Tuesday, December 11, 2018

Setting up and configuring a LAMP Server for Joomla

As a webdev, I spent a lot of time using projects such as xampp and wampp as a quick and easy way to start developing websites but have not had the chance to really deploy one myself, really besides the home server.  Even then I never really took the time to "Secure" the server properly and documentation for this is very wide ranging and opinionated at best.  There are lots of resources out there, but nothing that puts it into a nice neat package with any kind of explanation.  Most of the webservers I've used have been setup by other people, with little to no security in mind and why?  Because security is hard.  It breaks things, and it takes time to do it right.  In this post I will go over how to setup a secure web server from start to finish and this may be a good starting point for everyone who what to learn how to setup a secure server.  As always if you have any comments or pointer please do!

You can watch my video on setting up a Ubuntu 18.04.1 LTS Server on Microsoft Azure

https://www.youtube.com/watch?v=y9RQirmC_pk

This is my video of this post but with out really explaination of why I do some things.  It is just a start to finish this is how you setup the server.

https://www.youtube.com/watch?v=qszvUjjL-ZI

With our server already setup via Azure or even on our localhost though Hyper-V or KVM login into your server and update and upgrade any missing packages.


  1. Install Apache2

sudo apt install apache2



Once that is complete then we are going to install Mariadb


2. Install Mariadb

Add MariaDB Key

apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8

Add MariaDB Repo

add-apt-repository 'deb [arch=amd64] http://mirror.nodesdirect.com/mariadb/repo/10.3/ubuntu bionic main'

update

sudo apt-get install mariadb-server mariadb-client

sudo mysql_secure_installation

Enter current password for root (enter for none): Just press the Enter

Set root password? [Y/n]: Y

New password: $password

Re-enter new password: $password

Remove anonymous users? [Y/n]: Y

Disallow root login remotely? [Y/n]: Y

Remove test database and access to it? [Y/n]: Y

Reload privilege tables now? [Y/n]: Y

sudo mysql -u root -p

$password


3. Create The Joomla Database


CREATE DATABASE $DBNAME;

Now here I would recommend creating a new user for the database we just created.

Create the User
create user $DBUSER

Grant privileges while assigning the password
grant all on $DBNAME.* to ‘$DBUSER’@’localhost’ identified by ‘$DBUSER_PASSWORD’


Note: The localhost field usually doesn’t have to be edited, but you can set it to the specific address. The above example grants all privileges, obviously. But you may want to limit privileges.

exit


4. Install Unzip

Install Unzip
sudo apt-get install unzip


5. Install PHP

Install PHP
sudo add-apt-repository ppa:ondrej/php
sudo apt update

sudo apt install php7.2 libapache2-mod-php7.2 php7.2-common php7.2-mbstring php7.2-xmlrpc php7.2-soap php7.2-gd php7.2-xml php7.2-intl php7.2-mysql php7.2-cli php7.2-zip php7.2-curl

if libzip error
vi /etc/apt/sources.list and add the following repositories

deb http://archive.ubuntu.com/ubuntu bionic universe multiverse
deb-src http://archive.ubuntu.com/ubuntu bionic universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse

Then edit and make the following changes to the PHP INI File

sudo vi /etc/php/7.2/apache2/php.ini

file_uploads = On
allow_url_fopen = On
memory_limit = 256M
upload_max_filesize = 25M
max_execution_time = 360
date.timezone = America/Edmonton

Restart Apache

sudo systemctl restart apache2.service

Create the file phpinfo.php

sudo vi /var/www/html/phpinfo.php
<?php
phpinfo();
?>





6. Setup Virtual Hosts


Now that we have our apache server, mysql and php setup now we want to enable virtualhosts so we can host multiple websites on the same server.

In this configuration our default site configuration is located in /etc/apache2/sites-available we want to copy the default virtual host file called 000-default.conf contents to the new virtual host files like below.

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/$myvirtualdomain.ca.conf

you would do this for however many sites you need, but I would recommend getting one setup first then copying the finished config as may times as you need using the command above.  Then edit and change the settings highlighted in yellow to suit what you need as many times as you need it.


Edit the virtual host file (sudo vi $myvirtualdomain.ca.conf)

# The ServerName directive sets the request scheme, hostname and port that

# the server uses to identify itself. This is used when creating

# redirection URLs. In the context of virtual hosts, the ServerName

# specifies what hostname must appear in the request's Host: header to

# match this virtual host. For the default virtual host (this file) this

# value is not decisive as it is used as a last resort host regardless.

# However, you must set it for any further virtual host explicitly.

#ServerName www.example.com

ServerAdmin demoadmin@domain.ca

ServerName webserver.domain.ca

ServerAlias www.domain.ca

DocumentRoot /var/www/html/domain.ca/public_html



# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

# error, crit, alert, emerg.

# It is also possible to configure the loglevel for particular

# modules, e.g.

#LogLevel info ssl:warn


ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined


# For most configuration files from conf-available/, which are

# enabled or disabled at a global level, it is possible to

# include a line for only one particular virtual host. For example the

# following line enables the CGI configuration for this host only

# after it has been globally disabled with "a2disconf".

#Include conf-available/serve-cgi-bin.conf




Now disable the default config and enable your virtual host configuration files.

sudo a2dissite 000-default.conf - disables this config file

sudo a2ensite domain.ca.conf - enables config file of your virtual host you just setup.

you will have to restart apache for your setting to take effect.

sudo service apache2 restart


***NOTE it is very important that the ServerAlias matches the DNS otherwise the virtual host will not redirect the browser properly.

If your working locally, you can make changes to your local hosts file.  Once you've gotten everything setup you can make changes to the DNS for Production.



7. Copy Joomla to the Webserver

Now upload the latest version of Joomla to the server via SCP.  Make sure you have a writable directory you can save to if you don't make one.

SCP /path-to-file/file.zip $username@$HOST:/path-to-destination-folder/


in this case I typically use just the home directory


SCP /path-to-file/file.zip $username@$HOST:/~/file.zip


Then copy and paste the zip file to the virtual host directory we created for the site.


sudo cp Joomla_X.X.X-Stable-Full_Package.zip /Path/To/Virtual/Site



Once copied to the server move it to the /var/www/html/$site virtual directory we just enabled and unzip the file.

Run unzip sudo unzip Joomla_X.X.X-Stable-Full_Package.zip

The default settings in Joomla are a little different from what however before we do that you will want to fix a couple settings in your php.ini file.

There are 2 things we need to fix.  Now for Joomla, recommended settings are to disable output buffering, to do that we need to edit the php.ini file

sudo vi  /etc/php/7.2/apache2

Find
output_buffering = 4096
and change it to Off
output_buffering = Off

while were here we are going to increase the max file upload size

Save your changes restart apache

With the file now unzipped we are going to add our user/owner to the www-data group so we can properly run and execute Joomla.

By default the www-data user and group are unprivileged; however Joomla requires the www-data group to have certain permissions.  So we are going to add the owner of the files to the www-data group so that Joomla can install modules, run updates, etc.  We don't want to set ownership of any files to the www-data user. The whole point of the www-data user is that it is an unprivileged user, not able to write to any files. Server daemons accessible from the outside network (such as the web server) typically run as an unprivileged user so that in the event that they are hacked due to a vulnerability, the possible things the attacker can do is minimal. In these cases you should set ownership to www-data ONLY for those files, keeping the number of files writable by www-data at a minimum it's the same reason, don't set any files to be world-writable.  You need to give www-data write permission to the joomla directory files. We don't want to give www-data ownership because of the security implications.  So to do this we are going to add our user to the www-data group, which will  give Joomla the permissions we need for it to run.

add $USER to www-data

sudo usermod -a -G www-data $USER

sudo chgrp -R www-data /var/www/html/$Site
sudo chown -R www-data:$USER /var/www/html/$Site

Do this for the setup then change your files and folders for

If you want to re-verify the proper permissions on the files and folders run the following commands

find /var/www/html/$Site -type d -exec chmod 755 {} \;
find /var/www/html/$Site -type f -exec chmod 644 {} \;

Logout and log back into to verify the changes were made.  Now you should be able to run the Joomla installer without any write or execute permission issues.

Now open your browser and run though the Joomla setup.  http://yournewjoomlasite/index.php


Enable .htaccess and security headers

To enable .htaccess and security headers you will need to add the following to your Site Config file located in /etc/apache2/sites-available called $Site-Domain.conf

Add the following just under the tag

Options Indexes FollowSymLinks
Options FollowSymLinks
AllowOverride ALL
Require all granted


Save the config file then eneable a2enmod by
sudo a2enmod rewrite
then restart apache
sudo systemctl restart apache2


Securing The Webserver

enable module headers

sudo a2enmod headers

Now edit the security.conf file typically localed in  /etc/apache2/conf-available/security.conf

Header unset X-Powered-By
Header always unset X-Powered-By
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure - Enable once you have ssl setup.
Header set X-Permitted-Cross-Domain-Policies "none"
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' Header always set Referrer-Policy "strict-origin"

<!--very secure policy--!>
Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"

Very Insecure policy if your going to be using several different joomla extensions.

Header always set Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';"

So if you want a copy paste security headers

Header unset X-Powered-By
Header always unset X-Powered-By
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set X-Permitted-Cross-Domain-Policies "none"
Header always set X-XSS-Protection "1; mode=block"
Header always set x-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' Header always set Referrer-Policy "strict-origin"
Header always set Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';"

then restart apache

sudo systemctl restart apache2


Disable Expose PHP

sudo vi /etc/php/7.2/apache2/php.ini

expose_php = Off

Setup your domains and DNS

Now before we setup our SSL Cert, we need to setup our DNS.  For my DNS I needed to setup both an A record.




Now once the DNS resolves we can setup our SSL Certificate using Let's Encrypt.

Setup the SSL Certificate

Digital Ocean has a great post on setting up Let's Encrypt on Ubuntu.  You can get the source link in the resources.

Step 1 - Add the repository and install Certbot

sudo add-apt-repository ppa:certbot/certbot

Install Certbot's Apache package with apt:

sudo apt install python-certbot-apache


Step 2 - Set Up the SSL Certificate

Verify that the Server name matches the domain name your going to use.  If it doesn't change it so it matches.

sudo vi /etc/apache2/sites-available/$SITE.conf

Your server name should match the domain your setting up with lets encrypt.
ServerName YOURDOMAIN.CA; 

You can verify the syntax of your configuration edits:

sudo apache2ctl configtest

If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file's syntax is correct, reload Apache to load the new configuration:

sudo systemctl reload apache2

Certbot can now find the correct VirtualHost block and update it.

Step 3 - Allowing HTTPS and SSH Through the Firewall

You can see the current setting by typing:

sudo ufw status

sudo ufw allow 'ssh'
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

if it is disabled do a sudo ufw enable to enable the firewall

Your status should now look like this:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
Apache Full                ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
Apache Full (v6)           ALLOW       Anywhere (v6)        


Step 4 - Obtaining an SSL Certificate
Certbot has an Apache plugin that will take care of reconfiguring Apache and reloading the config whenever necessary.

sudo certbot --apache -d domain.ca -d dev.domain.ca
This runs certbot with the --apache plugin, using -d to specify the names you'd like the certificate to be valid for.

The first time you run certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If that's successful, certbot will ask how you'd like to configure your HTTPS settings:

Example:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
I would suggest selecting option 2.  The configuration on you server will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Example:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let's finish by testing the renewal process.

Step 5 - Verifying Certbot Auto-Renewal

Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

sudo certbot renew --dry-run


If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

Security Tests and Scanners

https://app.upguard.com
https://pentest-tools.com/
https://sitecheck.sucuri.net
https://hackertarget.com/
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
https://securityheaders.com/
https://tools.geekflare.com/report/header-security-test/
https://app.upguard.com/webscan#/
https://qualysguard.qg3.apps.qualys.com/fo/home/Dashboard.php?skip=1
https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner#
https://observatory.mozilla.org/


Browser addons

https://chrome.google.com/webstore/detail/csp-evaluator/fjohamlofnakbnbfjkohkbdigoodcejf
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/


References

Setting up a lampp server
https://websiteforstudents.com/installing-apache2-mariadb-on-ubuntu-16-04-17-10-18-04-with-php-7-2-support-lamp/

Configuring Virtual Hosts
https://www.ostechnix.com/configure-apache-virtual-hosts-ubuntu-part-1/
https://httpd.apache.org/docs/current/vhosts/

Server Hardening
https://askubuntu.com/questions/778463/www-data-vs-username
https://stackoverflow.com/questions/9133024/www-data-permissions/19620585#19620585
https://unix.stackexchange.com/questions/268905/is-giving-all-permissions-to-www-data-group-a-good-idea
https://www.tecmint.com/hide-apache-web-server-version-information/

.HTACCESS
https://www.opentechguides.com/how-to/article/apache/115/htaccess-file-dir-security.html

adding user to www-data group & Joomla Security Checklist
https://www.cyberciti.biz/faq/ubuntu-add-user-to-group-www-data/
https://docs.joomla.org/Security_Checklist/Joomla!_Setup
https://docs.joomla.org/Security_and_Performance_FAQs

Security Headers
https://kb.sucuri.net/warnings/hardening
https://www.ryadel.com/en/apache-setup-httpd-conf-file-send-http-security-headers-web-site/
https://jsblog.insiderattack.net/apache-security-configuring-secure-response-headers-e8a83b72ce5e
https://geekflare.com/apache-web-server-hardening-security/
https://geekflare.com/httponly-secure-cookie-apache/

Setup SSL
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04




How to fix CURL call imporitng an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...