How to install Joomla! on your Ubuntu/Linux server with basic security

This how to shortly explains how to set up Joomla! hosting with basic security on a shared hosting server you own. These instructions apply to Debian/Ubuntu based systems, but can be generalized to any Linux based system like Fedora.
In this how to we use the following software versions:
  • Joomla 1.5
  • Apache 2.2
  • MySQL 5.1
  • Ubuntu 8.04 Hardy Heron server edition

The instructions may apply for other versions too.

1. Prerequisites

What you need in order to use this how to:

  • Basic UNIX file permissions knowledge
  • Basic UNIX shell knowledge
  • You have a Linux server (Ubuntu / Debian) for which you have root user access and you plan to use this server to host one or several Joomla! sites
  • Apache and MySQL installed on your server

User setup

2. Set up a UNIX user on a dedicated server for Joomla! hosting. The user can SSH into the box and write to his home folder, /tmp and the /var/www site folder.

We create a user called “user” in these instructions. Replace it with the username you desire. We also use the example site name (www.)yoursite.com.

Create a new UNIX user and the /home/user folder.
sudo adduser user # Asks for the password and creates /home/user
Create the corresponding /var/www/user folder.
sudo mkdir /var/www/user
sudo chown -R user:user /var/www/user # Only user has write access to this folder

3. Setup MySQL user account

Install MySQL as per Debian/Ubuntu instructions.

Log in as the MySQL admin user (may vary depending on how your MySQL is configured). Note that first you will be asked for the sudo password, then for the MySQL administrative user password.

sudo mysql -u admin -p
Then create a new database with the same name as the new UNIX user. Make sure to use UTF-8 character encoding so we avoid irritating encoding problems in the future.
CREATE DATABASE user DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
Create a MySQL user with the same name as the UNIX user. Use a random password and give it all rights for the database. Note that this password should differ from the UNIX user's password, because it is stored in plain text in Joomla's PHP configuration file. Also, MySQL treats users connecting from localhost and from other IP addresses as different accounts. Here we use localhost so that the database is reachable only from the same server Apache is running on.
GRANT ALL ON user.* TO 'user'@'localhost' IDENTIFIED BY 'zxc123zxc';

4. Extract Joomla! installation files

Enter the folder which will contain web site PHP files.

sudo -i -u user # become the UNIX user who runs the site
cd /var/www/user
Download the latest Joomla! source code to the server using the wget command. Check the download URL from the joomla.org web site.
wget http://joomlacode.org/gf/download/frsrelease/12350/51111/Joomla_1.5.18-Stable-Full_Package.zip
Unzip it.
unzip Joomla_1.5.18-Stable-Full_Package.zip

Stop acting as the UNIX user.

exit

5. Set file permissions

In order to secure your server:
  • Configuration files and the upload directory must be writable by the Apache user (www-data for Ubuntu/Debian, httpd for Fedora/Red Hat)
  • Other .php files should be read-only

Note that during Joomla’s browser based installation Apache’s www-data user must have write access to the site folder in order to create the configuration.php file. We will remove this access right later.

We will put the Joomla! files under the UNIX group www-data so that Apache can read them. Certain files are made writable. This must be done as the root user.

sudo chown -R user:www-data /var/www/user # Set the group of all site files to www-data
sudo chmod g+wrx /var/www/user # Read and execute access for the www-data group. Write access is needed for the installation and will be removed later.

Now the ls -l command in /var/www/user should show file modes like these:

drwxr-xr-x 11 user www-data    4096 2010-05-28 10:22 plugins
-rwxr--r--  1 user www-data     304 2010-05-28 10:21 robots.txt
drwxr-xr-x  6 user www-data    4096 2010-05-28 10:22 templates

6. Creating Apache configuration

This lets Apache serve Joomla! so that the browser based configuration can start.
First create an Apache configuration file under /etc/apache2/sites-enabled as the root user. We assume the nano terminal-based text editor is installed on the server.
sudo nano /etc/apache2/sites-enabled/yoursite.conf
Below is a sample configuration file. You may need to put your server's public IP in the <VirtualHost> directive, so that Apache knows for which IP address sites are served. We use name-based virtual hosting: every site on the server is identified by the Host header of the incoming HTTP request.
<VirtualHost *>
   ServerName yoursite.com
   ServerAlias www.yoursite.com
   ServerAdmin info@yourcompany.com

   LogFormat       combined
   TransferLog     /var/log/apache2/yoursite.log

   # Make sure this virtual host is capable of executing PHP5
   Options +ExecCGI
   AddType application/x-httpd-php .php .php5

   # Point to the folder where Joomla! was extracted in step 4
   DocumentRoot /var/www/user

   # Let the .htaccess files created in step 9 take effect
   <Directory /var/www/user>
      AllowOverride All
   </Directory>

   # Do not give an illusion of safety:
   # PHP safe_mode really is crap
   # and only causes problems
   php_admin_flag safe_mode off

   #
   # This entry redirects traffic www.yoursite.com -> yoursite.com
   # Assumes mod_rewrite is installed and enabled on Apache
   # 301 is the HTTP Permanent Redirect code
   RewriteEngine On
   RewriteCond %{HTTP_HOST} ^www\.yoursite\.com [NC]
   RewriteRule (.*) http://yoursite.com$1 [L,R=301]

</VirtualHost>

7. Faking the DNS entry

If you have not yet reserved a domain name for your site, but still want to get the virtual host working, you can add a DNS name entry into the hosts file on your local computer. The following assumes you are using Ubuntu desktop, but the hosts file is available on Windows and OS X too.
sudo gedit /etc/hosts
Then add lines like the example below. Do not forget to remove them from the hosts file when the actual DNS has been set up.
# Force this hostname to go to your server's public IP address from your local computer
123.123.123.123 yoursite.com www.yoursite.com # replace with your server's public IP

8. Start Joomla! browser based installation

Then enter the URL of your site into the browser:
http://yoursite.com
The Joomla! installation page should appear.
  • Fill in the MySQL database values created before.
  • If you plan to use SSH for file transfer, do not enable the FTP layer (insecure).
  • Use a random password for the Joomla! administrator user and store it somewhere safe.
  • When the Joomla! browser based installation reaches the point where it asks you to remove the installation directory, follow the instructions below.

Secure the configuration

Now remove the extra permissions from Apache’s www-data user so that, if there is a PHP / Joomla security hole, your site files cannot be modified through it.
Some folders must remain writable as Joomla! uploads or writes files into them.
sudo chmod -R g-w /var/www/user # Remove write permission from the www-data group
sudo rm -rf /var/www/user/installation # Remove installation directory
# Restore group write permission only for the folders Joomla! must write into
sudo chmod -R g+rwx /var/www/user/logs
sudo chmod -R g+rwx /var/www/user/images
sudo chmod -R g+rwx /var/www/user/tmp
sudo chmod -R g+rwx /var/www/user/media # media is also treated as a writable folder in step 9

9. Setting up htaccess files

Joomla! comes with a sample htaccess file which adds some security measures: RewriteRules that block malformed URL access.

To install this file do the following:

sudo -i
cd /var/www/user
cp htaccess.txt .htaccess
chown user:www-data .htaccess # Make the file readable by Apache and writable by the UNIX user

Then we create a .htaccess file which we place in every folder Joomla! can write to, to prevent execution of PHP files in these folders. First we create an htaccess.limited file which we use as a template.

sudo -i
cd /var/www/user
nano htaccess.limited # Open text editor

Use the following htaccess.limited content. Note that .htm and .shtml in the extension list also block plain HTML files, which editor components under media may rely on (see the comments below); drop any extension you need served from these folders.

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI -Indexes

And copy the master template htaccess.limited to the proper places:

cp htaccess.limited media/.htaccess
chown -R user:www-data media/.htaccess 

cp htaccess.limited tmp/.htaccess
chown -R user:www-data tmp/.htaccess 

cp htaccess.limited logs/.htaccess
chown -R user:www-data logs/.htaccess

cp htaccess.limited images/.htaccess
chown -R user:www-data images/.htaccess

10. Start using the site

Type the URL http://yoursite.com in your browser again and the Joomla! start page should come up.
Log in with the administrator account you gave in the Joomla! browser based installation.

11. Setting outgoing email

This is probably the first thing you want to do as Joomla! administrator: configure the SMTP server which will be used for outgoing email. The server is usually provided by the network operator who provides the internet connection for your server.
Log in as the Joomla! administrator user.
Go to Site  -> Global Configuration -> Server.
Choose SMTP mail mode.
Enter SMTP details.

12. Test outgoing email

Create a new user with an email address you control. The user should receive a New User Details email message from the site the moment the user is created.

13. Maintaining file permissions

If you modify or create any files (e.g. upload a new theme) on your server you need to set file permissions for them.
  • UNIX user: user (your site username)
  • UNIX group: www-data
To make it possible to set the group ownership as user you first need to add it to the www-data group.
sudo usermod -a -G www-data user # Add user to the www-data group so that it can set group permissions
Then you can fix the permissions for uploaded files (templates and libraries folders assumed)
sudo -i -u user # Log in as your UNIX user
chgrp -R www-data templates libraries # Fix group ownership
chmod -R g+rx libraries templates # Set read access for the group
This way secure file permissions are restored after files have been changed. Alternatively, if your SFTP program supports setting permissions during the file upload, you can use that option.
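Added example (not part of the original post): a POSIX sh audit that checks a site tree against the layout set up in step 5, the "Secure the configuration" block, step 9 and step 13: the installation directory removed, every writable folder carrying the no-execution .htaccess, and nothing outside those folders group-writable. The writable folder list images, logs, media, tmp is an assumption taken from those steps, and the site root is passed as the first argument.

```shell
#!/bin/sh
# Audit a Joomla! tree for the permission layout described in this how-to.
# Assumption (not from the post): writable folders are images, logs, media, tmp.
WRITABLE_DIRS="images logs media tmp"

# audit_joomla_perms ROOT
# Prints one "TAG path" line per violation and returns 1 if any was found.
audit_joomla_perms() {
    root="$1"
    status=0

    # 1. The installer must be gone once the browser based setup is finished.
    if [ -d "$root/installation" ]; then
        echo "INSTALL_DIR_PRESENT installation"
        status=1
    fi

    # 2. Every writable folder must carry the htaccess.limited copy
    #    that disables script execution there.
    for d in $WRITABLE_DIRS; do
        if [ ! -f "$root/$d/.htaccess" ]; then
            echo "MISSING_HTACCESS $d"
            status=1
        fi
    done

    # 3. Outside the writable folders nothing may be group-writable:
    #    the group is www-data, so group write means Apache can alter code.
    set --
    for d in $WRITABLE_DIRS; do
        set -- "$@" ! -path "$root/$d" ! -path "$root/$d/*"
    done
    bad=$(find "$root" "$@" -perm -020 -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while IFS= read -r p; do
            echo "GROUP_WRITABLE ${p#"$root"/}"
        done
        status=1
    fi
    return $status
}

# Usage: sh audit.sh /var/www/user
if [ $# -ge 1 ]; then
    audit_joomla_perms "$1"
fi
```

Run it after every upload or update; a non-zero exit with a GROUP_WRITABLE line on configuration.php or a PHP file means the "Secure the configuration" step needs to be repeated.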


14 thoughts on “How to install Joomla! on your Ubuntu/Linux server with basic security”

  1. Nice write up. How does this affect Joomla’s FTP layer? Can I install vsftpd and have it work correctly with Joomla? Does this even matter since the server isn’t shared? Care to elaborate on this?

  2. Use SFTP / SCP / SSH to transfer and access files. It is just

    sudo apt-get install openssh-server

    FTP is insecure, more difficult to configure and otherwise a pain in the ass. There is no reason why anyone should use FTP nowadays.

    Also, SFTP clients are much better to manage file permissions and ownership issues than FTP clients.

  3. Please get someone to fix the multiple errors in your
    website. It got joomla! installed, but there are scores of
    errors in the use of chmod/chown, file edits and explanation

    I appreciate the ubuntu 2010 tutorial.

    ed

  4. Hi Ed,

    Thank you for finding the tutorial useful. If you find errors in the post please comment them so we can fix them. Unfortunately we are not making money out of writing tutorials. It is more like “write this down so that the world will know”, so we have little time to invest to maintain them.

    If you are talented I suggest you take this post as a starting point and make a good tutorial at ubuntu-forums.com how to section.

    Thanks

  5. Hi Mikko!

    Thanks for the excellent tutorial. I find it very simple to follow, as I am a complete newbie to Linux.
    To the point. I’ve installed joomla, and created the apache yoursite.conf file (oh, btw you’ve put the outside of the box with the example output) and falsified the dns entry on my laptop. But when I point my web browser to my site the apache welcome screen appears and not joomla. Any suggestions?

    Best regards
    Urban

  6. The writeup was very helpful, I’ve gotten most of the way there. Two questions on this block:

    # Add write permission to folders which contain writable files
    sudo chmod -R g+x /var/www/user/logs
    sudo chmod -R g+x /var/www/user/images
    sudo chmod -R g+x /var/www/user/tmp
    sudo chmod -R g+x /var/www/user/images

    1) Should that be chmod -R g+w?
    2) You have /var/www/user/images listed twice. Should there be some other directory instead?

    –Bryan

  7. yeah, looks like it’s a typo

    should be sudo chmod -R g+rx

    … and images listed twice must be an issue.

    Joomla control panel info page itself has a sanity check which tells whether directory permissions are configured correctly for core Joomla (not necessary for add-ons)

  8. Hmm, maybe sudo chmod g+rwx? The comment says ‘add write permission’.

  9. Pingback: Install Joomla! on Ubuntu server with basic security | TurboLinux Blog

  10. Thanks for the guide. This is a bit of a protective guide. I spent several hours figuring out why the Joomla/TinyMCE editor would not open the HTML link popup window.

    Reason is the .htaccess file which prevents *.js executing in the /media directory where the TinyMCE html-link editor is. Maaaaan, I was hunting this problem for hours. End users surely want to edit the articles' html links.
    Anyway, clear error in this guide.

  11. You have to be a genius using user as a user with user examples and config, great :)
