Ubuntu Server 12.04 setup script: Apache optimization and Postfix relaying through Gmail
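#!/bin/bash
#############################################################
# Setup Ubuntu 12.04 (32/64-bit) Web Server for WordPress   #
# by Zach Browne - http://zachbrowne.com                     #
#                                                           #
# Run as root on a fresh install. Every ----PLACEHOLDER---- #
# below must be replaced before the script is run.          #
#############################################################
## Setup SSH
# Install the admin's public key for key-based login.
# ~/.ssh must be 700 and authorized_keys 600: with sshd's default
# StrictModes, a key file or directory writable by others is ignored,
# so a 644 authorized_keys would silently lock the key out.
mkdir -p ~/.ssh/
chmod 700 ~/.ssh/
printf '%s\n' "----YOUR-SSH-PUBLIC-KEY----" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys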
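## Setup networking.
# Update, upgrade, and install basic applications.
aptitude update && aptitude -y safe-upgrade && aptitude -y install htop lynx dnsutils unzip byobu git-core
# Set up hostname and hosts file.
# hostname -F takes the new name from the given file, so it has to read
# /etc/hostname; pointing it at /etc/hosts (as before) would set the hostname
# from the first hosts entry instead of from "server".
echo "server" > /etc/hostname
hostname -F /etc/hostname
# Insert "IP<TAB>FQDN<TAB>HOSTNAME" after the first line of /etc/hosts.
sed -i '1 a\----SERVER IP----\t\----YOUR FULL FQDN----\t\----HOSTNAME----' /etc/hosts
# Set up interfaces file for static IP.
cp /etc/network/{interfaces,interfaces.bak}
rm -f /etc/network/interfaces
# Path and "static" keyword fixed: the original wrote to "interaces" (a new,
# unused file) and used "statics", which ifup does not recognise.
# Quoted delimiter: nothing in the config is meant to be expanded by the shell.
cat > /etc/network/interfaces <<'EOF'
auto lo
iface lo inet loopback
auto eth0 eth0:1
iface eth0 inet static
address ----SERVER IP----
netmask 255.255.255.0
gateway ----GATEWAY----
iface eth0:1 inet static
address ----INTERNAL IP----
netmask 255.255.128.0
EOF
# Restart networking so the static configuration takes effect.
/etc/init.d/networking restart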
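# Set resolv.conf to rotate DNS
cp /etc/{resolv.conf,resolv.conf.bak}
# Remove before writing: on 12.04 /etc/resolv.conf may be a symlink into
# resolvconf's run directory, and a write through the link would be undone.
rm -f /etc/resolv.conf
cat > /etc/resolv.conf <<'EOF'
search members.linode.com
nameserver 72.14.188.5
nameserver 72.14.179.5
options rotate
EOF
# Install Bind9 to cache DNS.
aptitude -y install bind9
cp /etc/bind/{named.conf.options,named.conf.options.bak}
rm -f /etc/bind/named.conf.options
# The block must be introduced by the "options" keyword; a bare "{" is a
# named.conf syntax error and named refuses to load the file.
# No allow-recursion is set, so BIND's default (localhost and local networks
# only) applies and the cache is not exposed as an open resolver.
cat > /etc/bind/named.conf.options <<'EOF'
options {
directory "/var/cache/bind";
forwarders {69.93.127.10;65.19.178.10;75.127.96.10;207.192.70.10;109.74.194.10;};
auth-nxdomain no;
listen-on-v6 { any; };
};
EOF
# The package starts named with the stock options; restart to load ours.
/etc/init.d/bind9 restart
# NOTE(review): resolv.conf above still lists only the upstream resolvers, so
# the local cache is never consulted unless a "nameserver 127.0.0.1" entry is
# added — confirm which behaviour is intended.
dig ----DOMAIN----
sleep 3
dig ----DOMAIN----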
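## Setup Apache2, PHP-CGI, APC, MySQL, and optimize server for VPS 512MB.
# Install apps for WordPress optimization
# NOTE(review): mysql-server asks for a root password through debconf; for an
# unattended run preseed it the same way postfix is preseeded further down.
aptitude -y install apache2 apache2-mpm-itk mysql-server fontconfig-config javascript-common libdbd-mysql-perl libdbi-perl libfontconfig1 libfreetype6 libgd2-xpm libjpeg62 libjs-cropper libjs-jquery libjs-prototype libjs-scriptaculous libnet-daemon-perl libphp-phpmailer libphp-snoopy libplrpc-perl libt1-5 libxpm4 php-gettext php5-gd tinymce ttf-dejavu-core wwwconfig-common libapache2-mod-perl2 php5-cgi php5-suhosin php-apc php5-mysql php5-curl php5-gd php5-imagick php5-mcrypt php5-common php5-pspell php5-snmp php5-xmlrpc php5-xsl imagemagick perl php-pear
# Enable modules
a2enmod actions rewrite headers expires mem_cache include
# Enable APC
echo "extension=apc.so" > /etc/php5/conf.d/apc.ini
# Configure PHP-CGI.
# Apache loads conf.d/*; the original wrote the handler config to a
# non-existent /etc/apache2/init.d/, so it was never installed.
# The handler is bound to a directory holding only php-cgi: aliasing all of
# /usr/bin (as before) makes every program there reachable as a CGI script.
mkdir -p /usr/lib/cgi-bin
ln -sf /usr/bin/php-cgi /usr/lib/cgi-bin/php-cgi
cat > /etc/apache2/conf.d/php-cgi.conf <<'EOF'
ScriptAlias /local-bin /usr/lib/cgi-bin
AddHandler application/x-httpd-php5 php
Action application/x-httpd-php5 /local-bin/php-cgi
EOF
# Add IP to ports.conf.
# Same placeholder as the <VirtualHost> below: NameVirtualHost must match the
# vhost address, otherwise Apache warns and the site is not name-based.
cp /etc/apache2/{ports.conf,ports.conf.bak}
rm -f /etc/apache2/ports.conf
cat > /etc/apache2/ports.conf <<'EOF'
NameVirtualHost ----SERVER-IP----:80
Listen 80
EOF
# Create the site tree before the vhost references it: Apache refuses to
# start when the ErrorLog directory does not exist.
mkdir -p /srv/www/----DOMAIN----/public /srv/www/----DOMAIN----/logs
# Create virtual host.
cat > /etc/apache2/sites-available/----DOMAIN---- <<'EOF'
<VirtualHost ----SERVER-IP----:80>
RewriteEngine On
ServerName ----DOMAIN----
ServerAdmin www@----DOMAIN----
ServerAlias www.----DOMAIN----
DocumentRoot /srv/www/----DOMAIN----/public/
ErrorLog /srv/www/----DOMAIN----/logs/error.log
CustomLog /srv/www/----DOMAIN----/logs/access.log combined
<IfModule mpm_itk_module>
AssignUserId www-data www-data
</IfModule>
</VirtualHost>
EOF
# Create robots.txt file in the document root (the original touched one path
# and wrote another).
cat > /srv/www/----DOMAIN----/public/robots.txt <<'EOF'
User-agent: *
EOF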
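## Optimize server.
# Remove Apache server information from headers.
readonly apache_security="/etc/apache2/conf.d/security"
sed -i 's/ServerTokens .*/ServerTokens Prod/' "$apache_security"
sed -i 's/ServerSignature .*/ServerSignature Off/' "$apache_security"
# Tweak apache.conf.
# Sized for a 512MB VPS. apache2-mpm-itk is prefork-based, so presumably only
# StartServers/MaxClients/MaxRequestsPerChild take effect; the Thread* lines
# are rewritten in every MPM section but only matter under worker/event.
readonly apache_conf="/etc/apache2/apache2.conf"
cp "$apache_conf" "$apache_conf.bak"
sed -i 's/\(^\s*StartServers\)\s*[0-9]*/\1 1/' "$apache_conf"
sed -i 's/\(^\s*MaxClients\)\s*[0-9]*/\1 45/' "$apache_conf"
sed -i 's/\(^\s*MinSpareThreads\)\s*[0-9]*/\1 2/' "$apache_conf"
sed -i 's/\(^\s*MaxSpareThreads\)\s*[0-9]*/\1 5/' "$apache_conf"
sed -i 's/\(^\s*ThreadLimit\)\s*[0-9]*/\1 15/' "$apache_conf"
sed -i 's/\(^\s*ThreadsPerChild\)\s*[0-9]*/\1 15/' "$apache_conf"
sed -i 's/\(^\s*MaxRequestsPerChild\)\s*[0-9]*/\1 5000/' "$apache_conf"
# Tweak php.ini (the CGI SAPI's copy, since PHP runs through php-cgi).
readonly phpinidir="/etc/php5/cgi/php.ini"
sed -i 's/^\(max_execution_time = \)[0-9]*/\1120/' "$phpinidir"
sed -i 's/^\(max_input_time = \)[0-9]*/\1300/' "$phpinidir"
sed -i 's/^\(memory_limit = \)[0-9]*M/\164M/' "$phpinidir"
sed -i 's/^\(post_max_size = \)[0-9]*M/\125M/' "$phpinidir"
sed -i 's/^\(upload_max_filesize = \)[0-9]*M/\125M/' "$phpinidir"
# exec/system/passthru/shell_exec/proc_open/popen block command execution
# from PHP. NOTE(review): escapeshellarg/escapeshellcmd are the escaping
# helpers, not executors; disabling them makes correctly written code fatal
# without reducing exposure — confirm this is intended.
sed -i 's/disable_functions =/disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source/' "$phpinidir"
# Harden sysctl.conf.
# Reject source-routed packets for IPv4 and IPv6, whether the stock line is
# commented out ("#key = 0") or explicitly enabled ("key = 1").
sed -i 's/^#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^net.ipv4.conf.all.accept_source_route = 1/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sed -i 's/^net.ipv6.conf.all.accept_source_route = 1/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf
# Apply the new values now; editing the file alone only takes effect on reboot.
sysctl -p /etc/sysctl.conf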
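## Secure Apache2.
# Install mod_security & mod_evasive.
# NOTE(review): both are installed with package defaults only; no rule set or
# mod_evasive thresholds are configured here — verify what is actually active.
aptitude -y install libapache2-mod-evasive libapache-mod-security
apt-get -f install
# Install PageSpeed Apache2 Module.
# Pick the .deb for the installed architecture; the header promises 32/64-bit
# support but the original always fetched amd64.
pagespeed_arch=$(dpkg --print-architecture)
pagespeed_deb="mod-pagespeed-beta_current_${pagespeed_arch}.deb"
# NOTE(review): the package is fetched over HTTPS but neither its signature
# nor a pinned digest is checked before dpkg installs it as root — verify it
# against the vendor's signing key or a known checksum before this step.
wget -O "$pagespeed_deb" "https://dl-ssl.google.com/dl/linux/direct/$pagespeed_deb" && dpkg -i "$pagespeed_deb"
apt-get -f install
# Update public directory for Apache and security
# Owned by www-data (mpm-itk runs the vhost as www-data); 755 directories and
# 644 files so nothing under the docroot is writable by other users.
chown -R www-data:www-data /srv/www/
find /srv/www/ -type d -exec chmod 755 {} +
find /srv/www/ -type f -exec chmod 644 {} +
# Engage Apache2.
a2dissite default
a2dissite default-ssl
a2ensite ----DOMAIN----
# Restart Apache2
/etc/init.d/apache2 restart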
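## Install Postfix for use with Gmail.
# Install Postfix.
# Preseed debconf so the install runs without prompting.
echo "postfix postfix/main_mailer_type select Internet Site" | debconf-set-selections
echo "postfix postfix/mailname string ----DOMAIN----" | debconf-set-selections
echo "postfix postfix/destinations string localhost.localdomain, localhost" | debconf-set-selections
aptitude -y install postfix
# Create main.cf file.
cp /etc/postfix/main.cf /etc/postfix/main.cf.bak
rm -f /etc/postfix/main.cf
# Quoted delimiter: the Postfix macros $myhostname, $mail_name and
# ${data_directory} must reach main.cf literally. The unquoted heredoc in the
# original let the shell expand them to empty strings, leaving a blank banner
# and a session-cache path of "btree:/smtpd_scache".
cat > /etc/postfix/main.cf <<'EOF'
# Main settings
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Host settings
myhostname = ----DOMAIN----
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
default_transport = smtp
relay_transport = smtp
inet_protocols = all
# SASL Settings
# Mandatory TLS to the relay: the SASL credentials are never sent on a
# plaintext session. smtp_use_tls is the legacy opportunistic setting and is
# superseded by smtp_tls_security_level.
smtp_tls_security_level = encrypt
smtp_use_tls=yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
EOF
# Create sasl_password file.
# Create it owner-only *before* the credentials are written, so they are never
# world-readable even briefly (touch + later chmod left that window open).
# Prefer a dedicated relay account or an application-specific password over
# the primary account password.
install -m 600 -o root -g root /dev/null /etc/postfix/sasl_passwd
cat > /etc/postfix/sasl_passwd <<'EOF'
[smtp.gmail.com]:587 ----YOUR-GMAIL-ADDRESS----:----GMAIL PASSWORD----
EOF
# Increase file security.
chmod 400 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
# postmap writes sasl_passwd.db under the default umask; it contains the same
# credentials and needs the same protection.
chmod 600 /etc/postfix/sasl_passwd.db
# CA file referenced by smtp_tls_CAfile.
# NOTE(review): Thawte Premium Server CA matched the relay's certificate chain
# when this was written — confirm the current issuer before relying on it.
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem
# Restart Postfix
/etc/init.d/postfix restart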
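## Install and configure varnish.
# Left disabled. If enabled, note that VARNISH_CACHE_SIZE is not set anywhere
# in this script and that the port-change sed lines still carry a literal IP
# and site name instead of the ----SERVER-IP---- / ----DOMAIN---- placeholders.
#aptitude -y install varnish libapache2-mod-rpaf
#Configure varnish
#grep -i "start=" /etc/default/varnish | wc -l
#sed -i 's/START=no/START=yes/' /etc/default/varnish
#sed -i 's/^\s*DAEMON_OPTS="-a :6081/DAEMON_OPTS="-a \*:80/' /etc/default/varnish
#sed -i 's/\(^\s*-s\) [^ ][^ ]*./\1 malloc,'${VARNISH_CACHE_SIZE}'"/' /etc/default/varnish
#Change apache and virtualhost ports to 8080
#sed -i 's/72.14.187.136:80$/72.14.187.136:8080/' /etc/apache2/ports.conf
#sed -i 's/Listen 80$/Listen 8080/' /etc/apache2/ports.conf
#sed -i 's/72.14.187.136:80>$/72.14.187.136:8080>/' /etc/apache2/sites-available/zachbrowne.com
# Final restart so every configuration change above is live. Validate first:
# a syntax error in any edited file would otherwise take the running server
# down instead of leaving the old configuration serving.
apache2ctl configtest && apache2ctl restart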