How to install Certbot for Apache on Debian to be able to issue Let’s Encrypt certificates.
Let’s Encrypt is a certificate authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that tries to automate most of the required steps. Let’s Encrypt uses the ACME protocol (ACMEv2) to verify the domain name and control and issue the certificate. Currently, the entire process of obtaining and installing a certificate on both Apache and Nginx is fully automated.
In this tutorial, Certbot is used to obtain a free SSL certificate for Apache on Debian 10 and to set up certificates automatically.
Apache web server with certbot certificate on Debian
Conditions
A Debian 10 server, a non-root user with sudo permissions is created and a firewall (ufw or firewalld) is set up.
A fully registered domain name, for example, unblog.ch.
Both of the following DNS records are set up for the server.
An A record for my_domain points to the server’s public IP address.
An A record for www.my_domain points to the server’s public IP address.
Apache is installed by following the instructions to install LAMP Stack on Debian. Make sure that a virtual hosts file is set up for the domain. This tutorial uses /etc/apache2/sites-available/my_domain.conf as an example.
Note: Currently, Certbot is not available by default in the Debian software repositories. To install Certbot as a snap on Debian, snapd must first be installed on the server. snapd is a daemon that is required to install and manage snaps.
Snap is a software distribution system and package management for Linux that works across distributions. The system developed by Canonical supports transactional updates and rollbacks. It was developed by Canonical for Ubuntu and is now also available for other Linux distributions.
Install Certbot on Debian
Follow the instructions below from the command line on the Debian server to install the latest version of snapd.
$ sudo snap install core; sudo snap refresh core
Run this command from the command line to install Certbot.
$ sudo snap install --classic certbot
Execute the following statement on the command line to ensure that the certbot command can be executed.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Retrieve certificate and let Certbot make Apache ready
This command to retrieve a certificate and to let Certbot automatically edit the Apache configuration by enabling HTTPS access in a single step.
$ sudo certbot --apache
If you want to make the changes to the Apache configuration yourself, you can execute this command.
$ sudo certbot certonly --apache
Testing the automatic renewal of certificates is done with the following command.
$ sudo certbot renew --dry-run
To check the whole thing, visit https://my_domain/ in the browser of your choice look for the lock icon in the URL line.
Setting up the SSL certificate on Debian
Certbot must find the correct virtual host in the Apache configuration so that SSL can be configured automatically.This is done in particular by looking for the ServerName statement that corresponds to the domain for which a certificate is to be requested.
To verify, open the virtual hosts file for the domain using vim or nano text editor.
$ vi /etc/apache2/sites-available/my_domain.conf
Look in the row for ServerName The domain name should my_domain.
ServerName my_domain
If you have not already done so, update the ServerName statement to point to the domain name.
Next, check the syntax of the configuration changes.
$ sudo apache2ctl configtest
Certbot offers a variety of ways to obtain SSL certificates through plugins. The Apache plugin takes care of reconfiguring Apache and reloads the configuration if necessary. The following command uses this plugin.
It runs certbot with the --apache plugin and uses -dto specify the domain names for which the certificate should be valid.
When you start Certbot for the first time, you will be asked to enter an email address and agree to the Terms of Use. In addition, you will be asked if you are willing to share the email address with the Electronic Frontier Foundation, a non-profit organization that advocates for digital rights and also makes Certbot. Confirm here with Y for the email address or N to decline.
To test the renewal process, the following test run is available.
$ sudo certbot renew --dry-run
Conclusion
In this tutorial, we installed the Let’s Encrypt client, downloaded SSL certificates for the domain, configured Apache to use these certificates, and set up automatic certificate renewal.
This tutorial shows how to install Apache, MariaDB and PHP, call LAMP stack with configuration on a Debian 11 (buster) as a web server complete with Apache/2.4, MariaDB 10, PHP 7.4 and vsftpd as well as Fail2ban and all necessary packages. The estimated time required for the installation is around 10 minutes, at the end of which a web server is ready to use for content management systems. Newly created users for FTP access are automatically chrooted to their own DocumentRoot.
Install Apache MariaDB PHP on Debian Server
We are logged in as root on a Debian 10, first, as always, we have all updates carried out.
apt update
First, required packages are provided as a prerequisite for further installation.
apt install ca-certificates apt-transport-https lsb-release gnupg curl vim unzip -y
The Debian repository does not contain the latest PHP versions, so we use the Sury repository.
Now let’s run the script to complete the configuration of the MariaDB server.
mysql_secure_installation
When you first ask for the current password, you do not have to enter anything, but simply press the Enter key. Confirm the next question regarding changing the root password with Enter. Now a password is assigned for the root user of the MariaDB server (not Linux root). No characters appear as you type, which is normal. Confirm all of the following questions (deletion of the anonymous user, banning the external root login for security reasons, removing the test database and updating the rights) also with Enter. After that, the MariaDB server is fully installed and configured.
Install phpMyAdmin on Debian with MariaDB
Now able to manage the MariaDB databases on the Debian Server, we install by the command cd /usr/share to change the directory path where phpMyAdmin we would install.
For security reasons, password authentication to the MariaDB server is no longer recommended to log in directly as a root user (i.e. via phpMyAdmin).
Create an additional user with all rights, to do this, we log on to the MariaDB server using the MySQL-Client.
mysql -u root
if everything went well, you are now in the MySQL (MariaDB) prompt.
MariaDB [(none)] >
And then hit the following SQL commands to create the MariaDB user and grant the rights.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Replace “username” and “password“with the desired username and password. Finally type exit to leave the MariaDB console.
MariaDB [(none)] > exit
Now you can log in to the MariaDB server with the newly created user (i.e. also via phpMyAdmin).
http://192.168.2.12/phpmyadmin
Enough – your Apache2 web server incl. PHP 7.4, MariaDB server and phpMyAdmin is now ready to use. The phpMyAdmin WebUI can be reached by add /phpmyadmin to the IP address or FQDN in the browser.
Note. you’ll see the following error message at the bottom of the phpmyadmin page when you first log in to /phpmyadmin.
The configuration file now needs a secret passphrase (blowfish_secret).
You need to add a blowfish password to the phpMyAdmin’s config file. Edit config.inc.php and insert a random blowfish passphrase in the line $cfg['blowfish_secret']here as an example:
vi /usr/share/phpmyadmin/config.inc.php
$cfg['blowfish_secret'] = 'ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Note. if you use vim for editing, you will notice that after entering the insert mode and paste text by press the right mouse key the blockwise Visual mode is turned on — (insert) VISUAL — that behaves undesirably, but this can be quickly solved by disabling the mouse control for vim, let’s do that right away and run echo "set mouse-=a" > ~/.vimrc
Hint. generating a passphrase is easy as the following command shows.
openssl rand -base64 48
ttTo4Zhy6zEOdUatH6vcOQFbXpnnM/WmOZpO1bM9BH2R7i4WZJVpdBntcsvSDVlM
# or another 48 characters long
date +%s | sha256sum | base64 | head -c 48 ; echo
MjhhMGUwMjYyYjljNWI2MjFiMGZmNmQ5MjdiYjY2MGE2YWNl
Securing and hardening Debian web server
First, the kernel firewall is configured for the web server, only the required services should be allowed incoming. With Debian, the ufw (Uncomplicated Firewall) is enabled by default after installation. The ports required for the web server are opened as follows.
Note: after each change, reload the firewall for the changes to take effect.
firewall-cmd --reload
Install FTP server with vsftpd on Debian
vsftpd is an FTP server for the old File Transfer Protocol. As an acronym, its name stands for Very Secure File Transfer Protocol Daemon. Whether OpenSSH with sftp is standard on every Linux and FreeBSD, but unfortunately FTP is still widely used.
The vsftpd daemon is installed as follows.
apt install vsftpd -y
Edit the vsftpd configuration file for changes.
vi /etc/vsftpd.conf
We disable anonymous login and allow local users to write.
chroot stands for change root and is a function for Unixoid systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP utility prevents users from accessing files outside its directory. chroot also provides an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf at line chroot_local_user and change there to YES, so also with chroot_list_enable.
chroot_local_user=YES
chroot_list_enable=YES
All users are assigned chroot, except for some that are exempt, for this the file /etc/vsftpd.chroot_list is created, which contains users who are excluded from chroot.
Create a vsftpd.userlist file and add users to be denied. The service accounts should be rejected, as they are often used for attacks. Add one user per row, example: vsftpd.userlist
Root
am
Daemon
sys
Sync
one
backup
Admin
sshd
Lp
Sync
proxy
stratagem
Irc
Shutdown
stop
email
news
Uucp
operator
games
nobody
postfix
www-data
Ftp
mysql
Start the vsftpd daemon.
systemctl start vsftpd
fail2ban hardens your web servers
Now it’s a good opportunity to protect your Debian with MariaDB and Apache web server with install fail2ban.
fail2ban is written in Python aims to protect server services against DoS attacks. It checks log files according to predefined patterns and temporarily blocks the corresponding IP addresses in the event of repeated failed access.
fail2ban is installed and configured on Debian as follows.
apt install fail2ban -y
The configuration of fail2ban for a web server with jail filter for watch access to the SSH and FTP service to bann brute-force attacks.
After the configuration file jail.conf has been copied, the file jail.local can be loaded into the editor, all settings here override the value in jail.conf.
vi /etc/fail2ban/jail.local
Settings can be adjusted here and filters for services can be activated or deactivated. The DEFAULT allows a global definition of the options. The options can then be overridden in any jail.
bantime defines the duration of the blocking, here 12 hours (specified in seconds).
findtime defines the duration in which failed attempts can take place, here 10 minutes.
maxretry indicates the number of attempts.
By default, fail2ban is only activated with the SSH filter, further filters are activated with enabled = true.
[sshd]
enabled = true
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
Fail2ban Jail Filter query status, and verbose output for SSH.
fail2ban-client status
fail2ban-client -vvv status sshd
Note. Since fail2ban 0.10 (IPv6 support) fail2ban executes actionstart IP-family related on demand by first ban per jail, so iptables-multiport would create the chain f2b-sshd only if first IP gets banned in sshd jail.
important tools for the web server as virtual machine
Use the first argument for the domain name and the second for the user name to be created.
Note. do not forget give a secret passwd [username]
After running the script you’ll find a new docroot under /var/www as well as the associated apache virtual host configuration under /etc/apache2/sites-available this is already ebabled.
For HTTPS websites, Certbot can be integrated for Let’s Encrypt SSL certificates, the how to find in this Article.
Conclusion
It is therefore possible to build a complete web server with all the necessary services in a short time without using graphical user interfaces or other tools for setup and administration.
UNBLOG verwendet Cookies, um Dein Online-Erlebnis zu verbessern. Mit "ACCEPT" gibst Du Deine Zustimmung zur Nutzung dieser Website und unseren Datenschutzbestimmungen, oder wähle Cookie settings.
Diese Website verwendet Cookies, um Ihre Erfahrung zu verbessern, während Sie durch die Website navigieren. Von diesen werden die Cookies, die nach Bedarf kategorisiert werden, in Ihrem Browser gespeichert, da sie für das Funktionieren der grundlegenden Funktionen der Website wesentlich sind. Wir verwenden auch Cookies von Drittanbietern, mit denen wir analysieren und verstehen können, wie Sie diese Website nutzen. Diese Cookies werden nur mit Ihrer Zustimmung in Ihrem Browser gespeichert. Sie haben auch die Möglichkeit, diese Cookies zu deaktivieren. Das Deaktivieren einiger dieser Cookies kann sich jedoch auf Ihre Browser-Erfahrung auswirken.
Notwendige Cookies sind unbedingt erforderlich, damit die Website ordnungsgemäß funktioniert. Diese Kategorie enthält nur Cookies, die grundlegende Funktionen und Sicherheitsmerkmale der Website gewährleisten. Diese Cookies speichern keine persönlichen Informationen.
Alle Cookies, die für die Funktion der Website möglicherweise nicht besonders erforderlich sind und speziell zur Erfassung personenbezogener Daten des Benutzers über Analysen, Anzeigen und andere eingebettete Inhalte verwendet werden, werden als nicht erforderliche Cookies bezeichnet. Es ist obligatorisch, die Zustimmung des Benutzers einzuholen, bevor diese Cookies auf Ihrer Website ausgeführt werden.