L - Linux, N - Nginx, M - MySql/MariabDB, P - PHP/PY/Perl
This is based on "The Perfect Nginx Server" course by Andrew Eaton.
passwd
We are going to add a new user that will be given elevated privileges for when we need them. After the adduser command leave a space and type your desired username.
adduser
Type a password for the new user and the press enter at each question, then finally adding a y(yes) at the end. The new user needs elevated privileges.
visudo
We need to prevent anyone from logging in as the root user, edit the file sshd_config
,
using nano and change the line PermitRootLogin to no
cp sshd_config sshd_config.bak
nano sshd_config
Let's restart ssh and logout to apply the changes we have made.
systemctl restart ssh
exit
NON ROOT USER Login again as the user you just created and update the VPS. You will not be able to login as the root user. SSH KEY AUTHENTICATION GENERATE THE KEY PAIR - LOCALLY - NOT ON YOUR SERVER:
ssh-keygen –t rsa –b 4096
Once keys have been generated, copy the public key to you VPS. I'm referring to the public key as rsa_id.pub. Replace that name with the name you saved your public key as. Please refer to the video lectures regarding the path to the saved key and the key location when copying the public key to the server.
scp rsa_id.pub [email protected]:/home/username/
Login to your vps after copying the public key to the server Rename the public key to authorized_keys
mv rsa_id.pub authorized_keys
Create a directory called .ssh and move the authorized_keys file into that directory
mkdir .ssh/
mv authorized_keys .ssh/
Lockdown the authorized_keys file:
cd .ssh/
chmod 600 authorized_keys
Set an immutable bit on the authorized_keys file
sudo chattr +i authorized_keys
Lockdown the .ssh directory:
cd ..
chmod 700 .ssh
CONFIG FILE File is created locally on your pc or mac, not on the server
cd
nano .ssh/config
Contents:
Host
Hostname
User
IdentityFile ~/.ssh/
ServerAliveInterval 60
ServerAliveCountMax 120
SERVER UPDATES
sudo apt update
sudo apt upgrade
sudo apt autoremove
THE FIREWALL To confirm if UFW is installed, you can use the following command:
sudo ufw status verbose
In the event that UFW is not installed, you can install it using the package manager, apt.
sudo apt update
sudo apt install ufw
DEFAULT RULES
sudo ufw default deny incoming
sudo ufw default allow outgoing
ALLOWED SERVICES
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Finally, to enable the rules you have specified, you need to enable UFW.
sudo ufw enable
Reboot server and check firewall is active after a reboot
sudo reboot
sudo ufw status verbose
FAIL2BAN Install Fail2Ban
sudo apt update
sudo apt install fail2ban
Create "jail.local"
cd /etc/fail2ban/
sudo cp jail.conf jail.local
Open the jail.local
file using nano
cd /etc/fail2ban
sudo nano jail.local
Change the bantime, findtime and maxretry
bantime = 604800s
findtime = 10800s
maxretry = 2
Use CTRL + W and search for sshd. Uncomment mode and change to aggressive. Then add
enabled = true
underneath the last directive related to sshd [sshd]
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
To enable the above changes, restart the fail2ban service on the server:
sudo systemctl restart fail2ban
Fail2Ban - Unban an IP: Google “what is my ip” and make a note of your IP Login to Console, unban your ip:
fail2ban-client set sshd unbanip ip_address_goes_here
Exit Console and you can open terminal and ssh to your server as normal. View Fail2Ban Log Files: The cat and less commands can be used to view the contents of a file.
sudo cat filename
sudo less filename
The cat command will display the entire file contents on the screen, that’s fine if the file contains very little information. The less command is more useful, as each page will be paused for you to peruse. You can use the following keys: HOME, END, PgUp, PgDn and your cursor keys. Pressing q will quit less and return to the prompt.
cd /var/log/
ls
cat fail2ban.log
sudo less fail2ban.log
THE PERFECT NGINX SERVER
UBUNTU 20.04 LEMP STACK NGINX | MARIADB | PHP INSTALL | HARDEN | OPTIMIZE UPDATED DECEMBER 2020 php 8.0 IMPORTANT NOTICE - PHP 8.0 As of December 2020, I don't recommend php 8 and WordPress 5.6 be used on a production server. Time is needed for the theme and plugin developers to release versions that are fully compatible with WordPress 5.6 and php 8. For this reason, test WordPress 5.6 and php8.0 on a test server first, not your production server. Your production server is not used to test new software releases!!!
There are a few commands we need to cover regarding the Advanced Package Manager, apt
:
APT COMMANDS:
Installing Packages:
sudo apt install package_name(s)
Removing Packages: configuration files are not removed
sudo apt remove package_name(s)
Purging Packages: configuration files are removed
sudo apt purge package_name(s)
Find a Package
sudo apt-cache search package_name
Package Information
sudo apt-cache show package_name
2 INSTALLING NGINX
Always ensure the package list is up to date before installing any packages:
sudo apt update
We are going to install nginx and the libnginx-mod-http-headers-more-filter packages.
sudo apt install nginx libnginx-mod-http-headers-more-filter
After installing nginx, check the status of nginx:
sudo systemctl status nginx
INSTALLING MARIADB
sudo apt install mariadb-server
Check the status of MariaDB. sudo systemctl status mariadb 3 INSTALLING PHP7.4
The following php modules are recommended for WordPress:
php7.4-fpm
php7.4-gd
php7.4-json
php7.4-mbstring
php7.4-mysql
php7.4-xml
php7.4-xmlrpc
php7.4-opcache
php7.4-cli
php7.4-zip
php7.4-soap
php7.4-intl
php7.4-bcmath
php7.4-curl
php-ssh2
php-imagick
Please make a note of the php-imagick package. Even if WordPress site health indicates its missing, only install the package if it’s needed. The package php-imagick has pretty much been replaced by the php-gd package. If a plugin requires this package, install it as sudo apt install php-imagick. Be aware that this module can cause issues with certain plugins. Refer to the video lecture regarding the installation of the php packages:
sudo apt install php7.4-{fpm,gd,json,mbstring,mysql,xml,xmlrpc,opcache,cli,zip,soap,intl,bcmath,curl} php-ssh2
Check the status of php-fpm: sudo systemctl status php7.4-fpm 4 INSTALLING PHP 8.0 ADD REPOSITORY CONTAINING PHP8.0
sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt update && sudo apt upgrade
Press ENTER
when prompted after typing the add-apt-repository
command
INSTALL PHP MODULES
sudo apt install php8.0-{fpm,gd,mbstring,mysql,xml,opcache,cli,zip,soap,intl,bcmath,curl} php-ssh2
Check the status of php-fpm:
sudo systemctl status php8.0-fpm
SET PHP VERSION IN YOUR NGINX CONFIGURATION FILES EXISTING
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
include /etc/nginx/include_files/fastcgi_optimize.conf;
}
MODIFIED FOR PHP 8.0 - change php7.4 to php8.0
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
include /etc/nginx/include_files/fastcgi_optimize.conf;
}
HARDEN NGINX MARIADB & PHP
NGINX
The nginx defaults are actually very secure and further hardening of the server is a combination of securing and
optimizing. We will complete this step, in detail, in the next section.
For now, we need to prevent information leakage, in this case it's to prevent the nginx version number from being
displayed on various pages and to remove the server name from the http headers.
nginx.conf is the main nginx configuration file and is located in the /etc/nginx
directory. Make a backup copy of the file
prior to editing the file.
Refer to the video lecture regarding the initial changes that need to be made to the nginx.conf
file
more_clear_headers 'Server';
After making any changes to a nginx configuration file, you need to test the configuration syntax and then reload nginx to enable the changes in configuration. Test the nginx configuration syntax:
sudo nginx -t
Reload nginx to enable the changes in configuration:
sudo systemctl reload nginx
MARIADB
Securing MariaDB means that we need to remove any dangerous default settings that have been applied during the
installation process. This is accomplished by running the security script, mysql_secure_installation
.
sudo mysql_secure_installation
PHP 7.4 and PHP 8.0
The main php configuration file is php.ini
and is located in the following directory: /etc/php/7.4/fpm/
As before, make a backup copy of php.ini
file.
We need to make the following changes in the php.ini
file:
allow_url_fopen = Off
cgi.fix_pathinfo = 0
expose_php = Off
After making any changes to the php.ini file, the php7.4-fpm service needs to be restarted to enable the changes you have made to the php-fpm configuration:
sudo systemctl restart php7.4-fpm
After making any changes to the php.ini file, the php8.0-fpm service needs to be restarted to enable the changes you have made to the php-fpm configuration:
sudo systemctl restart php8.0-fpm
As php.ini
is a large file, use Nano's Search Function [ CTRL + W ]
to locate the directive you want to change.
OPTIMIZE NGINX MARIADB PHP7.4 and PHP8.0
NGINX
Optimizing nginx is an involved process. Initially we need to optimize the directives in the main, events, and http
contexts. The next section of the course deals with optimizing nginx exclusively. So, in the section we will only optimize
MariaDB and php.
In depth and detailed nginx optimization follows in the next section.
MARIADB
Initially we are going to implement both a performance and sys schema which will aid the recommendations made by an
optimization script, called MySQLTuner.
The main MariaDB configuration file is 50-server.cnf
. It’s located in the /etc/mysql/MariaDB.conf.d/
directory. As always,
make a backup copy of the file before editing.
performance_schema=ON
performance-schema-instrument='stage/%=ON'
performance-schema-consumer-events-stages-current=ON
performance-schema-consumer-events-stages-history=ON
performance-schema-consumer-events-stages-history-long=ON
Restart mariadb
sudo systemctl restart mariadb
UPDATED URL: Download the following Sys Schema from github.com to your home directory
cd
wget https://github.com/FromDual/mariadb-sys/archive/master.zip
Install zip and unzip
sudo apt update
sudo apt install zip unzip
Extract the master.zip file:
unzip mariadb-sys-master.zip
UPDATED: Change to the extracted directory and install the Sys Schema
cd mariadb-sys-master/
sudo mysql -u root < ./sys_10.sql
Delete the sys schema directory and zip file. Download mysqltuner:
wget http://mysqltuner.pl/ -O mysqltuner.pl
Give MySQLTuner executable permissions:
chmod +x mysqltuner.pl
PHP SETUP
We are going to be editing the main php configuration file, php.ini.
upload_max_filesize = 100M
post_max_size = 100M
max_execution_time = 30
max_input_time = 60
max_input_vars = 3000
memory_limit = 256M
OPCACHE
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=7963
opcache.validate_timestamps=0
After making any changes to the php.ini file, you must restart the php7.4-fpm process to enable the changes.
sudo systemctl restart php7.4-fpm
After making any changes to the php.ini file, the php8.0-fpm service needs to be restarted to enable the changes you
have made to the php-fpm configuration:
sudo systemctl restart php8.0-fpm
To calculate the opcache.max_accelerated_files.
cd /var/www
find . -type f -print | grep php | wc -l
CLOSEST PRIME NUMBER https://www.dcode.fr/closest-prime-number
Please make a backup copy of the configuration file before editing. Please refer to the video lectures to set the following directives Worker Processes Worker Connections If you site has lots of traffic, the worker connections may not be enough and you may find that you eventually end up with the error, "Too Many Open Files" Adding worker rlimit nofile to the main context and increasing the worker connections will help prevent this. Please don’t go overboard with these settings as worker connections of 2048 will be more than adequate. KEEP ALIVE SERVER TOKENS SERVER NAMES HASH BUCKET SIZE LOG FILES You have two log files, an access log and an error log. You can disbale the access log and enable it for individual sites
access_log off;
GZIP SETTINGS – please refer to the video lectures for the gzip directive values Compress data even for clients that are connecting to us via proxies. gzip_proxied Tell proxies to cache both the gzipped and regular version of a resource
gzip_vary
Compression level: 5 is a perfect compromise between size and cpu usage, offering about 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level
Don't compress anything that's already small and unlikely to shrink much if at all (the default is 20 bytes, which is bad as that usually leads to larger files after gzipping).
gzip_min_length
Sets the number and size of buffers used to compress a response
gzip_buffers
Enable compression both for HTTP/1.0 and HTTP/1.1. Compress all output labeled with one of the following MIME-types. gzip_types: typed on a single line ending with a semi colon text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/xhtml+xml application/atom+xml; All GZIP Directives:
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 256;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript
text/xml application/xml application/xml+rss text/javascript
image/svg+xml application/xhtml+xml application/atom+xml;
SETTINGS LOCATED OUTSIDE NGINX.CONF – CREATE INCLUDE FILE Now we are going to create new files for the buffer, timeout and cache directives. BUFFERS Filename:
buffers.conf
client_body_buffer_size 10k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
woocommerce - use larger values for large_client_header_buffers use these values if you experience browser 400 errors
large_client_header_buffers 4 32k;
TIMEOUTS Filename:
timeouts.conf
client_header_timeout 3m;
client_body_timeout 3m;
keepalive_timeout 100;
keepalive_requests 1000;
send_timeout 3m;
FILE HANDLE CACHE: Filename:
file_handle_cache.conf
open_file_cache max=1500 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
Back to the nginx.conf file, in the http context, we need to include the files we have just created. Please refer to the video lectures on adding the include files to nginx.conf Check the syntax and then reload nginx to enable the directives. If the syntax check produces any errors, recheck the configuration files and make necessary corrections.
sudo nginx –t
sudo systemctl reload nginx
TO LOGIN:
sudo mysql -u root
Commands to create database - PLEASE REFER TO NOTE LISTED HEREUNDER IMPORTANT NOTE: When using the grant all privileges command, the database user will be created and the password will be given to that user. COMMANDS TO CREATE DATABASE:
create database db_name;
grant all privileges on db_name.* to 'db_user'@'localhost' identified by 'password';
flush privileges;
TO VIEW PRIVILEGES FOR A PARTICULAR USER:
show grants for 'db_user'@'localhost';
TO DELETE A DATABASE:
drop database db_name;
TO DELETE A DATABASE USER
drop user db_username;
TO EXIT MARIADB
exit
NOTE The command is for bind mounting a projects folder in www to user folder in $HOME/user/ftp/files and them stay persistent after rebooting the whole system.
sudo mount --bind /var/www/domain.uz /home/domain_uz/ftp/files
#sudo echo "/var/www/domain.uz/ /home/domain_uz/ftp/files none bind 0 0" >> /etc/fstab
echo "/var/www/clarifyy.devdata.uz/ /home/clarifyy_devdata_uz/ftp/files none bind 0 0" | sudo tee -a /etc/fstab