Debian Server Setup [Deleted]

Question:

Does this also work with Ubuntu?

Answer:


Yes, the basic instructions here are compatible with all Debian-based Linux distros; this of course includes Ubuntu, Mint, and a wide range of other OSes.

Of course you want to use their repositories and not the one for Debian. Repository list can easily be found on the OS's website.

Dotdeb.org repositories have been noted to be backward compatible with both Debian and Ubuntu, but I would still recommend using Ubuntu's own repository sources for Ubuntu.

But to answer your question (publicly), yes, this guide will work for Debian, Ubuntu, Mint, and any other Debian based system. :)
 
Question:

Debian 8, code named, Jessie... Do you believe this is stable enough to use?

Answer:

The smart answer is that you should never use the pre-release build on a production (live site).

However, personally speaking, I have used Debian 8 (Jessie) both on a VPS and it is my current Desktop OS as well. I personally find it stable enough to use. I've even upgraded several dozen VPS and Dedicated Servers to it (upon their personal request).

Only once did something need manual fixing and that was only because someone had customized one of the files (excessively), so technically that would (could) have affected it regardless. So my experience thus far gives it a 99% ratio of it being issue free.

But even though people have requested it and even though I and others have found it to be stable... It is still officially a test build. And you should keep that in mind on the off chance something does go wrong which may need manual fixing. And as such, if you do decide to use it, you should always backup before making changes or upgrading anything.

But so far, I've had no issues with it.
 
Question:

Adam, I followed your guide and got this error
PHP:
No candidate version found for apache2.2-common

Answer:

Welcome to Apache 2.4

apache2.2-common (apache-common) seems to have been phased out in Jessie (Debian 8), because of the migration to Apache 2.4

You can basically obtain the few things it provided by installing the following if you feel it is needed
PHP:
aptitude install apache2-bin apache2-dbg apache2-dev apache2-utils apache2.2-bin apache2-data lsb-base mime-support procps perl

This guide will include this update upon the final release of Debian 8, code named, Jessie.
 
The original guide for
Debian 5, 6, 7



Part 1

I felt this was needed for all the many people here who may wish to develop their XenForo site without the need for a control panel such as cPanel (just dos prompt / command prompt). Typically those of you seeking to use a VPS, Semi-Dedicated, or Dedicated Server for the first time or who are generally new to Linux.

While it is true there are a lot of other guides online, many of them are outdated or insecure.

This guide will cover the easiest and most basic setup for any beginner using Debian Linux, which has the standard advantages of being easy to use, easy to configure, and needing very few system resources.

STEP 1

I'm again going to assume you're starting out with Debian Minimum Install. I'm also going to assume you're using either a dedicated or VPS server, with root access.

1st let's install aptitude. This will make installing programs easier and help you resolve any conflicts (and warn you of them before trying anything).

PHP:
apt-get install aptitude

Next before you go about installing anything, let's make sure to install any update within the core install

PHP:
aptitude update

PHP:
aptitude full-upgrade

Depending on how your web host allows for things and depending on how many or what was upgraded, you may want to reboot (caution: check with your host if this is supported. Most allow this and it is free, but double-check). This can take a few minutes, so do not panic if you're not online right away (you'll need to sign back in once you're online).

To reboot (remember my caution)

PHP:
reboot


Next we're going to install a very simple editor to help you edit things (alternatively, you could always download files and edit them on your PC and then upload them if it is easier). The editor I would suggest if you will edit things manually online is Nano.

PHP:
aptitude install nano

Now we're going to add a few things into your update source list

PHP:
nano /etc/apt/sources.list

Or of course you could download that file and edit on your PC (follow that path)

PHP:
# Debian Main Update
deb http://ftp.de.debian.org/debian stable main contrib non-free
deb-src http://ftp.de.debian.org/debian stable main contrib non-free

deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

The above will add all the repositories from Debian on their main Germany server, which is where updates are posted 1st before they are branched out elsewhere. So you'll get things ASAP when you do update or upgrade.

TIP = It is safe to replace any official Debian Sources that may have already been there, but if you find anything non-official... Odds are good your host may have their own things in there. Do not replace theirs, just the official sources only.

You may also want to add this to your repository (I would suggest you do so)

PHP:
#Debian Backport
deb http://ftp.debian.org/debian/ wheezy-backports main

This is a repository that developers submit things to Debian. It often will help you obtain the newest security patches before they are added onto the Debian main servers. There is a small catch... Sometimes I've been told things here are not always stable... It's never happened to me, but I figure you should know.

Finally we're going to need to add 1 last thing onto the list. No matter if you elect to use Apache2 or nGinx, this is where you'll get the newest stable version.

PHP:
#Dotdeb.org
deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all

If you want to use php 5.5 rather than php 5.4 add this as well

PHP:
#Dotdeb.org php 5.5
deb http://packages.dotdeb.org wheezy-php55 all
deb-src http://packages.dotdeb.org wheezy-php55 all

Save and exit Nano (remember to save)

Now the next step is as follows (this will add the security key for Dotdeb.org)

PHP:
wget http://www.dotdeb.org/dotdeb.gpg
cat dotdeb.gpg | sudo apt-key add -

Next let's once again make sure everything is up to date before we install anything else.

PHP:
aptitude update

PHP:
aptitude full-upgrade

You may get a few updates. If you again happen to get a lot of updates, reboot. (remember my caution and remember this may take some time)

PHP:
reboot
 
The original guide for
Debian 5, 6, 7

Part 2


Now the fun part :)

I'm going to suggest Apache2 with php-fpm and standard MySQL.

Mostly because you're new and setting up nGinx isn't for the faint of heart. But also for the life of you... I don't think you'll want to re-configure and re-write rules for every 3rd party change or add-on you'll add for either XenForo, Word Press, or anything else for that matter.

STEP 2

If you did or needed to reboot a 2nd time, follow the same update and full-upgrade until everything reports there are no updates.

Now after you've completed this.... The fun begins :)

PHP:
aptitude install mysql-server mysql-client

Normally during the install, you will be asked to provide a MySQL Root Password. This is important to NEVER use the MySQL root (if you can help it), but also important to NEVER forget this password either. Make this password long and not easy to guess.

If for some odd reason the install didn't ask you to add a password..... Immediately after you have installed the mysql server, you should change its root password

PHP:
/usr/bin/mysqladmin -u root password 'enter-your-good-new-password-here'

You must never use your root account and password when running databases.
The root account is a privileged account which should only be used for admin procedures. You will need to create a separate user account to connect to your MySQL databases from a PHP script. You can add users to a MySQL database by using a control panel like phpMyAdmin to easily create or assign database permissions for users.

I can not stress enough how many people are stupid and end up using the root name and password. Don't do it.

Now let's install and setup Apache2 :)

PHP:
aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils

Type in your server's IP address (inside your web browser) .... You should see a nice Apache page (typically says, IT WORKS!)

Now let's install PHP

PHP:
aptitude install php5 php5-fpm libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

The above should allow you to run every possible modification you will find on XenForo. Although you can add php5-geoip if you plan on using it or if you feel it is required, but it does use up some resources.

Let's see if php is working

PHP:
a2enmod rewrite
a2enmod include

PHP:
/etc/init.d/apache2 restart

We're going to make a simple php test file

PHP:
<?php

// Show all information, defaults to INFO_ALL
phpinfo();

?>

Name that file as anything you want, as long as it ends with .php

Upload it to:

/var/www/

Type in your servers IP address and add the path to that file

Example = 192.168.1.1/FileName.php

If you see your PHP details all is working :)

Now DELETE that file. It's not really a good idea to keep it on your server.

Now let's install a few random things you may find you'll need.

PHP:
aptitude install curl perl libapache2-mod-perl2 python libapache2-mod-python ntp ntpdate

Now let's restart apache2 again (to load all this). The above adds curl, perl, python, and keeps your site time up to date.

PHP:
/etc/init.d/apache2 restart

At this point, depending on your web host... You may simply be able to type in your domain name and see that nice Apache2 page without typing in your IP address.

Thankfully most hosts (even unmanaged hosts) have an internal dns / bind system. So configuring or installing such isn't required. And saves you resources and helps limit security threats. Be so thankful for our ever-changing world of technology. :)

If this is not the case for you.... I'd think about finding another host. Seriously.

Now you need to make a choice
1) Is this the only domain you will be having on this server

OR

2) Will you have other domain names and / or sub domain names

If option 1 .... Congratulations, you're done. :cool: Pat yourself on the back. Wasn't that easy? :)

The following will allow you to work with phpMyAdmin

PHP:
aptitude install phpmyadmin


You'll be asked if you want phpMyAdmin to make its own database, say NO

PHP:
/etc/init.d/apache2 restart

The user name and password will be your root and password. For this reason, do not leave phpMyAdmin installed. Use it only for how long you need it and then remove it. That is my advice to you.

If you follow my advice, you will need to do the following below (if you do not follow my advice, at least password protect it using .htaccess as an extra level of security. But remember, I warned you)

A whole guide to htaccess can be found on Apache's own web site: http://httpd.apache.org/docs/2.0/howto/htaccess.html

PHP:
aptitude remove phpmyadmin
PHP:
aptitude purge phpmyadmin

PHP:
/etc/init.d/apache2 restart

If option 2 .... A little more work for you....

OPTION 2

So you've decided you want more and thus continued to option 2 :coffee:

PHP:
a2enmod userdir

Configure Apache module userdir in /etc/apache2/mods-enabled/userdir.conf

PHP:
nano /etc/apache2/mods-enabled/userdir.conf

PHP:
<IfModule mod_userdir.c>
  UserDir public_html
  UserDir disabled root

  <Directory /home/*/public_html>
  AllowOverride All
  Options MultiViews Indexes SymLinksIfOwnerMatch
  <Limit GET POST OPTIONS>
  Order allow,deny
  Allow from all
  </Limit>
  <LimitExcept GET POST OPTIONS>
  Order deny,allow
  Deny from all
  </LimitExcept>
  </Directory>
</IfModule>

Create directory as user (not as root)

PHP:
mkdir /home/$USER/public_html

Change group as root (substitute your username) and restart web server

PHP:
chgrp www-data /home/<username>/public_html

PHP:
service apache2 restart

If you get a Forbidden error when accessing home folder through apache check /home/username has permissions drwxr-xr-x. If the permissions are wrong correct them as such:

PHP:
chmod 755 /home/<username>

Next we need to change something for PHP to work this way

PHP:
nano /etc/apache2/mods-available/php5.conf


PHP:
<IfModule mod_php5.c>
  <FilesMatch "\.ph(p3?|tml)$">
  SetHandler application/x-httpd-php
  </FilesMatch>
  <FilesMatch "\.phps$">
  SetHandler application/x-httpd-php-source
  </FilesMatch>
  # To re-enable php in user directories comment the following lines
  # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
  # prevents .htaccess files from disabling it.
  #<IfModule mod_userdir.c>
  #  <Directory /home/*/public_html>
  #  php_admin_value engine Off
  #  </Directory>
  #</IfModule>
</IfModule>

See little instruction note in that? Follow it ;)

Save and exit

PHP:
/etc/init.d/apache2 restart

Done :cool:
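
The separate, non-root MySQL account that Step 2 insists on can be created from the shell like this. This is an added example, not part of the original guide; the database name `xenforo`, the user `xf_app` and the privilege list are assumptions to adjust for your application.

```shell
#!/bin/sh
# Added example: build the SQL for a dedicated application account, so the
# PHP site never connects as MySQL root.

# 32 hex characters from the kernel RNG; hex needs no quoting inside SQL.
gen_password() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Print the SQL for one database and one user limited to that database.
app_user_sql() {  # $1 = database, $2 = user, $3 = password
    for name in "$1" "$2"; do
        case $name in
            ''|*[!A-Za-z0-9_]*)
                echo "refusing name '$name' (letters, digits, _ only)" >&2
                return 1 ;;
        esac
    done
    case $3 in
        ''|*"'"*|*"\\"*)
            echo "refusing empty password or one with a quote/backslash" >&2
            return 1 ;;
    esac
    # Assumption: a typical privilege set for a PHP forum; trim it if your
    # application needs less. Nothing is granted outside this one database.
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\` CHARACTER SET utf8;
CREATE USER '$2'@'localhost' IDENTIFIED BY '$3';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON \`$1\`.* TO '$2'@'localhost';
EOF
}

# Demo: print the statements. To apply them, pipe the output into
#   mysql -u root -p
# and put the same user and password in the application's config file.
app_user_sql xenforo xf_app "$(gen_password)"
```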
 
A little nginx-php5-fpm guide. This guide is using nginx and php from dotdeb!

1. Install nginx
Code:
apt-get install nginx

2. Install php5-fpm
Code:
apt-get install php5-fpm php5-gd php5-mysql

3. Open /etc/nginx/sites-enabled/default, uncomment:
Code:
location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        try_files $uri =404;
}

4. Restart nginx and php5-fpm
Code:
service nginx reload
service nginx restart
service php5-fpm restart
service php5-fpm reload

5. Let's make it more secure. Go to /etc/nginx/nginx.conf. If you see this:
Code:
user www-data;
Okay, now nginx will be running as www-data. Good. Don't change.

Open /etc/php5/pool.d/www.conf If you find this:
Code:
user = www-data
group = www-data
php5-fpm will be running as www-data. Good. Don't change.

6. Now, let's see who's running nginx and php5-fpm
Code:
lsof -i -P
If you see "nginx (some number) www-data blablala tcp *:80"

Your nginx is running as www-data, not root. Good. Now let's see what userid is www-data
Code:
id www-data
If you see 333, you can change it to a non-privileged ID. I'm using 10000
Code:
usermod -u 10000 www-data

Restart nginx and php5-fpm

Whoops! You cannot open your website! Permission, perhaps? Then we need to change nginx root folder permission to www-data
Code:
chown -R www-data:www-data /usr/share/nginx/html

Remember to change the file/folder owner every time you upload a new file to nginx root folder! Example, installing a new addon.

7. Someone said it's a good idea to use basedir. So... open /etc/php5/fpm/php.ini, find "open_basedir" and add nginx root file and /tmp. So the line should look like this:
Code:
open_basedir = /usr/share/nginx/html/:/tmp/

8. You can try hardening your PHP more, like adding some disable_functions. I use this:
Code:
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,shell_exec,system,exec,proc_open,passthru,chgrp,chmod,chown,symlink,touch,link,curl_multi_exec,popen,str_rot13,escapeshellarg,escapeshellcmd,proc_close,dl,ini_alter

But everybody has different needs. Tweak it to your own needs.

Last but not least, please backup your nginx.conf, /sites-enabled/default, and php.ini first before making any change!

Feel free to add correction! :)
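
A quick way to confirm that steps 3, 5, 7 and 8 above took effect is to read the settings back out of the files. This is an added example, not from the original post; the file contents are constructed samples and the list of functions checked is an assumption limited to the command-execution functions named in step 8.

```shell
#!/bin/sh
# Added example: read back the PHP hardening settings from the mini guide.

# Last uncommented "key = value" in an ini-style file (later lines override).
ini_value() {  # $1 = file, $2 = key
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key && NF > 1 { v = substr($0, index($0, "=") + 1)
                             gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }
    ' "$1"
}

audit_php() {  # $1 = php.ini, $2 = php-fpm pool file; returns 1 on any FAIL
    ini=$1; pool=$2; rc=0
    [ "$(ini_value "$ini" cgi.fix_pathinfo)" = 0 ] \
        || { echo "FAIL: cgi.fix_pathinfo is not 0"; rc=1; }
    basedir=$(ini_value "$ini" open_basedir)
    if [ -z "$basedir" ]; then
        echo "FAIL: open_basedir is not set"; rc=1
    else
        old_ifs=$IFS; IFS=:
        for entry in $basedir; do
            case $entry in
                /)  echo "FAIL: open_basedir entry '/' allows the whole filesystem"; rc=1 ;;
                /*) ;;
                *)  echo "FAIL: open_basedir entry '$entry' is not an absolute path"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    fi
    disabled=",$(ini_value "$ini" disable_functions | tr -d ' '),"
    for fn in exec shell_exec system passthru proc_open popen; do
        case $disabled in
            *",$fn,"*) ;;
            *) echo "FAIL: $fn is not in disable_functions"; rc=1 ;;
        esac
    done
    for key in user group; do
        who=$(ini_value "$pool" "$key")
        case $who in
            ''|root|0) echo "FAIL: pool $key is '${who:-unset}'"; rc=1 ;;
            *) echo "OK: pool $key = $who" ;;
        esac
    done
    return $rc
}

# Constructed samples, not copied from a real server.
sample_php_ini() {
    cat <<'EOF'
;cgi.fix_pathinfo=1
cgi.fix_pathinfo = 0
open_basedir = /usr/share/nginx/html/:/tmp/
disable_functions = pcntl_exec,shell_exec,system,exec,proc_open,passthru,popen,dl
EOF
}
sample_pool() {
    cat <<'EOF'
[www]
user = www-data
group = www-data
EOF
}

# Demo on the samples; point audit_php at the real files on your server.
demo_dir=$(mktemp -d)
sample_php_ini > "$demo_dir/php.ini"; sample_pool > "$demo_dir/www.conf"
audit_php "$demo_dir/php.ini" "$demo_dir/www.conf" && echo "all checks passed"
rm -rf "$demo_dir"
```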
 
This guide is arguably safe. Use it at your own risk.

Now we will try to add some protection to SSH.

Open /etc/ssh/sshd_config find: "port 22"

That's a default port for ssh. Let's change it to another port for obscurity. Change it to whatever between 50000 to 65000.

If you prefer using "su -" and want to prevent anyone from logging in as root, add your administrator username to "AllowUsers"

What is administrator username?

Well, certainly when you are installing Debian, the Debian installer asks for an administrator username and password. Use that username in "AllowUsers". Remember this?

15.png


Yeah, that username. :)

Restart ssh daemon:
Code:
service ssh restart

The side effect of this guide is:
> You need to define a port when connecting via SSH
> You cannot edit a file or copy or move a file directly from WinSCP or SSH.
a. You need su - in SSH before use copy/move/delete/edit any file.
b. You can only upload file and folder to administrator home directory, like "/home/blablabla" and move it to nginx root folder via SSH if you wanted to use that file. Don't forget to check file/directory owner!

Feel free to add correction!
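
Because a wrong `AllowUsers` or `Port` line only shows up after the restart, it helps to check the file first while the current session is still open. This is an added example, not from the original post; the username `siteadmin` and the sample file are constructed.

```shell
#!/bin/sh
# Added example: check sshd_config before restarting the SSH daemon.

# Effective value of a global keyword (whitespace-separated form): keywords
# are case-insensitive, the first occurrence wins, and everything after a
# "Match" line is conditional, so scanning stops there.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# AllowUsers is the exception: every global AllowUsers line adds to one list.
sshd_allow_users() {  # $1 = config file
    awk '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

audit_sshd() {  # $1 = config file, $2 = the account you log in with
    cfg=$1; admin=$2; rc=0
    port=$(sshd_value "$cfg" Port); port=${port:-22}
    case $port in
        *[!0-9]*) echo "FAIL: Port '$port' is not a number"; rc=1 ;;
        22) echo "WARN: still listening on the default port 22" ;;
        *)  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
                echo "OK: Port $port (connect with: ssh -p $port $admin@host)"
            else
                echo "FAIL: Port $port is outside 1-65535"; rc=1
            fi ;;
    esac
    # Entries may be written user@host; compare on the user part only.
    users=$(sshd_allow_users "$cfg" | sed 's/@.*//')
    if [ -z "$users" ]; then
        echo "WARN: no AllowUsers line, every account may log in"
    elif ! printf '%s\n' "$users" | grep -qxF -- "$admin"; then
        echo "FAIL: AllowUsers does not list '$admin', a restart would lock you out"
        rc=1
    else
        echo "OK: '$admin' is listed in AllowUsers"
    fi
    if printf '%s\n' "$users" | grep -qxF root; then
        echo "WARN: root is listed in AllowUsers"
    fi
    return $rc
}

# Constructed sample, not a real server's file.
sample_sshd_config() {
    cat <<'EOF'
# What ports, IPs and protocols we listen for
Port 50022
#Port 22
PermitRootLogin yes
AllowUsers siteadmin
EOF
}

# Demo on the sample; on a server run: audit_sshd /etc/ssh/sshd_config <you>
tmp=$(mktemp); sample_sshd_config > "$tmp"
audit_sshd "$tmp" siteadmin
rm -f "$tmp"
```

Keep the existing SSH session open and test a second login on the new port before closing it.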
 
This image in your mini guide failed to load for me @Sheratan
http://static.howtoforge.com/images/perfect_server_debian_squeeze_ispconfig2/15.png

But for the record, I wrote this guide so people would NOT use guides found on howtoforge.com. There are a ton of them on that site which leave huge exploits. And some of those guides even trick you into adding exploits. :confused:

I read one guide there that actually tricked unsuspecting users to chmod their root path 777. :eek: And I can imagine some inexperienced newbie not knowing any better, just easily following a copy & paste mentality.

Another thing is I think that site often adds way too many unneeded steps. Asking you to edit far too much. And that is why a lot of people who follow those guides, often end up with broken systems when they update or upgrade anything.

I'm not saying this guide is bad. And I love your enthusiasm and eagerness to help. :)

Originally, I was going to suggest a nginx guide should be its own guide, but I actually would like to see it included in this guide "Debian Server Setup", so people could easily find it all in 1 place. Which is what it seems you're willing and eager to see as well.

So here is what I am going to do.... I'm going to ping @MattW and @Tracy Perry (Hi guys) and ask them really nicely to look over what you have submitted. Because I'm not an nginx person.
 
I'm just lazy to create an example image. :D

And the guide above is not that insecure howtoforge guide. ;)

Next day I will add some guide to secure MySQL. And anyway, feel free to correct my guide. :D
 
Ubuntu Users:

There currently is an Open LiteSpeed repository for you, if you want to try it. Open Lite Speed is a web server designed as an alternative to Apache.

There are 2 ways you can add it.

The quick, easy, and in my opinion dirty way is thus

PHP:
add-apt-repository ppa:stefanobalocco/openlitespeed

Or you can manually add it to your source list

PHP:
deb http://ppa.launchpad.net/stefanobalocco/openlitespeed/ubuntu X main
deb-src http://ppa.launchpad.net/stefanobalocco/openlitespeed/ubuntu X main

^ Replace X with the proper code name for your linux distro ... ie... For example, if you were using 14.04 you would replace X with the word "trusty". Just as with 12.04 you would use the word "precise".

It's up to you to know your distro code name, but usually it's not hard to figure out since your source list will have this already listed several times.
 
Debian users who use dotdeb.org and who followed my guide... For animated avatars without installing the perl install of image magick (who stuck to only using the simple apt-get or aptitude install package)

Add this to your php.ini file then restart apache for a cool surprise
PHP:
extension=/usr/lib/php5/20121212/imagick.so
 
Question:
What do you recommend for memory, execution time, and file size?

Answer:
I get this all the time and these are the values I would suggest on a 2 GB Ram system

PHP:
memory_limit = 512M
max_execution_time = 120
max_input_time = 120
upload_max_filesize = 128M

Of course if you have A LOT of add-ons or maybe feel you'll be importing something, I would suggest changing the 120 values to 300.
 
Adam Howard updated Debian Server Setup with a new update entry:

small maintenance update

No changes or updates are required of you. This update is really only a little maintenance update to the guide itself.

Although I did add fail2ban as a suggested item to install for security.
PHP:
aptitude install fail2ban
You can keep the default settings or configure it by editing
PHP:
nano /etc/fail2ban/jail.conf

Updated the FAQ to link to a few mini guides that were long posted in the thread.

Also updated the methods of restarting apache2 (included...

Read the rest of this update entry...
 
It would be great if there would also be instructions for setting up Email, ftp access, and ssh.
 
This guide was made to keep it simple for the most simplest newbie trying to setup something for XenForo.

Alone php can and does send out XenForo emails, so that was never added to the guide (install php and you're good to go).

SFTP is already installed and is secure, compared to normal FTP. This too is taken care of when you make users (covered in this guide).

SSH is also already standard and installed. I could have gotten into more on it, but I wanted this to be kept simple and compatible for everyone (not everyone can use keys for example).
 
^^ However.... I will re-visit this when Debian 8 (currently in testing) is released. A LOT changes in that build and it would be a good time for me to take advantage of expanding the guide at that time
 
Thanks for the clarification.
 
Tip:

If you feel your VPS or Dedicated server is not resolving outside sources (such as maybe Ubuntu's repositories), do the following.
PHP:
nano /etc/resolvconf/resolv.conf.d/tail
Add the following
PHP:
nameserver 8.8.8.8
nameserver 8.8.4.4
If your host also support v6 IP addresses, you can also add this
PHP:
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
Save then enter the following command at ssh
PHP:
/etc/init.d/resolvconf restart
What this does is adds Google DNS as a solution to help resolve things.

This tip will be included in the updated guide ;)
 
Tip:

If you're using Ubuntu and you really do not feel like using Dotdeb.org for whatever reason (maybe you really just want pure Ubuntu built sources) and yet still want the latest version.... This is an alternative for you.

Ubuntu 14.04 LTS
PHP:
nano /etc/apt/sources.list
Add
PHP:
###### https://launchpad.net/~ondrej/+archive/php5 (PPA Source)
deb http://ppa.launchpad.net/ondrej/php5/ubuntu trusty main
deb-src http://ppa.launchpad.net/ondrej/php5/ubuntu trusty main
Save, close
PHP:
aptitude update
You'll get a small harmless error telling you that the source does not have a public key. Run this command
PHP:
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4F4EA0AAE5267A6C
Now run
PHP:
aptitude update
The error should now be resolved. If it is not, note down the number key at the end of that error (at the moment it is 4F4EA0AAE5267A6C) and run that command with that key in place of the one I just listed (they normally never change, but it's food for thought).

You can now install or upgrade your php to the most current PHP 5.5.x version.

DONE :)

************

You can technically try php 5.6 however, I would NOT suggest you do so until the final version (it's currently in Alpha pre-release). As such not all modules are yet ported over and what you end up with may not even work. BUT if you wish to do so on a local pc or you have an extra VPS or Dedicated test server....

PHP:
deb http://ppa.launchpad.net/ondrej/php5-5.6/ubuntu trusty main
deb-src http://ppa.launchpad.net/ondrej/php5-5.6/ubuntu trusty main
^ You use 5.6 beta at your own risk and don't bother asking for support.
 