Basic Debian LAMP setup
This is how I generally set up a new Debian server
or VPS. This process normally takes only a few minutes to have a nice,
secure, production-worthy LAMP setup up and running. This is one of
the main reasons I love Debian so much. Here I assume that you have a
bare, newly rented server without any prior installations, and I cover a
few of my common practices that make my life as a sysadmin a little bit
easier. We will forget for now that some of their policy decisions seem
to be motivated by too much coffee and estrogen.
Update sources
# most of the following should be executed as root
apt-get update
apt-get upgrade
Screen
GNU screen will be something you learn to love as you become more experienced with it. The following UI setup I found somewhere a long time ago and have been using ever since.
vi ~/.screenrc
hardstatus on
hardstatus alwayslastline
hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
Control+a c adds a new window
Control+a n switches to the next window
Control+a p switches to the previous window
Control+a x locks the screen session
Control+a k kills the current window
Install fail2ban
fail2ban is a great piece of software that monitors a log file for a given pattern (e.g. failed SSH logins, failed FTP logins, etc.) and will block the offending hosts for a variable amount of time depending on your requirements. This is great for preventing brute-force attacks.
apt-get install fail2ban
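To make the "monitor a log for a pattern, then block for a while" idea concrete, here is a small added example (not part of the original post or of fail2ban itself) that applies fail2ban's sshd jail logic, maxretry failures within findtime seconds earn a ban of bantime seconds, to a few constructed auth.log lines:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (addresses are documentation ranges).
SAMPLE_AUTH_LOG = """\
Nov  9 22:10:01 web sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Nov  9 22:10:04 web sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Nov  9 22:10:09 web sshd[2205]: Failed password for root from 198.51.100.7 port 51024 ssh2
Nov  9 22:10:15 web sshd[2207]: Accepted publickey for deploy from 203.0.113.5 port 40122 ssh2
Nov  9 22:11:40 web sshd[2209]: Failed password for root from 203.0.113.5 port 40130 ssh2
Nov  9 22:31:02 web sshd[2301]: Failed password for root from 203.0.113.5 port 40131 ssh2
Nov  9 22:31:05 web sshd[2303]: Failed password for root from 203.0.113.5 port 40132 ssh2
"""

# Same shape as a fail2ban filter: the failing host is the capture group.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2011):
    # syslog timestamps carry no year; assume one so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=3, findtime=600, bantime=1800):
    """Return {ip: ban_expiry} for hosts with >= maxretry failures inside a
    sliding findtime window (the jail's maxretry/findtime/bantime knobs)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m or m["ip"] in bans:
            continue                # not a failure line, or already banned
        now = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(now)
        while (now - q[0]).total_seconds() > findtime:
            q.popleft()             # forget failures older than findtime
        if len(q) >= maxretry:
            bans[m["ip"]] = now + timedelta(seconds=bantime)
    return bans
```

The second host fails twice, but with a 19-minute gap, so it never reaches three failures inside one window and is not banned; lowering maxretry to 2 changes that.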
IPtables
This is where I differ from some sysadmins. Most seem to create a shell script that holds all of their iptables rules, but I use two nifty tools shipped by default with Debian (iptables-restore and iptables-save).
First we save the default fail2ban rules somewhere that is easy to remember
iptables-save > /etc/iptables
And now we add our two basic rules to allow web and SSH traffic
vi /etc/iptables
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*mangle
:PREROUTING ACCEPT [2507975:1707373020]
:INPUT ACCEPT [2507975:1707373020]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2481524:1683726521]
:POSTROUTING ACCEPT [2481524:1683726521]
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*filter
:INPUT ACCEPT [2507975:1707373020]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2481524:1683726521]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*nat
:PREROUTING ACCEPT [11674:749649]
:POSTROUTING ACCEPT [11773:720169]
:OUTPUT ACCEPT [11773:720169]
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
You will notice that we added the following 4 lines, which accept all web and SSH traffic and drop everything else.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
Now we update our iptables rules
iptables-restore /etc/iptables
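Because the whole ruleset lives in one iptables-save file, it is easy to audit before you restore it. The following is an added example (not from the original post): it parses the *filter table of a dump and summarises what the INPUT chain accepts. Run against the rules above it reports that only TCP 22 and 80 are open, that there is no loopback accept rule, and, if you ask for 443, that HTTPS is not yet allowed even though SSL gets enabled later in this post. The sample below is the post's filter table with counters zeroed.

```python
# Constructed inline copy of the post's *filter table (counters trimmed).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
"""

def _arg(tokens, flag):
    # value following a flag such as -p, -i, -j or --dports; None if absent
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def input_rules(dump):
    """Yield tokenised '-A INPUT ...' rules from the *filter table only."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A INPUT "):
            yield line.split()

def audit_input(dump, expected_tcp=("22", "80")):
    """Summarise the INPUT chain: accepted TCP ports, loopback and state
    rules, protocol-wide drops, and which expected ports are missing."""
    accepted, dropped = set(), set()
    f = {"loopback_allowed": False, "established_allowed": False}
    for t in input_rules(dump):
        target = _arg(t, "-j")
        ports = _arg(t, "--dports") or _arg(t, "--dport")
        if target == "ACCEPT" and _arg(t, "-i") == "lo":
            f["loopback_allowed"] = True
        if target == "ACCEPT" and _arg(t, "--state"):
            f["established_allowed"] = True
        if target == "ACCEPT" and ports and _arg(t, "-p") == "tcp":
            accepted.update(ports.split(","))
        if target == "DROP" and not ports:
            dropped.add(_arg(t, "-p") or "all")   # catch-all drop for a protocol
    f["catch_all_drop"] = sorted(dropped)
    f["accepted_tcp"] = sorted(accepted, key=int)
    f["missing_tcp"] = sorted(set(expected_tcp) - accepted, key=int)
    f["unexpected_tcp"] = sorted(accepted - set(expected_tcp), key=int)
    return f
```

A missing loopback rule matters here because the final "-p tcp -j DROP" also applies to new connections to 127.0.0.1, so local services reached over TCP would need an "-i lo -j ACCEPT" line.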
MySQL
Now we install MySQL
apt-get install mysql-server mysql-client
Just follow the on-screen instructions and you will be given the chance to create a root password. I would make a note of this password if I were you.
Apache and PHP5
Here we install apache2 and php5 along with php5-suhosin for added security.
apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin
Now the basic Suhosin setup
vi /etc/php5/apache2/php.ini
[suhosin]
extension=suhosin.so
;Disable session encryption (required for most login scripts)
suhosin.session.encrypt = Off
;Log all errors
suhosin.log.syslog=511
;Max traversal depth ie '../../'
suhosin.executor.include.max_traversal=4
;Disable eval
suhosin.executor.disable_eval=On
;Disable /e modifier
suhosin.executor.disable_emodifier=On
;Disallow newlines in Subject:, To: headers and double newlines in additional headers
suhosin.mail.protect=2
;Recommended settings
;Silently fail all failed SQL queries. You may want to disable this for a development environment
suhosin.sql.bailout_on_error=On
Now we set up SSL
a2enmod ssl
apache2 -k restart
The vhost configs are in /etc/apache2/sites-available/default. If you are planning on having several domains, the common practice on Debian servers is to have the document root under /var/www and a corresponding config in /etc/apache2/sites-available/.
As an example, if my site were named domain.com I would do the following
mkdir /var/www/domain.com
chown www-data:www-data /var/www/domain.com
chmod ug+r /var/www/domain.com
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
vi /etc/apache2/sites-available/domain.com
#......edit accordingly
a2ensite domain.com   # enable the new vhost; files in sites-available alone are not loaded
apache2 -k restart
This is all really pretty easy and should take only a few minutes to get a basic and secure LAMP setup up and running.