LAMP on AWS EC2

1. Create a VPC

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html

2. Make an SSH connection

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

3. Update the operating system

# Apply all pending package updates before installing anything on top.
sudo yum update

4. Create a swap file

Size the swap file at about 2 × RAM, and at least 2 GiB (the commands below create a 2 GiB file).

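# Create the swap file with root-only permissions *before* writing it. Swap can
# hold paged-out secrets, so the file must never be world-readable, even for the
# moments between dd finishing and a later chmod (dd creates it with the default
# umask, i.e. 0644). mkswap also warns about insecure permissions.
sudo touch /swapfile
sudo chmod 600 /swapfile
# bs=1M count=2048 writes the same 2 GiB as bs=1K count=2M, with far fewer syscalls;
# dd truncates the existing (empty) file before writing.
sudo dd if=/dev/zero of=/swapfile bs=1M count=2048
sudo mkswap /swapfile
sudo swapon /swapfile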

5. Add a swap entry to the fstab and edit the tmpfs entry

sudo vim /etc/fstab

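# Swap file created in step 4 (must stay mode 0600, owned by root).
/swapfile   swap        swap    defaults        0   0
# 1 GiB tmpfs for /dev/shm. nodev,nosuid stop device nodes and setuid binaries
# from being planted in shared memory; consider adding noexec as well, unless
# something on this host (this page also runs Oracle XE) needs to execute from
# /dev/shm — confirm before enabling it.
tmpfs /dev/shm tmpfs size=1G,nodev,nosuid 0 0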

6. Install LAMP

# Package set (Amazon Linux "httpd24"/"php70" naming): Apache 2.4 with mod_ssl
# and mod_security, PHP 7.0 plus the extensions the apps need, MySQL 5.6 server,
# sendmail's m4 macro files, stunnel for the SES relay, git, and a 32-bit glibc
# (presumably for a 32-bit binary used later — confirm it is still needed).
sudo yum install \
  httpd24 mod24_ssl mod24_security \
  php70 php70-mysqlnd php70-gd php70-soap php70-mbstring php70-zip php70-pecl-apcu php70-opcache \
  mysql56-server \
  sendmail-cf m4 stunnel \
  glibc.i686 git

7. Install mod_cloudflare

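# mod_cloudflare restores the real client IP from the CF-Connecting-IP header.
# It trusts that header from any peer, so it is only safe if the instance's
# security group accepts 80/443 from Cloudflare's published IP ranges only —
# otherwise anyone who reaches the origin directly can spoof the client address
# seen by logs, ModSecurity and any IP-based rate limiting.
# NOTE(review): this is an unsigned, unpinned ".latest" build packaged for EL7;
# Cloudflare has since deprecated mod_cloudflare in favour of mod_remoteip —
# confirm it still installs and loads on this Amazon Linux release.
rpm_file=mod_cloudflare-el7-x86_64.latest.rpm
wget "https://www.cloudflare.com/static/misc/mod_cloudflare/centos/${rpm_file}"
sudo rpm -i "${rpm_file}"
# Remove only the file we downloaded, not every *.rpm in the working directory.
rm -f -- "${rpm_file}"
sudo yum update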

8. PHP settings

sudo vim /etc/php.ini

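; Request/upload limits. post_max_size must be >= upload_max_filesize, and
; memory_limit must comfortably exceed post_max_size, or large uploads fail.
max_execution_time = 100
max_input_time = 100
post_max_size = 100M
upload_max_filesize = 100M
memory_limit = 512M
output_buffering = 0
; Production hardening: do not advertise the PHP version in the X-Powered-By
; header, and never render errors (paths, queries, stack traces) into responses;
; log them instead.
expose_php = Off
display_errors = Off
log_errors = On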

sudo vim /etc/php.d/10-opcache.ini

; Also cache scripts run from the CLI (cron jobs, occ / wp-cli). Unusual but
; harmless; drop it if the CLI tools misbehave.
opcache.enable_cli=1
opcache.max_accelerated_files=10000
; Keep docblock comments in the cache — needed by code that reads annotations
; at runtime (presumably one of the apps deployed here requires it; verify).
opcache.save_comments=1
; Re-check file timestamps every second so deploys are picked up quickly.
opcache.revalidate_freq=1

9. Add a default (catch-all) vhost

sudo vim /etc/httpd/conf.d/vhosts.conf

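# Catch-all vhost (ServerAlias *) for both ports.
# NOTE(review): this vhost listens on :443 but carries no SSLEngine/certificate
# directives, so it relies on mod_ssl's default ssl.conf to enable TLS on that
# port — verify that is the case, or split out a dedicated :443 vhost.
<VirtualHost *:80 *:443>
ServerName default
ServerAlias *
DocumentRoot /var/www/html
<IfModule security2_module>
# App-specific CRS false-positive exclusions (presumably XSS/SQLi/protocol rules
# that the WordPress/Nextcloud editors trip). 949110 (inbound anomaly blocking
# evaluation) and 980130 (anomaly correlation/logging) are deliberately NOT
# removed any more: removing 949110 silently turns the CRS into log-only. If a
# log-only WAF is what you want, say so explicitly with
# "SecRuleEngine DetectionOnly"; if the apps exceed the threshold, raise
# tx.inbound_anomaly_score_threshold in crs-setup.conf or add targeted
# exclusions instead.
# 200001 enables the JSON body processor and 200003 is the strict multipart
# validation check (ids from modsecurity.conf-recommended — verify against your
# copy); removing them reduces what ModSecurity inspects, so keep them out only
# if uploads genuinely fail otherwise.
# These removals only take effect if the CRS is already loaded when this file
# is read (conf.d/mod_security.conf sorts before vhosts.conf).
SecRuleRemoveById 200003 941100 941200 941350 941160 200001 942360 941310 921120 920130
# Match PHP's 100M upload limit (104857600 bytes) so ModSecurity does not
# reject uploads PHP would accept.
SecRequestBodyLimit 104857600
</IfModule>
<Directory /var/www/html>
# .htaccess files are honoured here (needed by the app/h5bp rewrite rules).
AllowOverride All
</Directory>
</VirtualHost>
# Server-context settings: higher PCRE limits avoid "PCRE limits exceeded"
# errors in the CRS on long requests; KeepAlive Off trades latency for fewer
# held-open worker slots.
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
KeepAlive Off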

10. Obtain the boilerplate config

# Fetch the H5BP Apache boilerplate straight into conf.d under its final name.
# NOTE(review): this pulls an unpinned master branch — pin a tag/commit for
# reproducible builds — and the file was written as a per-directory .htaccess,
# so review it before loading it in server context.
cd /etc/httpd/conf.d
sudo wget -O h5bp.conf https://raw.githubusercontent.com/h5bp/server-configs-apache/master/dist/.htaccess
cd ~

11. Install the OWASP ModSecurity Core Rule Set (CRS)

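cd /etc/httpd/modsecurity.d
# NOTE(review): unpinned clone of the CRS default branch — check out a release
# tag afterwards for a reproducible, reviewed rule set.
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
cd owasp-modsecurity-crs
# Activate the setup file and the two exclusion-rule files by dropping the
# ".example" suffix. Copy rather than move so the checkout stays clean for
# future "git pull"s; only *.conf is loaded (step 11's IncludeOptional), so the
# .example originals are ignored by httpd.
sudo cp crs-setup.conf.example crs-setup.conf
cd rules
# (The original page was missing the space between source and destination here.)
sudo cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ~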

sudo vim /etc/httpd/conf.d/mod_security.conf

 IncludeOptional modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

12. Start Apache

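# Validate the configuration first so a typo in the vhost or CRS files fails
# here, loudly, instead of leaving httpd down.
sudo apachectl configtest
sudo service httpd start
sudo chkconfig httpd on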

13. Add permissions

# Let ec2-user deploy into the docroot via the apache group, and give the
# apache user ownership of everything under /var/www.
# NOTE(review): apache owning the entire tree means a compromised PHP app can
# rewrite any file it serves (dropped web shells, tampered core files, persistence
# across restarts). Least privilege is to own code as root/ec2-user with group
# apache and grant apache write access only where it is needed (uploads, data,
# cache) — but check each app's self-update mechanism before tightening this.
sudo usermod -a -G apache ec2-user
sudo chown -R apache:apache /var/www

14. Exit ssh

# Log out: supplementary group membership is only re-read at login.
exit

15. Make a new SSH connection (the apache group added in step 13 only takes effect on a fresh login)

16. Enable MySQL 4-byte UTF-8 (utf8mb4) support

sudo vim /etc/my.cnf

# Let utf8mb4 columns be indexed: large_prefix lifts the 767-byte index-key
# limit, which requires the Barracuda file format and per-table tablespaces.
# These must sit under the [mysqld] section — confirm that header exists above
# them in /etc/my.cnf.
innodb_large_prefix=1
innodb_file_format=barracuda
innodb_file_per_table=1

17. Start & secure mysqld

# Enable mysqld at boot, bring it up, then run the interactive hardening script
# (it prompts to set a root password, drop anonymous users and the test
# database, and disallow remote root login).
sudo chkconfig mysqld on
sudo service mysqld start
sudo mysql_secure_installation

18. Generate a self-signed certificate for stunnel

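cd /etc/stunnel
# Self-signed certificate and private key written to ONE file. It is misnamed
# csr.pem (it is not a CSR); the name is kept because step 19 references it. As
# an stunnel *client* this cert is only ever presented if the server requests
# client authentication, which the SES endpoint does not.
sudo openssl req -new -out csr.pem -keyout csr.pem -nodes -x509 -days 365
# The file contains a private key; depending on the OpenSSL version it may have
# been created 0644, so make it root-only.
sudo chmod 600 csr.pem
cd ~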

19. Configure stunnel to accept plain SMTP on localhost port 2525 and forward it over TLS to Amazon SES (port 465)

sudo vim /etc/stunnel/stunnel.conf

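fips = no
[smtp-tls-wrapper]
; Plain SMTP from sendmail (step 23) on the loopback interface only -> TLS to
; Amazon SES on 465. A bare "accept = 2525" would bind every interface.
accept = 127.0.0.1:2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465
delay = yes
; Authenticate the SES endpoint. The original config had no verification at
; all, so stunnel would accept any certificate and the SES SMTP credentials
; (sent with AUTH PLAIN through this tunnel) could be captured by a
; man-in-the-middle. verify = 2 checks the chain against the system CA bundle
; (adjust the path if it differs on your release); stunnel >= 5.06 can also pin
; the name with "checkHost = email-smtp.us-east-1.amazonaws.com".
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
; Client certificate from step 18 (not requested by SES; harmless).
cert = /etc/stunnel/csr.pem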

20. Add this line to the end of /etc/rc.local so stunnel starts at boot

sudo vim /etc/rc.local

# Start stunnel at boot. rc.local runs as root; stunnel presumably keeps running
# as root unless setuid/setgid are set in stunnel.conf — consider adding them.
stunnel /etc/stunnel/stunnel.conf

21. Run stunnel

# Start it now as well, so no reboot is needed for the rest of the setup.
sudo stunnel /etc/stunnel/stunnel.conf

22. Add the SES SMTP credentials to the sendmail authinfo file

sudo vim /etc/mail/authinfo

# Credentials for the relay reached via stunnel on 127.0.0.1 (step 19). Replace
# USERNAME/PASSWORD with the SES SMTP username and password. This file and the
# authinfo.db generated from it both contain the password in clear text, so both
# must be root-only (0600) — see step 24.
AuthInfo:127.0.0.1 "U:root" "I:USERNAME" "P:PASSWORD" "M:PLAIN"

23. Add the following group of lines to the /etc/mail/sendmail.mc file before any MAILER() definitions.

sudo vim /etc/mail/sendmail.mc

dnl Look up SMTP AUTH credentials in the hash map built from /etc/mail/authinfo.
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
dnl Relay all outbound mail through the local stunnel listener (step 19) rather
dnl than talking to the Internet directly; the brackets skip the MX lookup.
define(`SMART_HOST', `[127.0.0.1]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 2525')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 2525')dnl
dnl Rewrite sender addresses (header and envelope, for every local domain) to
dnl this domain — replace w--w--w.com with a domain SES is allowed to send from.
MASQUERADE_AS(`w--w--w.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

24. Build the sendmail maps and regenerate sendmail.cf

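# Build the authinfo map. Both the source file and the .db hold the SES SMTP
# password, so lock them to root. The redirect runs inside "sudo sh -c" so that
# root, not the invoking user, opens the files, and umask 077 makes the new .db
# root-only from the moment it is created.
sudo chmod 600 /etc/mail/authinfo
sudo sh -c 'umask 077; makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo'
sudo chmod 600 /etc/mail/authinfo.db
# Regenerate sendmail.cf from the .mc. The original "chmod 666 ... m4 ... > ...
# chmod 644" sequence existed only because the redirect in "sudo m4 ... > file"
# is performed by the unprivileged user — and it left sendmail.cf world-writable
# in between. Doing the redirect inside sudo needs no permission changes.
sudo sh -c 'm4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf'
sudo chmod 644 /etc/mail/sendmail.cf
sudo /etc/init.d/sendmail restart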

25. Configure the AWS CLI

cd ~
# NOTE(review): "aws configure" stores long-lived access keys in clear text under
# ~/.aws/credentials, where a compromised web app or any local privilege
# escalation can read them. On EC2, prefer attaching an IAM instance role
# (instance profile) whose policy is scoped to the backup bucket (e.g.
# s3:PutObject on s3://backup.w--w--w.com/*); the CLI then picks up temporary
# credentials automatically and this step only needs to set the default region.
aws configure

P.S. Backup script (run nightly from cron)

vim backup.sh

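#!/bin/bash
# Nightly backup: dump each MySQL database and each Oracle schema, tar the web
# roots, and move everything to the backup bucket. Run from cron as ec2-user.
#
# Credentials are deliberately NOT passed on the command line: anything in argv
# is visible to every local user via ps / /proc while the dump runs. Instead:
#   - MySQL reads a per-database options file (chmod 600), e.g. ~/.my.cnf.wordpress:
#       [client]
#       user=wordpress-user
#       password=<your_strong_password>
#   - Data Pump reads a parameter file ~/.expdp.par (chmod 600) containing
#       USERID='sys/<your_strong_password> AS SYSDBA'
#     (a dedicated export account with EXP_FULL_DATABASE would be least
#     privilege — confirm what this XE instance allows).
set -eo pipefail
# shellcheck disable=SC1091
. /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh
set -u

readonly BUCKET='s3://backup.w--w--w.com'
# Stage archives in a private scratch directory under $HOME (not /tmp, which is
# world-readable) and remove it on every exit path.
WORK="$(mktemp -d "${HOME}/backup.XXXXXX")"
readonly WORK
cleanup() { rm -rf -- "${WORK}"; }
trap cleanup EXIT

#######################################
# Copy a staged file to the bucket with server-side encryption at rest.
# Arguments: $1 - local file, $2 - object name
#######################################
ship() {
  aws s3 mv --sse AES256 "$1" "${BUCKET}/$2"
}

#######################################
# Dump one MySQL database and ship it.
# Arguments: $1 - options file with [client] user/password, $2 - database, $3 - object base name
#######################################
backup_mysql() {
  local creds=$1 db=$2 name=$3
  # --defaults-extra-file must be the first option.
  mysqldump --defaults-extra-file="${creds}" -q "${db}" | gzip -c > "${WORK}/${name}.sql.gz"
  ship "${WORK}/${name}.sql.gz" "${name}.sql.gz"
}

#######################################
# Tar a web root and ship it.
# Arguments: $1 - directory, $2 - object base name
#######################################
backup_tree() {
  local dir=$1 name=$2
  tar -zcf "${WORK}/${name}.tar.gz" -C "${dir}" .
  ship "${WORK}/${name}.tar.gz" "${name}.tar.gz"
}

#######################################
# Data Pump export into the Oracle "tmp" directory object, then compress,
# delete the plaintext dump and ship it.
# Arguments: $1 - dump file name, $2 - object base name, rest - extra expdp options
#######################################
backup_oracle() {
  local dump=$1 name=$2
  shift 2
  # NOTE(review): DIRECTORY=tmp presumably maps to /tmp, so the dump is readable
  # by other local users until the rm below; pointing the directory object at a
  # 0700 directory owned by oracle would close that window. The file is written
  # by the database server process, hence sudo for the removal.
  expdp PARFILE="${HOME}/.expdp.par" NOLOGFILE=YES DIRECTORY=tmp DUMPFILE="${dump}" "$@"
  gzip -c "/tmp/${dump}" > "${WORK}/${name}.dmp.gz"
  sudo rm -f -- "/tmp/${dump}"
  ship "${WORK}/${name}.dmp.gz" "${name}.dmp.gz"
}

backup_mysql "${HOME}/.my.cnf.wordpress" wordpress-db wordpress
backup_tree /var/www/html wordpress
backup_mysql "${HOME}/.my.cnf.piwik" piwik-db piwik
backup_tree /var/www/piwik piwik
backup_mysql "${HOME}/.my.cnf.nextcloud" nextcloud-db nextcloud
backup_tree /var/www/nextcloud nextcloud
# expdat.dmp is Data Pump's default name for the full export; made explicit here.
backup_oracle expdat.dmp expdat FULL=YES
backup_oracle medicine.dmp medicine SCHEMAS=medicine
backup_oracle w2bw2bw.dmp w2bw2bw SCHEMAS=w2bw2bw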
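# Executable for the owner only: the script (and the credential files it reads)
# must not be readable by other local users, which "u+x" on a 644 file allows.
chmod 700 backup.sh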

crontab -e

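# Nightly at 00:00. Use $HOME rather than "~" (tilde expansion depends on the
# shell cron invokes), give cron a PATH that includes the aws CLI (often
# /usr/local/bin — confirm with "command -v aws"), and keep a log: cron otherwise
# only mails failures, if local mail works at all.
PATH=/usr/local/bin:/usr/bin:/bin
0 0 * * * $HOME/backup.sh >> $HOME/backup.log 2>&1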

P.P.S. View logs (newest entries first)

# Page through a log newest-first (tac reverses it); sudo because the httpd
# logs are typically not readable by ec2-user.
view_log_reversed() {
  sudo tac -- "$1" | less
}
view_log_reversed /etc/httpd/logs/error_log
view_log_reversed /var/log/httpd/modsec_audit.log