Debian 9 Web Server install

Another year, another web server install. 
The same again, but different.
This year the version count is up to Debian 9.
After installing that one, that is Debian 9, 
here are all the needed steps to install a useful web server,
without any hidden environment variables or other such things :-

1.  Changing lines in /etc/ssh/sshd_config:

PermitRootLogin no
LogLevel INFO

2.   adduser  roger

3.   apt-get update

4.  apt-get install sudo

5.  usermod -a -G sudo roger

6. dpkg-reconfigure tzdata

7.  Fail2ban

cd /usr/local/src
wget https://github.com/fail2ban/fail2ban/archive/debian/0.10.2-1.tar.gz
tar xvfz 0.10.2-1.tar.gz
cd fail2ban-debian-0.10.2-1
python setup.py build
python setup.py install
cd /etc/fail2ban
cp jail.conf jail.local
add in :-

[ssh]
enabled = true
filter = sshd
logpath = /var/log/sshd.log
maxretry = 3

create the file /etc/rsyslog.d/sshd.conf
and add in the line:-
if $programname == 'sshd' then /var/log/sshd.log

Lastly, restart syslog (so sshd messages start going to the new log file) and then fail2ban:
service syslog restart

fail2ban-client -b start
fail2ban-client reload
fail2ban-client status ssh

Edit /etc/logrotate.d/rsyslog
Insert after the line '/var/log/auth.log'
/var/log/sshd.log
/var/log/fail2ban.log

8. Iptables

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 3 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -I INPUT 4 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 5 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -I INPUT 6 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -I INPUT 7 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -I INPUT 9 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT 10 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I INPUT 11 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I INPUT 11 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -I INPUT 12 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -I INPUT 13 -j LOG
iptables -P  INPUT  DROP
Note: -I rejects an index beyond the end of the chain, so on an otherwise empty chain the jump from rule 7 to rule 9 makes the port 22 rule fail. These rules also live only in memory and are lost on reboot unless they are saved and restored at boot.

9.  Init fail2ban for bootup

cp /usr/local/src/fail2ban-debian-0.10.2-1/files/fail2ban.service.in /etc/systemd/system/fail2ban.service
Then edit the copied file so that it reads:

[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service
PartOf=iptables.service firewalld.service ip6tables.service ipset.service

[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop 
ExecReload=/usr/local/bin/fail2ban-client reload 
Restart=always

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl start fail2ban
systemctl enable fail2ban   (start alone does not make it run at boot; enable does)

10.  Install a few things

apt-get install --fix-missing gcc
apt-get install gcc-doc make libghc-regex-pcre-dev
apt-get install libexpat1-dev

11.  Apache

cd /usr/local/src
wget http://apache.mirror.amaze.com.au/httpd/httpd-2.4.33.tar.gz
tar  xvfz  httpd-2.4.33.tar.gz

12.     Apr

cd /usr/local/src/httpd-2.4.33/srclib
wget http://apache/mirror/apr/apr-1.6.3.tar.gz
wget http://apache/mirror/apr/apr-util-1.6.1.tar.gz
tar xvfz apr-1.6.3.tar.gz
tar xvfz apr-util-1.6.1.tar.gz
ln -s apr-1.6.3 apr
ln -s apr-util-1.6.1 apr-util

13.   SSL

cd  /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1-pre3.tar.gz
tar xvfz openssl-1.1.1-pre3.tar.gz
cd openssl-1.1.1-pre3
./config
make
make install

14.  Delete system console messages

Create a file /etc/rc.local containing the lines:-
#!/bin/sh
dmesg -n 1
(the #!/bin/sh first line is needed for systemd to run the file as a script)
then run:
chmod +x /etc/rc.local
systemctl daemon-reload

15.  Generate some apache files need later here

cd /usr/local/src/httpd-2.4.33
./buildconf
./configure --enable-ssl --with-ssl=/usr/local/src/openssl-1.1.1-pre3 \
            --enable-ssl-staticlib-deps \
            --enable-mods-static=ssl --with-included-apr \
            --with-mpm=prefork --enable-mods=most

16.   Init Apache for startup.

Create /etc/systemd/system/apache.service with the following content:

[Unit]
Description=Apache2 Server
After=network.target auditd.service

[Service]
Type=forking
EnvironmentFile=-/usr/local/apache2/bin/envvars
ExecStart=/usr/local/apache2/bin/apachectl -k start
ExecReload=/usr/local/apache2/bin/apachectl graceful
ExecStop=/usr/local/apache2/bin/apachectl stop
## KillMode=SIGCONT
PIDFile=/usr/local/apache2/logs/httpd.pid
PrivateTmp=true
#ReadOnlyDirectories=/var
Restart=on-failure

[Install]
WantedBy=multi-user.target

17.  Some new accounts etc

adduser --no-create-home --ingroup apache --disabled-password --disabled-login apache
chown -v -R apache /var/www
chown -R apache:apache /usr/local/apache2
Note that this makes the apache user the owner of the whole install tree, binaries and configuration included, so a compromised httpd process could modify them; only the directories httpd must write to (such as logs) need to be owned by it.
Edit /usr/local/apache2/conf/httpd.conf
systemctl enable apache

18.  Tomcat

apt-get install default-jdk
java -showversion
Edit and add into /etc/environment (using the JDK directory that was actually installed):
JAVA_HOME=/usr/lib/jvm/java-8-.../jdk
adduser --system --shell /bin/bash --gecos 'Tomcat Java Server' \
        --group --disabled-password --home /home/tomcat tomcat

cd /usr/local/src   (get the binary Tomcat distribution, not the source)
wget http://apache/mirror/tomcat/tomcat-8/v8.5.29/bin/apache-tomcat-8.5.29.tar.gz
tar xvfz apache-tomcat-8.5.29.tar.gz
cd /usr/local
ln -s /usr/local/src/apache-tomcat-8.5.29 tomcat
chown -R tomcat:tomcat tomcat/*
chmod +x tomcat/bin/*.sh
mkdir /usr/local/tomcat/logs
touch /usr/local/tomcat/logs/catalina.out
chown -R tomcat /usr/local/tomcat/logs

18.  Init tomcat

Create a unit file in /etc/systemd/system (for example tomcat.service) containing:

[Unit]
Description=Tomcat Server
After=syslog.target network.target 

[Service]
Type=forking
EnvironmentFile=/etc/environment
Environment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/usr/local/tomcat
Environment=CATALINA_BASE=/usr/local/tomcat
Environment='CATALINA_OPTS=-Djava.library.path=/usr/local/tomcat/lib -Xms1024M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
Environment=CATALINA_TMPDIR=/usr/local/tomcat/temp
User=tomcat
Group=tomcat
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

19.  The apache tomcat connector

cd /usr/local/src
wget http://apache.mirror.serversaustralia.com.au/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.43-src.tar.gz
apt-get install libtool
apt-get install automake autoconf
tar xvfz tomcat-connectors-1.2.43-src.tar.gz
cd /usr/local/src/tomcat-connectors-1.2.43-src
cd native
cd /usr/local/bin
ln -s /usr/local/src/httpd-2.4.33/srclib/apr/libtool libtool
cd /usr/local/src/tomcat-connectors-1.2.43-src/native
./buildconf.sh
./configure --with-apache=/usr/local/src/httpd-2.4.33

20.  Compile  apache

cd /usr/local/src/httpd-2.4.33
make clean
./buildconf
./configure --enable-ssl --with-ssl=/usr/local/src/openssl-1.1.1-pre3 \
            --enable-ssl-staticlib-deps --enable-mods-static=ssl \
            --with-included-apr --with-mpm=prefork --with-mod_jk \
            --enable-mods=most
make
make install

© 2018, James Harry Burton. All rights reserved.