Ubuntu 18.04 in Azure – Pt. 5: WordPress

The piece de resistance of this series has arrived! With all of the prerequisites met for WordPress and my own tinfoiled-hat nature, it’s time to let our hair down, throw caution to the wind, and install the most exploited (yet allegedly secure) blogging platform on the planet!

Based on my research, it’s largely older and unpatched instances that are exploited or ones heavily laden with every plugin available both helpful and unnecessary. Also, having unique credentials created for each and every login will help in the event that one of the few plugins I do use is hacked and those credentials pilfered.

…on a somewhat related note, isn’t pilfered a great word!?

mysql -u root -p
Provide the root password created during MySQL install previously.
mysql> CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
mysql> GRANT ALL ON wordpress.* TO '<uniquewordpressusername>'@'localhost' IDENTIFIED BY '<uniqueWPpassword>';
mysql> EXIT;

Install PHP extensions needed by WordPress
sudo apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip
sudo systemctl restart apache2

sudo nano /etc/apache2/sites-available/<yourdomain>.conf
Add in the following lines:
<Directory /var/www/<yourdomain>/>
AllowOverride All
</Directory>

sudo a2enmod rewrite
sudo systemctl restart apache2

Ok…so I lied before! Now it’s time to install WordPress!

cd /tmp
curl -O https://wordpress.org/latest.tar.gz
tar xzvf latest.tar.gz
touch /tmp/wordpress/.htaccess
cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php
mkdir /tmp/wordpress/wp-content/upgrade
sudo cp -a /tmp/wordpress/. /var/www/<yourdomain>
sudo chown -R www-data:www-data /var/www/<yourdomain>
sudo find /var/www/<yourdomain>/ -type d -exec chmod 750 {} \;
sudo find /var/www/<yourdomain> -type f -exec chmod 640 {} \;

curl -s https://api.wordpress.org/secret-key/1.1/salt/
Make a note of the provided unique values. They are one-time use and should not be shared. If you do not make a note of the values, re-run the command and be sure to copy the values somewhere safe for transcribing next.

sudo nano /var/www/<yourdomain>/wp-config.php
Find the section that contains the dummy values for the unique values provided previously and replace them accordingly.
While in the same wp-config.php file, replace the database connection settings as appropriate.
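
One way to script the salt swap described above instead of hand-editing in nano (an added example, not part of the original post). It assumes the output of the curl command was saved to a file; install_salts, make_sample and KEY_RE are names made up here, and the sample config and salt values are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): replace the placeholder keys and
# salts in wp-config.php with freshly generated ones, without hand-editing.
# usage: install_salts /path/to/wp-config.php /path/to/salts.txt

# Matches "define('AUTH_KEY'" (API output) and "define( 'AUTH_KEY'" (sample file).
KEY_RE='^define[(] *.(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT).'

install_salts() {
    local config=$1 salts=$2 tmp
    # The salt API returns exactly eight define() lines. Refuse anything else,
    # such as an error page or a truncated download.
    if [ "$(grep -cE "$KEY_RE" "$salts")" -ne 8 ] ||
       grep -qvE "$KEY_RE|^[[:space:]]*\$" "$salts"; then
        echo "install_salts: $salts is not 8 key/salt define() lines" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # awk copies the new lines verbatim; a sed replacement would reinterpret
    # the & and / characters that generated salts commonly contain.
    awk -v salts="$salts" -v re="$KEY_RE" '
        $0 ~ re {                      # an existing key or salt line
            if (!done) { while ((getline line < salts) > 0) print line; done = 1 }
            next                       # drop the old value
        }
        { print }
    ' "$config" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Fail closed: exactly eight keys present and no placeholder left behind.
    if [ "$(grep -cE "$KEY_RE" "$tmp")" -ne 8 ] ||
       grep -q 'put your unique phrase here' "$tmp"; then
        rm -f "$tmp"; echo "install_salts: $config left unchanged" >&2; return 1
    fi
    # Write through the existing file so its owner and 640 mode are preserved.
    cat "$tmp" > "$config" && rm -f "$tmp"
}

# Constructed sample: a cut-down wp-config.php and stand-in salts in directory $1.
make_sample() {
    local k
    printf '%s\n' '<?php' "define( 'DB_NAME', 'database_name_here' );" \
        "define( 'AUTH_KEY',         'put your unique phrase here' );" \
        "define( 'NONCE_SALT',       'put your unique phrase here' );" \
        "\$table_prefix = 'wp_';" > "$1/wp-config.php"
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$k" "constructed&/\$|$k"
    done > "$1/salts.txt"
}

# Demo on the constructed sample; touches only a fresh temp directory.
d=$(mktemp -d) && make_sample "$d" && install_salts "$d/wp-config.php" "$d/salts.txt" && cat "$d/wp-config.php"; rm -rf "$d"
```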

Now, with everything configured, it is time to complete the install from the WebUI.
Navigate to https://<yourdomain> and the installer wizard will proceed automatically.

This concludes the setup “instructions” for the Azure instance currently running this blog. Total cider count in writing all segments in one sitting: 3. Currently enjoying Downeast Cider. Between the Original Unfiltered, Double Filtered, and the seasonal White I am definitely enjoying myself!

Ubuntu 18.04 in Azure – Pt. 4: SSL & Let’s Encrypt

Create an A record with <yourdomain> pointing to your server’s public IP address.
Create an A record with www.<yourdomain> pointing to your server’s public IP address.
Depending on the speed of your provider, replication of these changes to the global DNS roots may take some time to complete.

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache

DNS replication from above must be complete and verified before progressing. I recommend running a simple ping <yourdomain> to see if it returns the public IP of your server. Once it does, continue.
sudo certbot --apache -d <yourdomain> -d www.<yourdomain>
Fill out the field as prompted through the wizard. If everything is set properly, the HTTPS certificate will be created.
I recommend redirecting HTTP to HTTPS because, why not?

Verify automated certificate renewal is working:
sudo certbot renew --dry-run

If everything completes without errors, we’re done and the certificate is in-place!

Ubuntu 18.04 in Azure – Pt. 1: Setup and A/V

Getting this server running this blog I’m typing on now was the culmination of a few different blogs scattered around the good ol’ interwebz. This will be my combination of the steps to achieve where I am today.

Step 1 – Create Azure VM

Not going to spoonfeed creating a virtual machine in Azure. There are plenty of other blogs around for that.

This VM is using the default recommendation of 2vCPU, 8GB of RAM with 30GB HDD. I did select HDD to help reduce costs for the VM seeing as it is just a blog, largely static.

I selected Ubuntu 18.04 as the OS to install and allowed SSH, 22, inbound from everywhere initially using the Setup Wizard.

Rather than mess with IP-based access rules, since I am on a dynamic IP, I choose to just disable SSH whenever I am not actively using it. This also helps to completely eliminate brute-force risks.

As another tinfoil-hat-esque security measure, create a custom non-root username that is equally difficult to guess as its password; assuming you’re not using certificate-based SSH.

Step 2 – Update Ubuntu 18.04

In true Microsoft fashion, like Windows 10 telling you “looking for updates…installing updates” then greeting you with a Feature Update on first boot, a new Ubuntu 18.04 server still requires updates. Run the obligatory sudo apt update && sudo apt upgrade -y command and let it run. Go grab a coffee…or a cider!


Step 3 – Install A/V

Seeing as I do work for ESET, and they are the ones footing the bill for this Azure instance, I would be remiss if I did not install our newest release for testing. That way I can say these resources I’m hogging for my new, top-of-the-charts blog are “for research purposes”. #GameTheSystemKids

wget https://download.eset.com/com/eset/apps/business/era/agent/latest/agent-linux-x86_64.sh
chmod +x ./agent-linux-x86_64.sh
sudo ./agent-linux-x86_64.sh \
--skip-license \
--hostname=<ESMC FQDN or IP here> \
--port=2222 \
--webconsole-user=Username \
--webconsole-password=Password \
--webconsole-port=2223
Ports 2222 and 2223 are the defaults; change them accordingly.

If all values are correct, confirm the server-provided certificate and complete the install of the management agent.

Since ESET File Security for Linux 7.x is not yet released to the installation repository, we must install it manually.
wget https://download.eset.com/com/eset/apps/business/efs/linux/latest/efs.x86_64.bin
chmod +x ./efs.x86_64.bin
sudo ./efs.x86_64.bin

Complete the install as prompted. Make note of the provided Username:Password combination at completion of install. Due to a known issue, the password cannot be changed by policy so definitely make a note of it. The password can be changed locally within the WebUI after install but you need that initial password for first-time login.

That’s it for Part 1.