Setup a LAMP (Debian 11) - Optimized method

deb http://deb.debian.org/debian/ {dist} main

apt-get update
apt-get upgrade

apt-get upgrade --without-new-pkgs
apt-get full-upgrade
reboot

rm -fr /var/lib/apt/lists/*
apt-get --purge autoremove
apt-get clean all

uname -r
lsb_release -a

apt-get install openssh-server
# apt-get install ssh (client/server)

passwd root

adduser {username}

usermod -aG sudo {username}

{username} ALL=(ALL) ALL
# {username} ALL=(ALL) NOPASSWD:ALL

Port {port}
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 3

#Subsystem sftp /usr/lib/openssh/sftp-server (comment)
Subsystem sftp internal-sftp

Match [User|Group] {username|groupname}
        ForceCommand internal-sftp -u 077
        PasswordAuthentication yes
        ChrootDirectory /var/www
        AllowTCPForwarding no
        X11Forwarding no

sshd -t
systemctl restart sshd

tail -f /var/log/auth.log

apt-get install apache2
apt-get install libapache2-mod-php7.4

a2enmod rewrite
a2dissite 000-default
a2dissite default-ssl
a2ensite {site}
a2dissite {site}
apache2ctl configtest
service apache2 restart

apt-get install mariadb-server
mysql_secure_installation

mysql -u root

CREATE USER '{username}'@'localhost' IDENTIFIED BY '{password}';
GRANT ALL PRIVILEGES ON *.* TO '{username}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
CREATE DATABASE IF NOT EXISTS {database};
exit;

service mysql restart

mysqldump -u {username} –p {password} {database} > {dump.sql}

apt-get install php7.4 (php7.4-common)
apt-get install php7.4-cli
apt-get install php7.4-curl
apt-get install php7.4-intl
apt-get install php7.4-imagick
apt-get install php7.4-{extension}

a2dismod php7.0
a2enmod php7.4
service apache2 restart

apt-get install phpmyadmin

Include /etc/phpmyadmin/apache.conf

echo 'Include /etc/phpmyadmin/apache.conf' >> /etc/apache2/apache2.conf
service apache2 restart

apt-get install vsftpd

listen=YES
write_enable=YES
chown_uploads=YES
chown_username=www-data
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
local_umask=0022
anon_upload_enable=YES
anon_mkdir_write_enable=YES

allow_writeable_chroot=YES
chmod_enable=YES
ftp_username=www-data
force_dot_files=YES
max_clients=10
max_per_ip=3
hide_ids=YES
user_config_dir=/etc/vsftpd
file_open_mode=0777
user_sub_token=$USER
vsftpd_log_file=/var/log/vsftpd.log

mkdir /etc/vsftpd
nano /etc/vsftpd/{username}

local_root=/var/wwwsername}

service vsftpd restart

apt-get install bind9
service bind9 restart

apt-get install postfix mailutils (postfix-mysql)
service postfix restart
service apache2 restart

apt-get install openssl
apt-get install certbot python3-certbot-apache

certbot --apache
# certbot renew (/etc/letsencrypt/renewal)
# certbot certonly --cert-name domain.com -d domain.com
service apache2 restart
crontab -e

12 3 * * * letsencrypt renew >> /var/log/letsencrypt/renew.log

service cron restart

apt-get install ufw

ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow 80
ufw allow 443
ufw allow ssh
ufw allow from {IPV4} to any port {port}
ufw allow from {IPV6} to any port {port}
ufw enable
# ufw reset

useradd {username}

# adduser {username} {group}
usermod -aG www-data {username}
usermod -d /var/www -m {username}

chown -R {username}:www-data /var/www/
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

apt-get install acl
setfacl -R -m g:www-data:rwx /var/www
setfacl -R -m u:{username}:rwx /var/www

export APACHE_RUN_USER={username}

echo 'export APACHE_RUN_USER={username}' >> /etc/apache2/envvars

apt-get install redis-server
apt-get install php7.4-redis
apt-get install php7.4-igbinary

# bind 127.0.0.1 ::1 (comment)
maxmemory 1024mb
maxmemory-policy allkeys-lru

service redis-server restart

redis-cli
redis-cli FLUSHALL

wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod u+x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

apt-get install git

git config --global user.name "{username}"
git config --global user.email "{email}"

apt-get install fail2ban

# Decrease Timeout value
Timeout 60

# Use only TLS, Disable SSLv2, SSLv3
SSLProtocol -all +TLSv1

# Disable Weak Ciphers
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

# Limit HTTP Request Methods
allow only GET, POST and HEAD

ServerTokens Prod
TraceEnable off
ServerSignature Off
FileETag None

# Set rules for Directory /var/www/html
Options None
AllowOverride All
Order Allow,Deny
Allow from All

a2enmod headers

# Cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Clickjacking Attack Protection
Header always append X-Frame-Options SAMEORIGIN

# XSS Protection
Header set X-XSS-Protection "1; mode=block"

# Enforce secure connections to the server (HSTS)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# MIME sniffing Protection
Header set X-Content-Type-Options: "nosniff"

# Prevent Cross-site scripting and injections
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

service apache2 restart

iptables -A INPUT -p tcp --dport 21 -j DROP

apt-get install net-tools

systemctl stop {service}
systemctl disable {service}
systemctl unmask {service}
rm /etc/systemd/system/{service}
rm /usr/lib/systemd/system/{service} 
systemctl daemon-reload
systemctl reset-failed