Server Setup

Learn how to manage and set up your Linux server

Rebuilding and Securing the Strato Server

1. Reinstalling the Server

  1. Go to Package Overview in your Strato control panel.
  • Scroll down and click Reinstall.
  • A modal window titled VM Reinstall will appear.
  2. Select the operating system.
  • Select Ubuntu 22.04 (do not use Ubuntu 24).
  • Set a strong password for the root user.
  • Create an SSH key (explained below).
  3. Create an SSH key with PuTTYgen.
  • Download and open PuTTYgen.exe if you don't already have it.
  • Click Generate and move your mouse anywhere within the window to generate the key.
  • Once the key is generated, enter a strong passphrase to protect your private key.
  • Save the private key (.ppk file) in a safe place.
  • Copy the public key from the field at the top (under Key, not the menu bar).
  • Paste this public key into the Strato installation screen next to the SSH key.
  4. Start the installation.

2. Configure the Firewall

  1. Once the installation is complete, log in to your server and immediately activate the firewall:
  • Open the firewall configuration.
  • Add the default rules for HTTP (port 80) and HTTPS (port 443).
  • Add a rule for SSH access:
      • Protocol: TCP
      • IPv4: Leave blank
      • Port from: 22
      • Port to: 22

3. Convert the SSH key for use

  1. Reopen PuTTYgen.exe.
  2. Go to Conversions > Import key and select your previously saved .ppk file.
  3. Export the key as an OpenSSH key via Conversions > Export OpenSSH key.
  4. Enter the passphrase and save the file with a meaningful name, for example, yourname_openssh.

4. Log in to your server via SSH

Now use the OpenSSH key to log in:

ssh -i "[path/to/your/ssh-key]" root@[your-server-ip]

5. Basic security and user management

  1. We don't want to log in as root, so we'll create a new user and log in with this user from now on.
  • Create a new user:
adduser yourusername
  • Add this user to the sudo group:
usermod -aG sudo yourusername
  2. (Optional) Disable root login via SSH:
  • Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
  • Locate the line PermitRootLogin and remove the comment (#) so that it reads:
PermitRootLogin prohibit-password
  • Note that prohibit-password only blocks root logins with a password; root can still log in with the SSH key you uploaded during installation. Once you have confirmed that the new user can log in and use sudo, set the value to no to disable root login entirely.
  • Restart the SSH service:
sudo systemctl restart ssh
  3. Configure and enable the firewall (UFW runs on the server itself, in addition to the Strato firewall from step 2):
  • Update the package list and install UFW:
sudo apt update
sudo apt install ufw -y
  • Set the default rules (allow SSH before enabling, or you will lock yourself out):
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
  • Enable the firewall:
sudo ufw enable
  • Check the status:
sudo ufw status verbose
  4. Protection against brute force attacks:
  • Install fail2ban (on Ubuntu the sshd jail is enabled by default, so SSH is protected as soon as the service is running):
sudo apt install fail2ban -y
  5. Enable automatic updates:
  • Install unattended-upgrades:
sudo apt install unattended-upgrades -y
  • Configure unattended-upgrades:
sudo dpkg-reconfigure --priority=low unattended-upgrades
  6. Make firewall rules persistent:
  • Install iptables-persistent (UFW already restores its own rules at boot; this package is only needed for rules you add directly with iptables):
sudo apt install iptables-persistent -y
  7. Protection against malware and rootkits:
  • Install ClamAV (virus scanner):
sudo apt install clamav
sudo freshclam # Update virus definitions
sudo clamscan -r -i /path # Recursively scan a path, listing only infected files
  • Install rkhunter (rootkit hunter):
sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter -c # System check
  • When you install rkhunter for the first time, a screen with "No configuration" / "Internet Site" appears. This is the setup dialog of Postfix, which is pulled in as a dependency so rkhunter can e-mail its reports. Select Internet Site and enter your domain name.
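As an added check for step 2 (my own script, not part of the original guide): sshd uses the first uncommented occurrence of a keyword, so a second PermitRootLogin line further down the file has no effect. The function below reads a config file and reports the value that will actually apply; the sample file contents are constructed.

```sh
#!/bin/sh
# Added example: report the value sshd will really use for an option.
# sshd takes the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive), so "PermitRootLogin no" appended at the end of the file
# is silently ignored if an earlier line already set the option.
#
# effective_sshd_option <config-file> <keyword> <default-if-unset>
effective_sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(awk -v key="$key" '
        /^[ \t]*#/ { next }                    # comment line
        /^[ \t]*$/ { next }                    # blank line
        tolower($1) == key { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${value:-$3}"
}

# root_login_is_disabled <config-file>: succeeds only when root cannot log in
# at all; "prohibit-password" (the sshd default) still allows key-based root login.
root_login_is_disabled() {
    v=$(effective_sshd_option "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Constructed sample config (stand-in for /etc/ssh/sshd_config): the first
# setting wins, so the "no" at the bottom does not take effect.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
printf 'Effective PermitRootLogin: %s\n' \
    "$(effective_sshd_option "$SAMPLE" PermitRootLogin prohibit-password)"
if root_login_is_disabled "$SAMPLE"; then
    echo "root login disabled"
else
    echo "root login still possible; fix the first PermitRootLogin line"
fi
rm -f "$SAMPLE"
```

The function does not follow Include directives or Match blocks; on Ubuntu 22.04 the files in /etc/ssh/sshd_config.d/ are included at the top and therefore win over the main file, so on the live server `sudo sshd -T | grep -i permitrootlogin` is the authoritative check.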

6. Making applications work

  1. Update your package list and upgrade all packages:
sudo apt update && sudo apt upgrade -y
  2. Install PHP (possibly add a new repository first):
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install apache2 libapache2-mod-php8.3 php8.3 php8.3-mysql php8.3-mbstring php8.3-curl php8.3-xml php8.3-bcmath php8.3-zip php8.3-cli unzip curl git -y
  3. Install additional PHP modules:
sudo apt install php-{xml,mbstring,curl,zip,gd,intl,bcmath,mysql,tokenizer,imagick}
  4. Check the PHP version and the Apache status:
php -v
sudo systemctl restart apache2
sudo systemctl status apache2
  5. Make sure MySQL is running:
sudo systemctl status mysql
  • If MySQL isn't running, start it with:
sudo systemctl start mysql
  • If the command isn't found, install MySQL:
sudo apt update
sudo apt install mysql-server
sudo systemctl status mysql
  6. Install and configure phpMyAdmin:
sudo apt install phpmyadmin
  • At the "Yes or No" screen, select No.
  • Check that the phpMyAdmin Apache configuration is present:
sudo nano /etc/apache2/conf-available/phpmyadmin.conf
  • If the file is empty, add the following. The <IfModule mod_php7.c> block only applies to the PHP 7 module; with libapache2-mod-php8.3 installed above it is skipped, and .php files are still handled by that module's own configuration. Note that this Alias makes phpMyAdmin reachable by anyone who can reach port 80, not only through the SSH tunnel described below.
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php

    <IfModule mod_php7.c>
        AddType application/x-httpd-php .php

        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
        php_admin_flag allow_url_fopen Off
        php_value include_path .
    </IfModule>
</Directory>
  • Enable the configuration and reload Apache:
sudo a2enconf phpmyadmin
sudo systemctl reload apache2
  7. Create a .bat script for local database access via SSH tunnel:
@echo off
REM Adjust these variables to your situation
REM Use the non-root user created in step 5 once root login is disabled
set PRIVATE_KEY=""
set REMOTE_USER=root
set REMOTE_HOST=
set LOCAL_PORT=8080
set REMOTE_PORT=80

echo Starting SSH tunnel...
REM Forwards local port 8080 to port 80 on the server over SSH
ssh -i %PRIVATE_KEY% -L %LOCAL_PORT%:127.0.0.1:%REMOTE_PORT% %REMOTE_USER%@%REMOTE_HOST%

pause
  • Then open in your browser: http://127.0.0.1:8080/
  8. If you can't log in to MySQL, you can reset the password (on Ubuntu the MySQL root account authenticates through the system root user, so use sudo):
sudo mysql -u root
  • In the MySQL console, run:
USE mysql;
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_password';
FLUSH PRIVILEGES;
  • Test it with:
mysql -u root -p
  9. Set up GitHub SSH access so the project can be cloned into /var/www. Test the connection first:
ssh -T git@github.com
  • If it does not work, generate a key, add the public key to your GitHub account (Settings > SSH and GPG keys), and test again:
ssh-keygen -t rsa -b 4096 -C "email@example.com"
cat ~/.ssh/id_rsa.pub
ssh -T git@github.com
  10. Cloning a project:
  • Create the directory and clone the repository using the user:
mkdir -p /var/www/websitedomain
cd /var/www/websitedomain
sudo git clone git@github.com:X-WMS/yourname.git /var/www/websitedomain
  • Always use the user, not root, to perform a git pull.
  11. Add a group for file permissions:
sudo groupadd yournamegroup
sudo usermod -aG yournamegroup www-data
sudo usermod -aG yournamegroup yourusername
  12. Set file permissions (repeat if necessary):
sudo chmod -R 775 /var/www/websitedomain
sudo find /var/www/websitedomain -type f -exec chmod 664 {} \;
sudo find /var/www/websitedomain -type d -exec chmod 775 {} \;
sudo chown -R yourname:yournamegroup /var/www/websitedomain
sudo chmod -R g+rw /var/www/websitedomain
sudo find /var/www/websitedomain -type d -exec chmod g+s {} \; # setgid on directories only, so new files inherit the group
  13. Check if it worked using the user (in the project folder):
ls -l composer.json
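Added example for the permission step above and the storage/cache step in section 7 (my own script, not from the guide): it applies the layout the guide aims for (directories 2775 with the setgid bit so new files inherit the group, files 664, and additionally .env at 640 because it holds database credentials) and then audits a tree for what most often goes wrong. Ownership is left to the guide's chown commands; the sample tree is constructed.

```sh
#!/bin/sh
# Added example: apply and audit the shared web-root layout used in this guide.
# Directories: 2775 (group-writable, setgid so new files inherit the group).
# Files: 664, except .env (database credentials), which gets 640.
# chown is left to the guide's own commands; this script only touches modes.

# apply_web_perms <dir>
apply_web_perms() {
    find "$1" -type d -exec chmod 2775 {} \;
    find "$1" -type f -exec chmod 664 {} \;
    if [ -f "$1/.env" ]; then chmod 640 "$1/.env"; fi
}

# audit_web_perms <dir>: exit 0 when the layout is intact, 1 otherwise.
# Flags world-writable entries (any local account could alter the site),
# directories without setgid (new files would fall out of the group), and
# a world-readable .env.
audit_web_perms() {
    dir=$1; bad=0
    ww=$(find "$dir" -perm -0002 | wc -l)
    nosgid=$(find "$dir" -type d ! -perm -2000 | wc -l)
    if [ "$ww" -gt 0 ]; then echo "world-writable entries: $ww"; bad=1; fi
    if [ "$nosgid" -gt 0 ]; then echo "directories without setgid: $nosgid"; bad=1; fi
    if [ -f "$dir/.env" ] && [ -n "$(find "$dir/.env" -perm -0004)" ]; then
        echo ".env is world-readable"; bad=1
    fi
    return $bad
}

# Constructed sample tree standing in for /var/www/websitedomain.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/public" "$SAMPLE/storage/logs" "$SAMPLE/bootstrap/cache"
printf '{}\n' > "$SAMPLE/composer.json"
printf '<?php\n' > "$SAMPLE/public/index.php"
printf 'DB_PASSWORD=constructed\n' > "$SAMPLE/.env"
chmod 777 "$SAMPLE/public/index.php"   # simulate an earlier careless chmod
apply_web_perms "$SAMPLE"
if audit_web_perms "$SAMPLE"; then echo "permissions OK"; fi
rm -rf "$SAMPLE"
```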

7. Install Composer and other tools and publish the website

  1. Install Composer:
sudo apt install composer
  2. Switch to the user:
su - yourusername
  3. In the project folder, run:
composer install
  4. Install Node.js (for frontend builds):
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
  5. Install frontend dependencies and run the build:
npm install
npm run build
  6. Run the Laravel setup (make sure you've set up the .env):
php artisan key:generate
php artisan migrate --seed
php artisan storage:link
  7. Configure the website in Apache:
sudo nano /etc/apache2/sites-available/websitedomain.conf

Add the following configuration (change `websitedomain` to your domain). Options Indexes turns on directory listings for any folder under public that has no index file; drop Indexes if visitors should not be able to browse those folders.

<VirtualHost *:80>
    ServerAdmin webmaster@websitedomain
    ServerName websitedomain
    ServerAlias www.websitedomain

    DocumentRoot /var/www/websitedomain/public

    <Directory /var/www/websitedomain/public>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/websitedomain_error.log
    CustomLog ${APACHE_LOG_DIR}/websitedomain_access.log combined
</VirtualHost>
  8. Activate the site and reload Apache:
sudo a2ensite websitedomain.conf
sudo systemctl reload apache2
  9. Set up HTTPS with Certbot:
  • Install Certbot if you don't have it already:
sudo apt install certbot python3-certbot-apache
  • Check that your firewall allows HTTP and HTTPS:
sudo ufw status
  • If not allowed, add:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
  • Run Certbot:
sudo certbot --apache -d domainname -d www.domainname
  • Enter your email address (e.g., info@xwms.nl)
  • Select Yes to accept the terms
  • Select No to subscribe to the newsletter
  10. Set permissions for the Laravel cache and storage:
sudo chown -R www-data:www-data /var/www/websitedomain/storage
sudo chown -R www-data:www-data /var/www/websitedomain/bootstrap/cache
sudo chmod -R 775 /var/www/websitedomain/storage
sudo chmod -R 775 /var/www/websitedomain/bootstrap/cache
  11. Restart Apache:
sudo systemctl restart apache2

Your website is now online and accessible via HTTPS. Check your browser to see if everything is working correctly.