Building a Linux Apache MySQL PHP(LAMP) web hosting server is easy, anyone can build one with a 5-minute tutorial. Securing a LAMP web hosting server, on the other hand, is very hard and time-consuming. There are many details and packages you need to know about, and that knowledge only comes with experience. Diamond Hard LAMP aims to cover any experience shortfalls for you!

Over the years I have built scripts to automate my roles as a Linux System Administrator. Diamond Hard LAMP(DHL) is the combination of those scripts and knowledge. DHL builds a LAMP web hosting server with the maximum security-hardened services; diamond-hard security. DHL incorporates all the security configurations, tools, and methodologies to form a suite of services working in concert together. The end result is a LAMP stack with very high security and automated management.

So let’s walk through the DHL build-out process.

DHL Build Overview

  1. Build a new Vitual Machine
  2. Clone DHL GitHub codebase
  3. Configure Your Unique Server Settings
  4. Run DHL installer
  5. Add your first webhosting account

Virtual Machine Specs

DHL is designed and tested for Ubuntu 20.04 LTS. So I recommend using that OS. Your VM specs will vary based on the number of websites you host and their traffic. Below are the minimum recommended specs.

  • CPU: 4 Cores
  • 8GB RAM
  • 16GB HDD
  • 1x 1G Network Interface
  • 1x Internal LAN IPv4
  • WAN Accessable ports needed, 22, 80, & 443

Note: AppArmor cannot run appropriately inside a container. Additionally, containers are considered less secure than the segmentation VMs provide. For these reasons, DHL requires a VM and not a container.

Install Diamond Hard LAMP

On a fresh OS install run the following commands to clone DHL GitHub codebase. 

# Update the OS
sudo apt -y update && apt -yq upgrade
# Install Git, so you can clone the repository
sudo apt -yq install git
# Clone DHL GitHub codebase
git clone https://github.com/Brets0150/DiamondHardLAMP.git
cd ./DiamondHardLAMP
# Set the execute bit on the script
chmod +x ./DiamondWebServerManager.sh

Configure Your Unique Server Settings

There are a few settings that must be configured so DHL can alert you correctly about events. Open up the “./settings.sh” file and filling the required settings.

# Update the settings file with your unique settins.
nano ./settings.sh
Image of required settings in the "./settings.sh" file.

Run DHL Server Builder

Now that we have the DHL GitHub codebase on the server, we can start the server setup. The “–install” command will install and configure all the security tools and features of DHL. The installer will take time to complete. The Diffie-Hellman Key generation, alone, can take up to an hour.

# Run DHL's Server builder. 
./DiamondWebServerManager.sh --install

After the installation of all tools and services is complete you will be provided the administrative credentials. Copy these details to a secure location; you will never see this data again.

admin details output from script

The “PhpMyAdmin .htaccess” user name is actually “admin_2919” in the above image.

Username Generation

The Admin account username is randomized every time the installer runs. This randomized username means there are now 9999 different possible usernames that may be applied. No one is brute-forcing this login with 9999 different possible usernames and a random 16 character password; good luck!

Website Management Design

DHL deploys websites in a way you would expect a shared-hosting system would. Each Website has its own user account, access rights, logins, and segmented directories. Below is a list of the services a user has access to so they can manage their own website.

  • SFTP – To upload and download files
  • Access to Apache logs for their website only. Allows the User to troubleshoot there own issues.
  • User can add .htaccess file to any web directory to quickly add another layer of security to a directory.
  • Access to PhpMyAdmin to fully manager their own database.

User and Site Segmentation

The core guiding principle behind the user site configuration is segmentation. I wanted to make sure one poorly coded website could not affect others on the same server. So to the furthest extent possible, sites share nothing between them. This is done in the following ways.

  • AppArmor sandboxes the user account and the website.
  • Each website runs in Apache with its own user account.
  • Each website has its own “.secret/.htpasswd” file for passwords.
  • One site, One database, with permissions to nothing else.
  • No shared logging.
  • Strict adherence to principle of least privilege
SFTP folder veiw
Restrict SFTP user to home directory.

Adding a New Webhosting User

To add a new Webhosting User use the below command.

# Run DHL's Add Web User Command. 
./DiamondWebServerManager.sh --addwebuser

Running the command will prompt you for details about the new user account.

Copy these details to a secure location; you will never see this data again.

DHL Help Menu

Setup Complete!

That’s it, DHL is ready to go! If you have any issues, reach out to me on GitHub. Also, there are some helpful tools for troubleshooting websites by using the “–manage” flag.

# My GitHub
https://github.com/Brets0150/DiamondHardLAMP

Related posts:

Linux Web Server Hardening: The Basics Linux Web Server Hardening: MAC with AppArmor Linux Web Server Hardening: Preventing Apache Information Disclosure Linux Web Server Hardening: WAF for Web Servers Linux Server Hardening: Banning Malicious Traffic Linux Penguin with OSSEC insideLinux Server Hardening: Host-Based Intrusion Detection Linux Tux Penguin with SSL LogoHow to get a 100% SSL/TLS Score on SSLLabs Logo - Checklist of items needed to build a secure LAMP Server.Linux Web Server Security Hardening Checklist Linux Server Hardening: Enforce Strong Passwords Windows Client Hardening