Diamond Hard LAMP
Building a Linux Apache MySQL PHP (LAMP) web hosting server is easy; anyone can build one with a 5-minute tutorial. Securing a LAMP web hosting server, on the other hand, is very hard and time-consuming. There are many details and packages you need to know about, and that knowledge only comes with experience. Diamond Hard LAMP aims to cover any experience shortfalls for you!
Over the years I have built scripts to automate my roles as a Linux System Administrator. Diamond Hard LAMP (DHL) is the combination of those scripts and that knowledge. DHL builds a LAMP web hosting server with every service hardened as far as possible: diamond-hard security. DHL incorporates all the security configurations, tools, and methodologies to form a suite of services working in concert. The end result is a LAMP stack with very high security and automated management.
So let’s walk through the DHL build-out process.
DHL Build Overview
- Build a new Virtual Machine
- Clone DHL GitHub codebase
- Configure Your Unique Server Settings
- Run DHL installer
- Add your first webhosting account
Virtual Machine Specs
DHL is designed and tested for Ubuntu 20.04 LTS. So I recommend using that OS. Your VM specs will vary based on the number of websites you host and their traffic. Below are the minimum recommended specs.
- CPU: 4 Cores
- 8GB RAM
- 16GB HDD
- 1x 1G Network Interface
- 1x Internal LAN IPv4
- WAN accessible ports needed: 22, 80, and 443
Note: AppArmor cannot run appropriately inside a container. Additionally, containers are considered less secure than the segmentation VMs provide. For these reasons, DHL requires a VM and not a container.
Install Diamond Hard LAMP
On a fresh OS install run the following commands to clone DHL GitHub codebase.
# Update the OS
sudo apt -y update && sudo apt -yq upgrade
# Install Git, so you can clone the repository
sudo apt -yq install git
# Clone DHL GitHub codebase
git clone https://github.com/Brets0150/DiamondHardLAMP.git
cd ./DiamondHardLAMP
# Set the execute bit on the script
chmod +x ./DiamondWebServerManager.sh
Configure Your Unique Server Settings
There are a few settings that must be configured so DHL can alert you correctly about events. Open the “./settings.sh” file and fill in the required settings.
# Update the settings file with your unique settings.
nano ./settings.sh
Run DHL Server Builder
Now that we have the DHL GitHub codebase on the server, we can start the server setup. The “--install” command installs and configures all the security tools and features of DHL. The installer will take time to complete; the Diffie-Hellman key generation alone can take up to an hour.
# Run DHL's Server builder.
./DiamondWebServerManager.sh --install
After the installation of all tools and services is complete you will be provided the administrative credentials. Copy these details to a secure location; you will never see this data again.
The “PhpMyAdmin .htaccess” user name is actually “admin_2919” in the above image.
Username Generation
The Admin account username is randomized every time the installer runs, which means there are 9999 different possible usernames that may be applied. No one is brute-forcing this login against 9999 possible usernames and a random 16-character password; good luck!
Website Management Design
DHL deploys websites in a way you would expect a shared-hosting system would. Each Website has its own user account, access rights, logins, and segmented directories. Below is a list of the services a user has access to so they can manage their own website.
- SFTP – To upload and download files
- Access to the Apache logs for their website only, so the user can troubleshoot their own issues.
- User can add .htaccess file to any web directory to quickly add another layer of security to a directory.
- Access to PhpMyAdmin to fully manage their own database.
User and Site Segmentation
The core guiding principle behind the user site configuration is segmentation. I wanted to make sure one poorly coded website could not affect others on the same server. So to the furthest extent possible, sites share nothing between them. This is done in the following ways.
- AppArmor sandboxes the user account and the website.
- Each website runs in Apache with its own user account.
- Each website has its own “.secret/.htpasswd” file for passwords.
- One site, One database, with permissions to nothing else.
- No shared logging.
- Strict adherence to principle of least privilege
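As an added example (not part of the DHL codebase), the following POSIX shell function audits one site's directory tree against the share-nothing layout described above: the site root grants nothing to "other", the per-site “.secret/.htpasswd” file is not readable by other users, and nothing under the root is world-writable. It assumes GNU stat/find (as on Ubuntu) and that the site root path and the location of “.secret/.htpasswd” directly under it are DHL's layout; the exact paths are an assumption here.

```shell
#!/bin/sh
# audit_site_dir SITE_ROOT
# Added example: checks a per-site tree for segmentation slips.
# Prints one line per finding and returns the number of findings (0 = clean).
# Assumes GNU stat (-c) and that .secret/.htpasswd lives under SITE_ROOT.
audit_site_dir() {
    root="$1"
    findings=0

    # 1. The site root must grant no permissions to "other" (last octal digit 0),
    #    otherwise every other site user on the box can list or read it.
    mode=$(stat -c '%a' "$root")
    other=${mode#"${mode%?}"}          # last character of the octal mode
    if [ "$other" != "0" ]; then
        echo "FAIL: $root grants 'other' permissions (mode $mode)"
        findings=$((findings + 1))
    fi

    # 2. The per-site password file must exist and must not be readable or
    #    writable by "other"; a world-readable .htpasswd leaks password hashes.
    hp="$root/.secret/.htpasswd"
    if [ ! -f "$hp" ]; then
        echo "FAIL: $hp is missing"
        findings=$((findings + 1))
    else
        mode=$(stat -c '%a' "$hp")
        other=${mode#"${mode%?}"}
        if [ "$other" != "0" ]; then
            echo "FAIL: $hp is accessible by 'other' (mode $mode)"
            findings=$((findings + 1))
        fi
    fi

    # 3. No world-writable file or directory anywhere under the site root;
    #    -perm -002 is the POSIX spelling of "other has write".
    ww=$(find "$root" -perm -002 | wc -l)
    if [ "$ww" -gt 0 ]; then
        find "$root" -perm -002 | sed 's/^/FAIL: world-writable: /'
        findings=$((findings + ww))
    fi

    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/site
if [ $# -gt 0 ]; then
    audit_site_dir "$1"
fi
```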
Adding a New Webhosting User
To add a new Webhosting User use the below command.
# Run DHL's Add Web User Command.
./DiamondWebServerManager.sh --addwebuser
Running the command will prompt you for details about the new user account.
Copy these details to a secure location; you will never see this data again.
DHL Help Menu
Setup Complete!
That’s it, DHL is ready to go! If you have any issues, reach out to me on GitHub. There are also some helpful tools for troubleshooting websites under the “--manage” flag.
# My GitHub
https://github.com/Brets0150/DiamondHardLAMP