Basic Debian LAMP setup
This is how I generally set up a new Debian server or VPS. It normally takes only a few minutes to have a reasonably secure, production-worthy LAMP stack up and running, which is one of the main reasons I love Debian so much. I assume you have a bare, newly rented server without any prior installations, and I cover a few of my common practices that make my life as a sysadmin a little easier. We will forget for now that some of their policy decisions seem to be motivated by too much coffee and estrogen.

Update sources

Most of the following should be executed as root.

    apt-get update
    apt-get upgrade
Screen

GNU screen is something you will learn to love as you become more experienced with it. The following status-line setup I found somewhere a long time ago and have been using ever since.

    vi ~/.screenrc

    hardstatus on
    hardstatus alwayslastline
    hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
Useful key bindings:

    Control+a c    create a new window
    Control+a n    switch to the next window
    Control+a p    switch to the previous window
    Control+a x    lock the screen session
    Control+a k    kill the current window
Install fail2ban

fail2ban is a great piece of software that watches a log file for a given pattern (e.g. failed SSH logins, failed FTP logins) and blocks the offending source address for a configurable amount of time. This is great for slowing down brute-force attacks.

    apt-get install fail2ban
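To make it concrete what fail2ban is doing behind the scenes, here is the same kind of pattern matching done by hand with awk over a few constructed auth.log lines. This is an added example, not part of the original post and not fail2ban's own code; the threshold of three failures and the sample log are assumptions, and the ban rule is printed rather than executed so the script is safe to run anywhere.

```sh
#!/bin/sh
# Added example: what fail2ban's ssh jail does, reduced to a grep-and-count
# over sshd lines in Debian's auth.log format. The log below is constructed.

SAMPLE_AUTH_LOG='Nov  9 22:10:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov  9 22:10:03 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov  9 22:10:05 vps sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov  9 22:10:09 vps sshd[2105]: Failed password for root from 198.51.100.2 port 40110 ssh2
Nov  9 22:10:12 vps sshd[2107]: Accepted publickey for deploy from 192.0.2.10 port 55123 ssh2
Nov  9 22:10:15 vps sshd[2109]: Invalid user oracle from 203.0.113.7
Nov  9 22:10:20 vps sshd[2111]: Failed password for root from 198.51.100.2 port 40118 ssh2'

# Print, one per line and sorted, every source address that produced at
# least $2 failures in the log text $1. Two sshd messages count as a
# failure: "Failed password for ... from <ip>" and "Invalid user ... from <ip>".
# Successful logins ("Accepted ...") are deliberately not matched.
ban_candidates() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max+0) print ip }
    ' | sort
}

# The shape of the rule fail2ban inserts into its own chain for a banned
# address (the chain name matches the one in the ruleset later in the post).
ban_rule() {
    printf 'iptables -I fail2ban-ssh 1 -s %s -j DROP\n' "$1"
}

# Usage: on a real host replace SAMPLE_AUTH_LOG with "$(cat /var/log/auth.log)"
# and pipe the output to sh instead of just printing it.
ban_candidates "$SAMPLE_AUTH_LOG" 3 | while read -r ip; do ban_rule "$ip"; done
```

With the sample above only 203.0.113.7 crosses the threshold (three failed passwords plus one invalid-user line); 198.51.100.2 has two failures and is left alone, which is the point of a threshold: a single typo from a legitimate admin must not lock them out.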
IPtables

This is where I differ from some sysadmins. Most seem to create a shell script that holds all of their iptables rules, but I use two nifty tools that ship with Debian's iptables package: iptables-save and iptables-restore.
First we save the current rules, which at this point are just fail2ban's default chain, somewhere that is easy to remember:

    iptables-save > /etc/iptables

Now we add our basic rules to allow web and SSH traffic and drop everything else:
    vi /etc/iptables

    # Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
    *mangle
    :PREROUTING ACCEPT [2507975:1707373020]
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :POSTROUTING ACCEPT [2481524:1683726521]
    COMMIT
    # Completed on Wed Nov 9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
    *filter
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Wed Nov 9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov 9 22:16:52 2011
    *nat
    :PREROUTING ACCEPT [11674:749649]
    :POSTROUTING ACCEPT [11773:720169]
    :OUTPUT ACCEPT [11773:720169]
    COMMIT
    # Completed on Wed Nov 9 22:16:52 2011
You will notice that we added the following four lines, which accept replies to connections we started, accept new web and SSH connections, and drop all other TCP and UDP traffic:

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP

Order matters here: the jump to fail2ban-ssh stays above the accept for port 22, so a banned address is dropped before the accept rule is ever reached. Also note there is no rule for the loopback interface, so a new TCP connection to 127.0.0.1 on any port other than 22 or 80 is dropped; that is fine while PHP talks to MySQL over the Unix socket, but add -A INPUT -i lo -j ACCEPT before the drops if anything connects over loopback TCP.
Now we load the new rules:

    iptables-restore /etc/iptables

Do this from the console or with a fallback in place, because a typo in the file can cut off your own SSH session. Loaded rules also do not survive a reboot; on Debian the usual fix is a small script in /etc/network/if-pre-up.d/ that runs iptables-restore /etc/iptables before the interfaces come up.
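The following is an added example, not from the original post: a ruleset in the same iptables-save format, written by a function so it can be inspected before loading, and a lockout-safe loading procedure. It differs from the post's rules in four ways that are explained in the comments (loopback and ICMP accepted, 443 opened since mod_ssl is enabled later, and fail2ban's chain left out because fail2ban creates it itself). The file path is a parameter so the generator runs without root; iptables-restore --test is assumed to be available, which is true for current iptables but may not be for very old releases.

```sh
#!/bin/sh
# Added example, not the post's own ruleset. Same iptables-save format the
# post uses, generated by a function so it can be reviewed before loading.

write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT
EOF
}
# Differences from the post's file, and why:
#  - loopback accepted first: local TCP connections (e.g. to MySQL on
#    127.0.0.1:3306) are otherwise caught by the default DROP policy
#  - ICMP allowed so path-MTU discovery and ping keep working
#  - 443 opened next to 80 and 22, since the post enables mod_ssl
#  - no fail2ban-ssh chain in the file: fail2ban creates and fills it when
#    it starts, so persisting a stale copy only causes conflicts
#  - default policy DROP instead of trailing DROP rules: more robust, but it
#    means "iptables -F" locks you out until the rules are reloaded

# Line number of the first INPUT rule matching $2 in file $1; used to check
# the ordering that matters (loopback and ESTABLISHED before anything else).
rule_index() {
    grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Load a ruleset over SSH without locking yourself out: syntax-check it,
# schedule a rollback to the previous rules, apply, and cancel the rollback
# only after you have confirmed the session still works. Needs root.
apply_safely() {
    iptables-save > /etc/iptables.previous
    iptables-restore --test "$1" || return 1      # parse only, commits nothing
    ( sleep 120 && iptables-restore /etc/iptables.previous ) &
    rollback=$!
    iptables-restore "$1"
    echo "Rules loaded. If this SSH session still works, run: kill $rollback"
}

# Usage, as root on the real host:
#   write_ruleset /etc/iptables && apply_safely /etc/iptables
```

If the new rules do break SSH, the background job restores the previous ruleset after two minutes and you can log back in; if they work, killing the job keeps them. Either way the file on disk is what if-pre-up.d reloads at boot, so test it before rebooting rather than after.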
MySQL
Now we install MySQL:

    apt-get install mysql-server mysql-client
Just follow the on-screen instructions and you will be asked to set a root password. Make a note of it. Once the install finishes, run mysql_secure_installation to remove the anonymous accounts and the test database, which the package leaves in place by default.
Apache and PHP5

Here we install apache2 and php5 along with php5-suhosin for added hardening:

    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin
Now the basic suhosin setup:

    vi /etc/php5/apache2/php.ini

    [suhosin]
    extension=suhosin.so
    ; Disable session encryption (required for most login scripts)
    suhosin.session.encrypt = Off
    ; Log all error classes to syslog
    suhosin.log.syslog=511
    ; Max traversal depth of '../' allowed in include paths
    suhosin.executor.include.max_traversal=4
    ; Disable eval()
    suhosin.executor.disable_eval=On
    ; Disable the preg_replace /e modifier
    suhosin.executor.disable_emodifier=On
    ; Disallow newlines in Subject: and To: headers and double newlines in additional mail headers
    suhosin.mail.protect=2
    ; Recommended setting
    ; Abort the script on any failed SQL query instead of letting it carry on. You may want to disable this in a development environment
    suhosin.sql.bailout_on_error=On

Be aware that disable_eval breaks any application that relies on eval(), so check the code you intend to deploy before turning it on.
Now we enable SSL:

    a2enmod ssl
    apache2ctl -k restart

On Debian, restart Apache through apache2ctl or the init script rather than the apache2 binary directly; the binary does not read /etc/apache2/envvars and fails with a bad user name error for ${APACHE_RUN_USER}. Enabling the module only loads mod_ssl: the HTTPS vhost in /etc/apache2/sites-available/default-ssl still needs a2ensite and a real certificate before it serves anything.
The vhost configs live in /etc/apache2/sites-available, starting with the default one in /etc/apache2/sites-available/default. If you plan to host several domains, the common practice on Debian servers is to keep each document root under /var/www and a corresponding config in /etc/apache2/sites-available/.
As an example, if my site were named domain.com I would do the following:

    mkdir /var/www/domain.com
    chown www-data:www-data /var/www/domain.com
    chmod ug+r /var/www/domain.com
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
    vi /etc/apache2/sites-available/domain.com   # edit accordingly
    a2ensite domain.com
    apache2ctl -k restart

Apache only reads sites-enabled, so without the a2ensite step the new config is never loaded.
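Here is the per-domain setup as one function, as an added example rather than the post's commands. It makes two changes worth having: the document root is left owned by root and merely readable by www-data (a web server that can write its own document root turns any PHP upload bug into a persistent backdoor), and the config is syntax-checked before the restart so one typo cannot take every site down. The directory arguments exist only so the function can be exercised in a scratch directory; the vhost uses the Apache 2.2 access directives of that Debian release (on 2.4 the Order/Allow pair becomes Require all granted), and the site name and log file names are assumptions.

```sh
#!/bin/sh
# Added example, not the post's own commands: create a document root and
# vhost for one domain. Arguments: domain, web root, sites-available dir,
# sites-enabled dir (on a real host: /var/www /etc/apache2/sites-available
# /etc/apache2/sites-enabled).

new_vhost() {
    domain="$1"; webroot="$2"; avail="$3"; enabled="$4"
    docroot="$webroot/$domain"

    mkdir -p "$docroot"
    # root owns the tree; group www-data may read and traverse it, nobody
    # else. chown needs root, so it is skipped silently in a scratch run.
    chown -R root:www-data "$docroot" 2>/dev/null || true
    chmod 750 "$docroot"

    # Minimal vhost (Apache 2.2 syntax). Directory listings and SSI are off,
    # and .htaccess is ignored so the config stays in one reviewable place.
    cat > "$avail/$domain" <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $docroot
    <Directory $docroot>
        Options -Indexes -Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
    # a2ensite only creates this symlink; done by hand so the function also
    # works outside Debian's apache2 tooling (and in the scratch run).
    ln -sf "$avail/$domain" "$enabled/$domain"
}

# Octal permission bits of a directory, for checking the result.
docroot_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real host, then check the config before touching the running server:
#   new_vhost domain.com /var/www /etc/apache2/sites-available /etc/apache2/sites-enabled
#   apache2ctl configtest && apache2ctl -k graceful
```

Deploy the site's files as root or a dedicated deploy user and chown them root:www-data as well; if the application genuinely needs a writable directory (uploads, caches), give www-data write access to that one directory only and keep PHP execution out of it.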
This is all really pretty easy and should take only a few minutes to have a basic, reasonably secure LAMP setup up and running.