Debian LAMP Server


Intro

Some collected notes to convert a basic Debian/Sarge (3.1) system into the "latest" LAMP server. (Based in part on this article)

  1. update to etch (testing)
  2. apache2.0, php5, mod_perl2, mysql5
  3. addons: HTML::Mason, phpMyAdmin
  4. security improvements (shorewall, tripwire)

Update to Etch

Add the following line to /etc/apt/sources.list

deb http://ftp.de.debian.org/debian/ testing main non-free contrib

Then, as superuser, run

apt-get update
apt-get dist-upgrade
apt-get install gnupg

Add Debian Packages

apt-get update
apt-get upgrade
apt-get install lsof
apt-get install joe
apt-get install rsync
apt-get install postfix
apt-get install bzip2
apt-get install unzip

Configure Firewall

Based in part on this article.

apt-get install shorewall
cp /usr/share/doc/shorewall/default-config/zones /etc/shorewall
cp /usr/share/doc/shorewall/default-config/interfaces /etc/shorewall
cp /usr/share/doc/shorewall/default-config/policy /etc/shorewall
cp /usr/share/doc/shorewall/default-config/rules /etc/shorewall

Edit /etc/shorewall/zones

fw      firewall
net     ipv4

Edit /etc/shorewall/interfaces

net     eth0    detect          dhcp,routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist

Edit /etc/shorewall/policy

fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

Edit /etc/shorewall/rules

ACCEPT   net     fw    icmp    8
ACCEPT   fw      net   icmp
ACCEPT   net     fw    tcp     ssh,http,https

Edit /etc/default/shorewall

startup=1

Then restart the firewall to activate protection

/etc/init.d/shorewall start

Install Apache

apt-get install apache2-mpm-prefork apache2-doc lynx

Edit /etc/apache2/conf.d/local_configs.conf

# Tighten access to the file system.
<Directory />
 # Forbid default access to file system locations
 Order Deny,Allow
 Deny from all
 # prevent use of .htaccess files in all directories
 # apart from those specifically enabled.
 AllowOverride None
</Directory>
# Limit available info about this server.
# (ServerTokens only accepts Prod, Major, Minor, Min, OS or Full.)
ServerSignature Off
ServerTokens Prod

Create dummy index for main server

echo " " >/var/www/index.html

Configure SSH

Edit /etc/ssh/sshd_config to

AuthorizedKeysFile      %h/.ssh/authorized_keys2

On target server, as root run:

ssh-keygen -t dsa

On local server, as root run:

ssh-keygen -t dsa  [only once]
scp /root/.ssh/id_dsa.pub root@***target***.com:/root/.ssh/authorized_keys2

Update known_hosts on local server using

ssh root@***target***.com ls

which should not ask for a password now.

Make this setup available for webserver processes (adjust paths and names for server, example is a FC4 local host):

mkdir /var/www/.ssh
cp /root/.ssh/* /var/www/.ssh
chown -R apache.apache /var/www/.ssh

Add dotdeb/PHP5

Add to /etc/apt/sources.list as per Dotdeb:

# Use dotdeb.org for LAMP related packages not available in Sarge
deb http://dotdeb.pimpmylinux.org/ stable all
deb-src http://dotdeb.pimpmylinux.org/ stable all

Then install PHP5 and mod_perl2:

apt-get update
apt-get install libapache2-mod-php5
apt-get install libapache2-mod-perl2 libapache2-mod-perl2-dev

Install MySQL 5

apt-get install mysql-client-5.0 mysql-server-5.0
mysqladmin -u root password *******

Create new datadir

/etc/init.d/mysql stop

Move datadir

mkdir /home/mysql
cp -r /var/lib/mysql/* /home/mysql/
rm /home/mysql/ib*
chown -R mysql.mysql /home/mysql

Edit /etc/mysql/my.cnf and change /var/lib/mysql to new dir /home/mysql

joe /etc/mysql/my.cnf

PHP support with

apt-get install php5-mysql

Install phpMyAdmin

cd /home/www.*******.com
wget "http://switch.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.9.0-rc1.tar.bz2"
tar xvjf phpMyAdmin-2.9.0-rc1.tar.bz2
ln -s phpMyAdmin-2.9.0-rc1 phpMyAdmin
cd phpMyAdmin
mkdir config
chmod 777 config
... navigate to /phpMyAdmin with browser and create config script ... 
cp config/config.inc.php .
rm -rf config

Add a Virtual Server

  • Make a new root directory in /home
  • Create a file for the virtual server in /etc/apache2/sites-available/www.server.com:

<VirtualHost *>
       #Basic setup
       ServerAdmin webmaster@server.com
       ServerName www.server.com
       DocumentRoot /home/www.server.com
       <Directory /home/www.server.com>
               Order Deny,Allow
               Allow from all
               # Don't show indexes for directories
               Options -Indexes
       </Directory>
</VirtualHost>

  • Link in the new site and reload the server:

a2ensite www.server.com
/etc/init.d/apache2 reload
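As an added check, not part of the original notes: a short shell audit that confirms the directives set above in local_configs.conf (deny-all root directory, AllowOverride None, ServerSignature/ServerTokens) and the Options -Indexes of each virtual host are actually present before a site is enabled. The file names and the sample configs it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a server for the
# hardening directives the notes place in local_configs.conf and in each
# virtual host. File names and the samples in write_samples are constructed.

# 0 if file $1 has a line matching the case-insensitive ERE $2.
has_directive() { grep -Eiq "$2" "$1"; }

# Global config: root <Directory /> must deny access and disable .htaccess,
# and the server must not advertise its version (Apache accepts only Prod or
# ProductOnly for ServerTokens, not "production").
check_global() {
    rc=0
    has_directive "$1" '^[[:space:]]*<Directory[[:space:]]+/>' || { echo "no root <Directory /> block"; rc=1; }
    has_directive "$1" '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' || { echo "missing Deny from all"; rc=1; }
    has_directive "$1" '^[[:space:]]*AllowOverride[[:space:]]+None' || { echo "missing AllowOverride None"; rc=1; }
    has_directive "$1" '^[[:space:]]*ServerSignature[[:space:]]+Off' || { echo "missing ServerSignature Off"; rc=1; }
    has_directive "$1" '^[[:space:]]*ServerTokens[[:space:]]+(Prod|ProductOnly)[[:space:]]*$' || { echo "ServerTokens must be Prod"; rc=1; }
    return "$rc"
}

# Virtual host: directory listings must be off in its DocumentRoot.
check_vhost() {
    has_directive "$1" '^[[:space:]]*Options[[:space:]]+.*-Indexes' && return 0
    echo "$1: missing Options -Indexes"
    return 1
}

# Constructed samples: a correct global config and a vhost missing -Indexes.
write_samples() {
    cat >"$1/local_configs.conf" <<'EOF'
<Directory />
 Order Deny,Allow
 Deny from all
 AllowOverride None
</Directory>
ServerSignature Off
ServerTokens Prod
EOF
    cat >"$1/weak-vhost.conf" <<'EOF'
<VirtualHost *>
 DocumentRoot /home/www.server.com
</VirtualHost>
EOF
}

d=$(mktemp -d) && write_samples "$d"
check_global "$d/local_configs.conf" && echo "local_configs.conf: OK"
check_vhost "$d/weak-vhost.conf" || echo "weak-vhost.conf: fix before enabling"
```

On the real server, point check_global at /etc/apache2/conf.d/local_configs.conf and check_vhost at each file in /etc/apache2/sites-available; apache2ctl -t still catches syntax errors that this grep-based check does not.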

Update CPAN/perl/mod_perl

Prepare apache

apt-get install apache2-threaded-dev libapreq2-dev

Prepare CPAN

perl -MCPAN -e shell
... configure ...
cpan> install Bundle::CPAN
cpan> exit
perl -MCPAN -e shell
... re-configure ...
cpan> install Bundle::CPAN
cpan> exit
perl -MCPAN -e shell
cpan> install Term::ReadKey
cpan> exit

Install Mason

perl -MCPAN -e shell
cpan> install HTML::Mason
cpan> install CGI
cpan> install Apache2::Cookie

Create mason data directory

mkdir /home/mason
chown www-data.www-data /home/mason/

Then use this sample template in a virtual server that has a mason folder:

PerlModule HTML::Mason::ApacheHandler
# Mason configuration
PerlSetVar  MasonCompRoot    /home/www.server.com/mason
PerlSetVar  MasonDataDir     /home/mason
<Location /mason>
 SetHandler   perl-script
 PerlHandler  HTML::Mason::ApacheHandler
</Location>

Additional perl Modules

perl -MCPAN -e shell
cpan> install Time::HiRes
cpan> install JSON
cpan> install JSON::Syck
cpan> install JSON::PC
cpan> install Date::Manip

Install backup system

Update Python and install the prerequisites for a manual duplicity installation

apt-get install duplicity
apt-get remove duplicity
apt-get install python-dev
apt-get install librsync-dev

Get and install duplicity

cd
wget http://savannah.nongnu.org/download/duplicity/duplicity-0.4.2.tar.gz
tar xvzf duplicity-0.4.2.tar.gz
cd duplicity-0.4.2
python setup.py install

Create backup script backup.sh

#!/bin/sh
export PASSPHRASE=secret
export FTP_PASSWORD=7*******
TARGET=ftp://username@backup.server.com
echo "Backing up home ..."
duplicity /home $TARGET/home
echo "Backing up root ..."
duplicity --exclude /sys --exclude /dev --exclude /mnt --exclude /tmp --exclude /proc --exclude /home / $TARGET/root
export PASSPHRASE=
export FTP_PASSWORD=

Create target folders on FTP server

apt-get install ftp
ftp backup.server.com
...login...
mkdir root
mkdir home

Do initial backup

chmod +x backup.sh
./backup.sh
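An added variant of backup.sh, not the original script: it runs the same two duplicity jobs but takes PASSPHRASE and FTP_PASSWORD from a root-only file (assumed here as /etc/backup.secrets, mode 0600) instead of writing them into the script next to the commands, and unsets them afterwards. The DUPLICITY variable is an assumption of this example so the job logic can be exercised without a backup server.

```shell
#!/bin/sh
# Added example, not the original backup.sh: same duplicity jobs, but the GPG
# passphrase and FTP password come from a root-only file instead of the script.
# /etc/backup.secrets (lines PASSPHRASE=... and FTP_PASSWORD=...) and the
# DUPLICITY override are assumptions of this example.
SECRETS=${SECRETS:-/etc/backup.secrets}
TARGET=${TARGET:-ftp://username@backup.server.com}
DUPLICITY=${DUPLICITY:-duplicity}   # overridable so the logic can be tested offline

# Refuse a secrets file that is missing or readable by group or others.
secrets_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# Export PASSPHRASE and FTP_PASSWORD from the file; fail if either is empty.
load_secrets() {
    secrets_file_ok "$1" || { echo "refusing $1: missing or mode not 0600" >&2; return 1; }
    . "$1"
    [ -n "$PASSPHRASE" ] && [ -n "$FTP_PASSWORD" ] || return 1
    export PASSPHRASE FTP_PASSWORD
}

# The two jobs from the notes: /home, then / minus pseudo filesystems and /home.
run_backups() {
    "$DUPLICITY" /home "$TARGET/home" || return 1
    "$DUPLICITY" --exclude /sys --exclude /dev --exclude /mnt --exclude /tmp \
        --exclude /proc --exclude /home / "$TARGET/root"
}

# Drop the secrets from the environment instead of exporting empty values.
clear_secrets() { unset PASSPHRASE FTP_PASSWORD; }

backup_main() {
    load_secrets "$SECRETS" || return 1
    run_backups; rc=$?
    clear_secrets
    return "$rc"
}

# Invoke as: sh backup.sh run
if [ "${1:-}" = run ]; then backup_main; fi
```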

Install Consistency Checker

Based on this article.

Install tripwire

apt-get install tripwire

and answer yes to the 4 questions. Enter the root password for both site and local key.

Edit policy file /etc/tripwire/twpol.txt to:

# These files change the behavior of the root account
(
 rulename = "Root config files",
 severity = 100
)
{
       /root                           -> $(SEC_CRIT) ; # Catch all additions
}

and remove

/etc/rc.boot
/etc/shadow
/proc

Rebuild policy file with

cd /etc/tripwire
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

Initialize tripwire

tripwire --init

Check with

tripwire --check

General Security Updates

Enable shadow passwords

shadowconfig on

Edit the file /etc/network/options to

syncookies=yes

Update permissions

chmod 660 /var/log/btmp

Disable RPC services

update-rc.d portmap remove

Harden system and install checkers (chkrootkit is run by tiger, do not enable its cron):

apt-get install harden-clients 
apt-get install harden-servers
apt-get install tiger chkrootkit

Check the system and maybe change settings and reconfigure. Ignore /dev/log and "PACKET SNIFFER(/sbin/dhclient3)" warnings.

tiger
chkrootkit

Edit /etc/php5/apache2/php.ini to

safe_mode = On
open_basedir = /home

DNS Server

Based in part on this article.

Install bind on secondary server

apt-get install bind9 bind9-doc dnsutils

On the primary server modify the options section of /etc/named.conf [FC4] to:

allow-transfer { ***secondary_IP***; };
query-source address * port 53;

On the primary server modify the zone file to include:

NS ***secondary_name***
***secondary_name*** A ***secondary_IP***

On the secondary server add to /etc/bind/named.conf.local [Debian] the slave zone:

zone "***domain***" {
       type slave;
       file "db.***domain***";
       masters {
        ***primary_IP***;
       };
};

Edit the secondary server options in /etc/bind/named.conf.options to:

query-source address * port 53;

Add firewall rule to /etc/shorewall/rules

DNS/ACCEPT   net     fw
DNS/ACCEPT   fw      net

and restart the firewall

/etc/init.d/shorewall restart

Also configure external firewalls to pass traffic for UDP port 53:

Nr.  Rem.IP  Rem.Port  Loc.Port  Proto  Action
12   All     53        Any       UDP    Allow
13   All     Any       53        UDP    Allow

Restart named servers

service named restart        [FC4]
/etc/init.d/bind9 restart    [Debian]

and check the cache location for the new database to show up:

ls /var/cache/bind

Test DNS service with

dig @***primary_IP*** host.***domain***
dig @***secondary_IP*** host.***domain***

Mailserver

Based in part on this article.

Update PHP

apt-get install php5-pear

Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini

  • change memory limits from 8M to 32M
  • uncomment include_path = ".:/usr/share/php"

Update Pear

pear install DB

Install exim4

apt-get install exim4-daemon-heavy
apt-get --reinstall install exim4-config

Install vexim (see also the download page for the latest version):

adduser --system --uid 99 --group --home /var/opt/vmail vmail
cd /usr/local/src
wget http://silverwraith.com/vexim/vexim2.2RC1.tar.gz
tar xzf vexim2.2RC1.tar.gz
mv vexim2/vexim /usr/share/
chown -R www-data.www-data /usr/share/vexim

Edit vexim2/setup/mysql.sql and replace all occurrences of CHANGE with 99

mysql -u root -p < vexim2/setup/mysql.sql

Edit /usr/share/vexim/config/variables.php to:

$sqlpass = "99";
$imapquotaserver = "{mail.*******.net:143/imap/notls}";
$uid = "99";
$gid = "99";
$domaininput = "dropdown";
$mailmanroot = "http://www.*******.com/mailman";

Install mailman

apt-get install mailman

Use the database root password for

newlist mailman

Edit /etc/mailman/mm_cfg.py to

DEFAULT_URL_PATTERN = 'http://%s/mailman/'
DEFAULT_EMAIL_HOST = 'mail.******.com'
DEFAULT_URL_HOST   = 'www.*******.com'

Create file /etc/apache2/conf.d/mailman.conf

ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/

Add to each virtual host configuration

# mailman
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
<Directory /usr/lib/cgi-bin/mailman>
 Order Deny,Allow
 Allow from all
</Directory>
<Directory /var/lib/mailman/archives/public>
 Order Deny,Allow
 Allow from all
</Directory>
<Directory  /usr/share/images/mailman>
 Order Deny,Allow
 Allow from all
</Directory>

Restart services

/etc/init.d/apache2 restart
/etc/init.d/mailman start

Use the database root password for

mmsitepass <password>

Install spamassassin

apt-get install spamassassin spamc

Edit /etc/default/spamassassin to

ENABLED=1

Edit /etc/spamassassin/local.cf and add

use_bayes=0

Start service with

/etc/init.d/spamassassin start

Install antivirus

apt-get install clamav clamav-freshclam clamav-daemon
usermod -G Debian-exim clamav

Copy Exim configuration with

cp /usr/local/src/vexim2/docs/configure /etc/exim4/exim4.conf
cp /usr/local/src/vexim2/docs/vexim* /etc/exim4/

Edit /etc/exim4/exim4.conf to

MAILMAN_HOME=/var/lib/mailman
MAILMAN_USER=list
MAILMAN_GROUP=daemon
MY_IP = *****
hostlist   relay_from_hosts = localhost : MY_IP
trusted_users = vmail:www-data
hide mysql_servers = localhost::(/var/run/mysqld/mysqld.sock)/vexim/vexim/99
av_scanner = clamd:/var/run/clamav/clamd.ctl
exim_user = Debian-exim
exim_group = Debian-exim
.include /etc/exim4/vexim-acl-check-spf.conf
.include /etc/exim4/vexim-acl-check-helo.conf
.include /etc/exim4/vexim-acl-check-rcpt.conf
.include /etc/exim4/vexim-acl-check-content.conf
.include /etc/exim4/vexim-group-router.conf
user = Debian-exim
group = Debian-exim

Edit /etc/exim4/vexim-acl-check-content.conf and change maildeliver to vmail.

Start the service with

/etc/init.d/exim4 restart

Link the web interface

ln -s /usr/share/vexim /home/www.*****.com/html/vexim

Edit /etc/apache2/sites-available/*****.com to

<Directory /home/www.*****.com/html>
 # ...
 Options -Indexes FollowSymLinks
</Directory>
# vexim
Alias /vexim /usr/share/vexim
<Directory /usr/share/vexim/>
 Order Deny,Allow
 Allow from all
 AllowOverride All
</Directory>
<Directory /home/www.*****.com/html/vexim/>
 Order Deny,Allow
 Allow from all
 AllowOverride All
</Directory>

Install courier:

apt-get install courier-imap courier-imap-ssl courier-auth-mysql courier-pop courier-pop-ssl

Forced installation of authmysql from a .deb file, since the version in etch does not work:

cd
wget http://security.debian.org/debian-security/pool/updates/main/c/courier/courier-authmysql_0.47-4sarge5_i386.deb
apt-get install libmysqlclient12
dpkg --force-all --install courier-authmysql_0.47-4sarge5_i386.deb

Edit /etc/courier/authdaemonrc to

authmodulelist="authmysql"

Edit /etc/courier/authmysqlrc to the following (check the syslog for database errors when connecting via IMAP):

MYSQL_USERNAME vexim
MYSQL_PASSWORD 99
MYSQL_SOCKET /var/run/mysqld/mysqld.sock
MYSQL_PORT 3306
MYSQL_DATABASE vexim
MYSQL_USER_TABLE users
MYSQL_LOGIN_FIELD username
MYSQL_HOME_FIELD pop
MYSQL_NAME_FIELD realname
MYSQL_MAILDIR_FIELD smtp

Create a maildir for mail storage

mkdir /usr/local/mail
chown vmail.vmail /usr/local/mail

Log in with username siteadmin and password CHANGE at

http://www.******.com/vexim

and change the password.

Each virtual domain needs to be added in /etc/mailman/mm_cfg.py

add_virtualhost('host-url', 'email-host')

Copy firewall macros

cp /usr/share/shorewall/macro.* /etc/shorewall

Update firewall /etc/shorewall/rules to

IMAP/ACCEPT net fw
SMTP/ACCEPT net fw

and restart firewall

/etc/init.d/shorewall restart