
Basic Debian LAMP setup

Discussion in 'Linux Server' started by tomfmason, Nov 10, 2011.

  1. tomfmason

    tomfmason Guest

    This is how I generally set up a new debian server or vps. This process normally only takes a few minutes to have a nice, secure, production worthy lamp setup and running quickly. This is one of the main reasons I love debian so much. In this I assume that you have a bare newly rented server without any prior installations and I cover a few of my common practices that make my life as a sysadmin a little bit easier. We will forget for now that some of their policy decisions seem to be motivated by too much coffee and estrogen.

    Update sources
    #most of the following should be executed as root
    apt-get update
    apt-get upgrade
    GNU screen will be something you learn to love as you become more experienced with it. The following UI setup I found somewhere a long time ago and have been using it ever since.
    apt-get install screen
    vi ~/.screenrc
    hardstatus on
    hardstatus alwayslastline
    hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}][%{Y}%l%{g}]%{=b C}[ %m/%d %c ]%{W}'
    #to start a screen session simply type 'screen'
    Control +a c adds a new window
    Control +a n switches to the next window
    Control +a p switches to the previous window
    Control +a x locks the screen session
    Control +a k kills the current window
    Control +a d detaches from the screen session

    screen -ls will list the current screen sessions
    screen -x xxx will reattach the given screen session

    Install fail2ban
    fail2ban is a great piece of software that monitors a log file for a given pattern (e.g. failed ssh logins, failed ftp logins, etc.) and will block them for a variable amount of time depending on your requirements. This is great for preventing brute-force attacks.
    apt-get install fail2ban
    This is where I differ from some sysadmins. Most create a shell script that holds all of their iptables rules, but I use two nifty packages shipped by default with debian (iptables-restore & iptables-save).

    First, we save the default fail2ban rules somewhere that is easy to remember
    iptables-save > /etc/iptables
    And now we add our two basic rules to allow web and ssh traffic

    vi /etc/iptables
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    :PREROUTING ACCEPT [2507975:1707373020]
    :INPUT ACCEPT [2507975:1707373020]
    :OUTPUT ACCEPT [2481524:1683726521]
    :POSTROUTING ACCEPT [2481524:1683726521]
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    :INPUT ACCEPT [2507975:1707373020]
    :OUTPUT ACCEPT [2481524:1683726521]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    -A fail2ban-ssh -j RETURN
    # Completed on Wed Nov  9 22:16:52 2011
    # Generated by iptables-save v1.4.2 on Wed Nov  9 22:16:52 2011
    :PREROUTING ACCEPT [11674:749649]
    :POSTROUTING ACCEPT [11773:720169]
    :OUTPUT ACCEPT [11773:720169]
    # Completed on Wed Nov  9 22:16:52 2011
    You will notice that we added the following 4 lines, which accept all web and ssh traffic and drop everything else.
    -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
    -A INPUT -p tcp -j DROP
    -A INPUT -p udp -j DROP
    Now we update our iptables rules
    iptables-restore /etc/iptables

    Now we install MySQL
    apt-get install mysql-server mysql-client
    Just follow the on-screen instructions and you will be given the chance to create a root password. I would make note of this password if I were you.

    Apache and PHP5
    Here we install apache2 and php5 along with php5-suhosin for added security
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin

    Now the basic suhosin setup
    vi /etc/php5/apache2/php.ini
    ;Disable session encryption (required for most login scripts)
    suhosin.session.encrypt = Off
    ;Log all errors
    ;Max traversal depth ie '../../'
    ;Disable eval
    ;Disable /e modifier
    ;Disallow newlines in Subject:, To: headers and double newlines in additional headers
    ;Recommend Settings
    ;Silently fail all failed sql queries. You may want to disable this for a development environment

    Now we setup ssl
    a2enmod ssl
    apache2 -k restart
    The vhost configs are in /etc/apache2/sites-available/default. If you are planning on having several domains, the common practice on debian servers is to have the document root under /var/www and a corresponding config in /etc/apache2/sites-available/.

    As an example, if my site was named domain.com I would do the following
    mkdir /var/www/domain.com
    chown www-data:www-data /var/www/domain.com
    chmod ug+r /var/www/domain.com
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/domain.com
    vi /etc/apache2/sites-available/domain.com
    #......edit accordingly 
    apache2 -k restart
    This is all really pretty easy and should only take a few minutes to have a basic and secure lamp setup up and running :)
    2 people like this.
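
An added example, not part of the original post: the posted rules drop every TCP and UDP packet not addressed to port 80 or 22, which also covers loopback traffic and replies to connections the server itself opens (DNS lookups, apt-get downloads). The script below lints an iptables-save style rule list for that gap and runs it on the posted rules and on a revised set; the function names `lint_rules`, `posted_rules` and `revised_rules` are hypothetical, and both rule lists are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Lints iptables-save style rules:
# a protocol-wide DROP on INPUT should come after ACCEPT rules for loopback
# and for replies to connections the server itself opened.

# lint_rules: reads rules on stdin, prints findings; exit status = count.
lint_rules() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ {
            if ($0 ~ / -i lo /) lo = 1
            if ($0 ~ /state [A-Z,]*ESTABLISHED/) est = 1
        }
        /^-A INPUT -p (tcp|udp) -j DROP$/ {
            if (!lo)  { print "no loopback ACCEPT before: " $0; n++ }
            if (!est) { print "no ESTABLISHED ACCEPT before: " $0; n++ }
        }
        END { exit n + 0 }
    '
}

# Constructed sample 1: the filter rules as posted in the thread.
posted_rules() {
    cat <<'EOF'
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
EOF
}

# Constructed sample 2: same policy plus loopback and reply traffic.
revised_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A fail2ban-ssh -j RETURN
EOF
}

for sample in posted_rules revised_rules; do
    if "$sample" | lint_rules; then echo "$sample: ok"
    else echo "$sample: $? finding(s)"; fi
done
```

Before loading an edited file for real, `iptables-restore --test /etc/iptables` parses it without committing the rules.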
  2. enhu

    enhu Guest

    I've also installed lamp in my computer for a while now and I have also installed wordpress and mybb in my http://localhost
    but what I'm gonna be trying to achieve is to know if I can set it up live where people worldwide can access the sites I've set up in my localhost. How can I do this?
  3. tomfmason

    tomfmason Guest

    The only things you should need after having a similar setup would be a public-facing IP (i.e. static), a DNS server, and if you are lucky your provider has not blocked incoming connections on port 80 and/or 52 (if you host your own DNS server). If you don't have a static IP, you will have to use a dynamic DNS service, and I would recommend ZoneEdit. It is free and easy to use imo.
    1 person likes this.
  4. enhu

    enhu Guest

    Seems like there's much to do. How do I know that my provider didn't block incoming connections on port 80 and/or 52?
    Creating a DNS server means another computer, right?
  5. tomfmason

    tomfmason Guest

    That should be as easy as finding your IP address and using a browser to navigate (or telnet) to http://XXX.XXX.XXX.XXX:80 where the x's are your IP address.
    Not necessarily. All you have to do is install Bind9 (or some other DNS server) and add your IP for the nameservers for your domain with your registrar.
    2 people like this.
  6. enhu

    enhu Guest

    I have already installed LAMP, I can access my localhost/phpmyadmin/ and have already tested it by installing scripts on it.
    I'm not sure how to configure bind yet. Apart from it, which is a lot easier to install as my DNS server?

    Tried browsing /myipaddress:80 and "The connection has timed out" error prompts, or is it because I don't have the DNS server installed?
  7. animaguy

    animaguy Guest

    Can you set up a Debian Server with a dynamic ip address?
  8. animaguy

    animaguy Guest

    Oops, you answered that question.
  9. Fanhao

    Fanhao Guest

    I have a problem:
    Package php5-suhosin is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or is only available from another source

    E: Package 'php5-suhosin' has no installation candidate
    (My English is not good :))
    What can I do next?
    1 person likes this.
  10. JasKinasis

    JasKinasis Guest

    According to this page:
    The package php5-suhosin was removed in Wheezy.

    I assume you are having problems with this step from tomfmason's original post at the top of the thread:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5 php5-suhosin

    In which case, remove php5-suhosin from the list of packages and all should be good:
    apt-get install apache2 php5 php5-mysql libapache2-mod-php5
    With suhosin removed, you should probably also skip the bit about configuring suhosin!
    #10 JasKinasis, Jun 26, 2014
    Last edited: Jun 26, 2014
    1 person likes this.
  11. Ashik Karki

    Ashik Karki New Member

    Aug 3, 2017
    Well, you can check any ports using canyouseeme.org.
