Linode Forum
Linode Community Forums
Posted: Tue Aug 19, 2014 10:10 pm
Newbie

Joined: Mon Dec 30, 2013 2:34 pm
Posts: 3
Greetings Linode Forum!

I've installed a LAMP stack and gotten WinSCP connected to my host, but I'm having trouble determining where to upload a set of folders and files I downloaded for the application, "Tinyboard."

There's an Install.php I need to use to get things rolling and I'm not sure where to house this file, and the rest of the relevant folders.

The best I got from a Linode guide was to look for a "public" folder but I could not find this - and I guess I don't understand if this is shorthand for another folder that's staring at me right in the face.

Where would you install this?

Thank you in advance and please let me know if I'm not approaching this properly.


Posted: Wed Aug 20, 2014 12:11 am
Senior Member

Joined: Wed Oct 20, 2010 12:11 pm
Posts: 142
Most likely in /var/www/ but it depends on how your web server is set up.


Posted: Wed Aug 20, 2014 12:53 am
Newbie

Joined: Mon Dec 30, 2013 2:34 pm
Posts: 3
derfy wrote:
Most likely in /var/www/ but it depends on how your web server is set up.


Thank you for that! I was caught up in analysis paralysis!


Posted: Wed Aug 20, 2014 2:03 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Just curious - why are you using an UNMANAGED VPS service?

If you don't know the basics of installing a web app, how will you ever hope to secure your server?

It's not rocket surgery, but it is a skill that takes some time and effort to learn, and while you're learning (assuming you make the effort) your server will be wide open for hackers/crackers to take it over.

If you're interested in learning how to be a system administrator, then you're on the right track, but if you're just trying to host something and not have to worry about the details (and security is ALL about the details) you'd probably be better off with either a shared host & control panel, or a managed VPS where someone else worries about the details.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Wed Aug 20, 2014 10:35 pm
Newbie

Joined: Mon Dec 30, 2013 2:34 pm
Posts: 3
vonskippy wrote:
Just curious - why are you using an UNMANAGED VPS service?

If you don't know the basics of installing a web app, how will you ever hope to secure your server?

It's not rocket surgery, but it is a skill that takes some time and effort to learn, and while you're learning (assuming you make the effort) your server will be wide open for hackers/crackers to take it over.

If you're interested in learning how to be a system administrator, then you're on the right track, but if you're just trying to host something and not have to worry about the details (and security is ALL about the details) you'd probably be better off with either a shared host & control panel, or a managed VPS where someone else worries about the details.


It's a really good point! :oops: I knew this would be the best way to learn the details of securing a server. There's definitely a learning curve, but I'm working my way through the documentation provided by Linode. I'm pretty nervous about something malicious happening, but figure the worst case scenario I can dump everything and start over. :shock:


Posted: Thu Aug 21, 2014 12:19 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Keep in mind the "worst case" is that your server gets compromised, it's used to send out spam/porn/malware, and your IP and domain name are blacklisted.

If you don't know how to secure it, how will you know if it's been compromised (until it's way way way too late)?

Learning on a PRIVATE SERVER is a much safer route.

But if you continue with an unmanaged VPS - the first thing to learn is how to set up the FIREWALL so that ONLY TCP80 is open to the public, and ONLY your IP is allowed for SSH (and only via certificates not passwords).

After that, you need to keep your OS patched to date ALWAYS, and your web apps (like Tinyboard) updated, and you need to subscribe to that app's security mailing list so you know if there are any security loopholes.

Remember that security is an ongoing process not a single procedure (i.e. it never ends, you're never done).

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.
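
An added example (not part of any post in this thread) of checking a host against the policy described in the post above: only tcp/80 public, SSH from one address, no password logins. `ADMIN_IP`, the function names and both rulesets are constructed for illustration; the rulesets use `iptables-save` format, and `Match` blocks in sshd_config are not evaluated.

```shell
# Added example: check an iptables-save dump and sshd_config text against
# "tcp/80 public, SSH from one address only, no password logins".
ADMIN_IP="203.0.113.10"   # assumption: documentation-range stand-in for your IP
# Constructed sample rulesets in iptables-save format.
GOOD_RULES="*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s $ADMIN_IP/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT"
WEAK_RULES="*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT"

# Reads a ruleset on stdin; prints one finding per line, nothing if compliant.
audit_ruleset() {
  awk -v admin="$ADMIN_IP" '
    $1 == ":INPUT" && $2 != "DROP" { print "INPUT policy is " $2 ", expected DROP" }
    $1 == "-A" && $2 == "INPUT" {
      src = ""; port = ""; proto = "any"; accept = 0; scoped = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        # loopback and reply traffic are not public exposure
        if ($i == "--ctstate" || $i == "--state" || ($i == "-i" && $(i + 1) == "lo")) scoped = 1
      }
      if (!accept || scoped) next
      if (proto == "tcp" && port == "80") next                 # public web port
      if (port == "22" && (src == admin || src == (admin "/32"))) next
      what = (port == "") ? "all ports" : (proto "/" port)
      from = (src == "") ? "any source" : src
      print what " reachable from " from
    }'
}

# sshd keeps the first value it reads for a keyword; the default is "yes".
sshd_findings() {
  awk 'tolower($1) == "passwordauthentication" && !seen { seen = 1; val = $2 }
       END { if (val != "no") print "password logins enabled" }'
}

printf '%s\n' "$WEAK_RULES" | audit_ruleset
printf 'PasswordAuthentication yes\n' | sshd_findings
```

On a real host the same functions can be fed from `iptables-save` and from the contents of `/etc/ssh/sshd_config`.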


Posted: Sat Aug 23, 2014 12:45 pm
Senior Newbie

Joined: Mon Aug 04, 2014 9:06 pm
Posts: 12
I'm in a similar boat to OP. I've never been a sysadmin, but I'm attempting to run a Linode server hosting some basic Joomla sites. I'm using the Linode guides which have already had me secure the server using iptables and remove default accounts.

However, I'm very interested in learning more about intrusion detection. What are some monitoring tools that people use? I've been reviewing my access and error logs and can see people attempting to find holes constantly. Any good guides on the next steps besides what you've mentioned (TCP80 and SSH without passwords)?


Posted: Sat Aug 23, 2014 2:07 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
IDS (intrusion detection systems) are usually way more effort (both in time and system resources) than they're worth.

They're like examining your car's windshield after driving thru a summer night looking for that one (and only one) golden mosquito.

If you're on the internet, you're going to get a bazillion probe attempts, and IDS will be happy to scream "Wolf" at the top of its lungs for each and every one of them. What does that tell you - nothing, the danger is lost in the noise.

System and application log monitoring is a better indication of what's happening on/to your system.

Personally, instead of futzing around with IDS/IPS cry-wolf-ware, I spend my time keeping everything up to date, removing services I don't need, locking down what I do need, and making sure (via verification and testing) that my backup/restore procedures are complete, up to date, and KNOWN good (and stored off system).

Of course, opinions vary, so the YMMV certainly applies here.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.
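
An added example (not part of any post in this thread) of the access-log review discussed above: it counts failed probes as noise and prints only the successful POSTs made by clients that had been probing. The `triage` function, its threshold and the log lines are constructed for illustration, and the rule itself is one hypothetical heuristic, not a complete detector.

```shell
# Constructed sample in Apache common log format; addresses come from
# documentation ranges and the paths are made up.
SAMPLE_LOG='198.51.100.7 - - [23/Aug/2014:12:00:01 +0000] "GET /old/ HTTP/1.1" 404 208
198.51.100.7 - - [23/Aug/2014:12:00:02 +0000] "GET /test.php HTTP/1.1" 404 208
198.51.100.7 - - [23/Aug/2014:12:00:03 +0000] "GET /admin/ HTTP/1.1" 404 208
198.51.100.7 - - [23/Aug/2014:12:00:04 +0000] "POST /login.php HTTP/1.1" 404 208
192.0.2.44 - - [23/Aug/2014:12:01:10 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [23/Aug/2014:12:01:30 +0000] "POST /contact.php HTTP/1.1" 200 310
198.51.100.23 - - [23/Aug/2014:12:02:00 +0000] "GET /backup.zip HTTP/1.1" 404 208
198.51.100.23 - - [23/Aug/2014:12:02:01 +0000] "GET /site.bak HTTP/1.1" 404 208
198.51.100.23 - - [23/Aug/2014:12:02:02 +0000] "GET /app/admin/ HTTP/1.1" 403 199
198.51.100.23 - - [23/Aug/2014:12:02:09 +0000] "POST /app/upload.php HTTP/1.1" 200 64'

# triage [MIN]: stdin is an access log. A client is treated as a prober once
# it has drawn MIN 4xx answers (default 3, a hypothetical threshold). Only a
# prober's 2xx POSTs are printed for review; the rest is counted as noise.
triage() {
  awk -v min="${1:-3}" '
    NF < 9 { next }                                   # skip malformed lines
    { ip = $1; method = substr($6, 2); path = $7; status = $9 }
    status ~ /^4/ { fails[ip]++; noise++ }
    status ~ /^2/ && method == "POST" { n++; who[n] = ip; req[n] = path " -> " status }
    END {
      for (i = 1; i <= n; i++)
        if (fails[who[i]] + 0 >= min + 0)
          print "REVIEW " who[i] " POST " req[i] " after " fails[who[i]] " failed requests"
      print "NOISE " (noise + 0) " requests answered 4xx"
    }'
}

printf '%s\n' "$SAMPLE_LOG" | triage 3
```

In the sample, seven probe requests collapse into one summary line, the ordinary visitor's form post is ignored, and a single request is left to read by hand.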

