Ubuntu 18.04 in Azure – Pt. 5: WordPress

The piece de resistance of this series has arrived! With all of the prerequisites met for WordPress and my own tinfoiled-hat nature, it’s time to let our hair down, throw caution to the wind, and install the most exploited (yet allegedly secure) blogging platform on the planet!

Based on my research, it’s largely older and unpatched instances that are exploited or ones heavily laden with every plugin available both helpful and unnecessary. Also, having unique credentials created for each and every login will help in the event that one of the few plugins I do use is hacked and those credentials pilfered.

…on a somewhat related note, isn’t pilfered a great word!?

mysql -u root -p
Provide the root password created during MySQL install previously.
mysql> CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> GRANT ALL ON wordpress.* TO ‘<uniquewordpressusername>’@’localhost’ IDENTIFIED BY ‘<uniqueWPpassword>’;
mysql> EXIT;

Install PHP extensions needed by WordPress
sudo apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip
sudo systemctl restart apache2

sudo nano /etc/apache2/sites-available/<yourdomain>.conf
Add in the following lines:
<Directory /var/www/<yourdomain>/>
AllowOverride All

sudo a2enmod rewrite
sudo systemctl restart apache2

Ok…so I lied before! Now it’s time to install WordPress!

cd /tmp
curl -O http://wordpress.org/latest.tar.gz
tar xzvf latest.tar.gz
touch /tmp/wordpress/.htaccess
cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php
mkdir /tmp/wordpress/wp-content/upgrade
sudo cp -a /tmp/wordpress/. /var/www/<yourdomain>
sudo chown -R www-data:www-data /var/www/<yourdomain>
sudo find /var/www/<yourdomain>/ -type d -exec chmod 750 {} \;
sudo find /var/www/<yourdomain> -type f exec chmod 640 {} \;

curl -s https://api.wordpress.org/secret-key/1.1/salt/
Make a note of the provided unique values. They are one-time use and should not be shared. If you do not make a note of the values, re-run the command and be sure to copy the values somewhere safely for transcribing next.

sudo nano /var/www/<yourdomain>/wp-config.php
Find the section that contains the dummy values for the unique values provided previously and replace them accordingly.
While in the same wp-config.php file, replace the database connection settings as appropriate.

Now, with everything configured, it is time to complete the install from the WebUI.
Navigate to https://<yourdomain> and the installer wizard will proceed automatically.

This concludes the setup “instructions” for the Azure instance currently running this blog. Total cider count in writing all segments in one sitting: 3. Currently enjoying Downeast Cider. Between the Original Unfiltered, Double Filtered, and the seasonal White I am definitely enjoying myself!

Ubuntu 18.04 in Azure – Pt. 4: SSL & Let’s Encrypt

Create an A record with <yourdomain> pointing to your server’s public IP address.
Create an A record with www.<yourdomain> pointing to your server’s public IP address.
Depending on the speed of your provider, replication of these changes to the global DNS roots may take some time to complete.

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache

DNS replication from above must be complete and verified before progressing. I recommend running a simple ping <yourdomain> to see if it returns the public IP of your server. Once it does, continue.
sudo certbot –apache -d <your domain> -d www.<yourdomain>
Fill out the field as prompted through the wizard. If everything is set properly, the HTTPS certificate will be created.
I recommend redirecting HTTP to HTTPS because, why not?

Verify automated certificate renewal is working:
sudo certbot renew –dry-run

If everything completes without errors, we’re done and the certificate is in-place!

Ubuntu 18.04 in Azure – Pt. 3: Virtual Hosts

Create a new directory.
sudo mkdir /var/www/<yourdomain>
sudo chown -R $USER:$USER /var/www/<yourdomain>

Make a placeholder webpage in HTML.
sudo nano /var/www/<yourdomain>/index.html
<title>Welcome to Your_Domain!</title>
<h1> Success! The your_domain server block is working!</h1>

Make a new Apache configuration file.
sudo nano /etc/apache2/sites-available/<yourdomain>.conf
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName <yourdomain>
ServerAlias www.<yourdomain>
DocumentRoot /var/www/<yourdomain>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

sudo a2ensite <yourdomain>.conf
sudo a2dissite 000-default.conf
sudo systemctl restart apache2

Ubuntu 18.04 in Azure – Pt. 2: LAMP

Now that we’re sufficiently protected from all the bad h4x0r5 in the world, it’s time to install Apache, MySQL, and PHP for our upcoming (and obviously already completed) WordPress install.

sudo apt install apache2 -y
sudo ufw allow in “Apache Full”

Be sure, at this point, to create a firewall rule in Azure> Networking to enable inbound communication on 80 and 443.

Once Apache is installed and allowed to communicate, it is time to install MySQL.

sudo apt install mysql-server -y
sudo mysql_secure_installation
Create applicable password as prompted.
Press Y and <enter> for remaining prompts.
sudo mysql
mysql> ALTER user ‘root’@’localhost’ IDENTIFIED WITH mysql_native_password BY ‘<new very secure password>’
mysql> exit

Last but not least, time to install PHP.

sudo apt install php libapache2-mod-php php-mysql
Move index.php to the first position after DirectoryIndex within /etc/apache2/mods-enabled/dir.conf
<IfModule mod_dir.c>
index.php index.html index.cgi index.pl index.xhtml index.htm

sudo systemctl restart apache2

FIN. I love LAMP.

Image result for I love LAMP

Ubuntu 18.04 in Azure – Pt. 1: Setup and A/V

Getting this server running this blog I’m typing on now was the culmination of a few different blogs scattered around the good ol’ interwebz. This will be my combination of the steps to achieve where I am today.

Step 1 – Create Azure VM

Not going to spoonfeed creating a virtual machine in Azure. There are plenty of other blogs around for that.

This VM is using the default recommendation of 2vCPU, 8GB of RAM with 30GB HDD. I did select HDD to help reduce costs for the VM seeing as it is just a blog, largely static.

I selected Ubuntu 18.04 as the OS to install and allowed SSH, 22, inbound from everywhere initially using the Setup Wizard.

Rather than mess with IP-based access rules, since I am on a dynamic IP, I choose to just disable SSH whenever I am not actively using it. This also helps to completely eliminate brute-force risks.

As another tinfoil-hat-esque security measure, create a custom non-root username that is equally difficult to guess as its password; assuming you’re not using certificate-based SSH.

Step 2 – Update Ubuntu 18.04

In true Microsoft fashion, like Windows 10 telling you “looking for updates…installing updates” then greeting you with a Feature Update on first boot, a new Ubuntu 18.04 server still requires updates. Run the obligatory sudo apt update && upgrade -y command and let it run. Go grab a coffee…or a cider!

Downeast Original Blend Cider

Step 3 – Install A/V

Seeing as I do work for ESET, and they are the ones footing the bill for this Azure instance, I would be remiss if I did not install our newest release for testing. That way I can say these resource I’m hogging for my new, top-of-the-charts blog are “for research purposes”. #GameTheSystemKids

wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent-linux-x86_64.sh
chmod +x ./agent-linux-x86_64.sh
sudo ./agent-linux-x86_64.sh \
–skip-license \
–hostname=<ESMC FQDN Here> or <ESMC IP Here>
–port=2222 (default, change accordingly) \
–webconsole-user=Username \
–webconsole-password=Password \
–webconsole-port=2223 (default, change accordingly)

If all values are correct, confirm the server-provided certificate and complete the install of the management agent.

Since ESET File Security for Linux 7.x is not yet released to the installation repository, we must install it manually.
wget https://download.eset.com/com/eset/apps/business/efs/linux/latest/efs.x86_64.bin
chmod +x ./efs.x86_64.bin
sudo ./efs.x86_64.bin

Complete the install as prompted. Make note of the provided Username:Password combination at completion of install. Due to a known issue, the password cannot be changed by policy so definitely make a note of it. The password can be changed locally within the WebUI after install but you need that initial password for first-time login.

That’s it for Part 1.