In this part of the series we will be conducting the preliminary setup of a virtual private server running the CentOS server operating system.
In the first part of our tutorial series on setting up and optimising a VPS for WordPress we will be going through the steps of setting up a CentOS based server. In this series we will be setting up a virtual private server provided by Digital Ocean (signing up via this link will provide you with $10 worth of free credit). You can use a VPS from any provider for this same tutorial, although be warned that a few things may be a little different for different providers.
Throughout this tutorial we will be using CentOS. The reasons for this include the long support duration of releases and the close relation of CentOS with Red Hat Enterprise, adding even greater security. We also have a little more familiarity with the ins and outs of CentOS than with other operating systems such as Fedora and Ubuntu.
Setting Up a VPS
When greeted with the “Create Droplet” panel we suggest picking a configuration with at least 1GB of RAM, since we need a little overhead to run the Varnish Cache server. When choosing a region we recommend choosing a location close to home for better latency; however, if your site receives a majority of its users from elsewhere, you may wish to choose a location closer to them.
Once the option to choose an OS image is presented we suggest choosing CentOS 6.5. Both 32 bit and 64 bit versions of CentOS are available and truthfully either flavour is fine, although there is very little advantage to using the 64 bit version of CentOS unless you have more than 4GB of RAM.
For this tutorial we will be ignoring setting up an SSH key, as it may lead to a few conflicts and issues for users who connect to their VPS from different operating systems and SSH clients. Ideally, for top notch security it is advisable to use an SSH key rather than a password, as it is much more secure and pretty much impossible to hack. Nonetheless, a lengthy password consisting of various letters, numbers and symbols is still considered to be very secure. To finish up, simply click “Create Droplet” and your VPS will quickly spring into life.
To log in to your VPS you will have received a password from Digital Ocean along with the IP address of your server. To connect to your VPS you will need an SSH client; for Windows I use PuTTY, and on OS X the Terminal application has its own built in SSH client. When you first log in to your VPS you will probably notice that it asks you to change your root password. This is a common security practice. When choosing a new password, make sure that it is complex enough to be reasonably hard to guess and familiar enough that you can remember it. If you do choose to make a note of your password for safe keeping, we recommend using a secure password manager.
Logging in on OS X
Open up a new Terminal window and type the following, replacing your_server’s_ip_address with the IP address that was sent to you via Digital Ocean’s welcome email.
If everything checks out your server should ask you for the root user’s password. Simply copy and paste the password that was sent to you and hit enter. You should now be logged in to your very own VPS.
Logging in on Windows
After you have downloaded PuTTY or have an SSH client of your liking ready, we can log in to our server. To log in to your VPS type root@your_server’s_ip into the host name input, leaving the port as its default 22, and ensure that everything looks more or less similar to the image below.
If everything has worked out correctly you should be presented with an SSH session window which prompts you for the root user’s password. Simply copy and paste (to paste into the PuTTY window you must right-click) the default password you received from Digital Ocean’s welcome email and hit enter. If you have trouble copying and pasting, try entering the password manually. Be aware that CentOS and other Linux distributions do not replace entered characters with asterisks like many other operating systems do – in many cases the password field will appear to be blank.
Securing the Server From Intruders
Any server connected to the internet is at risk of being hacked or compromised. In reality nothing is infallible, but we can make a few changes to ensure that the risk of our server being compromised is as minimal as possible. To do this we will be going through the process of disabling remote root access to the server and setting up a secondary account with sudo privileges.
Adding a New User
The first step we must take to secure our VPS is to make a new user with sudo privileges. To do this type in the command below, changing the username that follows the “adduser” command. Make sure you press enter on completion of each command.
Unfortunately we will not receive any sort of acknowledgement of the command being successful, but alas that is just how Linux is. Now that we have added this new user, we must add them to the sudoers file to give them more or less unlimited access to system commands.
Editing the Sudoers File
This is where it can get a little tricky if you don’t have a great deal of experience working with Linux systems, so if you do get stuck leave a comment below or contact us via the “Get in Touch” page for some advice. The first command we need to enter is:
chmod +w /etc/sudoers
This command makes the sudoers file writeable so that we can edit it and give our new user account sudo privileges. Next enter the following command:
This command opens the sudoers file with Vim, a common file editor used on many Linux distributions. To navigate through a text file using Vim simply use the up and down arrow keys, and to begin editing press the ‘a’ key once. This part can seem a little tricky, although fortunately we only need to edit and add a couple of lines. Find the following lines in the sudoers file as seen below:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
c3po ALL=(ALL) ALL
Simply replace “c3po” with the username you created earlier on in the tutorial, and you should be good to go. Once you have added the above line hit the escape key, type :wq and hit enter. To make the sudoers file unwritable once again, type the command below:
chmod -w /etc/sudoers
Disabling Root SSH Access
We now have a new user account with full sudo privileges; however, the root account is still accessible via SSH, leaving a small but significant security vulnerability. To get around this issue we must edit just one more file, just one more file we swear. Open up the SSH config file:
Navigate to the line that says:
As you’ll probably notice there is a hash symbol (#) in front of this line. This means that this statement is ignored by the server and is viewed simply as a comment. As before, press the ‘a’ key once to enable editing mode and remove the hash symbol before the line, whilst also changing the ‘yes’ to ‘no.’ To finish editing the file press escape, type :wq and hit enter. For these changes to take effect we must restart the SSH service; to do this enter the command below:
service sshd restart
To finish up, type logout into the console and log back in with your new user account to make sure everything is working as it should. To get back into the root account you must type su, after which you will be required to enter the root account’s password.
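The two file edits described above, written as repeatable shell functions with a validation step before each change goes live. This is an added example, not part of the original tutorial; it assumes the SSH directive in question is PermitRootLogin in /etc/ssh/sshd_config and that /etc/sudoers includes the /etc/sudoers.d directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: paths are parameters so each edit can be rehearsed on a copy.

PRL_RE='^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+'

# Force "PermitRootLogin no", whether the directive is commented out,
# set to another value, or absent (sshd uses the first value it reads,
# so a missing directive is added at the top of the file).
disable_root_login() {
    conf="$1"
    tmp=$(mktemp) || return 1
    if grep -Eq "$PRL_RE" "$conf"; then
        sed -E "s/${PRL_RE}.*/PermitRootLogin no/" "$conf" > "$tmp"
    else
        { echo 'PermitRootLogin no'; cat "$conf"; } > "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the value sshd would act on: the first uncommented directive.
effective_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Write the same rule the tutorial adds for "c3po", for any username.
write_sudoers_rule() {
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "unexpected username: $1" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL) ALL\n' "$1" > "$2"
}

# Root-only wrapper for the server itself; defined here, never called.
# Assumes /etc/sudoers ends with "#includedir /etc/sudoers.d".
apply_on_server() {
    user="$1"
    rule=$(mktemp) || return 1
    id "$user" >/dev/null 2>&1 || adduser "$user" || return 1
    passwd "$user" || return 1
    write_sudoers_rule "$user" "$rule" || return 1
    visudo -c -f "$rule" || return 1          # syntax check before install
    install -m 0440 -o root -g root "$rule" "/etc/sudoers.d/$user" || return 1
    rm -f "$rule"
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    disable_root_login /etc/ssh/sshd_config
    # Restart only if sshd accepts the file; otherwise restore the backup.
    if sshd -t; then service sshd restart
    else cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; fi
}
```

On the server, keep the existing root session open after apply_on_server finishes and confirm from a second session that the new user can log in and run sudo before logging out.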
Part 1 of our WordPress web hosting series has now finally come to an end. We hope all of you who have followed this tutorial through have had success, and if you haven’t, comment below so that we can provide you with further advice. In the next instalment of the series we will be going through configuring IPTables and installing services such as Apache, PHP and MySQL ready for a WordPress installation.