Personal Web Server Raspberry Pi

Project Description

"LAMP" web service stack consisting of free open source software.

Recommendation

Related Projects

Raspbian Fire Wall sFTP Apache Web Server PHP MariaDB Web Min Fail2ban Security Let's Encrypt Cloudflare Node.js

Raspbian

Insert a micro SD card, then download and run this installer for your Operating System.

Insert the micro SD card into the pi and boot it up with a monitor and keyboard connected.

Go through the wizard and set the keyboard/language settings.

Change the default password; strive for length over complexity.

Connect to the wifi if the pi is not connected by an ethernet cable.

The wizard will update the system automatically.

(*Optional and potentially dangerous*) Open up a terminal and set the root password.

sudo passwd root

Go to the Configuration to customize the hostname and disallow auto-login and decide if you would like to enable SSH.

Reboot the pi for the changes to take affect.

Open up terminal and run the following commands to customize the username. The sudo -s tells the command to be ran in a new shell as the given user. The exec tells the shell to overwrite itself with the new process. This means the user is overwriting their shell with a new shell that has been created as a different user ( in this case root ). Then it modifies all the user to change from pi to the new custom username. Then change the group of every file/folder from pi to the new username.

exec sudo -s

usermod -l {newname} -d /home/{newname} -m pi

groupmod --new-name {newname} pi

( Optional/Better Security ) Turn off login for root by running this in terminal:

sudo passwd -l root

sFTP

Create a group for sFTP users and setup their playground:

sudo addgroup exchangefiles

# Create the chroot directory

sudo mkdir /home/exchangefiles/

sudo chmod g+rx /home/exchangefiles/

# Create the group-writable directory

sudo mkdir -p /home/exchangefiles/files/

sudo chmod g+rwx /home/exchangefiles/files/

# Give them both to the new group.

sudo chgrp -R exchangefiles /home/exchangefiles/

Set a custom port for SSH and lock down privileges for SSH. Edit the configuration file:

sudo nano /etc/ssh/sshd_config

Change the Port number by uncommenting this line and setting your own number

#Port 22

Find the comment for built-in implementaiton and change the line below it:

# Enable to built-in implementation of SFTP.

Subsystem sftp internal-sftp

Add this section to lockdown privileges for anyone in the exchangefiles group.

Match Group exchangefiles

  # Force the connection to use SFTP and chroot to the required directory.

  ForceCommand internal-sftp

  ChrootDirectory /home/exchangefiles

  # Disable tunneling, authentication agent, TCP and X11 forwarding.

  PermitTunnel no

  AllowAgentForwarding no

  AllowTcpForwarding no

  X11Forwarding no

Add users to the group, set their password, and restart the ssh service for it to take effect.

sudo adduser --ingroup exchangefiles testfiles

sudo service ssh restart

Uncomplicated Fire Wall

Uncomplicated Fire Wall, ufw, provides a simpler interface than iptables for packet filtering and netfiltering.

Install ufw with the following commands

sudo apt install ufw

ufw is a fairly straightforward command line tool that needs to be run with superuser privileges; all commands are preceded with sudo. Use the option --dry-run with any ufw commands to view the results of the command without actually making any changes.

Run the following command to enable the firewall and ensure it starts up on boot:

sudo ufw enable

Here are examples commands for opening/closing ports and servfices:

sudo ufw allow 443

sudo ufw deny 22/tcp

sudo ufw allow ssh

This status command lists all current settings for the firewall:

sudo ufw status

Limit login attempts on ssh port using tcp. This command will deny connection if an IP address has attempted to connect six or more times in the last 30 seconds:

sudo ufw limit ssh/tcp

Deny access to port 30 from IP address 192.168.2.1

sudo ufw deny from 192.168.2.1 port 30

quietestWorkSpace

Apache Web Server

Apache is a web server application that serves HTML files over HTTP/HTTPS.

Install Apache with the following command:

sudo apt install apache2 -y

Open a web browser and go to this URL:

http://localhost/

http://{pi ip address}

Find out the Raspberry Pi’s IP address by using:

hostname -I

This default generated web page is an HTML file located at:

/var/www/html/index.html

Add your user to the www-data group and grant the group access to change the content:

Design and build your new websites.

connectingThingsTogether

PHP: Hypertext Preprocessor

PHP is a preprocessor: it’s code that runs when the server receives a request for a web page via a web browser. This allows PHP to dynamically create different content under different circumstances.

Install the PHP package with the following command:

sudo apt-get install php -y

Install the latest version of the PHP module for Apache to allow processing PHP files with the following command:

sudo apt install php libapache2-mod-php -y

Test PHP functionality by adding the following command and saving an html file as .php

<?php echo "hello world"; ?>

<?php echo date('Y-m-d H:i:s'); ?>

<?php phpinfo(); ?>

closeEncountersOfTheChipKind

MariaDB

MariaDB is a lightweight service that will host the database. MariaDB is a fork of MySQL.

Install MariaDB with the following command:

sudo apt install mariadb-server

sudo mysql_secure_installation

Then you can use mysql command for connecting:

mysql -root -p {PASSWORD}

Design, model, and build your datatables to use for applications.

2manyTools

Web Min

Webmin is a web-based interface for system administration for Apache, SQL, PHP, and system package upgrades.

Install the Webmin with the following commands:

sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

Download the required deb file; update to the latest version by checking here

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.953_all.deb

Run dpkg

sudo dpkg --install webmin_1.953_all.deb

Access Webmin by going to the Pi’s IP address followed by the port 10000. Find out the Raspberry Pi’s IP address by using:

hostname -I

Ignore the SSL Certificate error and login using your pi's root credentials.

Fail2ban

Fail2ban improves security by blocking malicious connections to the server. Fail2ban scans log files looking for signs of potential attacks such as password failures, exploits, and more. It will automatically update the firewall to ban the offending IP address.

Install Fail2Ban with the following command:

sudo apt-get install fail2ban

Make a copy of the generated jail.config file for Fail2Ban to load:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open up that new file to setup the local configuration:

sudo nano /etc/fail2ban/jail.local

This is a suggested configuration:

[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = -1
maxretry = 3
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[apache-badbots]
enabled = true
filter = apache-badbots

Save the file by pressing CTRL + X then Y and finally hit ENTER, then restart the service:

sudo service fail2ban restart

Those settings will help protect SSH and Apache Web Server.

unsecure

Security

Here are a few helpful tricks and security tips:

Change every default password
Create a new user and disable the default pi user
Change the default host name for network friendliness
Check for updates regularly
Enable SSH and use a custom port number
Update and upgrade often with sudo apt-get
Install OpenVPN
Schedule tasks with Cron
Buy a domain

Let's Encrypt

This piece of software is called “Cerbot”. Install it with the following command:

sudo apt-get install python-certbot-apache

Make sure port 80 and 443 are unblocked in ufw and external access is forwarded to the Pi's IP from the router. Replace the exmpl.com with the purchased domain name.

certbot certonly --standalone -d exmpl.com -d www.exmpl.com:

Follow along with the prompts and enter requested details. It will proceed to grab the certificate from Let’s Encrypt and store it in the following folder:

/etc/letsencrypt/live/example.com/

Test your site using https.

Node.js

Download and install the latest version of Node.js with the following command:

scurl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -

Then install using the following command:

sudo apt-get install -y nodejs

Check the version number of Node.js with this command:

node -v

Cloudflare

** I recommend finishing the previous tab for Let's Encrypt otherwise the revese proxy will break their authentication **

Cloudflare, Inc. provides content-delivery-network services, DDoS mitigation, Internet security, and distributed domain-name-server services. Cloudflare's services sit between the end user and the hosting website's server, acting as a reverse proxy for websites. The site can be distributed among a pool of different servers all handling requests for the same site. In this case, a reverse proxy can provide a load balancing solution which will distribute the incoming traffic evenly among the different servers to prevent any single server from becoming overloaded. The website can be distributed on several servers around the globe and the reverse proxy will send clients to the server that’s geographically closest to them. This decreases the distances that requests and responses need to travel, minimizing load times.