Setup a LAMP (Debian 11) - Optimized method

⚡ Update / Upgrade

Update source:

@ /etc/apt/sources.list

deb http://deb.debian.org/debian/ {dist} main

Update libs:

apt-get update
apt-get upgrade

Update system:

apt-get upgrade --without-new-pkgs
apt-get full-upgrade
reboot

Fix APT :

rm -fr /var/lib/apt/lists/*
apt-get --purge autoremove
apt-get clean all

Check:

uname -r
lsb_release -a

---

⚡ Setup Access (SSH/SFTP)

Install:

apt-get install openssh-server
# apt-get install ssh (client/server)

Change root password:

passwd root

Add SSH user:

adduser {username}

Apply SUDO on SSH user:

usermod -aG sudo {username}

@ /etc/sudoers

{username} ALL=(ALL) ALL
# {username} ALL=(ALL) NOPASSWD:ALL

Setup SSH/SFTP (CHROOT)

Configuration:

@ /etc/ssh/sshd_config

Port {port}
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 3

#Subsystem sftp /usr/lib/openssh/sftp-server (comment)
Subsystem sftp internal-sftp

Match [User|Group] {username|groupname}
        ForceCommand internal-sftp -u 077
        PasswordAuthentication yes
        ChrootDirectory /var/www
        AllowTCPForwarding no
        X11Forwarding no

Restart:

sshd -t
systemctl restart sshd

Check:

tail -f /var/log/auth.log

---

⚡ Setup Apache Server

Install:

apt-get install apache2
apt-get install libapache2-mod-php7.4

Configuration:

a2enmod rewrite
a2dissite 000-default
a2dissite default-ssl
a2ensite {site}
a2dissite {site}
apache2ctl configtest
service apache2 restart

---

⚡ Setup MySQL Server

Install:

apt-get install mariadb-server
mysql_secure_installation

Add database:

mysql -u root

CREATE USER '{username}'@'localhost' IDENTIFIED BY '{password}';
GRANT ALL PRIVILEGES ON *.* TO '{username}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
CREATE DATABASE IF NOT EXISTS {database};
exit;

service mysql restart

Dump:

mysqldump -u {username} –p {password} {database} > {dump.sql}

---

⚡ Setup PHP

Install:

apt-get install php7.4 (php7.4-common)
apt-get install php7.4-cli
apt-get install php7.4-curl
apt-get install php7.4-intl
apt-get install php7.4-imagick
apt-get install php7.4-{extension}

Change php version:

a2dismod php7.0
a2enmod php7.4
service apache2 restart

---

⚡ Setup PhpMyAdmin

Install:

apt-get install phpmyadmin

Configuration:

@ /etc/apache2/apache2.conf

Include /etc/phpmyadmin/apache.conf

echo 'Include /etc/phpmyadmin/apache.conf' >> /etc/apache2/apache2.conf
service apache2 restart

---

⚡ Setup FTP (Optional)

Install:

apt-get install vsftpd

Configuration:

@ /etc/vsftpd.conf

Edit:

listen=YES
write_enable=YES
chown_uploads=YES
chown_username=www-data
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
local_umask=0022
anon_upload_enable=YES
anon_mkdir_write_enable=YES

Add:

allow_writeable_chroot=YES
chmod_enable=YES
ftp_username=www-data
force_dot_files=YES
max_clients=10
max_per_ip=3
hide_ids=YES
user_config_dir=/etc/vsftpd
file_open_mode=0777
user_sub_token=$USER
vsftpd_log_file=/var/log/vsftpd.log

mkdir /etc/vsftpd
nano /etc/vsftpd/{username}

local_root=/var/wwwsername}

service vsftpd restart

---

⚡ Setup DNS Server

Install:

apt-get install bind9
service bind9 restart

---

⚡ Setup SMTP

Install:

apt-get install postfix mailutils (postfix-mysql)
service postfix restart
service apache2 restart

---

⚡ Setup TLS/SSL

Install:

apt-get install openssl
apt-get install certbot python3-certbot-apache

Configuration:

certbot --apache
# certbot renew (/etc/letsencrypt/renewal)
# certbot certonly --cert-name domain.com -d domain.com
service apache2 restart
crontab -e

12 3 * * * letsencrypt renew >> /var/log/letsencrypt/renew.log

service cron restart

---

⚡ Setup Firewall

Install:

apt-get install ufw

Configuration:

ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow 80
ufw allow 443
ufw allow ssh
ufw allow from {IPV4} to any port {port}
ufw allow from {IPV6} to any port {port}
ufw enable
# ufw reset

---

⚡ Setup Permissions

Add WEB/SFTP user:

useradd {username}

Add WEB/SFTP user to www-data Group:

# adduser {username} {group}
usermod -aG www-data {username}
usermod -d /var/www -m {username}

Apply WEB/SFTP directory permissions:

chown -R {username}:www-data /var/www/
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

Change Access Control Lists (Optional):

apt-get install acl
setfacl -R -m g:www-data:rwx /var/www
setfacl -R -m u:{username}:rwx /var/www

Change Apache user:

@ /etc/apache2/envvars

export APACHE_RUN_USER={username}

echo 'export APACHE_RUN_USER={username}' >> /etc/apache2/envvars

---

⚡ Setup Redis

Install:

apt-get install redis-server
apt-get install php7.4-redis
apt-get install php7.4-igbinary

Configuration:

@ /etc/redis/redis.conf

# bind 127.0.0.1 ::1 (comment)
maxmemory 1024mb
maxmemory-policy allkeys-lru

Restart:

service redis-server restart

Test:

redis-cli
redis-cli FLUSHALL

---

⚡ Setup WP-CLI

Install:

wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod u+x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

---

⚡ Setup GIT

Install:

apt-get install git

Configuration:

git config --global user.name "{username}"
git config --global user.email "{email}"

---

⚡ Setup Security

Install Fail2ban:

apt-get install fail2ban

Secure Apache:

@ /etc/apache2/apache2.conf

# Decrease Timeout value
Timeout 60

@ /etc/apache2/mods-available/ssl.conf

# Use only TLS, Disable SSLv2, SSLv3
SSLProtocol -all +TLSv1

# Disable Weak Ciphers
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

@ /etc/apache2/mods-available/userdir.conf

# Limit HTTP Request Methods
allow only GET, POST and HEAD

@ /etc/apache2/conf-available/security.conf

ServerTokens Prod
TraceEnable off
ServerSignature Off
FileETag None

# Set rules for Directory /var/www/html
Options None
AllowOverride All
Order Allow,Deny
Allow from All

a2enmod headers

# Cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Clickjacking Attack Protection
Header always append X-Frame-Options SAMEORIGIN

# XSS Protection
Header set X-XSS-Protection "1; mode=block"

# Enforce secure connections to the server (HSTS)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# MIME sniffing Protection
Header set X-Content-Type-Options: "nosniff"

# Prevent Cross-site scripting and injections
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

service apache2 restart

Disable FTP access:

iptables -A INPUT -p tcp --dport 21 -j DROP

---

⚡ Tools

Install:

apt-get install net-tools

---

⚡ Service

Reset:

systemctl stop {service}
systemctl disable {service}
systemctl unmask {service}
rm /etc/systemd/system/{service}
rm /usr/lib/systemd/system/{service} 
systemctl daemon-reload
systemctl reset-failed

---

Authors:

• Jihad Sinnaour - Jakiboy (Initial work)

⭐ Support:

Please give it a Star if you like the project.