Let’s Encrypt is a certificate authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that tries to automate most of the required steps. Let’s Encrypt uses the ACME protocol (ACMEv2) to verify the domain name and control and issue the certificate. Currently, the entire process of obtaining and installing a certificate on both Apache and Nginx is fully automated.
In this tutorial, Certbot is used to obtain a free SSL certificate for Apache on Debian 10 and to set up certificates automatically.
A Debian 10 server, a non-root user with sudo permissions is created and a firewall (ufw or firewalld) is set up.
A fully registered domain name, for example, unblog.ch.
Both of the following DNS records are set up for the server.
An A record for my_domain points to the server’s public IP address.
An A record for www.my_domain points to the server’s public IP address.
Apache is installed by following the instructions to install LAMP Stack on Debian. Make sure that a virtual hosts file is set up for the domain. This tutorial uses /etc/apache2/sites-available/my_domain.conf as an example.
Note: Currently, Certbot is not available by default in the Debian software repositories. To install Certbot as a snap on Debian, snapd must first be installed on the server. snapd is a daemon that is required to install and manage snaps.
Snap is a software distribution system and package management for Linux that works across distributions. The system developed by Canonical supports transactional updates and rollbacks. It was developed by Canonical for Ubuntu and is now also available for other Linux distributions.
Certbot installation on Debian 10
Follow the instructions below from the command line on the Debian server to install the latest version of snapd.
$ sudo snap install core; sudo snap refresh core
Run this command from the command line to install Certbot.
$ sudo snap install --classic certbot
Execute the following statement on the command line to ensure that the certbot command can be executed.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
This command to retrieve a certificate and to let Certbot automatically edit the Apache configuration by enabling HTTPS access in a single step.
$ sudo certbot --apache
If you want to make the changes to the Apache configuration yourself, you can execute this command.
$ sudo certbot certonly --apache
Testing the automatic renewal of certificates is done with the following command.
$ sudo certbot renew --dry-run
To check the whole thing, visit https://my_domain/ in the browser of your choice look for the lock icon in the URL line.
Setting up the SSL certificate
Certbot must find the correct virtual host in the Apache configuration so that SSL can be configured automatically.This is done in particular by looking for the ServerName statement that corresponds to the domain for which a certificate is to be requested.
To verify, open the virtual hosts file for the domain using vim or nano text editor.
$ vi /etc/apache2/sites-available/my_domain.conf
Look in the row for ServerName The domain name should my_domain.
If you have not already done so, update the ServerName statement to point to the domain name.
Next, check the syntax of the configuration changes.
$ sudo apache2ctl configtest
Certbot offers a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloads the configuration if necessary. The following command uses this plugin.
It runs certbot with the --apache plugin and uses -dto specify the domain names for which the certificate should be valid.
To test the renewal process, the following test run is available.
$ sudo certbot renew --dry-run
In this tutorial, we installed the Let’s Encrypt client, downloaded SSL certificates for the domain, configured Apache to use these certificates, and set up automatic certificate renewal.
Linux – Apache – MySQL – PHP – How to Install LAMP Stack on Debian
LAMP is an open-source-based combination of software that is usually installed together to allow a server to hosting dynamic websites and web apps. LAMP is the acronym for Linux Apache MySQL PHP, which stands for Linux with the Apache web server, together with the MySQL database and PHP for dynamic CMS sites.
In this tutorial, the LAMP stack is installed and configured on a Debian 10 (buster) complete with Apache/2.4, MariaDB 10, PHP 7.4 and vsftpd as well as Fail2ban and all necessary packages. The estimated time required for the installation is around 10 minutes, at the end of which a web server is ready to use for content management systems. Newly created users for FTP access are automatically chrooted to their own DocumentRoot.
Install LAMP Stack on Debian
We are rooted on a Debian 10 Linux, as always update is done before more packages are installed.
First, required packages are provided as a prerequisite for further installation.
apt install ca-certificates apt-transport-https lsb-release gnupg curl vim unzip -y
The Debian repository does not contain the latest PHP versions, so we use the Sury repository.
Now let’s run the script to complete the configuration of the MariaDB server.
When you first ask for the current password, you do not have to enter anything, but simply press the Enter key. Confirm the next question regarding changing the root password with Enter. Now a password is assigned for the root user of the MariaDB server (not Linux root). No characters appear as you type, which is normal. Confirm all of the following questions (deletion of the anonymous user, banning the external root login for security reasons, removing the test database and updating the rights) also with Enter. After that, the MariaDB server is fully installed and configured.
How to Install phpMyAdmin
Now we use the command cd /usr/share to change the directory path where phpMyAdmin we would install.
For security reasons, password authentication to the MariaDB server is no longer recommended to log in directly as a root user (i.e. via phpMyAdmin).
Create an additional user with all rights, to do this, we log on to the MariaDB server using the MySQL-Client.
mysql -u root
if everything went well, you are now in the MySQL (MariaDB) prompt.
MariaDB [(none)] >
And then hit the following SQL commands to create the MariaDB user and grant the rights.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;
Replace “username” and “password“with the desired username and password. Finally type exit to leave the MariaDB console.
MariaDB [(none)] > exit
Now you can log in to the MariaDB server with the newly created user (i.e. also via phpMyAdmin).
Enough – your Apache2 web server incl. PHP 7.4, MariaDB server and phpMyAdmin is now ready to use. The phpMyAdmin WebUI can be reached by add /phpmyadmin to the IP address or FQDN in the browser.
Note. you’ll see the following error message at the bottom of the phpmyadmin page when you first log in to /phpmyadmin.
The configuration file now needs a secret passphrase (blowfish_secret).
You need to add a blowfish password to the phpMyAdmin’s config file. Edit config.inc.php and insert a random blowfish passphrase in the line $cfg['blowfish_secret']here as an example:
$cfg['blowfish_secret'] = 'ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Note. if you use vim for editing, you will notice that after entering the insert mode and paste text by press the right mouse key the blockwise Visual mode is turned on — (insert) VISUAL — that behaves undesirably, but this can be quickly solved by disabling the mouse control for vim, let’s do that right away and run echo "set mouse-=a" > ~/.vimrc
Hint. generating a passphrase is easy as the following command shows.
openssl rand -base64 48
# or another 48 characters long
date +%s | sha256sum | base64 | head -c 48 ; echo
Securing and hardening Debian web server
First, the kernel firewall is configured for the web server, only the required services should be allowed incoming. With Debian, the ufw (Uncomplicated Firewall) is enabled by default after installation. The ports required for the web server are opened as follows.
Note: after each change, the firewall must be reloaded.
How to install FTP server with vsftpd
vsftpd is an FTP server for the old File Transfer Protocol. As an acronym, its name stands for Very Secure File Transfer Protocol Daemon. Whether OpenSSH with sftp is standard on every Linux and FreeBSD, but unfortunately FTP is still widely used.
The vsftpd daemon is installed as follows.
apt install vsftpd -y
Edit the vsftpd configuration file for changes.
We disable anonymous login and allow local users to write.
chroot stands for change root and is a function for Unixoid systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP utility prevents users from accessing files outside its directory. chroot also provides an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf at line chroot_local_user and change there to YES, so also with chroot_list_enable.
All users are assigned chroot, except for some that are exempt, for this the file /etc/vsftpd.chroot_list is created, which contains users who are excluded from chroot.
Create a vsftpd.userlist file and add users to be denied. The service accounts should be rejected, as they are often used for attacks. Add one user per row, example: vsftpd.userlist
Start the vsftpd daemon.
systemctl start vsftpd
Protect the services using Fail2ban
fail2ban is written in Python aims to protect server services against DoS attacks. It checks log files according to predefined patterns and temporarily blocks the corresponding IP addresses in the event of repeated failed access.
fail2ban is installed and configured on Debian as follows.
apt install fail2ban -y
The configuration of fail2ban for a web server with jail filter for watch access to the SSH and FTP service to bann brute-force attacks.
bantime defines the duration of the blocking, here 12 hours (specified in seconds).
findtime defines the duration in which failed attempts can take place, here 10 minutes.
maxretry indicates the number of attempts.
By default, fail2ban is only activated with the SSH filter, further filters are activated with enabled = true.
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
Fail2ban Jail Filter query status, and verbose output for SSH.
fail2ban-client -vvv status sshd
Note. Since fail2ban 0.10 (IPv6 support) fail2ban executes actionstart IP-family related on demand by first ban per jail, so iptables-multiport would create the chain f2b-sshd only if first IP gets banned in sshd jail.
If you enter the command ifconfig in the shell for modern Linux operating systems, you will see command not found.
-bash: ifconfig: command not found
ifconfig is the utility for viewing and setting the network configuration on Red Hat, Fedora, CentOS, Debian, and Ubuntu Linux systems. The command includes the net-tools package, which has been replaced by the iproute2 package.
net-tools – ifconfig installation
The ifconfig binary is supplied with the Debian net-tools package. Install the package with the following command, which is available under the default repositories.
$ sudo apt install net-tools -y
Then ifconfig can be run to check the network configuration. The following command displays details for all interfaces configured on a Debian system.
For RHEL 8 and CentOS 8, the net-tools package is provided with the Manager YUM package.
$ sudo yum -y install net-tools
NOTE: The ifconfig program is deprecated! Replacement is given by the commands ip addr and ip link.
ifconfig shows the output of the network interfaces and their configuration.
Diese Website verwendet Cookies, um Ihre Erfahrung zu verbessern, während Sie durch die Website navigieren. Von diesen werden die Cookies, die nach Bedarf kategorisiert werden, in Ihrem Browser gespeichert, da sie für das Funktionieren der grundlegenden Funktionen der Website wesentlich sind. Wir verwenden auch Cookies von Drittanbietern, mit denen wir analysieren und verstehen können, wie Sie diese Website nutzen. Diese Cookies werden nur mit Ihrer Zustimmung in Ihrem Browser gespeichert. Sie haben auch die Möglichkeit, diese Cookies zu deaktivieren. Das Deaktivieren einiger dieser Cookies kann sich jedoch auf Ihre Browser-Erfahrung auswirken.
Notwendige Cookies sind unbedingt erforderlich, damit die Website ordnungsgemäß funktioniert. Diese Kategorie enthält nur Cookies, die grundlegende Funktionen und Sicherheitsmerkmale der Website gewährleisten. Diese Cookies speichern keine persönlichen Informationen.
Alle Cookies, die für die Funktion der Website möglicherweise nicht besonders erforderlich sind und speziell zur Erfassung personenbezogener Daten des Benutzers über Analysen, Anzeigen und andere eingebettete Inhalte verwendet werden, werden als nicht erforderliche Cookies bezeichnet. Es ist obligatorisch, die Zustimmung des Benutzers einzuholen, bevor diese Cookies auf Ihrer Website ausgeführt werden.