
Setting Up a Fully Featured LAMP Server – Part Two

June 7th

Following our first post on how to set up a LAMP server, this post will help us deploy a proper development environment with SVN and Webmin, examine security best practices and general maintenance, so let’s get right to it.

Installing Subversion

Subversion allows you to manage code, collaborate and deploy versions safely. This is not required, but it is strongly recommended. The installation is fairly easy:

apt-get install subversion

We would also recommend using a remote repository like Beanstalk to manage your deployments better.

Installing Webmin

Webmin is a nice open source control panel for your server, very similar in function to cPanel or Plesk. The installation is pretty straightforward:

dpkg --install webmin_1.550_all.deb

Webmin installs itself automatically under /usr/share/webmin; the administration username is set to root and the password to your current root password. You should now be able to log in to Webmin at the URL http://ip.address:10000/.

If you encounter dependency issues, just type in the following:

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions

If you haven’t installed the dpkg package by now, just type in:

apt-get install dpkg

And then repeat the process.

ClamAV – Antivirus

Web servers are often vulnerable to attacks from viruses, trojans and worms. It is important to check your server regularly and often. ClamAV is a free antivirus available for Linux. Just type the following to install ClamAV:

apt-get install clamav

To scan a directory recursively (the option is a lowercase -r):

clamscan -r /folder_name

To update the virus database:

freshclam

IP Tables Firewall

IP Tables is a pretty basic firewall that allows you to block off ports. To install IP Tables, just type:

apt-get install iptables

How to use IP Tables

First, if you wish, create a whitelist (packets from these IPs always pass through the firewall) or a blacklist (packets from these IPs are always dropped):

nano /usr/local/etc/whitelist.txt

And/Or:

nano /usr/local/etc/blacklist.txt

Add to these files IP addresses that you’d like to accept or block, one IP address per line.

Create firewall.sh Script
Then put the following in /etc/init.d/firewall.sh, and edit to fit your needs:

#!/bin/sh
#
## Quick n Dirty Firewall
#
## List Locations
#
WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt
#
## Specify ports you wish to use.
#
ALLOWED="22 25 53 80 443 465 587 993"
#
## Specify where IP Tables is located
#
IPTABLES=/sbin/iptables
#
## Clear current rules
#
$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'
echo 'Allowing Localhost'
#Allow localhost.
$IPTABLES -A INPUT -t filter -s 127.0.0.1 -j ACCEPT
#
## Whitelist
#
for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done
#
## Blacklist
#
for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s $x -j DROP
done
#
## Permitted Ports
#
for port in $ALLOWED; do
        echo "Accepting port TCP $port..."
        $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done
for port in $ALLOWED; do
        echo "Accepting port UDP $port..."
        $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT
done
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -j DROP
$IPTABLES -A INPUT -p tcp --syn -j DROP

Give the script proper permissions:

chmod 700 /etc/init.d/firewall.sh

And start your firewall:

/etc/init.d/firewall.sh
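The script above hands every line of the list files straight to iptables. As an added example (not the post's own script), the following validates each entry as an IPv4 address or CIDR block before a rule is built, and only prints the rules unless APPLY=1 is set; the list paths match the post's, and the sample lists it writes are constructed.

```shell
#!/bin/sh
# Added example, not the original post's firewall script: validate whitelist
# and blacklist entries before they reach iptables. Entries are one per line,
# '#' comments allowed, in the same files the post uses. Rules are only printed
# unless APPLY=1, so the script can be tried without root.
IPTABLES=/sbin/iptables
WHITELIST=${WHITELIST:-/usr/local/etc/whitelist.txt}
BLACKLIST=${BLACKLIST:-/usr/local/etc/blacklist.txt}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# Print one "iptables -A INPUT -s ADDR -j TARGET" line per valid entry in $1,
# reporting malformed entries on stderr instead of feeding them to iptables.
build_rules() {
    file=$1; target=$2
    [ -r "$file" ] || return 0
    grep -v '^[[:space:]]*#' "$file" | awk 'NF { print $1 }' | while read -r addr; do
        if valid_ipv4_cidr "$addr"; then
            printf '%s -A INPUT -s %s -j %s\n' "$IPTABLES" "$addr" "$target"
        else
            printf 'skipping malformed entry in %s: %s\n' "$file" "$addr" >&2
        fi
    done
}

# Constructed sample lists (documentation-range addresses) for the dry run.
make_sample_lists() {
    dir=$(mktemp -d)
    printf '# trusted office\n203.0.113.10\n198.51.100.0/24\n' > "$dir/whitelist.txt"
    printf '192.0.2.7\n10.0.0.999\nnot-an-ip\n' > "$dir/blacklist.txt"
    echo "$dir"
}

if [ "${APPLY:-0}" = 1 ]; then
    build_rules "$WHITELIST" ACCEPT | sh
    build_rules "$BLACKLIST" DROP | sh
else
    dir=$(make_sample_lists)
    build_rules "$dir/whitelist.txt" ACCEPT
    build_rules "$dir/blacklist.txt" DROP
    rm -rf "$dir"
fi
```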

General Security and Maintenance Tips

Daily Database Backups

Use Webmin's scheduled cron jobs to back up your DB on a daily basis:

mysqldump --opt --user=USER --password=PASSWORD --databases DBNAME --default-character-set=utf8 | gzip > /var/backups/db-`date +\%Y-\%m-\%d`.sql.gz

Just replace USER with your username, PASSWORD with your password and DBNAME with the database you want to back up. You can also use --all-databases in place of --databases DBNAME to back up every database. If your backups take up too much space, you may want to consider a script to erase old backups.
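One way to write that cleanup script, as an added example rather than the post's own cron line: it keeps the post's db-YYYY-MM-DD.sql.gz naming, reads the MySQL credentials from an option file so the password does not appear in the cron entry or in the process list, and deletes dumps older than KEEP_DAYS. The paths, the option file and the retention period are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own cron line: nightly dump of all databases
# plus removal of dumps older than KEEP_DAYS. mysqldump reads the credentials
# from an option file (--defaults-extra-file) so the password is not visible
# in the cron entry or in `ps`. Assumes /root/.backup.cnf (mode 600) holds:
#   [client]
#   user=USER
#   password=PASSWORD
BACKUP_DIR=${BACKUP_DIR:-/var/backups}
CREDS=${CREDS:-/root/.backup.cnf}
KEEP_DAYS=${KEEP_DAYS:-14}

# Print today's dump path in the post's db-YYYY-MM-DD.sql.gz layout.
backup_name() {
    printf '%s/db-%s.sql.gz\n' "$1" "$(date +%Y-%m-%d)"
}

# Dump every database to a root-only (umask 077) gzip file.
dump_all() {
    out=$(backup_name "$BACKUP_DIR")
    umask 077
    # --defaults-extra-file must be the first option mysqldump sees
    mysqldump --defaults-extra-file="$CREDS" --opt --all-databases \
        --default-character-set=utf8 | gzip > "$out"
}

# Delete db-*.sql.gz files in $1 older than $2 days; prints how many were removed.
prune_old_backups() {
    find "$1" -maxdepth 1 -type f -name 'db-*.sql.gz' -mtime "+$2" -print -delete \
        | grep -c ''
}

# Run as `backup.sh run` from cron; without arguments only the helpers are defined.
if [ "${1:-}" = run ]; then
    dump_all && echo "removed $(prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS") old dump(s)"
fi
```

Check the cron mail after the first run: because the dump is piped into gzip, a failing mysqldump still leaves a (truncated) file behind, and its error text is what tells you.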

Bind MySQL to Local Connections Only

Though sometimes necessary, enabling remote connections to your database is not recommended. If you do enable remote connections to your database, make sure they are made only via trusted IP addresses.

Restrict SSH Connections

SSH connections provide command-line access to your server, so an insecure SSH service (port 22 by default) may pose a huge security risk. Here are a few pointers regarding SSH connections:

  1. Disable root log-in to your server. Create another user with root privileges and use it to log in; this way you’ll still need to enter your password before certain commands.
  2. If possible, restrict SSH log-in to trusted IP addresses:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 --source [accepted ip address here] -j ACCEPT

Check For Viruses Daily

Use Webmin to set up a daily virus check of your /var/www directory with ClamAV. Also, make sure that your virus DB is kept up to date.
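A daily scan wrapper that ties the ClamAV commands from earlier to this schedule, as an added example that is not from the post: it refreshes the signature database, scans the web root recursively, keeps a dated report, and exits non-zero only when something was detected, so the cron mail or Webmin alert fires only on a hit. The directories and the constructed sample report are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: daily ClamAV scan of the web root.
# Updates signatures, scans recursively, keeps a dated report, and exits 1 only
# when something was detected. Assumes clamscan/freshclam from the clamav
# package; SCAN_DIR and LOG_DIR are assumptions you may override.
SCAN_DIR=${SCAN_DIR:-/var/www}
LOG_DIR=${LOG_DIR:-/var/log/clamav}

# Print the "Infected files: N" count from a clamscan report (0 if absent).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${n:-0}"
}

# Print just the paths from the "/path: Signature FOUND" lines of a report.
found_files() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Run the scan; returns 0 when clean, 1 when something was found.
daily_scan() {
    mkdir -p "$LOG_DIR"
    report="$LOG_DIR/scan-$(date +%Y-%m-%d).log"
    freshclam --quiet
    # -r recurse, -i list only infected files; the summary goes into the report
    clamscan -r -i --log="$report" "$SCAN_DIR" > /dev/null 2>&1
    n=$(infected_count "$report")
    if [ "$n" -gt 0 ]; then
        echo "clamscan: $n infected file(s) under $SCAN_DIR:"
        found_files "$report"
        return 1
    fi
    echo "clamscan: $SCAN_DIR is clean"
}

# Constructed sample report (not real scanner output) so the parsers can be
# tried offline; the path and signature name are made up for the example.
sample_report() {
    f=$(mktemp)
    printf '%s\n' '/var/www/html/uploads/x.php: Eicar-Test-Signature FOUND' \
        '' '----------- SCAN SUMMARY -----------' 'Known viruses: 1' \
        'Scanned files: 3' 'Infected files: 1' > "$f"
    echo "$f"
}
```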

Install Fail2Ban

Fail2ban is a simple script that blocks users for 10 minutes after more than 5 failed log-in attempts.

apt-get install fail2ban

Summary

This concludes our setup. It’s important to mention that this process has never been tried from start to end; it is a reconstruction of a previous setup. So if you encounter problems or have any suggestions, please leave us a comment and share your thoughts with us.

One last thing, I’d like to give a big thanks to our friends at Forrst who helped us with some great advice on the security section.
