
      How to Install Ghost CMS on Ubuntu 18.04 LTS


      Updated by Linode

      Written by Linode

      Ghost is an open source blogging platform that helps you easily create a professional-looking online blog. Ghost is a robust content management system (CMS) with a Markdown editor, an easy-to-use user interface, and beautiful themes. It is easy to install and update with Ghost-CLI.

      In This Guide

      In this guide, you’ll set up, deploy, and secure a Ghost v3.5.1 blog on a Linode running Ubuntu 18.04 LTS, using NGINX, MySQL, Node.js, NPM, Ghost-CLI, and Let’s Encrypt. For installation instructions for other distributions, see the corresponding Ghost guide for that distribution.

      Note

      This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, consult our Users and Groups guide.

      Replace each instance of example.com in this guide with your site’s domain name.

      Before you Begin

      1. This guide assumes that you’ve followed the steps in our Getting Started and Securing Your Server guides and have created a new user for Ghost with elevated sudo privileges. The example username used in this guide is ghostexample.

      2. Ensure that you have a valid domain name and properly configured DNS records for your domain.

      3. Ensure that your system is up to date:

        sudo apt update && sudo apt upgrade
        
      4. Install build-essential:

        sudo apt install build-essential
        

      Install Prerequisites

      Install NGINX

      NGINX will be used as a reverse proxy for your Ghost application:

      sudo apt install nginx
      

      Install MySQL

      1. Download and install MySQL:

        sudo apt install mysql-server
        
      2. Log into MySQL:

        sudo mysql
        
      3. Set a password for the root user with this command, replacing password with a strong password:

        ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
        
      4. Exit MySQL:

        quit
        

      Install Node.js and NPM

      Ghost is built on Node.js and follows Node’s Long Term Support (LTS) plan. Ghost only supports LTS versions of Node.js.

      Download and install Node.js:

      curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
      sudo apt install nodejs
      

      Install and Configure Ghost

      Install Ghost-CLI

      Ghost-CLI is a command line interface (CLI) tool that makes installing and updating Ghost easy. It sets up the database, configures NGINX as a reverse proxy, enables TLS/SSL security using Let’s Encrypt CA, automatically renews your SSL, and initializes Ghost as a systemd service.

      Install Ghost-CLI:

      sudo npm install -g ghost-cli@latest
      

      Install Ghost

      Install Ghost using the Ghost-CLI tool.

      1. Create the document root directory:

        sudo mkdir -p /var/www/ghost
        
      2. Change ownership of the /var/www/ghost directory to the non-root user with sudo privileges that you created. In this example, ghostexample is our username:

        sudo chown ghostexample:ghostexample /var/www/ghost
        sudo chmod 775 /var/www/ghost
        
      3. Navigate to the Ghost root directory:

        cd /var/www/ghost
        

        Note

        Installing Ghost in the /root or /home/{user} folder won’t work and results in a broken setup. Only use /var/www/{folder} because it has the correct permissions.

      4. Ensure that the directory is empty to avoid file conflicts:

        ls -a
        
      5. Install Ghost in production mode:

        ghost install
        
      6. Answer each question as prompted. For more information about each question, visit the Ghost documentation:

          
        ? Enter your blog URL: https://example.com
        ? Enter your MySQL hostname: localhost
        ? Enter your MySQL username: root
        ? Enter your MySQL password: thePasswordYouEnteredForRoot
        ? Enter your Ghost database name: exampleGhost
        Configuring Ghost
        Setting up instance
        
        Setting up "ghost" system user
        ? Do you wish to set up "ghost" mysql user? yes
        ? Do you wish to set up Nginx? yes
        ? Do you wish to set up SSL? yes
        ? Enter your email (used for Let's Encrypt notifications) user@example.com
        ? Do you wish to set up Systemd? yes
        ? Do you want to start Ghost? yes
        
        
      7. After installation is complete, run ghost ls to view running Ghost processes:

        ghost ls
        

      In the future when a newer version of Ghost is released, run ghost update from the /var/www/ghost directory to update to the newest version.

      Complete the Setup

      To complete the setup process, navigate to the Ghost configuration page by appending /ghost to the end of your blog’s URL or IP. This example uses https://example.com/ghost.

      1. On the welcome screen, click Create your account:

        Ghost Welcome Screen

      2. Enter your email, create a user, password, and blog title:

        Create Your Account Screen

      3. Invite additional members to your team. If you’d prefer to skip this step, click I’ll do this later, take me to my blog! at the bottom of the page.

        Invite Your Team Screen

      4. Navigate the Ghost admin area to create your first post, change your site’s theme, or configure additional settings:

        Ghost Admin Area

      Troubleshooting

      1. Troubleshoot the system for any potential issues when installing or updating Ghost:

        ghost doctor
        
      2. Get help about Ghost:

        ghost --help
        

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.




      How to Install MariaDB on Ubuntu 18.04 LTS


      Updated by Linode

      Contributed by Ryan Syracuse

      MariaDB is a fork of the popular cross-platform MySQL database management system and is considered a full drop-in replacement for MySQL. MariaDB was created by one of MySQL’s original developers in 2009 after MySQL was acquired by Oracle during the Sun Microsystems merger. Today MariaDB is maintained and developed by the MariaDB Foundation and community contributors with the intention of it remaining GNU GPL software.

      Note

      This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

      Before You Begin

      1. Ensure that you have followed the Getting Started and Securing Your Server guides, and that your Linode’s hostname is set.

        To check your hostname run:

        hostname
        hostname -f
        

        The first command should show your short hostname, and the second should show your fully qualified domain name (FQDN) if you have one assigned.

      2. Update your system:

        sudo apt update
        

      Install and Setup MariaDB

      Install MariaDB using the package manager.

      sudo apt install mariadb-server
      

      MariaDB will bind to localhost (127.0.0.1) by default. For information on connecting to a remote database using SSH, see our MySQL remote access guide, which also applies to MariaDB.

      Note

      Allowing unrestricted access to MariaDB on a public IP is not advised, but you may change the address it listens on by modifying the bind-address parameter in /etc/mysql/my.cnf. If you decide to bind MariaDB to your public IP, you should implement firewall rules that only allow connections from specific IP addresses.

      MariaDB Client

      The standard tool for interacting with MariaDB is the mariadb client, which installs with the mariadb-server package. The MariaDB client is used through a terminal.

      Root Login

      1. Log into MariaDB as the root user:

        sudo mysql -u root -p
        
      2. When prompted for login credentials, hit enter. By default MariaDB will authenticate you via the unix_socket plugin and credentials are not required.

        You’ll then be presented with a welcome header and the MariaDB prompt as shown below:

          
        MariaDB [(none)]>
        
        
      3. To generate a list of commands for the MariaDB prompt, enter \h. You’ll then see:

          
        General information about MariaDB can be found at
        http://mariadb.org

        List of all MySQL commands:
        Note that all text commands must be first on line and end with ';'
        ?         (\?) Synonym for `help'.
        clear     (\c) Clear the current input statement.
        connect   (\r) Reconnect to the server. Optional arguments are db and host.
        delimiter (\d) Set statement delimiter.
        edit      (\e) Edit command with $EDITOR.
        ego       (\G) Send command to mysql server, display result vertically.
        exit      (\q) Exit mysql. Same as quit.
        go        (\g) Send command to mysql server.
        help      (\h) Display this help.
        nopager   (\n) Disable pager, print to stdout.
        notee     (\t) Don't write into outfile.
        pager     (\P) Set PAGER [to_pager]. Print the query results via PAGER.
        print     (\p) Print current command.
        prompt    (\R) Change your mysql prompt.
        quit      (\q) Quit mysql.
        rehash    (\#) Rebuild completion hash.
        source    (\.) Execute an SQL script file. Takes a file name as an argument.
        status    (\s) Get status information from the server.
        system    (\!) Execute a system shell command.
        tee       (\T) Set outfile [to_outfile]. Append everything into given outfile.
        use       (\u) Use another database. Takes database name as argument.
        charset   (\C) Switch to another charset. Might be needed for processing binlog with multi-byte charsets.
        warnings  (\W) Show warnings after every statement.
        nowarning (\w) Don't show warnings after every statement.

        For server side help, type 'help contents'

        MariaDB [(none)]>

      Securing the Installation

      1. After accessing MariaDB as the root user of your database, enable the mysql_native_password plugin to enable root password authentication:

        USE mysql;
        UPDATE user SET plugin='mysql_native_password' WHERE user='root';
        FLUSH PRIVILEGES;
        exit;
        
      2. Run the mysql_secure_installation script to address several security concerns in a default MariaDB installation:

        sudo mysql_secure_installation
        

      You will be given the choice to change the MariaDB root password, remove anonymous user accounts, disable root logins outside of localhost, and remove test databases. It is recommended that you answer yes to these options. You can read more about the script in the MariaDB Knowledge Base.

      Using MariaDB

      Create a New MariaDB User and Database

      1. Log in to the database again. This time, if you set a password above, enter it at the prompt.

        sudo mysql -u root -p
        
      2. In the example below, testdb is the name of the database, testuser is the user, and password is the user’s password. You should replace password with a secure password:

        CREATE DATABASE testdb;
        CREATE USER 'testuser'@'localhost' IDENTIFIED BY 'password';
        GRANT ALL ON testdb.* TO 'testuser'@'localhost';
        

        You can shorten this process by creating the user while assigning database permissions:

        CREATE DATABASE testdb;
        GRANT ALL ON testdb.* TO 'testuser'@'localhost' IDENTIFIED BY 'password';
        
      3. Then exit MariaDB:

        exit;
        

      Create a Sample Table

      1. Log in as testuser, entering the password when prompted:

        sudo mysql -u testuser -p
        
      2. Create a sample table called customers:

        USE testdb;
        CREATE TABLE customers (customer_id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, first_name TEXT, last_name TEXT);
        
        • This creates a table with a customer_id field of the type INT for integer. This field is auto-incremented for new records and used as the primary key.
        • Two other fields are created, first_name and last_name, for storing the customer’s name.

      3. View the new table:

        SHOW TABLES;
        
          
        +------------------+
        | Tables_in_testdb |
        +------------------+
        | customers        |
        +------------------+
        1 row in set (0.00 sec)
        
        
      4. Add some data:

        INSERT INTO customers (first_name, last_name) VALUES ('John', 'Doe');
        
      5. View the data:

        SELECT * FROM customers;
        
          
        +-------------+------------+-----------+
        | customer_id | first_name | last_name |
        +-------------+------------+-----------+
        |           1 | John       | Doe       |
        +-------------+------------+-----------+
        1 row in set (0.00 sec)
        
        
      6. Then exit MariaDB:

        exit;
        

      Reset the MariaDB Root Password

      If you forget your root MariaDB password, it can be reset.

      1. Stop the current MariaDB server instance.

        sudo systemctl stop mariadb
        
      2. Then execute the following command which will allow the database to start without loading the grant tables or networking.

        sudo systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
        
      3. Restart MariaDB:

        sudo systemctl start mariadb
        
      4. Log in to the MariaDB server with the root account, this time without supplying a password:

        sudo mysql -u root
        
      5. Use the following commands to reset root’s password. Replace password with a strong password:

        FLUSH PRIVILEGES;
        UPDATE mysql.user SET password = PASSWORD('password') WHERE user = 'root';
        
      6. Update the authentication methods for the root password:

        UPDATE mysql.user SET authentication_string = '' WHERE user = 'root';
        UPDATE mysql.user SET plugin = '' WHERE user = 'root';
        exit;
        
      7. Revert the environment settings to allow the database to start with grant tables and networking:

        sudo systemctl unset-environment MYSQLD_OPTS
        
      8. Then restart MariaDB:

        sudo systemctl restart mariadb
        
      9. You should now be able to log into the database with your new root password:

        sudo mysql -u root -p
        

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.




      How to Use One-Time Passwords for Two-Factor Authentication with SSH on Ubuntu 18.04 LTS


      Updated by Linode

      Contributed by
      Linode

      In this guide, you’ll learn how to use one-time passwords for two-factor authentication with SSH on Ubuntu 18.04 LTS. No matter what kind of data you’re hosting, securing access to your Linode is a critical step in preventing your information from being compromised. By default, you will need a password to log in, and you may also configure an authentication key-pair for even greater security. However, another option exists to complement these methods: time-based one-time passwords (TOTPs).

      TOTPs allow you to enable two-factor authentication for SSH with single-use passwords that change every 30 seconds. By combining this method with a regular password or publickey (or both), you can add an extra layer of security, further ensuring your server is sufficiently protected.

      This guide will explain how to install the necessary software, configure your system to use two-factor authentication (2FA), and use your new time-based one-time password (TOTP) in combination with existing security features.

      Before You Begin

      1. This guide is meant to be used with a Linode running Ubuntu 18.04 LTS. Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode’s hostname, updating your system’s hosts file, and setting the timezone.

      2. Complete the sections of our Securing Your Server guide to create a standard user account, and remove unnecessary network services. This guide will explain a different way to harden SSH access, but you can also use public key authentication in addition for even greater protection. That method will be covered in the optional section, Combine Two-Factor and Public Key Authentication.


      3. You will need a smartphone or another client device with an authenticator application such as Google Authenticator or Authy. Many other options exist, and this guide should be compatible with nearly all of them.

      4. Update your system:

        sudo apt-get update && sudo apt-get upgrade
        

        Note

        This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

      Install Google Authenticator

      In this section, we’ll install the Google Authenticator package, which is included in the default repository of Ubuntu 18.04 LTS. This software will generate keys on your Linode, which will then be paired with an app on a client device (often a smartphone) to generate single-use passwords that expire after a set period of time.

      1. Install Google Authenticator:

        sudo apt-get install libpam-google-authenticator
        

        Although we are using the Google Authenticator package, the keys it generates are compatible with other authentication apps.

      Generate a Key

      Now that you’ve installed the Google Authenticator package, you’ll use it to generate keys. These keys are then used by software on client devices to generate time-based one-time passwords (TOTPs). To understand the difference between these passwords and the ones you already use, let’s break down the concept of a TOTP:

      • Time-based – The generated password will change every 30-60 seconds. This means that if an attacker tries to use brute force, they’ll almost certainly run out of time before new credentials are needed to gain access.
      • One-time – The password will be valid for a single authentication only, thus minimizing the risk of a replay attack. Even if your TOTP is intercepted upon sending it to the server, it will no longer be valid after you’ve logged in.

      The following instructions will generate a password for the user running the commands. If you are configuring two-factor authentication for multiple users, perform these steps for each user.

      Note

      Be sure to have your phone or mobile device ready, since this is where you’ll add the password to your authenticator app. If you haven’t downloaded an authenticator app, do so before proceeding.
      1. Run the google-authenticator program. A prompt will appear asking you to specify whether you’d like to use a time-based authentication (as opposed to one-time or counter-based). Choose “yes” by entering y at the prompt.

        google-authenticator
        
      2. You should see a QR code in your terminal:

        The Google Authenticator QR Code and keys on Ubuntu 18.04.

        Using the authenticator app on your phone or mobile device, scan the code. A new entry should be added to your authenticator app in the format username@hostname.

        You’ll also see a “secret key” below the QR code. You may enter this into the app manually, instead of scanning the QR code, to add your account.

      3. Record your emergency scratch codes in a secure location. These codes can be used for authentication if you lose your device, but be aware that each code is only valid once.

      4. You’ll be prompted to answer the following questions:

          
        Do you want me to update your "/home/exampleuser/.google_authenticator" file (y/n)
            
        

        This specifies whether the authentication settings will be set for this user. Answer y to create the file that stores these settings.

          
        Do you want to disallow multiple uses of the same authentication
        token? This restricts you to one login about every 30s, but it increases
        your chances to notice or even prevent man-in-the-middle attacks (y/n)
            
        

        This makes your token a true one-time password, preventing the same password from being used twice. For example, if you set this to “no,” and your password was intercepted while you logged in, someone may be able to gain entry to your server by entering it before the time expires. We strongly recommend answering y.

          
        By default, a new token is generated every 30 seconds by the mobile app.
        In order to compensate for possible time-skew between the client and the server,
        we allow an extra token before and after the current time. This allows for a
        time skew of up to 30 seconds between authentication server and client. If you
        experience problems with poor time synchronization, you can increase the window
        from its default size of 3 permitted codes (one previous code, the current
        code, the next code) to 17 permitted codes (the 8 previous codes, the current
        code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
        between client and server.
        Do you want to do so (y/n)
            
        

        This setting accounts for time syncing issues across devices. Unless you have reason to believe that your phone or device may not sync properly, answer n.

          
        If the computer that you are logging into isn't hardened against brute-force
        login attempts, you can enable rate-limiting for the authentication module.
        By default, this limits attackers to no more than 3 login attempts every 30s.
        Do you want to enable rate-limiting (y/n)
            
        

        This setting prevents attackers from using brute force to guess your token. Although the time limit should be enough to prevent most attacks, this will ensure that an attacker only has three chances per 30 seconds to guess your password. We recommend answering y.

      5. Before you log out, review the next section carefully to avoid getting locked out of your Linode.

      You have finished generating your key and adding it to your client, but some additional configuration is needed before these settings will go into effect. Carefully read the following section in this guide for instructions on how to require two-factor authentication for all SSH login attempts.
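The three prompts above (the window of permitted codes, refusing reuse of a code, and rate limiting) are server-side policy layered on a plain RFC 6238 TOTP. The following is an added example, not Linode's code nor the libpam-google-authenticator source: a small verifier that implements each of those choices so you can see exactly what the "y" and "n" answers change. SAMPLE_SECRET is the RFC 6238 reference secret, constructed for the demo, not a key from this guide.

```python
"""TOTP verifier in the style of the google-authenticator PAM module.

Added example (not Linode's code, not the libpam-google-authenticator source).
Implements RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) plus the three
server-side choices the google-authenticator prompts ask about: the window of
permitted codes (3 = previous, current, next; 17 = eight either side),
refusing reuse of a spent code, and limiting attempts to 3 per 30 seconds.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # token lifetime used by the PAM module and the phone app
DIGITS = 6         # length of the verification code the app displays


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code the authenticator app shows at unix_time for the QR-code secret."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server side of the exchange: decides whether a submitted code is accepted."""

    def __init__(self, secret_b32: str, window: int = 3,
                 disallow_reuse: bool = True, max_attempts: int = 3,
                 rate_seconds: int = STEP_SECONDS) -> None:
        self.secret = secret_b32
        self.half_window = window // 2   # window 3 -> +/-1 step, 17 -> +/-8 steps
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts
        self.rate_seconds = rate_seconds
        self.used_counters = set()       # time-step counters already spent on a login
        self.attempt_times = []          # recent attempt timestamps, for rate limiting

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting: at most max_attempts within rate_seconds, right or wrong.
        self.attempt_times = [t for t in self.attempt_times
                              if now - t < self.rate_seconds]
        if len(self.attempt_times) >= self.max_attempts:
            return False
        self.attempt_times.append(now)

        current = now // STEP_SECONDS
        for counter in range(current - self.half_window,
                             current + self.half_window + 1):
            if self.disallow_reuse and counter in self.used_counters:
                continue   # a spent code is never accepted again, even inside the window
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse:
                    self.used_counters.add(counter)
                return True
        return False


# Constructed sample: the RFC 6238 reference secret ("12345678901234567890" in base32).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    shown = totp(SAMPLE_SECRET, 59)                    # what the app displays at t=59
    print("first use:", verifier.verify(shown, 59))    # True
    print("replay   :", verifier.verify(shown, 61))    # False, the code is spent
```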

      Configure Authentication Settings

      The TOTP authentication methods in this guide use PAM, or Pluggable Authentication Modules. PAM integrates low-level authentication mechanisms into modules that can be configured for different applications and services. Because you’re using additional software (i.e., programs that aren’t built into the Linux distro), you’ll need to configure PAM to properly authenticate users.

      Caution

      • It is strongly recommended that you have another terminal session open while configuring your authentication settings. This way, if you disconnect to test authentication and something is not properly configured, you won’t be locked out of your Linode. You can also use Lish to regain access.

      • If you or a user on your system use this method, be sure that the SSH key and authenticator app are on different devices. This way, if one device is lost or compromised, your credentials will still be separate and the security of two-factor authentication will remain intact.

      1. Open /etc/pam.d/sshd with sudo privileges, and add the following lines to the end of the file:

        /etc/pam.d/sshd

        auth    required      pam_unix.so     no_warn try_first_pass
        auth    required      pam_google_authenticator.so

        The first line tells PAM to authenticate with a normal Unix user password before other methods. The second line specifies an additional method of authentication, which in this case, is the TOTP software we installed earlier.

      2. Edit /etc/ssh/sshd_config to include the following lines, replacing example-user with any system user for which you’d like to enable two-factor authentication. Comments (preceded by #) are included here, but should not be added to your actual configuration file:

        /etc/ssh/sshd_config

        # This line already exists in the file, and should be changed from 'no' to 'yes'
        ChallengeResponseAuthentication yes
        
        ...
        
        # These lines should be added to the end of the file
        Match User example-user
            AuthenticationMethods keyboard-interactive

        If you created TOTPs for multiple users, and you’d like to have them all use two-factor authentication, create additional Match User blocks for each user, duplicating the command format shown above.

        Note

        If you want to enforce two-factor authentication globally, you can use the AuthenticationMethods directive by itself, outside of a Match User block. However, this should not be done until two-factor credentials have been provided to all users.

      3. Restart the SSH daemon to apply these changes:

        sudo systemctl restart ssh
        

        Two-factor authentication is now enabled. When you connect to your Linode via SSH, the authentication process will proceed as shown in the diagram.

        Two-factor authentication with SSH login.

      4. Open a new terminal session and test your configuration by connecting to your Linode via SSH. You will be prompted to enter your standard user account’s password and then a Verification Code. Open your authenticator app, select the account you created in the Generate a Key section, and enter the code that is displayed. You should authenticate successfully and gain access to your Linode.

      Note

      If your SSH client disconnects before you can enter your two-factor token, check if PAM is enabled for SSH. You can do this by editing /etc/ssh/sshd_config: look for UsePAM and set it to yes. Don’t forget to restart the SSH daemon.

      Combine Two-Factor and Public Key Authentication (Optional)

      This section is optional. If you’d like to use public key authentication instead of password authentication together with TOTP, follow the steps in this section.


      1. Set PasswordAuthentication to no and modify the AuthenticationMethods line in /etc/ssh/sshd_config to include publickey:

        /etc/ssh/sshd_config

        PasswordAuthentication no
        ...
        Match User example-user
            AuthenticationMethods publickey,keyboard-interactive

        Configure this setting in the AuthenticationMethods directive for each user as appropriate. When any of these users log in, they will need to provide their SSH key and they will be authenticated via TOTP, as well.

      2. Restart your SSH daemon to apply these changes.

        sudo systemctl restart ssh
        
      3. Next, you’ll need to make changes to your PAM configuration. Comment out or omit the following lines in your /etc/pam.d/sshd file:

        /etc/pam.d/sshd

        # @include common-auth
        ...
        # auth    required      pam_unix.so     no_warn try_first_pass

        You should now be able to log in using your SSH key as the first method of authentication and your verification code as the second. To test your configuration, log out and try to log in again via SSH. You should be asked for your 6-digit verification code only, since the key authentication will not produce a prompt.
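Before restarting sshd it is worth checking the directives from the two sections above together, since a wrong UsePAM or a Match block without keyboard-interactive is what locks you out. The following is an added example, not Linode's or OpenSSH's code: a small parser for the sshd_config directives this guide touches, with the list of users to check passed in by the caller. Both sample configurations are constructed for the demo.

```python
"""Audit sshd_config for the two-factor settings this guide requires.

Added example, not Linode's or OpenSSH's code. It models only the directives
the guide touches (UsePAM, ChallengeResponseAuthentication,
PasswordAuthentication and AuthenticationMethods inside "Match User" blocks)
and reports what would stop the TOTP prompt from working for the given users.
Defaults used when a directive is absent follow sshd_config(5) upstream:
UsePAM no, ChallengeResponseAuthentication yes, PasswordAuthentication yes.
"""
from typing import Dict, List, Tuple


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global directives, {user: directives in its Match User block}).

    Keys are lower-cased, as sshd treats keywords case-insensitively.
    Directives after a Match line belong to that block until the next Match.
    """
    global_cfg: Dict[str, str] = {}
    matches: Dict[str, Dict[str, str]] = {}
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            criterion, _, name = value.partition(" ")
            if criterion.lower() == "user":
                current = matches.setdefault(name.strip(), {})
            else:
                current = {}   # other Match criteria are not modelled here
            continue
        current[key] = value
    return global_cfg, matches


def audit_sshd_config(text: str, users: List[str]) -> List[str]:
    """Findings that would break or weaken TOTP login for the listed users."""
    g, matches = parse_sshd_config(text)
    findings: List[str] = []
    if g.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM must be yes, or sshd never runs the PAM TOTP prompt")
    if g.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication must be yes for keyboard-interactive")
    for user in users:
        methods = matches.get(user, {}).get("authenticationmethods", "")
        if "keyboard-interactive" not in methods:
            findings.append(f"no keyboard-interactive AuthenticationMethods for user {user}")
        elif "publickey" in methods and g.get("passwordauthentication", "yes").lower() != "no":
            findings.append(f"PasswordAuthentication should be no when {user} combines publickey with TOTP")
    return findings


# Constructed sample: the configuration the optional section ends with.
GOOD_CONFIG = """
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Match User example-user
    AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed sample: the lockout case from the note above (UsePAM left at no),
# with ChallengeResponseAuthentication never changed from Ubuntu's default file.
LOCKOUT_CONFIG = """
UsePAM no
ChallengeResponseAuthentication no
Match User example-user
    AuthenticationMethods keyboard-interactive
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(label, audit_sshd_config(cfg, ["example-user"]) or "ok")
```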

      Next Steps

      First, be sure you have followed our guide to Securing Your Server. Although there is no single, foolproof method of protecting your data, firewalls and services like Fail2Ban are a great way to minimize risk.

      When you use two-factor authentication with TOTPs, an important point to consider is the physical security of the device on which you’ve configured your authenticator app. Be sure your phone or device is secured with a passphrase, so that even if it falls into the wrong hands, it can’t easily be used to compromise your server. If you lose the phone or device that stores your credentials, you can use Lish to access your Linode and disable two-factor authentication. If this happens, you should switch to a different, hardened method of SSH access, such as public key authentication, in the interim.

      While two-factor authentication may be a valuable security feature, total security is an ongoing process, not an end goal that can be achieved by adding extra layers of authentication. To provide the best protection for your data, take care to follow security best practices at all times.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.


