- How to secure your Debian server by changing the SSH port number (read tutorial here)
- How to secure your Debian server by setting up SSH for passwordless login via public- and private-key cryptography (read tutorial here)
- How to secure your Debian server by updating the buggy OpenSSH Debian package (read tutorial here)
- How to secure your Debian server by configuring a GUI-based firewall named Firestarter (read tutorial here)
- How to simplify Debian administration by setting up a graphical interface (GNOME) to be used via a VNC connection through an SSH tunnel (read tutorial here)
server$ apt-get install apache2 php5 libapache2-mod-php5
(yes, we can use the apt-get install command to install more than one package; in this case we use it to install three packages consecutively)
/var/www. To check that everything went well, we simply create a phpinfo script. Take your favourite editor, like vi, vim, joe or nano. We use nano...
server$ nano /var/www/test.php
<?php phpinfo(); ?>
http://127.0.0.1/test.php
When everything went well, you will see your server-specific PHP configuration.
As this file simply reveals too much about the server's internals, and since we really don't need it anymore, we strongly recommend removing it now.
IV. Install MySQL, PHP5 connector and phpMyAdmin
IV. Part I. Installing MySQL
We still assume you're logged in to your server as root. Enter the following command:
server$ apt-get install mysql-server mysql-client php5-mysql
(this time we again install three packages; we could even have installed PHP and MySQL in one step, that is, given a single apt-get install six package names)
server$ mysql -u root
(log in as user root)
mysql> USE mysql;
mysql> UPDATE user SET Password=PASSWORD('yournewpasswordgoeshere') WHERE user='root';
mysql> FLUSH PRIVILEGES;
server$ apt-get install phpmyadmin
http://yourserver.net/phpmyadmin. We feel this is not a good idea and not a very secure setup. Even if you have already set the MySQL root password, it is not a good idea to leave the standard settings in place, since all the bad guys know them as well. So we have two options. First, we could just put an .htaccess file into that folder. That would work, but it has the small disadvantage that it would show the bad guys that the address http://yourserver.net/phpmyadmin really exists. Therefore we prefer option 2: we make phpMyAdmin available from localhost only (that is, from within the server), move it to a new place and make it accessible on a specific port only (we use a non-privileged port for that). We can still access our beloved phpMyAdmin via SSH-tunneled HTTP or SSH-tunneled VNC directly on the server.
server$ unlink /var/www/phpmyadmin
(we remove the symbolic link, which means that pointing to http://yourserver.net/phpmyadmin won't return any results anymore)
server$ nano /etc/apache2/sites-available/default
</VirtualHost> tag, we insert this:
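Alias /my-pma-is-not-accessible/ "/usr/share/phpmyadmin/"
# Deny/Allow are only valid inside a <Directory> block; Order makes the evaluation explicit
<Directory "/usr/share/phpmyadmin/">
    Options Indexes MultiViews FollowSymLinks
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>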
127.0.0.1 (localhost) as the only Allow from address and bind access to port 8780. So our phpMyAdmin will now be accessible from
port 8780) only. Since port 8780 is behind our firewall and is not accessible from outside, we are quite safe for the beginning.
V. Part III. Security precautions for phpMyAdmin III
As mentioned before, we now have two ways of accessing our beloved phpMyAdmin. The first is simply to use our VNC connection, start a browser on the server machine and let it point to
. The second way is simply to forward port 8780 to our local client browser via an SSH tunnel. Having bound phpMyAdmin access to the new port 8780 solves another issue here: forwarding privileged ports would require root privileges on the client machine. Our somewhat unrefined trick of making Apache listen on a second, non-privileged port lets us forward it to a client machine without a hitch. Let's edit
server$ nano /etc/apache2/ports.conf
ports.conf add this parameter
By now you might guess what this configuration is aiming at. It creates a listening port for Apache on our beloved port 8780, but only on network interfaces that have the IP address 127.0.0.1. This means that if our firewall went down and a port scan returned results, there would be none for port 8780...
server$ /etc/init.d/apache2 restart
client$ ssh -f -N -L 8780:localhost:8780 email@example.com -p 8722
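One way to confirm the ports.conf change described above, as an added example that is not part of the original tutorial: a shell function that reads Apache Listen directives and reports whether a given port is bound to loopback only. The sample Listen lines are constructed, since the tutorial's own parameter is not shown, and audit_listen is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit Apache "Listen" directives for one port.
# Prints one line per matching directive and returns non-zero if any
# of them binds the port on a non-loopback address.

audit_listen() {   # usage: audit_listen <ports.conf> <port>
    awk -v port="$2" '
        # Skip commented-out lines; directive names are case-insensitive.
        /^[ \t]*#/ { next }
        tolower($1) == "listen" {
            spec = $2                       # [address:]port
            n = split(spec, parts, ":")
            p = parts[n]                    # port is the last ":" field
            if (p != port) next
            # No address part means Apache binds every interface.
            addr = (n > 1) ? substr(spec, 1, length(spec) - length(p) - 1) : "*"
            if (addr ~ /^127\./ || addr == "[::1]") {
                print "OK      " spec " (loopback only)"
            } else {
                print "EXPOSED " spec " (reachable on " addr ")"
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the public web port plus a loopback-only bind
# for the phpMyAdmin port used in this tutorial (8780).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Listen 80
Listen 127.0.0.1:8780
EOF
audit_listen "$sample" 8780 && echo "port 8780 is loopback-only"
rm -f "$sample"
```

Run it against /etc/apache2/ports.conf after editing and before restarting Apache; a line starting with EXPOSED means the port would be reachable from other hosts if the firewall failed.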