Setup Basic Apache Web Server in Ubuntu 18.04+ ( LAMP : Linux Apache MySQL PHP)

-






Update all repository and install all updates
:~$ sudo apt-get update && sudo apt-get upgrade


Install LAMP ( Linux Apache MySQL PHP) SERVER

:~$ sudo apt-get install lamp-server^
select *apache

 Ubuntu 16.04 below you will be prompted to create mysql password . After this continue to phpmyadmin installation.
Ubuntu 18.04 check this tutorial : MySQL in Ubuntu 18.04

 :~$ sudo service apache2 restart


 Server should now be accesible in your browser via http://yourip or http:// localhost


Install PHPMyAdmin

:~$  sudo apt-get install phpmyadmin
For Ubuntu 16.04 below you will be prompted to supply mysql password and supply phpmyadmin user password.

 For Ubuntu 18.04 you need to create mysql user and password for phpmyadmin.
See how here : https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql
For Ubuntu 9.10++ and Apache2, the corresponding setting is located in the file /etc/apache2/conf-available/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf.

:~$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf

 The file contains
Alias /phpmyadmin /usr/share/phpmyadmin
where the first /phpmyadmin should be changed to something different if one wants to avoid the unnecessary activity, e.g.:
Alias /secret /usr/share/phpmyadmin

 :~$ sudo service apache2 restart

 phpmyadmin should now be accesible in your browser via http://ip/secret




Allow enable mod_rewrite

:~$  sudo a2enmod rewrite
:~$  sudo nano /etc/apache2/apache2.conf
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
:~$ sudo service apache2 restart
Change Document Root
:~$ sudo nano /etc/apache2/sites-enabled/000-default.conf
Default is DocumentRoot /var/www/html
:~$ sudo service apache2 restart

Hide Apache Version and OS Identity from Errors

When you install Apache with source or any other package installers like yum, it displays the version of your Apache web server installed on your server with the Operating system name of your server in Errors. It also shows the information about Apache modules installed in your server.
Prevent Apache to not to display these information to the world, we need to make some changes in Apache main configuration file.
Open configuration file with vim or nano editor and search for “ServerSignature“, its by default On. We need to Off these server signature and the second line “ServerTokens Prod” tells Apache to return only Apache as product in the server response header on the every page request, It suppress the OS, major and minor version info.
:~$ sudo nano /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off

 TraceEnable Off
:~$ sudo service apache2 restart

Disable Directory Listing

By default Apache list all the content of Document root directory in the absence of index file.
We can turn off directory listing by using Options directive in configuration file for a specific directory. For that we need to make an entry in httpd.conf or apache2.conf file.
:~$ sudo nano /etc/apache2/apache2.conf
<Directory /var/www/>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
:~$ sudo service apache2 restart
Web Directory Group Owner
:~$ sudo adduser <username> www-data
For security reasons, it's probably better keep /var/www owned by root:root,
so instead of sudo chown -R www-data:www-data /var/www it better be
:~$ sudo chgrp -R www-data /var/www/
This is what I do to ensure that all files created keep the current user and permissions (it’s really lame to create new files, say from Git, and then have to update the user, groups and permissions of the new files every time to ensure they can be run by the server)
:~$ sudo chmod -R g+rws /var/www/

Firewall - UFW

A good place to start is to install a Firewall.
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use  Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.

Install UFW and enable, open a terminal window and enter :

:~$ sudo apt-get install ufw

Allow SSH and Http services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp

Enable the firewall.
:~$ sudo ufw enable

Check the status of the firewall.

:~$ sudo ufw status verbose

POSTFIX


Remove sendmail
:~$ sudo apt-get purge sendmail*

:~$ sudo apt-get install postfix mailutils

Adjust Firewall
:~$ sudo ufw allow Postfix

Internet Site

:~$ sudo nano /etc/postfix/main.cf

Update into these:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile =  /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes


smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = yourdomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, yourhostname, localhost.$mydomain, $mydomain
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all


:~$ sudo nano /etc/postfix/sasl_passwd

And add following line:

[smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD

Fix permission and update postfix config to use sasl_passwd file:

:~$ sudo chmod 400 /etc/postfix/sasl_passwd
:~$ sudo postmap /etc/postfix/sasl_passwd
Next, validate certificates to avoid running into error. Just run following command:

:~$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Finally, reload postfix config for changes to take effect:

:~$ sudo /etc/init.d/postfix reload

:~$ sudo reboot 

Test using this command:
:~$ echo "This is the body of the email" | mail -s "This is the subject line" emailtoreceive@domain.com

Forwarding System Mail


The last thing we want to set up is forwarding, so you'll get emails sent to root on the system at your personal, external email address.

To configure Postfix so that system-generated emails will be sent to your email address, you need to edit the /etc/aliases file.

:~$ sudo nano /etc/aliases

The full contents of the file on a default installation of Ubuntu 16.04 are as follows:

/etc/aliases
# See man 5 aliases for format
postmaster:    root

With that setting, system generated emails are sent to the root user. What you want to do is edit it so that those emails are rerouted to your email address. To accomplish that, edit the file so that it reads:

/etc/aliases
# See man 5 aliases for format
postmaster:    root
root:          your_email_address

Replace your_email_address with your personal email address. When finished, save and close the file. For the change to take effect, run the following command:

:~$ sudo newaliases

You may now test that it works by sending an email to the root account using:

:~$ echo "This is the body of the email" | mail -s "This is the subject line" root

To check email logs

:~$ sudo tail -f /var/log/mail.log
 

 CONTINUE : Web Server Security Hardening

Comments

Post a Comment

Popular posts from this blog

CakePHP 4: Firebase Cloud Messaging Component in CakePHP for Push Notification

-
Image
Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using this link and receive $100 in cloud credits: https://m.do.co/t/335732d1df0b <?php namespace   App\Controller\Component ; use  Cake\Controller\ Component ; use  Cake\Http\ Client ; class   FirebaseComponent   extends   Component {         public   function   headers () {         $header  =    [ 'headers'   =>    [                                          'Accept'   =>   'application/json' ,                                          'Content-Type'   =>   'application/json' ,                                          'Authorization'   =>   'key=AAAAeh0kVhs4ums9A0SYyO2xbCgXvT_jfUUi-0jXs0GfMpZ5DZPqKylqht-TPXGPiqFVj81hBPLL_st9NkjspAarhbfufFHBQN_7'                                     ]                     ];          return  $header;     }      public   function   sendSingleNotification ()  //FCM     {         $fcToken  =   'e_tHOI1XT3udZvMYS
Read more

CakePHP 4 : Using Component inside Command ( Shell )

-
Image
Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using this link and receive $100 in cloud credits: https://m.do.co/t/335732d1df0b src>Command>AppCommand.php <?php namespace   App\Command ; use  Cake\Console\ Arguments ; use  Cake\Console\ Command ; use  Cake\Console\ ConsoleIo ; use  Cake\Console\ ConsoleOptionParser ; use  Cake\Http\ Client ; use  Cake\Log\ Log ; //need this two line use  Cake\Controller\ ComponentRegistry ; use  App\Controller\Component\ FirebaseComponent ; class   AppCommand   extends   Command {      protected   function   buildOptionParser ( ConsoleOptionParser  $parser) :   ConsoleOptionParser     {         $parser -> addArgument ( 'command' , [ 'help'   =>   'What your parameter?' ]);         $parser -> addArgument ( 'params' , [ 'help'   =>   'What your parameter?' ]);          return  $parser;     }      public   function   execute ( Arguments  $args,  ConsoleIo  $io
Read more

CakePHP: COUNT data and GROUP BY date

-
Image
Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using this link and receive $100 in cloud credits: https://m.do.co/t/335732d1df0b Goal: Count Tip Offs created per day for a month to use for graph Problem: created field name is in datetime format: Y-m-d H:i:s Solution: format SQL Query date: DATE_FORMAT(TipOff.created, '%Y-%m-%d') Inside the function of controller <?php $ tipOffsMonthly = $ this -> TipOff -> find( ' all ' , array ( ' conditions ' => array ( ' AND ' => array ( ' TipOff.electric_cooperatives_id ' => AuthComponent :: User ( ' electric_cooperatives_id ' ) , ' TipOff.created BETWEEN ? AND ? ' => array ( $ first_day , $ last_day ) ) ) ,
Read more