Setup a LAMP (Debian 11) - Optimized method

deb http://deb.debian.org/debian/ {dist} main 

apt-get update apt-get upgrade 

apt-get upgrade --without-new-pkgs apt-get full-upgrade reboot 

rm -fr /var/lib/apt/lists/* apt-get --purge autoremove apt-get clean all 

uname -r lsb_release -a 

apt-get install openssh-server # apt-get install ssh (client/server) 

passwd root 

adduser {username} 

usermod -aG sudo {username} 

{username} ALL=(ALL) ALL # {username} ALL=(ALL) NOPASSWD:ALL 

Port {port} LoginGraceTime 60 PermitRootLogin no StrictModes yes MaxAuthTries 6 MaxSessions 3 

#Subsystem sftp /usr/lib/openssh/sftp-server (comment) Subsystem sftp internal-sftp 

Match [User|Group] {username|groupname} ForceCommand internal-sftp -u 077 PasswordAuthentication yes ChrootDirectory /var/www AllowTCPForwarding no X11Forwarding no 

sshd -t systemctl restart sshd 

tail -f /var/log/auth.log 

apt-get install apache2 apt-get install libapache2-mod-php7.4 

a2enmod rewrite a2dissite 000-default a2dissite default-ssl a2ensite {site} a2dissite {site} apache2ctl configtest service apache2 restart 

apt-get install mariadb-server mysql_secure_installation 

mysql -u root 

CREATE USER '{username}'@'localhost' IDENTIFIED BY '{password}'; GRANT ALL PRIVILEGES ON *.* TO '{username}'@'localhost' WITH GRANT OPTION; FLUSH PRIVILEGES; CREATE DATABASE IF NOT EXISTS {database}; exit; 

service mysql restart 

mysqldump -u {username} –p {password} {database} > {dump.sql} 

apt-get install php7.4 (php7.4-common) apt-get install php7.4-cli apt-get install php7.4-curl apt-get install php7.4-intl apt-get install php7.4-imagick apt-get install php7.4-{extension} 

a2dismod php7.0 a2enmod php7.4 service apache2 restart 

apt-get install phpmyadmin 

Include /etc/phpmyadmin/apache.conf 

echo 'Include /etc/phpmyadmin/apache.conf' >> /etc/apache2/apache2.conf service apache2 restart 

apt-get install vsftpd 

listen=YES write_enable=YES chown_uploads=YES chown_username=www-data chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd pam_service_name=vsftpd local_umask=0022 anon_upload_enable=YES anon_mkdir_write_enable=YES 

allow_writeable_chroot=YES chmod_enable=YES ftp_username=www-data force_dot_files=YES max_clients=10 max_per_ip=3 hide_ids=YES user_config_dir=/etc/vsftpd file_open_mode=0777 user_sub_token=$USER vsftpd_log_file=/var/log/vsftpd.log 

mkdir /etc/vsftpd nano /etc/vsftpd/{username} 

local_root=/var/wwwsername} 

service vsftpd restart 

apt-get install bind9 service bind9 restart 

apt-get install postfix mailutils (postfix-mysql) service postfix restart service apache2 restart 

apt-get install openssl apt-get install certbot python3-certbot-apache 

certbot --apache # certbot renew (/etc/letsencrypt/renewal) # certbot certonly --cert-name domain.com -d domain.com service apache2 restart crontab -e 

12 3 * * * letsencrypt renew >> /var/log/letsencrypt/renew.log 

service cron restart 

apt-get install ufw 

ufw disable ufw default deny incoming ufw default allow outgoing ufw allow 80 ufw allow 443 ufw allow ssh ufw allow from {IPV4} to any port {port} ufw allow from {IPV6} to any port {port} ufw enable # ufw reset 

useradd {username} 

# adduser {username} {group} usermod -aG www-data {username} usermod -d /var/www -m {username} 

chown -R {username}:www-data /var/www/ find /var/www -type d -exec chmod 755 {} \; find /var/www -type f -exec chmod 644 {} \; 

apt-get install acl setfacl -R -m g:www-data:rwx /var/www setfacl -R -m u:{username}:rwx /var/www 

export APACHE_RUN_USER={username} 

echo 'export APACHE_RUN_USER={username}' >> /etc/apache2/envvars 

apt-get install redis-server apt-get install php7.4-redis apt-get install php7.4-igbinary 

# bind 127.0.0.1 ::1 (comment) maxmemory 1024mb maxmemory-policy allkeys-lru 

service redis-server restart 

redis-cli redis-cli FLUSHALL 

wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar chmod u+x wp-cli.phar mv wp-cli.phar /usr/local/bin/wp 

apt-get install git 

git config --global user.name "{username}" git config --global user.email "{email}" 

apt-get install fail2ban 

# Decrease Timeout value Timeout 60 

# Use only TLS, Disable SSLv2, SSLv3 SSLProtocol -all +TLSv1 # Disable Weak Ciphers SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4 

# Limit HTTP Request Methods allow only GET, POST and HEAD 

ServerTokens Prod TraceEnable off ServerSignature Off FileETag None 

# Set rules for Directory /var/www/html Options None AllowOverride All Order Allow,Deny Allow from All 

a2enmod headers 

# Cookie with HttpOnly and Secure flag Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure # Clickjacking Attack Protection Header always append X-Frame-Options SAMEORIGIN # XSS Protection Header set X-XSS-Protection "1; mode=block" # Enforce secure connections to the server (HSTS) Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" # MIME sniffing Protection Header set X-Content-Type-Options: "nosniff" # Prevent Cross-site scripting and injections Header set Content-Security-Policy "script-src 'self'; object-src 'self'" 

service apache2 restart 

iptables -A INPUT -p tcp --dport 21 -j DROP 

apt-get install net-tools 

systemctl stop {service} systemctl disable {service} systemctl unmask {service} rm /etc/systemd/system/{service} rm /usr/lib/systemd/system/{service} systemctl daemon-reload systemctl reset-failed