bradchesney79/Minimal commands to set up

## Minimal commands to set up
# Debian Linux Apache MySQL and PHP with SSL
# http://youtu.be/0bUo7mg2ZFw

# First things first-- update the system.

apt-get update
apt-get upgrade

# add the IP address, the fully qualified domain name, and the machine
# name

vi /etc/hosts

-----

###.###.###.### hostname.domain-name.tld hostname

-----

# this should be just the machine name
vi /etc/hostname

-----

hostname

-----

# Install the web server we will attach everything to.
apt-get install apache2

# The most important configuration directories and files can be
# found in /etc/apache2 and then your error logs will be in /var/log/apache2

# You will want the two following libraries installed, trying to install them twice
# doesn't really hurt anything better safe than sorry.
apt-get install ssh openssl

# Enable the SSL module in Apache
a2enmod ssl

# Enable mod_headers in Apache
a2enmod headers

# Make a private key and subsequently a Certificate Signing Request (CSR).
# Don't get spooked by the questions.
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.csr

----------
Generating a 2048 bit RSA private key
....................................................................+++
...........+++
writing new private key to '/etc/ssl/enc-ssl.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Eastlake
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Rust Belt Rebellion
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:list255.com
Email Address []:bradchesney79@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password2014
An optional company name []:
----------

# Use the CSR to get a SSL certificate from a Certificate Authority (CA).
tail -n100 /etc/ssl/ssl.csr

# This command will remove the passphrase from the key.
# It is rare to have a key requiring human interaction.
# Non-human passphrase entry is out of scope for today.
openssl rsa -in /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.key

# It is a good idea to install a Certificate Authority Chain Certificate
# (a.k.a. Intermdiate Certificate & Subordinate Certificate Authority Certificates).
# You may get lucky and the browser happens to know your CA.
# If not, these documents point your browser closer to a Root Certificate Authority your browser trusts.
# Your browser may follow several chain certificates to get to a CA it knows it can trust.
# The whole system is based on these chains of trust.
vi /etc/ssl/certs/sub.class2.server.sha2.ca.pem

### I prepared the certificate set ahead of time-- I am going to replace
### what I just put in with what I have prepared beforehand here.

# The definitions of the websites are in /etc/apache2/sites-available .
# Time to modify the default virtual host listening for SSL requests
vi /etc/apache2/sites-available/default-ssl


----------

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined


	# SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	SSLEngine on

	#####################################
	### We added/modified these lines ###
	### SSLv2 has been compormised as well as SSLv3 (POODLE)
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	### Notice the completely missing RC4 cipher and other specifically disallowed encryption methods (Null & MD5 specifically)
	SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

	SSLCertificateFile /etc/ssl/ssl.crt
	SSLCertificateKeyFile /etc/ssl/ssl.key
	SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.sha2.ca.pem

	#   A self-signed (snakeoil) certificate can be created by installing
	#   the ssl-cert package. See
	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	#   If both key and certificate are stored in the same file, only the
	#   SSLCertificateFile directive is needed.
	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	### End modified lines ###
	##########################

	#   A self-signed (snakeoil) certificate can be created by installing
	#   the ssl-cert package. See
	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	#   If both key and certificate are stored in the same file, only the
	#   SSLCertificateFile directive is needed.
	#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	#   Server Certificate Chain:
	#   Point SSLCertificateChainFile at a file containing the
	#   concatenation of PEM encoded CA certificates which form the
	#   certificate chain for the server certificate. Alternatively
	#   the referenced file can be the same as SSLCertificateFile
	#   when the CA certificates are directly appended to the server
	#   certificate for convinience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	#   Certificate Authority (CA):
	#   Set the CA certificate verification path where to find CA
	#   certificates for client authentication or alternatively one
	#   huge file containing all of them (file must be PEM encoded)
	#   Note: Inside SSLCACertificatePath you need hash symlinks
	#         to point to the certificate files. Use the provided
	#         Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	#   Certificate Revocation Lists (CRL):
	#   Set the CA revocation path where to find CA CRLs for client
	#   authentication or alternatively one huge file containing all
	#   of them (file must be PEM encoded)
	#   Note: Inside SSLCARevocationPath you need hash symlinks
	#         to point to the certificate files. Use the provided
	#         Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	#   Client Authentication (Type):
	#   Client certificate verification type and depth.  Types are
	#   none, optional, require and optional_no_ca.  Depth is a
	#   number which specifies how deeply to verify the certificate
	#   issuer chain before deciding the certificate is not valid.
	#SSLVerifyClient require
	#SSLVerifyDepth  10

	#   Access Control:
	#   With SSLRequire you can do per-directory access control based
	#   on arbitrary complex boolean expressions containing server
	#   variable checks and other lookup directives.  The syntax is a
	#   mixture between C and Perl.  See the mod_ssl documentation
	#   for more details.
	#<Location />
	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
	#</Location>

	#   SSL Engine Options:
	#   Set various options for the SSL engine.
	#   o FakeBasicAuth:
	#     Translate the client X.509 into a Basic Authorisation.  This means that
	#     the standard Auth/DBMAuth methods can be used for access control.  The
	#     user name is the `one line' version of the client's X.509 certificate.
	#     Note that no password is obtained from the user. Every entry in the user
	#     file needs this password: `xxj31ZMTZzkVA'.
	#   o ExportCertData:
	#     This exports two additional environment variables: SSL_CLIENT_CERT and
	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
	#     server (always existing) and the client (only existing when client
	#     authentication is used). This can be used to import the certificates
	#     into CGI scripts.
	#   o StdEnvVars:
	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
	#     Per default this exportation is switched off for performance reasons,
	#     because the extraction step is an expensive operation and is usually
	#     useless for serving static content. So one usually enables the
	#     exportation for CGI and SSI requests only.
	#   o StrictRequire:
	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
	#     under a "Satisfy any" situation, i.e. when it applies access is denied
	#     and no other module can change it.
	#   o OptRenegotiate:
	#     This enables optimized SSL connection renegotiation handling when SSL
	#     directives are used in per-directory context.
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>

	#   SSL Protocol Adjustments:
	#   The safe and default but still SSL/TLS standard compliant shutdown
	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
	#   the close notify alert from client. When you need a different shutdown
	#   approach you can use one of the following variables:
	#   o ssl-unclean-shutdown:
	#     This forces an unclean shutdown when the connection is closed, i.e. no
	#     SSL close notify alert is send or allowed to received.  This violates
	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
	#     this when you receive I/O errors because of the standard approach where
	#     mod_ssl sends the close notify alert.
	#   o ssl-accurate-shutdown:
	#     This forces an accurate shutdown when the connection is closed, i.e. a
	#     SSL close notify alert is send and mod_ssl waits for the close notify
	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
	#     practice often causes hanging connections with brain-dead browsers. Use
	#     this only for browsers where you know that their SSL implementation
	#     works correctly.
	#   Notice: Most problems of broken clients are also related to the HTTP
	#   keep-alive facility, so you usually additionally want to disable
	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	#   "force-response-1.0" for this.
	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

----------

vi /etc/apache2/conf.d/security

----------

#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#       AllowOverride None
#       Order Deny,Allow
#       Deny from all
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off
#ServerSignature On

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#       Deny from all
#       Satisfy all
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"

#
# Some browsers have a built-in XSS filter that will detect some cross site
# scripting attacks. By default, these browsers modify the suspicious part of
# the page and display the result. This behavior can create various problems
# including new security issues. This header will tell the XSS filter to
# completely block access to the page instead.
# Requires mod_headers to be enabled.
#
Header set X-XSS-Protection: "1; mode=block"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"

----------

# Now we have to enable the default virtual host listening for SSL requests
a2ensite default-ssl

# It doesn't hurt to reload the Apache server then visit the website
# to verify it works.
service apache2 reload

# I generally add the PHP package next
apt-get install php5 libapache2-mod-php5

# Your PHP configurations are going to be found in /etc/php5 .
# Make a short script that contains <?php phpinfo() ?> to check that PHP works.
# You should be able to browse to it and see the particulars of your installation
vi /var/www/phpinfo.php

# The last packages are for the MySQL server that listens for requests,
# the MySQL-client that requests information from the command line, and
# php5-mysql that facilitates making MySQL requests from PHP.
# You will be asked for your MySQL root user password twice.
# This is important for later, remember it.
apt-get install mysql-server mysql-client php5-mysql

# At this point everything works, but I wouldn't feel good about this install
# until we lock MySQL down just a little more.
# This script removes a lot of the insecure configurations & resources from
# an initial installation.
mysql_secure_installation

# You will be asked for your password from a few seconds ago.
----------
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
----------

# We are going to log in to MySQL and modify the default users.
mysql -uroot -p

# We will be working exclusively in the database that MySQL uses to store
# information about itself.
USE mysql

# A common vector is to attack the MySQL root user since it is the default
# omipotent user put on almost all MySQL installs.
#So, give your 'root' user a different name.
# (Is admin more secure than root, meh. Yeah, I guess.)
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'127.0.0.1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'::1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

# Then we get rid of the known 'root' user. Cannot hack what is not there...
DELETE FROM mysql.user WHERE  user='root';

# This following command makes our changes active.
FLUSH PRIVILEGES;

# We have finished what we wanted inside the MySQL client.
EXIT

# When I am done, I restart the server instead of reloading it for no good reason.
service apache2 restart

# I don't use webmin. But, we did talk about installing webmin
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.710_all.deb
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libapt-pkg-perl
dpkg --install webmin_1.710_all.deb

!!!Post Addendum: Just read about something that may be better than webmin, http://ajenti.org/ . I don't use either and I have never tried ajenti, but there it is.

# We also talked about installing phpMyAdmin.
apt-get install phpmyadmin
	# Debian Linux Apache MySQL and PHP with SSL
	# http://youtu.be/0bUo7mg2ZFw

	# First things first-- update the system.

	apt-get update
	apt-get upgrade

	# add the IP address, the fully qualified domain name, and the machine
	# name

	vi /etc/hosts

	-----

	###.###.###.### hostname.domain-name.tld hostname

	-----

	# this should be just the machine name
	vi /etc/hostname

	-----

	hostname

	-----

	# Install the web server we will attach everything to.
	apt-get install apache2

	# The most important configuration directories and files can be
	# found in /etc/apache2 and then your error logs will be in /var/log/apache2

	# You will want the two following libraries installed, trying to install them twice
	# doesn't really hurt anything better safe than sorry.
	apt-get install ssh openssl

	# Enable the SSL module in Apache
	a2enmod ssl

	# Enable mod_headers in Apache
	a2enmod headers

	# Make a private key and subsequently a Certificate Signing Request (CSR).
	# Don't get spooked by the questions.
	openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.csr

	----------
	Generating a 2048 bit RSA private key
	....................................................................+++
	...........+++
	writing new private key to '/etc/ssl/enc-ssl.key'
	-----
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:US
	State or Province Name (full name) [Some-State]:Ohio
	Locality Name (eg, city) []:Eastlake
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Rust Belt Rebellion
	Organizational Unit Name (eg, section) []:
	Common Name (e.g. server FQDN or YOUR name) []:list255.com
	Email Address []:bradchesney79@gmail.com

	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:password2014
	An optional company name []:
	----------

	# Use the CSR to get a SSL certificate from a Certificate Authority (CA).
	tail -n100 /etc/ssl/ssl.csr

	# This command will remove the passphrase from the key.
	# It is rare to have a key requiring human interaction.
	# Non-human passphrase entry is out of scope for today.
	openssl rsa -in /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.key

	# It is a good idea to install a Certificate Authority Chain Certificate
	# (a.k.a. Intermdiate Certificate & Subordinate Certificate Authority Certificates).
	# You may get lucky and the browser happens to know your CA.
	# If not, these documents point your browser closer to a Root Certificate Authority your browser trusts.
	# Your browser may follow several chain certificates to get to a CA it knows it can trust.
	# The whole system is based on these chains of trust.
	vi /etc/ssl/certs/sub.class2.server.sha2.ca.pem

	### I prepared the certificate set ahead of time-- I am going to replace
	### what I just put in with what I have prepared beforehand here.

	# The definitions of the websites are in /etc/apache2/sites-available .
	# Time to modify the default virtual host listening for SSL requests
	vi /etc/apache2/sites-available/default-ssl



	----------

	<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
	Options FollowSymLinks
	AllowOverride None
	</Directory>
	<Directory /var/www/>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Order allow,deny
	allow from all
	</Directory>

	#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined


	# SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	SSLEngine on

	#####################################
	### We added/modified these lines ###
	### SSLv2 has been compormised as well as SSLv3 (POODLE)
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	### Notice the completely missing RC4 cipher and other specifically disallowed encryption methods (Null & MD5 specifically)
	SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

	SSLCertificateFile /etc/ssl/ssl.crt
	SSLCertificateKeyFile /etc/ssl/ssl.key
	SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.sha2.ca.pem

	# A self-signed (snakeoil) certificate can be created by installing
	# the ssl-cert package. See
	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	### End modified lines ###
	##########################

	# A self-signed (snakeoil) certificate can be created by installing
	# the ssl-cert package. See
	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	# Server Certificate Chain:
	# Point SSLCertificateChainFile at a file containing the
	# concatenation of PEM encoded CA certificates which form the
	# certificate chain for the server certificate. Alternatively
	# the referenced file can be the same as SSLCertificateFile
	# when the CA certificates are directly appended to the server
	# certificate for convinience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	# Certificate Authority (CA):
	# Set the CA certificate verification path where to find CA
	# certificates for client authentication or alternatively one
	# huge file containing all of them (file must be PEM encoded)
	# Note: Inside SSLCACertificatePath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	# Certificate Revocation Lists (CRL):
	# Set the CA revocation path where to find CA CRLs for client
	# authentication or alternatively one huge file containing all
	# of them (file must be PEM encoded)
	# Note: Inside SSLCARevocationPath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	# Client Authentication (Type):
	# Client certificate verification type and depth. Types are
	# none, optional, require and optional_no_ca. Depth is a
	# number which specifies how deeply to verify the certificate
	# issuer chain before deciding the certificate is not valid.
	#SSLVerifyClient require
	#SSLVerifyDepth 10

	# Access Control:
	# With SSLRequire you can do per-directory access control based
	# on arbitrary complex boolean expressions containing server
	# variable checks and other lookup directives. The syntax is a
	# mixture between C and Perl. See the mod_ssl documentation
	# for more details.
	#<Location />
	#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \
	# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
	# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
	# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
	# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
	# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
	#</Location>

	# SSL Engine Options:
	# Set various options for the SSL engine.
	# o FakeBasicAuth:
	# Translate the client X.509 into a Basic Authorisation. This means that
	# the standard Auth/DBMAuth methods can be used for access control. The
	# user name is the `one line' version of the client's X.509 certificate.
	# Note that no password is obtained from the user. Every entry in the user
	# file needs this password: `xxj31ZMTZzkVA'.
	# o ExportCertData:
	# This exports two additional environment variables: SSL_CLIENT_CERT and
	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
	# server (always existing) and the client (only existing when client
	# authentication is used). This can be used to import the certificates
	# into CGI scripts.
	# o StdEnvVars:
	# This exports the standard SSL/TLS related `SSL_*' environment variables.
	# Per default this exportation is switched off for performance reasons,
	# because the extraction step is an expensive operation and is usually
	# useless for serving static content. So one usually enables the
	# exportation for CGI and SSI requests only.
	# o StrictRequire:
	# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
	# under a "Satisfy any" situation, i.e. when it applies access is denied
	# and no other module can change it.
	# o OptRenegotiate:
	# This enables optimized SSL connection renegotiation handling when SSL
	# directives are used in per-directory context.
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
	SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
	SSLOptions +StdEnvVars
	</Directory>

	# SSL Protocol Adjustments:
	# The safe and default but still SSL/TLS standard compliant shutdown
	# approach is that mod_ssl sends the close notify alert but doesn't wait for
	# the close notify alert from client. When you need a different shutdown
	# approach you can use one of the following variables:
	# o ssl-unclean-shutdown:
	# This forces an unclean shutdown when the connection is closed, i.e. no
	# SSL close notify alert is send or allowed to received. This violates
	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
	# this when you receive I/O errors because of the standard approach where
	# mod_ssl sends the close notify alert.
	# o ssl-accurate-shutdown:
	# This forces an accurate shutdown when the connection is closed, i.e. a
	# SSL close notify alert is send and mod_ssl waits for the close notify
	# alert of the client. This is 100% SSL/TLS standard compliant, but in
	# practice often causes hanging connections with brain-dead browsers. Use
	# this only for browsers where you know that their SSL implementation
	# works correctly.
	# Notice: Most problems of broken clients are also related to the HTTP
	# keep-alive facility, so you usually additionally want to disable
	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	# "force-response-1.0" for this.
	BrowserMatch "MSIE [2-6]" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
	</IfModule>

	----------

	vi /etc/apache2/conf.d/security

	----------

	#
	# Disable access to the entire file system except for the directories that
	# are explicitly allowed later.
	#
	# This currently breaks the configurations that come with some web application
	# Debian packages.
	#
	#<Directory />
	# AllowOverride None
	# Order Deny,Allow
	# Deny from all
	#</Directory>


	# Changing the following options will not really affect the security of the
	# server, but might make attacks slightly more difficult in some cases.

	#
	# ServerTokens
	# This directive configures what you return as the Server HTTP response
	# Header. The default is 'Full' which sends information about the OS-Type
	# and compiled in modules.
	# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod
	# where Full conveys the most information, and Prod the least.
	#
	#ServerTokens Minimal
	#ServerTokens OS
	#ServerTokens Full
	ServerTokens Prod

	#
	# Optionally add a line containing the server version and virtual host
	# name to server-generated pages (internal error documents, FTP directory
	# listings, mod_status and mod_info output etc., but not CGI generated
	# documents or custom error documents).
	# Set to "EMail" to also include a mailto: link to the ServerAdmin.
	# Set to one of: On \| Off \| EMail
	#
	ServerSignature Off
	#ServerSignature On

	#
	# Allow TRACE method
	#
	# Set to "extended" to also reflect the request body (only for testing and
	# diagnostic purposes).
	#
	# Set to one of: On \| Off \| extended
	#
	TraceEnable Off
	#TraceEnable On

	#
	# Forbid access to version control directories
	#
	# If you use version control systems in your document root, you should
	# probably deny access to their directories. For example, for subversion:
	#
	#<DirectoryMatch "/\.svn">
	# Deny from all
	# Satisfy all
	#</DirectoryMatch>

	#
	# Setting this header will prevent MSIE from interpreting files as something
	# else than declared by the content type in the HTTP headers.
	# Requires mod_headers to be enabled.
	#
	Header set X-Content-Type-Options: "nosniff"

	#
	# Some browsers have a built-in XSS filter that will detect some cross site
	# scripting attacks. By default, these browsers modify the suspicious part of
	# the page and display the result. This behavior can create various problems
	# including new security issues. This header will tell the XSS filter to
	# completely block access to the page instead.
	# Requires mod_headers to be enabled.
	#
	Header set X-XSS-Protection: "1; mode=block"

	#
	# Setting this header will prevent other sites from embedding pages from this
	# site as frames. This defends against clickjacking attacks.
	# Requires mod_headers to be enabled.
	#
	Header set X-Frame-Options: "sameorigin"

	----------

	# Now we have to enable the default virtual host listening for SSL requests
	a2ensite default-ssl

	# It doesn't hurt to reload the Apache server then visit the website
	# to verify it works.
	service apache2 reload

	# I generally add the PHP package next
	apt-get install php5 libapache2-mod-php5

	# Your PHP configurations are going to be found in /etc/php5 .
	# Make a short script that contains <?php phpinfo() ?> to check that PHP works.
	# You should be able to browse to it and see the particulars of your installation
	vi /var/www/phpinfo.php

	# The last packages are for the MySQL server that listens for requests,
	# the MySQL-client that requests information from the command line, and
	# php5-mysql that facilitates making MySQL requests from PHP.
	# You will be asked for your MySQL root user password twice.
	# This is important for later, remember it.
	apt-get install mysql-server mysql-client php5-mysql

	# At this point everything works, but I wouldn't feel good about this install
	# until we lock MySQL down just a little more.
	# This script removes a lot of the insecure configurations & resources from
	# an initial installation.
	mysql_secure_installation

	# You will be asked for your password from a few seconds ago.
	----------
	Change the root password? [Y/n] n
	Remove anonymous users? [Y/n] Y
	Disallow root login remotely? [Y/n] Y
	Remove test database and access to it? [Y/n] Y
	Reload privilege tables now? [Y/n] Y
	----------

	# We are going to log in to MySQL and modify the default users.
	mysql -uroot -p

	# We will be working exclusively in the database that MySQL uses to store
	# information about itself.
	USE mysql

	# A common vector is to attack the MySQL root user since it is the default
	# omipotent user put on almost all MySQL installs.
	#So, give your 'root' user a different name.
	# (Is admin more secure than root, meh. Yeah, I guess.)
	GRANT ALL PRIVILEGES ON . TO 'admin'@'localhost' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
	GRANT ALL PRIVILEGES ON . TO 'admin'@'127.0.0.1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
	GRANT ALL PRIVILEGES ON . TO 'admin'@'::1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

	# Then we get rid of the known 'root' user. Cannot hack what is not there...
	DELETE FROM mysql.user WHERE user='root';

	# This following command makes our changes active.
	FLUSH PRIVILEGES;

	# We have finished what we wanted inside the MySQL client.
	EXIT

	# When I am done, I restart the server instead of reloading it for no good reason.
	service apache2 restart

	# I don't use webmin. But, we did talk about installing webmin
	wget http://prdownloads.sourceforge.net/webadmin/webmin_1.710_all.deb
	apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libapt-pkg-perl
	dpkg --install webmin_1.710_all.deb

	!!!Post Addendum: Just read about something that may be better than webmin, http://ajenti.org/ . I don't use either and I have never tried ajenti, but there it is.

	# We also talked about installing phpMyAdmin.
	apt-get install phpmyadmin