Bash scripts to automatically setup LAMP server following best practices.

Current version: lamp-ubuntu20.sh

• Log in to your fresh Ubuntu server as root
• Download the most recent version of the script: wget https://raw.githubusercontent.com/Lyquix/ubuntu-lamp/master/lamp-ubuntu22.sh
• Change permissions: chmod 755 lamp-ubuntu22.sh
• Run and follow prompts: ./lamp-ubuntu22.sh

• Checks that you are root
• Set the hostname. In general it is a good idea to use the real domain for your site as hostname.
• Update packages from repo
• Install utility software, Apache, PHP and MySQL (see detailed list below)
• Setup unattended upgrades
• Change www-data user password, and allow shell access
• Apache configuration (see details below)
• PHP configuration
• MySQL configuration
• Configure log rotation
• Setup automatic daily database dump and rotation
• Setup basic firewall rules
• Setup fail2ban
• Setup mod_security

• Utility software:
  • curl
  • vim
  • openssl
  • git
  • htop
  • nload
  • nethogs
  • zip
  • unzip
  • sendmail
  • sendmail-bin
  • libcurl3-openssl-dev
  • psmisc
  • build-essential
  • zlib1g-dev
  • libpcre3
  • libpcre3-dev
  • memcached
  • fail2ban
  • iptables-persistent
• Apache and modules
  • apache2
  • apache2-doc
  • apachetop
  • libapache2-mod-php
  • libapache2-mod-fcgid
  • apache2-suexec-pristine
  • libapache2-mod-security2
• PHP 8.1
  • mcrypt
  • imagemagick
  • php8.1
  • php8.1-common
  • php8.1-gd
  • php8.1-imap
  • php8.1-mysql
  • php8.1-mysqli
  • php8.1-cli
  • php8.1-cgi
  • php8.1-zip
  • php-pear
  • php-auth
  • php-mcrypt
  • php-imagick
  • php8.1-curl
  • php8.1-mbstring
  • php8.1-bcmath
  • php8.1-xml
  • php8.1-soap
  • php8.1-opcache
  • php8.1-intl
  • php-apcu
  • php-mail
  • php-mail-mime
  • php8.1-memcached
  • php-all-dev
  • php8.1-dev
  • libapache2-mod-php8.1
• MySQL
• NodeJS 12

• Change maximum number of concurrent request to unlimited: MaxKeepAliveRequests 0
• Change the default timeout: Timeout 60
• Add global settings for /srv/www directory, security settings, and caching:

<Directory /srv/www/>
    Options FollowSymLinks -Indexes -Includes
    AllowOverride all
    Require all granted
    Header set Access-Control-Allow-Origin "*"
    Header set Timing-Allow-Origin: "*"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options sameorigin
    Header unset X-Powered-By
    Header set X-UA-Compatible "IE=edge"
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header set X-XSS-Protection "1; mode=block"
</Directory>

# Disable HTTP 1.0
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# Disable unused HTTP request methods
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

# Disable Trace HTTP request
TraceEnable off

# Disable SSL v2 & v3
SSLProtocol –ALL +TLSv1.2 +TLSv1.3

# Disable server signature
ServerSignature Off
ServerTokens Prod

# Browser Caching #
ExpiresActive On
ExpiresDefault "access plus 30 days"
ExpiresByType text/html "access plus 15 minutes"
Header unset Last-Modified
Header unset ETag
FileETag None

• Configure compression of svg images and font files
• Set correct mime type for font files
• Set correct priority of index files extensions
• Configure memory limits based on actual server memory
• Install ModPageSpeed and set CoreFilters
• Virtual servers configuration
• Log rotation and compression

output_buffering = Off
max_execution_time = 60
max_input_vars = 5000
memory_limit = 256M
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
log_errors_max_len = 0
post_max_size = 20M
upload_max_filesize = 20M

key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
table_cache = 64
log_slow_queries = /var/log/mysql/mysql-slow.log
long_query_time = 1