@prochor666
Last active August 10, 2022 14:49
Debian 10 Buster webserver installation
#!/bin/bash
# wget https://gist.githubusercontent.com/...
# Sanatorium webserver installer complete for Debian 10 Buster
# prochor, 2020
# prochor666@gmail.com
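# Intro banner: lists what the installer is about to change, then waits for a
# single keypress so the operator can still abort with Ctrl-C.
# The SSH entry now says "overwrite": further down the script replaces
# /etc/ssh/sshd_config wholesale (keeping a copy as sshd_config.old); it does
# not append to it. "Aapache" was a typo.
clear
banner_lines=(
  '|------------------------------------------- '
  '| Sanatorium web server installer for Debian 10 Buster '
  '|------------------------------------------- '
  '| '
  '| * Git \ '
  '| * Apache 2 '
  '| * PHP 7 \ '
  '| * MariaDB 10 \ '
  '| * Memcached \ '
  '| * Mod rewrite, Http pseudo streaming \ '
  '| * Vsftpd \ '
  '| * SSH config overwrite (old file kept as sshd_config.old)! \ '
  '| * for Debian 10 Buster '
  '| '
  '| prochor666@gmail.com 7/2019 '
  '|------------------------------------------- '
)
for banner_line in "${banner_lines[@]}"; do
  # %b expands the \e colour escapes the same way `echo -e` does.
  printf '%b\n' "\e[38;5;14m${banner_line}\e[0m"
done
printf ' \n'
printf '%b\n' '\e[38;5;220m ? Press any key to continue... \e[0m'
# -n1: return after one key; -s: do not echo it; -r: keep backslashes literal.
read -r -s -n1 -p " "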
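# Check privileges before asking for any secret: a non-root run cannot do
# anything useful, so there is no reason to collect the password first.
if [[ $EUID -ne 0 ]]; then
  echo -e " "
  echo -e "\e[38;5;196m ! This script must be run as root \e[0m" 1>&2
  exit 1
fi

# Ask for the MariaDB root password.
#   -s  keeps the password off the terminal (and out of scrollback/recordings)
#   -r  keeps backslashes in the password literal
read -r -s -p "Type MariaDB root password (at least 4 characters): " MARIADBPASSWORD
echo
# NOTE(review): four characters is a very low floor for a database root
# credential; consider raising it once callers are aware.
MPW=${#MARIADBPASSWORD}
if [[ $MPW -lt 4 ]]; then
  echo -e " " 1>&2
  echo -e "\e[91m MariaDB root password error, exiting \e[0m" 1>&2
  echo -e " " 1>&2
  # Non-zero status so wrappers and automation can tell the install did not run.
  exit 1
fi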
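# Keep package configuration non-interactive for every apt call that follows.
export DEBIAN_FRONTEND=noninteractive
# Stretch backports repository (disabled)
# echo "# stretch backports
# deb http://ftp.debian.org/debian stretch-backports main
# " >> /etc/apt/sources.list
# OS update + MISC packages
clear
echo -e ""
echo -e "\e[38;5;14m| OS update \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
# The script only reaches this point as root (EUID check above), so the upgrade
# is run directly instead of through sudo: sudo may be absent on a minimal
# install, and its environment reset would presumably drop DEBIAN_FRONTEND,
# letting the upgrade stop on an interactive prompt.
apt update && apt -y upgrade
apt install -y snmp make zip elinks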
# Git: print the section header, then install the package.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Git \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y git
# Apache 2: install the server plus its utilities and enable the unit at boot.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Apache 2 \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y apache2 apache2-utils
systemctl enable apache2
# Apache 2 MPM-ITK module: install it, enable it, and restart Apache so the
# module is loaded.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Apache 2 mpm-itk module \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y libapache2-mpm-itk
a2enmod mpm_itk
systemctl restart apache2
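# MariaDB: install server and client, set the root password the operator
# typed, and store it in /root/.my.cnf for the command-line tools.
clear
echo -e ""
echo -e "\e[38;5;14m| MariaDB \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
# Preseed the package's root-password questions.
# NOTE(review): Debian 10's mariadb-server presumably no longer asks these
# questions (root logs in through unix_socket) — confirm. If so, these two
# lines only leave a copy of the password in the debconf database.
debconf-set-selections <<< "mariadb-server mysql-server/root_password password $MARIADBPASSWORD"
debconf-set-selections <<< "mariadb-server mysql-server/root_password_again password $MARIADBPASSWORD"
apt-get install -y mariadb-server mariadb-client

# The statement that used to be here logged in with the literal placeholder
# "PASS" and set an EMPTY root password, while /root/.my.cnf below records the
# password the operator typed. Set the typed password instead.
# The value is escaped for a single-quoted SQL string (backslash and quote
# doubled) and sent on stdin by the printf builtin, so it never shows up in
# another process's argument list.
sql_password=${MARIADBPASSWORD//\\/\\\\}
sql_password=${sql_password//\'/\'\'}
printf "SET PASSWORD = PASSWORD('%s');\n" "$sql_password" | mysql -uroot
unset sql_password

# Client credentials file. It holds the root password in clear text, so it is
# created under umask 077 and forced to mode 600 in case an older,
# wider-permission copy already existed.
# NOTE(review): a password containing a double quote or backslash may not
# survive the option-file quoting below — confirm or restrict the allowed
# characters at the prompt.
(
  umask 077
  for cnf_section in client mysql mysqladmin mysqldump mysqldiff; do
    printf '[%s]\nuser=root\npassword="%s"\n' "$cnf_section" "$MARIADBPASSWORD"
  done > /root/.my.cnf
)
chmod 600 /root/.my.cnf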
# Memcached: install the daemon with the package's default configuration.
# NOTE(review): the script never edits the memcached config, so the listen
# address is whatever the package ships — confirm it is loopback-only before
# this host is reachable from untrusted networks.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Memcached \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y memcached
# PHP: interpreter, embed library, the Apache module and the development
# packages for all PHP versions.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| PHP \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y php libphp-embed libapache2-mod-php php-all-dev
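# PHP Extensions: install the extension set in a single apt transaction.
# php-json, php-mysql and php-xml were listed twice; each package now appears
# once, in the original order.
# NOTE(review): this is a very broad set for a production web server (it
# includes the php-phpdbg debugger and several database/LDAP/SSH client
# libraries). Every extension that is loaded but unused is extra code exposed
# to web requests; trimming the list to what the hosted sites need is worth
# considering.
clear
echo -e ""
echo -e "\e[38;5;14m| PHP extensions \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
php_extensions=(
  php-apcu
  php-cli
  php-fpm
  php-json
  php-pdo
  php-mysql
  php-zip
  php-gd
  php-mbstring
  php-curl
  php-xml
  php-pear
  php-bcmath
  php-imagick
  php-bz2
  php-common
  php-dba
  php-geoip
  php-igbinary
  php-imap
  php-interbase
  php-intl
  php-ldap
  php-memcached
  php-mongodb
  php-msgpack
  php-odbc
  php-opcache
  php-pgsql
  php-phpdbg
  php-pspell
  php-readline
  php-recode
  php-redis
  php-snmp
  php-soap
  php-sqlite3
  php-ssh2
  php-sybase
  php-tidy
  php-xmlrpc
  php-xsl
)
apt install -y "${php_extensions[@]}"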
# Mod rewrite: enable Apache's rewrite module. No restart happens here; the
# next section restarts Apache.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Mod rewrite \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
a2enmod rewrite
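# H264 streaming module: download the module source, build it against the
# installed Apache, and enable it.
#
# Supply-chain note: the tarball is fetched over plain HTTP and is then
# configured, compiled and installed as root, so anyone able to tamper with
# the download controls code that runs with full privileges. Set
# H264_TARBALL_SHA256 (operator-supplied; no published digest is shown in this
# script) to the expected SHA-256 of the tarball to have it verified before
# anything is unpacked.
#
# Every step is checked. Previously a failed download or `cd` still fell
# through to `./configure`, `make` and `make install` in whatever directory
# the script was started from, and the module was enabled even when no .so had
# been built.
clear
echo -e ""
echo -e "\e[38;5;14m| H264 streaming module \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
apt install -y apache2-dev
systemctl restart apache2

h264_tarball=apache_mod_h264_streaming-2.2.7.tar.gz
h264_url="http://h264.code-shop.com/download/${h264_tarball}"
h264_status=1
if h264_build_dir=$(mktemp -d); then
  (
    # Explicit `|| exit 1` on each step: `set -e` would not be reliable here.
    cd "$h264_build_dir" || exit 1
    wget "$h264_url" || exit 1
    if [[ -n "${H264_TARBALL_SHA256:-}" ]]; then
      printf '%s  %s\n' "$H264_TARBALL_SHA256" "$h264_tarball" \
        | sha256sum -c - || exit 1
    else
      echo -e "\e[38;5;220m ! H264_TARBALL_SHA256 not set: tarball integrity NOT verified \e[0m" 1>&2
    fi
    tar -zxvf "$h264_tarball" || exit 1
    cd mod_h264_streaming-2.2.7 || exit 1
    ./configure --with-apxs="$(command -v apxs2)" || exit 1
    make || exit 1
    make install || exit 1
  )
  h264_status=$?
  # Build tree is no longer needed; :? guards against an empty path.
  rm -rf -- "${h264_build_dir:?}"
fi

if [[ $h264_status -eq 0 ]]; then
  #cp mod_h264_streaming.so /usr/lib/apache2/modules
  echo 'AddHandler h264-streaming.extensions .mp4' > /etc/apache2/mods-available/mod_h264_streaming.conf
  echo 'LoadModule h264_streaming_module /usr/lib/apache2/modules/mod_h264_streaming.so' > /etc/apache2/mods-available/mod_h264_streaming.load
  a2enmod mod_h264_streaming
  systemctl restart apache2
else
  echo -e "\e[38;5;196m ! H264 streaming module was not built; Apache left unchanged \e[0m" 1>&2
fi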
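# FTP: install vsftpd, keep a copy of the packaged config, write the
# Sanatorium config and restart the service.
#
# Review notes on the settings written below (values are unchanged):
#   * ssl_enable=NO with local_enable=YES means system account passwords and
#     all file contents travel in clear text. The snakeoil certificate paths
#     are configured but unused; enabling TLS with a real certificate (or
#     using the SFTP subsystem this script also sets up) avoids that.
#   * seccomp_sandbox=NO turns off vsftpd's seccomp filter.
#   * allow_writeable_chroot=YES lets users be chrooted into a directory they
#     can write to, which vsftpd otherwise refuses.
# NOTE(review): confirm each of the three is still required.
clear
echo -e ""
echo -e "\e[38;5;14m| FTP server vsftpd \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
apt install -y vsftpd
# -p: re-running the installer must not fail because the directory exists.
mkdir -p /etc/vsftpd-users
# Back up only once, so a second run does not replace the packaged config in
# the .old file with the config generated here.
[[ -e /etc/vsftpd.conf.old ]] || cp /etc/vsftpd.conf /etc/vsftpd.conf.old
# Quoted delimiter: the config text is written literally, no shell expansion.
cat > /etc/vsftpd.conf <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
nopriv_user=nobody
ftpd_banner=Welcome to Sanatorium FTP service.
chroot_local_user=YES
user_config_dir=/etc/vsftpd-users
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=ftp
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
seccomp_sandbox=NO
force_dot_files=YES
allow_writeable_chroot=YES
EOF
systemctl restart vsftpd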
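# SSH: replace /etc/ssh/sshd_config with the Sanatorium config (the previous
# file is kept as sshd_config.old) and restart the daemon.
#
# Changes from the earlier version of this section:
#   * The config is written to a temporary file and checked with `sshd -t`
#     before it replaces the live file, so a rejected config cannot take the
#     daemon down on a host that is being installed over SSH.
#   * The text is written from a quoted here-document. It used to sit in a
#     double-quoted echo, where the quotes around "PermitRootLogin
#     without-password" ended the string early.
#   * The backup is taken only once, so a re-run does not overwrite the
#     original file with the generated one.
#
# Review notes on the directives (values are unchanged):
#   * PermitRootLogin yes together with PasswordAuthentication yes exposes the
#     root account to password guessing on port 22. Once keys are deployed,
#     `PermitRootLogin prohibit-password` and `PasswordAuthentication no` are
#     the usual hardening.
#   * X11Forwarding yes is rarely needed on a web server.
#   * Protocol, UsePrivilegeSeparation, KeyRegenerationInterval, ServerKeyBits,
#     RSAAuthentication and RhostsRSAAuthentication date from older OpenSSH
#     releases and are presumably reported as deprecated by the version on
#     Debian 10 — confirm and drop them.
#   * NOTE(review): the DSA host key listed below may not exist on a fresh
#     install — confirm.
#   * ChrootDirectory %h for group www-data only works when each home
#     directory meets sshd's ownership requirements — verify per user.
clear
echo -e ""
echo -e "\e[38;5;14m| SSH fixes \e[0m"
echo -e "\e[38;5;14m------------------------------------------- \e[0m"
[[ -e /etc/ssh/sshd_config.old ]] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
if sshd_candidate=$(mktemp /etc/ssh/sshd_config.XXXXXX); then
  cat > "$sshd_candidate" <<'EOF'

# Sanatorium SSH config
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseDNS no
# SSH timeout
ClientAliveInterval 30
ClientAliveCountMax 999
Match Group www-data
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
EOF
  # -t: check the configuration only; -f: read this file instead of the live one.
  if sshd -t -f "$sshd_candidate"; then
    # mktemp creates the file with mode 600; restore the usual 644.
    chmod 644 "$sshd_candidate"
    mv -f -- "$sshd_candidate" /etc/ssh/sshd_config
    systemctl restart sshd
  else
    echo -e "\e[38;5;196m ! New sshd_config failed validation (sshd -t); current config kept \e[0m" 1>&2
    rm -f -- "$sshd_candidate"
  fi
else
  echo -e "\e[38;5;196m ! Could not create a temporary sshd_config; current config kept \e[0m" 1>&2
fi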
# Certbot / Letsencrypt: install the Apache plugin package for certbot.
clear
printf '%b\n' \
  '' \
  '\e[38;5;14m| Letsencrypt certbot \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'
apt install -y python-certbot-apache

# Create the www-data group only when getent cannot find it.
CREATEGROUP=true
if getent group www-data > /dev/null 2>&1; then
  CREATEGROUP=false
fi
if [[ $CREATEGROUP == true ]]; then
  groupadd www-data
fi

# Closing message: points the operator at mysql_secure_installation.
printf '%b\n' \
  '' \
  '\e[38;5;14m| Done \e[0m' \
  '\e[38;5;14m Run mysql_secure_installation command ---- \e[0m' \
  '\e[38;5;14m------------------------------------------- \e[0m'