bachir/debion-web-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated full install to debian 9 stretch, todo : supervising

Browse Source
This commit is contained in:
Bachir Soussi Chiadmi 2017-06-29 16:06:25 +02:00
parent 44bd68dccf
commit 8dca26fc81
3 changed files with 189 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
assets/99-lamp-php.ini Normal file
View File

@ -0,0 +1,19 @@
# conf added by custom lamp install script
max_execution_time = 60
max_input_time = 60
memory_limit = 512M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php/php_errors.log
# security
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = shell_exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_get_status, proc_nice, proc_open,proc_terminate

7
assets/logrotate-php Normal file
View File

@ -0,0 +1,7 @@
/var/log/php/php_errors.log {
weekly
missingok
rotate 4
notifempty
create
}

295
install-debian-server.sh
View File

@ -1,9 +1,7 @@
#!/bin/sh #!/bin/sh
# bachir soussi chiadmi # bachir soussi chiadmi
# #
# http://www.debian.org/doc/manuals/securing-debian-howto/ # http://www.pontikis.net/blog/debian-9-stretch-rc3-web-server-setup-php7-mariadb
# https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
# https://www.linode.com/docs/websites/lamp/lamp-server-on-debian-7-wheezy/
# http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/ # http://web-74.com/blog/reseaux/gerer-le-deploiement-facilement-avec-git/
# #
@ -50,6 +48,7 @@ echo '\033[35m
apt-get install vim apt-get install vim
sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
locale-gen locale-gen
apt-get install ntp
echo '\033[35m echo '\033[35m
______________ _______ _____ __ __ ______________ _______ _____ __ __
@ -61,8 +60,9 @@ echo '\033[35m
echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m" echo "\033[35;1mInstalling ufw and setup firewall (allowing only ssh and http) \033[0m"
sleep 3 sleep 3
apt-get install ufw apt-get install ufw
ufw allow ssh # ufw allow ssh # knockd will open the ssh port
ufw allow http ufw allow http
ufw allow https
ufw enable ufw enable
ufw status verbose ufw status verbose
echo "\033[92;1mufw installed and firwall configured\033[Om" echo "\033[92;1mufw installed and firwall configured\033[Om"
@ -98,6 +98,7 @@ read sq2
sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf sed -i "s/7000,8000,9000/$sq1/g" /etc/knockd.conf
sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf sed -i "s/9000,8000,7000/$sq2/g" /etc/knockd.conf
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd sed -i 's/START_KNOCKD=0/START_KNOCKD=1/g' /etc/default/knockd
service knockd start
echo "\033[92;1mknockd installed and configured\033[Om" echo "\033[92;1mknockd installed and configured\033[Om"
echo "\033[92;1mplease note these sequences for future knocking\033[Om" echo "\033[92;1mplease note these sequences for future knocking\033[Om"
echo "opening : $sq1 ; closing : $sq2" echo "opening : $sq1 ; closing : $sq2"
@ -118,6 +119,7 @@ adduser "$user"
echo "adding $user to admin group and limiting su to the admin group" echo "adding $user to admin group and limiting su to the admin group"
groupadd admin groupadd admin
usermod -a -G admin "$user" usermod -a -G admin "$user"
# allow admin group to su
dpkg-statoverride --update --add root admin 4750 /bin/su dpkg-statoverride --update --add root admin 4750 /bin/su
echo "\033[92;1muser $user configured\033[Om" echo "\033[92;1muser $user configured\033[Om"
@ -132,7 +134,21 @@ echo '\033[35m
echo "\033[35;1mEnable mail sending for php \033[0m" echo "\033[35;1mEnable mail sending for php \033[0m"
# http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13 # http://www.sycha.com/lamp-setup-debian-linux-apache-mysql-php#anchor13
sleep 3 sleep 3
dpkg-reconfigure exim4-config apt-get install exim4
echo "\033[35;1mConfiguring EXIM4 \033[0m"
while [ "$configexim" != "y" ] && [ "$configexim" != "n" ]
do
echo -n "Should we configure exim4 ? [y|n] "
read configexim
done
if [ "$configexim" = "y" ]; then
echo "choose the first option :internet site; mail is sent and received directly using SMTP. Leave the other options as default exepted for domain name which should be valid domain name if you want your mails to not be considered as spam"
echo "press any key to continue."
read continu
dpkg-reconfigure exim4-config
else
echo 'exim not configured'
fi
service exim4 restart service exim4 restart
# dkim spf # dkim spf
@ -140,11 +156,11 @@ service exim4 restart
echo "\033[35;1mConfiguring DKIM \033[0m" echo "\033[35;1mConfiguring DKIM \033[0m"
while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ] while [ "$installdkim" != "y" ] && [ "$installdkim" != "n" ]
do do
echo -n "Should we install dkim for exim4 ? [y|n] " echo -n "Should we install dkim for exim4 ? [y|n] "
read installdkim read installdkim
done done
if [ "$installdkim" = "y" ]; then if [ "$installdkim" = "y" ]; then
echo -n "Choose a domain for dkim: " echo -n "Choose a domain for dkim (same domain as you chose before for exim4): "
read domain read domain
selector=$(date +%Y%m%d) selector=$(date +%Y%m%d)
@ -231,7 +247,7 @@ if [ "$yn" = "y" ]; then
addgroup ftpuser addgroup ftpuser
echo "ftp installtion done" echo "ftp installtion done"
echo "to permit to a user to connect through ftp, add him to the ftpuser group" echo "to permit to a user to connect through ftp, add him to the ftpuser group by running : usermod -a -G admin USERNAME"
echo "FTP users are jailed on their home by default" echo "FTP users are jailed on their home by default"
fi fi
@ -240,6 +256,22 @@ fi
echo "\033[35;1mInstalling AMP web server \033[0m" echo "\033[35;1mInstalling AMP web server \033[0m"
echo '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get install mariadb-server
mysql_secure_installation
systemctl restart mariadb.service
echo "\033[92;1mmysql installed\033[Om"
echo '\033[35m echo '\033[35m
___ __ ___ ___ __ ___
/ | ____ ____ ______/ /_ ___ |__ \ / | ____ ____ ______/ /_ ___ |__ \
@ -252,30 +284,17 @@ echo "\033[35;1mInstalling Apache2 \033[0m"
sleep 3 sleep 3
apt-get install apache2 apt-get install apache2
a2enmod rewrite a2enmod rewrite
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.back # cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.back
cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf # cat "$_cwd"/assets/apache2.conf > /etc/apache2/apache2.conf
# Change logrotate for Apache2 log files to keep 10 days worth of logs # Change logrotate for Apache2 log files to keep 10 days worth of logs
sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2 sed -i 's/\tweekly/\tdaily/' /etc/logrotate.d/apache2
sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2 sed -i 's/\trotate .*/\trotate 10/' /etc/logrotate.d/apache2
# Remove Apache server information from headers. # Remove Apache server information from headers.
sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf.d/security sed -i 's/ServerTokens .*/ServerTokens Prod/' /etc/apache2/conf-enabled/security.conf
sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf.d/security sed -i 's/ServerSignature .*/ServerSignature Off/' /etc/apache2/conf-enabled/security.conf
service apache2 restart service apache2 restart
echo "\033[92;1mApache2 installed\033[Om" echo "\033[92;1mApache2 installed\033[Om"
echo '\033[35m
__ ___ __
/ |/ /_ ___________ _/ /
/ /|_/ / / / / ___/ __ `/ /
/ / / / /_/ (__ ) /_/ / /
/_/ /_/\__, /____/\__, /_/
/____/ /_/
\033[0m'
echo "\033[35;1minstalling Mysql \033[0m"
sleep 3
apt-get install mysql-server
mysql_secure_installation
echo "\033[92;1mmysql installed\033[Om"
echo '\033[35m echo '\033[35m
____ __ ______ ____ __ ______
@ -286,23 +305,32 @@ echo '\033[35m
\033[0m' \033[0m'
echo "\033[35;1mInstalling PHP \033[0m" echo "\033[35;1mInstalling PHP \033[0m"
sleep 3 sleep 3
apt-get install php5 php-pear php5-gd apt-get install php7.0 php-pear php7-gd
echo "Configuring PHP" echo "Configuring PHP"
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.back cp "$_cwd"/assets/99-lamp-php.ini /etc/php/7.0/apache2/conf.d/
sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" /etc/php5/apache2/php.ini # conffile=/etc/php/7.0/apache2/conf.d/99-lamp-php.ini
sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" /etc/php5/apache2/php.ini # cp /etc/php/7.0/apache2/php.ini $conffile
sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" /etc/php5/apache2/php.ini # sed -i "s/max_execution_time\ =\ [0-9]\+/max_execution_time = 60/g" $conffile
sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" /etc/php5/apache2/php.ini # sed -i "s/max_input_time\ =\ [0-9]\+/max_input_time = 60/g" $conffile
sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" /etc/php5/apache2/php.ini # sed -i "s/memory_limit\ =\ [0-9]\+M/memory_limit = 512M/g" $conffile
sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" /etc/php5/apache2/php.ini # sed -i "s/;\?error_reporting\ =\ [^\n]\+/error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR/g" $conffile
# sed -i "s/;\?display_errors\ =\ On/display_errors = Off/g" $conffile
# sed -i "s/;\?log_errors\ =\ Off/log_errors = On/g" $conffile
# echo "register_globals = Off" >> $conffile
# following command doesn't work, make teh change manualy # following command doesn't work, make teh change manualy
#sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini #sed -ri ":a;$!{N;ba};s/;\?\ \?error_log\ =\ [^\n]\+([^\n]*\n(\n|$))/error_log = \/var\/log\/php\/error.log\1/g" /etc/php5/apache2/php.ini
echo "register_globals = Off" >> /etc/php5/apache2/php.ini
mkdir /var/log/php mkdir /var/log/php
chown www-data /var/log/php chown www-data /var/log/php
cp "$_cwd"/assets/logrotate-php /etc/logrotate.d/php
apt-get install php7.0-mysql php7.0-curl php7.0-mbstring php7.0-zip php7.0-xml php7.0-gd php7.0-mcrypt php-memcached
apt-get install memcached
sed -i "s/-m\s64/-m 128/g" /etc/memcached.conf
systemctl start memcached
apt-get install php5-mysql
echo "\033[92;1mphp installed\033[Om" echo "\033[92;1mphp installed\033[Om"
echo '\033[35m echo '\033[35m
@ -316,9 +344,10 @@ echo '\033[35m
echo "\033[35;1mInstalling phpMyAdmin \033[0m" echo "\033[35;1mInstalling phpMyAdmin \033[0m"
apt-get install phpmyadmin apt-get install phpmyadmin
# echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf # echo "include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin.conf ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
a2enconf phpmyadmin.conf
echo "\033[35;1msecuring phpMyAdmin \033[0m" echo "\033[35;1msecuring phpMyAdmin \033[0m"
sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/" # sed -i "s/DirectoryIndex index.php/DirectoryIndex index.php\nAllowOverride all/"
cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess cp "$_cwd"/assets/phpmyadmin_htaccess > /usr/share/phpmyadmin/.htaccess
echo -n "define a user name for phpmyadmin : " echo -n "define a user name for phpmyadmin : "
read un read un
@ -381,103 +410,105 @@ else
echo "Vhost installation aborted" echo "Vhost installation aborted"
fi fi
echo '\033[35m
__ ___ _ __ __ __ ___ _
/ |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
/ /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
/_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
\033[0m'
echo "\033[35;1mInstalling Munin \033[0m"
sleep 3
# https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
apt-get install munin munin-node munin-plugins-extra
# Configure Munin
# enable plugins
ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/ # TODO supervising
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/ # echo '\033[35m
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/ # __ ___ _ __ __ __ ___ _
# / |/ /__ ___ (_) /_ _/_/ / |/ /_ _____ (_)__
# ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/ # / /|_/ / _ \/ _ \/ / __/ _/_/ / /|_/ / // / _ \/ / _ \
# /_/ /_/\___/_//_/_/\__/ /_/ /_/ /_/\_,_/_//_/_/_//_/
# dbdir, htmldir, logdir, rundir, and tmpldir # \033[0m'
sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf # echo "\033[35;1mInstalling Munin \033[0m"
sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf # sleep 3
sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf # # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/
sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf # apt-get install munin munin-node munin-plugins-extra
sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf # # Configure Munin
# # enable plugins
sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf # ln -s /usr/share/munin/plugins/mysql_ /etc/munin/plugins/mysql_
# ln -s /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
# ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf # ln -s /usr/share/munin/plugins/mysql_innodb /etc/munin/plugins/mysql_innodb
sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf # ln -s /usr/share/munin/plugins/mysql_isam_space_ /etc/munin/plugins/mysql_isam_space_
htpasswd -c /etc/munin/munin-htpasswd admin # ln -s /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf # ln -s /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
# ln -s /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads
#
# ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
# ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
#
# # ln -s /usr/share/munin/plugins/fail2ban /etc/munin/plugins/
#
# # dbdir, htmldir, logdir, rundir, and tmpldir
# sed -i 's/^#dbdir/dbdir/' /etc/munin/munin.conf
# sed -i 's/^#htmldir/htmldir/' /etc/munin/munin.conf
# sed -i 's/^#logdir/logdir/' /etc/munin/munin.conf
# sed -i 's/^#rundir/rundir/' /etc/munin/munin.conf
# sed -i 's/^#tmpldir/tmpldir/' /etc/munin/munin.conf
#
# sed -i "s/^\[localhost.localdomain\]/[${HOSTNAME}]/" /etc/munin/munin.conf
#
# # ln -s /etc/munin/apache24.conf /etc/apache2/conf-enabled/munin.conf
# sed -i 's/Require local/Require all granted\nOptions FollowSymLinks SymLinksIfOwnerMatch/g' /etc/munin/apache24.conf
# htpasswd -c /etc/munin/munin-htpasswd admin
# sed -i 's/Require all granted/AuthUserFile \/etc\/munin\/munin-htpasswd\nAuthName "Munin"\nAuthType Basic\nRequire valid-user/g' /etc/munin/apache24.conf
#
#
# service apache2 restart
# service munin-node restart
# echo "\033[92;1mMunin installed\033[Om"
#
# echo "\033[35;1mInstalling Monit \033[0m"
# sleep 3
# # https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/
# apt-get install monit
# # TODO setup monit rc
# cat "$_cwd"/assets/monitrc > /etc/monit/monitrc
#
# # TODO setup webaccess
# passok=0
# while [ "$passok" = "0" ]
# do
# echo -n "Write web access password to monit"
# read passwda
# echo -n "ReWrite web access password to monit"
# read passwdb
# if [ "$passwda" = "$passwdb" ]; then
# sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
# passok=1
# else
# echo "pass words don't match, please try again"
# fi
# done
#
# # TODO setup mail settings
# sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
#
# mkdir /var/www/html/monit
# echo "hello" > /var/www/html/monit/token
#
# service monit start
#
# echo "\033[92;1mMonit installed\033[Om"
service apache2 restart # echo '\033[35m
service munin-node restart # ___ __ __
echo "\033[92;1mMunin installed\033[Om" # / |_ _______/ /_____ _/ /_
# / /| | | /| / / ___/ __/ __ `/ __/
echo "\033[35;1mInstalling Monit \033[0m" # / ___ | |/ |/ (__ ) /_/ /_/ / /_
sleep 3 # /_/ |_|__/|__/____/\__/\__,_/\__/
# https://www.howtoforge.com/tutorial/server-monitoring-with-munin-and-monit-on-debian/2/ # \033[0m'
apt-get install monit # echo "\033[35;1mInstalling Awstat \033[0m"
# TODO setup monit rc # sleep 3
cat "$_cwd"/assets/monitrc > /etc/monit/monitrc # apt-get install awstats
# # Configure AWStats
# TODO setup webaccess # temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
passok=0 # if [ $temp -lt 1 ]; then
while [ "$passok" = "0" ] # echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
do # fi
echo -n "Write web access password to monit" # # Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
read passwda # sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
echo -n "ReWrite web access password to monit" # echo "\033[92;1mAwstat installed\033[Om"
read passwdb
if [ "$passwda" = "$passwdb" ]; then
sed -i 's/PASSWD_TO_REPLACE/$passwda/g' /etc/monit/monitrc
passok=1
else
echo "pass words don't match, please try again"
fi
done
# TODO setup mail settings
sed -i "s/server1\.example\.com/$HOSTNAME/g" /etc/monit/monitrc
mkdir /var/www/html/monit
echo "hello" > /var/www/html/monit/token
service monit start
echo "\033[92;1mMonit installed\033[Om"
echo '\033[35m
___ __ __
/ |_ _______/ /_____ _/ /_
/ /| | | /| / / ___/ __/ __ `/ __/
/ ___ | |/ |/ (__ ) /_/ /_/ / /_
/_/ |_|__/|__/____/\__/\__,_/\__/
\033[0m'
echo "\033[35;1mInstalling Awstat \033[0m"
sleep 3
apt-get install awstats
# Configure AWStats
temp=`grep -i sitedomain /etc/awstats/awstats.conf.local | wc -l`
if [ $temp -lt 1 ]; then
echo SiteDomain="$_host_name" >> /etc/awstats/awstats.conf.local
fi
# Disable Awstats from executing every 10 minutes. Put a hash in front of any line.
sed -i 's/^[^#]/#&/' /etc/cron.d/awstats
echo "\033[92;1mAwstat installed\033[Om"
# echo '\033[35m # echo '\033[35m