1. Add non-free archive to apt sources (pico /etc/apt/sources.list)

deb http://ftp.uk.debian.org/debian/ squeeze main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze main non-free


Add non-free behind main in both lines

2. Update the package list

apt-get update


3. Install Nikto

apt-get install nikto

4. Test the local web server

nikto -h localhost

Nikto also supports testing on different ports. Click here for Nikto usage information.

1. Install rkhunter

apt-get install rkhunter


2. Run rkhunter to check your server

rkhunter --check


1. Install the apache2-mpm-itk package

apt-get install apache2-mpm-itk


2. Configure user and group for each virtual host by adding the following line somewhere between <VirtualHost *:80>...</VirtualHost>

AssignUserId [user] [group]


Replace [user] and [group] with a username and group name that already exists on the system.

3. Change the owner of the web root

chown [user].[group] [location]


Replace [user] and [group] with the username and group name configured on the virtual host. Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

4. Make sure the location isn't accessible by other users (optional)

chmod o= [location]


Replace [location] with the location specified as DocumentRoot for the virtual host, eg. /var/www

5. Restart apache

/etc/init.d/apache restart


1. Install fail2ban

apt-get install fail2ban


2. Test by connecting via ssh and making three incorrect password attempts. By default fail2ban blocks the IP address for 10 minutes.

You can tail the fail2ban log file to monitor actions:

tail -f /var/log/fail2ban.log


Sample results

2010-06-21 22:27:58,953 fail2ban.jail : INFO Jail 'ssh' started
2010-06-21 22:29:36,430 fail2ban.actions: WARNING [ssh] Ban 192.168.1.18


3. (optional) Specify a list of IP addresses ignored by fail2ban. This can be useful to avoid getting locked out (pico /etc/fail2ban/jail.conf)

ignoreip = 127.0.0.1 192.168.1.0/24


Modify the ignoreip property and type a list of IP addresses or networks seperated by a space.

4. Restart fail2ban (only required if you modified the ignoreip property)

/etc/init.d/fail2ban restart


1. Install HAVP

apt-get install havp


2. Start HAVP if it didn't start after the installation

/etc/init.d/havp start


It's ready, by default HAVP listens on port 8080. You can configure your web browser to use the server as a proxy.

You can customize the error pages by editing the html files in this directory: /etc/havp/templates/en/

After a user authenticates themselves, the user's identity will be available in the REMOTE_USER variable. A cookie named open_id_session_id is saved to maintain each user's session.

1. Install the module

apt-get install libapache2-mod-auth-openid


2. Enable the module

a2enmod authopenid


3. You can now add the line below to any Directory, Location or File directive in the virtual host configuration or a .htaccess file .

AuthOpenIDEnabled On


Click here for more configuration options, including only allowing logins from specific OpenID providers and using a custom login page

4. Restart Apache

/etc/init.d/apache2 restart


It queries sbl-xbl.spamhaus.org, taking advantage of the Spamhaus Block List (SBL) and the Exploits Block List (XBL).

1. Download the latest mod_spamhaus deb package from sid package repository (mod_spamhaus is not available for lenny but we can use the sid package)

wget http://ftp.us.debian.org/debian/pool/main/m/mod-spamhaus/libapache2-mod-spamhaus_0.7-1_i386.deb


This package is for i386. If you are using other architecture, you can find a suitable package on the bottom of this page: http://packages.debian.org/sid/libapache2-mod-spamhaus

2. Install the package

dpkg -i libapache2-mod-spamhaus_0.7-1_i386.deb


Apache is automatically restarted and the module is enabled. If you would like to test the module you can add a line to your hosts file to make it think that your IP address is blocked (pico /etc/hosts)

127.0.0.4 1.0.168.192.sbl-xbl.spamhaus.org


Replace 1.0.168.192 with your IP address and reverse it. The IP address 192.168.0.1 should read 1.0.168.192.

By default, only POST, PUT, OPTIONS, CONNECT methods are blocked. You can add GET to the list of methods blocked in /etc/apache2/mods-enabled/mod-spamhaus.conf to block the spammers from seeing your website.

1. Install the required packages

apt-get install pptpd


2. Configure the IP range assigned to clients (pico /etc/pptpd.conf)

localip 192.168.1.2
remoteip 192.168.1.10-20


Using this config the clients are assigned any IP address between and including 192.168.1.10 and 192.168.1.20.

3. Restart the PPTP daemon

/etc/init.d/pptpd restart


4. Create a user allowed to connect (pico /etc/ppp/chap-secrets)

user1 pptpd secretpassword *


Passwords are not encrypted. This allows the a user with the username: user1 and the password: secretpassword to login from any ip address.

5. Enable IP forward at startup to allow the VPN clients to connect to the server's local network. (pico /etc/sysctl.conf)

net.ipv4.ip_forward=1


Also run this command to activate the IP forward instantly:

echo 1 > /proc/sys/net/ipv4/ip_forward


6. Create a routing rule to allow the VPN clients to route network traffic through the server.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Read this tutorial to learn how to create iptables rules on startup:
Loading iptables rules on startup

1. Install suPHP

apt-get install libapache2-mod-suphp


2. Disable the php5 apache module

a2dismod php5


3. Restart Apache

/etc/init.d/apache2 restart


4. You can test if suPHP is working correctly by creating a php file containing the following lines:

<?php
system('id');
?>


The script will return user/group id and name. Make sure you set the file owner to a user/group with id greater than 99.

1. Install Nikto

apt-get install nikto


2. Test the local web server

nikto -h localhost


Nikto also supports testing on different ports. Click here for Nikto usage information.