DEV Community

Jihad Sinnaour

Set up a LAMP stack (Debian 11) - Optimized method

⚡ Update / Upgrade

Update source:

@ /etc/apt/sources.list ({dist} is bullseye for Debian 11; keep the security suite so security fixes arrive with the regular upgrade)

deb http://deb.debian.org/debian/ {dist} main
deb http://security.debian.org/debian-security {dist}-security main

Update libs:

apt-get update
apt-get upgrade

Update system:

apt-get upgrade --without-new-pkgs
apt-get full-upgrade
reboot

Fix APT (only when the package lists are corrupt; run apt-get update again afterwards):

rm -fr /var/lib/apt/lists/*
apt-get --purge autoremove
apt-get clean

Check:

uname -r
lsb_release -a

⚡ Setup Access (SSH/SFTP)

Install:

apt-get install openssh-server
# or: apt-get install ssh   (client and server metapackage)

Change root password:

passwd root

Add SSH user:

adduser {username}

Apply SUDO on SSH user:

usermod -aG sudo {username}

@ /etc/sudoers (edit it with visudo, which syntax-checks the file before saving; a typo in sudoers locks you out of sudo)

{username} ALL=(ALL) ALL
# {username} ALL=(ALL) NOPASSWD:ALL   (no password prompt: avoid on a server reachable over SSH)
# On Debian the sudo group membership above already grants this through the %sudo rule, so the explicit line is optional.

Setup SSH/SFTP (CHROOT)

Configuration:

@ /etc/ssh/sshd_config

Port {port}
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 3

# Comment out the external helper and use the in-process server, which is what ChrootDirectory requires:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Match blocks go last: every directive after the Match line applies only to the matched user or group.
# ChrootDirectory and each of its parent directories must be owned by root and not writable by group or
# others, otherwise sshd logs "bad ownership or modes for chroot directory" and refuses the login.
Match [User|Group] {username|groupname}
        ForceCommand internal-sftp -u 077
        PasswordAuthentication yes
        ChrootDirectory /var/www
        AllowTCPForwarding no
        X11Forwarding no

Restart:

sshd -t
systemctl restart sshd
# If you changed Port, open the new port in the firewall first and keep the current session open until a
# second login on the new port succeeds.

Check:

tail -f /var/log/auth.log

⚡ Setup Apache Server

Install:

apt-get install apache2
apt-get install libapache2-mod-php7.4

Configuration:

a2enmod rewrite
a2dissite 000-default
a2dissite default-ssl
a2ensite {site}
# a2dissite {site}   (to disable a site again)
apache2ctl configtest
service apache2 restart

⚡ Setup MySQL Server

Install:

apt-get install mariadb-server
mysql_secure_installation

Add database:

mysql -u root

Then, at the MariaDB prompt:

CREATE DATABASE IF NOT EXISTS {database};
-- Grant only on the application's own database. ALL PRIVILEGES ON *.* WITH GRANT OPTION would make this
-- account a second root, so a SQL injection or a leaked config file would expose every database on the host.
CREATE USER '{username}'@'localhost' IDENTIFIED BY '{password}';
GRANT ALL PRIVILEGES ON {database}.* TO '{username}'@'localhost';
FLUSH PRIVILEGES;
exit;

No restart is needed; grants take effect immediately.

Dump:

# -p without a value prompts for the password; a password on the command line is visible in ps and shell history
mysqldump -u {username} -p {database} > {dump.sql}

⚡ Setup PHP

Install:

apt-get install php7.4   # pulls in php7.4-common
apt-get install php7.4-cli
apt-get install php7.4-curl
apt-get install php7.4-intl
apt-get install php7.4-imagick
apt-get install php7.4-{extension}

Change PHP version (when an older module is still enabled, e.g. php7.3 on a host upgraded from Debian 10):

a2dismod php{old_version}
a2enmod php7.4
service apache2 restart

⚡ Setup PhpMyAdmin

Install:

apt-get install phpmyadmin

Configuration:

@ /etc/apache2/apache2.conf

Include /etc/phpmyadmin/apache.conf

or append it from the shell:

echo 'Include /etc/phpmyadmin/apache.conf' >> /etc/apache2/apache2.conf
service apache2 restart

This publishes phpMyAdmin at /phpmyadmin to the whole internet, where it is a standing brute-force target for the database accounts. Restrict it to your own addresses (a Require ip rule in /etc/phpmyadmin/apache.conf) or remove the Include once setup is done.

⚡ Setup FTP (Optional)

Install:

apt-get install vsftpd

Configuration:

@ /etc/vsftpd.conf

Plain FTP sends the password in the clear; prefer the SFTP setup above and only enable this when a client really needs FTP.

Edit:

listen=YES
write_enable=YES
chown_uploads=YES
chown_username=www-data
# (chown_uploads only affects anonymous uploads, which stay disabled below)
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
local_umask=0022
# Keep anonymous access off: anonymous uploads into the web root let anyone plant files that Apache then serves.
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

Add:

allow_writeable_chroot=YES
chmod_enable=YES
ftp_username=www-data
force_dot_files=YES
max_clients=10
max_per_ip=3
hide_ids=YES
user_config_dir=/etc/vsftpd
# 0777 would create world-writable uploads; 0644 matches the file permissions applied to /var/www later in this guide
file_open_mode=0644
user_sub_token=$USER
vsftpd_log_file=/var/log/vsftpd.log

Per-user root directory:

mkdir /etc/vsftpd
nano /etc/vsftpd/{username}

local_root=/var/www/{username}

service vsftpd restart

⚡ Setup DNS Server

Install:

apt-get install bind9
service bind9 restart

⚡ Setup SMTP

Install:

apt-get install postfix mailutils
# add postfix-mysql when Postfix should look up domains and mailboxes in MariaDB
service postfix restart

⚡ Setup TLS/SSL

Install:

apt-get install openssl
apt-get install certbot python3-certbot-apache

Configuration:

certbot --apache
# certbot renew (renewal settings live under /etc/letsencrypt/renewal)
# certbot certonly --cert-name domain.com -d domain.com
service apache2 restart

The Debian certbot package installs a systemd timer (certbot.timer) that already runs the renewal twice a day, so a cron entry is only needed where that timer is disabled. If you add one, call certbot rather than the old letsencrypt command name:

crontab -e

12 3 * * * certbot renew --quiet >> /var/log/letsencrypt/renew.log 2>&1

service cron restart

⚡ Setup Firewall

Install:

apt-get install ufw
Enter fullscreen mode Exit fullscreen mode

Configuration:

ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow 80/tcp
ufw allow 443/tcp
# "ufw allow ssh" opens 22/tcp only; if sshd listens on a custom Port, allow that port instead, ideally
# restricted to your own source addresses as in the two rules below.
ufw allow ssh
ufw allow from {IPV4} to any port {port}
ufw allow from {IPV6} to any port {port}
ufw enable
ufw status verbose
# ufw reset   (start over)

⚡ Setup Permissions

Add WEB/SFTP user:

useradd {username}

Add WEB/SFTP user to www-data Group:

usermod -aG www-data {username}   # or: adduser {username} {group}
usermod -d /var/www -m {username}

Apply WEB/SFTP directory permissions:

# /var/www is the ChrootDirectory from the SSH section, so it must stay owned by root and must not be writable
# by group or others; otherwise sshd logs "bad ownership or modes for chroot directory" and refuses the login.
# Hand the user a subdirectory instead of the whole tree.
chown root:root /var/www
chmod 755 /var/www
chown -R {username}:www-data /var/www/{site}
find /var/www/{site} -type d -exec chmod 755 {} \;
find /var/www/{site} -type f -exec chmod 644 {} \;

Change Access Control Lists (Optional):

# rwx for www-data lets PHP write anywhere under the site, which is exactly what a code-injection exploit needs;
# grant it only on directories that must be writable (uploads, cache). Keep ACLs off /var/www itself: the ACL
# mask is reported in the group permission bits, so a writable mask there fails the chroot check above.
apt-get install acl
setfacl -R -m g:www-data:rwx /var/www/{site}
setfacl -R -m u:{username}:rwx /var/www/{site}

Change Apache user:

@ /etc/apache2/envvars

export APACHE_RUN_USER={username}

or append it from the shell:

echo 'export APACHE_RUN_USER={username}' >> /etc/apache2/envvars

Running Apache as the SFTP user lets the application update itself (plugins, uploads) without ACLs, but it also means that any PHP code-execution bug can rewrite every file that user owns, including the PHP sources. Keep www-data, the default, unless you need that behaviour.

⚡ Setup Redis

Install:

apt-get install redis-server
apt-get install php7.4-redis
apt-get install php7.4-igbinary
Enter fullscreen mode Exit fullscreen mode

Configuration:

@ /etc/redis/redis.conf

# Keep the default bind to loopback. Commenting it out makes Redis listen on every interface, and Redis has no
# authentication unless requirepass is set. If a remote client really needs access, set requirepass and open
# port 6379 in the firewall to that client's address only.
bind 127.0.0.1 ::1
maxmemory 1024mb
maxmemory-policy allkeys-lru

Restart:

service redis-server restart

Test:

redis-cli ping        # expect PONG
# redis-cli FLUSHALL  (deletes every key on the instance; only on an empty test install)
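The following is an added example, not code from the original post: it reads a redis.conf and reports whether the instance is reachable from other hosts, which is the effect of the bind line discussed above. It assumes the Redis 6 semantics shipped with Debian 11, where protected-mode defaults to yes and refuses non-loopback clients only as long as no bind address is set and no password is configured; the script name and the config paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reports what a redis.conf exposes.
# Redis has no authentication unless requirepass is set, so the bind line is the
# only thing keeping it private. Assumes Redis 6 as shipped in Debian 11
# (protected-mode defaults to yes).
set -u

# last_directive FILE NAME: value of the last uncommented NAME line (later lines win in redis.conf)
last_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# redis_exposure FILE: prints one of
#   loopback        bound to loopback addresses only
#   protected       no bind line, but protected mode still refuses remote clients
#   exposed-auth    reachable remotely, password required
#   exposed-noauth  reachable remotely with no password at all
redis_exposure() {
    local conf=$1 bind pass pm addr nonloop=0
    bind=$(last_directive "$conf" bind)
    pass=$(last_directive "$conf" requirepass)
    pm=$(last_directive "$conf" protected-mode)
    if [ -z "$bind" ]; then
        nonloop=1                       # no bind: Redis listens on every interface
    else
        for addr in $bind; do
            case ${addr#-} in           # Redis allows a "-" prefix for optional addresses
                127.0.0.1|::1|localhost) ;;
                *) nonloop=1 ;;
            esac
        done
    fi
    if [ "$nonloop" -eq 0 ]; then
        echo loopback
    elif [ -n "$pass" ]; then
        echo exposed-auth
    elif [ -z "$bind" ] && [ "${pm:-yes}" != no ]; then
        echo protected                  # one "bind 0.0.0.0" or "protected-mode no" away from exposed-noauth
    else
        echo exposed-noauth
    fi
}

# Usage (hypothetical script name): ./redis_exposure.sh /etc/redis/redis.conf
if [ $# -gt 0 ]; then
    redis_exposure "$1"
fi
```

Anything other than loopback deserves a matching ufw rule and a requirepass; protected mode is a safety net, not a configuration.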

⚡ Setup WP-CLI

Install:

wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
# The wp-cli project publishes a .sha512 next to the phar; compare it with sha512sum before installing the file.
php wp-cli.phar --info         # confirm it runs under the installed PHP
chmod +x wp-cli.phar           # u+x alone leaves it executable only by root once moved into PATH
mv wp-cli.phar /usr/local/bin/wp

⚡ Setup GIT

Install:

apt-get install git

Configuration:

git config --global user.name "{username}"
git config --global user.email "{email}"

⚡ Setup Security

Install Fail2ban:

apt-get install fail2ban
# The sshd jail is enabled out of the box on Debian and reads /var/log/auth.log. If you changed Port above,
# set port = {port} in the [sshd] section of /etc/fail2ban/jail.local; otherwise bans only cover port 22.

Secure Apache:

@ /etc/apache2/apache2.conf

# Decrease Timeout value
Timeout 60

@ /etc/apache2/mods-available/ssl.conf

# Use only modern TLS. "-all +TLSv1" would enable TLS 1.0 alone; allow 1.2 and 1.3 and nothing older.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Disable weak ciphers
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

Note that certbot --apache includes /etc/letsencrypt/options-ssl-apache.conf in the TLS vhost, and directives there override these global ones for that vhost; check the effective settings on the vhost, not only in this file.

@ /etc/apache2/sites-available/{site}.conf, inside the site's <Directory> block (userdir.conf only configures per-user ~/public_html directories and is the wrong place)

# Limit HTTP request methods to GET, POST and HEAD
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

@ /etc/apache2/conf-available/security.conf

ServerTokens Prod
TraceEnable off
ServerSignature Off
FileETag None

# Rules for the web root. "Order Allow,Deny" / "Allow from All" are Apache 2.2 directives that only still work
# because Debian enables mod_access_compat; use the 2.4 form.
<Directory /var/www/html>
    Options None
    AllowOverride All
    Require all granted
</Directory>

Enable mod_headers:

a2enmod headers

Then add the response headers (in the same file or in the site's vhost):

# Cookie with HttpOnly and Secure flags
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Clickjacking protection ("set", not "append": a doubled value such as "SAMEORIGIN, SAMEORIGIN" is not valid
# and browsers handle it inconsistently)
Header always set X-Frame-Options SAMEORIGIN

# Legacy XSS filter: current browsers no longer implement it; harmless to keep
Header set X-XSS-Protection "1; mode=block"

# Enforce HTTPS (HSTS); enable only once TLS works on every subdomain, browsers remember it for max-age seconds
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# MIME sniffing protection (no colon after the name, or Apache emits a header literally called "X-Content-Type-Options:")
Header set X-Content-Type-Options "nosniff"

# Content Security Policy: a starting point, not a drop-in. script-src 'self' blocks inline scripts, which the
# WordPress admin and many themes rely on; trial it as Content-Security-Policy-Report-Only first and widen deliberately.
Header set Content-Security-Policy "script-src 'self'; object-src 'none'"

service apache2 restart
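To confirm the headers above actually reach clients after the restart, here is an added example (not part of the original post) that audits a captured response header block for the hardening this section configures: the four security headers, the cookie flags and the version string that ServerTokens Prod removes. The two sample responses are constructed for the demonstration and the script name is an assumption; in practice you feed it the output of curl -sI against your own host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks a captured HTTP response
# header block for the hardening configured in this section. Feed it the output
# of `curl -sI https://host/`. The sample responses below are constructed.
set -u

# Headers the Apache configuration in this guide is expected to emit.
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options content-security-policy"

# header_findings < raw-headers: prints one finding per line, nothing when clean.
header_findings() {
    local raw line lower name
    raw=$(tr -d '\r')                       # HTTP uses CRLF line endings
    for name in $REQUIRED_HEADERS; do
        printf '%s\n' "$raw" | grep -qi "^$name:" || echo "missing: $name"
    done
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case $lower in
            set-cookie:*)
                # the "Header edit Set-Cookie" rule must have added both flags
                case $lower in *httponly*) ;; *) echo "cookie without HttpOnly:${line#*:}" ;; esac
                case $lower in *secure*)   ;; *) echo "cookie without Secure:${line#*:}" ;; esac
                ;;
            server:*apache/*)
                # ServerTokens Prod reduces this to a bare "Server: Apache"
                echo "version disclosed in Server header:${line#*:}"
                ;;
        esac
    done <<<"$raw"
    return 0
}

# Constructed response from a default install, before this section is applied.
SAMPLE_BEFORE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.0 (Debian)
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
EOF
)

# Constructed response with the directives from this section in place.
SAMPLE_AFTER=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: script-src 'self'; object-src 'none'
EOF
)

# Usage (hypothetical script name): curl -sI https://{host}/ > headers.txt; ./check_headers.sh headers.txt
# or, to read the capture from stdin:    curl -sI https://{host}/ | ./check_headers.sh -
if [ $# -gt 0 ]; then
    if [ "$1" = - ]; then header_findings; else header_findings < "$1"; fi
fi
```

An empty result means the response carries everything this section sets; each finding names the directive that did not take effect, which usually points at a vhost that overrides the global configuration.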

Disable FTP access:

# The "deny incoming" default above already blocks port 21, and a raw iptables rule is neither tracked by ufw
# nor kept across reboots. Make the intent explicit through ufw and stop the daemon itself:
ufw deny 21/tcp
systemctl disable --now vsftpd

⚡ Tools

Install:

apt-get install net-tools

⚡ Service

Reset:

systemctl stop {service}
systemctl disable {service}
systemctl unmask {service}
rm /etc/systemd/system/{service}.service
rm /lib/systemd/system/{service}.service   # /usr/lib/systemd/system on a merged-/usr install (the default for new Debian 11 systems)
systemctl daemon-reload
systemctl reset-failed

Authors:

  • Jihad Sinnaour - Jakiboy (Initial work)

⭐ Support:

Please give it a Star if you like the project.
