Linux VPS Help Desk, Tutorials, How to Set Up, Install, Configure, etc
How to bypass BAD PASSWORD: The password fails the dictionary check – it is based on a dictionary word on Debian 11.
in /etc/pam.d/common-password add dictcheck=0 to the line below:
#nano /etc/pam.d/common-password #password requisite pam_pwquality.so try_first_pass local_users_only authtok_type= minlen=8 retry=3 difok=3 enforce_for_root password requisite pam_pwquality.so try_first_pass local_users_only authtok_type= minlen=8 dictcheck=0 retry=3 difok=3 enforce_for_root
ADD dictcheck=0
Upgrade or Install PHP 8.x on Debian running Apache2
1. List existing PHP packages to packages.txt which can be referred anytime.
dpkg -l | grep php | tee packages.txt
2. Updating Debian as root
#apt update #apt upgrade -y && reboot
2. Add SURY PHP PPA Repository
SURY is a third-party repository that offers current PHP versions for Debian GNU/Linux, which is added as root.
#apt -y install lsb-release apt-transport-https ca-certificates wget #wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg #echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list #apt update -y
3. Installing PHP 8.x on Debian
#apt -y install php8.2 #update-alternatives --set php /usr/bin/php8.2
More than one PHP version can be installed on the system, run update-alternatives –set php [version] to enable a Version.
4. Install Important Web Modules for PHP 8.2 on Debian
#apt -y install libapache2-mod-php8.2 php8.2-mysql php8.2-gd -y #systemctl restart apache2
5. Module for WordPress server
#apt install php8.2-gd php8.2-mbstring php8.2-xml php8.2-xmlrpc php8.2-curl
6.Check the current PHP version
#php -v
PHP 8.2.14 (cli) (built: Dec 21 2023 20:21:17) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.14, Copyright (c) Zend Technologies
with Zend OPcache v8.2.14, Copyright (c), by Zend Technologies
7. Activate PHP 8.2
#a2dismod php7.3 #a2enmod php8.2 #systemctl apache2 restart
Optional Remove the old version of PHP
#apt-get purge --auto-remove php7*
Install iptables Debian 11 (Bullseye) and basic rules initial configuration.
IPtables is being replaced by nftables starting with Debian 10 Buster. Debian 11 comes with nftables framework. So to install iptables first we need uninstall nftables and its dependencies.
Uninstall nftables and its dependencies.
#apt-get remove --auto-remove nftables #apt-get purge nftables
Install IPtables in Debian 11
#apt-get update -y #apt-get install iptables -y
Configure iptables rules for website
Faster way paste this on console
/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP
New script only open port 22, 80, 443, 25, 465,587
/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP
Debian 11 IPtables persistent make your iptables rules persistent install iptables-persistent package:
#apt-get install iptables-persistent
Debian 11 IPtables Save to update iptables with new rules use IPtables Save
#iptables-save > /etc/iptables/rules.v4 #ip6tables-save > /etc/iptables/rules.v6
Debian 11 Restore to restore iptables configuration form iptables
#iptables-restore < /etc/iptables/rules.v4
#/usr/sbin/iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp echo-request DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:urd ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
#cd /var/www #mkdir -p /var/www/mydomainname.com #chmod -R 755 /var/www/mydomainname.com #chown -R www-data:www-data /var/www/mydomainname.com #mkdir -p /var/log/apache2/mydomainname.com #cd /etc/apache2/sites-available/ #cp 000-default.conf mydomainname.com.conf
#vim mydomainname.com.conf
Insert code below
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mydomainname.com
ServerAlias www.mydomainname.com mydomainname.com
DocumentRoot /var/www/mydomainname.com
<Directory /var/www/mydomainname.com>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/mydomainname.com/error.log
CustomLog ${APACHE_LOG_DIR}/mydomainname.com/access.log combined
</VirtualHost>
Activate
#a2ensite mydomainname.com.conf Enabling site mydomainname.com. To activate the new configuration, you need to run: systemctl reload apache2 # systemctl reload apache2
Check
#ls -la /etc/apache2/sites-enabled/ total 8 drwxr-xr-x 2 root root 4096 May 31 18:35 . drwxr-xr-x 9 root root 4096 Apr 10 15:07 .. lrwxrwxrwx 1 root root 35 Apr 10 13:23 000-default.conf -> ../sites-available/000-default.conf lrwxrwxrwx 1 root root 54 May 31 18:30 mydomainname.com.conf -> /etc/apache2/sites-available/mydomainname.com.conf
To add more virtual hosts for another domain please follow the step above
First, let’s make sure our package manager is up to date.
#apt update -y && apt upgrade -y #apt install snapd #snap install core #snap refresh core
Now, we can install certbot.
#snap install --classic certbot
Prepare the certbot command, so it can be ran from the command line.
#ln -s /snap/bin/certbot /usr/bin/certbot
Finally run de certbot to start and follow the instructions on screen.
#certbot --apache
#certbot --apache root@servero:/etc/fail2ban/action.d# certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): themail@domainname.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Account registered. Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): domainname.com Requesting a certificate for domainname.com Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/domainname.com/fullchain.pem Key is saved at: /etc/letsencrypt/live/domainname.com/privkey.pem This certificate expires on 2023-08-25. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background. Deploying certificate Successfully deployed certificate for domainname.com to /etc/apache2/sites-available/000-default-le-ssl.conf Congratulations! You have successfully enabled HTTPS on https://domainname.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - root@servero:/etc/fail2ban/action.d#
Check if Certbot SSL Certificates config already added to apache conf
#ls -la /etc/apache2/sites-available/ total 24 drwxr-xr-x 2 root root 4096 May 27 07:29 . drwxr-xr-x 8 root root 4096 May 27 07:29 .. -rw-r--r-- 1 root root 1467 May 27 07:29 000-default.conf -rw-r--r-- 1 root root 1547 May 27 07:29 000-default-le-ssl.conf -rw-r--r-- 1 root root 6338 Apr 21 22:01 default-ssl.conf
Check by open the 000-default-le-ssl.conf
#vim 000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName domainname.com
SSLCertificateFile /etc/letsencrypt/live/domainname.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domainname.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
source: https://msmtech.ca/blog/guides/how-to-install-an-ssl-certificate-with-certbot-on-ubuntu-and-apache/
Remove certbot using snap
If you have installed certbot using snap, this will work perfectly to remove
#sudo snap remove certbot
#sudo apt-get install ufw #sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Enter Y, and proceed to allow connections to your server
Firewall is active and enabled on system startup
Check whether UFW is running:
#sudo ufw status Status: active To Action From -- ------ ---- 22/tcp ALLOW Anywhere 22/tcp (v6) ALLOW Anywhere (v6)
Allow Connections to Your Server
#sudo ufw allow 80
#sudo ufw allow 80/tcp #sudo ufw allow 443/tcp
If you are unsure of its port number. For example, to enable MySQL:
#sudo ufw allow mysql
Specify Filtering Mode
Incoming Traffic.
#sudo ufw allow in ftp
Outgoing Traffic.
#sudo ufw allow out smtp
Deny Connections to Your Server
#sudo ufw deny 3306
Removing Firewall Rules
Checking UFW status with the parameter numbered. This allows you to select a rule by entry number.
#sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Apache DENY IN Anywhere
[ 2] 80 DENY IN Anywhere
[ 3] 22 ALLOW IN Anywhere
(out)
Delete the rules by the numbers in square brackets[]
#sudo ufw delete 3Set Logging Level
By default, the Uncomplicated Firewall logging level is set to low. However, multiple logging levels are supported, and you have a preferred setting based on what firewall logs you wish to keep.
off disables ufw logging.
low logs blocked packets that don’t match your set rules and packets matching logged rules.
medium logs low level, allowed packets that don’t match the set policy, invalid packets, and all new connections to your server.
high logs medium without attempts/rate-limiting and all packets with attempt limiting.
full logs all firewall packets without rate/access attempts limiting.
To set your UFW logging level, use the command below.
#sudo ufw logging LEVEL
For example:
#sudo ufw logging medium
To enable logging for a specific firewall rule, such as SSH, use the command.
#sudo allow log 22/tcp
Enable IPV6 Support
#sudo vim /etc/default/ufw
Locate the IPV6 line and make sure it is set to yes
IPV6=yesDisable / Reload UFW
To disable (stop) Uncomplicated Firewall, run the command.
#sudo ufw disable
If you need to reload UFW (reload rules), use the reload parameter.
#sudo ufw reload
To restart UFW, you will need to disable it first and then enable it again.
#sudo ufw disable
#sudo ufw enable
Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.
If you need to reset UFW back to default settings, type the following command. This will delete all existing rules and reset the firewall to default values.
user@example:~#ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh
connections. Proceed with operation (y|n)?https://www.vultr.com/docs/how-to-configure-uncomplicated-firewall-ufw-on-ubuntu-20-04/
Requirements to install X2Go is VPS with high memory min 6GB
Install and configure the Full Desktop Environment. This is similar to what you would get if you installed Debian from a bootable DVD/USB memory stick to your local PC:
#apt-get update && apt-get upgrade -y
Step 1: Installing the Desktop Environment
#apt-get install task-xfce-desktop -y
Install xfce4 and all of the additional dependencies needed to support it:
#apt-get install xfce4
Step 2: Install X2Go on your server, type the following command:
#apt-get install x2goserver x2goserver-xsession
Step 3: Installing the X2Go Client Locally
On Linux
#apt-get install x2goclient
On Windows download X2Go Client at https://wiki.x2go.org/doku.php/download:start
Step 4: Connecting To the Remote Desktop
In the top-left menu select New session
Enter your server’s IP address or hostname in the Host field under Server.
Enter the username you used for your SSH connection in the Login field.
And, since you installed XFCE in Step Two, choose XFCE as your Session
Source https://www.digitalocean.com/community/tutorials/how-to-set-up-a-remote-desktop-with-x2go-on-debian-10
To quickly install Composer in the current directory, run the following script in your terminal. To automate the installation, use the guide on installing Composer programmatically.
#cd /var/www/html
#php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
#php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
If the result Installer corrupt, visit https://getcomposer.org/download/
#php composer-setup.php
#php -r "unlink('composer-setup.php');"
Most likely, you want to put the composer.phar into a directory on your PATH, so you can simply call composer from any directory (Global install)
#mv composer.phar /usr/local/bin/composer
Install PHPMAILER
#composer require phpmailer/phpmailer
apt-get update -y && apt-get upgrade -y
apt-get install curl -y
curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
If you do not have curl, you can alternatively use a recent wget:
sudo wget https://yt-dl.org/downloads/latest/youtube-dl -O /usr/local/bin/youtube-dl
sudo chmod a+rx /usr/local/bin/youtube-dl
UPDATE Youtube-dl
youtube-dl -U
apt-get install software-properties-common -y
apt-get install ffmpeg -y
Create Symbolic Links python3 to python to recognize youtube-dl
ln -s /usr/bin/python3 /usr/local/bin/python
DOWNLOAD ONLY AUDIO MP3
youtube-dl –extract-audio –audio-format mp3 –format ‘bestaudio’ URL
DOWNLOAD NORMAL MP4
youtube-dl URL
DOWNLOAD HIGH RES MP4
youtube-dl -f ‘bestvideo[ext=mp4]+bestaudio[ext=m4a]/best[ext=mp4]/best’ URL
Source : https://ytdl-org.github.io/youtube-dl/index.html
Change Hostname, Update, Upgrade, Install Zip Unzip and VIM
#apt-get update -y #apt-get upgrade -y #nano /etc/hostname
#apt-get install zip -y #apt-get install unzip -y #apt-get install vim -y
Enable vim cut paste
If needed “Add Swap Memory on Debian 10”
If needed “Increase SSH Connection Timeout in Linux”
#vim /etc/ssh/sshd_config ClientAliveInterval 1200 ClientAliveCountMax 3
#systemctl status sshd.service
For Debian 11 go to Iptables Debian 11 Bullseye configuration
Configure UFW Firewall Rules
Setup and Configure Fail2ban
Install Apache2
#apt install apache2 -y
Replace “AllowOverride None” to “AllowOverride All”
#vim /etc/apache2/apache2.conf
Enable and load mod_rewrite Apache2
#/usr/sbin/a2enmod rewrite #/usr/sbin/a2enmod headers
#/usr/sbin/a2enmod expires
Install MariaDB
#apt install mariadb-server -y #mysql_secure_installation
Instal PHP
#apt install php libapache2-mod-php php-mysql php-gd -y
Note: If you plan to host a WordPress server, install additional PHP modules
#apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip -y
Check PHP Version to install Addons
#php -v
PHP 7.3.31-1~deb10u1 (cli) (built: Oct 24 2021 15:18:08) ( NTS )
Important to Install PHP GD Addons
#apt-get install php7.3-gd -y
Increase PHP Upload and Post Size by modified php.ini file
Find php.ini file by create phpinfo.php code below at /var/www/html
<?php phpinfo();?>
The find php.ini located by open the phpinfo.php at http://website/php.php
Open the php.ini file in the text editor. for example
#vim /etc/php/7.4/apache2/php.ini
Search for upload_max_filesize variable and specify with size below
upload_max_filesize = 128M
Search for post_max_size variable and specify with size below (Basically it same as upload_max_filesize variable value)
post_max_size = 128M
Once done, save the modified php.ini file and restart the server.
Install Postfix for email
#apt-get purge --auto-remove exim4 #apt-get install postfix libsasl2-modules ca-certificates mailutils -y
If needed configure Crontab job auto restart server on memory low
Install SSL Certificate
SSL test on Qualys SSL Labs Rating A Configuration
Activate HTTP/2 protocol on default-ssl.conf
Insert Protocols h2 h2c http/1.1 after on /etc/apache2/sites-available/default-ssl.conf
#vim /etc/apache2/sites-available/default-ssl.conf
Then follow the command below
#/usr/sbin/a2enmod ssl #/usr/sbin/a2enmod http2
#/usr/sbin/a2ensite default-ssl
#systemctl restart apache2
#service restart apache2