LAMP setup: Beginning

How to install and configure Linux as a Web server? What are the main steps to go? This post should cover the main configuration steps of LAMP – Linux Apache MySQL PHP server.

1. Which Linux distribution to install?
2. Before installation
3. Partitioning
4. Package selection
5. Set runlevel to 3
6. Turn off needless services
7. Firewall
8. Forbid ssh access for root

1. Which Linux distribution to install?
List of Linux distributions are huge, please see Linux distribution list (after page load, click on Go button). Among that list, there exists several main Linux distributions (streams): RedHat, Debian, Suse, Ubuntu … Choose the one that looks most familiar to you. In my case for Web server, I choose CentOS from RedHat family. CentOS is an Enterprise-class Linux Distribution derived from freely provided sources. It should be stable distribution with minimum bugs and large community. The most important thing is – I have experience with RedHat tools and the way of RedHat system configuration.

2. Before installation
Check if server has redundant components: power supply, RAID, Ethernet adapters … It is good to have at least RAID arrays. Linux will see hardware RAID as one disk that should be partitioned. Depending on number of disks in RAID array, you can create RAID1 (mirroring) or RAID5 (striped disks with parity). In case of 4 disk, it will be wise to take 3 disks and create RAID5 array, and define last disk as a spare disk. In such RAID5 configuration, if one disk fails, RAID controller should automatically reuse spare disk and start content reconstruction. If your server doesn’t have hardware RAID, you have software RAID/LVM option during Linux installation process – but this is more advanced task.

3. Partitioning
Linux installation is easy. Nice graphical interface with built in help and wizards. This could proceed everyone with windowsland installation experience, but be careful with disk partitioning. If you click on “Next” at partitioning step, installer will create default disk partitions which will be generally OK – swap, /boot and / (slash) partition, but in any serious LAMP installation, choose Manually partitioning and create seven partitions. In case of 140GB disk size, partition arrangement can be:

1GB  swap  # mark as primary
1GB  /     # mark as primary
1GB  /tmp  # mark as primary
1GB  /home
8GB  /usr
70GB /var 
58GB /backup

Swap size depends on amount of memory and as I was monitoring server with 4GB of RAM, 1GB of swap is good enough. Web server should not dive deep to swap. If it does, increase RAM memory or reduce running services. In old Linux school, good practise was to create big enough / (slash) partition because of kernel upgrade. /boot was only directory beneath / (slash) partition. As you know, new kernel installation doesn’t overwrite old kernel. Administrator will have to manually delete old kernel. Frequently used partitions are marked as primary to minimize access time. I usually give 1GB to /tmp which is maybe oversized, but in case of database export or unpacking tars it is very handy. /home partition size depends on Web server purpose. If users should exist on the Web server, you will have to dimension size of /home partition with more care. 8GB for /usr partition is enough for LAMP server and it will not be in use more than 50%. After sizing swap, / (slash), /tmp, /home and /usr all remaining free space share between /var and /backup partition. /var partition contains MySQL files, log files, spool mail and Web document root, so in case of 140GB disk space, I give 70GB to /var and 58GB to the /backup (because of arrangement to hold 3 days of database export – one database export is 15GB). Good practise is also to save daily backup of configuration files (whole /etc directory), document root, MySQL dump (export), cron files and /root directory. I call it first backup level. Real backup plan should not stop here. All tars from /backup partition should be placed on backup dedicated server or simply copied with scp to another (physically distant) server.

4. Package selection
After disk partitioning, there come few easy tasks: root password (set strong password), create users, IP address, DNS … and then package selection. Don’t forget to check Web server and database MySQL or PostgreSQL. Web server package contains Apache with PHP module. If needed, FTP server can be also included in installation and that will be all for package LAMP setup. Installer will include all dependencies, so relax and enjoy in Linux installation – coffee time. :)

5. Set runlevel to 3
After installation and first restart, server will probably boot to runlevel 5 – if you have installed GNOME or KDE. Nice graphic interface gdm will wait for users to login. Open /etc/inittab and find line with initdefault. Simply replace number 5 with 3 and save file. After reboot, system will boot to the runlevel 3 (without X server). In older Linux systems, inside inittab you will also find definition of spawn 6 gettys in standard runlevels. You can leave only 2 ttys because server configuration and monitoring will mostly go through ssh.

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
id:3:initdefault:
...
...
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

In FC9, configuration of gettys are handled by /etc/event.d/tty[1-6] so you only have to move tty[3-6] files from /etc/event.d/ directory. In recent Linux systems, open /etc/sysconfig/init file and make the following change:

# before
ACTIVE_CONSOLES=/dev/tty[1-6]

# after
ACTIVE_CONSOLES=/dev/tty[1-2]

6. Turn off needless services
It is good to check which services will be started during booting to runlevel 3. In RedHat family, there is utility chkconfig and in combination with grep, list runlevel 3 services. You will see long list of services and many of them are needless for the LAMP setup.

chkconfig --list | grep 3:on

Minimum and sufficient list of running services for LAMP setup should look like:

> chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

All other services can be turned off by executing “chkconfig <service> off” command:

chkconfig cups off
chkconfig gpm off
...

After turning off needless services and before production launch, reboot server to see if everything works as expected.

7. Firewall
Web server will be probably placed behind DMZ’s firewall, but it is good to protected LAMP server with his own firewall. This firewall should accept HTTP requests from any source and SSH request from intranet side only (in example from one IP address). All other types of connections will be forbidden. You can use system-config-securitylevel utility to create /etc/sysconfig/iptables file

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 123.123.123.123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

… or you can open file /etc/sysconfig/iptables and copy/paste this iptables configuration.

8. Forbid ssh access for root
Before production, create at least one user without any administration rights – normal user with strong password (if you didn’t in step 4.).

useradd <username>

In /etc/ssh/sshd_config find option PermitRootLogin and write it to:

PermitRootLogin no

Restart sshd and root will no longer be able to access LAMP server through ssh – that’s why additional user exists. To obtain administrator rights, execute “su -” (substitute user) command.

After finishing all this steps, LAMP server should be secured with minimum running services, firewall and disabled root ssh access. Now it’s time for Apache and PHP configuration …