sudo ufw allow 443/tcp would be better, but multiple sources did it as above, so this is probably correct.) sudo ufw app info 'Apache Full' shows what the profile opens: exactly 80,443/tcp, so the two ways are equivalent.

SSL

Enable HTTPS with Let's Encrypt. https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04-ja https://weblabo.oscasierra.net/letsencrypt-2/ (the second one is for CentOS). The official site shows various methods, but these two seemed good for now.

Install certbot with its Apache plugin: sudo apt install certbot python3-certbot-apache. Check ServerName and ServerAlias in sudo vim /etc/apache2/sites-available/your_domain.conf; certbot takes the certificate's names from them. Test the syntax with sudo apache2ctl configtest (confirm Syntax OK). Run sudo certbot --apache. It asks for an e-mail address, whether you want the newsletter, which domains to enable (leaving it blank selects all of them), and whether to redirect HTTP to HTTPS (redirecting is a good idea); after that the switch to HTTPS is complete.

If sudo systemctl status certbot.timer shows active and sudo certbot renew --dry-run finishes without errors, automatic renewal should work.

Once finished, the server URL or the registered domain should be reachable over https.
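The Apache and Let's Encrypt steps as one script, as an added example that is not from the original article. render_vhost writes the sites-available file that certbot --apache reads ServerName/ServerAlias from, and vhost_names extracts those names so you can confirm them before requesting a certificate. example.com, /var/www/example.com and the admin@ address are placeholders of mine; the certbot flags (--redirect, --agree-tos, -m, --no-eff-email, -d) answer the interactive questions described above. Only apply, run as root with the argument "apply", touches the system.

```shell
#!/bin/sh
# Added example (not from the original article): the Apache + Let's Encrypt
# steps as one script. render_vhost and vhost_names run anywhere; apply runs
# a2ensite, configtest, the ufw profile, certbot and the renewal dry run on
# the server.
set -eu

DOMAIN="${DOMAIN:-example.com}"          # assumed domain
DOCROOT="${DOCROOT:-/var/www/$DOMAIN}"   # assumed document root

# Print an HTTP vhost; certbot --apache adds the HTTPS twin and the redirect.
render_vhost() {
    domain=$1; docroot=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot
    # Files are uploaded as your own user (chown -R above); www-data only
    # needs to read them. -Indexes stops directory listings for folders
    # without an index file.
    <Directory $docroot>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
}

# Print the ServerName and every ServerAlias of a vhost read from stdin, one
# per line: these are the names certbot will put on the certificate.
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { for (i = 2; i <= NF; i++) print $i }'
}

apply() {
    conf="/etc/apache2/sites-available/$DOMAIN.conf"
    mkdir -p "$DOCROOT"
    render_vhost "$DOMAIN" "$DOCROOT" > "$conf"
    echo "certificate names:"; vhost_names < "$conf"
    a2ensite "$DOMAIN.conf"
    apache2ctl configtest                   # must print "Syntax OK"
    systemctl reload apache2
    ufw app info 'Apache Full'              # shows the profile is just 80,443/tcp
    ufw allow 'Apache Full'
    certbot --apache --redirect --agree-tos --no-eff-email -m "admin@$DOMAIN" \
        -d "$DOMAIN" -d "www.$DOMAIN"
    systemctl status certbot.timer --no-pager
    certbot renew --dry-run
}

if [ "${1:-}" = apply ]; then apply; fi
```

Both names passed with -d must already resolve to the server in public DNS, or the HTTP-01 validation that certbot performs fails for that name.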

Conclusion

I would appreciate any corrections. Especially for the latter half I cannot guarantee correctness, so please share your views, particularly to help my study.

I am currently studying web development on Twitter. I will keep at it, so I would appreciate it if you could teach me various things. https://twitter.com/kisihara_c

Key references

--New Linux textbook https://www.sbcr.jp/product/4797380941/ It was a nice book. Thank you very much.
--Shell script: a Linux server started with Ubuntu https://shell-mag.com/portal-linuxserver/
--Until a web application is released on Sakura VPS https://qiita.com/ryo-futebol/items/09fb52e0d204a70895d0
--Sakura Internet official documentation
