@codeasashu
Last active February 11, 2017 05:51
LAMP installation instructions on Amazon AMI
#!/bin/bash
## You may also want to add new users and give them only FTP access.
## Let's start by installing a popular FTP server: vsftpd
sudo yum install vsftpd
## We will be modifying the vsftpd configuration, so let's be smart and take a backup first.
## (On yum-based systems such as the Amazon AMI the file lives at /etc/vsftpd/vsftpd.conf;
## Debian/Ubuntu use /etc/vsftpd.conf.)
sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
## You will need the public IP address of your instance. Note it down from the AWS console.
## Now edit the vsftpd config:
## $ sudo vim /etc/vsftpd/vsftpd.conf
## The main things to change are
## anonymous_enable=NO
## listen=YES
## write_enable=YES
## chroot_local_user=YES
## also, comment out this line: chroot_list_enable=YES
## I know I haven't added passive mode settings; have patience.
## After making the changes, restart vsftpd
sudo /etc/init.d/vsftpd restart
## Now that the FTP server is set up, verify that you can log in using your SSH credentials. Add your .pem file
## (provided by AWS) in the SFTP settings of FileZilla, then use the following settings to connect:
## Host: <your-ami-public-ip-address>
## Port: 22 (or select SFTP)
## User: ec2-user (or whatever username you have on the AMI)
## Now hit "Connect" and you should land in your home directory.
## Let's create a new user who will have access via FTP.
## I am naming my new user "dev" (of course without the quotes).
## But let's become root first, so we don't have to sudo around all the time.
sudo su -
useradd dev
## Let's generate a keypair for this user.
## This creates two files, devkey and devkey.pub, in root's home directory (the -f path is taken literally,
## so give it explicitly instead of relying on the current directory).
ssh-keygen -b 2048 -t rsa -f ~/devkey -C dev
cat ~/devkey.pub
## and copy the output from the terminal. You can also use any clipboard utility to copy the contents.
## Let's be dev for a while
sudo su - dev
## dev doesn't have a .ssh directory in his home directory yet. Let's create one. Don't use sudo.
mkdir .ssh && cd .ssh
## vim authorized_keys (again without sudo) and paste the content you copied above into it. Save with :wq
## The files we created don't have the right permissions yet. Let's fix that (sshd refuses to use a
## .ssh directory or authorized_keys file that is group- or world-writable).
chmod 0700 ~/.ssh; chmod 0600 ~/.ssh/authorized_keys
## Now dev's SSH access is good. Let's switch back to root
exit ## log out of dev and we are root again
## Let's hand the private key to the dev user.
cp ~/devkey ~/devkey.pem
## Hand devkey.pem over to the dev user. Now ask dev to log in by adding this pem file in the SFTP settings
## (the way we did it for ourselves at the start of this script). The settings will now be
## Host: <your-ami-public-ip-address>
## Port: 22 (or select SFTP)
## User: dev
## Add the dev user to "www" so he is also able to edit/add/delete /var/www contents
sudo usermod -aG www dev
## Now dev can log in over SFTP and go to /var/www/ by typing it in the address bar. He can now edit/add files.
## Happy Hacking!!!
#!/bin/bash
# Commands may vary between CentOS and Ubuntu variants
## Step 1: Update the package manager
## sudo apt-get update for Ubuntu
sudo yum update -y
## Step 2: Install PHP, MySQL, Apache
## sudo apt-get install php5.6 apache2 php5.6-mysql mysql-server
## For Debian, you may have to add the php5.6 PPA
sudo yum install -y httpd24 php56 mysql55-server php56-mysqlnd
## Step 3: Start the HTTP server (Apache)
## sudo service apache2 start (on Debian)
sudo service httpd start
## Step 4: Set file permissions so you can simply allow new users to edit files while keeping www-data permissions
## Tested only on CentOS; still have to test this on Debian
## Step 4.1 - Add the 'www' group
sudo groupadd www
## Step 4.2 - Add the current user to the www group
## sudo usermod -aG www ubuntu (for Debian)
sudo usermod -a -G www ec2-user
## NOTE: you have to log out and log back in for the new group membership to take effect.
## Type exit to log out, ssh back in and run $ groups to see if www is listed (groups lists the groups the
## current user is in; don't prefix it with sudo or you will be shown root's groups instead).
## To see the groups of any other user, run $ groups username
## Step 4.3 - Change the group ownership of the /var/www dir to the www group
sudo chown -R root:www /var/www
## Step 4.4 - Change the permissions of /var/www (2775: group writable, setgid so new files inherit the www group)
sudo chmod 2775 /var/www
find /var/www -type d -exec sudo chmod 2775 {} \; # Dir permissions
find /var/www -type f -exec sudo chmod 0664 {} \; # File permissions
## At this point, the currently logged in user can edit/add/delete files in /var/www
## Let's fast forward to the final step: phpMyAdmin installation
## But first, we would like to secure MySQL. Let's do that
sudo service mysqld start # start mysql so we can modify its settings
## You will be asked lots of questions such as changing the root password etc. Just press Y to all if
## this is your first time and you are lazy af.
sudo mysql_secure_installation
## Great, MySQL is now secured, let's restart it
sudo service mysqld restart
## Install phpMyAdmin
## sudo apt-get install phpmyadmin php-mbstring php-gettext (Debian)
## (For CentOS based distros, we need to enable the EPEL repo to get this package)
sudo yum-config-manager --enable epel
sudo yum install -y phpMyAdmin
## On CentOS, phpMyAdmin is generally configured so that only listed IP addresses may access it;
## from any other address you get a 403 error. Hence, let's add our IP address to the phpMyAdmin configuration.
## Use a service such as www.whatismyip.com to find your public IP address
## sudo vim /etc/httpd/conf.d/phpMyAdmin.conf
## You will see a <RequireAny> directive with two lines such as 'Require ip 127.0.0.1'. Add your public IP address
## below that line in the same format. So it will look like:
## <RequireAny>
##   Require ip 127.0.0.1
##   Require ip 125.xxx.xxx.xxx
##   Require ip ::1
## </RequireAny>
##
## After editing the file, press :wq to write the changes and quit
## Let's restart our server once and for all and we are ready to launch in the cloud
## sudo service apache2 restart (Debian)
sudo service httpd restart
## SideNote: to make a service start automatically at boot (so httpd and mysqld come back after a reboot), use:
## sudo chkconfig <servicename> on
## For example, for the MySQL daemon (mysqld) we do: $ sudo chkconfig mysqld on
## Happy Hacking!!
## This file describes how to allow phpMyAdmin access from any IP address.
## Just so you know, phpMyAdmin by default only allows access from the IPs listed in its config file (this is the
## default behaviour on the Amazon AMI). Use this config file to update the phpMyAdmin conf and allow any IP.
## The default is a pain in the ass when you have a dynamic IP (although allowing any IP is the less secure solution). So, here you go.
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   AddDefaultCharset UTF-8

   <IfModule mod_authz_core.c>
     # Apache 2.4: "Require all granted" is what opens this up to any client;
     # the Order/Allow lines are 2.2-style directives honoured via mod_access_compat
     Order Allow,Deny
     Allow from All
     Require all granted
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2 (left at the localhost-only default)
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/lib/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

<Directory /usr/share/phpMyAdmin/setup/frames/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <Directory /usr/share/phpMyAdmin/>
#        SecRuleInheritance Off
#    </Directory>
#</IfModule>

This file explains how to configure the /var/www/ dir. So, here is the plan. Let's say we have 3 developers working in a company:

  1. Alice
  2. Bob
  3. Mac

Our main site is at http://example.com. Each dev will work in their own environment:

  1. Alice => alice.example.com
  2. Bob => bob.example.com
  3. Mac => mac.example.com

# Directory Structure

Assuming we set up each dev's directory like this:

/var/www
    /example.com #Main serving site
    /alice.example.com
    /bob.example.com
    /mac.example.com

We have the following requirements:

  1. Alice should not be able to enter Bob's and Mac's directories, and Bob not Alice's and Mac's. Each user is confined to their own dev directory and their home directory.

  2. The apache process should be able to access all the directories within /var/www.

  3. Users can read and write in their dev directories; apache can read and execute files and directories, and can write in defined directories such as uploads.

# Process

  1. Add all three users (same for bob and mac):

useradd alice

  2. Create a group for each user (on most distros useradd already creates a same-named group; if groupadd reports that it exists, skip this step):

groupadd alice

  3. Add each user to their own group:

usermod -aG alice alice

  4. Add the apache user (the default user for Apache) to each user's group

note: use ps aux | grep httpd (or apache2) to find the user Apache runs as

usermod -aG alice apache

Now, execute the following commands to give alice her permissions:

sudo chown -R alice:apache /var/www/alice.example.com
sudo find /var/www/alice.example.com -type d -exec chmod 2750 {} +
sudo find /var/www/alice.example.com -type f -exec chmod 0750 {} +

Directories get 2750: alice has full access, the apache group can read and traverse, everyone else is kept out, and the setgid bit makes new files inherit the apache group. Files get 0750 for the same owner/group split.

To make a directory writable by apache (the server), run the following command:

`sudo chmod -R 775 /var/www/alice.example.com/uploads`

Finally, you should get the following output for ls -al /var/www/alice.example.com:

drwxr-s--- 21 alice apache 4096 Feb 11 02:48 .           (for directories)
-rwxr-x---  1 alice apache 4518 Dec 30 11:24 README.txt  (for files)
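The permission scheme from the Process section, as an added example (not part of the gist): one function applies the 2750/0750 modes (plus the 775 uploads/ exception) to a site directory, and an audit function reports any path that breaks the three requirements. It assumes bash and GNU coreutils `stat`; `chown alice:apache` needs root, so ownership is only applied when an owner argument is given and the mode logic can be exercised on a scratch tree.

```bash
#!/bin/bash
# Added example (not part of the gist): apply the per-developer permission
# scheme to one site directory, then audit that the tree still satisfies the
# three requirements. chown needs root, so ownership is only applied when an
# owner:group argument is given; the mode logic runs unprivileged on any tree.

# apply_dev_perms <site_dir> [owner:group]
# Directories 2750 (setgid: new files inherit the apache group), files 0750,
# and uploads/ 2775 / 0664 so the web server can write there.
apply_dev_perms() {
  local dir=$1 owner=${2:-}
  if [ -n "$owner" ]; then chown -R "$owner" "$dir"; fi
  find "$dir" -type d -exec chmod 2750 {} +
  find "$dir" -type f -exec chmod 0750 {} +
  if [ -d "$dir/uploads" ]; then
    find "$dir/uploads" -type d -exec chmod 2775 {} +
    find "$dir/uploads" -type f -exec chmod 0664 {} +
  fi
}

# audit_dev_perms <site_dir>
# Prints one line per violation and returns 1 if any is found:
#  - the site root must grant "others" nothing: that is what keeps bob out of
#    alice's tree (the 775 uploads/ below it is unreachable without traversal)
#  - every directory must carry setgid, so files stay in the apache group
#  - the group (apache) must be able to read everything it serves
#  - nothing may be world-writable
audit_dev_perms() {
  local dir=$1 path mode bits bad=0
  while IFS= read -r path; do
    mode=$(stat -c %a "$path")        # e.g. 2750 for a dir, 664 for a file
    bits=$(( 8#$mode ))
    if [ "$path" = "$dir" ] && (( bits & 8#007 )); then
      echo "others-can-access $mode $path"; bad=1
    fi
    if [ -d "$path" ] && ! (( bits & 8#2000 )); then
      echo "missing-setgid $mode $path"; bad=1
    fi
    if ! (( bits & 8#040 )); then
      echo "group-cannot-read $mode $path"; bad=1
    fi
    if (( bits & 8#002 )); then
      echo "world-writable $mode $path"; bad=1
    fi
  done < <(find "$dir")
  return "$bad"
}
```

Run `apply_dev_perms /var/www/alice.example.com alice:apache` as root on the server, and `audit_dev_perms /var/www/alice.example.com` afterwards (or from cron) to catch a developer who loosened a mode.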

# Granting user access from their home directories

We can create symlinks in their respective home directories. Better, use a subdirectory in the user's home directory to serve their content on their subdomain.

ln -s /var/www/alice.example.com /home/alice/

# Generating the user's key for SSH and SFTP logins:

  1. Switch to the user: `sudo su - alice`
  2. Create .ssh in the user's home dir: `mkdir ~/.ssh && cd ~/.ssh && touch authorized_keys` (no sudo, so the files stay owned by alice)
  3. Log out from the user: `exit`
  4. Generate the user's key and install it (as root; the key files land in the current directory):

     ssh-keygen -b 2048 -t rsa -f alicekey -C alice
     cat > /home/alice/.ssh/authorized_keys < alicekey.pub
     chown -R alice:alice /home/alice/.ssh
     chmod 0700 /home/alice/.ssh; chmod 0600 /home/alice/.ssh/authorized_keys
     cat > ~/alicekey.pem < alicekey

  5. Hand over alicekey.pem secretly (also keep a copy for yourself). Ask alice to log in using the above key like this: `ssh -i /path/to/alice/pemkey/on/her/machine alice@<your-ami-public-ip-address>`. If she can log in, we are good to go.
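The key-installation steps above and the equivalent steps for the dev user in the first script both write authorized_keys with `cat >` and then fix modes by hand. As an added example (not part of the gist), the helper below appends instead of overwriting, so a second key does not wipe the first, and a check function mirrors the mode half of what sshd's StrictModes verifies before it accepts a key (home, ~/.ssh and authorized_keys must not be group- or world-writable). It assumes bash and GNU `stat`; chown is applied only when a user name is given, so it also runs on a scratch home directory without root.

```bash
#!/bin/bash
# Added example (not part of the gist): install a developer's public key the way
# the steps above do, but append instead of overwrite, and check the modes that
# sshd's StrictModes requires. chown is applied only when a user name is given,
# so this runs on a scratch home directory without root.

# install_authorized_key <home_dir> "<public key line>" [user]
install_authorized_key() {
  local home=$1 key=$2 user=${3:-}
  local sshdir=$home/.ssh auth=$home/.ssh/authorized_keys
  mkdir -p "$sshdir"
  touch "$auth"
  # one key per line; re-running for the same key must not duplicate it
  if ! grep -qxF -- "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi
  chmod 0700 "$sshdir"
  chmod 0600 "$auth"
  chmod go-w "$home"
  if [ -n "$user" ]; then chown -R "$user:$user" "$sshdir"; fi
}

# check_ssh_perms <home_dir>
# Prints "ok", or the first path sshd would reject as group/world-writable
# (and returns 1). Ownership (user or root) is the other half of StrictModes;
# it needs root to set up, so it is not checked here.
check_ssh_perms() {
  local home=$1 path bits
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    bits=$(( 8#$(stat -c %a "$path") ))
    if (( bits & 8#022 )); then
      echo "group/world-writable: $path"
      return 1
    fi
  done
  echo ok
}
```

On the server: `install_authorized_key /home/alice "$(cat alicekey.pub)" alice` as root, then `check_ssh_perms /home/alice` before handing the .pem file over.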