148 lines
5.0 KiB
Plaintext
148 lines
5.0 KiB
Plaintext
Ubuntu 24.04.3LTS
|
|
PHP-default
|
|
Apache2
|
|
MySQL+phpmyadmin
|
|
|
|
# Step 1
|
|
sudo -i
|
|
apt update
|
|
apt -y upgrade
|
|
reboot
|
|
|
|
# Step 2
|
|
nano /etc/ssh/sshd_config
|
|
Change `#PasswordAuthentication yes` to `PasswordAuthentication no`
|
|
Add line
|
|
`AllowUsers <username>`
|
|
|
|
# Step 3
|
|
ON WINDOWS:
|
|
Via PowerShell
|
|
enable OpenSSH in PowerShell: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
|
|
ssh-keygen -t ed25519 -C "<your email address>"
|
|
use a STRONG PASSPHRASE
|
|
Hit [Enter] to save keys at DEFAULT location
|
|
to get your rsa PUBLIC key, do:
|
|
Press [Windows Logo Key/Start]+R
|
|
Put in `notepad %USERPROFILE%/.ssh/id_ed25519.pub`
|
|
hit Enter
|
|
copy all the text in that file
|
|
# Technical details: it saves private key at %USERPROFILE%/.ssh/id_ed25519
|
|
# private key example: C:\Users\potatouser\.ssh\id_ed25519
|
|
# public key example: C:\Users\potatouser\.ssh\id_ed25519.pub
|
|
|
|
|
|
ON UBUNTU
|
|
mkdir ~/.ssh
|
|
chmod 700 ~/.ssh
|
|
nano ~/.ssh/authorized_keys
|
|
<paste rsa PUBLIC key>
|
|
chmod 600 ~/.ssh/authorized_keys
|
|
sudo systemctl reload sshd
|
|
|
|
TO CONNECT
|
|
SSH with Windows PowerShell
|
|
Powershell is installed by default on Windows 10/11
|
|
ssh <username>@<ipaddress>
|
|
|
|
Manage Files with WinSCP:
|
|
install winscp https://winscp.net/eng/download.php
|
|
install puttygen https://www.puttygen.com/download.php?val=4
|
|
run puttygen
|
|
Click Load
|
|
Select private key at %USERPROFILE%/.ssh/id_ed25519
|
|
copy and paste the string of text beginning in ssh-ed25519 and paste
|
|
save public and private key to %USERPROFILE%/.ssh/ under a %USERPROFILE%/.ssh/id_ed25519.ppk (private)
|
|
and %USERPROFILE%/.ssh/id_ed25519.ppk.pub (public)
|
|
run winscp
|
|
click new site
|
|
protocol: SFTP
|
|
host name: <server/ip>
|
|
username: <username>
|
|
port number: 22
|
|
click Advanced
|
|
on left panel under SSH click Authentication
|
|
Browse for private key at %USERPROFILE%/.ssh/id_ed25519.ppk
|
|
ok
|
|
save
|
|
|
|
# Step 4
|
|
sudo apt install -y git
|
|
# download and install scripts and tools
|
|
cd ~
|
|
git clone https://gitlab.com/princesspi/general-scripts-and-system-ssssssetup.git
|
|
sudo -i
|
|
apt install -y apache2 snapd mysql-server byobu nmap screen iotop zip unzip lynx htop php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath unattended-upgrades net-tools python3 python3-pip unison
|
|
snap install btop
|
|
# secure mysql
|
|
mysql_secure_installation
|
|
# follow directions, defaults are fine just remember what you set as the root password
|
|
# install and config phpmyadmin
|
|
apt install -y phpmyadmin
|
|
ln -s /usr/share/phpmyadmin /var/www/html/pma
|
|
# phpmyadmin will be accessable from the public internet at http://<your server ip>/pma
|
|
# ensure your passwords are up to snuff
|
|
// TODO: prolly should do some other security shit to protect phpmyadmin
|
|
systemctl restart apache2
|
|
systemctl restart mysql
|
|
# add user to web server group
|
|
usermod -a -G www-data <username>
|
|
# unattended upgrades
|
|
dpkg-reconfigure unattended-upgrades
|
|
nano /etc/apt/apt.conf.d/50unattended-upgrades
|
|
change `//Unattended-Upgrade::Automatic-Reboot "false";` to `Unattended-Upgrade::Automatic-Reboot "true";`
|
|
change `//Unattended-Upgrade::Remove-Unused-Dependencies "false";` to `Unattended-Upgrade::Remove-Unused-Dependencies "true";`
|
|
change `//Unattended-Upgrade::Mail "root@localhost";` to Unattended-Upgrade::Mail "<your admin email>";`
|
|
systemctl start unattended-upgrades && systemctl enable unattended-upgrades
|
|
unattended-upgrade -d -v //test unattended upgrades
|
|
# uncomplicated firewall setup
|
|
ufw allow http
|
|
ufw allow https
|
|
ufw allow ssh
|
|
ufw enable
|
|
reboot
|
|
|
|
|
|
// TODO: backups setup needs more work, not working at current
|
|
// make unison script pls
|
|
// SKIP backups section for now
|
|
# backups
|
|
sudo -i
|
|
mkdir -p /backups/log
|
|
mkdir /backups/backups
|
|
ln -s /var/backups /backups/system
|
|
cp -r /home/<user>/general-scripts-and-system-ssssssetup/customscripts /usr/share
|
|
chmod +x /usr/share/customscripts/*sh
|
|
nano /usr/share/customscripts/backup.sh //edit to add dirs to back up
|
|
sh /usr/share/customscripts/crowdsec.sh
|
|
screen -R backups
|
|
sh /usr/share/customscripts/backup.sh
|
|
Ctrl+A+D
|
|
sh /usr/share/customscripts/fix_permissions.sh
|
|
|
|
# Step 5
|
|
# install some cool securiy tools
|
|
apt install -y chkrootkit lynis certbot fail2ban
|
|
crontab -e //instal crons from /home/<user>/general-scripts-and-system-ssssssetup/crontab.txt
|
|
apt install -y tripwire
|
|
Follow directions and utilize secure passphrase DO NOT LOSE PASSPHRASE
|
|
# as primary user (NOT root or sudo, run `exit` if in doubt)
|
|
pip3 install thefuck
|
|
echo "# user addons" >> ~/.bashrc
|
|
echo "PATH=~/.local/bin/:$PATH" >> ~/.bashrc
|
|
echo 'eval "$(thefuck --alias)"' >> ~/.bashrc
|
|
echo 'HISTTIMEFORMAT="%Y-%m-%d %T "' >> ~/.bashrc
|
|
source ~/.bashrc
|
|
|
|
Step 6: # optional
|
|
IF you want to use sudo without password check:
|
|
sudo visudo
|
|
for ONE user:
|
|
select editor of your choice
|
|
add `<username> ALL=(ALL) NOPASSWD: ALL`
|
|
|
|
OR for all users in the sudo group
|
|
comment out the line beginning with %sudo soi it looks like #%sudo
|
|
add `%sudo ALL=(ALL) NOPASSWD: ALL` on any new line
|
|
save and exit
|
|
sudo reboot |