Pim de Greef - psychology student

Debian webserver II: install LAMP stack

This tutorial, part of a series that will guide you in making a Debian webserver, will show you how to install the LAMP stack; Apache with PHP and MySQL (MariaDB). The tutorials work on Debian 10 (Buster) but will probably work on older versions and newer versions to come.

Always make sure your system is up to date!

$ sudo apt update && sudo apt upgrade

1. Apache
Install Apache and the Apache utilities and check its status.
$ sudo apt install apache2 apache2-utils
$ systemctl status apache2

If it doesn’t say ‘running’, start it manually. 
$ sudo systemctl start apache2

Enable apache at boot.
$ sudo systemctl enable apache2

Open the default port in ufw (you can check which ports the Apache profile covers with $ sudo ufw app info 'Apache').
$ sudo ufw allow 80/tcp

Check the configuration. Besides 'Syntax OK', Apache prints warning AH00558 ('Could not reliably determine the server's fully qualified domain name') when no ServerName is set.
$ sudo apache2ctl -t

If you get that warning, set a ServerName in a new configuration snippet (best to go with the system's fully qualified hostname).
$ sudo vim /etc/apache2/conf-available/servername.conf

ServerName host.name.net


Activate the configuration and reload apache. Running apache2ctl -t again should now print only 'Syntax OK'.
$ sudo a2enconf servername
$ sudo systemctl reload apache2

2. MariaDB database server (MySQL)
$ sudo apt install mariadb-server mariadb-client

Check the status.
$ sudo systemctl status mariadb

If it doesn’t say ‘running’, start it manually. 
$ sudo systemctl start mariadb

Make MariaDB start at boot.
$ sudo systemctl enable mariadb

Run the post-installation script and choose a root password. The remaining questions (remove anonymous users, disallow remote root login, remove the test database, reload the privilege tables) can in most cases all be answered with 'Y'.
$ sudo mysql_secure_installation

Try to log in. On Debian the MariaDB root account authenticates through the unix_socket plugin, so no password is asked when the client runs as the system root user via sudo.
$ sudo mariadb -u root
or
$ sudo mysql -u root

Log out with
> exit;

3. PHP (skip this step and go to 3.x if you want to use PHP-FPM)
Install the PHP modules. At the time of writing PHP 7.3 is the latest stable version.
$ sudo apt install php7.3 libapache2-mod-php7.3 php7.3-mysql php-common php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-readline

Activate PHP and restart apache.
$ sudo a2enmod php7.3
$ sudo systemctl restart apache2
                     
Test if PHP works with a test file.
$ sudo vim /var/www/html/info.php

<?php phpinfo(); ?>


Save the file and point your browser to it (http://your-server/info.php). You should see a long list of information. Delete the file afterwards: phpinfo() reveals the PHP version, loaded modules, file system paths and environment variables, which is fine for testing but a gift to an attacker on a public server.
$ sudo rm /var/www/html/info.php

3.x PHP-FPM (optional, instead of step 3)
Install the PHP-FPM module. At the time of writing PHP 7.3 is the latest stable version.
$ sudo apt install php7.3-fpm

Activate the proxy_fcgi and setenvif modules.
$ sudo a2enmod proxy_fcgi setenvif

Activate the PHP-FPM configuration and restart apache. If you also enabled the mod_php module from step 3, disable it first: the two should not both handle .php files, and mod_php pins Apache to the prefork MPM while PHP-FPM works with the default event MPM.
$ sudo a2enconf php7.3-fpm
$ sudo systemctl restart apache2
                     
Test if PHP works with a test file.
$ sudo vim /var/www/html/info.php

<?php phpinfo(); ?>


Save the file and point your browser to it (http://your-server/info.php). You should see a long list of information. Delete the file afterwards: phpinfo() reveals the PHP version, loaded modules, file system paths and environment variables, which is fine for testing but a gift to an attacker on a public server.
$ sudo rm /var/www/html/info.php

That’s it!

Debian webserver I: basic configuration

This tutorial, part of a series that will guide you in making a Debian webserver, will show you how to prepare your fresh Debian server installation. The tutorials work on Debian 10 (Buster) but will probably work on older versions and newer versions to come. Let’s start with some basic configuration: SSH, setting up an admin account, a firewall and fail2ban.

1. SSH
SSH into your server as root and update. Then, if needed (in case of a VPS you'll get a root password from your provider), change the root password. You are root here, so no sudo is needed; a minimal Debian install may not even have the sudo package yet, in which case install it now, because the following steps rely on it.
# apt update && apt upgrade
# passwd

Create a user with root privileges (sudo).
# adduser admin
# usermod -aG sudo admin

Switch to the new user (admin); 'sudo whoami' should print 'root'. Then check that the account also works over the network by opening a new session with the new user in a new tab or screen (ssh admin@serveripordomain). Do not close the old connection until you have verified that the new user works!
# su - admin
$ sudo whoami

Logged in as the user, change the default SSH port by removing the comment (#) in front of the 'Port' line and changing the number (for example to 10000). Then set 'PermitRootLogin' to 'no'. The non-standard port mainly keeps automated scanners and log noise away; refusing root logins and, in step 2, password logins is what actually hardens the service.
$ sudo vim /etc/ssh/sshd_config

Restart the service and test it by making a new connection in a new screen or tab with 'ssh admin@serveripordomain -p 10000'. Close the old connection only once that works.
$ sudo systemctl restart ssh

2. SSH keygen (optional but strongly recommended!)
Create an SSH key pair on the client computer and choose a passphrase.
$ ssh-keygen -b 4096

Copy the public key to the server.
$ ssh-copy-id -p 10000 admin@server (the port you chose in step 1)

Log in with the new key. If this works, change the SSH config again to disallow password login: set 'PasswordAuthentication' to 'no'.
$ sudo vim /etc/ssh/sshd_config

Now restart the service and test again from a new session before closing the old one. From here on the key is the only way in, so keep a backup of it and remember the passphrase.
$ sudo systemctl restart ssh
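
The sshd_config changes from steps 1 and 2 can also be scripted, which makes them repeatable and lets you validate the file before restarting. The shell example below is mine, not the tutorial's code; the port 10000 and the file path follow the text above, while the function names and the sample config in the dry run are my own assumptions. The one thing it adds to the manual procedure is the `sshd -t` check: a typo in sshd_config would otherwise only show up when the restart fails and your next login is refused.

```shell
#!/bin/sh
# Added example: edit sshd_config the way steps 1 and 2 do by hand, then
# validate with `sshd -t` before restarting. Not the tutorial's own code.

# set_sshd_option KEY VALUE [FILE]
# Rewrites the first active or commented-out "KEY ..." line, drops later
# duplicates, and inserts the option at the top if the key is absent.
# Appending to the end would be wrong: anything after a Match block
# only applies inside that block.
set_sshd_option() {
  key="$1"; value="$2"; file="${3:-/etc/ssh/sshd_config}"
  tmp="$(mktemp)"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    awk -v key="$key" -v value="$value" '
      $0 ~ ("^[# \t]*" key "([ \t]|$)") {
        if (!done) { print key " " value; done = 1 }
        next
      }
      { print }' "$file" > "$tmp"
  else
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
  fi
  # cat, not mv: keeps the owner and mode of the real config file
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Step 1: move the port and refuse root logins. Run as root on the server;
# keep your current session open until `ssh admin@server -p 10000` works.
harden_sshd_step1() {
  set_sshd_option Port "${1:-10000}"
  set_sshd_option PermitRootLogin no
  sshd -t && systemctl restart ssh
}

# Step 2: only after key login has been verified, turn passwords off.
harden_sshd_step2() {
  set_sshd_option PasswordAuthentication no
  set_sshd_option PubkeyAuthentication yes
  sshd -t && systemctl restart ssh
}

# Dry run on a scratch copy, so the result can be inspected without root
# and without touching the live file.
dry_run() {
  scratch="$(mktemp)"
  cp "${1:-/etc/ssh/sshd_config}" "$scratch"
  set_sshd_option Port 10000 "$scratch"
  set_sshd_option PermitRootLogin no "$scratch"
  cat "$scratch"
  rm -f "$scratch"
}
```

Run `dry_run` first to see the rewritten file, then `harden_sshd_step1` as root; `harden_sshd_step2` belongs after the key from step 2 has been copied and tested.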


3. ufw (firewall)
Install ufw (Uncomplicated Firewall), a simple firewall solution.
$ sudo apt install ufw

Allow the SSH port from step 1 before you enable the firewall, otherwise you lock yourself out.
$ sudo ufw allow 10000/tcp

Enable IPv6 if your provider supports it.
$ sudo sed -i 's/IPV6=no/IPV6=yes/g' /etc/default/ufw

Set default rules.
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Set logging to low.
$ sudo ufw logging low

Enable the firewall and check the status. You should again check if this works by making a new SSH connection.
$ sudo ufw enable
$ sudo ufw status

4. fail2ban (intrusion prevention)
Install fail2ban, enable it at boot and start it. This is fairly simple but effective intrusion prevention software.
$ sudo apt install fail2ban
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban

I recommend adding a portscan 'definition'. This will help mitigate brute force attacks and (automated) scans. I also recommend learning more about fail2ban.

First let's look at the 'action'. This is what actually blocks perpetrators. On Debian 10 the fail2ban package already ships /etc/fail2ban/action.d/ufw.conf; if the file exists, leave the packaged version as it is. If you do have to write it yourself, insert the deny rule at position 1: ufw evaluates rules in order, so a deny rule appended after the 'allow 10000/tcp' rule from step 3 would never be reached for SSH traffic from the banned address. (Inserting at position 1 needs at least one existing rule, which the SSH rule from step 3 provides.)
$ sudo vim /etc/fail2ban/action.d/ufw.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny in from <ip>
actionunban = ufw delete deny in from <ip>


Then we'll have to make a 'filter'. This scans the firewall log for blocked connections and extracts the source address from each line.
$ sudo vim /etc/fail2ban/filter.d/portscan.conf

[Definition]
failregex = UFW BLOCK.* SRC=<HOST>
ignoreregex =


Create your own overriding configuration file. Together with the basic configuration in '/etc/fail2ban/jail.conf' it makes up the effective configuration, and unlike jail.conf it survives fail2ban updates. Whitelist the local IP ranges (and your own address?) in the [DEFAULT] section so that every jail honours them, then enable the portscan jail.
$ sudo vim /etc/fail2ban/jail.local

[DEFAULT]
# local IPs; add your own static address here if you have one
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[portscan]
enabled = true
filter = portscan
logpath = /var/log/ufw.log
action = ufw
maxretry = 5
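
To see what the portscan filter and the jail settings above actually do, here is an added shell example (mine, not the tutorial's) that replays the same failregex, the maxretry threshold and the ignoreip ranges over a few constructed ufw log lines. The addresses come from the documentation ranges and the lines are made up for the example; the function names are my own. It is an offline stand-in for running fail2ban-regex against the real log.

```shell
#!/bin/sh
# Added example: replay the portscan filter, maxretry and ignoreip logic
# over constructed ufw log lines. Not the tutorial's own code.

# Constructed sample of /var/log/ufw.log: 203.0.113.7 probes six ports,
# 198.51.100.23 hits two, 192.168.1.5 (in a whitelisted LAN range) hits
# seven, and one [UFW ALLOW] line shows that only BLOCK entries count.
sample_log() {
  cat <<'EOF'
Mar  3 12:00:01 web kernel: [  100.000001] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54321 DPT=23 SYN
Mar  3 12:00:02 web kernel: [  100.000002] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54322 DPT=22 SYN
Mar  3 12:00:02 web kernel: [  100.000003] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54323 DPT=3389 SYN
Mar  3 12:00:03 web kernel: [  100.000004] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54324 DPT=445 SYN
Mar  3 12:00:03 web kernel: [  100.000005] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54325 DPT=8080 SYN
Mar  3 12:00:04 web kernel: [  100.000006] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=54326 DPT=21 SYN
Mar  3 12:00:05 web kernel: [  100.000007] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  3 12:00:06 web kernel: [  100.000008] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=UDP SPT=40002 DPT=161
Mar  3 12:00:07 web kernel: [  100.000009] [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=10000 SYN
Mar  3 12:00:08 web kernel: [  100.000010] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50001 DPT=22 SYN
Mar  3 12:00:08 web kernel: [  100.000011] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50002 DPT=23 SYN
Mar  3 12:00:08 web kernel: [  100.000012] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50003 DPT=25 SYN
Mar  3 12:00:09 web kernel: [  100.000013] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50004 DPT=80 SYN
Mar  3 12:00:09 web kernel: [  100.000014] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50005 DPT=110 SYN
Mar  3 12:00:09 web kernel: [  100.000015] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50006 DPT=143 SYN
Mar  3 12:00:10 web kernel: [  100.000016] [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.5 DST=192.168.1.10 PROTO=TCP SPT=50007 DPT=443 SYN
EOF
}

# Same ranges as the ignoreip line in jail.local, as prefix matches:
# 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
is_ignored() {
  case "$1" in
    127.*|10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# banned_hosts MAXRETRY: reads ufw log lines on stdin and prints every
# source address that the portscan jail would ban, i.e. one with at least
# MAXRETRY lines matching the failregex 'UFW BLOCK.* SRC=<HOST>' and not
# covered by ignoreip. (fail2ban also applies a findtime window; this
# replay counts the whole input.)
banned_hosts() {
  maxretry="${1:-5}"
  grep -E 'UFW BLOCK.* SRC=[0-9a-fA-F.:]+' |
    sed -E 's/.*UFW BLOCK.* SRC=([0-9a-fA-F.:]+).*/\1/' |
    LC_ALL=C sort | uniq -c |
    while read -r count host; do
      if [ "$count" -ge "$maxretry" ] && ! is_ignored "$host"; then
        echo "$host"
      fi
    done
}

# With the jail's maxretry = 5 only 203.0.113.7 is banned: 198.51.100.23
# stays under the threshold and 192.168.1.5 is whitelisted.
sample_log | banned_hosts 5
```

On the server itself the equivalent check against the real log is `sudo fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/portscan.conf`, which reports how many lines matched and which hosts it extracted; if that shows zero matches, check that ufw logging is on and that the log really lands in /var/log/ufw.log.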


I suggest that you add the following basic jails to '/etc/fail2ban/jail.local' too (not to jail.conf, which package updates overwrite). The sshd jail watches the SSH log for failed logins; recidive re-bans, for a much longer time, addresses that keep coming back after an earlier ban expires. We'll talk about more fail2ban jails (for software we will install later) in another tutorial.

[sshd]
enabled = true
# or whichever port you chose in step 1
port = 10000

[recidive]
enabled = true
maxretry = 3


Now reload the configuration.
$ sudo systemctl reload fail2ban

Check the status of the fail2ban service and the status of the jails.
$ sudo systemctl status fail2ban.service
$ sudo fail2ban-client status
$ sudo fail2ban-client status sshd

That’s it for now.