FSND-P5-Linux-Server-Configuration
IP, SSH port of my Server
- IP: 52.36.32.89
- SSH port: 2200
- login via
$ ssh -i ~/.ssh/grader.rsa grader@52.36.32.89 -p 2200
1 & 2 - Create Development Environment: Launch Virtual Machine and SSH into the server
- Create new development environment.
- Download private keys and write down your public IP address.
- Move the private key file into the folder ~/.ssh:
$ mv ~/Downloads/udacity_key.rsa ~/.ssh/
- Set file permissions (only the owner can read and write):
$ chmod 600 ~/.ssh/udacity_key.rsa
- SSH into the instance:
$ ssh -i ~/.ssh/udacity_key.rsa [email protected]
3 & 4 - User Management: Create new user grader and give permission to sudo
- Create a new user:
$ adduser grader
- Give new user the permission to sudo
- Open the sudo configuration:
$ visudo
- Add the following line below root ALL...:
grader ALL=(ALL:ALL) ALL
5 - Update and upgrade all currently installed packages
- Update the list of available packages and versions:
$ sudo apt-get update
- Install newer versions of the packages you have:
$ sudo apt-get upgrade
- Include cron scripts to automatically manage package updates
- Install the unattended-upgrades package:
$ sudo apt-get install unattended-upgrades
- Enable the unattended-upgrades package:
$ sudo dpkg-reconfigure -plow unattended-upgrades
6 - Change the SSH port from 22 to 2200 and configure SSH access
- Change ssh config file:
- Open the config file:
$ vim /etc/ssh/sshd_config
- Change Port 22 to Port 2200.
- Change PermitRootLogin from without-password to no.
- Temporarily change PasswordAuthentication from no to yes.
- Append UseDNS no.
- Append AllowUsers grader.
- Restart SSH service:
$ service ssh restart
- Generate an SSH key pair on the local machine:
$ ssh-keygen
- Copy the public id to the server:
$ ssh-copy-id grader@52.36.32.89 -p 2200
- Login with the new user:
$ ssh -v grader@52.36.32.89 -p 2200
- Open SSHD config:
$ sudo vim /etc/ssh/sshd_config
- Change PasswordAuthentication back from yes to no.
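As an added check for this step (example code written for this page, not from the walkthrough or from OpenSSH), the script below parses an sshd_config and reports which of the settings above are missing or wrong. It applies sshd's own first-value-wins rule and ignores anything after a Match line; the two sample configs inside it are constructed.

```python
"""Audit an sshd_config for the settings step 6 asks for.

Added example, not part of the original walkthrough. Like sshd itself it
takes the FIRST value given for each keyword, so a stray line further down
the file cannot silently override a hardening line, and it stops at the
first Match block, whose settings only apply conditionally. The two sample
configs are constructed for the example.
"""
import re
import sys

# Target state after step 6 (sshd keywords are case-insensitive).
EXPECTED = {
    "port": "2200",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "usedns": "no",
    "allowusers": "grader",
}

# Constructed sample: roughly what the file looks like before the changes.
BEFORE = """\
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed sample: the same file after step 6 is finished.
AFTER = """\
Port 2200
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
UseDNS no
AllowUsers grader
"""


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' as well as 'Keyword=value'
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything below is conditional; the global audit stops here
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the config matches."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, want in expected.items():
        got = settings.get(keyword)
        if got is None:
            findings.append("%s not set (sshd default applies), want %s" % (keyword, want))
        elif got.lower() != want.lower():
            findings.append("%s is %s, want %s" % (keyword, got, want))
    return findings


if __name__ == "__main__":
    # Usage: sudo python audit_sshd.py /etc/ssh/sshd_config
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as handle:
        problems = audit_sshd_config(handle.read())
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it against the live file after the service restart; a non-zero exit means something still differs from the target state. Checking the file is not quite the same as checking the running daemon, so where it is available, sshd -T (which prints the effective configuration) is the stronger confirmation.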
7 - Configure the Uncomplicated Firewall (UFW) to only allow incoming connections for SSH (port 2200), HTTP (port 80), and NTP (port 123)
- Check firewall status
$ sudo ufw status
- Allow incoming TCP packets on port 2200 (SSH):
$ sudo ufw allow 2200/tcp
- Allow incoming TCP packets on port 80 (HTTP):
$ sudo ufw allow 80/tcp
- Allow incoming UDP packets on port 123 (NTP):
$ sudo ufw allow 123/udp
- Enable firewall
$ sudo ufw enable
7.2 - Configure Firewall to monitor for repeated unsuccessful login attempts and ban attackers
- Install Fail2ban:
$ sudo apt-get install fail2ban
- Copy the default config file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Check and change the default parameters:
- Open the local config file:
$ sudo vim /etc/fail2ban/jail.local
- Set the following parameters:
bantime = 1800
destemail = YOURNAME@DOMAIN
action = %(action_mwl)s
- Under [ssh], change port = 2200
- Install needed software for our configuration:
$ sudo apt-get install sendmail iptables-persistent
- Stop the service:
$ sudo service fail2ban stop
- Start it again:
$ sudo service fail2ban start
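To make concrete what the fail2ban jail configured above does with the SSH log, here is an added example (written for this page; not the walkthrough's and not fail2ban's code) that replays a constructed auth.log excerpt through a sliding-window counter. The maxretry and findtime values are assumed for the example; bantime = 1800 is the value set above.

```python
"""Replay sshd log lines through a fail2ban-style counter.

Added example, not part of the original walkthrough and not fail2ban's own
code. It shows what the [ssh] jail does with the log: count failed logins
per source address inside a sliding findtime window and ban a source once
it reaches maxretry. The log lines, the TEST-NET addresses in them and the
maxretry/findtime values are constructed for the example; the walkthrough
itself only sets bantime = 1800.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The sshd failure lines fail2ban's sshd filter also matches.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed /var/log/auth.log excerpt: one bursting scanner, one legitimate
# user who mistypes a password now and then.
SAMPLE_LOG = [
    "Jan 10 12:00:01 server sshd[2100]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:04 server sshd[2101]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Jan 10 12:00:09 server sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2",
    "Jan 10 12:05:00 server sshd[2110]: Accepted publickey for grader from 198.51.100.7 port 40000 ssh2",
    "Jan 10 12:06:00 server sshd[2111]: Failed password for grader from 198.51.100.7 port 40010 ssh2",
    "Jan 10 12:30:00 server sshd[2120]: Failed password for grader from 198.51.100.7 port 40020 ssh2",
    "Jan 10 12:41:00 server sshd[2121]: Failed password for grader from 198.51.100.7 port 40030 ssh2",
]


def parse_failure(line, year=2016):
    """Return (timestamp, source ip) for a failed-login line, else None.

    Syslog timestamps carry no year, so one is supplied (assumed here).
    """
    match = FAILED_RE.match(line)
    if not match:
        return None
    stamp = datetime.strptime("%d %s" % (year, match.group("ts")), "%Y %b %d %H:%M:%S")
    return stamp, match.group("ip")


def find_bans(lines, maxretry=3, findtime=600, bantime=1800):
    """Return {ip: (ban_start, ban_end)} for sources hitting maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        stamp, ip = parsed
        if ip in bans:
            continue  # fail2ban stops counting once the address is banned
        history = recent[ip]
        history.append(stamp)
        while history and stamp - history[0] > window:
            history.popleft()  # failures older than findtime no longer count
        if len(history) >= maxretry:
            bans[ip] = (stamp, stamp + timedelta(seconds=bantime))
    return bans


if __name__ == "__main__":
    for ip, (start, end) in sorted(find_bans(SAMPLE_LOG).items()):
        print("ban %s from %s until %s" % (ip, start.time(), end.time()))
```

The legitimate user in the sample fails three times over 35 minutes and is never banned, while the scanner's three failures within ten seconds trigger a ban; that balance is what bantime, findtime and maxretry tune. With port = 2200 set under [ssh] the iptables action blocks the right port, and sudo fail2ban-client status ssh shows the live counts and banned addresses.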
8 - Configure the local timezone to UTC
- Open the timezone selection dialog:
$ sudo dpkg-reconfigure tzdata
- Then choose 'None of the above', then UTC.
9 - Install and configure Apache to serve a Python mod_wsgi application
- Install Apache web server:
$ sudo apt-get install apache2
- Open a browser and open your public ip address, e.g. http://52.25.0.41/ - It should say 'It works!' on the top of the page.
- Install mod_wsgi for serving Python apps from Apache and the helper package python-setuptools:
$ sudo apt-get install python-setuptools libapache2-mod-wsgi
- Restart the Apache server for mod_wsgi to load:
$ sudo service apache2 restart
- Get rid of the message "Could not reliably determine the server's fully qualified domain name" after restart
- Create an empty Apache config file with the hostname:
$ echo "ServerName HOSTNAME" | sudo tee /etc/apache2/conf-available/fqdn.conf
- Enable the new config file:
$ sudo a2enconf fqdn
11 - Install git, clone and setup your Catalog App project
11.1 - Install and configure git
- Install Git:
$ sudo apt-get install git
- Set your name, e.g. for the commits:
$ git config --global user.name "liuderchi"
- Set up your email address to connect your commits to your account:
$ git config --global user.email "[email protected]"
11.2 - Setup for deploying a Flask Application on Ubuntu VPS
- Extend Python with additional packages that enable Apache to serve Flask applications:
$ sudo apt-get install libapache2-mod-wsgi python-dev
- Enable mod_wsgi (if not already enabled):
$ sudo a2enmod wsgi
- Create a Flask app:
- Move to the www directory:
$ cd /var/www
- Set up a directory for the app, e.g. catalog:
1. $ sudo mkdir catalog
2. $ cd catalog and $ sudo mkdir catalog
3. Create the file that will contain the Flask application logic (inside the inner catalog directory, /var/www/catalog/catalog/): $ sudo nano __init__.py
- NOTE: the file name must be __init__.py
4. Paste in the following code:
from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    return "Message From Flask!"


if __name__ == "__main__":
    app.run()  # must be in the main block
- Install Required Packages
- Install pip installer:
$ sudo apt-get install python-pip
- Install required packages:
$ sudo apt-get -qqy install postgresql python-psycopg2
$ sudo apt-get -qqy install python-sqlalchemy
$ sudo pip install Flask==0.9
$ sudo pip install oauth2client==1.5.2
$ sudo pip install requests
$ sudo pip install httplib2
- Configure and Enable a New Virtual Host
- Create a virtual host config file:
$ sudo nano /etc/apache2/sites-available/catalog.conf
- Paste in the following lines of code and change names and addresses according to your application:
<VirtualHost *:80>
ServerName 52.36.32.89
ServerAdmin [email protected]
WSGIScriptAlias / /var/www/catalog/catalog.wsgi
<Directory /var/www/catalog/catalog/>
Order allow,deny
Allow from all
</Directory>
Alias /static /var/www/catalog/catalog/static
<Directory /var/www/catalog/catalog/static/>
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
- Enable the virtual host:
$ sudo a2ensite catalog
- Create the .wsgi File and Restart Apache
- Create wsgi file:
$ cd /var/www/catalog
$ sudo vim catalog.wsgi
- Paste in the following lines of code:
#!/usr/bin/python
import sys
import logging
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0,"/var/www/catalog/")
from catalog import app as application
- Restart Apache:
$ sudo service apache2 restart
11.3 - Clone GitHub repository and make it web inaccessible
- Clone project 3 solution repository on GitHub:
$ git clone https://github.com/liuderchi/fsnd_p3_travel_catalog.git
- Move all content of the created FSND-P3_Music-Catalog-Web-App directory to /var/www/catalog/catalog/ and delete the leftover empty directory.
- Make the .git directory inaccessible from the web:
- Create and open the .htaccess file:
$ cd /var/www/catalog/
$ sudo vim .htaccess
- Paste in the following:
RedirectMatch 404 /\.git
- Note that Apache only reads .htaccess files where AllowOverride permits it, and Ubuntu's default apache2.conf sets AllowOverride None for /var/www/; if the rule has no effect, put the same RedirectMatch line inside the <VirtualHost> block of catalog.conf instead and restart Apache. Verify with $ curl -I http://52.36.32.89/.git/HEAD, which should return 404.
10 - Install and configure PostgreSQL
- Install PostgreSQL:
$ sudo apt-get install postgresql postgresql-contrib
- Check that no remote connections are allowed (default):
$ sudo vim /etc/postgresql/9.3/main/pg_hba.conf
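Added example for the check above (written for this page, not from the walkthrough or from PostgreSQL): a parser for pg_hba.conf that lists every rule which would accept a connection from anywhere other than the server itself. The two sample files are constructed; the first mirrors the rule layout of a stock Ubuntu install.

```python
"""Check pg_hba.conf for rules that would admit a remote client.

Added example, not part of the original walkthrough. The walkthrough only
says to look at the file; this does the look programmatically, using the
rule that Unix-socket ('local') entries and host entries bound to loopback
are fine, while anything else is a finding. The sample configs are
constructed for the example.
"""
import ipaddress

# Constructed: the stock Ubuntu pg_hba.conf, stripped to the active rules.
DEFAULT_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
"""

# Constructed: the same file after someone opened it up to the outside.
OPENED_PG_HBA = DEFAULT_PG_HBA + """\
host    all             all             0.0.0.0/0               md5
host    catalog         catalog         203.0.113.0/24          trust
"""

KEYWORD_ADDRESSES = ("all", "samehost", "samenet")


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples; address is None for 'local' rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # local DATABASE USER METHOD [OPTIONS]
            rules.append(("local", fields[1], fields[2], None, fields[3]))
        elif fields[0] in ("host", "hostssl", "hostnossl"):
            # host DATABASE USER ADDRESS METHOD: ADDRESS is CIDR, a keyword, a
            # hostname, or an IP followed by a separate netmask field
            addr = fields[3]
            if "/" in addr or addr in KEYWORD_ADDRESSES or not fields[4][0].isdigit():
                address, method = addr, fields[4]
            else:
                address, method = "%s/%s" % (addr, fields[4]), fields[5]
            rules.append((fields[0], fields[1], fields[2], address, method))
    return rules


def remote_access_findings(text):
    """Return descriptions of rules that accept connections from other than the server itself."""
    findings = []
    for kind, database, user, address, method in parse_pg_hba(text):
        if kind == "local" or address == "samehost":
            continue  # Unix socket, or explicitly the server's own addresses
        rule = "%s %s %s %s %s" % (kind, database, user, address, method)
        if address in KEYWORD_ADDRESSES:
            findings.append(rule + ": matches non-local clients")
            continue
        try:
            network = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append(rule + ": hostname rule, treated as remote")
            continue
        if not network.is_loopback:
            findings.append(rule + ": remote network")
    return findings


if __name__ == "__main__":
    # Usage: sudo python check_pg_hba.py (reads the 9.3 path used in the walkthrough)
    with open("/etc/postgresql/9.3/main/pg_hba.conf") as handle:
        for finding in remote_access_findings(handle.read()):
            print(finding)
```

An empty result means only Unix-socket and loopback rules are active, which is all the application needs since it connects to localhost. The companion setting is listen_addresses in postgresql.conf, which defaults to 'localhost'; together with the UFW rules above, which allow nothing on 5432, remote access to the database stays closed.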
- Open the database setup file:
$ sudo vim database_setup.py
- Change the line starting with "engine" to (fill in a password):
engine = create_engine('postgresql://catalog:mypassword@localhost/catalog')
- Change the same line in application.py respectively
- Rename application.py:
$ mv application.py __init__.py
- Create the needed Linux user for psql:
$ sudo adduser catalog
(choose a password)
- Change to the default user postgres:
$ sudo -u postgres -i
- Connect to the system:
$ psql
- Create the PostgreSQL user catalog with LOGIN role and set a password:
# CREATE USER catalog WITH PASSWORD 'mypassword';
(# stands for the command prompt in psql)
- Allow the user to create databases:
# ALTER USER catalog CREATEDB;
- List current roles and their attributes:
# \du
- Create database:
# CREATE DATABASE catalog WITH OWNER catalog;
- Connect to the database catalog
# \c catalog
- Revoke all rights:
# REVOKE ALL ON SCHEMA public FROM public;
- Grant only access to the catalog role:
# GRANT ALL ON SCHEMA public TO catalog;
- Exit out of PostgreSQL and the postgres user:
# \q
$ exit
- Create postgreSQL database schema: $ python database_setup.py
11.5 - Run application
- Restart Apache:
$ sudo service apache2 restart
- Open a browser and enter your public IP address as the URL, e.g. 52.25.0.41; if everything works, the application should come up
- If getting an internal server error, check the Apache error files:
- View the last 20 lines in the error log:
$ sudo tail -20 /var/log/apache2/error.log
- If a file like 'g_client_secrets.json' could not be found, add os.chdir() before open() (under mod_wsgi the working directory is not the application directory, so a relative file name does not resolve there)
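As an added illustration of the os.chdir() fix (example code written for this page, not from the walkthrough or from the catalog app), the snippet below reproduces the failure and then resolves the file against the module's own directory instead of changing the process working directory. The app_path and load_client_id names and the sample client_secret.json contents are constructed for the example.

```python
"""Open a data file next to the application module rather than in the process's working directory.

Added example, not part of the original walkthrough. Under mod_wsgi the
current working directory is not the application directory, which is why
open('client_secret.json') fails even though the file is in place. The
walkthrough's fix is an os.chdir() before the open(); the variant shown here
builds the path from the module's own location instead, so the result does
not depend on (or change) process-wide state. The sample secrets file and
its contents are constructed for the example.
"""
import json
import os
import tempfile


def app_path(filename, app_dir=None):
    """Return an absolute path for filename inside the application directory.

    app_dir defaults to the directory holding this module, which in the
    deployed app is the walkthrough's /var/www/catalog/catalog/.
    """
    if app_dir is None:
        app_dir = os.path.dirname(os.path.abspath(__file__))
    return os.path.join(app_dir, filename)


def load_client_id(filename="client_secret.json", app_dir=None):
    """Read the Google client id the way the app needs it at login time."""
    with open(app_path(filename, app_dir)) as handle:
        return json.load(handle)["web"]["client_id"]


def demo():
    """Recreate the failure from the walkthrough and show the fix working.

    Returns (naive_open_worked, client_id_via_app_path).
    """
    app_dir = tempfile.mkdtemp()
    # Constructed sample; not a real client id or secret.
    sample = {"web": {"client_id": "EXAMPLE-ID.apps.googleusercontent.com",
                      "client_secret": "EXAMPLE-SECRET"}}
    with open(os.path.join(app_dir, "client_secret.json"), "w") as handle:
        json.dump(sample, handle)

    original_cwd = os.getcwd()
    os.chdir(tempfile.mkdtemp())  # a fresh directory that is not the app directory, like mod_wsgi's cwd
    try:
        try:
            with open("client_secret.json"):  # the relative open the app originally did
                naive_ok = True
        except (IOError, OSError):
            naive_ok = False
        client_id = load_client_id(app_dir=app_dir)  # resolved against the app directory
    finally:
        os.chdir(original_cwd)
    return naive_ok, client_id


if __name__ == "__main__":
    print(demo())
```

Resolving against __file__ is preferable to os.chdir() in a mod_wsgi process, where several threads share one working directory, and it keeps the secrets file under /var/www/catalog/catalog/ rather than wherever Apache happens to be running from.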
11.6 - Get OAuth-Logins Working
- Open http://www.hcidata.info/host2ip.cgi to look up the host name for your public IP address, e.g. for 52.25.0.41 it is ec2-52-25-0-41.us-west-2.compute.amazonaws.com
- Open the Apache configuration files for the web app:
$ sudo vim /etc/apache2/sites-available/catalog.conf
- Paste in the following line below ServerAdmin (e.g. ServerAlias ec2-52-25-0-41.us-west-2.compute.amazonaws.com):
ServerAlias HOSTNAME
- Enable the virtual host:
$ sudo a2ensite catalog
- To get the Google+ authorization working:
- Go to the project on the Developer Console: https://console.developers.google.com/project
- Navigate to APIs & auth > Credentials > Edit Settings
- Add your host name and public IP address to Authorized JavaScript origins, e.g. http://52.36.32.89
- Add your host name and public IP address + /oauth2callback to Authorized redirect URIs, e.g. http://ec2-52-36-32-89.us-west-2.compute.amazonaws.com/oauth2callback
- Download the latest credentials JSON file and update the content of the old client_secret.json in the catalog directory
List of 3rd Party Resources, and Special Thanks
Thanks to stueken for preparing such a detailed walkthrough of project 5.
Most of the 3rd party resources come from his walkthrough.