Instalación y puesta a punto de Debian 8 en el servidor Nta
resumen en portada
em50l@jejo.es$
# Step 1: refresh the package index, then apply every pending upgrade.
# The confirmation line is printed only if both apt-get calls succeed.
apt-get update -y \
  && apt-get upgrade -y \
  && echo "Actualizacion OK"
# Step 2: stop and disable the services this server does not need.
# Background on rpcbind (information gathering over RPC, NFS exposure):
# http://highsec.es/2014/07/obtencion-de-informacion-a-traves-de-rpc-y-explotacion-de-nfs/
# NOTE(review): both "sshd" and "ssh" are tried, presumably because the unit
# name differs between installations. Once SSH is stopped and disabled no new
# remote logins are accepted, so confirm that another management path (for
# example the hosting provider's console) works before running this remotely.
for unit in postfix saslauthd rpcbind sshd ssh; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done
## System utilities
# Overview of monitoring tools:
# http://www.tutorialspoint.com/articles/top-tools-to-monitor-linux-performance
# Each package is installed with its own apt call, so one failing package
# does not block the others.
for pkg in curl mc htop iftop iotop; do
  apt install -y "$pkg"
done
#apt install -y nmon
root@nata:/# ss -ltpna
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::80 :::* users:(("apache2",pid=311,fd=4),("apache2",pid=308,fd=4))
SYN-RECV 0 0 ::ffff:95.46.199.106:80 ::ffff:189.90.193.252:7798
root@nata:/# ss -s
Total: 8616 (kernel 0)
TCP: 1496 (estab 0, closed 1495, orphaned 6, synrecv 0, timewait 231/0), ports 0
Transport Total IP IPv6
* 0 - -
RAW 0 0 0
UDP 0 0 0
TCP 1 0 1
INET 1 0 1
FRAG 0 0 0
#mas info: https://www.binarytides.com/linux-ss-command/
Instalar php7 en debian8
Modo1
# Guide followed:
# https://www.cyberciti.biz/faq/installing-php-7-on-debian-linux-8-jessie-wheezy-using-apt-get/
sudo apt-get install php7.0

# Drop a phpinfo() page into the web root to confirm that Apache executes PHP.
# phpinfo() shows the PHP version, loaded modules, file paths and environment
# values to anyone who can request the page, so delete the file as soon as the
# check is done.
# NOTE(review): the execute bit is not needed for a page served through
# Apache; a mode without it (e.g. 640) would presumably be enough - confirm.
test_page=/var/www/html/testphp.php
printf '%s\n' '<?php phpinfo(); ?>' > "$test_page"
chown www-data:www-data "$test_page"
chmod 750 "$test_page"
# Visit: http://95.46.199.106/testphp.php
Modo2
#https://blog.programster.org/debian-8-install-php-7-1
#buena pagina para tomar algunas ideas
- certbot (https)
# Guide followed:
# https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
# jessie-backports is fetched from archive.debian.org; the Valid-Until check is
# switched off for the update, presumably because the archived Release file has
# expired.
# NOTE(review): with that check off apt accepts stale repository metadata, the
# source line uses plain http, and an archived suite receives no further
# security updates. Keep the override on this single command line instead of
# making it permanent in the apt configuration.
backports_list=/etc/apt/sources.list.d/backports.list
printf '%s\n' 'deb http://archive.debian.org/debian jessie-backports main' > "$backports_list"
apt-get -o Acquire::Check-Valid-Until=false update
apt-get install python-certbot-apache -t jessie-backports -y
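# Set the server's domain name in the default Apache virtual host.
vhost_conf=/etc/apache2/sites-available/000-default.conf

# Keep a dated copy of the file before editing it (000-default.confYYYY-MM-DD).
cp -- "$vhost_conf" "${vhost_conf}$(date -I)"

midominio=$(hostname) # on most VPSes the hostname is the domain name
# The hostname is interpolated into the sed replacement text; this relies on
# it containing only ordinary host name characters (no "/" or "&").
sed -i "s/#ServerName .*/ServerName $midominio/g" "$vhost_conf"
#sed -i 's/#ServerName .*/ServerName nta.jejo.es/g' /etc/apache2/sites-available/000-default.conf

# Show the resulting ServerName line(s) for a visual check.
grep ServerName "$vhost_conf"

# Restart Apache only when the configuration parses. The original fallback
# called a non-existent "Error" command, so the hint was never printed; it is
# now written to stderr, and configtest runs once instead of twice.
if apache2ctl configtest; then
  systemctl restart apache2
else
  echo "Error Revisa archivo de configuracion" >&2
fi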
# certbot --apache # NO LONGER WORKS
# NOTE(review): presumably because this old certbot's Apache plugin depends on
# a validation method that Let's Encrypt has since retired - confirm.
# Workaround 1: the run does not obtain a certificate, but it still writes the
# Apache TLS configuration.
certbot --apache
#certbot --authenticator standalone --installer apache -d <yourdomain> --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
# Workaround 2: request the certificate by hand with the webroot authenticator
# and let the Apache installer wire it in.
certbot --authenticator webroot --installer apache

## Check the certificate
# curl writes its verbose TLS details to stderr, hence the 2>&1 on the second
# call before filtering for the SSL and CN lines.
curl --verbose --silent https://127.0.0.1 | head
curl --verbose --silent "https://${HOSTNAME}" 2>&1 | grep -e SSL -e CN
# Good, the certificate is in place.
# https://www.ssllabs.com/ssltest/analyze.html?d=nta.jejo.es
## Renew the certificate manually
# --standalone makes certbot answer the challenge with its own temporary web
# server, so Apache is stopped first to free the port it listens on.
/etc/init.d/apache2 stop
# Rehearsal run: --dry-run tests the renewal without saving any certificate.
certbot renew --dry-run -v --standalone --force-renewal
# If the rehearsal went well, do the real renewal.
certbot renew -v --standalone
/etc/init.d/apache2 start
## Check the certificate
curl -vv https://127.0.0.1 | head
# This check fails.
# NOTE(review): presumably because the certificate is issued for the domain
# name, so verification against 127.0.0.1 cannot succeed; curl's verbose output
# also goes to stderr, which "| head" does not capture - confirm.
Hardening borrar y substituir sudo
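# Locate the sudo binary, then remove the package. The page had collapsed the
# three lines into one, which left the removal hidden inside the comment.
whereis sudo
# sudo: /usr/bin/sudo
# NOTE(review): later steps on this page still call "sudo -u www-data ...".
# With sudo removed, run those as root through "runuser -u www-data -- ..."
# or "su -s /bin/sh www-data -c '...'" instead.
apt-get remove sudo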
Hardening apache https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/
Hardening parar xinetd y crond
```
crontab -l
cat /etc/crontab
ls /etc/cron.hourly/
* Nextcloud
https://www.howtoforge.com/tutorial/how-to-install-nextcloud-15-on-debian-9/
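# The commands below had been collapsed onto single lines; they are restored
# one per line so that each runs as its own command.

# Apache with TLS support.
apt-get install apache2 apt-transport-https -y
a2enmod ssl

# Directory that will hold the Nextcloud code, readable only by www-data.
mkdir /var/www/html/jcloud
chown www-data:www-data /var/www/html/jcloud
chmod 750 /var/www/html/jcloud

# Data directory kept outside /var/www/html so that, assuming the default
# DocumentRoot, Apache cannot serve user files directly.
mkdir -p /var/www/jcloud/data
chown www-data:www-data /var/www/jcloud/
chmod 750 /var/www/jcloud/
chown www-data:www-data /var/www/jcloud/data
chmod 750 /var/www/jcloud/data

# Fetch the Nextcloud web installer into the code directory.
# NOTE(review): an installer script left in the web root can be requested by
# anyone; make sure it is gone once the installation has finished.
cd /var/www/html/jcloud/
wget https://download.nextcloud.com/server/installer/setup-nextcloud.php
chown www-data:www-data /var/www/html/jcloud/setup-nextcloud.php
chmod 750 /var/www/html/jcloud/setup-nextcloud.php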
ir a web https://95.46.199.106/jcloud/setup-nextcloud.php
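# Errors with php7.0 and its dependencies: nextcloud16 needs php7.1, so the
# 15.0.10 release archive is downloaded and unpacked by hand instead.
# (The commands had been collapsed into one comment line and never ran.)
cd /var/www/html/jcloud/
wget https://download.nextcloud.com/server/releases/nextcloud-15.0.10.tar.bz2
# NOTE(review): the release directory also carries checksum and signature
# files for each archive; verify the download against them before unpacking.
tar -xvjf nextcloud-15.0.10.tar.bz2

# Restrict directories to owner and group and hand them to the web server user.
# NOTE(review): only directories are touched here; regular files keep the
# owner and mode they had in the archive - confirm that this is intended.
find /var/www/html/jcloud/ -type d -print0 | xargs -0 chmod 0750
find /var/www/html/jcloud/ -type d -print0 | xargs -0 chown www-data:www-data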
#apt install php7.0-zip php7.0-xml php7.0-curl php7.0-gd php7.0-sqlite
##apt install php-zip php-xml php-curl php-gd php-sqlite -y
No funciona: hay problemas con las versiones.
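# Install PHP 7.1 with the extensions Nextcloud needs. The commands had been
# collapsed onto one line, so apt-get would have received the comment text and
# the following command as extra arguments; they are restored one per line.
apt-get install php7.1 php7.1-zip php7.1-xml php7.1-curl php7.1-gd php7.1-sqlite php7.1-mbstring
## Mind the versions: https://www.php.net/supported-versions.php
/etc/init.d/apache2 restart

# Improvements: extra PHP extensions and mod_headers.
# Acquire::Check-Valid-Until=false makes apt accept expired repository
# metadata; keep it limited to this single command line.
apt-get -o Acquire::Check-Valid-Until=false update
apt-get install php7.1-intl php7.1-imagick
a2enmod headers
/etc/init.d/apache2 restart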
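# Troubleshooting commands. The page had collapsed them into comment lines and
# turned the "--" of the long options into a dash character; both are repaired.

# PHP: show which ini files are loaded and which modules are active.
php --ini
php -m
# See also the page generated with <?php phpinfo(); ?>
# In our case the active file is /etc/php/7.1/apache2/php.ini
apt list --installed | grep php

# Apache: list the loaded modules.
apache2ctl -M

# Reset the Nextcloud "admin" password; occ is run as the web server user so
# that the files it touches keep the right owner.
sudo -u www-data php /var/www/html/jcloud/occ user:resetpassword admin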
### MEJORAS HSTS
# mod_headers is needed for the Header directive used by the HSTS block.
a2enmod headers
# Open the TLS virtual host (presumably the one certbot generated) and add the
# <IfModule mod_headers.c> block shown next. Apache has to be reloaded or
# restarted afterwards for the change to take effect.
ssl_vhost=/etc/apache2/sites-enabled/000-default-le-ssl.conf
nano "$ssl_vhost"
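<IfModule mod_headers.c>
    # "set" replaces any Strict-Transport-Security value that is already
    # present; "add" could send the header twice.
    # max-age=31536000 is one year. includeSubDomains extends the policy to
    # every subdomain, and preload asks for inclusion in the browsers' built-in
    # lists, which is slow to undo: enable both only once every subdomain
    # serves valid HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>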
https://hstspreload.org/?domain=nw.jejo.es
Comprobar que ha quedado optimizado
# Show the process tree (-l: do not truncate long lines, -c: do not merge
# identical subtrees) to review which daemons are still running.
pstree -lc
### Actualizar php
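# Replace PHP 7.1 with PHP 7.3. The commands had been collapsed onto two lines
# and the "--" of --installed had become a dash character; both are repaired.

# Remove PHP 7.1 and whatever it pulled in.
apt-get remove php7.1 php7.1-zip php7.1-xml php7.1-curl php7.1-gd php7.1-sqlite php7.1-mbstring
apt-get autoremove

# Check which PHP packages are left, then clear the leftovers.
apt list --installed | grep php
apt-get remove php7.0-common php7.0-sqlite3 php7.3-common php7.3-curl php7.3-gd php7.3-xml php7.3-zip
apt-get autoremove

# Install PHP 7.3 with the same set of extensions.
apt-get install php7.3 php7.3-zip php7.3-xml php7.3-curl php7.3-gd php7.3-sqlite php7.3-mbstring
apt-get install php7.3-imagick # optional
/etc/init.d/apache2 restart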
__________
<br><br>
## Migrar Datos
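# Copy the files into the data directory first, then hand them to the web
# server user and let Nextcloud index them. (The commands had been collapsed
# into one comment line, and the "--" of --all had become a dash character.)
chown -R www-data:www-data /var/www/jcloud/data
chmod -R 750 /var/www/jcloud/data
cd /var/www/html/jcloud/
sudo -u www-data php occ files:scan --all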
o Lanzar este php
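<?php
// Runs Nextcloud's file scan through console.php in this script's directory
// and prints the exit code followed by the captured output.
// Repaired from the page: __FILE__ had lost its underscores, the string quotes
// had become typographic quotes and "--all" had become a dash character.
// NOTE(review): anyone who can request this script over HTTP can start a full
// scan, so delete it once the migration is done (or run occ from a shell).
$path = realpath(dirname(__FILE__));
// The path is not user input, but quoting it keeps the command intact if the
// directory name contains spaces or shell metacharacters.
exec('php ' . escapeshellarg("$path/console.php") . ' files:scan --all -v 2>&1', $out, $result);
echo "Returncode: " . $result . "\n";
print_r($out);
?>
```
Referencias: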
https://blog.programster.org/debian-8-install-php-7-1
https://www.cyberciti.biz/faq/installing-php-7-on-debian-linux-8-jessie-wheezy-using-apt-get/
https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/
https://www.ssllabs.com/ssltest/analyze.html?d=nta.jejo.es
https://www.ssllabs.com/ssltest/analyze.html?d=nw.jejo.es&latest
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8
https://nextcloud.com/install/#instructions-server
https://download.nextcloud.com/server/releases/
https://linux-audit.com/configure-hsts-http-strict-transport-security-apache-nginx/
https://www.howtoforge.com/tutorial/how-to-install-nextcloud-15-on-debian-9/