Bitanmi Woes, a new website for Next Retail
We needed a new website
So recently I had some trouble getting the new website for nextretail.com working. We are using an EC2 server with a bitnami Wordpress image that is using Apache, highly recommended. There were some issued with the configuration file and after some time I was able to get it working, even with SFTP access! So I thought I would dump my config file here for anyone who wants to take a gander. After talking with AWS support I also set the user data under instance state to reset the file and give it permissions.
Setting up SFTP on Bitnami Wordpress Apache
In order to get the sftp working, which became a sudden necessity after our designer accidentally deleted the wpconfig file, smh, we had to make sure on the apache server the ssh file had the line
Subsystem sftp /usr/lib/openssh/sftp-server
inside our ssh.config file on the apache server itself. To SFTP then, you would open up filezilla and use the ip address and the pem file and you would have access to everything, this was a lot easier than I expected.
Setting the EC2 User Data
I had to do this specifically to make sure our ssh was accessible and had the right permissions. You do this by going to the EC2 console and selecting your instance, then, Actions->Instance Settings-> View/Change User Data. What I did in here was add some terminal commands that the server runs on startup so that all of the files always have the correct permissions, as we had some issued with file permissions in the past.
EC2 User data
Content-Type: multipart/mixed; boundary="//" MIME-Version: 1.0 --// Content-Type: text/cloud-config; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="cloud-config.txt" #cloud-config cloud_final_modules: - [scripts-user, always] --// Content-Type: text/x-shellscript; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="userdata.txt" #!/bin/bash ls -Al ls -Al /home ls -Al /home/bitnami ls -Al /home/bitnami/.ssh sudo cat /home/bitnami/.ssh/authorized_keys chown root:root /home chmod 755 /home chown bitnami:bitnami /home/bitnami -R chmod 700 /home/bitnami chmod 700 /home/bitnami/.ssh chmod 600 /home/bitnami/.ssh/authorized_keys ls -Al ls -Al /home ls -Al /home/bitnami ls -Al /home/bitnami/.ssh sudo cat /home/bitnami/.ssh/authorized_keys sudo ufw disable sudo service sshd restart --//
ssh Config File
This was our final version of the ssh.config file on the server, it has all of the correct permissions and set everything to what we needed it to be. I don't believe it has that many changes versus the one the server came with.
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin prohibit-password StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords PasswordAuthentication no # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes ClientAliveInterval 180 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,firstname.lastname@example.org ,email@example.com ,firstname.lastname@example.org ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,email@example.com
If this helps anyone that would be great. If anything, this was fun for me to do and learn how to setup a wordpress website on AWS with SFTP access. Also check out the new website, nextretail.com