-
Set the hostname of the server
hostnamectl set-hostname johnsmith
-
Make the hostname resolvable. Open the file /etc/hosts in your favourite editor and assign the IPv4 & IPv6 records of the server to your chosen hostname & FQDN.
127.0.0.1 localhost.localdomain localhost
12.34.56.78 johnsmith.example.com johnsmith
1234:5678::abcd:efgh:1234:5678 johnsmith.example.com johnsmith
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-
Fix Perl locale complaints.
locale-gen en_US.UTF-8
dpkg-reconfigure locales
-
Open ~/.bashrc in your favourite editor and add the following
export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
-
Set the system timezone
dpkg-reconfigure tzdata
-
Install ufw firewall
apt-get install ufw
-
Set up default firewall rules, where port 22 is your SSH port and 15.15.15.51 is an internal IP address
ufw allow from 15.15.15.51 to any port 22
ufw allow http
ufw allow https
ufw enable
-
Update Debian repository sources. Open the file /etc/apt/sources.list in your favourite editor and update to look like the below
deb http://mirrors.linode.com/debian/ stretch main contrib non-free
deb-src http://mirrors.linode.com/debian/ stretch main contrib non-free
deb http://mirrors.linode.com/debian-security/ stretch/updates main contrib non-free
deb-src http://mirrors.linode.com/debian-security/ stretch/updates main contrib non-free
# stretch-updates, previously known as 'volatile'
deb http://mirrors.linode.com/debian/ stretch-updates main
deb-src http://mirrors.linode.com/debian/ stretch-updates main
-
Add MariaDB repository
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
-
Add PHP 7 repository
apt-get -y install apt-transport-https lsb-release ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
-
Install all necessary components for this setup
apt-get update && apt-get upgrade --show-upgraded
apt-get -y install sudo locate mlocate curl git debsums nginx php7.3-curl php7.3-gd php7.3-cli php7.3-fpm php7.3-mbstring php7.3-mysqlnd php7.3-opcache php7.3-zip mariadb-server galera-4 libmariadb3 mariadb-backup mariadb-common zsh unattended-upgrades mailutils ssmtp zip unzip
-
Update file database
updatedb
-
Create a user and add it to the sudo and www-data groups for system and web server access
adduser exampleuser
usermod -a -G sudo,www-data exampleuser
-
Switch to the newly created user and set ZSH as the default shell
su exampleuser
cd ~
curl -L http://install.ohmyz.sh | sh
chsh -s /usr/bin/zsh
mkdir .ssh
-
Copy your public SSH key from your desktop
scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
-
Set the permissions on the .ssh directory and the authorized_keys file for secure access
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
-
Create a new SSH key for the user
ssh-keygen -t rsa -C "[email protected]"
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
-
Make SSH secure. Open /etc/ssh/sshd_config in your favourite editor and apply the following settings
PasswordAuthentication no
PermitRootLogin no
-
Restart SSH (make sure you keep a session open in case something goes wrong)
sudo service ssh restart
-
Install Composer server wide
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
-
Secure MariaDB by running the following command and following the instructions
sudo mysql_secure_installation
-
Open /etc/php/7.3/fpm/php.ini in your favourite editor and change the settings below:
upload_max_filesize = 100M
-
Enable unattended upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
-
Add SMTP settings to allow mail to be sent. Open /etc/ssmtp/ssmtp.conf in your favourite editor and add the settings below:
FromLineOverride=YES
[email protected]
AuthPass=PASSWORD
mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
-
Install MySQLtuner
sudo wget http://mysqltuner.pl/ -O /usr/local/bin/mysqltuner
sudo chmod +x /usr/local/bin/mysqltuner
-
Install Auto MySQL Backup
cd ~
mkdir automysqlbackup /var/backups/db
cd automysqlbackup
wget http://downloads.sourceforge.net/project/automysqlbackup/AutoMySQLBackup/AutoMySQLBackup%20VER%203.0/automysqlbackup-v3.0_rc6.tar.gz
tar -zxvf automysqlbackup-v3.0_rc6.tar.gz
sudo ./install.sh
-
Open /etc/automysqlbackup/myserver.conf in your favourite editor and apply the following settings
CONFIG_mysql_dump_username='root'
CONFIG_mysql_dump_password='PASSWORD'
CONFIG_mysql_dump_host='localhost'
CONFIG_backup_dir='/var/backups/db'
CONFIG_db_names=()
CONFIG_db_exclude=( 'information_schema' 'performance_schema' )
CONFIG_db_month_names=()
CONFIG_do_monthly="01"
CONFIG_do_weekly="5"
CONFIG_rotation_daily=6
CONFIG_rotation_weekly=35
CONFIG_rotation_monthly=150
CONFIG_mysql_dump_dbstatus='yes'
CONFIG_mysql_dump_use_separate_dirs='yes'
CONFIG_mailcontent='quiet'
CONFIG_mail_address='[email protected]'
-
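Set up a cron job to automate MySQL backups. Open /etc/cron.daily/runmysqlbackup in your favourite editor and add the following
#!/bin/sh
# Run the backup with the configuration created above
/usr/local/bin/automysqlbackup /etc/automysqlbackup/myserver.conf
# Make root the owner of everything under the backup directory
chown -R root:root /var/backups/db*
# Backup files readable by root only, directories accessible by root only
find /var/backups/db* -type f -exec chmod 400 {} \;
find /var/backups/db* -type d -exec chmod 700 {} \;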
-
Finalize automated backups
sudo chmod +x /etc/cron.daily/runmysqlbackup
rm -fr ~/automysqlbackup
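
A check for the "Make SSH secure" step, to run before restarting SSH. This is an added example, not part of the original gist: the function names and the sample config are constructed for illustration, and it assumes the config has no Include directives.

```shell
#!/bin/sh
# sshd uses the FIRST value it reads for a keyword, so appending
# "PasswordAuthentication no" below an existing "yes" changes nothing.

# first_global_value FILE KEYWORD  (hypothetical helper)
# Print the first uncommented value of KEYWORD in the global section of
# FILE, i.e. before the first "Match" block. Keywords are case-insensitive.
first_global_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                 # drop comments, fields re-split
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_hardening FILE  (hypothetical helper)
# Return 0 only if both settings from the step above are explicitly "no".
# An unset keyword fails too: the built-in defaults are not "no".
check_sshd_hardening() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(first_global_value "$1" "$key")
        if [ "$val" != "no" ]; then
            echo "FAIL: $key is '${val:-unset}', expected 'no'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the hardened line was added below a leftover "yes".
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    '#PasswordAuthentication no' 'PasswordAuthentication no' > "$sample"
check_sshd_hardening "$sample" || echo "sample config is NOT hardened"
rm -f "$sample"
```

On the server, point `check_sshd_hardening` at /etc/ssh/sshd_config and run `sudo sshd -t` to catch syntax errors before the restart.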
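
The MariaDB, Oh My Zsh and Composer steps above pipe a download straight into an interpreter. A download-then-verify alternative, as an added example that is not part of the original gist: the function names are hypothetical, PUBLISHED_SHA256 is a placeholder for the digest the vendor publishes, and the demo script is constructed.

```shell
#!/bin/sh
# Save the installer to disk, compare its SHA-256 with the published digest,
# and only then execute that same file. A pipe into bash cannot do this.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's digest matches.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_HEX INTERPRETER [ARGS...]
# Run FILE with INTERPRETER only if the digest matches; otherwise refuse.
run_verified() {
    file=$1; expected=$2; shift 2
    if ! verify_sha256 "$file" "$expected"; then
        echo "refusing to run $file: SHA-256 mismatch" >&2
        return 1
    fi
    "$@" "$file"
}

# On the server (PUBLISHED_SHA256 is a placeholder, not a real digest):
#   curl -sSLo mariadb_repo_setup https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
#   run_verified mariadb_repo_setup "$PUBLISHED_SHA256" sudo bash

# Constructed demo: a stand-in installer, then the same file after tampering.
demo=$(mktemp)
echo 'echo installer ran' > "$demo"
good=$(sha256sum "$demo" | cut -d' ' -f1)
run_verified "$demo" "$good" sh            # digest matches, script runs
echo 'echo tampered' >> "$demo"
run_verified "$demo" "$good" sh || true    # digest differs, refused
rm -f "$demo"
```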
Last active
November 14, 2019 11:29
Debian 9 (Stretch) LEMP Setup