Setup (LAMP) Apache Web Server in Ubuntu 13.04+
Update all repositories and install all updates
:~$ sudo apt-get update && sudo apt-get upgrade
Install LAMP SERVER
:~$ sudo apt-get install lamp-server^
select *apache
create mysql password
:~$ sudo service apache2 restart
Server should now be accessible in your browser via http://yourip or http://localhost
:~$ sudo apt-get install phpmyadmin
For Ubuntu 16.04+:
:~$ sudo apt-get install phpmyadmin php-mbstring php-gettext
supply mysql password
supply phpmyadmin user password
For Ubuntu 9.10++ and Apache2, the corresponding setting is located in the file /etc/apache2/conf-available/phpmyadmin.conf which is a link to /etc/phpmyadmin/apache.conf.
:~$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf
The file contains
Alias /phpmyadmin /usr/share/phpmyadmin
where the first /phpmyadmin should be changed to something different if one wants to avoid unnecessary activity against the well-known default path, e.g.:
Alias /secret /usr/share/phpmyadmin
:~$ sudo service apache2 restart
phpMyAdmin should now be accessible in your browser via http://ip/secret
Enable mod_rewrite
:~$ sudo a2enmod rewrite
:~$ sudo nano /etc/apache2/apache2.conf
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
:~$ sudo service apache2 restart
Change Document Root
:~$ sudo nano /etc/apache2/sites-enabled/000-default.conf
Default is DocumentRoot /var/www/html
:~$ sudo service apache2 restart
Hide Apache Version and OS Identity from Errors
When you install Apache from source or with a package installer such as yum, its error pages display the version of the Apache web server installed, along with the operating system name of your server. They also show information about the Apache modules installed on your server.
To prevent Apache from displaying this information to the world, we need to make some changes in the main Apache configuration file.
Open the configuration file with the vim or nano editor and search for "ServerSignature", which is On by default. We need to turn this server signature Off. The second line, "ServerTokens Prod", tells Apache to return only "Apache" as the product in the Server response header on every page request; it suppresses the OS and the major and minor version info.
:~$ sudo nano /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
:~$ sudo service apache2 restart
Disable Directory Listing
By default Apache lists all the content of the document root directory in the absence of an index file.
We can turn off directory listing by using the Options directive in the configuration file for a specific directory. For that we need to make an entry in the httpd.conf or apache2.conf file.
:~$ sudo nano /etc/apache2/apache2.conf
<Directory /var/www/>
Options -Indexes
AllowOverride All
Require all granted
</Directory>
:~$ sudo service apache2 restart
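The script below is an added example, not part of the original page: it audits Apache configuration files for the settings changed so far (ServerTokens, ServerSignature, directory listing and the phpMyAdmin alias). The function names and the sample file are constructed for illustration; on a real server pass it the files edited above, such as /etc/apache2/apache2.conf and /etc/apache2/conf-enabled/security.conf.

```bash
#!/bin/sh
# Added example (not from the original page): audit Apache config files.

# Last effective value of a single-value directive (names are case-insensitive).
directive_value() {  # usage: directive_value <name> <file>...
  d=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
  awk -v d="$d" '/^[ \t]*#/ {next} tolower($1)==d {v=tolower($2)} END {print v}' "$@"
}

# <Directory> blocks whose Options line still turns Indexes on.
dirs_with_indexes() {
  awk '/^[ \t]*#/ {next}
    tolower($1)=="<directory"   {dir=$2; sub(/>$/,"",dir); next}
    tolower($1)=="</directory>" {dir=""; next}
    dir!="" && tolower($1)=="options" {
      for (i=2; i<=NF; i++) if (tolower($i) ~ /^\+?indexes$/) {print dir; break}
    }' "$@"
}

# URL path(s) aliased to the phpMyAdmin install directory.
phpmyadmin_alias() {
  awk '/^[ \t]*#/ {next}
    tolower($1)=="alias" && $3 ~ /\/usr\/share\/phpmyadmin\/?$/ {print $2}' "$@"
}

# Print one FAIL line per finding; exit status 0 only if everything passes.
audit_apache() (
  fail=0
  [ "$(directive_value ServerTokens "$@")" = prod ]   || { echo "FAIL ServerTokens is not Prod"; fail=1; }
  [ "$(directive_value ServerSignature "$@")" = off ] || { echo "FAIL ServerSignature is not Off"; fail=1; }
  idx=$(dirs_with_indexes "$@")
  [ -z "$idx" ] || { echo "FAIL directory listing enabled for: $idx"; fail=1; }
  if phpmyadmin_alias "$@" | grep -qx /phpmyadmin; then echo "FAIL phpMyAdmin on default /phpmyadmin"; fail=1; fi
  [ "$fail" -eq 0 ]
)

# Constructed sample: hardened settings, but the first /var/www block (Indexes on).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ServerTokens Prod
ServerSignature Off
Alias /secret /usr/share/phpmyadmin
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
EOF
audit_apache "$SAMPLE" || echo "audit found problems"
```

On the constructed sample it reports only the directory listing finding, because that block still carries Options Indexes.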
Web Directory Group Owner
:~$ sudo adduser <username> www-data
For security reasons, it's probably better to keep /var/www owned by root:root, so instead of sudo chown -R www-data:www-data /var/www it is better to run
:~$ sudo chgrp -R www-data /var/www
This is what I do to ensure that all files created keep the current user and permissions (it’s really lame to create new files, say from Git, and then have to update the user, groups and permissions of the new files every time to ensure they can be run by the server)
:~$ sudo chmod -R g+rws /var/www
Firewall - UFW
A good place to start is to install a firewall.
UFW (Uncomplicated Firewall) is a basic firewall that works very well and is easy to configure with its firewall configuration tool, gufw. Alternatively, use Shorewall, fwbuilder, or Firestarter.
Use the Firestarter GUI to configure your firewall, or refer to the Ubuntu Server Guide, the UFW manual pages or the Ubuntu UFW community documentation.
To install and enable UFW, open a terminal window and enter:
:~$ sudo apt-get install ufw
Allow SSH and HTTP services.
:~$ sudo ufw allow ssh
:~$ sudo ufw allow http
:~$ sudo ufw allow https/tcp
Enable the firewall.
:~$ sudo ufw enable
Check the status of the firewall.
:~$ sudo ufw status verbose
Postfix
Remove sendmail
:~$ sudo apt-get purge sendmail*
:~$ sudo apt-get install postfix mailutils
Adjust Firewall
:~$ sudo ufw allow Postfix
Internet Site
:~$ sudo nano /etc/postfix/main.cf
Update it to contain these settings:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = yourdomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, yourhostname, localhost.$mydomain, $mydomain
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
:~$ sudo nano /etc/postfix/sasl_passwd
And add the following line:
[smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD
Fix permissions and update the Postfix config to use the sasl_passwd file:
:~$ sudo chmod 400 /etc/postfix/sasl_passwd
:~$ sudo postmap /etc/postfix/sasl_passwd
Next, validate certificates to avoid running into errors. Just run the following command:
:~$ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
Finally, reload the Postfix config for the changes to take effect:
:~$ sudo /etc/init.d/postfix reload
:~$ sudo reboot
Test using this command:
:~$ echo "This is the body of the email" | mail -s "This is the subject line" emailtoreceive@domain.com
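The script below is an added example, not part of the original page: it checks the relay setup configured above, namely that sasl_passwd and the sasl_passwd.db map built by postmap grant nothing to group or other, that the relayhost has a credential entry, and that smtp_use_tls and inet_interfaces match the values shown. The function names and the temporary sample files are constructed for illustration; on a real server run audit_relay /etc/postfix/main.cf as root.

```bash
#!/bin/sh
# Added example (not from the original page): audit the Gmail relay setup above.

# Value of a main.cf parameter; the last assignment wins.
postconf_value() {  # usage: postconf_value <param> <main.cf>
  awk -v p="$1" '{ k=$0; sub(/[ \t]*=.*/, "", k) }
    k==p { v=$0; sub(/^[^=]*=[ \t]*/, "", v) } END { print v }' "$2"
}

# True if the file exists and grants nothing to group or other.
is_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one FAIL line per finding; exit status 0 only if everything passes.
audit_relay() (  # usage: audit_relay <main.cf>
  cf=$1; fail=0
  map=$(postconf_value smtp_sasl_password_maps "$cf"); map=${map#hash:}
  # postmap gives a new .db the group/other read bits of its source file,
  # so a .db built before the chmod stays readable until it is fixed too.
  for f in "$map" "$map.db"; do
    is_private "$f" || { echo "FAIL $f missing or open to group/other"; fail=1; }
  done
  relay=$(postconf_value relayhost "$cf")
  awk -v r="$relay" '$1==r {ok=1} END {exit !ok}' "$map" ||
    { echo "FAIL no sasl_passwd entry for relayhost $relay"; fail=1; }
  [ "$(postconf_value smtp_use_tls "$cf")" = yes ] ||
    { echo "FAIL smtp_use_tls is not yes"; fail=1; }
  [ "$(postconf_value inet_interfaces "$cf")" = loopback-only ] ||
    { echo "FAIL inet_interfaces is not loopback-only"; fail=1; }
  [ "$fail" -eq 0 ]
)

# Constructed sample in a temp dir; the .db is a dummy file left at mode 644
# to stand in for a map built before the chmod.
DEMO=$(mktemp -d)
cat > "$DEMO/main.cf" <<EOF
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$DEMO/sasl_passwd
smtp_use_tls = yes
relayhost = [smtp.gmail.com]:587
inet_interfaces = loopback-only
EOF
echo '[smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD' > "$DEMO/sasl_passwd"
chmod 400 "$DEMO/sasl_passwd"
: > "$DEMO/sasl_passwd.db"; chmod 644 "$DEMO/sasl_passwd.db"
audit_relay "$DEMO/main.cf" || echo "audit found problems"
```

The only finding on the constructed sample is the world-readable sasl_passwd.db; the check covers the page's smtp_use_tls setting only, not smtp_tls_security_level.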
Forwarding System Mail
The last thing we want to set up is forwarding, so you'll get emails sent to root on the system at your personal, external email address.
To configure Postfix so that system-generated emails will be sent to your email address, you need to edit the /etc/aliases file.
:~$ sudo nano /etc/aliases
The full contents of the file on a default installation of Ubuntu 16.04 are as follows:
/etc/aliases
# See man 5 aliases for format
postmaster: root
With that setting, system-generated emails are sent to the root user. What you want to do is edit it so that those emails are rerouted to your email address. To accomplish that, edit the file so that it reads:
/etc/aliases
# See man 5 aliases for format
postmaster: root
root: your_email_address
Replace your_email_address with your personal email address. When finished, save and close the file. For the change to take effect, run the following command:
:~$ sudo newaliases
You may now test that it works by sending an email to the root account using:
:~$ echo "This is the body of the email" | mail -s "This is the subject line" root
To check the email logs:
:~$ sudo tail -f /var/log/mail.log