runriot
6/12/2018 - 2:39 AM
New Server
// Add to /etc/apache2/apache.conf, at bottom
<IfModule mod_headers.c>
<Directory />
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Referrer-Policy "origin-when-cross-origin"
</Directory>
</IfModule>
// restart apache
// requires headers to be enabled (sudo a2enmod headers)
//
PHP
/etc/php/7.0/apache/pnp.ini --> session.cookie_httponly to 1 (https://support.detectify.com/customer/portal/articles/1969826-missing-httponly-flag-on-cookies)
/etc/apache/apache2.cong -- within each <Directory> add
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
OR
ini_set("session.cookie_httponly", True);
BEFORE session_start (first thing).
NB means cookies not availble in script / JS. So, if that is required, do not use this but rather set the HTTP Only flag on specific cookies at set stage
// MySQL Secure Installation
// REMOVE MOTD
// CREATE NON ROOT USER
adduser ubuntu
passwd ubuntu
usermod -aG sudo ubuntu
// test
su ubuntu
// COPY SSH KEY TO USER
cat ~/.ssh/authorized_keys
// copy it
mkdir /home/ubuntu/.ssh
nano /home/ubuntu/.ssh/authorized_keys
// paste it
// DISABLE ROOT LOGIN
sudo nano /etc/ssh/sshd_config
>> PermitRootLogin no
sudo systemctl reload sshd
// DISABLE PASSWORD AUTH
sudo nano /etc/ssh/sshd_config
>> PasswordAuthentication no
>> PubkeyAuthentication yes
>> ChallengeResponseAuthentication no
sudo systemctl reload sshd
// ADD USER TO WWW GROUP
sudo usermod -a -G www-data ubuntu
// requires relogin
// UPDATE
sudo apt-get dist-upgrade
sudo apt-get update
sudo apt-get upgrade
sudo reboot
// CHECK UPDATES CLEAR
// DISABLE PHP MAIL()
sudo nano /etc/php/7.0/apache2/php.ini
>> disable_functions = mail (add to existing elements)
sudo apache2 restart
// INSTALL FAIL2BAN
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
// SET UP SAMBA
https://help.ubuntu.com/community/How%20to%20Create%20a%20Network%20Share%20Via%20Samba%20Via%20CLI%20%28Command-line%20interface/Linux%20Terminal%29%20-%20Uncomplicated,%20Simple%20and%20Brief%20Way!
>> ufw disable
>> CMS PLugin on live
>> Cron on Dev
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
10 3 * * * sh /home/ubuntu/bkupscript.sh /var/www/dev runriot foundationrundev foundationrundev /dev/null 2>&1
>> Current State RClone
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
>> Cron on Dev
sudo su
curl https://rclone.org/install.sh | sudo bash
## https://rclone.org/s3/#digitalocean-spaces
>> rclone copy /var/www/ do-space:runriot/current-state/SITENAME
as cron
// VH
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
// Secure GIT and Composer
sudo nano /etc/apache2/apache2.conf
>>
<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>
<FilesMatch "^\.git">
Require all denied
</FilesMatch>
<FilesMatch ^((composer|package)\.json$)$>
Deny from all
</FilesMatch>
// CLOUDFLARE Restore Visitor IP
// IF using CloudFlare:
https://support.cloudflare.com/hc/en-us/articles/200170786#C5XWe97z77b3XZV
sudo service apache2 restart
Do not use git on public website.
# Set Floating IP #
# Assign Firewalls #
# Create any secondary VHosts #
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
# Set up Node Query #
# MySQLDump Script #
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
sudo nano /home/Ubuntu/backups/myconf.cnf
Define user and pass
# SAMBA #
sudo nano /etc/samba/smb.conf
Define shares
sudo service smbd restart
# CRONS #
Enable CMS cron
Enable Certbot Cron
# Certbot / LE #
Set up LE cert
# Secure GIT and Composer #
sudo nano /etc/apache2/apache2.conf
>>
<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>
<FilesMatch "^\.git">
Require all denied
</FilesMatch>
FilesMatch ^((composer|package)\.json$)$>
Deny from all
</FilesMatch>
sudo service apache2 restart
Do not use git on public website.