Category: Uncategorized

If you start getting tired of typing the same command over and over again, the alias command is for you.
For example if you want to connect to your pi through ssh you have to type

ssh pi@[my_name].duckdns.org

You can shorten this significantly by using the alias command:

alias mypi='ssh pi@[my_name].duckdns.org'

After this, you only have to type

mypi

to connect to your pi over SSH. Like this you can create all kinds of shortcuts.

These commands are active during your session, if you want to make the persistent, you need to add the command to .bashrc

vi ~/.bashrc

With a limited amount of participants we decided to install some web tools to practice the installation.

Paste

We start with paste. The installation instruction can be found at privatebin.info It forwards you to the GitHub page of the project. Since we have installed Apache with PHP7, it seems we are ok with our server.

So we start by downloading the latest version of the the software to you www root (/var/www/html in our case) using:

sudo wget https://github.com/PrivateBin/PrivateBin/archive/refs/tags/1.4.0.tar.gz

Than extract it using tar:

sudo tar xzvf 1.4.0.tar.gz

and rename the directory to something you like (like paste):

sudo mv PrivateBin-1.4.0/ paste/

Now you just need to set the correct access rights to the directory to the webserver user:

sudo chown -R www-data:www-data paste/

You can not go to your browser and open the tool: https://pepopi.duckdns.org/paste

Dokuwiki

Another nice tool to run on your server is Dokuwiki. It is a file based wiki for your documentation needs. Like the paste solution the setup is pretty straight forward. First download the latest version in the www root:

wget https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz

Then extract the file, rename the directory and make the webserver owner of the directory:

tar xzvf dokuwiki-stable.tgz
mv dokuwiki-2020-07-29/ dokuwiki/
sudo chown -R www-data:www-data dokuwiki/

Now you can access the wiki and create your documentation at: https://pepopi.duckdns.org/dokuwiki/

WordPress CMS

Another good to have tool is a CMS for easy website creation. WordPress is a popular option. So let’s use that for this installation.
The start of the installation is pretty similar the the previous two tools. Download the latest version, extract it, move it to the correct directory and set the permissions right:

sudo wget https://wordpress.org/latest.tar.gz
sudo tar xzvf latest.tar.gz
sudo chown -R www-data:www-data wordpress/

After this you need to create a database and a database user to store the website data in.

sudo mysql
# create a user
create user 'wordpress'@'localhost' identified by '<password>';
# create a database
create datebase wordpress;
# Grant the user access to the database
grant all privileges on wordpress.* to 'wordpress'@'localhost';
# Make sure it works
FLUSH PRIVILEGES;

Now you can start the initial setup of wordpress by going to https://pepopi.duckdns.org/wordpress/ and fill in the form.
According to above created settings:
Database: wordpress
Username: wordpress
Password: <password>
Database Host: localhost
Table Prefix: wp_

Then fill in the form on how you want to name the website.

Trouble shooting

PHP Upload limit

After playing around with the WordPress installation we ran into a few issues while trying to upload a theme. This is partly due to the very modest default PHP settings. In the php.ini file enlarge the upload_max_filesize value to 16M:

sudo vi /etc/php/7.3/apache2/php.ini
# safe and restart apache2
sudo systemctl restart apache2

In the recording I ran into an issue due to my reverse proxy. It also had a maximum filesize. After I disabled that in the nginx settings the upload did work.
This is the documentation I kept from that setting:

Fix upload limit for servers behind proxy

Put the following code in /etc/nginx/nginx.conf at the bottom of the http context. Source

http {
    ...
    client_max_body_size 0;
}

FTP upload

To get rid of the FTP upload information put the following line in the wp-config.php file

define('FS_METHOD','direct');

A VPN server is a useful tool to have access to. For example to browse saver on a public hot spot or access services that are geo-restricted.

OpenVPN and Wireguard are a few good options. In this lesson we will start with OpenVPN.

Installing OpenVPN

The easiest way to install OpenVPN on a Raspberry Pi is to run the script mentioned on this website: https://raspberrytips.com/openvpn-raspberry-pi/

wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh -O openvpn-install.sh

And then run it:

sudo bash openvpn-install.sh

You should know you local IP address and when the script asks for you external IP address, please use your duckdns name, so it is automatically updated. For the rest you can keep the defaults.

Once the script is done you have created an .ovpn config which you need to connect to your VPN server. Copy this to you local machine (a simple trick is to use the cat command, copy the output and put it in a text document on you local machine.

Open a port in your firewall

Before you can test your installed VPN server you need to open port 1194 UDP in your firewall. This is similar as discussed earlier with the SSH and web server.

Install OpenVPN client

Ubuntu

Ubuntu has build-in support for OpenVPN. On older version you might need to run the following install to be able to set every up in the GUI.

sudo apt install network-manager-openvpn 

• Open the network settings
• In the VPN section click the + sign
• Pick the ‘Import from file’ section
• Open the .ovpn file
• Connect to the VPN

OSX

• Download and install the client from the official website
• Use the .ovpn file to setup the client
• Connect to your VPN

Windows

• Download and install the client from the official website
• Use the .ovpn file to setup the client.
• Connect to your VPN.

Adding/removing clients

After your initial tests, you might want to add a few more clients, like for you phone, your laptop or a friends device. This can be very easily done by rerunning the script and pick the right option.

sudo ./openvpn-install.sh

Be sure to not send these configs in plane text over the internet. So maybe the next thing we want to do is create our own paste-bin service.

In an earlier lesson we have installed an Apache web server. This is nice for serving static pages, but hardly any website consists only of static pages, so that is where a LAMP server comes in. LAMP is an abbreviation for Linux, Apache, MySQL/MariaDB, PHP/Python/Perl. So, the OS, the web server, the database and the scripting language.

OK, let’s get started: Before installing software, it is good practice to make sure the Pi is up to date:

sudo apt update && sudo apt upgrade -y

Since we already installed Apache2, we can continue with PHP. At the moment of writing version 7.4 is the main version and version 8.1 is out as well. We’ll stick to version 7 for now:

sudo apt install php libapache2-mod-php -y

To check if the installation went well, we create our first php page with the use of the echo command, so no need for an editor this time:

sudo echo "<?php phpinfo ();?>" > /var/www/html/info.php

Now, open your web browser and go to: https://[yourname].duckdns.org/info.php and you should see a large page with a lot of information about your web server.
This information is also interesting for potential hackers, so once you are done with it, it is good practice to remove the file again.

Next step is to install MariaDB, the open source version of MySQL, then we have to restart apache and we’ll secure the database server:

sudo apt install mariadb-server php-mysql -y
sudo systemctl reload apache2
sudo mysql_secure_installation

You will be asked enter current password for root (default is blank): press Enter.
Set root password, type Y and press Enter.
Type in a new password and press Enter. Important: remember this root password. (So put the password in your password manager!)
Re-enter the new password and press Enter.
Type Y and press Enter to Remove anonymous users.
Type Y and press Enter to Disallow root login remotely.
Type Y and press Enter to Remove test database and access to it.
Type Y and press Enter to Reload privilege tables now.
When complete, you will see the message All done! and Thanks for using MariaDB!.

Some basic commands that you will have to use to create a database and grant privileges:

sudo mysql -uroot -p

* create database YOURDATABASENAME;
* GRANT ALL PRIVILEGES ON YOURDATABASENAME.* TO 'root'@'localhost' IDENTIFIED BY 'YOURROOTPASSWORD';
* FLUSH PRIVILEGES;
* EXIT

As a bonus we’ll install phpmyadmin, a web frontend to administer your database:

sudo apt install phpmyadmin -y

Select Apache2 with the cursor keys and press the spacebar to highlight Apache2 > Tab > Enter.

Configure database for phpmyadmin with dbconfig-common? Select ‘No’ > Enter, we have already setup a database above with the MySQL installation.

To access phpmyadmin browse to https://[yourname].duckdns.org/phpmyadmin/ Username: root and [yourpassword]

Source:
https://www.instructables.com/Installing-LAMP-Linux-Apache-MySQL-PHP-on-a-Raspbe/

In the introduction to the course day we talked about the process so far and what would need to be done more to get a full server.
The students came up with the following list:

• Securing SSH (disable password login)
• Securing Apache (installing an SSL certificate)
• Get a real SSL certificate from Let’s Encrypt and automatically update it.
• Install a full web server with PHP and database support
  

The three security related topics will be discussed in this post. The ‘LAMP-installation’ will follow in the next post.

SSH remove password:

Login with SSH to your server, this should not ask for a password, as we have setup public-key authentication.

Use your favorite editor to edit the sshd_config file

sudo vi /etc/ssh/sshd_config

Find the following line:

PasswordAuthentication yes

And change it to:

PasswordAuthentication no

If there is a # at the beginning of that line, remove that #. An # sign comments out a line, so it is not used.

Save the file restart the SSH service using this command:

sudo systemctl restart ssh

Check in a separate terminal if you can still login to the Pi using SSH.
If all went well, you have secured SSH on you Pi.

HTTPS:

To create a secure webserver you need to enable SSL in your webserver software. In this example we use Apache.

First we need to to create a SSL certificate we will use. For this, we create a folder to save these certificates in:

sudo mkdir /etc/apache2/ssl

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

Fill in the form that start, you can also press enter on every option to accept the default, as we will shortly replace these values with the Let’s Encrypt certificates.
Then enable the SSL module using the following command:

sudo a2enmod ssl

Then you need to setup the correct settings in de configuration file and enable the SSL site by creating a symbolic link . We change the two lines relative to SSLCertificate as follow :

SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

sudo nano /etc/apache2/sites-available/default-ssl.conf

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Lastly restart apache servers:

sudo systemctl restart apache2

You can navigate in a browser to your secure website: https://[yourname].duckdns.org

You will notice you get a warning about the certificate we have just created. By default self signed certificates are not considered safe, as the creator of the certificate cannot be verified. To fix that we’ll get to the next part:

LET’S ENCRYPT Certificate
Let’s Encrypt is an organization that allows you to create a valid certificate. It is valid for 3 months, to not have to manually update this every 3 months a script will be enabled to do this for us.

First we need to install a few packages:

sudo apt install certbot python3-certbot-apache

Certbot is looking for a few specific directives in the configuration file, so we make sure they are there: (Make sure to replace [your_domain] in this command!)

sudo vi /etc/apache2/sites-available/[your_domain].conf

and edit the following lines to match your domain name ([yourname].duckdns.org)

...
ServerName your_domain
#ServerAlias www.your_domain ## Optional
...

Test your configuretion and if you get a Syntax OK you can restart Apache2:

sudo apache2ctl configtest

sudo systemctl reload apache2

Now we can generate the actual certificates:

sudo certbot --apache

Fill in the questions asked by the script and let it generate they certificates (Choose 2: Redirect if asked)
Once done you can go to your website to check if it all worked as expected.

The last thing we do is check if the auto renew of the certificate works. I has been setup as a cron job by copying a script to /etc/cron.d when certbot was installed.

Check if the service is available and you can do a dry run:

sudo systemctl status certbot.timer

sudo certbot renew --dry-run

Your apache server is ready foor https access.

Used sources:

• https://linuxhandbook.com/ssh-disable-password-authentication/
• https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
• https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04