Debian LAMP Server
Aus Weis nix
Intro
Some collected notes to convert a basic Debian/Sarge (3.1) system into the "latest" LAMP server. (Based in part on this article)
- update to etch (testing)
- apache2.0, php5, mod_perl2, mysql5
- addons: HTML::Mason, phpMyAdmin
- security improvements (shorewall, tripwire)
Update to Etch
Add the following line to /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ testing main non-free contrib
Then, as superuser, run
apt-get update
apt-get dist-upgrade
apt-get install gnupg
Add Debian Packages
apt-get update
apt-get upgrade
apt-get install lsof
apt-get install joe
apt-get install rsync
apt-get install postfix
apt-get install bzip2
apt-get install unzip
Configure Firewall
Based in part on this article.
apt-get install shorewall
cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall
cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall
cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall
cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall
Edit /etc/shorewall/zones
fw    firewall
net   ipv4
Edit /etc/shorewall/interfaces
net eth0 detect dhcp,routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
Edit /etc/shorewall/policy
fw    net   ACCEPT
net   all   DROP    info
all   all   REJECT  info
Edit /etc/shorewall/rules
ACCEPT   net   fw    icmp   8
ACCEPT   fw    net   icmp
ACCEPT   net   fw    tcp    ssh,http,https
Edit /etc/default/shorewall
startup=1
Then restart the firewall to activate protection
/etc/init.d/shorewall start
Install Apache
apt-get install apache2-mpm-prefork apache2-doc lynx
Edit /etc/apache2/conf.d/local_configs.conf
# Tighten access to the file system.
<Directory />
    # Forbid default access to file system locations
    Order Deny,Allow
    Deny from all
    # prevent use of .htaccess files in all directories
    # apart from those specifically enabled.
    AllowOverride None
</Directory>
# Limit available info about this server.
ServerSignature Off
ServerTokens Prod
Create dummy index for main server
echo " " >/var/www/index.html
Configure SSH
Edit /etc/ssh/sshd_config to
AuthorizedKeysFile %h/.ssh/authorized_keys2
On target server, as root run:
ssh-keygen -t dsa
On local server, as root run:
ssh-keygen -t dsa    [only once]
scp /root/.ssh/id_dsa.pub root@***target***.com:/root/.ssh/authorized_keys2
Update known_hosts on local server using
ssh root@***target***.com ls
which should not ask for a password now.
Make this setup available for webserver processes (adjust paths and names for server, example is a FC4 local host):
mkdir /var/www/.ssh
cp /root/.ssh/* /var/www/.ssh
chown -R apache.apache /var/www/.ssh
Add dotdeb/PHP5
Add to /etc/apt/sources.list as per Dotdeb:
# Use dotdeb.org for LAMP related packages not available in Sarge
deb http://dotdeb.pimpmylinux.org/ stable all
deb-src http://dotdeb.pimpmylinux.org/ stable all
apt-get update
apt-get install libapache2-mod-php5
apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev
Install MySQL 5
apt-get install mysql-client-5.0 mysql-server-5.0
mysqladmin -u root password *******
Create new datadir
/etc/init.d/mysql stop
Move datadir
mkdir /home/mysql
cp -r /var/lib/mysql/* /home/mysql/
rm /home/mysql/ib*
chown -R mysql.mysql /home/mysql
Edit /etc/mysql/my.cnf and change /var/lib/mysql to new dir /home/mysql
joe /etc/mysql/my.cnf
PHP support with
apt-get install php5-mysql
Install phpMyAdmin
cd /home/www.*******.com
wget "http://switch.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.9.0-rc1.tar.bz2"
tar xvjf phpMyAdmin-2.9.0-rc1.tar.bz2
ln -s phpMyAdmin-2.9.0-rc1 phpMyAdmin
cd phpMyAdmin
mkdir config
chmod 777 config
... navigate to /phpMyAdmin with browser and create config script ...
cp config/config.inc.php .
rm -rf config
Add a Virtual Server
- Make new root directory in /home
- Create file for virtual server in /etc/apache2/sites-available/www.server.com
<VirtualHost *>
    # Basic setup
    ServerAdmin webmaster@server.com
    ServerName www.server.com
    DocumentRoot /home/www.server.com
    <Directory /home/www.server.com>
        Order Deny,Allow
        Allow from all
        # Don't show indexes for directories
        Options -Indexes
    </Directory>
</VirtualHost>
- link in new site and reload server
a2ensite www.server.com
/etc/init.d/apache2 reload
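An added check for the two Apache hardening settings above (ServerTokens/ServerSignature in local_configs.conf and Options -Indexes in the virtual host); it is not part of the original notes. It inspects a raw HTTP response and flags a Server header that still carries a version number or a body that is an Apache directory listing; the two sample responses are constructed, and check_url fetches a live URL with the lynx installed earlier.

```shell
#!/bin/sh
# Added example: verify that the Apache hardening above took effect.
# Returns 0 if the Server header of response $1 still carries a version
# number (e.g. "Apache/2.0.55"), which means ServerTokens is not Prod.
server_header_leaks_version() {
    printf '%s\n' "$1" | grep -i '^Server:' | grep -Eq '/[0-9]+\.[0-9]'
}

# Returns 0 if the body of response $1 is an Apache auto-index page,
# i.e. "Options -Indexes" is not in effect for that directory.
body_is_directory_listing() {
    printf '%s\n' "$1" | grep -q '<title>Index of '
}

# Returns 0 only when neither problem is present; reports each finding.
apache_response_hardened() {
    rc=0
    if server_header_leaks_version "$1"; then
        echo "Server header exposes a version: set ServerTokens Prod" >&2; rc=1
    fi
    if body_is_directory_listing "$1"; then
        echo "directory listing served: add Options -Indexes" >&2; rc=1
    fi
    return $rc
}

# Fetch headers and body of a live URL with lynx (installed above) and check them.
check_url() {
    resp=$(lynx -head -dump "$1" 2>/dev/null; lynx -source "$1" 2>/dev/null)
    apache_response_hardened "$resp"
}

# Constructed sample responses for offline use: before and after hardening.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.0.55 (Debian) PHP/5.1.6
Content-Type: text/html

<html><head><title>Index of /mason</title></head><body>...</body></html>'
HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><body> </body></html>'
```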
Update CPAN/perl/mod_perl
Prepare apache
apt-get install apache2-threaded-dev libapreq2-dev
Prepare CPAN
perl -MCPAN -e shell
... configure ...
cpan> install Bundle::CPAN
cpan> exit
perl -MCPAN -e shell
... re-configure ...
cpan> install Bundle::CPAN
cpan> exit
perl -MCPAN -e shell
cpan> install Term::ReadKey
cpan> exit
Install Mason
perl -MCPAN -e shell
cpan> install HTML::Mason
cpan> install CGI
cpan> install Apache2::Cookie
Create mason data directory
mkdir /home/mason
chown www-data.www-data /home/mason/
And use this sample template for a virtual server using a mason folder
PerlModule HTML::Mason::ApacheHandler
# Mason configuration
PerlSetVar MasonCompRoot /home/www.server.com/mason
PerlSetVar MasonDataDir /home/mason
<Location /mason>
    SetHandler perl-script
    PerlHandler HTML::Mason::ApacheHandler
</Location>
Additional perl Modules
perl -MCPAN -e shell
cpan> install Time::HiRes
cpan> install JSON
cpan> install JSON::Syck
cpan> install JSON::PC
cpan> install Date::Manip
Install backup system
Update python and install prerequisites for duplicity manual installation
apt-get install duplicity
apt-get remove duplicity
apt-get install python-dev
apt-get install librsync-dev
Get and install duplicity
cd
wget http://savannah.nongnu.org/download/duplicity/duplicity-0.4.2.tar.gz
tar xvzf duplicity-0.4.2.tar.gz
cd duplicity-0.4.2
python setup.py install
Create backup script backup.sh
#!/bin/sh
export PASSPHRASE=secret
export FTP_PASSWORD=7*******
TARGET=ftp://username@backup.server.com
echo "Backing up home ..."
duplicity /home $TARGET/home
echo "Backing up root ..."
duplicity --exclude /sys --exclude /dev --exclude /mnt --exclude /tmp --exclude /proc --exclude /home / $TARGET/root
export PASSPHRASE=
export FTP_PASSWORD=
Create target folders on FTP server
apt-get install ftp
ftp backup.server.com
...login...
mkdir root
mkdir home
Do initial backup
chmod +x backup.sh
./backup.sh
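An added variant of backup.sh, not from the original notes: the same two duplicity runs, but the passphrase and FTP password are read from a separate file that the script refuses to use unless it is owned by the invoking user and not readable by anyone else. The file path /etc/backup.secrets and its two-line format are assumptions.

```shell
#!/bin/sh
# Added example: backup.sh with the secrets taken from a private file.
# Assumed file /etc/backup.secrets holds two lines:
#   PASSPHRASE=...
#   FTP_PASSWORD=...
SECRETS=${SECRETS:-/etc/backup.secrets}
TARGET=${TARGET:-ftp://username@backup.server.com}

# Returns 0 only if $1 exists, belongs to the invoking user (root when run
# as above) and is readable by nobody else (mode 600 or 400).
secrets_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(stat -c '%U %a' "$f")      # GNU stat: owner name, octal mode
    [ "$1" = "$(id -un)" ] || return 1
    case "$2" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Prints the duplicity arguments for the root filesystem: pseudo filesystems
# and /home (backed up separately) are excluded, as in the original script.
root_backup_args() {
    for d in /sys /dev /mnt /tmp /proc /home; do
        printf '%s %s ' --exclude "$d"
    done
    printf '/ %s/root\n' "$TARGET"
}

run_backups() {
    if ! secrets_file_is_private "$SECRETS"; then
        echo "refusing to run: $SECRETS must be mode 600 and owned by $(id -un)" >&2
        return 1
    fi
    . "$SECRETS"                         # defines PASSPHRASE and FTP_PASSWORD
    export PASSPHRASE FTP_PASSWORD
    echo "Backing up home ..."
    duplicity /home "$TARGET/home" || return 1
    echo "Backing up root ..."
    duplicity $(root_backup_args) || return 1   # word splitting intended
    unset PASSPHRASE FTP_PASSWORD
}

# Run the backups only when invoked as "./backup.sh --run".
if [ "${1:-}" = "--run" ]; then
    run_backups
fi
```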
Install Consistency Checker
Based on this article.
Install tripwire
apt-get install tripwire
and answer yes to the 4 questions. Enter the root password for both site and local key.
Edit policy file /etc/tripwire/twpol.txt to:
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions
}
and remove
/etc/rc.boot
/etc/shadow
/proc
Rebuild policy file with
cd /etc/tripwire
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
Initialize tripwire
tripwire --init
Check with
tripwire --check
General Security Updates
Enable shadow passwords
shadowconfig on
Edit the file /etc/network/options to
syncookies=yes
Update permissions
chmod 660 /var/log/btmp
Disable RPC services
update-rc.d portmap remove
Harden system and install checkers (chkrootkit is run by tiger, do not enable its cron):
apt-get install harden-clients
apt-get install harden-servers
apt-get install tiger chkrootkit
Check the system and maybe change settings and reconfigure. Ignore /dev/log and "PACKET SNIFFER(/sbin/dhclient3)" warnings.
tiger
chkrootkit
Edit /etc/php5/apache2/php.ini to
safe_mode = On
open_basedir = /home
DNS Server
Based in part on this article.
Install bind on secondary server
apt-get install bind9 bind9-doc dnsutils
On the primary server modify the options section of /etc/named.conf [FC4] to:
allow-transfer { ***secondary_IP***; };
query-source address * port 53;
On the primary server modify the zone file to include:
                        NS      ***secondary_name***
***secondary_name***    A       ***secondary_IP***
On the secondary server add to /etc/bind/named.conf.local [Debian] the slave zone:
zone "***domain***" {
type slave;
file "db.***domain***";
masters {
***primary_IP***;
};
};
Edit the secondary server options in /etc/bind/named.conf.options to:
query-source address * port 53;
Add firewall rule to /etc/shorewall/rules
DNS/ACCEPT   net   fw
DNS/ACCEPT   fw    net
and restart the firewall
/etc/init.d/shorewall restart
Also configure external firewalls to pass traffic for UDP port 53
Nr.  Rem.IP  Rem.Port  Loc.Port  Proto  Action
12   All     53        Any       UDP    Allow
13   All     Any       53        UDP    Allow
Restart named servers
service named restart        [FC4]
/etc/init.d/bind9 restart    [Debian]
and check the cache location for the new database to show up:
ls /var/cache/bind
Test DNS service with
dig @***primary_IP*** host.***domain***
dig @***secondary_IP*** host.***domain***
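An added check for the allow-transfer setting above; it is not part of the original notes. Run from a host that is not the listed secondary, zone_transfer_restricted reports whether the primary still hands out the whole zone. It parses dig's AXFR output (";; XFR size:" on a completed transfer, "; Transfer failed." when refused); the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: confirm that only the secondary may transfer the zone.
# Returns 0 if dig output $1 shows a completed zone transfer.
axfr_succeeded() {
    printf '%s\n' "$1" | grep -q '^;; XFR size:'
}

# Returns 0 if a transfer of zone $2 from server $1 is refused (the expected
# result from any host other than the secondary), 1 if the zone came back.
zone_transfer_restricted() {
    out=$(dig "@$1" "$2" axfr +time=5 +tries=1 2>&1)
    if axfr_succeeded "$out"; then
        echo "WARNING: $1 handed out the full zone $2 to this host" >&2
        return 1
    fi
    return 0
}

# Constructed sample dig outputs for offline checking.
AXFR_OPEN='; <<>> DiG 9.3.4 <<>> @192.0.2.1 example.com axfr
;; global options:  printcmd
example.com.  86400  IN  SOA  ns1.example.com. hostmaster.example.com. 2006090101 3600 900 604800 86400
example.com.  86400  IN  NS   ns1.example.com.
example.com.  86400  IN  SOA  ns1.example.com. hostmaster.example.com. 2006090101 3600 900 604800 86400
;; Query time: 3 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; XFR size: 3 records'
AXFR_REFUSED='; <<>> DiG 9.3.4 <<>> @192.0.2.1 example.com axfr
;; global options:  printcmd
; Transfer failed.'
```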
Mailserver
Based in part on this article.
Update PHP
apt-get install php5-pear
Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini
- change memory limits from 8M to 32M
- uncomment include_path = ".:/usr/share/php"
Update Pear
pear install DB
Install exim4
apt-get install exim4-daemon-heavy
apt-get --reinstall install exim4-config
Install vexim (see also the download page for the latest version):
adduser --system --uid 99 --group --home /var/opt/vmail vmail
cd /usr/local/src
wget http://silverwraith.com/vexim/vexim2.2RC1.tar.gz
tar xzf vexim2.2RC1.tar.gz
mv vexim2/vexim /usr/share/
chown -R www-data.www-data /usr/share/vexim
Edit vexim2/setup/mysql.sql and replace all occurrences of CHANGE with 99
mysql -u root -p < vexim2/setup/mysql.sql
Edit /usr/share/vexim/config/variables.php to:
$sqlpass = "99";
$imapquotaserver = "{mail.*******.net:143/imap/notls}";
$uid = "99";
$gid = "99";
$domaininput = "dropdown";
$mailmanroot = "http://www.*******.com/mailman";
Install mailman
apt-get install mailman
Use database root password for
newlist mailman
Edit /etc/mailman/mm_cfg.py to
DEFAULT_URL_PATTERN = 'http://%s/mailman/'
DEFAULT_EMAIL_HOST = 'mail.******.com'
DEFAULT_URL_HOST = 'www.*******.com'
Create file /etc/apache2/conf.d/mailman.conf
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
Add to each virtual host configuration
# mailman
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
<Directory /usr/lib/cgi-bin/mailman>
    Order Deny,Allow
    Allow from all
</Directory>
<Directory /var/lib/mailman/archives/public>
    Order Deny,Allow
    Allow from all
</Directory>
<Directory /usr/share/images/mailman>
    Order Deny,Allow
    Allow from all
</Directory>
Restart services
/etc/init.d/apache2 restart
/etc/init.d/mailman start
Use the database root password for
mmsitepass <password>
Install spamassassin
apt-get install spamassassin spamc
Edit /etc/default/spamassassin to
ENABLED=1
Edit /etc/spamassassin/local.cf and add
use_bayes=0
Start service with
/etc/init.d/spamassassin start
Install antivirus
apt-get install clamav clamav-freshclam clamav-daemon
usermod -G Debian-exim clamav
Copy Exim configuration with
cp /usr/local/src/vexim2/docs/configure /etc/exim4/exim4.conf
cp /usr/local/src/vexim2/docs/vexim* /etc/exim4/
Edit /etc/exim4/exim4.conf to
MAILMAN_HOME=/var/lib/mailman
MAILMAN_USER=list
MAILMAN_GROUP=daemon
MY_IP = *****
hostlist relay_from_hosts = localhost : MY_IP
trusted_users = vmail:www-data
hide mysql_servers = localhost::(/var/run/mysqld/mysqld.sock)/vexim/vexim/99
av_scanner = clamd:/var/run/clamav/clamd.ctl
exim_user = Debian-exim
exim_group = Debian-exim
.include /etc/exim4/vexim-acl-check-spf.conf
.include /etc/exim4/vexim-acl-check-helo.conf
.include /etc/exim4/vexim-acl-check-rcpt.conf
.include /etc/exim4/vexim-acl-check-content.conf
.include /etc/exim4/vexim-group-router.conf
user = Debian-exim
group = Debian-exim
Edit /etc/exim4/vexim-acl-check-content.conf and change maildeliver to vmail.
Start service with
/etc/init.d/exim4 restart
Link weblink interface
ln -s /usr/share/vexim /home/www.*****.com/html/vexim
Edit /etc/apache2/sites-available/*****.com to
<Directory /home/www.*****.com/html>
    # ...
    Options -Indexes FollowSymLinks
</Directory>
# vexim
Alias /vexim /usr/share/vexim
<Directory /usr/share/vexim/>
    Order Deny,Allow
    Allow from all
    AllowOverride All
</Directory>
<Directory /home/www.*****.com/html/vexim/>
    Order Deny,Allow
    Allow from all
    AllowOverride All
</Directory>
Install courier:
apt-get install courier-imap courier-imap-ssl courier-auth-mysql courier-pop courier-pop-ssl
Forced authmysql installation from .deb file (this version does not work with etch):
cd
wget http://security.debian.org/debian-security/pool/updates/main/c/courier/courier-authmysql_0.47-4sarge5_i386.deb
apt-get install libmysqlclient12
dpkg --force-all --install courier-authmysql_0.47-4sarge5_i386.deb
Edit /etc/courier/authdaemonrc to
authmodulelist="authmysql"
Edit /etc/courier/authmysqlrc to (verify the syslog for database errors when IMAP connecting)
MYSQL_USERNAME       vexim
MYSQL_PASSWORD       99
MYSQL_SOCKET         /var/run/mysqld/mysqld.sock
MYSQL_PORT           3306
MYSQL_DATABASE       vexim
MYSQL_USER_TABLE     users
MYSQL_LOGIN_FIELD    username
MYSQL_HOME_FIELD     pop
MYSQL_NAME_FIELD     realname
MYSQL_MAILDIR_FIELD  smtp
Create a maildir for mail storage
mkdir /usr/local/mail
chown vmail.vmail /usr/local/mail
Log in with username siteadmin and password CHANGE at
http://www.******.com/vexim
and change password.
Each virtual domain needs to be added in /etc/mailman/mm_cfg.py
add_virtualhost('host-url', 'email-host')
Copy firewall macros
cp /usr/share/shorewall/macro.* /etc/shorewall
Update firewall /etc/shorewall/rules to
IMAP/ACCEPT   net   fw
SMTP/ACCEPT   net   fw
and restart firewall
/etc/init.d/shorewall restart
