LAMP on AWS EC2

1. Create a VPC (and a security group that only opens the ports the instance actually serves: SSH from your own address range, 80/443 from the Internet)

2. Make an SSH connection

3. Update the operating system

sudo yum update

4. Create a swap file


# Create a 2 GiB swap file: 2048 blocks of 1 MiB (same size as 2M x 1 KiB,
# far fewer write syscalls).
sudo dd if=/dev/zero of=/swapfile bs=1M count=2048
# Make the file root-only before it ever holds memory contents, then format
# it as swap and enable it.
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

5. Add a swap entry to /etc/fstab and edit the tmpfs entry (for /dev/shm consider adding `noexec,nosuid,nodev` to the mount options so a writable, world-accessible tmpfs cannot be used to stage executables)

sudo vim /etc/fstab

/swapfile   swap        swap    defaults        0   0
tmpfs /dev/shm tmpfs size=1G 0 0

6. Install LAMP

sudo yum install httpd24 php70 php70-gd php70-soap php70-mbstring mysql56-server php70-mysqlnd mod24_ssl m4 sendmail-cf php70-zip php70-pecl-apcu php70-opcache stunnel mod24_security glibc.i686 git

7. Install mod_cloudflare

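# The download step for this RPM was lost from the listing. Wherever it comes
# from, verify the package signature before installing it: `rpm -i` only warns
# about an unsigned package or an unknown key, it does not refuse to install.
# `rpm -K` must print "OK" for the signature; it reports missing keys until the
# vendor's signing key has been imported with `rpm --import`.
# (Cloudflare has, as far as I recall, since deprecated mod_cloudflare in
# favour of Apache's own mod_remoteip — worth checking before relying on it.)
rpm -K mod_cloudflare-el7-x86_64.latest.rpm
sudo rpm -i mod_cloudflare-el7-x86_64.latest.rpm
# Remove only the package we installed; the original `rm *.rpm` deleted every
# RPM that happened to be in the current directory.
rm -f -- mod_cloudflare-el7-x86_64.latest.rpm
sudo yum update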

8. PHP settings

sudo vim /etc/php.ini

max_execution_time = 100
max_input_time = 100
post_max_size = 100M
upload_max_filesize = 100M
memory_limit = 512M
output_buffering = 0

sudo vim /etc/php.d/10-opcache.ini


9. Add a default (catch-all) vhost

sudo vim /etc/httpd/conf.d/vhosts.conf

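# Catch-all vhost: answers for any host name on 80 and 443.
# NOTE(review): it listens on *:443 but carries no SSLEngine/SSLCertificate*
# directives, so TLS for it must come from mod24_ssl's ssl.conf — confirm.
# The closing tags were missing from the original listing and are restored.
<VirtualHost *:80 *:443>
    ServerName default
    ServerAlias *
    DocumentRoot /var/www/html
    <IfModule security2_module>
        # Per-site CRS rule exclusions (false-positive tuning).
        # Two ids from the original list are deliberately NOT removed any more:
        #   949110 is the inbound anomaly-score blocking evaluation and
        #   980130 the correlation/reporting rule. With 949110 removed the CRS
        #   still scores every request but never denies one, i.e. the WAF is
        #   silently reduced to log-only. If monitor mode is what you want,
        #   say so explicitly with `SecRuleEngine DetectionOnly`; otherwise
        #   tune the individual rules that misfire.
        SecRuleRemoveById 200003 941100 941200 941350 941160 200001 942360 941310 921120 920130
        # 100 MiB, matching post_max_size / upload_max_filesize in php.ini.
        SecRequestBodyLimit 104857600
        # PCRE limits are not accepted inside <Directory>, and in ModSecurity
        # 2.x they are effectively server-wide settings; keeping them here
        # (vhost scope) is tolerated, but mod_security.conf is the better home.
        SecPcreMatchLimit 500000
        SecPcreMatchLimitRecursion 500000
    </IfModule>
    <Directory /var/www/html>
        # Required for the applications' .htaccess files. It also means any
        # file an attacker can write into the docroot can change server
        # behaviour, which is why the docroot should not be writable by apache
        # beyond the directories the applications need.
        AllowOverride All
    </Directory>
    KeepAlive Off
</VirtualHost>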

10. Obtain the boilerplate config (the download URL was lost from this page; the file is renamed to h5bp.conf — verify its origin and read it before Apache includes it from conf.d)

cd /etc/httpd/conf.d
sudo wget
sudo mv .htaccess h5bp.conf
cd ~

11. Install the OWASP ModSecurity Core Rule Set (the git clone URL was lost from this page; pin a release tag rather than tracking the default branch)

cd /etc/httpd/modsecurity.d
sudo git clone
cd owasp-modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
cd rules
cd ~

sudo vim /etc/httpd/conf.d/mod_security.conf

 IncludeOptional modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

12. Start Apache

sudo service httpd start
sudo chkconfig httpd on

13. Add permissions

# Let ec2-user write into the web tree through the apache group.
sudo usermod -a -G apache ec2-user
# NOTE(review): this hands ownership of everything under /var/www to the
# account httpd/PHP runs as, so any code-execution bug in one of the web
# applications can rewrite the application's own PHP files and persist.
# Tighter: keep the code owned by ec2-user:apache (read-only for apache) and
# grant apache write access only to the paths each application must write
# (uploads, data, cache, config). Left unchanged here because which paths
# those are is application-specific.
sudo chown -R apache:apache /var/www

14. Exit SSH


15. Make an SSH connection again (presumably so the new apache group membership of ec2-user takes effect in the login session)

16. Enable MySQL 4-byte character (utf8mb4) support

sudo vim /etc/my.cnf


17. Start and secure mysqld

sudo service mysqld start
sudo chkconfig mysqld on
sudo mysql_secure_installation

18. Generate the stunnel certificate and key

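cd /etc/stunnel
# Self-signed certificate plus its UNENCRYPTED private key (-nodes), both in
# one file (openssl appends the certificate when -out and -keyout name the
# same file). The file name csr.pem is misleading but is what stunnel.conf
# references, so it is kept.
# Run under umask 077: with sudo the effective umask is normally 022, and
# older OpenSSL releases create the -keyout file with the default mode, which
# would leave the private key world-readable.
sudo sh -c 'umask 077 && openssl req -new -out csr.pem -keyout csr.pem -nodes -x509 -days 365'
sudo chmod 600 /etc/stunnel/csr.pem
cd ~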

19. Configure a localhost SMTP listener on port 2525 that stunnel wraps in TLS towards the mail relay

sudo vim /etc/stunnel/stunnel.conf

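; Global options (must come before any service section).
fips = no

; Plain SMTP listener on localhost that stunnel tunnels over TLS to the relay.
; The bracketed section header was lost from the original listing together
; with other bracketed text; stunnel needs one, and the name is arbitrary.
[smtp-tls-wrapper]
accept = 2525
client = yes
; host:port of the TLS-wrapped SMTP relay (the value is missing from the page).
connect =
delay = yes
; Verify the relay's certificate chain. stunnel's default is to verify
; nothing, so anyone who can interpose themselves on the path to the relay
; would receive the AUTH PLAIN credentials from /etc/mail/authinfo.
; `verify = 2` is understood by stunnel 4.x and 5.x but does not check the
; host name; on 5.x prefer `verifyChain = yes` plus
; `checkHost = <relay host name>`. Adjust CAfile if the system bundle lives
; elsewhere on this distribution.
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
; Client certificate offered to the relay; not needed for password AUTH, kept
; from the original configuration.
cert = /etc/stunnel/csr.pem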

20. Add the following line to the end of the file so stunnel starts after boot

sudo vim /etc/rc.local

stunnel /etc/stunnel/stunnel.conf

21. Run stunnel

sudo stunnel /etc/stunnel/stunnel.conf

22. Edit the SMTP authinfo file (it holds the relay password in clear text, as does the authinfo.db built from it; both must be readable by root only — `chmod 600`)

sudo vim /etc/mail/authinfo

AuthInfo: "U:root" "I:USERNAME" "P:PASSWORD" "M:PLAIN"

23. Add the following group of lines to the sendmail m4 source (presumably /etc/mail/sendmail.mc; the file name was lost from this page) before any MAILER() definitions.

sudo vim /etc/mail/

FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
define(`SMART_HOST', `[]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 2525')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 2525')dnl

24. Set up sendmail

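# Build the authinfo map and rebuild sendmail.cf from sendmail.mc.
# The file names were lost from the original listing; sendmail.mc -> sendmail.cf
# is the conventional pair that `m4` compiles and that the FEATURE()/define()
# lines above belong to — confirm against the server.
# Both steps run the redirection inside one root shell: a plain `sudo cmd < f`
# or `sudo cmd > f` opens the file as the invoking user, which is why the
# original temporarily chmod 666'd the output and left the server's mail
# configuration world-writable during the rebuild.
sudo sh -c 'makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo'
# Clear-text relay password: root only.
sudo chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db
sudo sh -c 'm4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf'
sudo chmod 644 /etc/mail/sendmail.cf
sudo /etc/init.d/sendmail restart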

25. Set up the AWS CLI (on EC2 prefer an IAM instance role whose policy is limited to the backup bucket over `aws configure`, which stores long-lived access keys in ~/.aws/credentials on the instance)

cd ~
aws configure

P.S. Backup script (scheduled nightly with cron below; the script file name was lost from this page)


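#!/usr/bin/env bash
# Nightly backup: logical dump of each MySQL database plus a tarball of its web
# root, and Data Pump exports of the Oracle XE database, all moved to S3.
#
# Changes from the earlier version of this script:
#  * No passwords on the command line. `-p<password>` and "sys/<password> as
#    sysdba" are visible to every local user via `ps` and end up in shell
#    history; MySQL credentials now come from 0600 option files and expdp
#    reads its USERID from a parameter file.
#  * Fail fast. Without `set -e`/`pipefail` a failed mysqldump still produced
#    a truncated .gz that was then uploaded as if it were a good backup.
#  * Archives are built in a private temporary directory instead of $HOME.
#  * The expdp DIRECTORY object `tmp` resolves to /tmp here (the script reads
#    /tmp/<dumpfile>), so full database exports land in a world-accessible
#    directory before being compressed. The object name is kept because it
#    already exists on the server, but it should be re-pointed at an
#    oracle-only path.
set -euo pipefail

# ---- settings for this host ---------------------------------------------------
# S3 destination; the bucket name was lost from the original listing.
: "${BACKUP_BUCKET:?set BACKUP_BUCKET, e.g. s3://my-backups}"
# Oracle XE environment script. The original sourced a file under this bin/
# directory whose name was lost — presumably oracle_env.sh; confirm.
ORACLE_ENV="${ORACLE_ENV:-/u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh}"
# Data Pump parameter file holding `USERID="sys/<password> as sysdba"` (or
# `USERID="/ as sysdba"` to use OS authentication instead), chmod 600.
ORA_PARFILE="${ORA_PARFILE:-$HOME/.expdp-backup.par}"
# Per-application MySQL option files, each holding
#   [client]
#   user=<app>-user
#   password=<your_strong_password>
# and chmod 600, so the per-database accounts of the original are preserved.
MYSQL_CNF_DIR="${MYSQL_CNF_DIR:-$HOME/.mysql-backup}"

# Private work directory, removed on any exit (including failure).
workdir=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "$workdir"; }
trap cleanup EXIT
cd "$workdir"

# shellcheck disable=SC1090
. "$ORACLE_ENV"

# dump_mysql DB STEM — dump database DB (credentials from STEM's option file),
# gzip it and move it to S3 as STEM.sql.gz.
dump_mysql() {
  local db=$1 stem=$2
  mysqldump --defaults-extra-file="$MYSQL_CNF_DIR/$stem.cnf" -q -- "$db" \
    | gzip -c > "$stem.sql.gz"
  aws s3 mv "$stem.sql.gz" "$BACKUP_BUCKET/"
}

# archive_dir DIR STEM — tarball of web root DIR, moved to S3 as STEM.tar.gz.
archive_dir() {
  local dir=$1 stem=$2
  tar -zcf "$stem.tar.gz" -C "$dir" .
  aws s3 mv "$stem.tar.gz" "$BACKUP_BUCKET/"
}

# export_oracle DUMPFILE EXPDP-ARGS... — Data Pump export into the `tmp`
# directory object, gzipped and moved to S3 as DUMPFILE.gz. The dump file is
# owned by the oracle user, hence the sudo rm.
export_oracle() {
  local dumpfile=$1
  shift
  expdp PARFILE="$ORA_PARFILE" NOLOGFILE=YES DIRECTORY=tmp DUMPFILE="$dumpfile" "$@"
  gzip -c "/tmp/$dumpfile" > "$dumpfile.gz"
  sudo rm -f -- "/tmp/$dumpfile"
  aws s3 mv "$dumpfile.gz" "$BACKUP_BUCKET/"
}

dump_mysql wordpress-db wordpress
archive_dir /var/www/html wordpress
dump_mysql piwik-db piwik
archive_dir /var/www/piwik piwik
dump_mysql nextcloud-db nextcloud
archive_dir /var/www/nextcloud nextcloud

# expdat.dmp is Data Pump's default dump file name, as used by the original
# FULL export; it is now passed explicitly.
export_oracle expdat.dmp FULL=YES
export_oracle medicine.dmp SCHEMAS=medicine
export_oracle w2bw2bw.dmp SCHEMAS=w2bw2bw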
chmod u+x

crontab -e

0 0 * * * ~/

P.P.S. View logs (most recent entries first)

sudo tac /etc/httpd/logs/error_log | less
sudo tac /var/log/httpd/modsec_audit.log | less