Secure LAMP setup on Amazon Linux AMI

  1. Run updates
  2. Set up automatic security updates
  3. Set up a user account (so you aren't logging in as root)
  4. Set up key-based authentication and restrict SSH login to a set of IPs
  5. Install and configure packages including the LAMP stack, fail2ban and logwatch

First off you will need to connect to the server. The private key must not be readable by anyone else or ssh will refuse to use it. The default login on an Amazon Linux AMI instance is ec2-user; replace the host placeholder with your instance's address.

chmod 400 /path/to/key/private.pem
ssh -i /path/to/key/private.pem ec2-user@your.server.address

Before starting anything, we want to make sure the most recent updates have been installed. Additionally, we will automate security updates: a script in /etc/cron.daily checks for and installs all security updates once a day. The contents of yum-security.cron are not shown here; it is the script that runs the security-only yum update. On Amazon Linux AMI the plugin behind yum --security is packaged as yum-plugin-security on later releases, so if yum reports no package called yum-security, install that instead.

sudo su -
yum update -y
yum install -y yum-security
chmod +x ./yum-security.cron
mv ./yum-security.cron /etc/cron.daily/yum-security.cron

Next we set up a deploy user so we stop working as root. Edit sudoers with visudo rather than vim: visudo checks the syntax before saving, and a syntax error in /etc/sudoers locks everyone out of sudo. Note that NOPASSWD:ALL makes deploy equivalent to root for anyone holding its key, so protect the key accordingly.

useradd deploy
passwd deploy
visudo
deploy  ALL=(ALL)       NOPASSWD:ALL

Next we will configure SSH to accept our key for the deploy user. This is the user we will use from now on. Paste the public half of the key pair into authorized_keys. The server settings live in /etc/ssh/sshd_config (ssh_config is the client's configuration and has no effect on incoming logins). PasswordAuthentication no means a lost key cannot be recovered over SSH, and AllowUsers rejects every login that is not deploy coming from one of the listed addresses, so before restarting sshd keep the current session open and confirm from a second terminal that ssh -i /path/to/key/private.pem deploy@your.server.address works.

cd /home/deploy
mkdir .ssh
touch .ssh/authorized_keys
vim .ssh/authorized_keys
chown -R deploy:deploy .ssh/
chmod 700 .ssh
chmod 600 .ssh/*
vim /etc/ssh/sshd_config
PasswordAuthentication no
AllowUsers deploy@your.ip.addr.ess deploy@another.ip.addr.ess
service sshd restart
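The edit above is easy to get wrong by hand (a commented-out default left in place, a typo that stops sshd from starting). The script below is an added example, not part of the original post: it applies the same settings idempotently and only restarts sshd after sshd -t accepts the file. The file path is a parameter so you can rehearse it on a copy; PermitRootLogin no is my addition and not something the post sets.

```shell
#!/bin/bash
# Added example, not from the original post: apply the sshd settings from the
# walkthrough idempotently and refuse to restart on a config sshd rejects.
# The file path is a parameter so the edit can be rehearsed on a copy first.
# PermitRootLogin no is my addition; the page itself only sets the other two.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." or "#KEY ..." line to "KEY VALUE", or appends
# one if the key is absent. Running it twice leaves a single line.
# (It does not understand Match blocks; keep those below the global settings.)
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> the value of the first uncommented KEY line
get_sshd_option() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# apply_sshd_hardening [FILE]: the settings from the post, plus PermitRootLogin
apply_sshd_hardening() {
    local file="${1:-/etc/ssh/sshd_config}"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers "deploy@your.ip.addr.ess deploy@another.ip.addr.ess"
}

# restart_sshd_if_valid: sshd -t parses the live config and exits non-zero on
# any error, so a typo never takes the daemon down. Keep your current session
# open and test a fresh login with the key before closing it.
restart_sshd_if_valid() {
    sshd -t && service sshd restart
}
```

Run apply_sshd_hardening on a copy first (cp /etc/ssh/sshd_config /tmp/sshd_config.test; apply_sshd_hardening /tmp/sshd_config.test; diff them), then on the real file, then restart_sshd_if_valid. Existing sessions survive the restart, which is what gives you the window to test a new login.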

Now we will install our packages and configure our LAMP stack. mysqld starts with an empty root password, so run mysql_secure_installation as soon as it is up. fail2ban does nothing until its service is started, so enable it at boot as well; fail2ban-client status shows which jails are active. As with yum-security.cron, the contents of logwatch.cron are not shown here; it is the daily script that runs logwatch and mails the report.

yum install -y httpd mysql mysql-server php php-mysql php-xml php-pdo php-odbc \
  php-soap php-common php-cli php-mbstring php-bcmath php-ldap php-imap php-gd \
  fail2ban logwatch git
chkconfig mysqld on
service mysqld start
mysql_secure_installation
chkconfig httpd on
service httpd start
chkconfig fail2ban on
service fail2ban start
usermod -a -G apache deploy
vim ./logwatch.cron

chmod +x ./logwatch.cron
mv ./logwatch.cron /etc/cron.daily/logwatch.cron
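Neither yum-security.cron nor logwatch.cron is shown on this page. The following is an added example, not the post's own files: a small generator for both daily jobs. The commands each job runs are my choice of sensible defaults (the logwatch options in particular are assumptions), and the target directory is a parameter so you can try it in a scratch directory before writing into /etc/cron.daily.

```shell
#!/bin/bash
# Added example, not from the original post: generate the two cron.daily
# scripts the walkthrough moves into place (yum-security.cron and
# logwatch.cron), whose contents the page does not show. The commands they
# run are my choice of a reasonable default; the target directory is a
# parameter so the generator can be tried in a scratch directory first.
set -eu

# write_daily_job DIR NAME COMMAND...
# Creates DIR/NAME as a root-executable script that runs COMMAND with a sane
# PATH (cron's is minimal), under flock so a slow run never overlaps the next
# day's, and sends all output to syslog tagged with NAME so logwatch sees it.
write_daily_job() {
    local dir="$1" name="$2"
    shift 2
    local path="$dir/$name"
    {
        printf '#!/bin/sh\n'
        printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\n'
        printf '# %s: generated daily job\n' "$name"
        printf 'flock -n /var/lock/%s.lock %s 2>&1 | logger -t %s\n' "$name" "$*" "$name"
    } > "$path"
    chmod 755 "$path"
}

# job_command PATH -> the command a generated job runs, minus the flock/logger wrapping
job_command() {
    sed -n '4p' "$1" | sed -E 's/^flock -n [^ ]+ //; s/ 2>&1 \| logger -t .*$//'
}

# install_daily_jobs [DIR]: the two jobs from the post
install_daily_jobs() {
    local dir="${1:-/etc/cron.daily}"
    # security-only updates; --security is provided by the yum-security plugin
    write_daily_job "$dir" yum-security.cron yum -y --security update
    # yesterday's log summary mailed to root at high detail (assumed options)
    write_daily_job "$dir" logwatch.cron logwatch --output mail --mailto root --detail high --range yesterday
}
```

Run install_daily_jobs as root with no argument to write into /etc/cron.daily. One thing to check afterwards: the logwatch RPM on RHEL-derived systems usually ships its own /etc/cron.daily/0logwatch, so remove one or the other rather than mailing the report twice.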

When setting up a new vhost public folder, do the following. httpd already created /var/www, so mkdir -p is used so the command does not fail; the chown hands the tree to deploy with apache as its group. ServerName and NameVirtualHost are appended before the Include so they are in place when the vhost files are read.

su -
mkdir -p /var/www/
chown deploy:apache /var/www/
mkdir /etc/httpd/vhosts
echo 'ServerName localhost' >> /etc/httpd/conf/httpd.conf
echo 'NameVirtualHost *:80' >> /etc/httpd/conf/httpd.conf
echo 'Include vhosts/*.conf' >> /etc/httpd/conf/httpd.conf

The page does not give the file name; anything matching vhosts/*.conf is picked up. Fill in the ErrorLog and CustomLog file names for your site. Two things to get right in the Directory block: Apache requires every keyword on an Options line to carry a +/- prefix or none of them to, so the mixed form is a syntax error, and FollowSymLinks must be on for RewriteEngine to work in a Directory context. The rewrite rules serve real files, symlinks and directories as-is and route every other request to index.php relative to the matched base path.

nano /etc/httpd/vhosts/
<VirtualHost *:80>
    ServerAdmin admin@localhost
    ServerAlias *
    DocumentRoot /var/www/
    DirectoryIndex index.php index.html index.htm

    <Directory /var/www/>
        EnableSendfile Off
        # all keywords signed: mixing +/- with bare keywords is a syntax error
        Options -Indexes -Includes -ExecCGI +FollowSymLinks +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all

        AddType font/opentype .otf

        RewriteEngine On

        # existing files, symlinks and directories are served directly
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]

        # everything else goes to index.php under the request's base path
        RewriteCond %{REQUEST_URI}::$1 ^(/.+)(.+)::\2$
        RewriteRule ^(.*) - [E=BASE:%1]
        RewriteRule ^(.*)$ %{ENV:BASE}index.php [NC,L]
    </Directory>

    ErrorLog /var/log/httpd/
    CustomLog /var/log/httpd/ combined
    LogLevel error
</VirtualHost>

Check the configuration before restarting (httpd -t); a broken vhost file leaves httpd down after the restart.

service httpd restart

