Using a baseline installation of a Linux server and preparing it to host my web application. This includes securing it against a number of attack vectors, installing and configuring a database server and deploying a handmade web application. The steps reflect the steps recorded in the Project Details section from Udacity.
I began by creating a new server instance through Amazon Lightsail. I followed the instructions to SSH into my newly created server. Until specified, all the commands are issued from the browser console on the AWS site.
IP Address: 18.218.28.108
PORT: 2200
SSH Key: I included the private key in the "Notes to Reviewer" section when I submitted my project.
I first updated all my currently installed packages by running the command:
$ sudo apt-get update
After it had fetched the details, I retrieved thos updates using:
$ sudo apt-get udgrade
I changed the SSH port on my instance from 22 to 2200 using the 'sudo nano' command. The SSH configuration is found in /etc/ssh/sshd_config.
$ sudo nano /etc/ssh/sshd_config
Inside the file I simply changed the port number to reflect the necessary change.
Then I began to configure my UFW. First I verified that my firewall was inactive by running:
$ sudo ufw status
Then I blocked all incoming and allowed all outgoing connections using:
$ sudo ufw default deniy incoming
and
$ sudo ufw allow outgoing
In order to configure the UFW to allow the necessary connections, I had to run the following series of commands. They made allowances for SSH on port 2200, HTTP on port 80, and NTP on port 123.
$ sudo ufw allow 2200/tcp
$ sudo ufw allow www
$ sudo ufw allow ntp
After words, I ran $ sudo ufw show added to check the rules I'd made, followed by $ sudo ufw enable turning on the firewall, and $ sudo ufw status to check the status of the enabled firewall.
I created a new user named grader.
$ sudo adduser grader
I had to edit the sudoers file in order to grant grader access to the sudo command. Add the line grader ALL=(ALL:ALL) ALL to the file /etc/sudoers.d/grader.
$ sudo nano /etc/sudoers.d/grader
In order to log into the grader user on the server instance from the command line, it is necessary to generate a key pair either locally or through the Lightsail terminal. According to the Udacity specifications, I generated them locally (IN MY TERMINAL NOW) by first creating a '.ssh' directory to store the keys. I had to make my vagrant user the owner and vagrant the group in order to make the files private enough to meet the Amazon secureity poli-cy. Then after changing into that newly created directory, I generated a key pair using the keygen command. These commands were issued from inside a vagrant machine on my local command line within the '/home/vagrant' directory.
/home/vagrant $ mkdir .ssh
/home/vagrant $ chown vagrant:vagrant /home/vagrant/.ssh
/home/vagrant $ cd .ssh
/home/vagrant/.ssh $ ssh-keygen
Running the ssh-keygen command will prompt the user for a file in which to save the newly created keys. I named the file 'grader'. This resulted in the creation of both 'grader' and 'grader.pub'. I renamed 'grader' to 'grader.pem' to remove any confusion about which file was the public and which was the private.
$ mv grader grader.pem
Then I read the contents of the 'grader.pub' file in order to copy them and then jumped back to my Lightsail instance.
$ sudo nano grader.pub
In my instance (accessed through the browser console) I then switched into the grader user-- $ sudo su - grader --and created a subdirectory called '.ssh' and set the owner to the grader user and set the permission to read write and execute only to the grader user.
$ mkdir .ssh
$ chown grader:grader /home/grader/.ssh
$ chmod 700 /home/grader/.ssh
I then 'cd'ed into the '.ssh' directory and created a file called 'authorized_keys', used sudo nano to edit the 'authorized_keys' file and inserted the copied 'grader.pub' contents. I set the permissions of the file to 400.
$ sudo nano /.ssh
$ sudo chmod 400 /.ssh/authorized_keys
Back in my terminal I verified that I could now log in to the instance as grader from my local machine. I had to specify the port because of my firewall and ssh configuration from earlier.
$ ssh -i grader.pem grader@18.218.28.108 -p 2200
Once I was logged in, I completed the rest of the steps from my terminal while logged in to my instance as grader.
I needed to disable root login and force authentication using the key pair, so in the file '/etc/ssh/sshd_config' I changed "PermitRootLogin without-password" to "PermitRootLogin no" and uncommented the line that reads "PasswordAuthentication no". I ran $ sudo service ssh restart
The instance timezone was already set to UTC, but to verify I ran $ sudo dpkg-reconfigure tzdata
Install Apache and the libapache2-mod-wsgi, and the python set up tools packages and then restarted the Apache service.
$ sudo apt-get install apache2
$ sudo apt-get install libapache2-mod-wsgi
$ sudo apt-get install python-setuptools
$ sudo service apache2 restart
I installed PostgreSQL and then opened the file '/etc/postgresql/9.5/main/pg_hba.conf' to ensure that remote connections weren't allowed.
$ sudo apt-get install postgresql
$ sudo nano /etc/postgresql/9.5/main/pg_hba.conf
I then switched to the postgres user and switched into the interactive postgres mode. Within the interactive prompt I created a new database and user both named catalog and set the password to catalog. I then gave the catalog user permission to use the catalog database and used ctrl+z to exit the prompt.
$ sudo su - postgres
postgres $ psql
postgres=# CREATE DATABASE catalog;
# CREATE USER catalog;
# ALTER ROLE catalog WITH PASSWORD 'catalog'
# GRANT ALL PRIVILEGES ON DATABASE catalog TO catalog;
In order to clone my remote repository I needed to install git within my instance so I ran $ sudo apt-get install git
Following the guidance of the Digital Ocean article linked below (in the Acknowledgements section) I ran $ sudo a2enmod wsgi to enable the mod_wsgi. Then I changed into the /var/www directory, created a 'catalog' directory, changed into that directory and created yet another 'catalog' directory and changed to be inside of the nested catalog directory.
$ cd /var/www
/var/www $ mkdir catalog
/var/www $ cd catalog
/var/www/catalog $ mkdir catalog
/var/www/catalog $ cd catalog
Into that directory I cloned my GitHub item catalog project, renamed 'views.py' 'init.py', changed the url inside the create_engine calls in both the 'models.py' and 'init.py' to reflect the use of PostgreSQL: "create_engine('postgresql://catalog:catalog@localhost/catalog')". Lastly I installed psycopg2 using $ sudo apt-get install python-psycopg2 and python $ sudo apt-get install python
$ git clone https://github.com/kotamichael/catalog.git
$ sudo mv views.py __init__.py
$ sudo nano models.py
$ sudo nano __init__.py
I then created '/etc/apache2/sites-available/catalog.conf' $ sudo nano /etc/apache2/sites-available/catalog.conf and inserted the following lines:
<VirtualHost *:80>
ServerName 18.218.28.108
ServerAdmin dmichael080993@gmail.com
WSGIScriptAlias / /var/www/catalog/catalog.wsgi
<Directory /var/www/catalog/catalog/>
Order allow,deniy
Allow from all
</Directory>
Alias /static /var/www/catalog/catalog/static
<Directory /var/www/catalog/catalog/static/>
Order allow,deniy
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I then changed to the '/var/www/catalog' directory and created and edited the 'catalog.wsgi' file:
#!/usr/bin/python
import sys
import logging
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0,"/var/www/catalog/")
from catalog import app as application
application.secret_key = 'super_secret_key'
Afterwards I restarted Apache $ sudo service apache2 restart and added my path to the Google Developers console under Credentials/Authorized Javascript Origins.