Tag Archives: Linux How to

Unix Similar multi-user operating systems based on the Linux kernel and essentially on GNU software. Like CentOS, Debian, Ubuntu Fedora.

Lets Encrypt Certbot Certifiacte for Apache on Debian

Home
1 Comment

How to install Certbot for Apache on Debian to be able to issue Let’s Encrypt certificates.

Let’s Encrypt is a certificate authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that tries to automate most of the required steps. Let’s Encrypt uses the ACME protocol (ACMEv2) to verify the domain name and control and issue the certificate. Currently, the entire process of obtaining and installing a certificate on both Apache and Nginx is fully automated.

In this tutorial, Certbot is used to obtain a free SSL certificate for Apache on Debian 10 and to set up certificates automatically.

Apache web server with certbot certificate on Debian

Conditions

  • A Debian 10 server, a non-root user with sudo permissions is created and a firewall (ufw or firewalld) is set up.
  • A fully registered domain name, for example, unblog.ch.
  • Both of the following DNS records are set up for the server.
    • An A record for my_domain points to the server’s public IP address.
    • An A record for www.my_domain points to the server’s public IP address.
  • Apache is installed by following the instructions to install LAMP Stack on Debian. Make sure that a virtual hosts file is set up for the domain. This tutorial uses /etc/apache2/sites-available/my_domain.conf as an example.

Note: Currently, Certbot is not available by default in the Debian software repositories. To install Certbot as a snap on Debian, snapd must first be installed on the server. snapd is a daemon that is required to install and manage snaps.

Snap is a software distribution system and package management for Linux that works across distributions. The system developed by Canonical supports transactional updates and rollbacks. It was developed by Canonical for Ubuntu and is now also available for other Linux distributions.

Install Certbot on Debian

Follow the instructions below from the command line on the Debian server to install the latest version of snapd.

$ sudo snap install core; sudo snap refresh core

Run this command from the command line to install Certbot.

$ sudo snap install --classic certbot

Execute the following statement on the command line to ensure that the certbot command can be executed.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Retrieve certificate and let Certbot make Apache ready

This command to retrieve a certificate and to let Certbot automatically edit the Apache configuration by enabling HTTPS access in a single step.

$ sudo certbot --apache

If you want to make the changes to the Apache configuration yourself, you can execute this command.

$ sudo certbot certonly --apache

Testing the automatic renewal of certificates is done with the following command.

$ sudo certbot renew --dry-run

To check the whole thing, visit https://my_domain/ in the browser of your choice look for the lock icon in the URL line.

Setting up the SSL certificate on Debian

Certbot must find the correct virtual host in the Apache configuration so that SSL can be configured automatically.This is done in particular by looking for the ServerName statement that corresponds to the domain for which a certificate is to be requested.

To verify, open the virtual hosts file for the domain using vim or nano text editor.

$ vi /etc/apache2/sites-available/my_domain.conf

Look in the row for ServerName The domain name should my_domain.

ServerName my_domain

If you have not already done so, update the ServerName statement to point to the domain name.

Next, check the syntax of the configuration changes.

$ sudo apache2ctl configtest

Certbot offers a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloads the configuration if necessary. The following command uses this plugin.

$ sudo certbot --apache -d my_domain -d www.my_domain

It runs certbot with the --apache plugin and uses -dto specify the domain names for which the certificate should be valid.

When you start Certbot for the first time, you will be asked to enter an email address and agree to the Terms of Use. In addition, you will be asked if you are willing to share the email address with the Electronic Frontier Foundation, a non-profit organization that advocates for digital rights and also makes Certbot. Confirm here with Y for the email address or N to decline.

To test the renewal process, the following test run is available.

$ sudo certbot renew --dry-run

Conclusion

In this tutorial, we installed the Let’s Encrypt client, downloaded SSL certificates for the domain, configured Apache to use these certificates, and set up automatic certificate renewal.

Source link: certbot instructions

Install Linux Apache MariaDB PHP on Debian Server

Home
Leave a comment

LAMP stands for Linux Apache MySQL PHP, which we install on Debian web server, together with the MariaDB database and PHP for dynamic CMS sites.

LAMP is an open-source-based combination of software that is usually installed together to allow a server to hosting dynamic websites and web apps.

Install LAMP Stack on Debian Server

Install Debian Server with MariaDB, Linux Apache MySQL PHP

This tutorial shows how to install Apache, MariaDB and PHP, call LAMP stack with configuration on a Debian 11 (buster) as a web server complete with Apache/2.4, MariaDB 10, PHP 7.4 and vsftpd as well as Fail2ban and all necessary packages. The estimated time required for the installation is around 10 minutes, at the end of which a web server is ready to use for content management systems. Newly created users for FTP access are automatically chrooted to their own DocumentRoot.

Install Apache MariaDB PHP on Debian Server

We are logged in as root on a Debian 10, first, as always, we have all updates carried out.

apt update

First, required packages are provided as a prerequisite for further installation.

apt install ca-certificates apt-transport-https lsb-release gnupg curl vim unzip -y

The Debian repository does not contain the latest PHP versions, so we use the Sury repository.

wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list

Update the package index again.

apt update

Now install the Apache 2 web server on the Debian server.

apt install apache2 -y

Install tools and libraries required by most CMS right away.

apt install php7.4 php7.4-cli php7.4-common php7.4-curl php7.4-gd php7.4-intl php7.4-json php7.4-mbstring php7.4-mysql php7.4-opcache php7.4-readline php7.4-xml php7.4-xsl php7.4-zip php7.4-bz2 libapache2-mod-php7.4 -y

Next, install MariaDB on the Debian Server.

apt install mariadb-server mariadb-client -y

Now let’s run the script to complete the configuration of the MariaDB server.

mysql_secure_installation

When you first ask for the current password, you do not have to enter anything, but simply press the Enter key. Confirm the next question regarding changing the root password with Enter. Now a password is assigned for the root user of the MariaDB server (not Linux root). No characters appear as you type, which is normal. Confirm all of the following questions (deletion of the anonymous user, banning the external root login for security reasons, removing the test database and updating the rights) also with Enter. After that, the MariaDB server is fully installed and configured.

Install phpMyAdmin on Debian with MariaDB

Now able to manage the MariaDB databases on the Debian Server, we install by the command cd /usr/share to change the directory path where phpMyAdmin we would install.

To download phpMyAdmin, let’s now run wget.

wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip -O phpmyadmin.zip

Unzip the archive you just downloaded as follows.

unzip phpmyadmin.zip

After unpacking, remove the downloaded archive.

rm phpmyadmin.zip

Then the name of the unzipped directory must be renamed to phpmyadmin, with the following command.

mv phpMyAdmin-*-all-languages phpmyadmin

Grant the required rights to the phpMyAdmin directory.

chmod -R 0755 phpmyadmin

At last rename the phpMyAdmin sample.inc.php file.

mv /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

Now let’s create an Apache2 configuration file for phpMyAdmin, with copy & paste of the following lines.

cat <<EOF> /etc/apache2/conf-available/phpmyadmin.conf
# phpMyAdmin Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>
EOF

In the Bash Terminal Copy Paste every line in the codebox.

Enable the Apache2 configuration file you just added.

a2enconf phpmyadmin

And perform the reload of the Apache2 web server.

systemctl reload apache2

Create the temporary directory that requires phpMyAdmin.

mkdir /usr/share/phpmyadmin/tmp/

And now assign the web server user the required owner rights for this temporary directory.

chown -R www-data:www-data /usr/share/phpmyadmin/tmp/

For security reasons, password authentication to the MariaDB server is no longer recommended to log in directly as a root user (i.e. via phpMyAdmin).

Create an additional user with all rights, to do this, we log on to the MariaDB server using the MySQL-Client.

mysql -u root

if everything went well, you are now in the MySQL (MariaDB) prompt.

MariaDB [(none)] >

And then hit the following SQL commands to create the MariaDB user and grant the rights.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

Replace “username” and “password“with the desired username and password. Finally type exit to leave the MariaDB console.

MariaDB [(none)] > exit

Now you can log in to the MariaDB server with the newly created user (i.e. also via phpMyAdmin).

http://192.168.2.12/phpmyadmin

Enough – your Apache2 web server incl. PHP 7.4, MariaDB server and phpMyAdmin is now ready to use. The phpMyAdmin WebUI can be reached by add /phpmyadmin to the IP address or FQDN in the browser.

Note. you’ll see the following error message at the bottom of the phpmyadmin page when you first log in to /phpmyadmin.

The configuration file now needs a secret passphrase (blowfish_secret).

You need to add a blowfish password to the phpMyAdmin’s config file. Edit config.inc.php and insert a random blowfish passphrase in the line $cfg['blowfish_secret']here as an example:

vi /usr/share/phpmyadmin/config.inc.php

$cfg['blowfish_secret'] = 'ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

Note. if you use vim for editing, you will notice that after entering the insert mode and paste text by press the right mouse key the blockwise Visual mode is turned on — (insert) VISUAL — that behaves undesirably, but this can be quickly solved by disabling the mouse control for vim, let’s do that right away and run echo "set mouse-=a" > ~/.vimrc

Hint. generating a passphrase is easy as the following command shows.

openssl rand -base64 48
ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM
# or another 48 characters long
date +%s | sha256sum | base64 | head -c 48 ; echo
MjhhMGUwMjYyYjljNWI2MjFiMGZmNmQ5MjdiYjY2MGE2YWNl

Securing and hardening Debian web server

First, the kernel firewall is configured for the web server, only the required services should be allowed incoming. With Debian, the ufw (Uncomplicated Firewall) is enabled by default after installation. The ports required for the web server are opened as follows.

ufw reset
ufw allow "WWW Full"
ufw allow 20/tcp
ufw allow 21/tcp
ufw allow 22/tcp
ufw allow 40000:50000/tcp
ufw default allow outgoing
ufw default deny incoming
ufw enable

With the following commands the firewall rules can be queried to check the configuration.

ufw status verbose
iptables -vnL
iptables -S

Use firewalld instead of ufw

If the firewalld package is required for Debian, it can be deactivated with ufw disable and firewalld can be installed.

apt instll firewalld -y

With Debian, the links for firewalld must be changed.

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

After installing firewalld, the rules can be defined.

firewall-cmd --zone=public --change-interface=ens192
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-port=20/tcp
firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
firewall-cmd --reload

Note: instead of interface=ens192, use the interafce name determined with ip link or ifconfig.

To check the executed policy using the firewalld-cmd list command.

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ftp http https ssh
  ports: 40000-50000/tcp 20/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

To display the current policy use the following commands.

firewall-cmd --list-all
firewall-cmd --get-active-zones
iptables -vnL

Note: after each change, reload the firewall for the changes to take effect.

firewall-cmd --reload

Install FTP server with vsftpd on Debian

vsftpd is an FTP server for the old File Transfer Protocol. As an acronym, its name stands for Very Secure File Transfer Protocol Daemon. Whether OpenSSH with sftp is standard on every Linux and FreeBSD, but unfortunately FTP is still widely used.

The vsftpd daemon is installed as follows.

apt install vsftpd -y

Edit the vsftpd configuration file for changes.

vi /etc/vsftpd.conf

We disable anonymous login and allow local users to write.

anonymous_enable=NO
local_enable=YES
write_enable=YES

Settings for logging and port ranges.

use_localtime=YES
xferlog_enable=YES
log_ftp_protocol=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
pasv_min_port=40000
pasv_max_port=50000

chroot stands for change root and is a function for Unixoid systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP utility prevents users from accessing files outside its directory. chroot also provides an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf at line chroot_local_user and change there to YES, so also with chroot_list_enable.

chroot_local_user=YES
chroot_list_enable=YES

All users are assigned chroot, except for some that are exempt, for this the file /etc/vsftpd.chroot_list is created, which contains users who are excluded from chroot.

chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES

To deny login altogether for certain users, we add the following lines to the vsftpd.conf file.

userlist_deny=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist

Create a vsftpd.userlist file and add users to be denied. The service accounts should be rejected, as they are often used for attacks. Add one user per row, example: vsftpd.userlist

Root
am
Daemon
sys
Sync
one
backup
Admin
sshd
Lp
Sync
proxy
stratagem
Irc
Shutdown
stop
email
news
Uucp
operator
games
nobody
postfix
www-data
Ftp
mysql

Start the vsftpd daemon.

systemctl start vsftpd

fail2ban hardens your web servers

Now it’s a good opportunity to protect your Debian with MariaDB and Apache web server with install fail2ban.

fail2ban is written in Python aims to protect server services against DoS attacks. It checks log files according to predefined patterns and temporarily blocks the corresponding IP addresses in the event of repeated failed access.

fail2ban is installed and configured on Debian as follows.

apt install fail2ban -y

The configuration of fail2ban for a web server with jail filter for watch access to the SSH and FTP service to bann brute-force attacks.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After the configuration file jail.conf has been copied, the file jail.local can be loaded into the editor, all settings here override the value in jail.conf.

vi /etc/fail2ban/jail.local

Settings can be adjusted here and filters for services can be activated or deactivated. The DEFAULT allows a global definition of the options. The options can then be overridden in any jail.

[DEFAULT]
bantime = 43200
findtime = 600
maxretry = 5

The options have the following function:

  • bantime defines the duration of the blocking, here 12 hours (specified in seconds).
  • findtime defines the duration in which failed attempts can take place, here 10 minutes.
  • maxretry indicates the number of attempts.

By default, fail2ban is only activated with the SSH filter, further filters are activated with enabled = true.

[sshd]
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

Fail2ban Jail Filter query status, and verbose output for SSH.

fail2ban-client status
fail2ban-client -vvv status sshd

Note. Since fail2ban 0.10 (IPv6 support) fail2ban executes actionstart IP-family related on demand by first ban per jail, so iptables-multiport would create the chain f2b-sshd only if first IP gets banned in sshd jail.

important tools for the web server as virtual machine

apt install open-vm-tools -y
apt install dnsutils -y
apt install net-tools -y

Add Apache virtual host for new domain

Here a simple script to create a new Apache VirtualHost along with a new document root and it’s own user who can upload files to build the website.

#!/bin/bash
if [ $# -lt 2 ]; then
    echo "Missinng argument!"
    echo "use: addvhost [example.com] [username]"
  exit 1
fi
# make directory for new docroot
mkdir -p /var/www/$1 /var/www/$1/html
# add user for new docroot
useradd -s /sbin/nologin -d /var/www/$1/html $2
# put index.html into docroot
echo -e "<html>
  <head>
    <title>Welcome to $1</title>
  </head>
  <body>
    <h1>Howdy! Apache2 virtual host $1 is working!</h1>
  </body>
</html>" > /var/www/$1/html/index.html
# assign owner and grant rights
chown -R $2:$2 /var/www/$1
chmod -R 755 /var/www
# create new apache virtual host config
cat <<EOF> /etc/apache2/sites-available/$1.conf
<VirtualHost *:80>
    ServerAdmin webmaster@$1
    ServerName $1
    ServerAlias www.$1
    DocumentRoot /var/www/$1/html
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
EOF
# enable the new apache virtual host
a2ensite $1
systemctl restart apache2

Save the lines into a script file called addvhost and run it.

chmod 755 addvhost
./addvhost example.com username

Use the first argument for the domain name and the second for the user name to be created.

Note. do not forget give a secret passwd [username]

After running the script you’ll find a new docroot under /var/www as well as the associated apache virtual host configuration under /etc/apache2/sites-available this is already ebabled.

For HTTPS websites, Certbot can be integrated for Let’s Encrypt SSL certificates, the how to find in this Article.

Conclusion

It is therefore possible to build a complete web server with all the necessary services in a short time without using graphical user interfaces or other tools for setup and administration.