Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Debian 7 Wheezy Basic Install with SSL
# Debian Linux Apache MySQL and PHP with SSL
# http://youtu.be/0bUo7mg2ZFw
# First things first-- update the system.
apt-get update
apt-get upgrade
# add the IP address, the fully qualified domain name, and the machine
# name
vi /etc/hosts
-----
###.###.###.### hostname.domain-name.tld hostname
-----
# this should be just the machine name
vi /etc/hostname
-----
hostname
-----
# Install the web server we will attach everything to.
apt-get install apache2
# The most important configuration directories and files can be
# found in /etc/apache2 and then your error logs will be in /var/log/apache2
# You will want the two following libraries installed, trying to install them twice
# doesn't really hurt anything better safe than sorry.
apt-get install ssh openssl
# Enable the SSL module in Apache
a2enmod ssl
# Enable mod_headers in Apache
a2enmod headers
# Make a private key and subsequently a Certificate Signing Request (CSR).
# Don't get spooked by the questions.
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.csr
----------
Generating a 2048 bit RSA private key
....................................................................+++
...........+++
writing new private key to '/etc/ssl/enc-ssl.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Eastlake
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Rust Belt Rebellion
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:list255.com
Email Address []:bradchesney79@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password2014
An optional company name []:
----------
# Use the CSR to get a SSL certificate from a Certificate Authority (CA).
tail -n100 /etc/ssl/ssl.csr
# This command will remove the passphrase from the key.
# It is rare to have a key requiring human interaction.
# Non-human passphrase entry is out of scope for today.
openssl rsa -in /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.key
# It is a good idea to install a Certificate Authority Chain Certificate
# (a.k.a. Intermdiate Certificate & Subordinate Certificate Authority Certificates).
# You may get lucky and the browser happens to know your CA.
# If not, these documents point your browser closer to a Root Certificate Authority your browser trusts.
# Your browser may follow several chain certificates to get to a CA it knows it can trust.
# The whole system is based on these chains of trust.
vi /etc/ssl/certs/sub.class2.server.sha2.ca.pem
### I prepared the certificate set ahead of time-- I am going to replace
### what I just put in with what I have prepared beforehand here.
# The definitions of the websites are in /etc/apache2/sites-available .
# Time to modify the default virtual host listening for SSL requests
vi /etc/apache2/sites-available/default-ssl
----------
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
#####################################
### We added/modified these lines ###
### SSLv2 has been compormised as well as SSLv3 (POODLE)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
### Notice the completely missing RC4 cipher and other specifically disallowed encryption methods (Null & MD5 specifically)
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/ssl/ssl.crt
SSLCertificateKeyFile /etc/ssl/ssl.key
SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.sha2.ca.pem
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
### End modified lines ###
##########################
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
----------
vi /etc/apache2/conf.d/security
----------
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Order Deny,Allow
# Deny from all
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off
#ServerSignature On
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
#TraceEnable On
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Deny from all
# Satisfy all
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"
#
# Some browsers have a built-in XSS filter that will detect some cross site
# scripting attacks. By default, these browsers modify the suspicious part of
# the page and display the result. This behavior can create various problems
# including new security issues. This header will tell the XSS filter to
# completely block access to the page instead.
# Requires mod_headers to be enabled.
#
Header set X-XSS-Protection: "1; mode=block"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"
----------
# Now we have to enable the default virtual host listening for SSL requests
a2ensite default-ssl
# It doesn't hurt to reload the Apache server then visit the website
# to verify it works.
service apache2 reload
# I generally add the PHP package next
apt-get install php5 libapache2-mod-php5
# Your PHP configurations are going to be found in /etc/php5 .
# Make a short script that contains <?php phpinfo() ?> to check that PHP works.
# You should be able to browse to it and see the particulars of your installation
vi /var/www/phpinfo.php
# The last packages are for the MySQL server that listens for requests,
# the MySQL-client that requests information from the command line, and
# php5-mysql that facilitates making MySQL requests from PHP.
# You will be asked for your MySQL root user password twice.
# This is important for later, remember it.
apt-get install mysql-server mysql-client php5-mysql
# At this point everything works, but I wouldn't feel good about this install
# until we lock MySQL down just a little more.
# This script removes a lot of the insecure configurations & resources from
# an initial installation.
mysql_secure_installation
# You will be asked for your password from a few seconds ago.
----------
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
----------
# We are going to log in to MySQL and modify the default users.
mysql -uroot -p
# We will be working exclusively in the database that MySQL uses to store
# information about itself.
USE mysql
# A common vector is to attack the MySQL root user since it is the default
# omipotent user put on almost all MySQL installs.
#So, give your 'root' user a different name.
# (Is admin more secure than root, meh. Yeah, I guess.)
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'127.0.0.1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'::1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
# Then we get rid of the known 'root' user. Cannot hack what is not there...
DELETE FROM mysql.user WHERE user='root';
# This following command makes our changes active.
FLUSH PRIVILEGES;
# We have finished what we wanted inside the MySQL client.
EXIT
# When I am done, I restart the server instead of reloading it for no good reason.
service apache2 restart
# I don't use webmin. But, we did talk about installing webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.710_all.deb
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libapt-pkg-perl
dpkg --install webmin_1.710_all.deb
!!!Post Addendum: Just read about something that may be better than webmin, http://ajenti.org/ . I don't use either and I have never tried ajenti, but there it is.
# We also talked about installing phpMyAdmin.
apt-get install phpmyadmin
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment