Setup Basic Apache Web Server in Ubuntu 13.04+

Update all repository and install all updates
:~$ sudo apt-get update && sudo apt-get upgrade


:~$ sudo apt-get install lamp-server^
select *apache
create mysql password

:~$ sudo service apache2 restart

Server should now be accesible in your browser via http://yourip or http:// localhost

Install PHPMyAdmin

:~$  sudo apt-get install phpmyadmin

for Ubuntu 16.04++

:~$  sudo apt-get install phpmyadmin php-mbstring php-gettext
supply mysql password
supply phpmyadmin user password
For Ubuntu 9.10++ and Apache2, the corresponding setting is located in the file /etc/apache2/conf-available/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf.

:~$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf

The file contains
Alias /phpmyadmin /usr/share/phpmyadmin
where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:
Alias /secret /usr/share/phpmyadmin

:~$ sudo service apache2 restart

phpmyadmin should now be accesible in your browser via http://ip/secret

Allow enable mod_rewrite

:~$  sudo a2enmod rewrite
:~$  sudo nano /etc/apache2/apache2.conf

<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted

:~$ sudo service apache2 restart
Change Document Root
:~$ sudo nano /etc/apache2/sites-enabled/000-default.conf
Default is DocumentRoot /var/www/html
:~$ sudo service apache2 restart

Hide Apache Version and OS Identity from Errors

When you install Apache with source or any other package installers like yum, it displays the version of your Apache web server installed on your server with the Operating system name of your server in Errors. It also shows the information about Apache modules installed in your server.
Prevent Apache to not to display these information to the world, we need to make some changes in Apache main configuration file.
Open configuration file with vim or nano editor and search for “ServerSignature“, its by default On. We need to Off these server signature and the second line “ServerTokens Prod” tells Apache to return only Apache as product in the server response header on the every page request, It suppress the OS, major and minor version info.
:~$ sudo nano /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
:~$ sudo service apache2 restart

Disable Directory Listing

By default Apache list all the content of Document root directory in the absence of index file.

We can turn off directory listing by using Options directive in configuration file for a specific directory. For that we need to make an entry in httpd.conf or apache2.conf file.

:~$ sudo nano /etc/apache2/apache2.conf
<Directory /var/www/>
Options -Indexes
AllowOverride All
Require all granted
:~$ sudo service apache2 restart

Web Directory Group Owner
:~$ sudo adduser <username> www-data

For security reasons, it's probably better keep /var/www owned by root:root,
so instead of sudo chown -R www-data:www-data /var/www it better be
:~$ sudo chgrp -R www-data /var/www

This is what I do to ensure that all files created keep the current user and permissions (it’s really lame to create new files, say from Git, and then have to update the user, groups and permissions of the new files every time to ensure they can be run by the server)
:~$ sudo chmod -R g+rws /var/www

Firewall - UFW

A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use  Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.

Install UFW and enable, open a terminal window and enter :

:~$ sudo apt-get install ufw

Allow SSH and Http services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp

Enable the firewall.
:~$ sudo ufw enable

Check the status of the firewall.

:~$ sudo ufw status verbose


Remove sendmail
:~$ sudo apt-get purge sendmail*

:~$ sudo apt-get install postfix mailutils

Adjust Firewall
:~$ sudo ufw allow Postfix

Internet Site

:~$ sudo nano /etc/postfix/

Update into these:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile =  /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, yourhostname, localhost.$mydomain, $mydomain
relayhost = []:587
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

:~$ sudo nano /etc/postfix/sasl_passwd

And add following line:


Fix permission and update postfix config to use sasl_passwd file:

:~$ sudo chmod 400 /etc/postfix/sasl_passwd
:~$ sudo postmap /etc/postfix/sasl_passwd
Next, validate certificates to avoid running into error. Just run following command:

:~$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Finally, reload postfix config for changes to take effect:

:~$ sudo /etc/init.d/postfix reload

:~$ sudo reboot 

Test using this command:
:~$ echo "This is the body of the email" | mail -s "This is the subject line"

Forwarding System Mail

The last thing we want to set up is forwarding, so you'll get emails sent to root on the system at your personal, external email address.

To configure Postfix so that system-generated emails will be sent to your email address, you need to edit the /etc/aliases file.

:~$ sudo nano /etc/aliases

The full contents of the file on a default installation of Ubuntu 16.04 are as follows:

# See man 5 aliases for format
postmaster:    root

With that setting, system generated emails are sent to the root user. What you want to do is edit it so that those emails are rerouted to your email address. To accomplish that, edit the file so that it reads:

# See man 5 aliases for format
postmaster:    root
root:          your_email_address

Replace your_email_address with your personal email address. When finished, save and close the file. For the change to take effect, run the following command:

:~$ sudo newaliases

You may now test that it works by sending an email to the root account using:

:~$ echo "This is the body of the email" | mail -s "This is the subject line" root

To check email logs

:~$ sudo tail -f /var/log/mail.log

CONTINUE : Web Server Security Hardening
Post a Comment

Popular posts from this blog

CakeAdminLTE is based on AdminLTE Theme for CakePHP 2.4+

CakePHP: COUNT data and GROUP BY date

CakePHP: Calling function from other controller