Add Swap Memory on Debian 10

Add Swap Memory on Debian 10

Checking no active swap with free -h and swapon --show command

#swapon --show
#free -h
             total       used       free     shared    buffers     cached
Mem:          492M       451M        41M        17M       125M       204M
-/+ buffers/cache:       120M       371M
Swap:           0B         0B         0B

No swap space active, then checking available space on the hdd

#df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda2       20G  1.8G   17G  10% /
udev             10M     0   10M   0% /dev
tmpfs            99M   13M   87M  13% /run
tmpfs           247M     0  247M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           247M     0  247M   0% /sys/fs/cgroup

Plenty of space available on the disk with /. ,Generally, an amount equal to or double the amount of RAM on your system is a good starting point.

Creating a Swap File with the fallocate program. Since the server as 512MB of RAM, we will create a 512MB file in this guide.

#fallocate -l 512MB /swapfile

We can verify that the correct amount of space was reserved by typing:

#ls -lh /swapfile
-rw-r--r-- 1 root root 489M Nov 3 06:56 /swapfile

Enabling the file as swap and swap space

#chmod 600 /swapfile
#mkswap /swapfile
Setting up swapspace version 1, size = 499996 KiB no label, UUID=a81f762c-ef8a-40b5-a845-52aed148aeea
#swapon /swapfile

Verify that the swap is available by typing:

#swapon --show
NAME TYPE SIZE USED PRIO
/swapfile file 488.3M 0B -1
#free -h
total used free shared buffers cached
Mem: 492M 456M 35M 17M 125M 205M
-/+ buffers/cache: 125M 367M
Swap: 488M 0B 488M

Our swap has been set up successfully

Making the Swap File Permanent, by adding the swap file to our /etc/fstab

#cp /etc/fstab /etc/fstab.bak
#echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab

Tuning Swap by Adjusting the Swappiness and Cache Pressure Setting

Set vm.swappiness and vm.vfs_cache_pressure value automatically by add the line to bottom of /etc/sysctl.conf

#nano /etc/sysctl.conf
vm.swappiness = 10
vm.vfs_cache_pressure = 50

Check the current swappiness value by typing:

cat /proc/sys/vm/swappiness
60

For a Desktop, a swappiness setting of 60 is not a bad value. For a server, you might want to move it closer to 0. Set the swappiness to a different value by using the sysctl.For instance set the swappiness to 10

#sysctl vm.swappiness=10
vm.swappiness = 10

Set value automatically by adding the line to bottom of /etc/sysctl.conf

#nano /etc/sysctl.conf
vm.swappiness=10

Save and close the file when you are finished.

Check the current Cache Pressure Setting

Configures how much the system will choose to cache inode and dentry information over other data.

#cat /proc/sys/vm/vfs_cache_pressure
100

Set this to a more conservative setting like 50 by typing:

#sysctl vm.vfs_cache_pressure=50
vm.vfs_cache_pressure = 50

Set value automatically by adding the line to bottom of /etc/sysctl.conf

#nano /etc/sysctl.conf
vm.vfs_cache_pressure=50

Save and close the file when you are finished.

Source : From https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-debian-10

HTTP/2 SSL PHP7 MariaDB on Debian 9

Requirements to enable HTTP/2 in Apache2;

  • Apache 2.4.17 or above, HTTP/2 is supported from this version and upwards
  • Prefer Debian 9 because uprade the Apache 2.4.10 on Deb 8 very complicated
  • Enable HTTPS, HTTP/2 only work over HTTPS. Also, TLS protocol version>= 1.2 with modern cipher suites is required
  • PHP7 or above
#cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"

Update and upgrade the System then Install Apache2

#apt-get update -y && apt-get upgrade -y
#apt-get install apache2 -y
#apache2ctl -v
Server version: Apache/2.4.25 (Debian)

Enable and load mod_rewrite Apache2

#nano /etc/apache2/apache2.conf and replace “AllowOverride None” to “AllowOverride All”

#a2enmod rewrite
#a2enmod headers
#a2enmod expires

Install PHP7.0-FPM and other required components

#apt-get install php7.0-fpm -y && apt-get install php7.0-mysql -y && apt-get install php7.0-gd -y && apt-get install php-pear php7.0 -y

Disable the mod_php module to PHP-FPM mode

#a2dismod php7.0
ERROR: Module php7.0 does not exist!
#a2dismod mpm_prefork
Module mpm_prefork already disabled

Tell Apache to use PHP FastCGI, set the Apache use a compatible PHP implementation by changing mod_php to php-fpm (PHP FastCGI).

#a2enconf php7.0-fpm
#a2enmod proxy_fcgi
#a2enmod mpm_event
#systemctl restart apache2

Next Install SSL Certificate Apache Debian https://vpshelpdesk.com/2017/11/18/install-ssl-certificate-apache-debian

SSL test on Qualys SSL Labs Rating A Configuration https://vpshelpdesk.com/2020/03/30/ssl-test-qualys-ssl-labs-rating-configuration/

Activate HTTP/2 protocol on default-ssl.conf

Insert Protocols h2 h2c http/1.1 after <VirtualHost _default_:443> on /etc/apache2/sites-available/default-ssl.conf

#nano /etc/apache2/sites-available/default-ssl.conf

Then follow the command below

#a2enmod ssl
#a2enmod http2
#a2ensite default-ssl
#systemctl restart apache2

Check HTTP/2 at https://http2.pro https://tools.keycdn.com/http2-test 

Then install MariaDB

#apt-get -y install mariadb-server mariadb-client
#mysql_secure_installation

Set Up OpenVPN Server with sh script

Update and Upgrade the system

#apt-get update -y && apt-get upgrade -y

Find and note down your IP address, use the ip command as follows;

#ip addr
#ip a show eth0

If the public IP address not showed, use the dig command/host command

#dig +short myip.opendns.com @resolver1.opendns.com

OR

#dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

Download and run openvpn-install.sh script

#wget https://git.io/vpn -O openvpn-install.sh
#wget https://vpshelpdesk.com/files/openvpn-install.sh

OR

#wget https://git.io/vpn -O openvpn-install.sh
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.76.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23079 (23K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh                      100%[============================================================================>]  22.54K  --.-KB/s    in 0.001s

2020-10-26 14:33:15 (25.0 MB/s) - ‘openvpn-install.sh’ saved [23079/23079]

root@iZj6cij2s4ft9b2k2h81nmZ:/home#

Setup permissions using the chmod command:

#chmod +x openvpn-install.sh

One can view the script using a text editor such as nano/vim:

#nano openvpn-install.sh

Run openvpn-install.sh to install OpenVPN server

#./openvpn-install.sh

Follow the instruction

Welcome to this OpenVPN road warrior installer!
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [222.222.222.1]:

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]:

What port should OpenVPN listen to?
Port [1194]:

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]:

Enter a name for the first client:
Name [client]: client1

OpenVPN installation is ready to begin.
Press any key to continue...
..................
..................
Finished!

The client configuration is available in: /root/client1.ovpn
New clients can be added by running this script again.
root@iZj6cij2s4ft9b2k2h81nmZ:~#

Check if the OpenVPN server has been installed successfully, the tun0 available with #ip addr or #ifconfig

root@iZj6cij2s4ft9b2k2h81nmZ:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:16:3e:06:54:02 brd ff:ff:ff:ff:ff:ff
inet 172.01.1.12/20 brd 172.01.143.255 scope global dynamic eth0
valid_lft 315358011sec preferred_lft 315358011sec
inet6 fe80::216:3eff:fe06:5402/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever

Start/stop/restart OpenVPN server with systemctl command:

#systemctl stop openvpn-server@server.service 
#systemctl start openvpn-server@server.service 
#systemctl restart openvpn-server@server.service
#systemctl status openvpn-server@server.service

To add more client run the openvpn-install.sh again

root@iZj6cij2s4ft9b2k2h81nmZ:~# ./openvpn-install.sh
OpenVPN is already installed.

Select an option:
 1) Add a new client
 2) Revoke an existing client
 3) Remove OpenVPN
 4) Exit
Option: 1

Provide a name for the client:
Name: client2
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Generating a RSA private key
.........................................................................................................................................................................+++++
.............................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1952.6girut/tmp.4cIY4C'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1952.6girut/tmp.07hFfF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client2'
Certificate is to be certified until Oct 24 06:48:16 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

client2 added. Configuration available in: /root/client2.ovpn
root@iZj6cij2s4ft9b2k2h81nmZ:~#

To connect the OpenVPN server with OpenVPN Client download the client configuration (client.ovpn, client2.ovpn, etc), use WinSPC to download

Multiple SSL certificates on single IP address

Multiple SSL certificates on single IP address

Create the virtual host ssl inside the sites-available

#cd /etc/apache2/sites-available/
#cp default-ssl.conf web1.com-ssl.conf
#cp default-ssl.conf web2.com-ssl.conf

Make sure link on the /etc/apache2/sites-enable exist, the origin from the sites-available

#cd /etc/apache2/sites-enable
#ln -s /etc/apache2/sites-available/web1.com-ssl.conf
#ln -s /etc/apache2/sites-available/web2.com-ssl.conf
#ls -la /etc/apache2/sites-enabled
total 8
drwxr-xr-x 2 root root 4096 Apr 13 18:49 .
drwxr-xr-x 9 root root 4096 Apr 13 18:39 ..
lrwxrwxrwx 1 root root 35 Feb 15 09:57 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 58 Apr 13 18:48 web1.com-ssl.conf -> /etc/apache2/sites-available/web1.com-ssl.conf
lrwxrwxrwx 1 root root 54 Apr 13 18:49 web2.com-ssl.conf -> /etc/apache2/sites-available/web2.com-ssl.conf

Debian 9 with old PHP 5.6 and MySQL 5.6, 5.7 or 8.0 and Apache2

Debian 9 with old PHP 5.6 and MySQL 5.6, 5.7 or 8.0 and Apache2

Run below commands to upgrade the current packages to the latest version

#apt update
#apt upgrade

Install the Apache2 package

#apt install apache2

Execute the following commands to install the required packages first on your system. Then import packages signing key. After that configure PPA for the PHP packages on your system.

#apt install ca-certificates apt-transport-https
#wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
#echo "deb https://packages.sury.org/php/ stretch main" | tee /etc/apt/sources.list.d/php.list

Installing PHP 5.6

Execute the following commands for installing PHP 5.6 on your Debian 9 Stretch system.

#apt update
#apt install php5.6

Also install required php modules.

#apt-get install php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml php5.6-gd

Install MYSQL Version 5.6, 5.7 or 8.0, better 5.7 or 8.0

#apt -y install wget
#wget https://repo.mysql.com//mysql-apt-config_0.8.13-1_all.deb
#dpkg -i mysql-apt-config_0.8.13-1_all.deb

During the installation the system will prompt to select MySQL version. Choose which MySQL version, 5.6, 5.7 or 8.0 available to choose then OK

#apt update
#apt -y install mysql-server

Finish up by running the MySQL secure_installation

#mysql_secure_installation

Test php working or not

Create new php file at /var/www/html

#vim info.php

write

<?php phpinfo(); ?>

Open browser http://localhost/info.php

Enable and load mod_rewrite Apache2 on Debian 8

#a2enmod rewrite

Then open and edit /etc/apache2/apache2.conf find

Options Indexes FollowSymLinks
AllowOverride All
Require all granted

Replace “AllowOverride None” to “AllowOverride all”

Enable Apache2 mod_headers & mod_expires on

To increase PageSpeed: Leverage browser caching.

enable mod_headers:

#a2enmod headers

enable mod_expires:

#a2enmod expires

Then restart Apache server to make these changes effective

#service apache2 restart

 

Set up iptables On Debian 8 Debian 9

Faster way paste this on console

/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

IP-Tables are not persistent On Debian 8, save permanent the new rules to the master iptables file:

#iptables-save > /etc/iptables.up.rules

Make sure the iptables rules are started on a reboot we’ll create a new file:

#nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

#chmod +x /etc/network/if-pre-up.d/iptables
#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

 

Error apt-get update upgrade Debian 8 Release file expired

$sudo apt-get update

E: Release file for http://cloudfront.debian.net/debian/dists/jessie-backports/InRelease is expired (invalid since 487d 11h 2min 2s). Updates for this repository will not be applied

Solutions

Add this to the command:

-o Acquire::Check-Valid-Until=false

For example:

sudo apt-get -o Acquire::Check-Valid-Until=false update
sudo apt-get -o Acquire::Check-Valid-Until=false dist-upgrade

then

apt-get install -y software-properties-common
apt-get install apache2
apt-get install php5.6
apt-get install php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml php5.6-gd
apt-get install mariadb-server
iptables -L
/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

iptables -L

apt-get install iptables-persistent

Sudo user in Debian

Install the “sudo” Command
You need to run this command as root user:

user@debian:~$ su -
Password:
root@debian:~ # apt-get install sudo

Create a new user account.

#/usr/sbin/adduser admin

Add the user to the sudo group; By default on Debian systems, members of the group sudo are granted with sudo access. To add a user to the sudo group use the usermod command:

#usermod -aG sudo admin

Check the sudo access

#id admin
uid=1001(admin) gid=1001(admin) groups=1001(admin),27(sudo)

The user admin a member of sudo group now and to work as a root, every command must start with sudo (sudo reboot, sudo vim, sudo del, sudo mkdir, sudo……)

Error and solutions

admin@debian9:~$ sudo ifconfig
sudo: unable to resolve host (none)

Solutions

Insert hostname to /etc/hostname and /etc/hosts something like:

127.0.0.1    localhost.localdomain localhost
127.0.1.1    debian9

Disable IPv6 Debian 8

Disable IPv6 Debian 8 / Ubuntu

If can’t remove IPv6 on Debain 8 from hosting admin menu, It can disable through terminal

Debian-based/Ubuntu

sudo bash -c 'cat <<EOF >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF'

Configure SSH daemon to only listen over IPv4 by running the following:

echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

Then Reboot #reboot