tomfmason
Guest
This is how I generally set up a new Debian server or VPS. It normally only takes a few minutes to have a nice, secure, production-worthy LAMP setup up and running, which is one of the main reasons I love Debian so much. In this I assume that you have a bare, newly rented server without any prior installations, and I cover a few of my common practices that make my life as a sysadmin a little bit easier. We will forget for now that some of their policy decisions seem to be motivated by too much coffee and estrogen.
Update sources
Code:
#most of the following should be executed as root
apt-get update
apt-get upgrade
Screen
GNU screen will be something you learn to love as you become more experienced with it. The following UI setup I found somewhere a long time ago and have been using it ever since.
Code:
apt-get install screen
vi ~/.screenrc
hardstatus on
hardstatus alwayslastline
hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
#to start a screen session simply type 'screen'
screen
Control +a c adds a new window
Control +a n switches to the next window
Control +a p switches to the previous window
Control +a x locks the screen session
Control +a k kills the current window
Control +a d detaches from the screen session
screen -ls will list the current screen sessions
screen -x xxx will reattach the given screen session
Install fail2ban
fail2ban is a great piece of software that monitors a log file for a given pattern (e.g. failed SSH logins, failed FTP logins, etc.) and blocks the offending addresses for a configurable amount of time, depending on your requirements. This is great for preventing brute-force attacks. On Debian the ssh jail is active as soon as the package is installed; put any overrides in /etc/fail2ban/jail.local rather than editing jail.conf, and list your own address under ignoreip there so a few typos of your password cannot lock you out of your own box.
Code:
apt-get install fail2ban
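To make visible what fail2ban is counting before it bans, here is an added example (not part of the original post, and not fail2ban's own code): an awk pass over a handful of constructed auth.log lines that tallies failed sshd logins per source address and prints the addresses at or over a threshold, which is the decision the ssh jail makes with maxretry. The hostnames, PIDs and addresses in the sample are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source IP, the way
# fail2ban's ssh jail does before it inserts a DROP rule into its chain.
# Usage: failed_ssh_logins MAXRETRY < /var/log/auth.log
failed_ssh_logins() {
    maxretry="${1:-5}"
    awk -v max="$maxretry" '
        # Debian sshd lines look like:
        #   ... sshd[PID]: Failed password for [invalid user NAME] from ADDR port N ssh2
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print fails[ip], ip
        }' | sort -rn
}

# Constructed sample log (not real traffic): one password-guessing host and
# one legitimate admin who mistyped once.
SAMPLE_AUTH_LOG='Nov  9 22:16:52 vps sshd[2391]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov  9 22:16:54 vps sshd[2391]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov  9 22:16:57 vps sshd[2395]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Nov  9 22:16:59 vps sshd[2395]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Nov  9 22:17:03 vps sshd[2398]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Nov  9 22:17:10 vps sshd[2401]: Accepted publickey for tom from 198.51.100.5 port 40022 ssh2
Nov  9 22:17:30 vps sshd[2407]: Failed password for tom from 198.51.100.5 port 40030 ssh2'

# Run the counter over the embedded sample so the result can be checked
# without touching a real log file.
count_sample_offenders() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_logins "${1:-5}"
}

# Prints "5 203.0.113.7": the attacker is over the threshold, the admin's
# single typo is not, which is exactly why maxretry should never be 1.
count_sample_offenders 5
```

Point it at the real file with `failed_ssh_logins 5 < /var/log/auth.log` to see who fail2ban would have banned with maxretry = 5; if your own address shows up, that is the case ignoreip exists for.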
IPtables
This is where I differ from some sysadmins. Most create a shell script that holds all of their iptables rules, but I use two nifty utilities that ship with Debian's iptables package (iptables-restore and iptables-save).
First, we save the current ruleset, which already contains the chain fail2ban created, somewhere that is easy to remember:
Code:
iptables-save > /etc/iptables
Code:
vi /etc/iptables
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*mangle
:PREROUTING ACCEPT [2507975:1707373020]
:INPUT ACCEPT [2507975:1707373020]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2481524:1683726521]
:POSTROUTING ACCEPT [2481524:1683726521]
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*filter
:INPUT ACCEPT [2507975:1707373020]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2481524:1683726521]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
# Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
*nat
:PREROUTING ACCEPT [11674:749649]
:POSTROUTING ACCEPT [11773:720169]
:OUTPUT ACCEPT [11773:720169]
COMMIT
# Completed on Wed Nov 9 22:16:52 2011
You will notice that we added the following four lines, which accept web and SSH traffic and drop all other TCP and UDP. Two things to be aware of: anything that is neither TCP nor UDP (ICMP, for instance) still falls through to the chain's ACCEPT policy, and because there is no rule for the loopback interface, new local TCP connections are dropped as well, so a PHP script that talks to MySQL on 127.0.0.1:3306 instead of the socket will hang. If you plan on the SSL step below, 443 needs to go into the multiport list too.
Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
Now we load the rules. iptables-restore replaces the whole ruleset in one go, so have it parse the file first; a typo then fails safely instead of leaving you half firewalled. Nothing reloads this file at boot, so until you hook it into the network startup the rules are gone after a reboot.
Code:
iptables-restore --test /etc/iptables && iptables-restore /etc/iptables
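The following is an added example, not the ruleset from the post. It generates a filter table that closes the gaps in the one saved above (loopback, ICMP, port 443, an explicit DROP policy), lints an iptables-save dump for the classic self-lockout mistakes, and hooks the restore into Debian's network startup so the rules survive a reboot. The path /etc/iptables is the one this page uses; /etc/network/if-pre-up.d/iptables is my choice for the boot hook. fail2ban's chain is deliberately left out of the generated file, since fail2ban recreates it when it starts.

```shell
#!/bin/sh
# Added example, not the ruleset from the post. Generates a hardened filter
# table, lints a dump for self-lockout mistakes, and reloads the rules at boot.
# Assumed paths: /etc/iptables (as on this page) and
# /etc/network/if-pre-up.d/iptables (my choice for the boot hook).

# Differences from the saved ruleset: loopback is accepted (local TCP to MySQL
# keeps working), ICMP is accepted explicitly, 443 is open for the SSL step,
# and a DROP policy replaces the trailing DROP rules so non-TCP/UDP traffic no
# longer falls through. fail2ban adds its own chain and jump when it starts.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and report the classic mistakes.
# Exit status 0 = clean, 1 = problems (one message per line).
lint_rules() {
    awk '
        /^\*/             { table = substr($0, 2); next }
        table != "filter" { next }
        $1 == "-A" && $2 == "INPUT" {
            n++
            if ($0 ~ /-i lo -j ACCEPT/)               lo   = n
            if ($0 ~ /RELATED,ESTABLISHED -j ACCEPT/) est  = n
            if ($0 ~ /-j DROP/ && !drop)              drop = n
            if ($0 ~ /-j ACCEPT/)
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^--dports?$/) {
                        m = split($(i + 1), ports, ",")
                        for (j = 1; j <= m; j++)
                            if (ports[j] == "22" || ports[j] == "ssh") ssh = n
                    }
        }
        END {
            rc = 0
            if (!lo)  { print "missing: -A INPUT -i lo -j ACCEPT (local services break)"; rc = 1 }
            if (!est) { print "missing: RELATED,ESTABLISHED ACCEPT on INPUT"; rc = 1 }
            else if (drop && drop < est) { print "RELATED,ESTABLISHED ACCEPT sits after a DROP rule"; rc = 1 }
            if (!ssh) { print "no INPUT ACCEPT for port 22: you will lock yourself out"; rc = 1 }
            exit rc
        }'
}

# The filter table exactly as saved earlier on this page, kept here as lint input.
PAGE_FILTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT'

lint_page_rules() { printf '%s\n' "$PAGE_FILTER" | lint_rules; }

# Write, lint, dry-run parse, then load the rules and make them survive a
# reboot. Run this as root on the server.
install_rules() {
    gen_rules > /etc/iptables
    lint_rules < /etc/iptables || return 1
    iptables-restore --test /etc/iptables || return 1
    iptables-restore /etc/iptables
    # the restore just flushed fail2ban's chain and its bans; start it over cleanly
    /etc/init.d/fail2ban restart
    # Debian runs every executable in if-pre-up.d before an interface comes up
    cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables
EOF
    chmod 0755 /etc/network/if-pre-up.d/iptables
}

# Lint the ruleset from the post: it reports the missing loopback rule.
if lint_page_rules; then echo "page ruleset: clean"; else echo "page ruleset: problems found"; fi
```

Run `iptables-save | lint_rules` after any change, and in particular before you close the SSH session you are editing from; a ruleset that fails the port 22 check is the one you do not want to find out about from the console of a rented box.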
MySQL
Now we install MySQL
Code:
apt-get install mysql-server mysql-client
Just follow the on-screen instructions and you will be given the chance to create a root password. I would make note of this password if I were you. Once the packages are installed, run mysql_secure_installation: it removes the anonymous accounts and the test database and restricts root to logging in from localhost, none of which the package does for you.
Apache and PHP5
Here we install Apache 2 and PHP 5 along with php5-suhosin, a hardening extension that adds runtime checks (include traversal, eval, mail header injection and the like) to the PHP engine.
Code:
apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin
Now the basic Suhosin setup. On Debian the php5-suhosin package already loads the extension from /etc/php5/conf.d/suhosin.ini, so do not add a second extension= line in php.ini or PHP will warn that the module is already loaded; just the settings are needed.
Code:
vi /etc/php5/apache2/php.ini
[suhosin]
;extension=suhosin.so is already loaded by /etc/php5/conf.d/suhosin.ini on Debian, do not repeat it here
;Disable session encryption (required for most login scripts)
suhosin.session.encrypt = Off
;Send every alert class to syslog (511 = S_ALL, the bitmask of all alert types)
suhosin.log.syslog = 511
;How many '../' an include path may contain before it is refused
suhosin.executor.include.max_traversal = 4
;Disable eval()
suhosin.executor.disable_eval = On
;Disable the preg_replace() /e modifier, which evals the replacement string
suhosin.executor.disable_emodifier = On
;Disallow newlines in Subject:, To: headers and double newlines in additional headers
suhosin.mail.protect = 2
;Recommended settings
;Abort the script when an SQL query fails instead of letting it carry on; this
;denies error-based injection its feedback. Turn it off in a development environment.
suhosin.sql.bailout_on_error = On
Now we turn on SSL. a2enmod only loads mod_ssl; Debian also ships a ready-made default-ssl site that uses the self-signed "snakeoil" certificate, so enable that too and swap in a real certificate before going live. Remember that the firewall above only opened port 80, so add 443 there or nobody will reach it. Use the init script rather than apache2 -k restart: the apache2 binary reads its user and group from /etc/apache2/envvars, which only the init script and apache2ctl source, so calling it directly on Debian usually fails with a "bad user name" error.
Code:
a2enmod ssl
a2ensite default-ssl
/etc/init.d/apache2 restart
The vhost configs live in /etc/apache2/sites-available/, with the stock one in /etc/apache2/sites-available/default. If you are planning on having several domains, the common practice on Debian servers is to put each document root under /var/www with a corresponding config in /etc/apache2/sites-available/, then enable it with a2ensite, which creates the symlink in sites-enabled that Apache actually reads.
As an example if my site was named domain.com I would do the following
Code:
mkdir /var/www/domain.com
# root owns the docroot and www-data can read it, so a PHP script cannot write
# into it; give www-data a writable subdirectory only where the app needs one
chown root:www-data /var/www/domain.com
chmod 750 /var/www/domain.com
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
vi /etc/apache2/sites-available/domain.com
#......edit accordingly (ServerName, DocumentRoot, log file names)
# a2ensite creates the symlink in sites-enabled; without it the new file is ignored
a2ensite domain.com
apache2ctl configtest
/etc/init.d/apache2 reload
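The per-domain procedure above, as an added example that is not part of the original post: one function that writes a vhost config for a domain, and one that creates the docroot and config, with the docroot owned by root and merely readable by www-data, and enables the site. The Apache 2.2 `Order`/`Allow` syntax matches the php5-era setup on this page; the apache and www directories are parameters so the function can be exercised in a scratch directory, and the symlink a2ensite would create is made by hand for the same reason.

```shell
#!/bin/sh
# Added example (not the original post's commands): create a per-domain docroot
# and vhost the Debian way, owned by root and readable by www-data, then enable
# it. Assumes Apache 2.2 (Order/Allow syntax) and the /etc/apache2 layout used on
# this page; APACHE_DIR and WWW_DIR are parameters so it can run in a scratch dir.

# Print a vhost config for DOMAIN serving DOCROOT.
vhost_config() {
    domain="$1"; docroot="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot
    <Directory $docroot>
        # no directory listings, no symlinks out of the docroot, no .htaccess overrides
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/$domain-error.log
    LogLevel warn
    CustomLog /var/log/apache2/$domain-access.log combined
</VirtualHost>
EOF
}

# Create docroot and vhost file and link it into sites-enabled.
# Usage: new_vhost DOMAIN [APACHE_DIR] [WWW_DIR]
new_vhost() {
    domain="$1"
    apache_dir="${2:-/etc/apache2}"
    www_dir="${3:-/var/www}"
    # refuse anything that could escape the www directory or hide as a dotfile
    case "$domain" in
        ""|*/*|.*|*..*) echo "bad domain name: '$domain'" >&2; return 1 ;;
    esac
    docroot="$www_dir/$domain"
    mkdir -p "$docroot" "$apache_dir/sites-available" "$apache_dir/sites-enabled"
    # root owns the tree; www-data can read it but PHP cannot write into it
    if [ "$(id -u)" -eq 0 ]; then
        chown root:www-data "$docroot"
    fi
    chmod 0750 "$docroot"
    vhost_config "$domain" "$docroot" > "$apache_dir/sites-available/$domain"
    chmod 0644 "$apache_dir/sites-available/$domain"
    # same relative symlink a2ensite creates, done by hand so this runs anywhere
    ln -sf "../sites-available/$domain" "$apache_dir/sites-enabled/$domain"
}

# On the real host: check the syntax, then reload. Fails where apache2ctl is absent.
activate_vhost() {
    command -v apache2ctl >/dev/null 2>&1 || { echo "apache2ctl not found" >&2; return 1; }
    apache2ctl configtest && /etc/init.d/apache2 reload
}

# Demo in a scratch directory so running this file as-is touches nothing under /etc.
# On the server: new_vhost domain.com && activate_vhost
demo_dir=$(mktemp -d)
new_vhost domain.com "$demo_dir/apache2" "$demo_dir/www"
cat "$demo_dir/apache2/sites-available/domain.com"
rm -rf "$demo_dir"
```

If the application does need to write somewhere (uploads, caches), create that one subdirectory with `chown www-data` and keep the rest of the tree root-owned; that way a compromised script can drop files into the upload area but not overwrite the code that serves it.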
This is all really pretty easy and should only take a few minutes to have a basic and secure lamp setup up and running
