Recovering the server

1. Create a VPC

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html

2. Make an SSH connection

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

3. Update the operating system

# Bring the base image fully up to date before anything is installed on top of it.
sudo yum update

4. Create a swap file

Size the swap file so that SWAP = 2*RAM and SWAP >= 2G

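# Create a 2 GiB swap file (bs=1K * count=2M), restrict it to root, then enable it.
# The chmod now runs BEFORE mkswap/swapon: dd creates the file with the default
# umask (world-readable), so in the original order the file was readable by any
# local user while it already held swapped-out memory; mkswap also warns when
# the file is not mode 0600.
sudo dd if=/dev/zero of=/swapfile bs=1K count=2M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile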

5. Add a swap entry to the fstab and edit the tmpfs entry

sudo vim /etc/fstab

/swapfile   swap        swap    defaults        0   0
tmpfs /dev/shm tmpfs size=1G 0 0

6. Install LAMP

# Web stack: Apache 2.4 + mod_ssl + mod_security, PHP 7.0 with the extensions
# Piwik/Nextcloud need (gd, soap, mbstring, mysqlnd, zip, apcu, opcache),
# MySQL 5.6 server, sendmail + m4 (config generation), stunnel (SMTP TLS wrapper),
# 32-bit glibc and git (used below to fetch the OWASP rule set).
sudo yum install httpd24 php70 php70-gd php70-soap php70-mbstring mysql56-server php70-mysqlnd mod24_ssl m4 sendmail-cf php70-zip php70-pecl-apcu php70-opcache stunnel mod24_security glibc.i686 git

7. Install mod_cloudflare

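# Fetch and install Cloudflare's mod_cloudflare package. `rpm -i` installs
# whatever was downloaded: the transfer is over HTTPS but the package itself is
# not verified here — if Cloudflare's signing key is imported, `rpm -K` on the
# file before installing it confirms the signature.
wget https://www.cloudflare.com/static/misc/mod_cloudflare/centos/mod_cloudflare-el7-x86_64.latest.rpm
sudo rpm -i mod_cloudflare-el7-x86_64.latest.rpm
# Remove exactly the file just downloaded; the original `rm *.rpm` would also
# delete any other .rpm that happens to sit in the current directory.
rm -- mod_cloudflare-el7-x86_64.latest.rpm
sudo yum update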

8. PHP settings

sudo vim /etc/php.ini

max_execution_time = 100
max_input_time = 100
post_max_size = 100M
upload_max_filesize = 100M
memory_limit = 512M
output_buffering = 0

sudo vim /etc/php.d/10-opcache.ini

opcache.enable_cli=1
opcache.max_accelerated_files=10000
opcache.save_comments=1
opcache.revalidate_freq=1

9. Add the virtual hosts (including the default one)

sudo vim /etc/httpd/conf.d/vhosts.conf

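# /etc/httpd/conf.d/vhosts.conf — for every site one plain-HTTP vhost that
# redirects to HTTPS and one HTTPS vhost, followed by a catch-all default.
#
# NOTE(review): none of the *:443 vhosts carries SSLEngine/SSLCertificate*
# directives, so TLS for them has to come from ssl.conf (mod24_ssl) — confirm;
# otherwise these vhosts answer plain HTTP on port 443.
#
# Apache does not accept a comment after a directive on the same line, so the
# per-rule notes below are on their own lines; in the original the trailing
# "# ..." text was handed to SecRuleRemoveById as extra arguments.

# --- Piwik (stat) ---
<VirtualHost *:80>
  ServerName stat.w--w--w.com
  # The target ends in "/": mod_alias appends the remainder of the request
  # path directly after the target, so without the slash "/foo" is sent to
  # "https://stat.w--w--w.comfoo". Same fix applied to every redirect below.
  Redirect permanent / https://stat.w--w--w.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName stat.w--w--w.com
  DocumentRoot /var/www/piwik
  # ModSecurity is switched off entirely for this host rather than tuned, so
  # the Piwik UI and tracker run with no WAF coverage at all.
  <IfModule security2_module>
    SecRuleEngine Off
  </IfModule>
  <Directory /var/www/piwik>
    AllowOverride All
  </Directory>
</VirtualHost>

# --- Nextcloud (cloud) ---
<VirtualHost *:80>
  ServerName cloud.w--w--w.com
  Redirect permanent / https://cloud.w--w--w.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName cloud.w--w--w.com
  DocumentRoot /var/www/nextcloud
  # Per-application WAF exclusions; each disabled rule widens the attack
  # surface for this host only, so keep the list as short as possible.
  <IfModule security2_module>
    # VIDEOS
    # 958291 Range Header Checks
    SecRuleRemoveById 958291
    # 981203 Correlated Attack Attempt
    SecRuleRemoveById 981203
    # PDF
    # 950109 Check URL encodings
    SecRuleRemoveById 950109
    # ADMIN (webdav)
    # 960024 Repetitive Non-Word Chars (heuristic)
    SecRuleRemoveById 960024
    # 981173 SQL Injection Character Anomaly Usage
    SecRuleRemoveById 981173
    # 981204 Correlated Attack Attempt
    SecRuleRemoveById 981204
    # 981243 PHPIDS - Converted SQLI Filters
    SecRuleRemoveById 981243
    # 981245 PHPIDS - Converted SQLI Filters
    SecRuleRemoveById 981245
    # 981246 PHPIDS - Converted SQLI Filters
    SecRuleRemoveById 981246
    # 981318 String Termination/Statement Ending Injection Testing
    SecRuleRemoveById 981318
    # 973332 XSS Filters from IE
    SecRuleRemoveById 973332
    # 973338 XSS Filters - Category 3
    SecRuleRemoveById 973338
    # 981143 CSRF Protections (TODO edit LocationMatch filter)
    SecRuleRemoveById 981143
    # COMING BACK FROM OLD SESSION
    # 970903 Microsoft Office document properties leakage
    SecRuleRemoveById 970903
    # NOTES APP
    # 981401 Content-Type Response Header is Missing and X-Content-Type-Options
    #        is either missing or not set to 'nosniff'
    SecRuleRemoveById 981401
    # 200002 Failed to parse request body
    SecRuleRemoveById 200002
    # UPLOADS ( 100 MB max excluding file size )
    SecRequestBodyLimit 104857600
    # GENERAL
    # 960017 Host header is a numeric IP address
    SecRuleRemoveById 960017
    # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
    SecRuleRemoveById 981220 900046 981407
    SecRuleRemoveById 981222 981405 981185 981184
  </IfModule>
  <Directory /var/www/nextcloud>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
  </Directory>
</VirtualHost>

# --- APEX IDE (ide) — reverse proxy to the APEX backend on 127.0.0.1:8080 ---
<VirtualHost *:80>
  ServerName ide.w--w--w.com
  Redirect permanent / https://ide.w--w--w.com/
</VirtualHost>
<VirtualHost *:443>
  # NOTE(review): this Redirect uses the prefix "/", so it also matches every
  # other path ("/foo" -> "/apexfoo"); /apex and /i presumably escape it only
  # because ProxyPass is evaluated first — confirm. `RedirectMatch permanent ^/$ /apex`
  # would restrict it to the site root; left unchanged here.
  Redirect permanent / /apex
  ServerName ide.w--w--w.com
  # WAF disabled for this host (see the Piwik vhost).
  <IfModule security2_module>
    SecRuleEngine Off
  </IfModule>
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass /apex http://127.0.0.1:8080/apex
  ProxyPassReverse /apex http://127.0.0.1:8080/apex
  ProxyPass /i http://127.0.0.1:8080/i
  ProxyPassReverse /i http://127.0.0.1:8080/i
  # Talk HTTP/1.0 without keep-alive to the backend.
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
</VirtualHost>

# --- pills.komplemed.ru — APEX application 102 behind the same backend ---
<VirtualHost *:80>
  ServerName pills.komplemed.ru
  Redirect permanent / https://pills.komplemed.ru/
</VirtualHost>
<VirtualHost *:443>
  ServerName pills.komplemed.ru
  # RewriteCond/RewriteRule are ignored inside a vhost unless the engine is
  # enabled in that vhost (the setting is not inherited), so without this
  # line the two rules below never fired.
  RewriteEngine On
  # /apex/f without p=102 goes back to the root; the root goes to app 102.
  RewriteCond %{QUERY_STRING} !^p=102 [NC]
  RewriteRule ^/apex/f / [R=301,L]
  RewriteRule ^/$ apex/f?p=102 [R=302,L]
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass /apex http://127.0.0.1:8080/apex
  ProxyPassReverse /apex http://127.0.0.1:8080/apex
  ProxyPass /i http://127.0.0.1:8080/i
  ProxyPassReverse /i http://127.0.0.1:8080/i
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
</VirtualHost>

# --- day.w--w--w.com — APEX application 100 ---
<VirtualHost *:80>
  ServerName day.w--w--w.com
  Redirect permanent / https://day.w--w--w.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName day.w--w--w.com
  # Same as above: the rewrite engine must be enabled per vhost.
  RewriteEngine On
  RewriteCond %{QUERY_STRING} !^p=100 [NC]
  RewriteRule ^/apex/f / [R=301,L]
  RewriteRule ^/$ apex/f?p=100 [R=302,L]
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass /apex http://127.0.0.1:8080/apex
  ProxyPassReverse /apex http://127.0.0.1:8080/apex
  ProxyPass /i http://127.0.0.1:8080/i
  ProxyPassReverse /i http://127.0.0.1:8080/i
  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
</VirtualHost>

# --- Catch-all for every other name (WordPress lives in /var/www/html) ---
<VirtualHost *:80 *:443>
  ServerName default
  ServerAlias *
  DocumentRoot /var/www/html
  <IfModule security2_module>
    SecRuleRemoveById 200003 941100 949110 980130 941200 941350 941160 200001 942360 941310 921120 920130
    SecRequestBodyLimit 104857600
  </IfModule>
  <Directory /var/www/html>
    AllowOverride All
  </Directory>
</VirtualHost>

# Server-wide settings. One directive per line: the original had both SecPcre*
# directives on a single line, which Apache rejects at startup.
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
KeepAlive Off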

10. Obtain the boilerplate config

# Pull the H5BP Apache boilerplate and install it as a regular conf file.
cd /etc/httpd/conf.d
# NOTE(review): this fetches the moving `master` branch and includes it
# server-wide as root; pin a tag/commit (or review the file) before trusting it.
sudo wget https://raw.githubusercontent.com/h5bp/server-configs-apache/master/dist/.htaccess
sudo mv .htaccess h5bp.conf
cd ~

11. Install the OWASP ModSecurity Core Rule Set

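# Install the OWASP ModSecurity Core Rule Set from git and activate the two
# exclusion-rule files that ship as .example templates.
cd /etc/httpd/modsecurity.d
# NOTE(review): clones the default branch, so the WAF policy changes on every
# rebuild; check out a release tag for a reproducible rule set.
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
cd owasp-modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
cd rules
# The original line lacked the space between source and destination, so `mv`
# received a single argument and failed.
sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd ~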

sudo vim /etc/httpd/conf.d/mod_security.conf

IncludeOptional modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

12. Start Apache

# Start Apache now and enable it for subsequent boots (SysV init on this image).
sudo service httpd start
sudo chkconfig httpd on

13. Add permissions

# Let the login user share the web server's group (takes effect on the next login).
sudo usermod -a -G apache ec2-user
# NOTE(review): with the whole web root owned by apache, the PHP applications
# can rewrite their own code files; root:apache ownership with write access only
# where the apps need it (data/upload directories) limits what a compromised
# PHP process can change — not changed here because the restore steps below
# rely on this layout.
sudo chown -R apache:apache /var/www

14. Exit ssh

# Log out so the apache group membership added above is picked up on re-login.
exit

15. Make an SSH connection again, so the group membership added in step 13 takes effect

16. Enable MySQL 4-byte (utf8mb4) support

sudo vim /etc/my.cnf

innodb_large_prefix=1
innodb_file_format=barracuda
innodb_file_per_table=1

17. Start & secure mysqld

# Start MySQL now and on every boot.
sudo service mysqld start
sudo chkconfig mysqld on
# Interactive hardening wizard (root password, anonymous users, test database,
# remote root login); the root password chosen here is used in step 27.
sudo mysql_secure_installation

18. Generate the stunnel certificate

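# Generate a self-signed certificate for stunnel's client side. With -out and
# -keyout pointing at the same file, csr.pem holds the PRIVATE KEY as well as
# the certificate, so restrict it to root straight away: openssl creates it with
# the default umask, i.e. readable by every local user.
cd /etc/stunnel
sudo openssl req -new -out csr.pem -keyout csr.pem -nodes -x509 -days 365
sudo chmod 600 csr.pem
cd ~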

19. Configure localhost port 2525 for SMTP and wrap the outgoing traffic in TLS

sudo vim /etc/stunnel/stunnel.conf

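; /etc/stunnel/stunnel.conf
fips = no
; Plain SMTP accepted on 127.0.0.1:2525 (from sendmail, see steps 22-24),
; forwarded over TLS to Amazon SES in us-east-1.
[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465
delay = yes
cert = /etc/stunnel/csr.pem
; Validate the SES server certificate against the system CA bundle. Without
; `verify`, stunnel accepts any certificate on a connection that carries the
; SMTP credentials from /etc/mail/authinfo. Level 2 checks the chain only;
; on stunnel builds that support `checkHost`, add it with the SES host name
; for host-name matching as well.
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt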

20. Add the following line to the end of the file so that stunnel starts after boot

# Edit the boot-time script ...
sudo vim /etc/rc.local

# ... and append this line: starts stunnel with the config above as root at boot.
stunnel /etc/stunnel/stunnel.conf

21. Run stunnel

# Start stunnel now (the rc.local entry only covers future boots).
sudo stunnel /etc/stunnel/stunnel.conf

22. Edit SMTP authinfo

sudo vim /etc/mail/authinfo

AuthInfo:127.0.0.1 "U:root" "I:USERNAME" "P:PASSWORD" "M:PLAIN"

23. Add the following group of lines to the /etc/mail/sendmail.mc file before any MAILER() definitions.

sudo vim /etc/mail/sendmail.mc

FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
define(`SMART_HOST', `[127.0.0.1]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 2525')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 2525')dnl
MASQUERADE_AS(`w--w--w.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

24. Set up sendmail

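# Build the sendmail auth map and regenerate sendmail.cf from sendmail.mc.
sudo makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo
# Both files hold the SMTP credentials in clear text; keep them root-only.
sudo chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db
# Write the generated config through `sudo tee` instead of a shell redirect: the
# original did `chmod 666` so that the unprivileged shell could redirect into
# the file, which left sendmail.cf world-writable until the chmod 644 below.
sudo m4 /etc/mail/sendmail.mc | sudo tee /etc/mail/sendmail.cf > /dev/null
sudo chmod 644 /etc/mail/sendmail.cf
sudo /etc/init.d/sendmail restart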

25. Set up the AWS CLI

cd ~
# Interactive: stores access key, secret and region under ~/.aws for the S3
# commands in steps 26 and 34.
aws configure

26. Copy the backup files from S3

# Fetch the latest database dumps and site archives into the home directory.
# NOTE(review): step 25 put long-lived access keys on disk; an instance role
# attached to the EC2 instance would give the CLI the same access without them.
aws s3 cp s3://backup.w--w--w.com/wordpress.sql.gz wordpress.sql.gz
aws s3 cp s3://backup.w--w--w.com/wordpress.tar.gz wordpress.tar.gz
aws s3 cp s3://backup.w--w--w.com/piwik.sql.gz piwik.sql.gz
aws s3 cp s3://backup.w--w--w.com/piwik.tar.gz piwik.tar.gz
aws s3 cp s3://backup.w--w--w.com/nextcloud.sql.gz nextcloud.sql.gz
aws s3 cp s3://backup.w--w--w.com/nextcloud.tar.gz nextcloud.tar.gz

27. Set up the MySQL databases

# Interactive root session; prompts for the root password chosen in step 17.
mysql -u root -p
-- One dedicated user per application, each granted rights on its own database
-- only. 'your_strong_password' is a placeholder that appears three times —
-- use a different secret for each user.
CREATE USER 'wordpress-user'@'localhost' IDENTIFIED BY 'your_strong_password';
CREATE DATABASE `wordpress-db`;
GRANT ALL PRIVILEGES ON `wordpress-db`.* TO "wordpress-user"@"localhost";
CREATE USER 'piwik-user'@'localhost' IDENTIFIED BY 'your_strong_password';
CREATE DATABASE `piwik-db`;
GRANT ALL PRIVILEGES ON `piwik-db`.* TO "piwik-user"@"localhost";
CREATE USER 'nextcloud-user'@'localhost' IDENTIFIED BY 'your_strong_password';
-- Nextcloud needs 4-byte UTF-8; the InnoDB settings for it were added in step 16.
CREATE DATABASE `nextcloud-db` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON `nextcloud-db`.* TO "nextcloud-user"@"localhost";
FLUSH PRIVILEGES;
exit

28. Restore databases

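# Load each dump into its database. `-p` without a value makes the mysql client
# prompt for the password on the terminal, so the secret is neither written to
# the shell history nor visible to other local users through `ps` (the original
# `-p<password>` form exposed it both ways).
gunzip -cd wordpress.sql.gz | mysql -u wordpress-user -p wordpress-db
gunzip -cd piwik.sql.gz | mysql -u piwik-user -p piwik-db
gunzip -cd nextcloud.sql.gz | mysql -u nextcloud-user -p nextcloud-db
# Remove exactly the three dumps that were imported, not every *.sql.gz around.
rm -- wordpress.sql.gz piwik.sql.gz nextcloud.sql.gz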

29. Restore WordPress

# Unpack the WordPress archive (created with `tar -C /var/www/html .` in step 34)
# into the catch-all vhost's DocumentRoot and hand it to the web server user.
cd /var/www/html
sudo mv ~/wordpress.tar.gz .
sudo tar -zxvf wordpress.tar.gz
sudo rm wordpress.tar.gz
sudo chown -R apache:apache /var/www/html

30. Restore Piwik

# Recreate the Piwik DocumentRoot (stat vhost) from its archive.
sudo mkdir /var/www/piwik
cd /var/www/piwik
sudo mv ~/piwik.tar.gz .
sudo tar -zxvf piwik.tar.gz
sudo rm piwik.tar.gz
sudo chown -R apache:apache /var/www/piwik

31. Restore Nextcloud

# Recreate the Nextcloud DocumentRoot (cloud vhost) from its archive.
sudo mkdir /var/www/nextcloud
cd /var/www/nextcloud
sudo mv ~/nextcloud.tar.gz .
sudo tar -zxvf nextcloud.tar.gz
sudo rm nextcloud.tar.gz
sudo chown -R apache:apache /var/www/nextcloud

32. Paste the SSL certificate and private key from Cloudflare

cd ~
# Paste the certificate issued by Cloudflare (presumably the paths mod24_ssl's
# ssl.conf points at by default — confirm).
sudo vim /etc/pki/tls/certs/localhost.crt
# Private key: check afterwards that the file is owned by root and mode 0600.
sudo vim /etc/pki/tls/private/localhost.key
sudo service httpd restart

33. Set up the apache user's crontab

# Edit the crontab of the apache user, so both jobs run with the web server's
# file permissions rather than root's.
sudo crontab -u apache -e

# Hourly at :05 — Piwik report archiving for the stat vhost.
5 * * * * php -f /var/www/piwik/console core:archive --url=https://stat.w--w--w.com/
# Every 15 minutes — Nextcloud background jobs.
*/15 * * * * php -f /var/www/nextcloud/cron.php

34. Backup script

# Create the backup script with the following contents.
vim ~/backup.sh

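#!/bin/bash
# Nightly backup (run from cron, see the crontab entry below): dumps the three
# MySQL databases, archives the three web roots, exports the Oracle XE instance
# and the application schemas, and moves every artifact into the backup bucket.
#
# Credentials: MySQL passwords are read from per-database option files instead
# of being passed as `-p<password>` on the command line, where they were
# visible to every local user via `ps` (and stored in this script in clear).
# Create, by hand and with mode 0600, one file per database — CONSTRUCTED
# paths, adjust as needed:
#   ~/.backup/wordpress.cnf   ~/.backup/piwik.cnf   ~/.backup/nextcloud.cnf
# each containing
#   [client]
#   user=wordpress-user        (piwik-user / nextcloud-user respectively)
#   password=<your_strong_password>
#
# Failure handling: -e/-o pipefail abort the run as soon as a dump, archive or
# upload fails, so a truncated artifact is never moved over the previous good
# copy in S3 (the original continued and uploaded whatever was produced).
set -euo pipefail

# ORACLE_HOME/PATH for expdp.
. /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh

readonly bucket='s3://backup.w--w--w.com'
readonly cred_dir="$HOME/.backup"

# Scratch directory for the artifacts; removed on every exit path so a failed
# run does not leave half-written dumps lying around in $HOME.
work_dir=$(mktemp -d) || exit 1
readonly work_dir
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT

#######################################
# Dump one MySQL database, gzip it and move it to the bucket.
# Arguments: $1 - artifact name (wordpress|piwik|nextcloud), also the stem of
#                 the credential file; $2 - database name
# Outputs:   $bucket/$1.sql.gz
#######################################
dump_mysql() {
  local name=$1 db=$2
  local dump="$work_dir/$name.sql.gz"
  mysqldump --defaults-extra-file="$cred_dir/$name.cnf" -q "$db" | gzip -c > "$dump"
  aws s3 mv "$dump" "$bucket/$name.sql.gz"
}

#######################################
# Archive one web root and move the archive to the bucket.
# Arguments: $1 - artifact name; $2 - directory to archive
# Outputs:   $bucket/$1.tar.gz
#######################################
archive_dir() {
  local name=$1 dir=$2
  local archive="$work_dir/$name.tar.gz"
  tar -zcf "$archive" -C "$dir" .
  aws s3 mv "$archive" "$bucket/$name.tar.gz"
}

#######################################
# Data Pump export into the `tmp` directory object (maps to /tmp on this host),
# then gzip, upload and remove the plain dump.
# Arguments: $1 - dump file name (expdp writes /tmp/$1; expdat.dmp is expdp's
#                 default name, so passing it explicitly keeps the full export
#                 identical to the original)
#            $@ - remaining expdp parameters (FULL=YES or SCHEMAS=...)
# Outputs:   $bucket/$1.gz
#######################################
dump_oracle() {
  local dumpfile=$1
  shift
  # NOTE(review): the SYSDBA password is still given on the command line (as in
  # the original) and is therefore visible in `ps`; OS authentication
  # (`/ as sysdba`) would avoid that but depends on the cron user's Oracle
  # group membership — not changed here. The \"...\" quoting is kept verbatim.
  expdp \"sys/<your_strong_password> as sysdba\" NOLOGFILE=YES DIRECTORY=tmp DUMPFILE="$dumpfile" "$@"
  gzip -c "/tmp/$dumpfile" > "$work_dir/$dumpfile.gz"
  # The original needed sudo to delete the dump (presumably it is owned by the
  # Oracle OS user); cron has no tty, so this sudo must be password-less.
  sudo rm -- "/tmp/$dumpfile"
  aws s3 mv "$work_dir/$dumpfile.gz" "$bucket/$dumpfile.gz"
}

main() {
  dump_mysql wordpress wordpress-db
  archive_dir wordpress /var/www/html
  dump_mysql piwik piwik-db
  archive_dir piwik /var/www/piwik
  dump_mysql nextcloud nextcloud-db
  archive_dir nextcloud /var/www/nextcloud
  dump_oracle expdat.dmp FULL=YES
  dump_oracle medicine.dmp SCHEMAS=medicine
  dump_oracle w2bw2bw.dmp SCHEMAS=w2bw2bw
  dump_oracle diary.dmp SCHEMAS=diary
}
main "$@"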
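# The script carries database credentials (the Oracle password inline, and the
# location of the MySQL option files), so make it executable for the owner only
# instead of just adding the x bit on top of the default world-readable mode.
chmod 700 backup.sh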

# Crontab of the login user (not root): the backup runs with this user's
# permissions and AWS credentials from step 25.
crontab -e

# Daily at midnight. Cron sends the job's output (including errors) by mail
# only if a local mailer is configured — check the MAILTO/sendmail setup
# if failures should be noticed.
0 0 * * * ~/backup.sh