I took a note of the information needed to set up a server on Linux (Ubuntu) for myself. In other words, just set up a server on Ubuntu. It's a bit strange configuration because it's for myself, but the first half is the cheat sheet of Linux itself, and the second half is related to the Web server/Apache.
Linux operations are performed in the shell. Shell ≠ OS, shell ≠ kernel. The shell is the UI, which is completely separate from the core kernel.
sh (shell startup) → bash (shell startup) → exit (shell exit) → exit (same as left) → exit (Linux exits when the first bash ends)
echo Hello →Hello
All information on Linux is treated as a file. Drivers are also treated as files.
/ bin Command executable file / dev device file (drivers in windows) / etc Various setting files (windows folder in win) / home Home directory for each user / sbin Executable file for administrator commands / tmp Temporary file directory Some distributions delete important files regularly, so do not put important files. / usr: There are recursive bins, sbins, etc. as this subdirectory where applications are placed. / var Directory of various data
To move the directory, use pwd (display your current location)/cd (move)/ls (file list). cd can be complemented with Tab. If there is no argument, it returns to the home directory. It is convenient to combine ls with pathname expansion (\ * /?). Argument -l: Attribute display, Argument -a: Hidden file display, Argument -F: File type display
mkdir directory creation Since it is a command to create a touch file creation time stamp, it can be used with confidence because it does not overwrite the existing file. rm/rmdir file/directory erase Copy/move cp/mv files recursively with -r for each directory find file can be searched locate Searches from the index, so you can search at high speed. In ubuntu, create with sudo apt-get install mlocate.
Ctl + k cuts to the end of the line, Ctl + u cuts to the beginning of the line Ctl + y is "yank" (paste)
If you lock the screen with Ctl + s, return it with Ctl + q Force termination of command with Ctl + c If the display is strange, use Ctl + l to reset the screen → reset command → log in again.
Tab is a call for input completion, and if there are multiple candidates, many will appear.
You can go back in history with the arrow or Ctl + p or Ctl + n, and you can also search the command history with Ctl + r. When searching for a command: Execute with Enter, go to the command while holding the result with Esc, and abandon the result with Ctrl + g
--help Option to see the help of the command You can search for similar products by adding -k, a command to check how to use the command of the man argument. LANG = C Can be executed in English by prepending each command, and you can see English help.
: q end : w Save file Argument is new file name : q! Exit without saving i Input mode started Esc input mode end
hjkl cursor movement Delete x/J characters/delete line breaks w/b Move word by word 0/$ Move to beginning/end of line gg/G/Number + G Move to first line/Move to last line/Move to any line y/d/p copy/cut/paste u/Ctr + r Undo/Redo
/ Search n for the next search result, N for the previous search result
%/
vimtutor /: help tutorial, help
The file has owner/group/permissions. You can control read, write, and execute permissions. The directory has similar privileges. Note that whether files can be deleted or not depends on the permissions of the directory. You can change it with chmod u/g/o/a, +/-/ =, r/w/x file name.
Superuser ≒ root user can operate any file. Also includes system files. Therefore, basically, it is better to operate the general user and use the superuser with the sudo command etc. only when necessary. To set the authority of the su/sudo command to a general user, operate/etc/sudoers. At that time, a special command is required.
A program that is running on memory is called a process. Each process has an independent memory area and ID and can be executed in parallel.
ps You can check the running process. If you add an option, you can see the process running behind the scenes.
A line of command is called a job. When you connect commands with a pipe, the entire command line becomes a job, and each command becomes a process. The command ID is unique for each shell.
Ctrl + Z job pause jobs List of running jobs fg% job number Job return bg% job number keeps the job running in the background Ctrl + C Force termination of running job kill% job number: Forcibly terminate the background job
The kill command can also kill a process and is used in some cases. * Originally a command that sends a specific signal to a process
When the command is executed, three channels of standard input/standard output/standard error output are opened.
Standard I / O redirection is possible. For example, if cat <file, the file will be entered instead. If you do ls >> a.txt, the file will be output instead. If you set ls 2 >> a.txt, the file will be output instead when an error occurs. If you set ls >> a.txt 2 >> & 1, it will be output to the same file during normal execution and error.
A special file called/dev/null is prepared in linux, and it has the property that it is empty even if it is specified as an input destination, and nothing remains even if it is specified as an output destination. Used during command test.
Archive and compression are separate words on Linux. Just combine the archives into one file. Compression is done after the basic archive, and the file is further shrunk.
tar cf b.tar dirA Create a compressed file called b.tar from dirA tar tf b.tar View the contents of b.tar tar xf b.tar Restore the contents of b.tar.
gzip a.txt Create a.gz gunzip a.gz Unzip zip/unzip Linux can be installed with sudo apt-get install zip unzip etc.
A package is a collection of software. For Redhat, rpm is used, and for Debian, deb files are used. For Debian, install using apt commands. Dependency resolution is selfish.
A site that collects and distributes packages is called a repository.
SSH SSH is an abbreviation for Secure Shell. It is a protocol for communicating with remote machines and can be operated safely because it has authentication and encryption functions. Normally, TCP22 port is used.
I will use Sakura VPS this time. Reason: I knew, only cheap, I didn't make a solid comparison
As per the official document, it seems that security is insufficient if it is the default setting, and security measures are necessary first considering the risk of inconvenience to people. Then put Apache in.
Install Ubuntu 20 with standard installation.
The following is the information I heard from the mentor referral service, which I used as a guide for this article. Please point out because the credibility is incomplete.
--The key to security is opening and closing ports. Closes tightly. Especially, the risk level can be controlled by the type of port, and complicated attacks on HTTP ports are difficult. --SSH key authentication is incomparably more secure than password authentication. Set properly. Business and large-scale services go through stepping stones when connecting to SSH --Root is still dangerous for erroneous operation and hijacking, basically sealed --Apply security patches/updates regularly --Additional Linux security software may exist for business use, but it should be high at the corporate budget level, so I don't think much about it.
Things to do on a regular basis. sudo apt update OS update sudo apt upgrade package update sudo reboot After doing two things, restart with this command
The user ubuntu prepared by default in Sakura VPS official seems to be a general user.
Introduced because teraTerm seems to be good as an SSH client/console emulator.
In addition, we have prepared software called a terminal multiplexer that can manage multiple terminals. Although it is a little different from the original purpose, it is useful because the session is maintained when you enter a command and process it overnight.
ubuntu server already has a well-known terminal multiplexer called tmux. Start with the tmux command. When logging in again, use tmux attach to return to the previous session. Since it lives when SSH is disconnected, try to move it from tmux as much as possible.
Default port 22 seems to have a lot of unauthorized access.
From vi/etc/ssh/sshd_config, add "Port n" under the description #Port 22. sudo systemctl restart Reboot by sshd, Confirmed by sudo systemctl status sshd. After checking if you can log in from the new port with teraterm, cancel the packet filter.
Set with ufw, the interface software of a security tool called iptables.
Enable ufw with sudo ufw enable. Confirm that it is valid with sudo ufw status numbered. Open the ssh port with sudo ufw allow sshPort.
Start teraterm and exit from the connection wizard at the start by canceling. setup → Start the ssh key generator wizard. It seems that RSA2048 is okay, so generate it as it is. Enter your passphrase, save and close your public and private keys.
Insert the public key into the Home directory of ubuntu mkdir -p ~/.ssh cat ~/id_rsa.pub >> ~/.ssh/authorized_keys rm ~/id_rsa.pub
sudo vim /etc/ssh/sshd_config Uncomment PubkeyAuthentication yes Set PasswordAuthentication to no reset ssh with sudo systemctl restart ssh
WinSCP
SCP (file transfer using SSH) can be used with teraterm, but as written in various places, teraterm's SCP is the minimum simple one. Put WinSCP. Can be exchanged by dragging and dropping.
Create a setting by entering only the user name in the initial startup wizard, and register the private key with SSH → Authorization in Advanced. It seems that a .ppk file is required, so create it as it is. After that, you can access the home directory along the way.
Apache
Install apache with sudo apt install apache2. At this point, if you remove ufw and then access the server URL with a browser, the Apache default will be displayed.
Changed the contents of www/html with WinSCP. In addition, when transferring sudo chown -r user Change the owner to yourself as the WWW folder of apache.
If the characters are garbled, check the HTML header for the time being. vim /etc/apache2/conf-available/charset.conf Also check the default character encoding.
Besides, the so-called httpd.conf file is currently distributed in etc/apache2 /, so grep the same setting items collectively.
Open the port for Apache with sudo ufw allow'Apache Full' and check this as well. (I feel that it is dangerous to leave it to the software if it is an amateur's idea, so I think that sudo ufw allow 80/tcp, sudo ufw allow 443/tcp is better, but since it was as above with multiple sources, this is probably correct)
SSL
Turn on SSL with Let's encrypt. https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04-ja https://weblabo.oscasierra.net/letsencrypt-2/ (※CentOS) There are various methods when you look at it officially, but these two seem to be good for the time being.
Use sudo apt install certbot python3-certbot-apache to insert certbot into apache. Check ServerName and ServerAlias from sudo vim /etc/apache2/sites-available/your_domain.conf. Test the syntax with sudo apache2ctl configtest. (Confirm Syntax OK) Execute sudo certbot --apache. When asked about the e-mail address, whether or not the e-mail newsletter is delivered, which domain should be enabled (blank recommended), and whether to redirect to HTTPS (probably a good redirect), HTTPS conversion is complete.
The display of sudo systemctl status certbot.timer is active and If there is no error with sudo certbot renew --dry-run, there should be no problem with automatic update.
You should have https access to the completed, server URL or registered domain.
I would appreciate it if you could point out. Especially in the latter half, we cannot guarantee the correctness, so please give us your opinion especially for studying.
I'm currently studying the web on twitter. I will continue to do so, so I would appreciate it if you could tell me various things. https://twitter.com/kisihara_c
--New Linux textbook https://www.sbcr.jp/product/4797380941/ It was a nice book. Thank you very much. --Shell script Linux server started with Ubuntu https://shell-mag.com/portal-linuxserver/ --Until the web application is released on Sakura VPS https://qiita.com/ryo-futebol/items/09fb52e0d204a70895d0 --Sakura Internet Official Document
Recommended Posts