Secure LAMP setup on Amazon Linux AMI

Overview

  1. Run updates
  2. Set up automatic security updates
  3. Set up a user account (so you aren’t logging in as root)
  4. Set up key-based authentication and restrict SSH login to a fixed set of IPs
  5. Install and configure packages including the LAMP stack, fail2ban and logwatch


First off you will need to connect to the server.

chmod 400 /path/to/key/private.pem
ssh -i /path/to/key/private.pem ec2-user@your-server-name.amazonaws.com

Before starting anything, we want to make sure the most recent updates have been installed. Additionally, we will be automating the process of security updates. This will check for and install all security updates once a day.

sudo su -
yum update -y
yum install -y yum-security
wget https://gist.github.com/ifnull/5104689/raw/8092ba049bf54275c0cbd3d51946f37bf823d2da/yum-security.cron
chmod +x ./yum-security.cron
mv ./yum-security.cron /etc/cron.daily/yum-security.cron

Next we need to set up our users.

passwd
useradd deploy
passwd deploy
vim /etc/sudoers
deploy  ALL=(ALL)       NOPASSWD:ALL

Next we will configure SSH to use our private key with the deploy user. This is the user we will use from now on.

cd /home/deploy
mkdir .ssh
touch .ssh/authorized_keys
chown -R deploy:deploy .ssh/
chmod 700 .ssh
chmod 600 .ssh/*
vim /etc/ssh/sshd_config
PasswordAuthentication no
AllowUsers deploy@your.ip.addr.ess deploy@another.ip.addr.ess
vim .ssh/authorized_keys
service sshd restart
ssh deploy@your-server-name.amazonaws.com
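A pre-flight check for the SSH step above, added here as an example and not part of the original post: before the sshd restart it confirms the directives landed in the daemon config (sshd_config, not the client-side ssh_config), that every AllowUsers entry is pinned to a host, and that the .ssh directory and authorized_keys carry the modes set above. The paths are arguments, and the sample config it builds under a temp directory is constructed; on the real host point it at /etc/ssh/sshd_config and /home/deploy/.ssh.

```shell
#!/bin/sh
# Added pre-flight check (example, not from the original post). Run it before
# `service sshd restart`: editing the client file ssh_config instead of
# sshd_config means the hardening never takes effect, and a bare
# "AllowUsers deploy" (no @host) silently drops the IP restriction.

# 0 if the FIRST occurrence of directive $2 in file $1 has value $3
# (sshd uses the first occurrence of a directive and ignores later ones).
sshd_directive_is() {
    got=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ "$got" = "$3" ]
}

# 0 if AllowUsers is present and every entry is pinned to a host (user@host).
allowusers_restricted() {
    awk 'tolower($1) == "allowusers" {
             found = 1
             for (i = 2; i <= NF; i++) if ($i !~ /@/) bad = 1
             exit
         }
         END { if (found && !bad) exit 0; exit 1 }' "$1"
}

# 0 if $1 has exactly octal mode $2 (-maxdepth 0 / -perm work in GNU and BSD find).
mode_is() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# Run all checks against config $1 and .ssh directory $2; report each failure.
sshd_preflight() {
    cfg=$1; sshdir=$2; rc=0
    sshd_directive_is "$cfg" PasswordAuthentication no \
        || { echo "FAIL: PasswordAuthentication is not 'no' in $cfg"; rc=1; }
    allowusers_restricted "$cfg" \
        || { echo "FAIL: AllowUsers missing or has an entry without @host in $cfg"; rc=1; }
    mode_is "$sshdir" 700 || { echo "FAIL: $sshdir is not mode 700"; rc=1; }
    mode_is "$sshdir/authorized_keys" 600 \
        || { echo "FAIL: $sshdir/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# Constructed sample under $1 that follows the walkthrough, for a dry run.
make_sample() {
    mkdir -p "$1/.ssh" && touch "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
    printf '%s\n' 'PasswordAuthentication no' \
        'AllowUsers deploy@203.0.113.10 deploy@203.0.113.11' > "$1/sshd_config"
}
# Stand-alone dry run against the constructed sample; prints nothing when all checks pass.
tmp=$(mktemp -d) && make_sample "$tmp" && sshd_preflight "$tmp/sshd_config" "$tmp/.ssh"; rm -rf "$tmp"
```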


Now we will install our packages and configure our LAMP stack.

yum install -y httpd mysql mysql-server php php-mysql php-xml php-pdo php-odbc \
  php-soap php-common php-cli php-mbstring php-bcmath php-ldap php-imap php-gd \
  fail2ban logwatch git
chkconfig mysqld on
service mysqld start
/usr/bin/mysql_secure_installation
chkconfig httpd on
service httpd start
usermod -a -G apache deploy
wget https://gist.github.com/ifnull/5104918/raw/3677ccb8394820d80befbf409390b5c4a452d76b/logwatch.cron
vim ./logwatch.cron

chmod +x ./logwatch.cron
mv ./logwatch.cron /etc/cron.daily/logwatch.cron

When setting up a new vhost public folder, do the following.

su -
mkdir /var/www/example.com/
chown deploy:apache /var/www/example.com/
mkdir /etc/httpd/vhosts
echo 'Include vhosts/*.conf' >> /etc/httpd/conf/httpd.conf
echo 'ServerName localhost' >> /etc/httpd/conf/httpd.conf
echo 'NameVirtualHost *:80' >> /etc/httpd/conf/httpd.conf

nano /etc/httpd/vhosts/example.com.conf
<VirtualHost *:80>
    ServerAdmin admin@localhost
    ServerName example.com
    ServerAlias *.example.com
    DocumentRoot /var/www/example.com
    DirectoryIndex index.php index.html index.htm

    <Directory /var/www/example.com/>
        EnableSendfile Off
        Options -Indexes -Includes -ExecCGI +FollowSymLinks +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all

        AddType font/opentype .otf

        RewriteEngine On

        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]

        RewriteCond %{REQUEST_URI}::$1 ^(/.+)(.+)::\2$
        RewriteRule ^(.*) - [E=BASE:%1]
        RewriteRule ^(.*)$ %{ENV:BASE}index.php [NC,L]
    </Directory>
    ErrorLog /var/log/httpd/example.com-error.log
    CustomLog /var/log/httpd/example.com-access.log combined
    LogLevel error

</VirtualHost>
service httpd restart
