  1. #1
    Join Date
    Nov 2011
    Location
    war driving
    Posts
    22
    Thanks
    2
    Thanked 4 Times in 4 Posts
    Rep Power
    0

    Basic Debian LAMP setup

    This is how I generally set up a new Debian server or VPS. This process normally only takes a few minutes to have a nice, secure, production-worthy LAMP setup up and running quickly. This is one of the main reasons I love Debian so much. In this I assume that you have a bare, newly rented server without any prior installations, and I cover a few of my common practices that make my life as a sysadmin a little bit easier. We will forget for now that some of their policy decisions seem to be motivated by too much coffee and estrogen.

    Update sources
    Code:
    #most of the following should be executed as root
    apt-get update
    apt-get upgrade

    Screen
    GNU screen will be something you learn to love as you become more experienced with it. The following UI setup I found somewhere a long time ago and have been using it ever since.
    Code:
    apt-get install screen
    vi ~/.screenrc
    hardstatus on
    hardstatus alwayslastline
    hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
    
    #to start a screen session simply type 'screen'
    screen
    Control +a c adds a new window
    Control +a n switches to the next window
    Control +a p switches to the previous window
    Control +a x locks the screen session
    Control +a k kills the current window
    Control +a d detaches from the screen session

    screen -ls will list the current screen sessions
    screen -x xxx will reattach the given screen session

    Install fail2ban
    fail2ban is a great piece of software that monitors a log file for a given pattern (e.g. failed ssh logins, failed ftp logins, etc.) and will block them for a variable amount of time depending on your requirements. This is great for preventing brute-force attacks.
    Code:
    apt-get install fail2ban

    IPtables
    This is where I differ from some sysadmins. Most create a shell script that holds all of their iptables rules, but I use two nifty packages shipped by default with Debian (iptables-restore & iptables-save).

    First, we save the default fail2ban rules somewhere that is easy to remember
    Code:
    iptables-save > /etc/iptables

    And now we add our two basic rules to allow web and ssh traffic

    Code:
    vi /etc/iptables
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *mangle
    :PREROUTING ACCEPT [2507975:1707373020]
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :POSTROUTING ACCEPT [2481524:1683726521]
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *filter
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *nat
    :PREROUTING ACCEPT [11674:749649]
    :POSTROUTING ACCEPT [11773:720169]
    :OUTPUT ACCEPT [11773:720169]
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011

    You will notice that we added the following 4 lines, which accept all web and ssh traffic and drop everything else.
    Code:
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP

    Now we update our iptables rules
    Code:
    iptables-restore /etc/iptables

    MySQL

    Now we install MySQL
    Code:
    apt-get install mysql-server mysql-client

    Just follow the on-screen instructions and you will be given the chance to create a root password. I would make note of this password if I were you.

    Apache and PHP5
    Here we install apache2 and php5 along with php5-suhosin for added security
    Code:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin

    Now the basic suhosin setup
    Code:
    vi /etc/php5/apache2/php.ini
    [suhosin]
    extension=suhosin.so
    ;Disable session encryption (required for most login scripts)
    suhosin.session.encrypt = Off
    ;Log all errors
    suhosin.log.syslog=511
    ;Max traversal depth ie '../../'
    suhosin.executor.include.max_traversal=4
    ;Disable eval
    suhosin.executor.disable_eval=On
    ;Disable /e modifier
    suhosin.executor.disable_emodifier=On
    ;Disallow newlines in Subject:, To: headers and double newlines in additional headers
    suhosin.mail.protect=2
    ;Recommended Settings
    ;Silently fail all failed sql queries. You may want to disable this for a development environment
    suhosin.sql.bailout_on_error=On

    Now we set up ssl
    Code:
    a2enmod ssl
    #apache2ctl sources /etc/apache2/envvars, which the bare apache2 binary does not
    apache2ctl restart

    The vhost configs are in /etc/apache2/sites-available/default. If you are planning on having several domains, the common practice on Debian servers is to have the document root under /var/www and a corresponding config in /etc/apache2/sites-available/.

    As an example, if my site was named domain.com I would do the following
    Code:
    mkdir /var/www/domain.com
    chown www-data:www-data /var/www/domain.com
    chmod ug+r /var/www/domain.com
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
    vi /etc/apache2/sites-available/domain.com
    #......edit accordingly
    #enable the new vhost; a config in sites-available alone is not loaded
    a2ensite domain.com
    apache2ctl restart

    This is all really pretty easy and should only take a few minutes to have a basic and secure LAMP setup up and running.
    Last edited by tomfmason; 11-10-2011 at 10:37 AM.

  2. The Following User Says Thank You to tomfmason For This Useful Post:

    Rob (11-09-2011)
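
Added example, not part of tomfmason's post: a small Python evaluator that walks the INPUT chain of the saved ruleset and returns the verdict for the first packet of a connection, so the file can be checked before `iptables-restore` loads it. It handles only the match options that appear in the post (`-i`, `-p`, `--dport`/`--dports`, `--state`); the names `new_conn` and `FIXED`, and the loopback and port 443 changes in `FIXED`, are assumptions for illustration.

```python
import shlex
# Constructed sample: INPUT-related lines of the post's *filter table, counters zeroed.
SAVED = """*filter
:INPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
"""
# Assumed hardening (not in the post): accept loopback first and open 443.
FIXED = SAVED.replace("-A INPUT -m state", "-A INPUT -i lo -j ACCEPT\n-A INPUT -m state", 1) \
             .replace("80,22", "80,443,22")

def parse(text):  # -> (policies, chains) for the *filter table
    policies, chains, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif in_filter and line.startswith("-A "):
            tok = shlex.split(line)  # handles only "flag value" pairs, no "!" negation
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def matches(o, pkt):  # every condition present on the rule must hold
    ports = o.get("--dports") or o.get("--dport")
    return (("-i" not in o or o["-i"] == pkt["iface"])
            and ("-p" not in o or o["-p"] == pkt["proto"])
            and (not ports or str(pkt["dport"]) in ports.split(","))
            and ("--state" not in o or pkt["state"] in o["--state"].split(",")))

def verdict(policies, chains, pkt, chain="INPUT"):  # first terminal target wins
    for o in chains.get(chain, []):
        target = o.get("-j") if matches(o, pkt) else None
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target in policies and (sub := verdict(policies, chains, pkt, target)):
            return sub
    return None if policies[chain] == "-" else policies[chain]  # "-" = user chain

def new_conn(iface, proto, dport, text=SAVED):  # first packet (state NEW) of a connection
    return verdict(*parse(text), dict(iface=iface, proto=proto, dport=dport, state="NEW"))
```

Against the posted rules, a new TCP connection arriving on `lo` or to port 443 is dropped even though mod_ssl is enabled later in the post, while traffic that is neither TCP nor UDP (ICMP, for instance) falls through to the chain's ACCEPT policy.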




  3. #2
    Join Date
    Nov 2011
    Posts
    93
    Thanks
    5
    Thanked 1 Time in 1 Post
    Rep Power
    2
    I've also installed LAMP in my computer for a while now and I have also installed WordPress and MyBB in my http://localhost
    but what I'm gonna be trying to achieve is to know if I can set it up live where people worldwide can access the sites I've set up in my localhost. How can I do this?

  4. #3
    Quote Originally Posted by enhu
    I've also installed LAMP in my computer for a while now and I have also installed WordPress and MyBB in my http://localhost
    but what I'm gonna be trying to achieve is to know if I can set it up live where people worldwide can access the sites I've set up in my localhost. How can I do this?

    The only things you should need after having a similar setup would be a public-facing IP (i.e. static), a DNS server, and, if you are lucky, your provider has not blocked incoming connections on port 80 and/or 52 (if you host your own DNS server). If you don't have a static IP, you will have to use a dynamic DNS service, and I would recommend ZoneEdit. It is free and easy to use imo.

  5. The Following User Says Thank You to tomfmason For This Useful Post:

    enhu (11-10-2011)

  6. #4
    Quote Originally Posted by tomfmason
    The only things you should need after having a similar setup would be a public-facing IP (i.e. static), a DNS server, and, if you are lucky, your provider has not blocked incoming connections on port 80 and/or 52 (if you host your own DNS server). If you don't have a static IP, you will have to use a dynamic DNS service, and I would recommend ZoneEdit. It is free and easy to use imo.

    Seems like there's much to do. How do I know that my provider didn't block incoming connections on port 80 and/or 52?
    Creating a DNS server means another computer, right?

  7. #5
    Quote Originally Posted by enhu
    How do I know that my provider didn't block incoming connections on port 80 and/or 52?

    That should be as easy as finding your IP address and using a browser to navigate (or telnet) to http://XXX.XXX.XXX.XXX:80 where the x's are your IP address.

    Quote Originally Posted by enhu
    Creating a DNS server means another computer, right?

    Not necessarily. All you have to do is install Bind9 (or some other DNS server) and add your IP for the nameservers for your domain with your registrar.

  8. The Following User Says Thank You to tomfmason For This Useful Post:

    enhu (11-10-2011)

  9. #6
    I already have installed LAMP, I can access my localhost/phpmyadmin/ and have already tested it by installing scripts on it.
    I'm not sure how to configure bind yet. Apart from it, which is a lot easier to install as my DNS server?

    Tried browsing /myipaddress:80 and "The connection has timed out" error prompts, or is it because I don't have the DNS server installed?

  10. #7
    Join Date
    May 2012
    Posts
    53
    Thanks
    2
    Thanked 1 Time in 1 Post
    Rep Power
    2
    Can you set up a Debian server with a dynamic IP address?

  11. #8
    Oops, you answered that question.

 

 
