# Create User
> sudo adduser okhtay
> sudo usermod -aG sudo okhtay
> mkdir -p /home/okhtay/.ssh
> chmod 700 /home/okhtay/.ssh
> nano /home/okhtay/.ssh/authorized_keys
> chmod 600 /home/okhtay/.ssh/authorized_keys
> chown -R okhtay:okhtay /home/okhtay/.ssh
# On local PC: Generate SSH Key
> ssh-keygen -t ed25519 -C "okhsat@gmail.com"
> ssh-copy-id okhtay@SERVER_IP
# Harden SSH (Recommended Changes)
> sudo nano /etc/ssh/sshd_config
____________________________________
Port xxxx # custom SSH port
PermitRootLogin no # disable root login
PasswordAuthentication no # force key-based auth only
PubkeyAuthentication yes
UsePAM yes # caveat: PasswordAuthentication no does not stop PAM password prompts over keyboard-interactive unless KbdInteractiveAuthentication is also no; the sshd -T check below shows its effective value
____________________________________
> sudo sshd -T | egrep 'authenticationmethods|kbdinteractiveauthentication|permitrootlogin|passwordauthentication|pubkeyauthentication|usepam'
> sudo sshd -t
> sudo systemctl reload ssh
> sudo systemctl restart ssh (on releases where ssh is socket-activated, ssh.socket decides the listening port; if the new Port is not in effect, run systemctl daemon-reload and restart ssh.socket)
> ssh -i ~/.ssh/digitalocean -p xxxx okhtay@server_ip (test from a second terminal while keeping the current session open, so a mistake in sshd_config does not lock you out)
# Setup Host Name
> hostnamectl status
> sudo hostnamectl set-hostname turan-server
> sudo nano /etc/hosts
____________________________________
127.0.1.1 turan-server
____________________________________
> hostname
> hostnamectl
> sudo reboot
# Install Base Software and Enable Auto Update
> sudo apt update && sudo apt upgrade -y
> sudo apt install git ufw curl nano software-properties-common fail2ban unattended-upgrades apt-listchanges -y
> sudo apt update
> sudo dpkg-reconfigure --priority=low unattended-upgrades
> sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
_____________________________________
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
_____________________________________
> sudo nano /etc/apt/apt.conf.d/20auto-upgrades
_____________________________________
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
_____________________________________
> sudo systemctl enable unattended-upgrades
> sudo systemctl start unattended-upgrades
> sudo systemctl status unattended-upgrades
> sudo systemctl restart unattended-upgrades
> sudo unattended-upgrade --dry-run --debug
> sudo unattended-upgrade --dry-run
# UFW Config
> sudo ufw default deny incoming
> sudo ufw default allow outgoing
> sudo ufw allow xxxx/tcp comment 'SSH'
> sudo ufw limit xxxx/tcp
> sudo ufw allow 80/tcp
> sudo ufw allow 443/tcp
> sudo ufw enable
> sudo ufw status verbose
# Fail2Ban Config
> sudo systemctl enable fail2ban
> sudo systemctl start fail2ban
> sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
> sudo nano /etc/fail2ban/jail.local
____________________________________
[sshd]
enabled = true
port = xxxx
filter = sshd
# logpath only applies where sshd logs to auth.log; on journal-only systems (no auth.log) use backend = systemd instead
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
____________________________________
> sudo systemctl restart fail2ban
> sudo systemctl status fail2ban
> sudo fail2ban-client reload
> sudo fail2ban-client status
> sudo fail2ban-client status sshd
# Base Nginx/PHP Setup
> sudo apt update && sudo apt upgrade -y
> sudo add-apt-repository ppa:ondrej/php -y
> sudo apt install nginx php8.4-fpm php8.4-cli php8.4-curl php8.4-mbstring php8.4-xml php8.4-zip certbot python3-certbot-nginx -y
> sudo apt update
# Project Setup (Clone GitHub repo)
> sudo mkdir -p /var/www/turan/develop (-p: the parent /var/www/turan has to be created as well)
> sudo chown -R okhtay:okhtay /var/www/turan/develop
> sudo find /var/www/turan/develop -type d -exec chmod 750 {} \;
> sudo find /var/www/turan/develop -type f -exec chmod 640 {} \;
> cd /var/www/turan/develop
> git clone git@github.com:okhsat/turandevelop.git .
# Nginx Config
> cd /etc/nginx/sites-available
> sudo nano turandevelop
___________________________________
# Redirect all HTTP traffic to https://www.turandevelop.com
server {
listen 80;
listen [::]:80;
server_name turandevelop.com www.turandevelop.com;
return 301 https://www.turandevelop.com$request_uri;
}
# Redirect HTTPS non-www to HTTPS www
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name turandevelop.com;
return 301 https://www.turandevelop.com$request_uri;
}
# Main HTTPS server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.turandevelop.com;
root /var/www/turan/develop/public;
index index.php index.html index.htm;
ssl_certificate /etc/letsencrypt/live/turandevelop.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/turandevelop.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
access_log /var/log/nginx/turandevelop.access.log;
error_log /var/log/nginx/turandevelop.error.log;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
}
location ~ /\.ht {
deny all;
}
}
___________________________________
> sudo ln -s /etc/nginx/sites-available/turandevelop /etc/nginx/sites-enabled/
> sudo nginx -t (likely to fail while the /etc/letsencrypt/live/turandevelop.com files referenced above do not exist yet — they are created by the certbot step further down, so obtain the certificate first or start with only the HTTP server block; the non-www HTTPS block also needs its own ssl_certificate/ssl_certificate_key lines, which certbot --nginx can add)
> sudo systemctl reload nginx
> sudo usermod -aG okhtay www-data (Not required)
> sudo systemctl restart nginx
> sudo chown -R okhtay:www-data /var/www/turan/develop
> sudo find /var/www/turan/develop -type d -exec chmod 750 {} \;
> sudo find /var/www/turan/develop -type f -exec chmod 640 {} \;
> sudo chown -R okhtay:www-data /var/www/turan/develop/storage
> sudo chmod -R 775 /var/www/turan/develop/storage
> sudo -u www-data ls /var/www/okhtay >/dev/null && echo "nginx can read" (path mismatch: the web root set up above is /var/www/turan/develop)
> sudo -u www-data touch /var/www/okhtay/test 2>/dev/null || echo "nginx cannot write (good)" (same path mismatch; touch in a non-existent directory also fails, so this prints "good" for the wrong reason)
> sudo certbot --nginx -d turandevelop.com -d www.turandevelop.com
> sudo certbot renew --dry-run
> sudo systemctl list-timers | grep certbot
# Final Test
> curl -I http://turandevelop.com
> curl -I http://www.turandevelop.com
> curl -I https://turandevelop.com
> curl -I https://www.turandevelop.com
# Sudoers
> sudo nano /etc/sudoers.d/turandevelop
____________________________________
okhtay ALL=(root) NOPASSWD: /usr/local/sbin/fix-www-perms-turandevelop.sh
____________________________________
> sudo nano /usr/local/sbin/fix-www-perms-turandevelop.sh
____________________________________
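#!/bin/sh
# Reset ownership and permissions of the turandevelop web root.
#
# Runs as root through the NOPASSWD entry in /etc/sudoers.d/turandevelop.
# The path is deliberately hard-coded: that sudoers rule does not restrict
# arguments, so reading the directory from $1 would let the caller chown
# arbitrary paths as root. Any arguments are ignored.
set -eu

www_root=/var/www/turan/develop
readonly www_root

mkdir -p "$www_root"
# okhtay owns the tree (it is the user that clones it); the web server
# group only needs read access.
chown -R okhtay:www-data "$www_root"
# Directories 750, files 640. '{} +' batches paths into a few chmod
# invocations instead of spawning one process per entry.
find "$www_root" -type d -exec chmod 750 {} +
find "$www_root" -type f -exec chmod 640 {} +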
____________________________________
> sudo chmod 750 /usr/local/sbin/fix-www-perms-turandevelop.sh
> sudo chown root:root /usr/local/sbin/fix-www-perms-turandevelop.sh (root-owned and not writable by okhtay: this is what keeps the NOPASSWD entry above safe)
> sudo chmod 440 /etc/sudoers.d/turandevelop
> sudo visudo -cf /etc/sudoers.d/turandevelop
> sudo -n true && echo "NOPASSWD sudo works"