Skip to content

Instantly share code, notes, and snippets.

@derrekbertrand

derrekbertrand/Checklist.md

Last active November 11, 2021 05:49
Show Gist options
  • Save derrekbertrand/16de6cd7d73d91bd8947 to your computer and use it in GitHub Desktop.
Save derrekbertrand/16de6cd7d73d91bd8947 to your computer and use it in GitHub Desktop.
Download ZIP
Security Checklist for using Laravel on Digital Ocean's LEMP app
Raw
Checklist.md

Security Checklist

For setting up laravel on Ubuntu 14.04. Assumes using DO's LEMP image to start.

To start:

  • Install and update new software:
    • Run apt-get update
    • Run apt-get install php5-cli php5-mcrypt git
    • Run php5enmod mcrypt
    • Run service php5-fpm restart
  • Remove info.php from the web root; nobody needs to know that much info about our configuration
  • If you are running something other than this image, edit /etc/php5/fpm/php.ini, line ~768 should be changed. We need to ensure that this is set properly: cgi.fix_pathinfo=0
  • Run mysql_secure_installation
  • Save copy of MySQL root password for personal reference
  • Remove /etc/motd.tail
  • Edit /etc/adduser.conf, and change directory permissions to 750; we don't want users looking through each others' files
  • Add directorie to /etc/skel: .ssh
  • Add an empty authorized_keys file, with proper permission sets (700) then you can append to it with scripts

Create a new web account:

  • Remove the default site from /etc/nginx/sites-enabled/, as we probably will create a user with the script below
  • Run the script here to make new users on various domains.
  • If you are using laravel, then the web folder should be the folder in your project called 'public'. So you will probably end up with something like /home/account/public_html/public; Where you put it is up to you, but your actual Laravel installation should be outside the user's web root folder.
  • Run chown -R account:account /home/account/site_folder in order to ensure that the user can write to his files. You must do this to your Laravel project folder to ensure that the storage folder is writable.
  • Run service php5-fpm restart
  • If you have any SSH keys to add, now is the time

While we're at it make a new administrator account:

  • Run adduser administrator, be sure to set a password for the user for safety
  • Add user to sudoers usermod -a -G sudo administrator
  • Add any SSH keys to authorized_keys for this new user
  • Log out of the server, log back in as administrator, and ensure that you can use sudo to do root things before continuing!
  • Now you can disable the root account's password: passwd -l root
  • Remove all keys from root's authorized_keys file

With this done it is now time to change SSH policy:

  • Open /etc/ssh/sshd_config and set PasswordAuthentication no
  • in the same file, change to a non-default port (near the top)
  • set PermitRootLogin no and save the file
  • Restart the ssh daemon service ssh restart, log out, and log in as your new admin on the new port

Working With Laravel 5.0:

Don't forget:

  • Configure your DNS for any applicable subdomains
  • Restart the server when you're done to finalize any package installs

Upon completion of this, you should have a new account on a new port that can act as an administrator. Root should have its password locked, and not be able to SSH in. For each new user, they'll need a schema, a db user, and another run of the user create script above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment