Install and secure Apache, MySql, PHP and Postfix

Categories: Ubuntu; Tags: Postfix, PHP, MySql, E-mail, Apache, security;

Installing MySql Server on Ubuntu is a very simple task:

sudo apt-get install mysql-server mysql-client libmysqlclient16-dev

One useful utility is the mysql_secure_installation script, which limits access to the ‘root’ account, removes the test database, and removes anonymous accounts.

mysql_secure_installation

That was the installation part. Configuration is a little more complicated, because it all depends on your server's RAM and processing power. I recommend that you use MySQLTuner, a small Perl script that gives you useful information on how to "fine tune" your MySQL configuration. All the configuration is done by editing the /etc/mysql/my.cnf file. For a low-memory VPS (256MB) you can add the following lines to it:

key_buffer = 16K
max_allowed_packet = 1M
thread_stack = 64K
table_cache = 4
sort_buffer = 64K
net_buffer_length = 2K
skip-innodb

Restart the MySQL Server:

sudo /etc/init.d/mysql restart

The next step is to install Apache and PHP. I recommend sticking with Apache and the prefork module even if you have a low memory server. Tuned correctly it can prove much more robust and fast than other solutions like Lighttpd, NginX or others.

sudo apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-prefork-dev apache2-utils apache2-suexec libexpat1 ssl-cert

If you have memory problems just edit the configuration file for Apache (/etc/apache2/apache2.conf) and change the section that refers to prefork MPM:

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
 
<IfModule mpm_prefork_module>
StartServers 1
MinSpareServers 3
MaxSpareServers 6
ServerLimit 15
MaxClients 15
MaxRequestsPerChild 3000
</IfModule>

Also add the ServerName directive to the same file:

ServerName srv.vladgh.com

Now you have MySQL and Apache installed. Let's secure Apache with ModSecurity:

sudo apt-get install libapache2-mod-security2 mod-security2-common

Download the modsecurity rules from http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/. Copy the base_rules folder into /etc/apache2.

Then copy the modsecurity_crs_10_config.conf file from the archive into /etc/apache2/base_rules, and add the following lines at the end of it:

SecAuditEngine RelevantOnly
SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABIFHZ
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/apache2/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir
SecDebugLogLevel 3

After testing, you can change to a disruptive action such as deny, drop or redirect if you want to block the transaction. To do that, change line 148 from:

	SecDefaultAction "phase:2,pass"

to:

	SecDefaultAction "phase:2,deny,log,auditlog,status:403"

Add the directories:

sudo mkdir /var/log/modsecurity
sudo mkdir /var/log/modsecurity/SecTmpDir
sudo mkdir /var/log/modsecurity/SecDataDir
sudo mkdir /var/log/modsecurity/SecUploadDir
sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
sudo chown -R www-data:www-data /var/log/modsecurity

Edit your httpd.conf file and add the following lines:

<IfModule mod_security2.c>
Include /etc/apache2/base_rules/*.conf
</IfModule>
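The settings above are easy to get out of step: a Sec*Dir path that was never created, or a SecDefaultAction still set to pass after testing. The following script is an added example, not part of the original article; it assumes a single SecDefaultAction line as in the file edited above, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit the ModSecurity settings above.
# Usage: ./check_modsec.sh <config file> [apache user]

# Value of the last occurrence of a directive; later lines override earlier ones.
# Leading whitespace and double quotes are stripped from the value.
directive_value() {   # $1 = config file, $2 = directive name
  awk -v d="$2" '$1 == d { $1 = ""; gsub(/^[ \t]+|"/, ""); v = $0 } END { print v }' "$1"
}

# Classify SecDefaultAction as detection-only (pass) or blocking (deny/drop/redirect).
default_action_mode() {   # $1 = config file
  case "$(directive_value "$1" SecDefaultAction)" in
    *deny*|*drop*|*redirect*) echo blocking ;;
    *pass*)                   echo detection-only ;;
    *)                        echo unknown ;;
  esac
}

# Print one line per configured Sec*Dir path that is missing or has the wrong owner.
missing_dirs() {   # $1 = config file, $2 = user Apache runs as
  local name dir
  for name in SecUploadDir SecAuditLogStorageDir SecDataDir SecTmpDir; do
    dir=$(directive_value "$1" "$name")
    [ -n "$dir" ] || continue
    if [ ! -d "$dir" ]; then
      echo "$name $dir missing"
    elif [ -z "$(find "$dir" -maxdepth 0 -user "$2" 2>/dev/null)" ]; then
      echo "$name $dir not-owned-by-$2"
    fi
  done
}

# Run the audit only when a config file is given on the command line.
if [ "$#" -ge 1 ]; then
  echo "SecDefaultAction mode: $(default_action_mode "$1")"
  missing_dirs "$1" "${2:-www-data}"
fi
```

Run it against /etc/apache2/base_rules/modsecurity_crs_10_config.conf after each change; no output from the directory check means every configured path exists and belongs to the Apache user.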

The next thing you should install is PHP:

sudo apt-get install php5 php-pear php5-mysql php5-suhosin php5-dev gnu-standards automake
sudo apt-get install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

This installs PHP with the Suhosin patch for increased security.

You can also edit the php.ini located at /etc/php5/apache2/php.ini, and modify the following lines:

memory_limit = 128M
upload_max_filesize = 128M
post_max_size = 128M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
log_errors = On
error_log = /var/log/php.log
date.timezone = US/Central

If you already have a mail server, you can configure PHP to use it in php.ini; if not, just install the Postfix server:

sudo apt-get install postfix procmail

General type of mail configuration: <-- Internet Site
System mail name: <-- srv.vladgh.com

For a null client (a server that only sends emails), you replace the existing /etc/postfix/main.cf file with the following:

myorigin = $mydomain
relayhost =
inet_interfaces = loopback-only
local_transport = error:local delivery is disabled
smtpd_banner = $myhostname ESMTP $mail_name
alias_maps = hash:/etc/aliases
message_size_limit = 104857600

Also edit the /etc/aliases file accordingly:

admin: root
root: yourname@yourdomain.com

Make changes permanent with:

sudo newaliases
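If main.cf is edited in place rather than replaced, an older definition such as inet_interfaces = all can survive further down the file and silently win. The following audit is an added example, not part of the original article; it checks the two settings above that make the server send-only, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit main.cf for the null-client settings.
# Usage: ./check_null_client.sh /etc/postfix/main.cf

# Effective value of a main.cf parameter: the last definition wins, and a line
# that starts with whitespace continues the previous logical line.
param_value() {   # $1 = main.cf path, $2 = parameter name
  awk -v p="$2" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    /^[ \t]/ { if (cur == p) val = val " " $0    # continuation line
               next }
    { eq = index($0, "=")
      if (eq == 0) { cur = ""; next }
      cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
      if (cur == p) val = substr($0, eq + 1) }
    END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }' "$1"
}

# Print one finding per setting that differs from the null-client values; return 1 if any.
audit_null_client() {   # $1 = main.cf path
  local rc=0 ifaces transport
  ifaces=$(param_value "$1" inet_interfaces)
  transport=$(param_value "$1" local_transport)
  if [ "$ifaces" != "loopback-only" ]; then
    echo "inet_interfaces=${ifaces:-<default>}: SMTP listener is not loopback-only"
    rc=1
  fi
  case "$transport" in
    error:*) ;;
    *) echo "local_transport=${transport:-<default>}: local delivery is still enabled"
       rc=1 ;;
  esac
  return $rc
}

# Run the audit only when a main.cf path is given on the command line.
if [ "$#" -ge 1 ]; then
  audit_null_client "$1" && echo "null-client settings OK"
fi
```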

Now you have a fully functional LAMP system with the ability to send its own emails. Be careful with emails sent to Yahoo addresses, though, as they have a very restrictive spam policy and most of your emails will be deferred. Check your logs regularly for errors regarding Postfix or Apache.

