  1. #1

    How to set-up a webserver on debian

    I want to learn how to secure a dedicated box (change ssh port, user/pass etc) then install Apache/Lighttpd + PHP5 + MySQL

    Could someone point me to some good tutorials/guides for this? I'm not looking for ready packages but considering compiling apache and php.

    It's a Debian box and I have ssh root access. Please note I want to learn and that is why I'm doing this, so if you can't help please don't reply.

    In short I need to learn how to set-up and secure a dedicated box running debian to run as a webserver.

    Any help would be greatly appreciated.

  2. #2
    If you don't have experience with that, I suggest you purchase a control panel such as cPanel/DA to do it.
    If you do want to do it yourself, reading the official documentation will be the best way.

  3. #3
    No I don't have experience with it, Yes I want to learn how to do it and No I don't want to do it through a control panel.

    I've basically found a good guide to install apache/mysql (http://www.debian-administration.org/articles/357)

    Now I'm looking for some guides that will help me secure the box, I mean change root pass, change ssh port etc

    And again thanks for your replies

  4. #4
    Quote Originally Posted by Zeest
    No I don't have experience with it, Yes I want to learn how to do it and No I don't want to do it through a control panel.

    I've basically found a good guide to install apache/mysql (http://www.debian-administration.org/articles/357)

    Now I'm looking for some guides that will help me secure the box, I mean change root pass, change ssh port etc

    And again thanks for your replies

    # passwd
    > enter password
    > enter new pass
    > enter it again

    # nano /etc/ssh/sshd_config

    You'll see "Port 22" move down to that, change "22" to whatever port you want.

    Pretty simple, suggest you read up on some basic UNIX commands. Also, you would be better off doing this on a box at home behind a firewall otherwise you might get someone hacking your server causing you all sorts of headaches.

  5. #5
    Quote Originally Posted by Zeest
    No I don't have experience with it, Yes I want to learn how to do it and No I don't want to do it through a control panel.

    I've basically found a good guide to install apache/mysql (http://www.debian-administration.org/articles/357)

    Now I'm looking for some guides that will help me secure the box, I mean change root pass, change ssh port etc

    And again thanks for your replies

    For SSH security, I would suggest you disable root login with password, authorize with RAS key, and also install denyhosts to protect your server.

  6. #6
    Webmin is right for you.

  7. #7
    Quote Originally Posted by Zeest
    I want to learn how to secure a dedicated box (change ssh port, user/pass etc) then install Apache/Lighttpd + PHP5 + MySQL

    Could someone point me to some good tutorials/guides for this? I'm not looking for ready packages but considering compiling apache and php.

    It's a Debian box and I have ssh root access. Please note I want to learn and that is why I'm doing this, so if you can't help please don't reply.

    In short I need to learn how to set-up and secure a dedicated box running debian to run as a webserver.

    Any help would be greatly appreciated.

    This is very simple:

    1 - Edit /etc/ssh/sshd_config; this is a well-commented, self-explanatory file. Restart ssh with /etc/init.d/ssh restart

    2 - You're going to need to install some libraries prior to building lighttpd :

    Code:
    apt-get install libpcre3 libpcre3-dev   # for lighty's regular expression engine

    apt-get install libssl-dev openssl      # for secure socket layer

    apt-get install bzip2 gzip              # for compression
    From there, download and untar lighty, then run

    Code:
    ./configure --with-openssl
    When done, you should see this :
    Code:
    Features:
    
    enabled:
      auth-crypt
      compress-bzip2
      compress-deflate
      compress-gzip
      large-files
      network-ipv6
      network-openssl
      regex-conditionals
    disabled:
      auth-ldap
      stat-cache-fam
      storage-gdbm
      storage-memcache
      webdav-properties
    make, then make install. You'll need to copy over one of the init scripts and do an update-rc.d so it starts at boot. (tutorials on this can be found on lighttpd's site).

    If you want memcache, webdav, ldap .. etc, you'll need to install some more packages and add more switches to the ./configure command.

    To see what can be specified run :

    Code:
    ./configure --help
    What you didn't mention was what version of PHP or MySQL you wanted, so I can't post examples for those. You'll need to make a few changes in lighttpd's config file reflecting these.

    Debian + Lighttpd is a *very* good match, and a very good choice on your part. This should (at least) get you to the point that lighty builds and installs on your server. As I said, the rest is easy to find on lighttpd.net, or just Google.

    Hope this helps,
    -Tim

  8. #8
    Quote Originally Posted by sticky
    # passwd
    > enter password
    > enter new pass
    > enter it again

    # nano /etc/ssh/sshd_config

    You'll see "Port 22" move down to that, change "22" to whatever port you want.

    Pretty simple, suggest you read up on some basic UNIX commands. Also, you would be better off doing this on a box at home behind a firewall otherwise you might get someone hacking your server causing you all sorts of headaches.

    You will also want to change this line :

    #Protocol 2,1

    To read just :

    Protocol 2

    Notice the # and 1 are gone; this forces ssh v2. SSH v1 is no better than telnet. This stops someone from logging in to your server as root using an older ssh client, and forces protocol 2. You never know what kind of client someone helping you set things up could be using.

    I also *highly* recommend installing and configuring shorewall (iptables firewall) to help lock down the box. If you're using the default server install of Sarge or Etch, not too many un-used services should be present. Give a look, and make sure services started in init.d/ are indeed needed, or disable them.

    Best,
    -Tim

  9. #9
    Thanks a lot everyone, here's the progress

    I've successfully done the following
    - changed root password
    - installed sudo
    - created new user and added entry to sudoers
    - changed ssh port
    - PermitRootLogin No
    - Protocol 2
    - installed and configured DenyHosts
    - installed ShoreWall
    - configuring ShoreWall (STUCK)

    I need a little help configuring Shorewall, I have mostly followed this guide http://deb.riseup.net/networking/firewall/ except for the rules. I need help in setting the rules. I haven't started it yet and startup is 0. I'd also want to block any pings to my server. Is this ok then?

    Code:
    REJECT   net     fw    icmp    8 
    REJECT   fw      net   icmp 
    ACCEPT   net     fw    tcp     ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission 
    ACCEPT   net     fw    udp     https
    And one more very important thing, I have changed my ssh port from 22 to something else, so do I have to enter the new port in rules file?

    Apart from this anything else I should do to increase server security?

    And what is "authorize with RAS key"? How do I go about doing that? Could you please point me to a guide or something because I can't find much on google.

    thanks again

    EDIT : Where will I find more info about the services and which of them aren't really required and can be disabled?
    Last edited by Zeest; 12-09-2006 at 02:39 AM.
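
The port question in post #9 goes unanswered in the thread: in a Shorewall rules file the service name `ssh` is looked up in /etc/services and means port 22, so an sshd moved to another port needs that port number listed in the ACCEPT rule. The check below is an added example, not code from any poster; the function names and port 2222 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: check sshd_config and a Shorewall rules file together before
# restarting sshd or starting the firewall. File paths are arguments, so it can
# be run against copies. Match blocks and port ranges are not handled.

# Print the first value given for KEYWORD (sshd uses the first one it reads;
# keywords are case-insensitive, commented-out lines do not count).
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Succeed if an "ACCEPT net fw tcp" rule lists PORT. The service name "ssh"
# only ever means 22 (/etc/services), so it matches only when PORT is 22.
rules_allow_port() {  # usage: rules_allow_port RULES_FILE PORT
    awk -v p="$2" '
        $1 == "ACCEPT" && $2 == "net" && $3 == "fw" && $4 == "tcp" {
            n = split($5, ports, ",")
            for (i = 1; i <= n; i++)
                if (ports[i] == p || (p == "22" && ports[i] == "ssh")) found = 1
        }
        END { exit !found }' "$1"
}

# Print each finding and return the number of findings.
preflight() {  # usage: preflight SSHD_CONFIG RULES_FILE
    problems=0
    port=$(sshd_value "$1" Port); port=${port:-22}   # 22 is sshd's default
    [ "$(sshd_value "$1" Protocol)" = "2" ] ||
        { echo "Protocol is not '2'"; problems=$((problems + 1)); }
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; problems=$((problems + 1)); }
    rules_allow_port "$2" "$port" ||
        { echo "no ACCEPT net->fw tcp rule for sshd port $port"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample files: port 2222 is made up, the rule is shortened from post #9.
demo=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' 'ACCEPT   net     fw    tcp     ssh,www,https,smtp' > "$demo/rules"
preflight "$demo/sshd_config" "$demo/rules" || echo "$? finding(s)"
```

Run it against the real files from a session that stays open, so a missing rule is caught before the firewall starts and cuts off SSH access.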

  10. #10
    Thanks for the help guys, I successfully installed lighttpd + php5 + mysql5 + eAccelerator and vsftpd. Shorewall didn't seem to work out so well, the configuration is too complicated. Is there some alternative firewall that's easy to configure? I only have denyhosts running now.

  11. #11
    apt-get install arno-iptables-firewall

  12. #12
    APF is also a good firewall, its conf file is much more readable to humans than regular IPTables or Shorewall.
