load-net

wordpres

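  # Base packages for a WordPress host on Debian/Ubuntu: MariaDB, nginx and
# PHP 7.4-FPM from the packages.sury.org repository. apt-get is used instead of
# apt because apt's CLI is documented as unstable for non-interactive use.
sudo apt-get update
sudo apt-get install -y mariadb-server mariadb-client curl
sudo systemctl status mariadb

sudo apt-get update && sudo apt-get -y full-upgrade
# Reboot only when the upgrade asks for it. Plain "reboot" lets services shut
# down cleanly; "reboot -f" skips init and can leave filesystems dirty.
[ -f /var/run/reboot-required ] && sudo reboot

sudo apt-get -y install lsb-release apt-transport-https ca-certificates
# Third-party signing key. Keeping it in its own keyring and binding it to the
# repository with [signed-by=...] means it can only sign packages from
# packages.sury.org; a key dropped into /etc/apt/trusted.gpg.d/ would be
# trusted for every configured repository. (keyring path chosen here)
sudo wget -O /usr/share/keyrings/sury-php.gpg https://packages.sury.org/php/apt.gpg

echo "deb [signed-by=/usr/share/keyrings/sury-php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list

sudo apt-get update
sudo apt-get install -y php7.4
sudo apt-get install -y php7.4-{bcmath,bz2,intl,gd,mbstring,mysql,zip}
sudo apt-get install -y nginx php7.4-fpm
systemctl status php7.4-fpm nginx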
  18.  
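  # Make the PHP-FPM socket in /etc/php/7.4/fpm/pool.d/www.conf owned by the
# nginx worker user. On Debian both nginx and php-fpm run as www-data, so the
# pool file already says "listen.owner = www-data" / "listen.group = www-data"
# and the original substitution (www-data -> www-data) changed nothing. The
# patterns below set the value whatever is there now, including a line that is
# commented out with a leading ';'.
sudo sed -i -E 's/^;?\s*listen\.owner\s*=.*/listen.owner = www-data/' /etc/php/7.4/fpm/pool.d/www.conf
sudo sed -i -E 's/^;?\s*listen\.group\s*=.*/listen.group = www-data/' /etc/php/7.4/fpm/pool.d/www.conf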
  24.  
  25.  
  26.  
  27.  
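  # Web root and per-site log directory. The original repeated the chmod on the
# web root and unconditionally chown'ed an uploads directory that does not
# exist before WordPress is unpacked; that step is now guarded (the recursive
# chown after the unpack covers it anyway).
sudo mkdir -p /var/www/html/load.sytes.net/public
sudo mkdir -p /var/log/nginx/load.sytes.net

# 755 lets the nginx worker traverse and read; only www-data may write.
sudo chmod -R 755 /var/log/nginx/load.sytes.net
sudo chown -R www-data:www-data /var/log/nginx/load.sytes.net

sudo chmod -R 755 /var/www/html/load.sytes.net
sudo chown -R www-data:www-data /var/www/html/load.sytes.net

[ -d /var/www/html/load.sytes.net/public/wp-content/uploads/2023/03/ ] \
  && sudo chown -R www-data:www-data /var/www/html/load.sytes.net/public/wp-content/uploads/2023/03/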
  42.  
  43.  
  44.  
  45.  
  46. mcedit /etc/nginx/sites-available/load.sytes.net.conf
  47.  
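  # First version of /etc/nginx/sites-available/load.sytes.net.conf: only used
# to verify that nginx reaches PHP-FPM. No "listen" directive: nginx defaults
# to *:80 when started as root.
server {
    server_name load.sytes.net www.load.sytes.net;
    root /var/www/html/load.sytes.net/public;

    location / {
        index index.html index.htm index.php;
    }

    location ~ \.php$ {
        # Refuse URLs whose script does not exist on disk instead of handing
        # them to PHP-FPM.
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}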
  64.  
  65. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  66.  
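  # Smoke test only. phpinfo() discloses the complete PHP and server
# configuration, so this index.php must be deleted (the WordPress unpack below
# overwrites it) before the host is reachable from the internet.
printf '%s\n' '<?php phpinfo(); ?>' | sudo tee /var/www/html/load.sytes.net/public/index.php

sudo systemctl restart nginx php7.4-fpm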
  70.  
  71. **********************************************************************************
  72.  
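  # PHP-FPM limits for WordPress uploads, in one sed pass. The patterns are
# anchored at line start so only the active settings change, not the
# ';'-commented defaults. nginx has its own cap (client_max_body_size in
# nginx.conf) that must be at least as large as post_max_size, or uploads are
# rejected with 413 before PHP sees them.
sudo sed -i \
  -e 's/^max_execution_time = .*/max_execution_time = 300/' \
  -e 's/^upload_max_filesize = .*/upload_max_filesize = 64M/' \
  -e 's/^post_max_size = .*/post_max_size = 64M/' \
  /etc/php/7.4/fpm/php.ini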
  76.  
  77.  
  78. mcedit /etc/nginx/sites-available/load.sytes.net.conf
  79.  
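  # Second version of the vhost: WordPress permalinks plus deny rules for
# dotfiles and config/log files. Still plain HTTP (no "listen": defaults to
# *:80); TLS is added by certbot later.
server {
    server_name load.sytes.net www.load.sytes.net;
    root /var/www/html/load.sytes.net/public;

    index index.php index.html;

    access_log /var/log/nginx/load.sytes.net.access.log;
    error_log /var/log/nginx/load.sytes.net.error.log;

    # Prevent access to hidden files, except /.well-known/ (ACME challenges)
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # Prevent access to certain file extensions
    location ~ \.(ini|log|conf)$ {
        deny all;
    }

    # Enable WordPress permanent links
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Do not forward requests for scripts that do not exist on disk.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}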
  112.  
  113.  
  114. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  115.  
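  # Validate before reloading; a failed reload leaves the old config running.
sudo nginx -t && sudo systemctl reload nginx php7.4-fpm

sudo apt-get update
sudo apt-get install -y python3-certbot-nginx
# 2048-bit DH parameters for the DHE suites; referenced by ssl_dhparam in
# nginx.conf.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# The nginx plugin obtains the certificate and edits the vhost itself. The
# webroot-mode command from the original notes pointed at /var/lib/letsencrypt/,
# a directory none of the server blocks above serves, so its HTTP-01 challenge
# could not be answered; it is therefore dropped. The e-mail address is a
# placeholder (redacted in the source) — replace it. Add "-d www.load.sytes.net"
# if that name resolves to this host, so the www server block can use the
# same certificate.
sudo certbot --nginx --agree-tos --email '[email protected]' -d load.sytes.net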
  127.  
  128.  
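  # Database and least-privilege user for WordPress (the user only gets rights
# on wpdatabase.*). 'wppassword' is a placeholder: generate a real secret
# (e.g. openssl rand -base64 24), use the same value in wp-config.php and
# never keep it in shared notes. IF NOT EXISTS makes the block re-runnable.
# The quoted heredoc delimiter stops the shell from expanding anything inside.
sudo mysql -u root -p <<'SQL'
CREATE DATABASE IF NOT EXISTS wpdatabase CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS 'wpuser'@'localhost' IDENTIFIED BY 'wppassword';
GRANT ALL PRIVILEGES ON wpdatabase.* TO 'wpuser'@'localhost';
SQL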
  135.  
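  # Fetch and unpack WordPress. curl -f fails on HTTP errors instead of saving
# an error page as latest.tar.gz; the checksum wordpress.org publishes next to
# the tarball (latest.tar.gz.sha1) is verified and tar only runs if it
# matches. /usr/src is root-owned, hence sudo on the downloads.
cd /usr/src || exit 1
sudo curl -fsSLO https://wordpress.org/latest.tar.gz
sudo curl -fsSLO https://wordpress.org/latest.tar.gz.sha1
printf '%s  latest.tar.gz\n' "$(cat latest.tar.gz.sha1)" | sha1sum -c - \
  && sudo tar -xzf latest.tar.gz \
  && sudo mv wordpress/* /var/www/html/load.sytes.net/public/ \
  && sudo chown -R www-data:www-data /var/www/html/load.sytes.net/public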
  141.  
  142.  
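  # HTTP basic auth in front of /wp-admin. The credentials file is created at
# the path the nginx vhost references (auth_basic_user_file
# /etc/nginx/.htpasswd), outside the web root; the original notes wrote it to
# public/wp-admin/.htpasswd, which nginx never read and which only the
# dotfile deny rule shielded from download. htpasswd comes from apache2-utils
# on Debian; -c creates the file (omit it when adding further users). The
# password is typed twice at the prompt and must not be written down here.
sudo apt-get install -y apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd um
# Readable by the nginx worker user only.
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd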
  146.  
  147.  
  148. Получится так
  149.  
  150. mcedit /etc/nginx/sites-available/load.sytes.net.conf
  151.  
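  # Vhost with basic auth on the admin area, after "certbot --nginx" added the
# TLS settings. Changes from the original notes: the two identical
# "location /wp-admin" blocks (nginx -t rejects a duplicate location) are
# merged, the stray "." after auth_basic_user_file is removed, the realm uses
# an ASCII apostrophe (header values should be ASCII), and PHP requests under
# /wp-admin now pass through the auth block — with a plain prefix location the
# regex "location ~ \.php$" won the match for /wp-admin/*.php, so the admin
# pages themselves were never challenged.
server {
    server_name load.sytes.net www.load.sytes.net;
    root /var/www/html/load.sytes.net/public;

    index index.php index.html;

    access_log /var/log/nginx/load.sytes.net.access.log;
    error_log /var/log/nginx/load.sytes.net.error.log;

    # Prevent access to hidden files, except /.well-known/ (ACME challenges)
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # Prevent access to certain file extensions
    location ~ \.(ini|log|conf)$ {
        deny all;
    }

    # Enable WordPress permanent links
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # ^~ stops regex locations from taking over requests under /wp-admin, so
    # the nested PHP location (which inherits the auth directives) handles
    # the admin scripts.
    location ^~ /wp-admin {
        auth_basic "Administrator's Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        try_files $uri $uri/ =404;

        # admin-ajax.php is also called by the public front end; leaving it
        # behind basic auth breaks those features, so it is exempted.
        location = /wp-admin/admin-ajax.php {
            auth_basic off;
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
    # NOTE: /wp-login.php lives outside /wp-admin and is not covered by the
    # basic auth above.

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/load.sytes.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/load.sytes.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Certbot only handled load.sytes.net: www.load.sytes.net on port 80 falls
# through to the 404 below until the www name is included in the certificate.
server {
    if ($host = load.sytes.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name load.sytes.net www.load.sytes.net;
    listen 80;
    return 404; # managed by Certbot
}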
  227.  
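  ##################################################################
# Apply the vhost: validate first, then reload. A reload keeps existing
# connections; the restart that followed it in the original was redundant.
sudo nginx -t && sudo systemctl reload nginx php7.4-fpm
##################################################################
#### Main configuration (it is a file, not a directory): mcedit /etc/nginx/nginx.conf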
  233.  
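  # /etc/nginx/nginx.conf — main configuration for this host. Lines marked
# CHANGED differ from the original notes; NOTE(review) marks assumptions to
# confirm on the box.
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 30000;
pid /var/run/nginx.pid;
pcre_jit on;

events {
    worker_connections 8192;
    multi_accept on;
}

http {

    # Basic #######################

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    reset_timedout_connection on;
    keepalive_timeout 120;
    keepalive_requests 1000;
    types_hash_max_size 2048;
    server_tokens off;
    send_timeout 30;
    client_body_timeout 30;
    client_header_timeout 30;
    server_names_hash_max_size 4096;

    # Limits ######################

    # CHANGED: 10m was below the 64M post_max_size/upload_max_filesize set in
    # php.ini on this host, so nginx rejected larger uploads with 413 before
    # PHP saw them.
    client_max_body_size 64m;
    client_body_buffer_size 128k;
    # NOTE(review): the Debian package creates /var/lib/nginx, not
    # /var/cache/nginx — confirm these temp directories exist and are writable
    # by www-data, otherwise nginx fails to start.
    client_body_temp_path /var/cache/nginx/client_temp;

    proxy_connect_timeout 60;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    proxy_buffer_size 4k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    proxy_temp_path /var/cache/nginx/proxy_temp;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logs ########################

    # CHANGED: a space was missing between "$http_x_forwarded_for" and rt=,
    # which glued the two fields together in every access-log line.
    log_format main '$remote_addr - $host [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time ut=$upstream_response_time '
                    'cs=$upstream_cache_status';
    log_format full '$remote_addr - $host [$time_local] "$request" '
                    'request_length=$request_length '
                    'status=$status bytes_sent=$bytes_sent '
                    'body_bytes_sent=$body_bytes_sent '
                    'referer=$http_referer '
                    'user_agent="$http_user_agent" '
                    'upstream_status=$upstream_status '
                    'request_time=$request_time '
                    'upstream_response_time=$upstream_response_time '
                    'upstream_connect_time=$upstream_connect_time '
                    'upstream_header_time=$upstream_header_time';

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    # Gzip ########################

    gzip on;
    gzip_static on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/x-icon image/svg+xml application/x-font-ttf;
    # Level 9 costs far more CPU than 6 for a marginal size gain; kept as is.
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_disable "msie6";
    gzip_vary on;

    etag off;

    # Cache #######################

    #proxy_cache_valid 1m;
    #proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
    #proxy_cache_path /web/sites/nginx_cache levels=1:2 keys_zone=main:1000m;

    # Zone limits ################
    # These zones are only definitions; nothing takes effect until a vhost
    # references them with limit_conn / limit_req.

    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone $binary_remote_addr zone=lim_5r:10m rate=5r/s; # lim for dynamic page
    limit_req_zone $binary_remote_addr zone=lim_1r:10m rate=1r/s; # lim for search page
    limit_req_zone $binary_remote_addr zone=lim_10r:10m rate=10r/s;

    # SSL #########################

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # CHANGED: nginx never rotates its ticket key, so with tickets on a
    # long-lived worker undermines forward secrecy; the session cache above
    # still gives resumption.
    ssl_session_tickets off;
    # CHANGED: TLS 1.0 and 1.1 dropped (deprecated by RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    # CHANGED: the 3DES suites are removed and !3DES added so the bare "ECDHE"
    # selector cannot re-enable them (Sweet32). NOTE(review): the TLS13-*
    # names are not OpenSSL names; OpenSSL ignores unknown tokens and uses
    # its default TLS 1.3 suites.
    ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!3DES';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    # CHANGED: "always" also sends HSTS on error responses, not just 2xx/3xx.
    add_header Strict-Transport-Security max-age=15768000 always;
    resolver 8.8.8.8;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;


    # For monitoring ###########

    server {
        listen 127.0.0.1:80;
        server_name status.localhost;
        keepalive_timeout 0;
        allow 127.0.0.1;
        deny all;
        access_log off;

        location /server-status {
            stub_status on;
        }

        location /status {
            access_log off;
            allow 127.0.0.1;
            deny all;
            include fastcgi_params;
            # CHANGED: every vhost on this host talks to
            # /run/php/php7.4-fpm.sock; /run/php-fpm/www.sock does not exist
            # here. The page only answers if pm.status_path = /status is
            # enabled in the FPM pool.
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}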
  371.  
  372. ##################################################################
  373. ##################################################################
  374. mcedit /etc/nginx/sites-available/load.sytes.net.conf
  375. ##################################################################
  376. ##################################################################
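  # Final vhost: HTTPS on the canonical host; www and plain-HTTP variants
# redirect. NOTE: the basic auth on /wp-admin from the previous version of this
# file is not present here. Lines marked CHANGED differ from the original.
server {
    listen 443 ssl http2;
    server_name load.sytes.net;
    root /var/www/html/load.sytes.net/public;
    index index.php index.html index.htm;
    access_log /var/log/nginx/load.sytes.net.access.log;
    error_log /var/log/nginx/load.sytes.net.error.log;

    ssl_certificate /etc/letsencrypt/live/load.sytes.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/load.sytes.net/privkey.pem; # managed by Certbot

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # CHANGED: the dot before the extension group was unescaped ("^.+.(js|..."),
    # so any name merely ending in "js", "css", ... matched this location.
    location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|woff)$ {
        access_log off;
        expires max;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        # CHANGED: derived from "root" instead of repeating the path three times.
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param HTTPS on;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CHANGED: deny every dotfile and dot-directory (.git, .env, .htpasswd,
    # ...) rather than only .ht*, except /.well-known/ used for ACME
    # challenges — the same rule the earlier versions of this file used.
    location ~* /\.(?!well-known\/) {
        deny all;
    }
}

server {
    listen 443 ssl http2;
    server_name www.load.sytes.net;
    # CHANGED: a "listen ... ssl" server with no certificate makes nginx -t
    # fail, so the site certificate is reused. NOTE(review): it must list
    # www.load.sytes.net as a SAN (re-issue with certbot -d for both names),
    # otherwise browsers warn before ever seeing the redirect.
    ssl_certificate /etc/letsencrypt/live/load.sytes.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/load.sytes.net/privkey.pem;
    return 301 https://load.sytes.net$request_uri;
}

server {
    listen 80;
    server_name load.sytes.net;
    access_log /var/log/nginx/load.sytes.net.access.log;
    error_log /var/log/nginx/load.sytes.net.error.log;
    # CHANGED: this server only redirects, so root/index and the "location /"
    # wrapper around the return were dropped; behaviour is the same.
    return 301 https://load.sytes.net$request_uri;
}

server {
    listen 80;
    server_name www.load.sytes.net;
    # CHANGED: straight to the canonical HTTPS host (one redirect instead of
    # http://www -> http://load.sytes.net -> https://load.sytes.net).
    return 301 https://load.sytes.net$request_uri;
}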
  461. ##################################################################
  462. ##################################################################
  463.  
  464. ##################################################################
  465. ##################################################################
  466.  
  467. Snuffleupagus
  468. https://zinglau.com/projects/ObfuscatedOpenSSHPatches.html
  469. https://github.com/dev-sec/ansible-collection-hardening
  470. https://www.sherbers.de/running-nginx-without-root/
  471. https://www.upguard.com/blog/top-11-ways-to-improve-mysql-security
  472.  
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483.  
  484.  
  485.  
  486. logrotate
  487.  
  488. ####################################################################################
  489. mcedit /etc/logrotate.d/nginx
  490.  
  491.  
  # /etc/logrotate.d/nginx — size-driven rotation of the nginx logs. Per
# logrotate(8) "size" takes precedence over the "daily" interval: a file is
# rotated on the first logrotate run after it exceeds 10M (cron runs
# logrotate every 5 minutes on this host).
/var/log/nginx/*.log {
    # trigger and naming of rotated files
    size 10M
    daily
    dateext
    dateformat -%Y-%m-%d_%H-%s
    rotate 14
    missingok
    notifempty
    # compress, but keep the most recent rotated file uncompressed one cycle
    compress
    delaycompress
    # fresh log files: www-data writes, group adm may read
    create 0640 www-data adm
    # run the scripts once for the whole glob, not once per file
    sharedscripts
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi \
    endscript
    postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}
  513.  
  514. ######################
  515. mcedit /etc/logrotate.conf
  516.  
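  # /etc/logrotate.conf — Debian default (a stray "]" from the original notes
# that preceded the first line has been removed; logrotate would reject it).
# see "man logrotate" for details

# global options do not affect preceding include directives

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
# (the nginx entry above overrides the weekly interval with "size 10M")
include /etc/logrotate.d

# system-specific logs may also be configured here.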
  541.  
  542.  
  543.  
  544. #############################
  545.  
  546. mcedit /etc/crontab
  547.  
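  # /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
# Size-based nginx log rotation every 5 minutes. Entries in /etc/crontab need
# a user field; the original line had none, so cron rejected it and logrotate
# only ever ran from the daily job.
*/5 *   * * *   root    /etc/cron.daily/logrotate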
  571.  
  572.  