Securing your Mautic Installation

This is part 2 of the Mautic installation tutorial. In this part we secure the server so that the installation is ready for production.

This is a slightly more advanced installation process allowing for a more secure install of Mautic 2.15.1 on a Virtual Private Server (VPS) with PHP 7.2 on top of Ubuntu 18.04 LTS. This tutorial should take you between 10 and 20 minutes depending on your level of expertise with Mautic and Linux.


If you are a total newbie to the Linux command line, try this simpler Mautic tutorial first: Mautic Installation in 3 Simple Steps. It’s the best way to get started, as I carefully designed it to use the fewest commands possible, so it’s easier to understand and the probability of anything going sideways is minimal. It’s designed to give you a quick success using the command line, so you can have an easy victory and gain the confidence to later advance with this second part.

NOTE: This step-by-step Mautic tutorial is based on Ubuntu 18.04 and might not work on other operating systems.
Because we’re using PHP 7.2, this guide will not work with any Mautic version older than 2.15.0, as Mautic support for PHP 7.2 was added in 2.15.0.

This is a basic but mostly production-ready Mautic installation tutorial that you can run in a SMALL production environment with real data from your customers. This tutorial keeps everything as simple as possible but may require some basic understanding of the Linux command line; I have carefully designed it to use the fewest commands possible, so it’s easier to understand and the probability of anything going sideways is minimal.

If you don’t yet have a VPS: this tutorial was made and tested using a Digital Ocean Droplet (VPS), and I recommend you use the same.
You can use this link to get $100 free credit to spend on DO servers: https://m.do.co/c/7a85b33e64cf

Pre-Installation

In order to have a secure server, you have to start securing it even before you start that server. The first thing you need to do is NOT to use a PASSWORD but an SSH KEY when you create (buy) your new Droplet (VPS).
Having a key greatly increases your security against brute-force attacks and also has a very nice extra advantage: you will never, ever have to type your password to access your VPS.

Create a private and public key pair:
Keys and passwords are not that different; however, a key is 256, 512 or 1024 characters long (up to 4096 currently), is designed to be communicated in a more secure fashion, and is stored only on your computer (preferably encrypted).

I know, creating a private and public key pair is not that fun the first time you do it. I remember how confused I was, back in 2008, when I tried to launch my first AWS instance and a key was required… Luckily, today there are many good tutorials, including several from the DO blog, that will get you ready in no time.

If you create your key beforehand, you will be able to select it when you create a new droplet, and the whole key setup process will be automated for you. If you want to reuse an existing VPS that was previously using a password, you will have to install the key in the droplet manually. In either case, this page has all the information you might require: https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/

Having a key increases your security almost as much as all the rest of the steps in this tutorial together. If, despite that, you choose for whatever reason to use a password, make it at least 32 random characters long.
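The point of creating the droplet with a key is that password logins are never needed, and a droplet created that way normally has them switched off in sshd. The check below is an added example, not part of the original tutorial: it reads an sshd_config and reports whether password logins are really closed (PasswordAuthentication and ChallengeResponseAuthentication set to no, PermitRootLogin not set to yes). It follows sshd’s own rules when reading the file: comment lines are ignored, the first occurrence of a directive wins, and an absent directive takes sshd’s built-in default. The two configs inside it are constructed for the demo; on a real VPS feed it /etc/ssh/sshd_config as shown in the comment.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: tell whether an sshd_config leaves
# password logins open. The sample configs below are constructed for the demo; on a
# real VPS run:   password_logins_closed "$(cat /etc/ssh/sshd_config)"

# sshd_value CONFIG DIRECTIVE DEFAULT -> prints the effective value (lower-cased).
# sshd ignores comment lines, uses the FIRST occurrence of a directive and matches the
# keyword case-insensitively; if the directive is absent, the built-in DEFAULT applies.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(printf '%s\n' "$1" | awk -v key="$key" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print tolower($2); exit }')
    printf '%s' "${val:-$3}"
}

# password_logins_closed CONFIG -> exit 0 when only keys can log in, 1 otherwise;
# one line per offending directive is printed so you can see what to change.
password_logins_closed() {
    rc=0
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    cr=$(sshd_value "$1" ChallengeResponseAuthentication yes)
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    [ "$pw" = no ] || { echo "PasswordAuthentication is '$pw' (want: no)"; rc=1; }
    [ "$cr" = no ] || { echo "ChallengeResponseAuthentication is '$cr' (want: no)"; rc=1; }
    [ "$root" != yes ] || { echo "PermitRootLogin is 'yes' (want: no or prohibit-password)"; rc=1; }
    return $rc
}

# Constructed sample: Ubuntu 18.04 ships PasswordAuthentication commented out, which
# means sshd's default (yes) applies, so passwords are still accepted.
WEAK_SSHD='#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample of the hardened state: keys only; root may still log in with a key.
HARDENED_SSHD='PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes'

# Demo on both samples.
for cfg in "$WEAK_SSHD" "$HARDENED_SSHD"; do
    if password_logins_closed "$cfg"; then echo "-> key-only"; else echo "-> passwords still accepted"; fi
done
```

If the check reports an open setting on your VPS, fix the directive in /etc/ssh/sshd_config and reload sshd from a session that is already logged in with the key, so you can confirm a second key login still works before closing the first one.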

Another very important step before you start installing Mautic is securing your new server with a firewall.

Configuring a firewall:
There are two main options: an external firewall and an internal firewall. An external firewall is provided by your cloud company; an internal firewall is one you set up inside your VPS.

a) Using an external firewall: Most cloud providers will offer you an external firewall, most probably for free. External firewalls on AWS, Google Cloud and other top-tier providers are excellent. The main advantage of a good external firewall is that you can set up your firewall rules before you even start your new VPS, hence protecting it from the very instant of its creation.
Digital Ocean’s firewall is relatively simple to configure; however, you cannot assign a firewall rule to a new droplet before it exists, which leaves the droplet unprotected for the few minutes it takes to configure it. This is a huge design flaw that I am sure they will fix soon enough, but in the meantime their firewall is no better than an internal firewall.

Since every external firewall works slightly differently from the rest, I am not going to detail the steps; each cloud provider has its own tutorials for its own firewall, so check those. Here is how to set up a firewall on DO.

b) Using an internal firewall: This option is simpler and faster to configure, it does the job perfectly in our situation, and it’s a good practice to set it up even if you also use an external one.

Ubuntu comes with UFW (Uncomplicated FireWall) preinstalled, which makes securing your VPS a snap.
UFW blocks all incoming ports by default, so basically it closes every possible point of entry to your server, making it quite secure. Since all ports will be closed, unless we “punch a hole” (open a port) in the firewall nobody is going to be able to reach your VPS, not even you. Since we’re using the SSH protocol to connect to our server, we need to open port 22 before we activate the firewall, or we would be unable to reach our own VPS.
To configure the firewall so that port 22 is open:

sudo su

ufw allow 22

If you decided to enable an external firewall this is the time to open port 22 ALSO on the external firewall. In fact, every time we open a port on the internal firewall with the ufw allow command, you have to remember to open the same port on the external firewall.

Now we can start the firewall:

ufw enable

Here’s how ports work: every computer has about 65,000 ports. If there is a service listening on a port, that service is responsible for the security of that port. For example, if you start an SSH server, it takes control of port 22 and is responsible for whatever information comes and goes through that port. If you enable Apache or NginX, they take ownership of ports 80 and 443. Every service uses one or more ports to communicate with the outside world.

What happens to the rest of those 65,000 ports? If there is no service listening on a port, then there’s “nobody” in charge of what happens on that port, which leaves 65K doors open to anyone: a huge security risk.
A firewall takes care of that by blocking any ports that you don’t need to use.
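As an added example (not from the original tutorial), here is the same ufw sequence generated from a list of ports, with the one guard that matters most: it refuses to emit “ufw enable” unless the SSH port is among the ports, so you cannot lock yourself out by forgetting the first step. It restricts each rule to TCP (the tutorial’s plain “ufw allow 22” also opens UDP, which SSH does not need) and spells out the default policy that UFW applies anyway. SSH_PORT=22 is an assumption; run it as root and pipe the printed plan into sh to apply it.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: print the ufw commands for a set of
# ports, refusing to enable the firewall unless the SSH port is included.
# Assumption: SSH listens on 22. Apply as root with:   ufw_plan 22 80 443 | sh
SSH_PORT=22

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan PORT... -> prints the plan on stdout; returns 1 (printing nothing) on a bad
# port or when SSH_PORT is missing, so a mistake never reaches ufw.
ufw_plan() {
    have_ssh=no
    rules=""
    for p in "$@"; do
        if ! is_port "$p"; then
            echo "ufw_plan: '$p' is not a valid port" >&2
            return 1
        fi
        if [ "$p" -eq "$SSH_PORT" ]; then have_ssh=yes; fi
        rules="${rules}ufw allow ${p}/tcp
"
    done
    if [ "$have_ssh" = no ]; then
        echo "ufw_plan: refusing to enable without port $SSH_PORT (SSH): you would lock yourself out" >&2
        return 1
    fi
    # default policy first (deny in, allow out), then the holes, then enable without the
    # interactive "may disrupt existing ssh connections" prompt
    printf 'ufw default deny incoming\nufw default allow outgoing\n%sufw --force enable\n' "$rules"
}

# Demo: the three ports this tutorial opens, and one plan that is rejected.
ufw_plan 22 80 443
if ! ufw_plan 80 443 2>/dev/null; then echo "(plan without SSH rejected, as intended)"; fi
```

Because the plan is printed rather than executed, you can read it before applying it, and the same list of ports is what you then have to mirror on an external firewall if you use one.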

Check this article if you want to learn more about UFW.

 
Not using the root user:

In the first tutorial, for simplicity’s sake, we used the root account to issue all the commands. This is considered bad practice security-wise, so consider creating a new user and giving it enough rights to do all the required tasks.
I personally believe that creating a new user and then giving it sudo access is just as dangerous as using the root account directly, so I don’t use this technique except when several users will be managing a server; then it makes much more sense to have finer control over who can do what and a log of who did what.
If you decide to create a new user, make it a sudoer, close your current (root) connection and connect again as the new user.

OK, the pre-installation is now complete, we can proceed with the Mautic installation.

Installing Mautic:

Most of the following steps are exactly the same as in the first tutorial. If you already followed it, you can skip directly to the “Securing your MySQL server” section below.

Make sure the server is up to date by updating the Ubuntu installation.

apt update && apt upgrade -y

Installing all the required packages (Applications) that are needed to run Mautic.

apt install apache2 libapache2-mod-php php unzip mariadb-server php-xml php-mysql php-imap php-zip php-intl php-curl ntp -y

Activating certain Apache 2 modules that are not active by default after installation.

a2enmod rewrite

Downloading and uncompressing the Mautic files.

cd /var/www/html

wget https://github.com/mautic/mautic/releases/download/2.15.1/2.15.1.zip
unzip 2.15.1.zip
rm 2.15.1.zip

Making sure Apache and Mautic both have ownership of, and write access to, the files.

chown -R www-data:www-data /var/www/html

chmod -R 775 /var/www/html

Configuring Apache:

wget https://mauteam.org/images/000-default.txt

mv 000-default.txt /etc/apache2/sites-available/000-default.conf

Creating a database for Mautic.
mysql -u root 

This command connects you to your database; the only difference you will notice is that the text before your command prompt changes to “MariaDB [(none)]>”.

MariaDB [(none)]> CREATE DATABASE mautic DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
MariaDB [(none)]> GRANT ALL ON mautic.* TO 'root'@'localhost' IDENTIFIED BY 'password';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

After the “EXIT;” command you return to the normal shell prompt.

Securing your MySQL server:

Securing your MariaDB (MySQL) server is very simple and can be done with just one command. This is a very basic security script that asks you a few questions in order to make your server more secure while keeping it usable for your purposes. For this type of setup it does the job perfectly.

mysql_secure_installation

This will start the interactive script, you just have to answer the questions with these answers:

Enter current password for root (enter for none):  (enter)
Change the root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

You are done. As you see, you basically just have to answer yes to all questions and let the script do the work for you XD.
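The tutorial hands Mautic the MariaDB root account with the password “password”. That works, but it means any bug in the web application has full control of every database on the server. As an added example that goes one step beyond the tutorial (this is not the project’s own code), the script below emits the SQL for a dedicated user that can only touch Mautic’s database, and only from localhost, with a generated 32-character password. The database and user names (both “mautic”) are assumptions. Rather than trying to escape input, it refuses identifiers and passwords that would need quoting inside the SQL.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: SQL for a least-privilege Mautic
# database user, generated by shell so the password never has to be typed or pasted.
# Assumed names: database "mautic", user "mautic". Apply with:
#   mautic_db_sql mautic mautic "$(gen_password)" | mysql -u root

# gen_password -> 32 random characters from [A-Za-z0-9]; alphanumeric only, so the
# value is safe to place inside the '...' literal in the SQL below.
gen_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# is_ident NAME -> 0 if NAME is [A-Za-z0-9_]+ (the only identifiers we interpolate).
is_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_safe_password PW -> 0 if at least 16 chars and free of quote/backslash, the two
# characters that would need escaping inside a MySQL string literal.
is_safe_password() {
    [ "${#1}" -ge 16 ] || return 1
    case "$1" in
        *"'"*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# mautic_db_sql DB USER PW -> prints the SQL, or returns 1 printing nothing if any
# argument fails validation. ALL PRIVILEGES is scoped to DB.* (no GRANT OPTION, nothing
# global) and the account only exists for connections from localhost.
mautic_db_sql() {
    is_ident "$1"         || { echo "mautic_db_sql: bad database name '$1'" >&2; return 1; }
    is_ident "$2"         || { echo "mautic_db_sql: bad user name '$2'" >&2; return 1; }
    is_safe_password "$3" || { echo "mautic_db_sql: password must be >=16 chars without ' or \\" >&2; return 1; }
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER '$2'@'localhost' IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON \`$1\`.* TO '$2'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Demo with a freshly generated password (printed so you can copy it into the wizard).
PW=$(gen_password)
mautic_db_sql mautic mautic "$PW"
echo "# wizard: DB User = mautic, DB Password = $PW"
```

If you use this, enter the new user and its password in the Configuration Wizard instead of root/password; the root account keeps its own password from mysql_secure_installation and is no longer used by the application at all. CREATE DATABASE IF NOT EXISTS is harmless if you already created the database in the earlier step.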

Almost done: the Mautic server is now installed and secured. Before we run the Mautic Configuration Wizard, we need to open port 80 on the firewall to be able to connect to our server from a browser:

ufw allow 80

Now let’s reload the Apache configuration to apply our changes.

service apache2 reload

Run the Mautic Configuration Wizard.

Mautic is now ready to be configured. You just need to use a browser, like Chrome or Firefox, and navigate to the IP of your server. For example, if the server’s IP was 123.12.123.12 you would type this in your browser:

http://123.12.123.12 (change the IP to the one of your VPS or droplet)

Here’s an excerpt of your configuration for the Mautic Installation Wizard:

  • Database driver: MySQL PDO
  • Database Host: localhost
  • Database port: 3306
  • DB name: mautic (exactly as created above; database names are case-sensitive on Linux)
  • Database Table Prefix: Leave empty
  • DB User: root
  • DB Password: password
  • Backup existing tables: No

If you need help with the wizard steps, check this other post with step by step instructions:

Mautic Installation: The Configuration Wizard 

Enable HTTPS with certbot

It’s important to enable secure connections for the users connecting to Mautic from a browser; Certbot is about the simplest way to enable SSL on your server.

Before you can proceed with enabling HTTPS, you need to have a domain set up for Mautic. So if your domain is called yourdomain.com, you will need to create a subdomain for Mautic, for example mautic.yourdomain.com. This is usually configured in the control panel of your domain registrar (the website where you purchased your domain). If someone else is doing it for you, just ask them to “Add an A record for mautic.yourdomain.com”. Of course, change “yourdomain.com” to your real domain name. They will ask you something like “What’s the IP?” or maybe “Where do I point the record to?”. However they formulate the question, the answer is always the IP of your VPS 😉

OK then, so Certbot is another automated script that does a lot of work for you: it automatically installs the required certificates and automatically modifies your Apache 2 configuration so you don’t have to. It also runs a verification process that requires port 80 to be open, so that the certificate authority’s servers can make a request to verify your ownership of the server, and since during the installation process we will want to force SSL redirection, we will also need access to port 443.

Since we already opened port 80 earlier, we now open port 443 for secure HTTPS connections.

ufw allow 443

You can verify which ports are open with:

ufw status

Certbot is not in the default Ubuntu repositories, so before we can install the packages it needs we first have to add the Certbot repository to your server’s package sources:

sudo add-apt-repository ppa:certbot/certbot

Since we added a new repo, it’s important to make sure all packages are up to date:

apt update && apt upgrade -y

We can now finally install Certbot for Apache 2:

sudo apt-get install python-certbot-apache

Now let’s launch Certbot’s interactive setup:

certbot --apache -d mautic.yourdomain.com

 
Now answer the questions and Certbot will take care of the rest…
Once the setup is done, you’ll want to make sure automatic renewal of the certificate works (the Certbot package installs a renewal timer for you; this command tests a renewal without changing anything):

sudo certbot renew --dry-run

You are good to go, open your browser and try to connect to your Mautic server with HTTPS.

Install the cron jobs.

Mautic is now working and you can navigate to all the sections and explore, but if you want working segments and campaigns you will also need to install the Mautic cron jobs:

wget https://mauteam.org/images/cron-jobs.txt

crontab cron-jobs.txt

Done! Simplest way to install cron jobs, ever…
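The crontab command above installs the jobs for whichever user runs it, which in this tutorial is root, so the Mautic console commands would run as root. As an added example (not the cron-jobs.txt the tutorial downloads), the snippet below generates the three jobs that segments and campaigns need and installs them for www-data, the user that already owns /var/www/html, wrapping each command in flock so that a slow run cannot pile up on top of itself. It assumes the Mautic 2.x layout (app/console under /var/www/html); the job names are Mautic’s own console commands.

```sh
#!/bin/sh
# Added example, not the cron-jobs.txt from the tutorial: generate and install the core
# Mautic 2.x cron jobs for www-data. Assumes Mautic lives under /var/www/html with its
# console at app/console (Mautic 2.x layout).

# mautic_crontab ROOT -> prints one crontab line per job. Refuses an empty ROOT or one
# containing whitespace, since cron would split the command line on it.
mautic_crontab() {
    if [ -z "$1" ] || printf '%s' "$1" | grep -q '[[:space:]]'; then
        echo "mautic_crontab: bad path '$1'" >&2
        return 1
    fi
    for job in segments:update campaigns:update campaigns:trigger; do
        # one lock file per job: flock -n skips this run if the previous one is still going
        lock="/tmp/mautic-$(printf '%s' "$job" | tr ':' '-').lock"
        printf '*/5 * * * * flock -n %s php %s/app/console mautic:%s >/dev/null 2>&1\n' \
            "$lock" "$1" "$job"
    done
}

# install_mautic_crontab ROOT -> replaces www-data's crontab with the generated lines.
# Run as root ("crontab -u" needs it); nothing is installed if generation fails.
install_mautic_crontab() {
    text=$(mautic_crontab "$1") || return 1
    printf '%s\n' "$text" | crontab -u www-data -
}

# Demo: print what would be installed for the tutorial's path.
mautic_crontab /var/www/html
```

Running the jobs as www-data means the cache and log files they create keep the ownership set earlier with chown, so the web server and the cron jobs never fight over permissions. Check the result with crontab -u www-data -l.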
Got any questions? Stuck on one of the steps? Anything not working as planned?
Don’t hesitate to ask in the comments below!

You might also be interested in these other posts:
Mautic Self Hosted Best Practices.
Please Stop Using Bitnami and Cpanel to Install Mautic.
Download Mautic: Which Version to Use?
Mautic cron jobs for dummies & marketers.
Mautic Cron Jobs: Which Ones to Use.
Install Mautic Plugin for dummies.
