Yann "Bug" Dubois

Freelance WordPress developer in Paris

How to configure a dedicated Debian server for LAMP

29 September 2010 By: Yann Dubois Category: English, tech

Here is a short memo that I use for quickly reinstalling an operational configuration under Debian / Apache2 / PHP5 / Mysql for hosting web sites on a dedicated GNU/Linux hosted server. This configuration also includes eAccelerator and basic supervision and administration tools (Munin, phpsysinfo, mtop, PhpmyAdmin, AWStats). It is directly operational and sufficiently secured for a standard install (as long as packages are regularly updated). Anyways it works for me©®™.

This memo is a compilation of the best recommendations found elsewhere on the Net, updated for a Debian Lenny installation as of September 2009.

Start by connecting to the server over ssh with the root account and password that your hosting provider sent you. Use port 22 (the standard stuff…). From another GNU/Linux box, such as an Ubuntu system, that is simply: ssh -l root followed by the name or IP address of your server.

1. Changing the root password and creating a new user

Working as root is a bad habit, all the more so when this root account uses a generated password that traveled around by e-mail. You will thus start by creating a regular non-privileged user account (to which we will give enough privileges for remote administration), and by changing the root password.

passwd

-> change root password

adduser <your login>
adduser <your login> root
adduser <your login> adm

Check that you manage to connect with this new user, then quit the root session:

exit

2. Configuration of the connection with an ssh key

Here is a detailed explanation (in French) of how to create a pair of ssh keys under GNU/Linux. There are other excellent English-language tutorials for that purpose elsewhere on the web (Google is your friend here). You can also do it quite simply under Windows using PuTTY, for example.

Once the key is generated and stored locally in a text file, connect again using ssh and the non-privileged account created before:

ssh -l <your login> <host>

(still use the default 22 port with the password chosen for the new account above)

mkdir .ssh
cd .ssh
vi authorized_keys

-> paste the ssh key (long text string)

exit

You can now connect without typing a password thanks to the ssh key:

ssh -l <your login> <host>

(still on port 22, but with ssh key, hence without typing a password)

3. Minimum securing of the server

su root
rm /root/.ssh/authorized_keys2
rm /root/.p
rm /root/.email
vi /etc/hostname -> change machine name (like XXXXXX.<your-domain>.com)
invoke-rc.d hostname.sh stop
invoke-rc.d hostname.sh start
vi /etc/hosts

-> add a machine name

aptitude update

aptitude safe-upgrade

(I leave the option to “all” for RAID disk initialization stuff at startup)

aptitude full-upgrade

aptitude install debian-goodies
aptitude install libpam-cracklib wfrench

(utility that automatically checks password quality against a word dictionary (including French words!))

vi /etc/pam.d/su

-> Uncomment the line: auth required pam_wheel.so

vi /etc/pam.d/common-password

-> Add this line to the end: password required pam_cracklib.so retry=3 minlen=8

aptitude install sudo
visudo

-> Add this line: %root ALL=(ALL) PASSWD: ALL

apt-get install fail2ban
vi /etc/fail2ban/jail.conf

->

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
# ban time
bantime  = 900

/etc/init.d/fail2ban restart
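As an added example (not code from the original memo), the following Python models what the [ssh] jail above does with /var/log/auth.log: it counts "Failed password" lines per source address, bans a source once it reaches maxretry=6 failures inside the findtime window (600 s is fail2ban's default, which the jail above leaves unchanged; treat that value as an assumption here), and keeps the ban for bantime=900 s. The log lines are constructed samples, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines the [ssh] jail's "sshd" filter treats as a failed login.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample auth.log (syslog timestamps carry no year); not a real capture.
SAMPLE_AUTH_LOG = """\
Sep 29 08:00:00 srv sshd[2100]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep 29 08:15:00 srv sshd[2102]: Failed password for root from 192.0.2.9 port 33002 ssh2
Sep 29 08:30:00 srv sshd[2104]: Failed password for root from 192.0.2.9 port 33003 ssh2
Sep 29 08:45:00 srv sshd[2106]: Failed password for root from 192.0.2.9 port 33004 ssh2
Sep 29 09:00:00 srv sshd[2108]: Failed password for root from 192.0.2.9 port 33005 ssh2
Sep 29 09:15:00 srv sshd[2110]: Failed password for root from 192.0.2.9 port 33006 ssh2
Sep 29 10:00:01 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51222 ssh2
Sep 29 10:00:03 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51223 ssh2
Sep 29 10:00:05 srv sshd[2205]: Failed password for root from 203.0.113.7 port 51224 ssh2
Sep 29 10:00:07 srv sshd[2207]: Failed password for root from 203.0.113.7 port 51225 ssh2
Sep 29 10:00:09 srv sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51226 ssh2
Sep 29 10:00:11 srv sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51227 ssh2
Sep 29 10:00:13 srv sshd[2213]: Failed password for root from 203.0.113.7 port 51228 ssh2
Sep 29 10:01:00 srv sshd[2220]: Failed password for yann from 198.51.100.23 port 40001 ssh2
Sep 29 10:01:04 srv sshd[2222]: Failed password for yann from 198.51.100.23 port 40002 ssh2
Sep 29 10:01:09 srv sshd[2224]: Accepted publickey for yann from 198.51.100.23 port 40003 ssh2
"""

def banned_hosts(log_text, maxretry=6, findtime=timedelta(seconds=600)):
    """Return {ip: ban time} for sources reaching maxretry failures within findtime."""
    recent, bans = defaultdict(list), {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m or m["ip"] in bans:  # not a failure, or already firewalled off
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        # Sliding window: only failures within findtime of this one still count.
        recent[m["ip"]] = [t for t in recent[m["ip"]] if ts - t <= findtime] + [ts]
        if len(recent[m["ip"]]) >= maxretry:
            bans[m["ip"]] = ts
    return bans

def ban_active(bans, ip, at, bantime=timedelta(seconds=900)):
    """True while the jail's bantime (900 s in the memo) has not yet elapsed."""
    return ip in bans and at - bans[ip] < bantime
```

Note that 192.0.2.9 is never banned: six failures spaced wider than findtime never accumulate, which is why bantime and findtime should be tuned together rather than raising maxretry alone.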

vi /etc/ssh/sshd_config

-> Port 22000 (to move the ssh daemon's listening port to a “non-standard” port number)

/etc/init.d/ssh restart
reboot

4. Uninstalling unneeded stuff / installing useful stuff

This time, we log in over ssh on port 22000, still with the ssh key. You can therefore save or automate these connection settings, which will remain in effect from now on.

ssh -l <your login> -p 22000 <host>
su
aptitude purge bind9 bind9-doc \
 dhcp3-client dhcp3-common gcc \
 gcc-4.2-base libdns43 libisc44 \
 libncurses5-dev manpages-cs \
 manpages-de manpages-de-dev \
 manpages-es manpages-es-extra \
 manpages-it manpages-pl \
 manpages-pl-dev manpages-pt manpages-pt-dev \
 manpages-ru reiserfsprogs
aptitude install openntpd
aptitude install mailx

Continued on page 2 (Installing Apache, MySql, Mtop…)
