Basic Debian LAMP setup

Discussion in 'Linux Server' started by tomfmason, Nov 9, 2011.

  1. tomfmason

    tomfmason New Member Staff Writer

    Messages:
    22
    Likes Received:
    6
    Trophy Points:
    0
    This is how I generally set up a new Debian server or VPS. This process normally only takes a few minutes to have a nice, secure, production-worthy LAMP setup up and running quickly. This is one of the main reasons I love Debian so much. In this I assume that you have a bare, newly rented server without any prior installations, and I cover a few of my common practices that make my life as a sysadmin a little bit easier. We will forget for now that some of their policy decisions seem to be motivated by too much coffee and estrogen.

    Update sources
    Code:
    #most of the following should be executed as root
    apt-get update
    apt-get upgrade
    
    Screen
    GNU screen will be something you learn to love as you become more experienced with it. The following UI setup I found somewhere a long time ago and have been using it ever since.
    Code:
    apt-get install screen
    
    #put the following three lines in ~/.screenrc
    vi ~/.screenrc
    hardstatus on
    hardstatus alwayslastline
    hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
    
    #to start a screen session simply type 'screen'
    screen
    
    Control +a c adds a new window
    Control +a n switches to the next window
    Control +a p switches to the previous window
    Control +a x locks the screen session
    Control +a k kills the current window
    Control +a d detaches from the screen session

    screen -ls will list the current screen sessions
    screen -x xxx will reattach the given screen session

    Install fail2ban
    fail2ban is a great piece of software that monitors a log file for a given pattern (e.g. failed SSH logins, failed FTP logins, etc.) and will block the offending hosts for a variable amount of time depending on your requirements. This is great for preventing brute-force attacks.
    Code:
    apt-get install fail2ban
    
    IPtables
    This is where I differ from some sysadmins. Most create a shell script that holds all of their iptables rules, but I use two nifty packages shipped by default with Debian (iptables-restore & iptables-save).

    First, we save the default fail2ban rules somewhere that is easy to remember.
    Code:
    iptables-save > /etc/iptables
    
    And now we add our two basic rules to allow web and SSH traffic.
    Code:
    vi /etc/iptables
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *mangle
    :PREROUTING ACCEPT [2507975:1707373020]
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :POSTROUTING ACCEPT [2481524:1683726521]
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *filter
    :INPUT ACCEPT [2507975:1707373020]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2481524:1683726521]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    *nat
    :PREROUTING ACCEPT [11674:749649]
    :POSTROUTING ACCEPT [11773:720169]
    :OUTPUT ACCEPT [11773:720169]
    COMMIT
    # Completed on Wed Nov  9 22:16:52 2011
    
    You will notice that we added the following 4 lines, which accept all web and SSH traffic and drop everything else.
    Code:
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    
    Now we update our iptables rules.
    Code:
    iptables-restore /etc/iptables
    
    MySQL

    Now we install MySQL.
    Code:
    apt-get install mysql-server mysql-client
    
    Just follow the on-screen instructions and you will be given the chance to create a root password. I would make note of this password if I were you.

    Apache and PHP5
    Here we install apache2 and php5 along with php5-suhosin for added security.
    Code:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin
    

    Now the basic suhosin setup
    Code:
    vi /etc/php5/apache2/php.ini
    [suhosin]
    extension=suhosin.so
    ;Disable session encryption (required for most login scripts)
    suhosin.session.encrypt = Off
    ;Log all errors
    suhosin.log.syslog=511
    ;Max traversal depth, i.e. '../../'
    suhosin.executor.include.max_traversal=4
    ;Disable eval
    suhosin.executor.disable_eval=On
    ;Disable /e modifier
    suhosin.executor.disable_emodifier=On
    ;Disallow newlines in Subject:, To: headers and double newlines in additional headers
    suhosin.mail.protect=2
    ;Recommended settings
    ;Silently fail all failed SQL queries. You may want to disable this for a development environment
    suhosin.sql.bailout_on_error=On
    

    Now we set up SSL.
    Code:
    a2enmod ssl
    #use apache2ctl rather than calling apache2 directly: on Debian only apache2ctl sources /etc/apache2/envvars, which the config depends on
    apache2ctl -k restart
    
    The vhost configs are in /etc/apache2/sites-available/default. If you are planning on having several domains, the common practice on Debian servers is to have the document root under /var/www and a corresponding config in /etc/apache2/sites-available/.

    As an example, if my site was named domain.com I would do the following.
    Code:
    mkdir /var/www/domain.com
    chown www-data:www-data /var/www/domain.com
    chmod ug+r /var/www/domain.com
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
    vi /etc/apache2/sites-available/domain.com
    #......edit accordingly 
    apache2ctl -k restart
    
    This is all really pretty easy and should only take a few minutes to have a basic and secure lamp setup up and running :)
    DevynCJohnson and Rob like this.
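    The following script is an added example (not tomfmason's own ruleset) that generates the same "web + SSH in, drop the rest" filter table in iptables-save format, so the file can be fed to iptables-restore exactly as the post does. The function names (gen_rules, lint_rules, count_input_rules) are made up for the example. It also adds one line the post's ruleset leaves out: an ACCEPT on the loopback interface, without which a local client connecting to MySQL on 127.0.0.1:3306 would hit the catch-all TCP DROP. The lint function checks the generated file before it is loaded; run it as `gen_rules 80 22 > /etc/iptables` followed by `lint_rules /etc/iptables && iptables-restore /etc/iptables`.

```sh
#!/bin/sh
# Added example: build and sanity-check an iptables-restore file for the
# "accept web and ssh, drop everything else" policy from the post.
# Only the *filter table is emitted; iptables-restore leaves tables that
# are not mentioned in the file untouched.

# gen_rules PORT... : print a *filter table that accepts the given TCP
# ports, loopback and related/established traffic, and drops other TCP/UDP.
gen_rules() {
    [ $# -gt 0 ] || { echo "usage: gen_rules PORT..." >&2; return 2; }
    ports=$(printf '%s,' "$@")
    ports=${ports%,}                      # "80,22," -> "80,22"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${ports} -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
COMMIT
EOF
}

# lint_rules FILE : return 0 when the file ends with COMMIT, keeps the
# stateful ACCEPT and both catch-all DROPs, and has no ACCEPT rule placed
# after the DROPs (such a rule would never be reached).
lint_rules() {
    f=$1
    grep -q '^COMMIT$' "$f" || return 1
    grep -q -- '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$' "$f" || return 1
    grep -q -- '^-A INPUT -p tcp -j DROP$' "$f" || return 1
    grep -q -- '^-A INPUT -p udp -j DROP$' "$f" || return 1
    awk '$0 ~ /^-A INPUT -p (tcp|udp) -j DROP$/ { dropped = 1; next }
         dropped && $0 ~ /^-A INPUT .* -j ACCEPT$/ { exit 1 }' "$f"
}

# count_input_rules FILE : number of -A INPUT lines, handy to compare with
# the output of `iptables -S INPUT` after the restore.
count_input_rules() {
    grep -c -- '^-A INPUT ' "$1"
}
```

    The lint deliberately refuses an ACCEPT that sits after the catch-all DROPs: that is the most common mistake when a port is appended to the bottom of /etc/iptables by hand, and iptables-restore will happily load it without complaint.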
  2. enhu

    enhu New Member

    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    0
    I've also installed LAMP on my computer for a while now, and I have also installed WordPress and MyBB in my http://localhost,
    but what I'm going to be trying to achieve is to know if I can set it up live where people worldwide can access the sites I've set up on my localhost. How can I do this?
  3. tomfmason

    tomfmason New Member Staff Writer

    Messages:
    22
    Likes Received:
    6
    Trophy Points:
    0
    The only things you should need after having a similar setup would be a public-facing IP (i.e. static), a DNS server, and, if you are lucky, your provider has not blocked incoming connections on port 80 and/or 52 (if you host your own DNS server). If you don't have a static IP, you will have to use a dynamic DNS service and I would recommend ZoneEdit. It is free and easy to use, imo.
    enhu likes this.
  4. enhu

    enhu New Member

    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    0
    Seems like there's much to do. How do I know that my provider didn't block incoming connections on port 80 and/or 52?
    Creating a DNS server means another computer, right?
  5. tomfmason

    tomfmason New Member Staff Writer

    Messages:
    22
    Likes Received:
    6
    Trophy Points:
    0
    That should be as easy as finding your IP address and using a browser to navigate (or telnet) to http://XXX.XXX.XXX.XXX:80, where the x's are your IP address.
    Not necessarily. All you have to do is install Bind9 (or some other DNS server) and add your IP for the nameservers for your domain with your registrar.
    Rob and enhu like this.
  6. enhu

    enhu New Member

    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    0
    I have already installed LAMP; I can access my localhost/phpmyadmin/ and have already tested it by installing scripts on it.
    I'm not sure how to configure bind yet. Apart from it, which is a lot easier to install as my DNS server?

    I tried browsing /myipaddress:80 and "The connection has timed out" error prompts. Or is it because I don't have the DNS server installed?
  7. animaguy

    animaguy New Member

    Messages:
    53
    Likes Received:
    1
    Trophy Points:
    0
    Can you set up a Debian Server with a dynamic ip address?
  8. animaguy

    animaguy New Member

    Messages:
    53
    Likes Received:
    1
    Trophy Points:
    0
    Oops, you answered that question.
  9. Fanhao

    Fanhao New Member

    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    I have a problem:
    Package php5-suhosin is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or is only available from another source

    E: Package 'php5-suhosin' has no installation candidate
    (My English is not good :))
    What should I do next?
    DevynCJohnson likes this.
  10. JasKinasis

    JasKinasis Member

    Messages:
    64
    Likes Received:
    32
    Trophy Points:
    18
    According to this page:
    https://www.debian.org/releases/wheezy/amd64/release-notes/ch-upgrading.en.html
    The package php5-suhosin was removed in Wheezy.

    I assume you are having problems with this step from tomfmason's original post at the top of the thread:
    Code:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin

    In which case, remove php5-suhosin from the list of packages and all should be good:
    Code:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5
    
    With suhosin removed, you should probably also skip the bit about configuring suhosin!
    Last edited: Jun 26, 2014
    DevynCJohnson likes this.
