@konpa
Last active August 29, 2015 14:01
#!/bin/bash
# Ubuntu/Debian server bootstrap runbook. This is NOT a runnable script: it is a
# sequence of commands typed interactively as root, interleaved with config
# fragments (Apache, MySQL, sshd, vsftpd) and editor instructions. Replace every
# [bracketed] placeholder before use; the "# [[" / "# ]]" markers delimit text
# to paste into the file named just above them.
# log into your server (root login over ssh is used for the whole setup and is
# only disabled near the end, once key-based login for [username] is verified)
ssh root@[server ipaddress]
# change root password
passwd
# update all packages and operating system
apt-get update && apt-get --yes upgrade
# setup date to match date and time of current timezone
dpkg-reconfigure tzdata
# verify local date and time
date
# make sure the server keeps our time up to date (an accurate clock matters for
# log correlation and certificate validity, not just convenience)
apt-get install ntp
update-rc.d ntp enable
# I reboot here, log back in and verify the server's time has not changed
reboot
ssh root@[server ipaddress]
date
# install common applications
# NOTE(review): vsftpd is plain FTP, so logins and file contents cross the
# network unencrypted (configured further down). SFTP over the sshd hardened
# later in this runbook gives the same file access without a second cleartext
# login service; if FTP is required, vsftpd's ssl_enable=YES (FTPS) is an option.
apt-get install vim members pwgen ufw vsftpd aptitude dnsutils make autofs discus python-software-properties software-properties-common
# reboot the box
reboot
ssh root@[server ipaddress]
# ===========================================================
# setup and install apache2
apt-get install apache2
# back up the setup files (the *.original copies are the rollback point for the
# edits below; sites-available/default is deleted and rewritten in the next
# section, so its backup is the only copy of the distro default afterwards)
# cp /etc/apache2/httpd.conf /etc/apache2/httpd.conf.original
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.original && cp /etc/apache2/envvars /etc/apache2/envvars.original && cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.original && cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl.original
# enable modules
a2enmod rewrite
service apache2 restart
# setup vhosts
# nano /etc/apache2/httpd.conf
# add all of the text between the starting [[ and ending ]]
# NOTE(review): this declares name-based vhosts on the bare "*" address. The
# Ghost proxy vhost at the end of this runbook uses "*:80" instead; Apache may
# not group the two forms into the same name-based set, so use one form for
# NameVirtualHost and every <VirtualHost> block.
# [[
#
# NameVirtualHost *
#
# ]]
# reboot the box
reboot
ssh root@[server ipaddress]
# once the server comes back online navigate to the http://[server ipaddress]/ and you should see the default landing page for apache stating "it works."
# ===========================================================
# setup where your sites will live
mkdir -p /srv/{backup,ftp,www,git}
mkdir /srv/www/default.site
# setup the apache default site (the distro file is removed here; its
# default.original backup from the previous section is the only copy left)
rm /etc/apache2/sites-available/default
vim /etc/apache2/sites-available/default
# add all of the text between the starting [[ and ending ]]
# NOTE(review) on the vhost below:
# - <Directory /> has no explicit deny. The stock Apache config pairs
#   "AllowOverride None" on "/" with "Order deny,allow" + "Deny from all", so
#   only paths explicitly granted (DocumentRoot, aliases) are served; without
#   it, and with FollowSymLinks on, a symlink or alias pointing outside the web
#   root is served as well. Add the deny pair to <Directory />.
# - "Options Indexes" on the DocumentRoot returns directory listings wherever
#   no index file exists, exposing file names. The git deploy section later
#   creates /srv/www/default.site/.git inside this DocumentRoot, which would
#   then be browsable over HTTP; deny it (e.g. a <DirectoryMatch "/\.git">
#   block with "Deny from all") or drop Indexes.
# - "Order/allow from all" is Apache 2.2 syntax; 2.4 uses "Require all granted".
#   The rest of this runbook (conf.d, php5) is 2.2-era, so it is consistent.
# - ServerAdmin is the author's address; replace it with your own contact.
# [[
<VirtualHost *>
ServerAdmin domains@hued.io
ErrorDocument 400 /error.htm
ErrorDocument 401 /error.htm
ErrorDocument 403 /error.htm
ErrorDocument 404 /error.htm
ErrorDocument 500 /error.htm
DocumentRoot /srv/www/default.site
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/default.site/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# ]]
# restart apache and verify our default configuration shows the hello world template.
# I switch to my own default site over the default apache account so I can capture all defaults with a "pretty site."
service apache2 restart
# reboot the box
reboot
ssh root@[server ipaddress]
# ===========================================================
# setup and install mysql, make sure to change your root mysql user password, I recommend something different than your server root
apt-get install mysql-server mysql-client
# mysql_secure_installation removes the anonymous accounts and test database
# and restricts the root account; do not skip it
mysql_secure_installation
# Add user (the statements below are typed inside the mysql client, not the
# shell; they are still recorded in root's ~/.mysql_history, so clear or
# protect that file afterwards)
mysql -u root -p
# NOTE(review): replace 'password' with a strong, unique value (pwgen was
# installed above). "ON * . *" is a global grant with every privilege; an
# application account only needs privileges on its own database(s).
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON * . * TO 'newuser'@'localhost';
FLUSH PRIVILEGES;
# Stop mysql
service mysql stop
# backup default configuration
cp /etc/mysql/my.cnf /etc/mysql/my.cnf.original
# change default port
# NOTE(review): a non-default port is not an access control. Keep the default
# "bind-address = 127.0.0.1" line in my.cnf so MySQL only listens locally; PHP
# on this host reaches it over localhost, and the firewall rule for [sql port]
# in the ufw section below is then unnecessary.
vim /etc/mysql/my.cnf
change port on line 20: [use at least a 4 digit port number, and write down the port you selected]
# reboot the box
reboot
ssh root@[server ipaddress]
# ===========================================================
# setup and install php
# NOTE(review): these are the PHP 5 era package names as published; on a
# current distribution the equivalent packages are named differently and PHP 5
# no longer receives security fixes.
apt-get install php5 libapache2-mod-php5
# required common packages
apt-get install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
# setup php dump file (phpinfo() publishes the full PHP/Apache configuration,
# paths and module versions to anyone who can reach the URL; it is a temporary
# check only and is deleted at the end of this section)
vim /srv/www/default.site/server.php
# add all of the text between the starting [[ and ending ]]
# [[
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>
# ]]
# reboot the box
reboot
ssh root@[server ipaddress]
# once the server has come back online navigate to http://[server ipaddress]/server.php and verify that the page is coming up correctly
# also search for a block explicitly highlighting that mysql can connect.
# remove the dump page as soon as the check is done; do not leave it in place
rm /srv/www/default.site/server.php
# ===========================================================
# setup admin level users, this should be specific to your configuration
adduser [username]
# groups for global, ftp, ssh
# NOTE(review): check visudo before reusing the group name "admin" — stock
# Ubuntu sudoers files have carried a "%admin" rule, in which case membership
# alone grants sudo, independently of the explicit entry added below.
groupadd admin && groupadd sshlogin && groupadd ftplogin && groupadd git
# Add [username] to groups
# usermod -G without -a REPLACES the supplementary group list; fine for the
# account just created, but re-running it on an existing account drops any
# group not named here. sshlogin must be in this list or the AllowGroups
# setting in the ssh section locks the account out.
usermod -G adm,admin,sshlogin,ftplogin,www-data,git [username]
# Add [username] to sudoers (visudo syntax-checks the file before saving;
# the entry grants unrestricted sudo)
visudo
# add all of the text between the starting [[ and ending ]] after root
# [[
[username] ALL=(ALL:ALL) ALL
# ]]
# base permissions ("root.admin" uses the old dot separator; "root:admin" is
# the portable form)
chown -R root.admin /srv/backup
chown -R root.www-data /srv/www
# NOTE(review): 775 with group www-data lets the web server account write
# anywhere under the web root, so a compromised web app can rewrite the site
# it serves. Grant write only to the directories that need it (uploads,
# cache); -R also marks every regular file executable.
chmod -R 775 /srv/www
chown -R root.git /srv/git
chmod -R 775 /srv/git
# On local Mac
# setup ssh security with a new unique key, here is an example of how I have mine configured. I also use a passphrase.
# NOTE(review): consider a larger key (-b 4096) or -t ed25519 where the
# server's OpenSSH supports it; the passphrase protects the private key at rest.
ssh-keygen -t rsa -f ~/.ssh/id_rsa.digitalocean -C "my digital ocean server account"
scp ~/.ssh/id_rsa.digitalocean.pub root@[server ipaddress]:/home/[username]/
# mv the ssh key to our ssh key directory (this overwrites any existing
# authorized_keys for [username])
mkdir /home/[username]/.ssh
mv /home/[username]/id_rsa.digitalocean.pub /home/[username]/.ssh/authorized_keys
# root permissions (the scp'd file is owned by root until this chown; the
# 700/600 modes are what sshd's StrictModes expects, otherwise the key is ignored)
chown -R [username]:[username] /home/[username]/.ssh
chmod 700 /home/[username]/.ssh
chmod 600 /home/[username]/.ssh/authorized_keys
# backup the config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
# make the config secure
# NOTE(review): line numbers below are version specific; match by directive
# name. A non-default port reduces log noise but is not an access control —
# the real controls are AllowGroups, key-only auth and PermitRootLogin no. The
# ufw rule later must use this same port. RSAAuthentication is an SSH
# protocol-1-only option and is obsolete on current OpenSSH; PubkeyAuthentication
# is the one that matters.
vim /etc/ssh/sshd_config
Set New Port [pick a port >3000 and write down the port you selected]: 0000 [should be on line 5]
Verify Set to Yes: RSAAuthentication yes [should be on line 31]
Verify Set to Yes: PubkeyAuthentication yes [should be on line 32]
Uncomment: Banner /etc/issue.net [remove the "#" around line 71]
# add all of the text between the starting [[ and ending ]] to the very end of this file
# [[
#disable dns reverse lookup since we are using keys
UseDNS no
#only the sshlogin group is allowed to ssh into the server (every other
#account, root included, is refused at login regardless of its keys)
AllowGroups sshlogin
# ]]
# setup the ssh login message (shown before authentication because of the
# Banner directive above)
vim /etc/issue.net
# add all of the text between the starting [[ and ending ]]
# [[
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
# ]]
# reboot the box
# NOTE(review): a safer sequence than rebooting is to keep this root session
# open, run "service ssh restart", and test the new login from a second
# terminal; if the key login fails, the open session still lets you revert
# sshd_config instead of being locked out.
reboot
# test to make sure our ssh keys are setup correctly, this step is CRITICAL. If setup incorrectly, you can lock yourself out of your server
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
# if you can get in successfully, it's time to lock it down even more, first switch to the root user
# (su needs the root password; "sudo -i" also works with the sudoers entry added earlier)
su root
# edit the ssh configuration again: only now that key login is proven do we
# turn off root login and password authentication
vim /etc/ssh/sshd_config
Set: PermitRootLogin no [should be on line 27]
Uncomment and Set: PasswordAuthentication no [should be on line 51]
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# setup and install phpmyadmin
apt-get install phpmyadmin
# Setup the .htaccess File (AllowOverride All lets the .htaccess written next
# apply Basic auth in front of phpmyadmin)
vim /etc/apache2/conf.d/phpmyadmin.conf
# add all of the text between the starting [[ and ending ]] in "<Directory /usr/share/phpmyadmin>"
# [[
AllowOverride All
# ]]
# Configure the .htaccess file
# NOTE(review): this runbook only serves port 80 (default-ssl was backed up
# but never enabled), so the Basic-auth credentials and the MySQL login typed
# into phpmyadmin travel in cleartext. Serve this path over HTTPS, or restrict
# it to trusted source addresses, before exposing it.
vim /usr/share/phpmyadmin/.htaccess
# add all of the text between the starting [[ and ending ]]
# [[
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/[username]/.htpasswd
Require valid-user
# ]]
# Create the htpasswd file (-c creates it and overwrites an existing one; the
# trailing "username" is the Basic-auth account name, independent of the system
# account, and the password is prompted for rather than passed on the command line)
htpasswd -c /home/[username]/.htpasswd username
# the file is outside the web root, which is right; the Apache user still has
# to be able to read it, so /home/[username] must allow traversal by www-data
chown [username]:[username] /home/[username]/.htpasswd
# Restart apache
service apache2 restart
# ===========================================================
# backup the ftp configuration
cp /etc/vsftpd.conf /etc/vsftpd.conf.original
#add users that are admins or have full ftp access to this list
# (with chroot_local_user=YES below, this list is an EXEMPTION list: accounts
# in it are not jailed and can browse the whole filesystem over FTP)
vim /etc/vsftpd.chroot_list
# extra help for reference: http://ubuntuforums.org/showthread.php?t=518293
# edit the ftp configuration (line numbers are version specific; match by
# setting name)
vim /etc/vsftpd.conf
# after listen=yes around line 16, hit enter and add the following
listen_port=[pick a port >3000, different from the ssh port, and write down the port you selected]
Set: anonymous_enable=NO [should be on line 25]
Uncomment: local_enable=YES [should be on line 28]
Uncomment: write_enable=YES [remove the "#" around line 31]
Uncomment: local_umask=022 [remove the "#" around line 35]
Uncomment and Set: anon_upload_enable=NO [remove the "#" around line 40, set to NO]
Uncomment and Set: anon_mkdir_write_enable=NO [remove the "#" around line 44, set to NO]
Set: connect_from_port_20=NO [should be on line 60]
Uncomment: xferlog_file=/var/log/vsftpd.log [should be on line 70]
Uncomment: xferlog_std_format=YES [should be on line 74]
Uncomment: idle_session_timeout=600 [should be on line 77]
Uncomment: data_connection_timeout=120 [should be on line 80]
Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
Add: banner_file=/etc/issue.net [add underneath #ftp_banner to match ssh login screen, should be on line 105]
Comment Out: # chroot_local_user=YES [should be on line 115]
Uncomment: chroot_local_user=YES [should be on line 123]
Uncomment: chroot_list_enable=YES [should be on line 124]
Uncomment : chroot_list_file=/etc/vsftpd.chroot_list [should be on line 126]
# add all of the text between the starting [[ and ending ]] to the very end of this file
# [[
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=10
# Maximum number of clients:
max_clients=5
# FTP Passive Settings (this range must match the passive-port rule added in
# the ufw section)
pasv_enable=YES
#If your listen_port is 9000 set this range to 7500 and 8500
pasv_min_port=[port range min]
pasv_max_port=[port range max]
# Keep non-chroot listed users jailed
allow_writeable_chroot=YES
# ]]
# restart the ftp service to make the changes stick (sudo is redundant here;
# this section runs as root)
sudo service vsftpd restart
#test ftp via secondary terminal window:
ftp [ftp user name]@[server ipaddress] [ftp port]
# 2013-04-16 at the time of writing this gist vsftpd had an issue jailing users to their specific home directories with the error:
# 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
# after extensive research on this topic and a great blog post http://blog.desertbushtech.com/2013/02/i-use-ubuntu.html
# here are the commands to rollback this software
# NOTE(review): the "500 OOPS" is vsftpd's deliberate safety check, not a bug.
# The two commands below fetch an unsigned .deb over plain http from a
# third-party site and install it as root: there is no integrity or provenance
# check, and the downgraded package is pinned outside the distribution's
# security updates. Prefer the allow_writeable_chroot=YES setting already added
# above (the supported way to relax the check where the packaged vsftpd
# recognises it), or make each user's chroot root non-writable with a writable
# subdirectory, rather than installing this binary.
wget http://www.kunniagaming.net/vsftpd-chroot-patched-12.10/vsftpd_2.3.5-3.jme_amd64.deb
sudo dpkg -i vsftpd_2.3.5-3.jme_amd64.deb
sudo service vsftpd restart
#test ftp via secondary terminal window to verify a user has been jailed to their home directory
ftp [ftp user name]@[server ipaddress] [ftp port]
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# enable the firewall previously installed
# NOTE(review): ufw's default inbound policy is deny, and this enables it
# before any allow rule exists; until the [ssh port] rule below is added, a
# dropped session or a reboot locks you out. Add the ssh rule first, then enable.
ufw enable
# turn on logging
ufw logging on
# set log level (this overrides the previous line's default level)
ufw logging low
# delete all existing rules (the "ufw delete" line is an instruction: run it
# once per rule number shown by "status numbered", highest number first)
ufw status numbered
ufw delete # for each number, if existing
# allow http port
ufw allow 80/tcp
# allow https port (no TLS vhost is configured in this runbook; enable one
# before relying on this rule)
ufw allow 443/tcp
# allow ssh port (rate-limited; this is the port set in sshd_config)
ufw limit [ssh port]/tcp
# allow port for ftp
ufw allow [ftp port]/tcp
# allow passive ftp ports (must match pasv_min_port/pasv_max_port in vsftpd.conf)
ufw allow [min port range]:[max port range]/tcp
# allow port for mysql
# NOTE(review): this exposes MySQL to the internet. PHP on this host connects
# over localhost, so omit this rule (and keep bind-address local) unless remote
# database clients are genuinely required.
ufw limit [sql port]
# limit ssh/tcp rapid attacks
# NOTE(review): "ssh" resolves to port 22 via /etc/services, but sshd was
# moved to [ssh port] above, so this opens a port with no listener. The
# [ssh port] limit rule above already covers the real service; drop this one.
ufw limit ssh/tcp
# check firewall rules
ufw status numbered
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# Install Apache modules to rate-limit abusive clients (mod_evasive) and
# filter requests (mod_security)
apt-get install libapache2-mod-evasive libapache-mod-security
# Create the mod_evasive log directory (referenced as DOSLogDir below)
mkdir /var/log/apache2/mod_evasive
# Set ownership to Apache
chown www-data:www-data /var/log/apache2/mod_evasive/
# Create a configuration file in your conf.d directory all files in this folder gets read by Apache Server
vim /etc/apache2/conf.d/mod_evasive.conf
# add all of the text between the starting [[ and ending ]] to this file
# NOTE(review): DOSPageCount 2 per 1-second interval and DOSSiteCount 50 per
# second are aggressive; ordinary clients (a double-click, a page with many
# assets) may be blocked for DOSBlockingPeriod seconds. Watch DOSLogDir after
# go-live and tune, and whitelist any monitoring hosts.
# [[
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSWhitelist 127.0.0.1
# ]]
# Enable the modules and restart Apache Server:
# NOTE(review): mod_security is enabled here but this runbook loads no rule
# set for it, so as shown it filters nothing; it needs a rule set (and a
# detection-only trial period) to be useful.
a2enmod mod-evasive
a2enmod mod-security
# Restart Apache
service apache2 restart
# Install Mod-Qos:
apt-get install libapache2-mod-qos
# Backup Original Install:
cp /etc/apache2/mods-available/qos.conf /etc/apache2/mods-available/qos.conf.original
# Setup the Config file:
vim /etc/apache2/mods-available/qos.conf
# add all of the text between the starting [[ and ending ]] to this file
# NOTE(review): MaxClients is an MPM directive, not a mod_qos one; inside
# <IfModule qos_module> it is silently skipped when the module is not loaded
# and may duplicate the MaxClients already set in the MPM config. Verify the
# module is enabled (a2enmod qos) before the reboot at the end of this section.
# [[
<IfModule qos_module>
## QoS Settings
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 70%
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body:
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>
# ]]
# ===========================================================
# reboot the box, verify ssh access, and default websites are running
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# configure git deploy: /srv/git/default.git is the bare "hub" that people push
# to, /srv/www/default.site is the live checkout that pulls from it
# NOTE(review): this puts a .git directory inside the Apache DocumentRoot, and
# the default vhost serves directory listings with no deny rule, so the
# repository metadata and full history become readable over HTTP. Deny
# "/.git" in the vhost (or keep the working tree outside DocumentRoot).
cd /srv/www/default.site
git init
vim .git/config
# add all of the text between the starting [[ and ending ]] to this file
# [[
[remote "hub"]
url = /srv/git/default.git
fetch = +refs/heads/*:refs/remotes/hub/*
# ]]
chown -R root.www-data /srv/www
chmod -R 775 /srv/www
cd /srv/git/
mkdir default.git
cd default.git
git init --bare
# hooks run with the privileges of whoever performs the git operation; since
# /srv/git is group-writable for "git" below, every member of that group can
# edit what runs here, so treat the hook files as privileged.
vim hooks/post-update
# add all of the text between the starting [[ and ending ]] to this file
# NOTE(review): files created by "git pull" take the pushing user's ownership
# and umask, which the one-time chown/chmod above do not fix afterwards.
# "git-update-server-info" is the old dashed form; newer git only puts
# "git update-server-info" on PATH, so prefer that spelling.
# [[
#!/bin/sh
echo
echo "**** Pulling changes into Live [Hub's post-update hook]"
echo
cd /srv/www/default.site || exit
unset GIT_DIR
git pull hub master
exec git-update-server-info
# ]]
# NOTE(review): this file is created inside the bare hub repo, where no
# commits are made, so a post-commit hook here never fires. The hook's own
# text calls it "Live's post-commit hook", which suggests it belongs in
# /srv/www/default.site/.git/hooks/post-commit instead — verify.
vim hooks/post-commit
# add all of the text between the starting [[ and ending ]] to this file
# [[
#!/bin/sh
echo
echo "**** pushing changes to Hub [Live's post-commit hook]"
echo
git push hub
# ]]
chown -R root.git /srv/git
chmod -R 775 /srv/git
chmod +x /srv/git/default.git/hooks/post-update
chmod +x /srv/git/default.git/hooks/post-commit
# ===========================================================
# install node.js (built from source as root and installed under /usr/local)
apt-get update && apt-get install git-core curl build-essential openssl libssl-dev
cd
git clone https://github.com/joyent/node.git
cd node
# 'git tag' shows all available versions: select the latest stable.
# NOTE(review): the version pinned below dates from this runbook's writing and
# no longer receives fixes; pick a currently supported release. The tag is not
# verified here — "git verify-tag" with the project's release signing key
# checks it before building.
git checkout v0.10.21
# Configure seems not to find libssl by default so we give it an explicit pointer.
# Optionally: you can isolate node by adding --prefix=/opt/node
./configure --openssl-libpath=/usr/lib/ssl
make
make test
make install
node -v # it's alive!
# Lucky us: NPM is packaged with Node.js source so this is now installed too
# (the line below is intentionally commented out: piping a remote script into
# a root shell runs unverified code; keep it disabled)
# curl http://npmjs.org/install.sh | sudo sh
npm -v # it's alive!
# remove the source tree cloned into root's home above (~/node)
rm -R [node folder]
# Install grunt (global npm installs run package install scripts as root)
npm install -g grunt-cli
# Install bower
npm install -g bower
# ===========================================================
# install ghost blog
# NOTE(review): the archive is fetched over https but not checksum-verified
# against a published digest; unzip -uo also overwrites an existing install.
curl -L https://ghost.org/zip/ghost-latest.zip -o ghost.zip
unzip -uo ghost.zip -d ghost
cd ghost
npm install --production
# Configure ghost (set the production url; keep the listener on 127.0.0.1 so
# Node is reachable only through the Apache proxy below)
vim config.js
# Make it run forever
npm install -g forever
# NOTE(review): this starts the Node app as root. Port 2368 is unprivileged,
# so run it under a dedicated unprivileged account instead; a bug in the blog
# then does not hand over the whole host.
NODE_ENV=production forever start index.js
# Configure Apache proxy
# NOTE(review): elsewhere this runbook uses /etc/apache2/conf.d/, and conf.d
# is a directory; the vhost below needs to go into a file (e.g. a new file
# under sites-available, enabled with a2ensite) — verify the path.
vim /etc/apache/conf.d
# add all of the text between the starting [[ and ending ]] to this file
# NOTE(review): "ProxyRequests off" is the important line — it keeps Apache
# from acting as an open forward proxy. The ProxyPassReverse URL reads
# "http:/127.0.0.1" (one slash); it should match the ProxyPass target exactly,
# "http://127.0.0.1:2368/". This vhost uses "*:80" while the default site
# uses "*"; use one form for both. Apache must be restarted after the a2enmod
# lines below, which this runbook does not show.
# [[
NameVirtualHost *:80
<VirtualHost *:80>
ServerName your-url.com
ServerAlias www.your-url.com
ProxyRequests off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http:/127.0.0.1:2368/
</VirtualHost>
# ]]
a2enmod proxy_http
a2enmod proxy