runriot
6/12/2018 - 2:39 AM

New Server

// Add to /etc/apache2/apache2.conf, at bottom

<IfModule mod_headers.c>
  <Directory />
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Referrer-Policy "origin-when-cross-origin"
  </Directory>
</IfModule>

// restart apache
// requires headers to be enabled (sudo a2enmod headers)
// NB: Strict-Transport-Security with includeSubDomains commits every subdomain to HTTPS for the whole max-age (one year here); only enable it once every host serves a valid certificate


//
PHP
/etc/php/7.0/apache2/php.ini --> set session.cookie_httponly = 1 (https://support.detectify.com/customer/portal/articles/1969826-missing-httponly-flag-on-cookies)
/etc/apache2/apache2.conf -- within each <Directory> add
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

OR

ini_set("session.cookie_httponly", True);
BEFORE session_start (first thing).
NB: this means the cookies are not readable from client-side script / JS. If that is required, do not use this, but rather set the HttpOnly flag on the specific cookies at the point where they are set.
// MySQL Secure Installation

// REMOVE MOTD

// CREATE NON ROOT USER
adduser ubuntu
passwd ubuntu
usermod -aG sudo ubuntu
// test
su ubuntu


// COPY SSH KEY TO USER
cat ~/.ssh/authorized_keys
// copy it
mkdir /home/ubuntu/.ssh
nano /home/ubuntu/.ssh/authorized_keys
// paste it
// make sure /home/ubuntu/.ssh and authorized_keys are owned by ubuntu (chown -R ubuntu:ubuntu) and not group/world-writable; with StrictModes sshd ignores the key file otherwise


// DISABLE ROOT LOGIN
sudo nano /etc/ssh/sshd_config
>> PermitRootLogin no
sudo systemctl reload sshd


// DISABLE PASSWORD AUTH
sudo nano /etc/ssh/sshd_config
>> PasswordAuthentication no
>> PubkeyAuthentication yes
>> ChallengeResponseAuthentication no
// keep this session open and confirm key login works from a second session before reloading, otherwise you can lock yourself out
sudo systemctl reload sshd


// ADD USER TO WWW GROUP
sudo usermod -a -G www-data ubuntu
// requires relogin


// UPDATE (run apt-get update before upgrade/dist-upgrade so the package lists are current)
sudo apt-get dist-upgrade
sudo apt-get update
sudo apt-get upgrade
sudo reboot
// CHECK UPDATES CLEAR


// DISABLE PHP MAIL()
sudo nano /etc/php/7.0/apache2/php.ini
>> disable_functions = mail  (add to existing elements)
sudo service apache2 restart


// INSTALL FAIL2BAN
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04


// SET UP SAMBA
https://help.ubuntu.com/community/How%20to%20Create%20a%20Network%20Share%20Via%20Samba%20Via%20CLI%20%28Command-line%20interface/Linux%20Terminal%29%20-%20Uncomplicated,%20Simple%20and%20Brief%20Way!
>> ufw disable
>> NB: this turns the host firewall off entirely; prefer opening only the Samba ports (ufw allow samba) and limiting them to the LAN



>> CMS Plugin on live
>> Cron on Dev
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
10 3 * * * sh /home/ubuntu/bkupscript.sh /var/www/dev runriot foundationrundev foundationrundev > /dev/null 2>&1
>> NB: passing the DB user/password as script arguments exposes them in the process list; read them from a mode-600 config file instead (see the myconf.cnf step below)

>> Current State RClone
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
>> Cron on Dev
sudo su
curl https://rclone.org/install.sh | sudo bash
## piping a remote script straight into a root shell runs whatever the server (or anyone in the path) sends; download it first and read it before running it
## https://rclone.org/s3/#digitalocean-spaces
>> rclone copy /var/www/ do-space:runriot/current-state/SITENAME
as cron


// VH
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04


// Secure GIT and Composer
sudo nano /etc/apache2/apache2.conf
>>
<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.git">
    Require all denied
</FilesMatch>
<FilesMatch ^((composer|package)\.json$)$>
    Require all denied
</FilesMatch>
// "Deny from all" is Apache 2.2 syntax and only works on 2.4 via mod_access_compat; use Require all denied as in the blocks above

// CLOUDFLARE Restore Visitor IP
// IF using CloudFlare:
  https://support.cloudflare.com/hc/en-us/articles/200170786#C5XWe97z77b3XZV

sudo service apache2 restart

Do not use git on public website.

# Set Floating IP #

# Assign Firewalls #

# Create any secondary VHosts #
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04

# Set up Node Query #

# MySQLDump Script #
>> BELOW REPLACED BY OWN RR MYSQL BACKUP PLUGIN
sudo nano /home/ubuntu/backups/myconf.cnf
Define user and pass; keep the file mode 600 and owned by the user running the dump, since it holds DB credentials

# SAMBA # 
sudo nano /etc/samba/smb.conf
Define shares
sudo service smbd restart

# CRONS #
Enable CMS cron
Enable Certbot Cron


# Certbot / LE #
Set up LE cert


# Secure GIT and Composer #
sudo nano /etc/apache2/apache2.conf
>>
<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.git">
    Require all denied
</FilesMatch>
<FilesMatch ^((composer|package)\.json$)$>
    Require all denied
</FilesMatch>
// "Deny from all" is Apache 2.2 syntax and only works on 2.4 via mod_access_compat; use Require all denied as in the blocks above
sudo service apache2 restart

Do not use git on public website.