Debian 7 Wheezy Dedicated Web Server Setup Step by Step: About The Author

Connect using SSH
Change root password

Debian 7 Wheezy Dedicated Web
Server Setup Step by Step
May 16th, 2013 136,411
Debian 7.0 Wheezy has been officially released on May 5, 2013.
Wheezy is powered by Linux kernel 3.2 and multiarch support.
Concerning LAMP software, Apache 2.2.22 MySQL 5.5.30 and
PHP 5.4.4 are included. Debian 7 supports systemd. More
information here.
In this post I describe a dedicated server setup, using Debian
Wheezy. It is a Hetzner EX4S dedicated server with IP
144.76.70.100 My blog, my company website and some other web
projects will be hosted in this server.
I use Dyn.com for all my DNS and e-MAIL needs, so I will not
setup bind name server or a full blown mail server. Default Debian
MTA (exim4) is enough for the server to send emails.
I selected a minimal Debian amd64 server (basic Debian system
and SSH). Thanks to Hetzner staff, the server was up and running
in less than an hour. As usual, they sent me the IP and root
password. Below I describe the whole procedure after this point.
This is the first and should be the last time you are remotely
connected with the server as root:
Use:
About the author
Christos Pontikis
452 followers
Follow
1 ssh 144.76.70.100 -l root
1 passwd
Find us on Facebook
pontikis.net
3,456 people like pontikis.net.
Facebook social plugin
Like Like
pontikis.net
Tech blog &
Web labs
Home Blog Tips Labs About
Debian 7 Wheezy Dedicated Web Server Setup St... http://www.pontikis.net/blog/debian-wheezy-web-...
1 sur 19 16/10/2014 20:49
remove /robot.sh
Perform a full system update
Update files database
Color Bash Prompt
This step concerns only Hetzner servers.
/etc/rc2.d/S99Zrobot (symbolic link to /robot.sh) is just for reporting
a successful install and should normally have been removed
immediately. Remove them in case has been not automatically
removed.
If /robot.sh is present, apt-get will fail with the following message
Using apt-get:
Use:
To add color to bash prompt, you can follow this guide, where a
global solution is provided (recommended).
As an alternative:
To add color to common user prompt:
uncomment #force_color_prompt=yes
To add red color to root prompt:
1
2
mv /robot.sh /robot.sh.bak
rm /etc/rc2.d/S99Zrobot
1 insserv: warning: script 'S99Zrobot' missing LSB tags and overrid
1 apt-get update && apt-get -V upgrade
1 updatedb
1
2
cd /home/pontikis
nano .bashrc
1
2
3
...
force_color_prompt=yes
...
1 cd /root
2 sur 19 16/10/2014 20:49
Customize nano text editor
Install systemd
Install ntp (Network Time Protocol)
Set server timezone
Set PS1 as follows:
Also, find # You may uncomment the following lines if you want `ls'
to be colorized: and uncomment the following lines
To see the changes you have to logoff and login again, or go to
home and give
To dislpay line numbers, uncomment # set const
Use:
Update grub and reboot
Modify GRUB_CMDLINE_LINUX_DEFAULT adding init=/bin
/systemd
Finally
Using apt-get
2 nano .bashrc
1 PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033
1 . .bashrc
1 nano /etc/nanorc
1
2
# set const
set const
1 apt-get install systemd
1 nano /etc/default/grub
1 GRUB_CMDLINE_LINUX_DEFAULT="nomodeset init=/bin/systemd"
1 update-grub && reboot
1 apt-get install ntp
3 sur 19 16/10/2014 20:49
Install webmin
Create common user
Using dpkg
From http://wiki.debian.org/TimeZoneChanges
Restarting Daemons and Long-Running Programs
After the zoneinfo files are updated, you may need to restart
daemons and other long-running programs to get them to
use the new zone information. Examples of such programs
include apache, bind, cron, fetchmail -d, inetd, mailman,
sendmail, and sysklogd. A common symptom of this problem
is seeing incorrect timestamps mixed in with the correct
timestamps in your log files (e.g. /var/log/syslog). Even
interactive programs like "mutt" may continue to use the old
timezone information until they are restarted.
For example, restart cron
An easier way is to restart your system
REMARK: Server date and time settings are very important for
services like Amazon S3 backup, OpenVPN, NFS etc, where
"client" and "server" machines must have the same settings.
Add the following lines to /etc/apt/sources.list
Add apt key:
Finally
You can use webmin interface (recommended)
1 dpkg-reconfigure tzdata
1 systemctl restart cron.service
1 reboot
1
2
deb http://download.webmin.com/download/repository
deb http://webmin.mirror.somersettechsolutions.co.uk/repository
1
2
3
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
1
2
apt-get update
apt-get install webmin
4 sur 19 16/10/2014 20:49
Harden SSH
SSH key based authentication
Otherwise, you can use adduser srcipt
or the original linux commands
It is also important to create a Webmin user (pontikis in my case),
to avoid login to Webmin as root.
Edit SSH configuration:
Make the following changes
Restart SSH
To connect from workstation to server machine, add your public
key to server.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
adduser pontikis
Adding user `pontikis' ...
Adding new group `pontikis' (1001) ...
Adding new user `pontikis' (1001) with group `pontikis'
Creating home directory `/home/pontikis' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pontikis
Enter the new value, or press ENTER for the default
Full Name []: Christos Pontikis
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
1
2
3
groupadd pontikis
useradd -m -g pontikis -s /bin/bash pontikis
passwd pontikis
1 nano /etc/ssh/sshd_config
1
2
3
4
5
6
7
...
PermitRootLogin no
...
X11Forwarding no
...
AllowUsers pontikis ...
...
1 systemctl restart ssh.service
1 ssh-copy-id -i ~/.ssh/id_rsa.pub 144.76.70.100
5 sur 19 16/10/2014 20:49
Change hostname
Harden kernel using /etc/sysctl.conf
Add the hostname (cosmos.medisign.com in my case) to
/etc/hostname and /etc/hosts so local address(es) resolves with the
new system name and reboot.
It was a pleasant surprise to see that Hetzner default installation
was included important changes to /etc/sysctl.conf:
I will only add
Just in case, default Debian /etc/sysctl.conf is a text file with all
extra settings commented. See here.
If you want to make changes, you have two options:
First method (recommended): create a file /etc/sysctl.d
/local.conf and reboot
Alternative method: make direct changes to /etc/sysctl.conf
and activate them with sysctl -p (without reboot.)
The contents of /etc/sysctl.d/local.conf should be:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
### Hetzner Online AG installimage
# sysctl config
#net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
# ipv6 settings (no autoconfiguration)
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.forwarding=0
1 net.ipv4.tcp_syncookies = 1
1
2
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
6 sur 19 16/10/2014 20:49
Install exim4 MTA
Using apt-get:
Configure exim
Change default option "local delivery only" to "internet site"
Set system mail name: (cosmos.medisign.com in my case)
Accept the default settings in the remaining steps.
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
# ADD THE LINE
# ignore echo broadcast requests to prevent being part of smurf
net.ipv4.icmp_echo_ignore_broadcasts=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies=1
# ipv6 settings (no autoconfiguration)
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.forwarding=0
1 apt-get install exim4
1 dpkg-reconfigure exim4-config
7 sur 19 16/10/2014 20:49
Forward root mail
iptables firewall
(click the thumb for full image)
It is important as various software and services send mail to inform
root for results or errors (cron for example).
Then, rebuild aliases:
Using webmin
or using command line
this is just an example with the most common rules
1 nano /etc/aliases
1
2
...
root:pontikis@gmail.com
1 newaliases
1 nano /etc/iptables-up.rules
8 sur 19 16/10/2014 20:49
REMARK: rules -A INPUT -j LOG and -A FORWARD -j LOG force
iptables to keep log and needed if psad is used. See details in this
post.
To load these rules to iptables firewall:
To save iptables firewall active rules:
To load these rules on startup:
add to eth0 interface
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Generated by iptables-save v1.4.14 on Fri May 17 20:09:12 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [189:103951]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -j LOG
COMMIT
# Completed on Fri May 17 20:09:12 2013
*mangle
:PREROUTING ACCEPT [49770:4531554]
:INPUT ACCEPT [49770:4531554]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48931:39133213]
:POSTROUTING ACCEPT [48931:39133213]
COMMIT
*nat
:PREROUTING ACCEPT [4223:278291]
:INPUT ACCEPT [1650:94585]
:OUTPUT ACCEPT [2836:192019]
:POSTROUTING ACCEPT [2836:192019]
COMMIT
1 iptables-restore < /etc/iptables.up.rules
1 iptables-save > /etc/iptables.up.rules
1 nano /etc/network/interfaces
1
2
...
post-up iptables-restore < /etc/iptables.up.rules
9 sur 19 16/10/2014 20:49
MySQL community database server
Install Apache web server
Using apt-get:
After installation, run:
mysql_secure_installation sets a root password (if not exists),
removes anonymous users, disables non-local root access,
removes the test database and access rules related to it and finally
reloads privileges.
REMARK: restart MySQL using systemctl restart mysql.service
Using apt-get:
Enable mod_rewrite and mod_deflate (gzip compression)
Config virtual hosts (settings may vary according to your needs)
Add your IP
Create virtual hosts. This is just an example:
1 apt-get install mysql-server
1 mysql_secure_installation
1 apt-get install apache2 apache2-mpm-prefork
1
2
a2enmod rewrite
a2enmod deflate
1 nano /etc/apache2/ports.conf
1 NameVirtualHost 144.76.70.100:80
1 nano /etc/apache2/sites-available/www.pontikis.net
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<VirtualHost 144.76.70.100:80>
ServerName www.pontikis.net
ServerAdmin christos@pontikis.net
DocumentRoot /var/www/pontikis.net
<Directory /var/www/pontikis.net>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/pontikis.net_error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/pontikis.net_access.log combined
ErrorDocument 404 /404/
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no
10 sur 19 16/10/2014 20:49
Awstats log analyzer
php
Enable site
Restart Apache
Using apt-get:
Details in a future post soon.
Using apt-get:
Enable php error log. Log file must be writable from Apache. So:
Edit php.ini
uncomment ;error_log:
Remember to rotate /var/log/php/php_errors.log:
add the following:
Install MySQL Native Driver (mysqlnd)
22
23
24
25
26
27
28
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</VirtualHost>
1 a2ensite www.pontikis.net
1 systemctl restart apache2.service
1 apt-get install awstats
1 apt-get install php5
1
2
mkdir /var/log/php
chown www-data /var/log/php
1 nano /etc/php5/apache2/php.ini
1 error_log = /var/log/php/php_errors.log
1 nano /etc/logrotate.d/php
1
2
3
4
5
6
7
/var/log/php/php_errors.log {
weekly
missingok
rotate 4
notifempty
create
}
11 sur 19 16/10/2014 20:49
Install memcached
REMARK: If, for any reason, you don't want mysqlnd, try apt-get
install php5-mysql instead.
Install php adodb extension.
Install php GD library
Config mbstring
Harden PHP setup (settings may vary according to your needs)
Restart Apache
Using apt-get:
Install phpMemcachedAdmin (optional):
You may want to restrict access to this directory using .htaccess
1 apt-get install php5-mysqlnd
1 apt-get install php5-adodb
1 apt-get install php5-gd
1 nano /etc/php5/conf.d/mbstring-settings.ini
1
2
3
4
5
6
7
8
9
[mbstring]
mbstring.language = English
mbstring.internal_encoding = UTF-8
mbstring.encoding_translation = On
mbstring.http_input = UTF-8,SJIS,EUC-JP
mbstring.http_output = UTF-8
mbstring.detect_order = UTF-8,ASCII,JIS,SJIS,EUC-JP
mbstring.substitute_character = none
mbstring.func_overload = 0
1 nano /etc/php5/conf.d/security.ini
1
2
3
4
5
6
7
8
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = escapeshellarg, escapeshellcmd,passthru, proc
1
2
apt-get install memcached php5-memcached
systemctl restart apache2.service
1
2
3
4
5
6
mkdir /var/www/phpMemcachedAdmin
cd /var/www/phpMemcachedAdmin
wget http://phpmemcacheadmin.googlecode.com/files/phpMemcachedAdm
tar -xvzf phpMemcachedAdmin-1.2.2-r262.tar.gz
chmod +r *
chmod 0777 Config/Memcache.php
12 sur 19 16/10/2014 20:49
Install Alternative PHP Cache (APC)
Install database manager
Install git
Install s3cmd for Amazon backup
Using apt-get:
Edit configuration (optional)
After extension=apc.so, add the following (modify them according
to your needs)
Restart Apache
phpMyAdmin and adminer are popular. I prefer adminer:
You may want to restrict access to this directory using .htaccess
Using apt-get:
Using apt-get:
REMARK: There is a serious BUG with current Debian version of
s3cmd (1.1.0-beta3) in multipart uploads to Amazon S3 (mainly
using cron). Some changes must be done to /usr/share/s3cmd
1 apt-get install php-apc
1 nano /etc/php5/conf.d/20-apc.ini
1
2
3
4
5
6
7
8
extension=apc.so
apc.enabled=1
apc.shm_size=128M
apc.ttl=3600
apc.user_ttl=7200
apc.gc_ttl=3600
apc.max_file_size=1M
1
2
mkdir /var/www/adminer
wget http://downloads.sourceforge.net/adminer/adminer-3
1 apt-get install git
1 apt-get install s3cmd
13 sur 19 16/10/2014 20:49
Various tools
Deploy Projects
Backup software
Simple system monitoring tools
/S3/S3.py. The patch is available here.
Configure s3cmd with your Amazon credentials
Using apt-get:
I use git and Github to deploy my projects (either public or
private). For example to deploy my blog in the new server:
Furthermore, to update this project in the future:
User pontikis public rsa key must be added to github. Details here.
There are many backup solutions available. I use bash-cloud-
backup.
bash-cloud-backup is a set of bash scripts, which can be used to
automate local and cloud backup in Linux/Unix machines. I use
Amazon S3 as cloud backup solution.
Get email notifications for updates
More details in this post.
1
2
cd /root
s3cmd --configure
1 apt-get install mc p7zip-full htop sysstat
1
2
3
chown -R pontikis:pontikis /var/www
cd /var/www
git clone git@github.com:pontikis/pontikis.net.git
1
2
3
cd /var/www/pontikis.net
git fetch
git merge origin/master
1
2
3
apt-get install apticron
apt-get install update-notifier-common
apt-get install debian-goodies
14 sur 19 16/10/2014 20:49
Simple intrusion detection techniques
Simple intrusion prevention techniques
Security and system auditing tool
Logwatch
Logwatch is a customizable log analysis system. Logwatch parses
through your system's logs and creates a report analyzing areas
that you specify.
Using apt-get:
Configuration:
rkhunter
fail2ban
fail2ban scans log files and bans IPs that show the malicious
signs, for example too many password failures, seeking for
exploits, etc.
Find details in this post.
psad
psad analyze iptables log messages to detect port scans and other
suspicious traffic.
Find details in this post.
Install Lynis using apt-get:
1 apt-get install logwatch
1
2
3
mkdir /var/cache/logwatch
cp /usr/share/logwatch/default.conf/logwatch.conf
nano /etc/logwatch/conf/logwatch.conf
1
2
#Output = stdout
Output = mail
1 apt-get install rkhunter
1 apt-get install fail2ban
1 apt-get install psad
1 apt-get install lynis
15 sur 19 16/10/2014 20:49
Perform (again) a full system update
Update files database (again)
Conclusion
Related Posts
Perform system check:
Using apt-get:
Use:
I would prefer a dedicated hardware firewall, but it is not so easy to
maintain it. Moreover, Hetzner does not offer dedicated firewall (as
far as I know).
I have posted dedicated posts for some topics of this article (e.g.
monitoring and intrusion detection techniques, local and Amazon
backup and more). See "Related posts" below.
You may also be interested in
Install and Config Fail2Ban in Debian 7 Wheezy (part of
server setup)
Install and Config Psad in Debian 7 Wheezy (part of server
setup)
Debian 7 Wheezy RC1 LAMP Server Setup Step by Step
Memcached Installation and Configuration with PHP on
Debian Server
Simple Steps to Update a Debian Server
Five Reasons to use Debian as a Server
1 lynis -c
1 apt-get update && apt-get -V upgrade
1 updatedb
16 sur 19 16/10/2014 20:49
Your comments are welcomed!
This site actively encourages commenting on any post. Comments are not pre-moderated, but this community does
not tolerate direct or indirect attacks, name-calling or insults. Please, read terms of use and Comment Policy at
privacy policy.
Sign-up for our free email newsletter. Get updates when
new tutorials and tips are published. You can unsubscribe
anytime with a click.
17 sur 19 16/10/2014 20:49
38 Comments pontikis.net - Tech blog & Web labs Login
Sort by Best Share
Join the discussion

Reply
franute a year ago
Simply amazing article, thanks a lot for this nice guide ;)
5
Reply
Thomas Lartaud 7 months ago
Hi,
I'm new on debian and servers configuration but, correct me if i'm wrong, i we had an user without
giving him root and sudo permissions by including this user into the correspnding groups, and then
add PermitRootLogin no, we lose root access.
Maybe should you add a warning on this for new users like me?
2
Reply
Alex a month ago
Really nice simple guide, keep it up :) But i would prefer on giving us references on specific stuff
aswell, maybe just a link or so. Makes it more legit, and gives us the ability to get more information
than what you give us!
Reply
mreshane 2 months ago
some of this are not available already and everything has changed, can you show me where and how
to change the *.conf files for creating a virtual host?
Thank you.
Reply
Juvelyn Reyes 4 months ago
Web server setup is not an easy task. thank your for sharing this very comprehensive post.
Reply
Raymond 6 months ago
Gotta show some love. This is very comprehensive! Ty!
Reply
Amma Rany 6 months ago
Hi. very pleased to see the explanation. waiting for other interesting posts at a time when that will
come.
From bvba Woodstone
(xiao du) 8 months ago
Nice, but I'd also recommend adding in maldet https://www.rfxn.com/projects/...
Share
Share
Share
Share
Favorite
Share
Share
Share
18 sur 19 16/10/2014 20:49
Memcached Installation and Configuration with PHP on Debian server Install
and Config Fail2Ban in Debian 7 Wheezy
Terms Privacy Contact us Home Blog Tips Labs About
19 sur 19 16/10/2014 20:49

Debian 7 Wheezy Dedicated Web Server Setup Step by Step: About The Author

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Debian 7 Wheezy Dedicated Web Server Setup Step by Step: About The Author

Încărcat de

Drepturi de autor:

Formate disponibile

Connect using SSH

Change root password

Sort by Best Share

Join the discussion

S-ar putea să vă placă și