Tech Blog

Bitnami Woes, a new website for Next Retail

We needed a new website

So recently I had some trouble getting the new website for nextretail.com working. We are using an EC2 instance with a Bitnami WordPress image running Apache, which I highly recommend. There were some issues with the configuration file, and after some time I was able to get it working, even with SFTP access! So I thought I would dump my config file here for anyone who wants to take a gander. After talking with AWS support I also set the user data (under the instance settings) to fix the permissions on the SSH files at every boot.

Setting up SFTP on Bitnami Wordpress Apache

In order to get SFTP working, which became a sudden necessity after our designer accidentally deleted the wp-config file (smh), we had to make sure the sshd configuration on the Apache server had the line

Subsystem sftp /usr/lib/openssh/sftp-server

inside the sshd_config file on the server itself. To SFTP in, you open FileZilla, connect with the instance's IP address and the .pem key file, and you have access to everything; this was a lot easier than I expected.

Setting the EC2 User Data

I did this specifically to make sure SSH stayed accessible and the key files had the right permissions. You do this in the EC2 console by selecting your instance, then Actions -> Instance Settings -> View/Change User Data. What I added here are shell commands that the instance runs on every startup so that the files always have the correct permissions, since we had issues with file permissions in the past.

EC2 User data

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
# "always" makes the user script below run on every boot, not only the first one
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
# Runs as root at boot and its output lands in the cloud-init output log, so the
# ls/cat lines record the state before and after the fix (public keys only).
# sudo is therefore redundant here, but harmless.
ls -Al
ls -Al /home
ls -Al /home/bitnami
ls -Al /home/bitnami/.ssh
sudo cat /home/bitnami/.ssh/authorized_keys
# Ownership and modes that sshd's StrictModes requires before it will honour
# authorized_keys: nothing in the chain may be group- or world-writable
chown root:root /home
chmod 755 /home
chown bitnami:bitnami /home/bitnami -R
chmod 700 /home/bitnami
chmod 700 /home/bitnami/.ssh
chmod 600 /home/bitnami/.ssh/authorized_keys
ls -Al
ls -Al /home
ls -Al /home/bitnami
ls -Al /home/bitnami/.ssh
sudo cat /home/bitnami/.ssh/authorized_keys
# Turns off the host firewall entirely; port filtering is then left to the
# instance's EC2 security group
sudo ufw disable
sudo service sshd restart
--//
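
An added check, not part of the post or the Bitnami image, that audits the ownership and permission chain the user data above enforces, applying the same rule sshd uses with StrictModes yes (each element owned by the user or root, none group- or world-writable). The helper names and the Linux/BSD stat fallback are my own assumptions.

```shell
#!/bin/bash
# Added example: read-only audit of the chain sshd checks under StrictModes
# before it will read ~/.ssh/authorized_keys. Reports instead of chmod-ing.
# Usage: check_ssh_perms <home dir> <expected owner>   e.g. /home/bitnami bitnami

# Owner name and octal mode: GNU stat first, BSD stat as a fallback (assumption)
_owner() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }
_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

check_ssh_perms() {
    local home=$1 owner=$2 rc=0 path own mode
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        own=$(_owner "$path"); mode=$(_mode "$path")
        # sshd accepts the user or root as owner of each element of the chain
        if [ "$own" != "$owner" ] && [ "$own" != root ]; then
            echo "OWNER    $path is owned by $own, expected $owner"; rc=1
        fi
        # StrictModes rejects any element that is group- or world-writable
        # (mode & 022); the post's 700/600 are stricter than this minimum.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $home chain is acceptable for StrictModes"
    return "$rc"
}

# Run against a real home directory when invoked with arguments
if [ $# -eq 2 ]; then check_ssh_perms "$1" "$2"; fi
```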

ssh Config File

This is the final version of the sshd_config file on the server. It has all of the correct permissions and sets everything to what we needed it to be. I don't believe it has many changes versus the one the server came with.

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile    %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

ClientAliveInterval 180

# A single comma-separated value; no whitespace is allowed inside the list.
# arcfour*, blowfish-cbc and cast128-cbc were removed in OpenSSH 7.6, and the
# remaining CBC and 3des entries are legacy: trim this list once clients allow it.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
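
An added audit script, not part of the post, for the Ciphers line in a config like the one above: it flags whitespace inside the list (sshd treats the extra tokens as arguments and rejects the line) and lists the legacy algorithms. The function name and the legacy patterns are my own choices.

```shell
#!/bin/bash
# Added example: audit the Ciphers line of an sshd_config.
# Usage: audit_ciphers /path/to/sshd_config   (returns 1 if anything is flagged)

audit_ciphers() {
    local cfg=$1 line value rc=0 c
    line=$(grep -iE '^[[:space:]]*Ciphers[[:space:]]' "$cfg" | head -n 1)
    if [ -z "$line" ]; then
        echo "no Ciphers line: OpenSSH built-in defaults apply"; return 0
    fi
    # Drop the keyword plus leading and trailing whitespace, keep the value
    value=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]+$//')
    case "$value" in
        *[[:space:]]*)
            echo "SPLIT: whitespace inside the list; sshd parses only '${value%%[[:space:]]*}' and rejects the rest"
            rc=1 ;;
    esac
    # Check each algorithm after normalising away the stray whitespace.
    # arcfour/blowfish/cast128 were removed in OpenSSH 7.6; CBC and 3des are legacy.
    for c in $(printf '%s\n' "$value" | tr -d '[:space:]' | tr ',' ' '); do
        case "$c" in
            arcfour*|*-cbc|*-cbc@*|3des*|blowfish*|cast128*) echo "LEGACY: $c"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $value"
    return "$rc"
}

# Audit a real config when invoked with a path
if [ $# -eq 1 ]; then audit_ciphers "$1"; fi
```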

If this helps anyone, that would be great. If nothing else, this was fun for me to do, and I learned how to set up a WordPress website on AWS with SFTP access. Also check out the new website, nextretail.com.

dan flan