One place for hosting & domains

      How To Install the Latest MySQL on Debian 9


      Introduction

      MySQL is a prominent open source database management system used to store and retrieve data for a wide variety of popular applications. MySQL is the M in the LAMP stack, a commonly used set of open source software that also includes Linux, the Apache web server, and the PHP programming language.

      In Debian 9, MariaDB, a community fork of the MySQL project, is packaged as the default MySQL variant. While, MariaDB works well in most cases, if you need features found only in Oracle’s MySQL, you can install and use packages from a repository maintained by the MySQL developers.

      To install the latest version of MySQL, we’ll add this repository, install the MySQL software itself, secure the install, and finally we’ll test that MySQL is running and responding to commands.

      Prerequisites

      Before starting this tutorial, you will need:

      Step 1 — Adding the MySQL Software Repository

      The MySQL developers provide a .deb package that handles configuring and installing the official MySQL software repositories. Once the repositories are set up, we’ll be able to use Ubuntu’s standard apt command to install the software. We’ll download this .deb file with wget and then install it with the dpkg command.

      First, load the MySQL download page in your web browser. Find the Download button in the lower-right corner and click through to the next page. This page will prompt you to log in or sign up for an Oracle web account. We can skip that and instead look for the link that says No thanks, just start my download. Right-click the link and select Copy Link Address (this option may be worded differently, depending on your browser).

      Now we’re going to download the file. On your server, move to a directory you can write to. Download the file using wget, remembering to paste the address you just copied in place of the highlighted portion below:

      • cd /tmp
      • wget https://dev.mysql.com/get/mysql-apt-config_0.8.10-1_all.deb

      The file should now be downloaded in our current directory. List the files to make sure:

      You should see the filename listed:

      Output

      mysql-apt-config_0.8.10-1_all.deb . . .

      Now we're ready to install:

      • sudo dpkg -i mysql-apt-config*

      dpkg is used to install, remove, and inspect .deb software packages. The -i flag indicates that we'd like to install from the specified file.

      During the installation, you'll be presented with a configuration screen where you can specify which version of MySQL you'd prefer, along with an option to install repositories for other MySQL-related tools. The defaults will add the repository information for the latest stable version of MySQL and nothing else. This is what we want, so use the down arrow to navigate to the Ok menu option and hit ENTER.

      The package will now finish adding the repository. Refresh your apt package cache to make the new software packages available:

      Now that we've added the MySQL repositories, we're ready to install the actual MySQL server software. If you ever need to update the configuration of these repositories, just run sudo dpkg-reconfigure mysql-apt-config, select new options, and then sudo apt-get update to refresh your package cache.

      Step 2 — Installing MySQL

      Having added the repository and with our package cache freshly updated, we can now use apt to install the latest MySQL server package:

      • sudo apt install mysql-server

      apt will look at all available mysql-server packages and determine that the MySQL provided package is the newest and best candidate. It will then calculate package dependencies and ask you to approve the installation. Type y then ENTER. The software will install.

      You will be asked to set a root password during the configuration phase of the installation. Choose and confirm a secure password to continue. Next, a prompt will appear asking for you to select a default authentication plugin. Read the display to understand the choices. If you are not sure, choosing Use Strong Password Encryption is safer.

      MySQL should be installed and running now. Let's check using systemctl:

      • sudo systemctl status mysql

      Output

      ● mysql.service - MySQL Community Server Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2018-09-05 15:58:21 UTC; 30s ago Docs: man:mysqld(8) http://dev.mysql.com/doc/refman/en/using-systemd.html Main PID: 12805 (mysqld) Status: "SERVER_OPERATING" CGroup: /system.slice/mysql.service └─12805 /usr/sbin/mysqld Sep 05 15:58:15 mysql1 systemd[1]: Starting MySQL Community Server... Sep 05 15:58:21 mysql1 systemd[1]: Started MySQL Community Server.

      The Active: active (running) line means MySQL is installed and running. Now we'll make the installation a little more secure.

      Step 3 — Securing MySQL

      MySQL comes with a command we can use to perform a few security-related updates on our new install. Let's run it now:

      • mysql_secure_installation

      This will ask you for the MySQL root password that you set during installation. Type it in and press ENTER. Now we'll answer a series of yes or no prompts. Let's go through them:

      First, we are asked about the validate password plugin, a plugin that can automatically enforce certain password strength rules for your MySQL users. Enabling this is a decision you'll need to make based on your individual security needs. Type y and ENTER to enable it, or just hit ENTER to skip it. If enabled, you will also be prompted to choose a level from 0–2 for how strict the password validation will be. Choose a number and hit ENTER to continue.

      Next you'll be asked if you want to change the root password. Since we just created the password when we installed MySQL, we can safely skip this. Hit ENTER to continue without updating the password.

      The rest of the prompts can be answered yes. You will be asked about removing the anonymous MySQL user, disallowing remote root login, removing the test database, and reloading privilege tables to ensure the previous changes take effect properly. These are all a good idea. Type y and hit ENTER for each.

      The script will exit after all the prompts are answered. Now our MySQL installation is reasonably secured. Let's test it again by running a client that connects to the server and returns some information.

      Step 4 – Testing MySQL

      mysqladmin is a command line administrative client for MySQL. We'll use it to connect to the server and output some version and status information:

      • mysqladmin -u root -p version

      The -u root portion tells mysqladmin to log in as the MySQL root user, -p instructs the client to ask for a password, and version is the actual command we want to run.

      The output will let us know what version of the MySQL server is running, its uptime, and some other status information:

      Output

      mysqladmin Ver 8.0.12 for Linux on x86_64 (MySQL Community Server - GPL) Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Server version 8.0.12 Protocol version 10 Connection Localhost via UNIX socket UNIX socket /var/run/mysqld/mysqld.sock Uptime: 6 min 42 sec Threads: 2 Questions: 12 Slow queries: 0 Opens: 123 Flush tables: 2 Open tables: 99 Queries per second avg: 0.029

      If you received similar output, congrats! You've successfully installed the latest MySQL server and secured it.

      Conclusion

      You've now completed a basic install of the latest version of MySQL, which should work for many popular applications.



      Source link

      How To Secure Nginx with Let’s Encrypt on Debian 9


      Introduction

      Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

      In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Debian 9 and set up your certificate to renew automatically.

      This tutorial will use a separate Nginx server block file instead of the default file. We recommend creating new Nginx server block files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

      Prerequisites

      To follow this tutorial, you will need:

      • One Debian 9 server, set up by following this initial server setup for Debian 9 tutorial, along with a sudo non-root user and a firewall.
      • A fully registered domain name. This tutorial will use example.com throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
      • Both of the following DNS records set up for your server. You can follow this introduction to DigitalOcean DNS for details on how to add them.

        • An A record with example.com pointing to your server’s public IP address.
        • An A record with www.example.com pointing to your server’s public IP address.
      • Nginx installed by following How To Install Nginx on Debian 9. Be sure that you have a server block for your domain. This tutorial will use /etc/nginx/sites-available/example.com as an example.

      Step 1 — Installing Certbot

      The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

      Certbot is in very active development, so the Certbot packages provided by Debian with current stable releases tend to be outdated. However, we can obtain a more up-to-date package by enabling the Debian 9 backports repository in /etc/apt/sources.list, where the apt package manager looks for package sources. The backports repository includes recompiled packages that can be run without new libraries on stable Debian distributions.

      To add the backports repository, first open /etc/apt/sources.list:

      • sudo nano /etc/apt/sources.list

      At the bottom of the file, add the following mirrors from the Debian project:

      /etc/apt/sources.list

      ...
      deb http://deb.debian.org/debian stretch-backports main contrib non-free
      deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
      

      This includes the main packages, which are Debian Free Software Guidelines (DFSG)- compliant, as well as the non-free and contrib components, which are either not DFSG-compliant themselves or include dependencies in this category.

      Save and close the file when you are finished.

      Update the package list to pick up the new repository’s package information:

      And finally, install Certbot's Nginx package with apt:

      • sudo apt install python-certbot-nginx -t stretch-backports

      Certbot is now ready to use, but in order for it to configure SSL for Nginx, we need to verify some of Nginx's configuration.

      Step 2 — Confirming Nginx's Configuration

      Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches your requested domain.

      If you followed the server block setup step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/example.com with the server_name directive already set appropriately.

      To check, open the server block file for your domain using nano or your favorite text editor:

      • sudo nano /etc/nginx/sites-available/example.com

      Find the existing server_name line. It should look like this:

      /etc/nginx/sites-available/example.com

      ...
      server_name example.com www.example.com;
      ...
      

      If it does, exit your editor and move on to the next step.

      If it doesn't, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

      If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file syntax is correct, reload Nginx to load the new configuration:

      • sudo systemctl reload nginx

      Certbot can now find the correct server block and update it.

      Next, let's update the firewall to allow HTTPS traffic.

      Step 3 — Allowing HTTPS Through the Firewall

      If you have the ufw firewall enabled, as recommended in the prerequisite guides, you'll need to adjust the settings to allow for HTTPS traffic.

      You can see the current setting by typing:

      It will probably look like this, meaning that only HTTP traffic is allowed to the web server:

      Output

      Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx HTTP ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx HTTP (v6) ALLOW Anywhere (v6)

      To let in HTTPS traffic, allow the Nginx Full profile and delete the redundant Nginx HTTP profile allowance:

      • sudo ufw allow 'Nginx Full'
      • sudo ufw delete allow 'Nginx HTTP'

      Your status should now look like this:

      Output

      Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx Full ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx Full (v6) ALLOW Anywhere (v6)

      Next, let's run Certbot and fetch our certificates.

      Step 4 — Obtaining an SSL Certificate

      Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

      • sudo certbot --nginx -d example.com -d www.example.com

      This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.

      If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

      If that's successful, certbot will ask how you'd like to configure your HTTPS settings.

      Output

      Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

      Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

      Output

      IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-07-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

      Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

      Let's finish by testing the renewal process.

      Step 5 — Verifying Certbot Auto-Renewal

      Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within thirty days of expiration.

      To test the renewal process, you can do a dry run with certbot:

      • sudo certbot renew --dry-run

      If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

      Conclusion

      In this tutorial, you installed the Let's Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.



      Source link

      How to Install and Configure VNC on Debian 9


      Introduction

      Virtual Network Computing, or VNC, is a connection system that allows you to use your keyboard and mouse to interact with a graphical desktop environment on a remote server. It makes managing files, software, and settings on a remote server easier for users who are not yet comfortable with the command line.

      In this guide, you’ll set up a VNC server on a Debian 9 server and connect to it securely through an SSH tunnel. You’ll use TightVNC, a fast and lightweight remote control package. This choice will ensure that our VNC connection will be smooth and stable even on slower internet connections.

      Prerequisites

      To complete this tutorial, you’ll need:

      • One Debian 9 server set up by following the Debian 9 initial server setup guide, including a non-root user with sudo access and a firewall.
      • A local computer with a VNC client installed that supports VNC connections over SSH tunnels.
        • On Winows, you can use TightVNC, RealVNC, or UltraVNC.
        • On macOS, you can use the built-in Screen Sharing program, or can use a cross-platform app like RealVNC.
        • On Linux, you can choose from many options, including vinagre, krdc, RealVNC, or TightVNC.

      Step 1 — Installing the Desktop Environment and VNC Server

      By default, a Debian 9 server does not come with a graphical desktop environment or a VNC server installed, so we’ll begin by installing those. Specifically, we will install packages for the latest Xfce desktop environment and the TightVNC package available in the official Debian repository.

      On your server, update your list of packages:

      Now install the Xfce desktop environment on your server:

      • sudo apt install xfce4 xfce4-goodies

      During the installation, you'll be prompted to select your keyboard layout from a list of possible options. Choose the one that's appropriate for your language and press Enter. The installation will continue.

      Once that installation completes, install the TightVNC server:

      • sudo apt install tightvncserver

      To complete the VNC server's initial configuration after installation, use the vncserver command to set up a secure password and create the initial configuration files:

      You'll be prompted to enter and verify a password to access your machine remotely:

      Output

      You will require a password to access your desktops. Password: Verify:

      The password must be between six and eight characters long. Passwords more than 8 characters will be truncated automatically.

      Once you verify the password, you'll have the option to create a a view-only password. Users who log in with the view-only password will not be able to control the VNC instance with their mouse or keyboard. This is a helpful option if you want to demonstrate something to other people using your VNC server, but this isn't required.

      The process then creates the necessary default configuration files and connection information for the server:

      Output

      Would you like to enter a view-only password (y/n)? n xauth: file /home/sammy/.Xauthority does not exist New 'X' desktop is your_hostname:1 Creating default startup script /home/sammy/.vnc/xstartup Starting applications specified in /home/sammy/.vnc/xstartup Log file is /home/sammy/.vnc/your_hostname:1.log

      Now let's configure the VNC server.

      Step 2 — Configuring the VNC Server

      The VNC server needs to know which commands to execute when it starts up. Specifically, VNC needs to know which graphical desktop it should connect to.

      These commands are located in a configuration file called xstartup in the .vnc folder under your home directory. The startup script was created when you ran the vncserver in the previous step, but we'll create our own to launch the Xfce desktop.

      When VNC is first set up, it launches a default server instance on port 5901. This port is called a display port, and is referred to by VNC as :1. VNC can launch multiple instances on other display ports, like :2, :3, and so on.

      Because we are going to be changing how the VNC server is configured, first stop the VNC server instance that is running on port 5901 with the following command:

      The output should look like this, although you'll see a different PID:

      Output

      Killing Xtightvnc process ID 17648

      Before you modify the xstartup file, back up the original:

      • mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

      Now create a new xstartup file and open it in your text editor:

      Commands in this file are executed automatically whenever you start or restart the VNC server. We need VNC to start our desktop environment if it's not already started. Add these commands to the file:

      ~/.vnc/xstartup

      #!/bin/bash xrdb $HOME/.Xresources startxfce4 &

      The first command in the file, xrdb $HOME/.Xresources, tells VNC's GUI framework to read the server user's .Xresources file. .Xresources is where a user can make changes to certain settings of the graphical desktop, like terminal colors, cursor themes, and font rendering. The second command tells the server to launch Xfce, which is where you will find all of the graphical software that you need to comfortably manage your server.

      To ensure that the VNC server will be able to use this new startup file properly, we'll need to make it executable.

      • sudo chmod +x ~/.vnc/xstartup

      Now, restart the VNC server.

      You'll see output similar to this:

      Output

      New 'X' desktop is your_hostname:1 Starting applications specified in /home/sammy/.vnc/xstartup Log file is /home/sammy/.vnc/your_hostname:1.log

      With the configuration in place, let's connect to the server from our local machine.

      Step 3 — Connecting the VNC Desktop Securely

      VNC itself doesn't use secure protocols when connecting. We'll use an SSH tunnel to connect securely to our server, and then tell our VNC client to use that tunnel rather than making a direct connection.

      Create an SSH connection on your local computer that securely forwards to the localhost connection for VNC. You can do this via the terminal on Linux or macOS with the following command:

      • ssh -L 5901:127.0.0.1:5901 -C -N -l sammy your_server_ip

      The -L switch specifies the port bindings. In this case we're binding port 5901 of the remote connection to port 5901 on your local machine. The -C switch enables compression, while the -N switch tells ssh that we don't want to execute a remote command. The -l switch specifies the remote login name.

      Remember to replace sammy and your_server_ip with the sudo non-root username and IP address of your server.

      If you are using a graphical SSH client, like PuTTY, use your_server_ip as the connection IP, and set localhost:5901 as a new forwarded port in the program's SSH tunnel settings.

      Once the tunnel is running, use a VNC client to connect to localhost:5901. You'll be prompted to authenticate using the password you set in Step 1.

      Once you are connected, you'll see the default Xfce desktop.

      VNC connection to Debian 9 serverSelect Use default config to configure your desktop quickly.

      You can access files in your home directory with the file manager or from the command line, as seen here:

      Files via VNC connection to Debian 9

      On your local machine, press CTRL+C in your terminal to stop the SSH tunnel and return to your prompt. This will disconnect your VNC session as well.

      Next let's set up the VNC server as a service.

      Step 4 — Running VNC as a System Service

      Next, we'll set up the VNC server as a systemd service so we can start, stop, and restart it as needed, like any other service. This will also ensure that VNC starts up when your server reboots.

      First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:

      • sudo nano /etc/systemd/system/vncserver@.service

      The @ symbol at the end of the name will let us pass in an argument we can use in the service configuration. We'll use this to specify the VNC display port we want to use when we manage the service.

      Add the following lines to the file. Be sure to change the value of User, Group, WorkingDirectory, and the username in the value of PIDFILE to match your username:

      /etc/systemd/system/vncserver@.service

      [Unit] Description=Start TightVNC server at startup After=syslog.target network.target [Service] Type=forking User=sammy Group=sammy WorkingDirectory=/home/sammy PIDFile=/home/sammy/.vnc/%H:%i.pid ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i ExecStop=/usr/bin/vncserver -kill :%i [Install] WantedBy=multi-user.target

      The ExecStartPre command stops VNC if it's already running. The ExecStart command starts VNC and sets the color depth to 24-bit color with a resolution of 1280x800. You can modify these startup options as well to meet your needs.

      Save and close the file.

      Next, make the system aware of the new unit file.

      • sudo systemctl daemon-reload

      Enable the unit file.

      • sudo systemctl enable vncserver@1.service

      The 1 following the @ sign signifies which display number the service should appear over, in this case the default :1 as was discussed in Step 2..

      Stop the current instance of the VNC server if it's still running.

      Then start it as you would start any other systemd service.

      • sudo systemctl start vncserver@1

      You can verify that it started with this command:

      • sudo systemctl status vncserver@1

      If it started correctly, the output should look like this:

      Output

      ● vncserver@1.service - Start TightVNC server at startup Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2018-09-05 16:47:40 UTC; 3s ago Process: 4977 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS) Process: 4971 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=0/SUCCESS) Main PID: 4987 (Xtightvnc) ...

      Your VNC server will now be available when you reboot the machine.

      Start your SSH tunnel again:

      • ssh -L 5901:127.0.0.1:5901 -C -N -l sammy your_server_ip

      Then make a new connection using your VNC client software to localhost:5901 to connect to your machine.

      Conclusion

      You now have a secured VNC server up and running on your Debian 9 server. Now you'll be able to manage your files, software, and settings with an easy-to-use and familiar graphical interface, and you'll be able to run graphical software like web browsers remotely.



      Source link