Instalación y puesta a punto de Debian 8 en el servidor Nta

resumen en portada

em50l@jejo.es$ 
# Step 1: refresh the package index and apply pending upgrades.
# The confirmation is printed only when both apt-get calls succeed.
apt-get update -y \
  && apt-get upgrade -y \
  && echo Actualizacion OK

# Step 2: stop and disable services this host does not need.
# rpcbind is on the list because of the information it exposes over RPC; see
# http://highsec.es/2014/07/obtencion-de-informacion-a-traves-de-rpc-y-explotacion-de-nfs/
# NOTE(review): the list ends with sshd/ssh, which removes remote shell access.
# Confirm out-of-band access (provider console, KVM) before running this from
# an SSH session, otherwise the machine can no longer be reached remotely.
for unit in postfix saslauthd rpcbind sshd ssh; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done

## System utilities
# Reference: http://www.tutorialspoint.com/articles/top-tools-to-monitor-linux-performance
# One apt call per package, so a failure in one does not block the others.
for pkg in curl mc htop iftop iotop; do
  apt install -y "$pkg"
done
#apt install -y nmon

root@nata:/# ss -ltpna
State     Recv-Q Send-Q   Local Address:Port      Peer Address:Port 
LISTEN         0    128   :::80                   :::*      users:(("apache2",pid=311,fd=4),("apache2",pid=308,fd=4))
SYN-RECV    0         0   ::ffff:95.46.199.106:80 ::ffff:189.90.193.252:7798  

root@nata:/# ss -s
Total: 8616 (kernel 0)
TCP:   1496 (estab 0, closed 1495, orphaned 6, synrecv 0, timewait 231/0), ports 0

Transport Total     IP        IPv6
*		  0         -         -        
RAW		  0         0         0        
UDP	 	  0         0         0        
TCP	 	  1         0         1        
INET	  1         0         1        
FRAG	  0         0         0  

#mas info: https://www.binarytides.com/linux-ss-command/


  • Instalar php7 en debian8

Modo1

#https://www.cyberciti.biz/faq/installing-php-7-on-debian-linux-8-jessie-wheezy-using-apt-get/

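# Install PHP 7.0, then drop a throwaway phpinfo() page to confirm that Apache
# actually executes PHP.
sudo apt-get install php7.0
echo "<?php phpinfo(); ?>" > /var/www/html/testphp.php
chown www-data:www-data /var/www/html/testphp.php
# The page only has to be readable by its owner (www-data); no execute bit needed.
chmod 640 /var/www/html/testphp.php
# Visit: http://95.46.199.106/testphp.php
# phpinfo() shows versions, loaded modules, file paths and environment
# variables to anyone who requests the URL. Once the page has been checked in
# a browser, delete it:
rm -f -- /var/www/html/testphp.php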

Modo2

#https://blog.programster.org/debian-8-install-php-7-1
#buena pagina para tomar algunas ideas

  • certbot (https)
# Guide followed:
# https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
# The certbot package is taken from jessie-backports on archive.debian.org.
printf '%s\n' 'deb http://archive.debian.org/debian jessie-backports main' \
  > /etc/apt/sources.list.d/backports.list

# Check-Valid-Until=false makes apt accept Release files whose Valid-Until
# date has passed.
# NOTE(review): that also switches off apt's protection against being served
# stale package indexes, and an archived suite presumably no longer receives
# security fixes - plan for this host as one that cannot be patched via apt.
apt-get -o Acquire::Check-Valid-Until=false update
apt-get install -y -t jessie-backports python-certbot-apache

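# Set ServerName in the default virtual host.
# Keep a dated copy of the file first (brace expansion appends today's date).
cp /etc/apache2/sites-available/000-default.conf{,"$(date -I)"}
midominio=$(hostname)  # on most VPS images the hostname is the domain
sed -i "s/#ServerName .*/ServerName $midominio/g" /etc/apache2/sites-available/000-default.conf
#sed -i 's/#ServerName .*/ServerName nta.jejo.es/g' /etc/apache2/sites-available/000-default.conf
grep ServerName /etc/apache2/sites-available/000-default.conf

# Run configtest once and let its result decide: restart Apache when the
# configuration parses, otherwise print the error message on stderr.
if apache2ctl configtest; then
  systemctl restart apache2
else
  echo 'Error Revisa archivo de configuracion' >&2
fi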

# "certbot --apache" no longer works on this setup.
# Workaround 1: run it anyway - it does not succeed, but it still writes the
# Apache configuration.
certbot --apache
#certbot --authenticator standalone --installer apache -d <yourdomain> --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

# Workaround 2: obtain the certificate by hand with the webroot authenticator
# and let the apache installer apply it.
certbot --authenticator webroot --installer apache

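## Check the certificate
# Talk to the local Apache under its real host name: --resolve pins the name
# to 127.0.0.1, so curl validates the certificate against the name it was
# issued for (a request to https://127.0.0.1 will not match a certificate
# issued for a domain name, and verification should stay switched on).
# curl -v writes the TLS details to stderr, hence 2>&1 before the pipe.
curl -vs --resolve "${HOSTNAME}:443:127.0.0.1" "https://${HOSTNAME}" 2>&1 | head
curl -vs "https://${HOSTNAME}" 2>&1 | grep -e SSL -e CN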


# Bien ya tengo el certificado OK
# https://www.ssllabs.com/ssltest/analyze.html?d=nta.jejo.es

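## Manual certificate renewal
# Apache is stopped for the duration of the standalone renewal
# (presumably because certbot's standalone mode needs the web ports itself).
/etc/init.d/apache2 stop
# Rehearse first; the real renewal runs only if the dry run succeeded.
if certbot renew --dry-run -v --standalone --force-renewal; then
  certbot renew -v --standalone
fi
# Apache is started again whatever the outcome, so the site does not stay down.
/etc/init.d/apache2 start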


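## Check the certificate
# Observed by the author: the plain "curl -vv https://127.0.0.1 | head" failed.
# NOTE(review): presumably because the certificate names the domain, not
# 127.0.0.1 - confirm. Pinning the host name to the loopback address keeps
# certificate validation on while still testing the local server; 2>&1 is
# needed because curl prints its verbose output on stderr.
curl -vv --resolve "${HOSTNAME}:443:127.0.0.1" "https://${HOSTNAME}" 2>&1 | head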




* Nextcloud
https://www.howtoforge.com/tutorial/how-to-install-nextcloud-15-on-debian-9/

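# One command per line: with everything on a single line, mkdir would treat
# "chown", "chmod" and their arguments as further directory names.

# Apache with TLS support.
apt-get install apache2 apt-transport-https -y
a2enmod ssl

# Directory under the web root for the Nextcloud code.
mkdir /var/www/html/jcloud
chown www-data:www-data /var/www/html/jcloud
chmod 750 /var/www/html/jcloud

# Data directory, created outside /var/www/html (presumably the DocumentRoot)
# so that user files are not served directly by Apache.
mkdir -p /var/www/jcloud/data
chown www-data:www-data /var/www/jcloud/
chmod 750 /var/www/jcloud/
chown www-data:www-data /var/www/jcloud/data
chmod 750 /var/www/jcloud/data

# Web installer; wget runs only if the cd succeeded.
# NOTE(review): setup-nextcloud.php is reachable by anyone who knows the URL
# for as long as it sits in the web root - check that it is gone once the
# installation has finished.
cd /var/www/html/jcloud/ && wget https://download.nextcloud.com/server/installer/setup-nextcloud.php
chown www-data:www-data /var/www/html/jcloud/setup-nextcloud.php
chmod 750 /var/www/html/jcloud/setup-nextcloud.php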

ir a web https://95.46.199.106/jcloud/setup-nextcloud.php

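# Error with PHP 7.0 and its dependencies: Nextcloud 16 needs PHP 7.1.
# The 15.0.10 release archive is downloaded by hand.
cd /var/www/html/jcloud/
wget https://download.nextcloud.com/server/releases/nextcloud-15.0.10.tar.bz2
# Check the archive against the published SHA-256 file before unpacking.
# It comes from the same server, so it only catches a damaged download; the
# project's detached GPG signature (.asc) is what proves authenticity.
wget https://download.nextcloud.com/server/releases/nextcloud-15.0.10.tar.bz2.sha256
sha256sum -c nextcloud-15.0.10.tar.bz2.sha256 && tar -xvjf nextcloud-15.0.10.tar.bz2
find /var/www/html/jcloud/ -type d -print0 | xargs -0 chmod 0750
# NOTE(review): only directories are re-owned here; the extracted files keep
# whatever owner tar gave them - confirm that www-data can read them.
find /var/www/html/jcloud/ -type d -print0 | xargs -0 chown www-data:www-data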

#apt install php7.0-zip php7.0-xml php7.0-curl php7.0-gd php7.0-sqlite
##apt install php-zip php-xml php-curl php-gd php-sqlite -y

No funciona: problemas con las versiones.

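# One command per line; on a single line the "##" comment swallowed the
# Apache restart and everything after "#Mejoras" was never executed.
apt-get install php7.1 php7.1-zip php7.1-xml php7.1-curl php7.1-gd php7.1-sqlite php7.1-mbstring
## Mind the versions: https://www.php.net/supported-versions.php
/etc/init.d/apache2 restart

# Improvements
apt-get -o Acquire::Check-Valid-Until=false update
apt-get install php7.1-intl php7.1-imagick
a2enmod headers
/etc/init.d/apache2 restart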



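# Troubleshooting commands (options restored to "--"; the en dash in the
# original text is not accepted by the tools).

# PHP: which ini files are loaded, and which modules are compiled in/enabled.
php --ini
php -m

# See also the page generated by <?php phpinfo(); ?>

# In our case the ini file is /etc/php/7.1/apache2/php.ini
apt list --installed | grep php

# Apache: list the loaded modules.
apache2ctl -M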

# Reset the password of the Nextcloud account named "admin". occ is run as
# www-data (sudo -u) rather than as root.
sudo -u www-data php /var/www/html/jcloud/occ user:resetpassword admin


### MEJORAS HSTS
# Enable mod_headers, then open the TLS virtual host to add the header block.
a2enmod headers
nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
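<IfModule mod_headers.c>
    # "set" replaces any Strict-Transport-Security value already present, so the
    # response never carries the header twice ("add" would append another one).
    # NOTE(review): includeSubDomains and preload commit every subdomain to
    # HTTPS for a year, and getting off browser preload lists is slow - keep
    # them only if all subdomains already serve valid certificates.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>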

https://hstspreload.org/?domain=nw.jejo.es



Comprobar que ha quedado optimizado
# Process tree: -l keeps long lines untruncated, -c disables the compaction of
# identical subtrees, so every remaining process is listed.
pstree -lc

### Actualizar php

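# One command per line; on a single line apt-get would treat "apt-get",
# "autoremove", "apt", "list" ... as package names.

# Remove PHP 7.1 and whatever it pulled in.
apt-get remove php7.1 php7.1-zip php7.1-xml php7.1-curl php7.1-gd php7.1-sqlite php7.1-mbstring
apt-get autoremove
# See which PHP packages are still installed.
apt list --installed | grep php
apt-get remove php7.0-common php7.0-sqlite3 php7.3-common php7.3-curl php7.3-gd php7.3-xml php7.3-zip
apt-get autoremove

# Install PHP 7.3 with the same set of extensions.
apt-get install php7.3 php7.3-zip php7.3-xml php7.3-curl php7.3-gd php7.3-sqlite php7.3-mbstring
apt-get install php7.3-imagick  # optional
/etc/init.d/apache2 restart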


__________
<br><br>


## Migrar Datos

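# Copy the files into the data directory first (manual step), then hand them
# to the web server user and let Nextcloud index them.
chown -R www-data:www-data /var/www/jcloud/data
chmod -R 750 /var/www/jcloud/data
# occ is run as www-data, and only if the cd succeeded.
cd /var/www/html/jcloud/ && sudo -u www-data php occ files:scan --all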

o Lanzar este php

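<?php
// Runs Nextcloud's file scan through the web server instead of the shell and
// prints the command's return code and output.
// NOTE(review): anyone who can request this script can start a full rescan and
// read its output; delete the file as soon as the migration is finished.
$path = realpath(dirname(__FILE__));
// escapeshellarg keeps an install path with spaces or shell characters intact.
exec('php ' . escapeshellarg("$path/console.php") . ' files:scan --all -v 2>&1', $out, $result);
echo "Returncode: " . $result . "\n\n";
print_r($out);
?>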
```

Referencias:

- https://blog.programster.org/debian-8-install-php-7-1
- https://www.cyberciti.biz/faq/installing-php-7-on-debian-linux-8-jessie-wheezy-using-apt-get/
- https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/
- https://www.ssllabs.com/ssltest/analyze.html?d=nta.jejo.es
- https://www.ssllabs.com/ssltest/analyze.html?d=nw.jejo.es&latest
- https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
- https://nextcloud.com/install/#instructions-server
- https://download.nextcloud.com/server/releases/
- https://linux-audit.com/configure-hsts-http-strict-transport-security-apache-nginx/
- https://www.howtoforge.com/tutorial/how-to-install-nextcloud-15-on-debian-9/