Table of Contents

0 Preliminary stuff

0.1 System update

apt update
apt upgrade
apt dist-upgrade
apt autoremove
apt autoclean

1 SSH Setup

1.1 Add authorized keys

✏️ /root/.ssh/authorized_keys

If you need to generate a key, you can use PuTTyGen or the following command:

ssh-keygen -t rsa -b 4096 -C ""

1.2 ssh config

✏️ /etc/ssh/sshd_config


  • Port <Change to whatever>
  • PermitRootLogin prohibit-password
  • PubkeyAuthentication yes
  • PasswordAuthentication no
  • PermitEmptyPasswords no
  • ChallengeResponseAuthentication no
  • UsePAM no
  • X11Forwarding no
  • PrintMotd no
  • UseDNS no
  • AcceptEnv LANG LC_*

📝 Example file

⚙️ Restart ssh and reconnect:

service ssh restart

2 General config

2.1 Tools

Common tools

apt install -y software-properties-common gnupg2 curl wget

2.1.1 git

Git logo

Git will be used to manage websites from github repositories.


apt install -y git
git --version


git config --global "Your name"
git config --global ""
git config --global core.editor "vim"

💡 Documentation (

2.1.2 vim

Vim logo

Vim is a free and open-source, screen-based text editor program.

apt install vim

2.2 Rsync

2.3 Cron

2.4 Other

Change timezone

timedatectl set-timezone Europe/Paris

3 Webserver

3.1 Apache2

Apache Logo

Apache 2.4 will operate PHP

💡 Documentation (

3.1.1 Install

apt install -y apache2

Check its status:

systemctl status apache2

Ensure that the service will be started at boot:

systemctl enable apache2

3.1.2 Configuration

✏️ /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also have to change the VirtualHost statement in /etc/apache2/sites-enabled/000-default.conf
Listen 8085

# <IfModule ssl_module>
# 	Listen 443
# </IfModule>

# <IfModule mod_gnutls.c>
# 	Listen 443
# </IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

✏️ /etc/apache2/conf-available/charset.conf

# Read the documentation before enabling AddDefaultCharset.
# In general, it is only a good idea if you know that all your files have this encoding. It will override any encoding given in the files in meta http-equiv or xml encoding tags.

AddDefaultCharset UTF-8

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

✏️ /etc/apache2/conf-available/javascrip-common.conf

Alias /javascript /usr/share/javascript/

<Directory "/usr/share/javascript/">
	Options FollowSymLinks MultiViews

✏️ /etc/apache2/conf-available/security.conf

  • ServerTokens Prod
  • ServerSignature Off
  • TraceEnable Off

✏️ /etc/apache2/conf-custom/wordpress.conf

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]

Enable configurations

a2enconf charset  javascrip-common  security

Enable mods

a2enmod rewrite http2 mime ssl deflate env headers mpm_event deflate actions

3.1.3 VirtualHosts config

⚙️ Then, restart the service.

systemctl restart apache2

3.2 Nginx

Nginx Logo

Nginx will be used as a reverse-proxy for Apache and NodeJS. It will operate static files.

💡 Documentation (

3.2.1 Install

apt install -y nginx

3.2.2 Configuration

✏️ /etc/nginx/nginx.conf

✏️ /etc/nginx/conf.d/cache.conf

add_header Cache-Control "public, max-age=31536000, immutable";

✏️ /etc/nginx/conf.d/charset.conf

map $sent_http_content_type $charset {
    default '';
    ~^text/ utf-8;
    text/css utf-8;
    application/javascript utf-8;
    application/rss+xml utf-8;
    application/json utf-8;
    application/manifest+json utf-8;
    application/geo+json utf-8;

charset $charset;
charset_types *;

✏️ /etc/nginx/conf.d/default.conf

upstream apachephp {
    server <SERVER_IP>:<PORT_APACHE>;

server {
    charset utf-8;
    source_charset utf-8;
    override_charset on;
    server_name localhost;

✏️ /etc/nginx/conf.d/headers.conf

# add_header X-Frame-Options "SAMEORIGIN";
# add_header X-XSS-Protection "1;mode=block";
add_header X-Content-Type-Options nosniff;
add_header Cache-Control "public, immutable";
add_header Strict-Transport-Security "max-age=500; includeSubDomains; preload;";
add_header Referrer-Policy origin-when-cross-origin;
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' http: https: blob: * *; img-src 'self' data: http: https: blob: * *; script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: blob: * * * *; style-src 'self' 'unsafe-inline' http: https: blob: * *; font-src 'self' data: http: https: blob: * *; child-src http: https: blob:; base-uri 'self'; frame-ancestors 'self'";

✏️ /etc/nginx/conf.d/proxy.conf

proxy_redirect			off;
proxy_set_header		Host		$host;
proxy_set_header		X-Real-IP	$remote_addr;
proxy_set_header		X-Forwarded-For	$proxy_add_x_forwarded_for;

client_max_body_size		10m;
client_body_buffer_size		128k;
proxy_connect_timeout		90;
proxy_send_timeout		90;
proxy_read_timeout		90;
proxy_buffer_size		16k;
proxy_buffers			32	16k;
proxy_busy_buffers_size		64k;

✏️ /etc/nginx/conf.d/webmanifest.conf

add_header X-Content-Type-Options nosniff;
add_header Cache-Control "max-age=31536000,immutable";

✏️ /etc/nginx/snippets/cache.conf

add_header Cache-Control "public, no-transform";

✏️ /etc/nginx/snippets/expires.conf

map $sent_http_content_type $expires {
	default off;
	text/html epoch;
	text/css max;
	application/javascript max;
	~image/ max;

✏️ /etc/nginx/snippets/favicon_error.conf

location = /favicon.ico {
    access_log off;
    log_not_found off;
location = /robots.txt {
    return 204;
    access_log off;
    log_not_found off;

✏️ /etc/nginx/snippets/gzip-config.conf

types {
	application/x-font-ttf           ttf;
	font/opentype                    ott;

gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
gzip_buffers 16 8k;
gzip_http_version 1.1;
#gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by gzip module
# don't compress woff/woff2 as they're compressed already

✏️ /etc/nginx/snippets/ssl-config.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Dropping SSL and TLSv1
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Cache credentials
ssl_session_timeout 1h;

# Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;

✏️ /etc/nginx/mime.types

3.2.3 VirtualHosts config

⚙️ Then, check if your config is okay and restart the service.

nginx -t
systemctl restart nginx

3.3 PHP


3.3.1 Installation

To use php 8, a third party repository is needed. If you want to stick with php 7.4, ignore the first steps and replace "8.3" by "7.4".

apt -y install apt-transport-https lsb-release ca-certificates curl wget
wget -O /etc/apt/trusted.gpg.d/php.gpg
sh -c 'echo "deb $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

Then update php and check if php 8 is available for installation.

apt update
apt-cache policy php

If everything is reay, install the version of php you need, then check if it's installed correctly.

apt install php8.3 php8.3-opcache libapache2-mod-php8.3 php8.3-mysql php8.3-curl php8.3-gd php8.3-intl php8.3-mbstring php8.3-xml php8.3-zip php8.3-fpm php8.3-readline php8.3-xml
php -v

Add a mod fof factcgi in apache.

✏️ /etc/apache2/mods-enabled/fastcgi.conf

<IfModule mod_fastcgi.c>
	AddHandler fastcgi-script .fcgi
	FastCgiIpcDir /var/lib/apache2/fastcgi

	AddType application/x-httpd-fastphp .php
	Action application/x-httpd-fastphp /php-fcgi
	Alias /php-fcgi /usr/lib/cgi-bin/php-fcgi
	FastCgiExternalServer /usr/lib/cgi-bin/php-fcgi -socket /run/php/php8.3-fpm.sock -pass-header Authorization

	<Directory /usr/lib/cgi-bin>
		Require all granted

And enable it.

a2enmod fastcgi

Enable the php8.3-fpm service.

a2enmod proxy_fcgi setenvif
a2enconf php8.3-fpm
a2dismod php8.3

⚙️ Then restart Apache2.

Once everything is working, configure your php instance.

✏️ /etc/php/8.1/fpm/php.ini

  • max_execution_time = 300
  • post_max_size = 512M
  • upload_max_filesize = 512M
  • date.timezone = Europe/Paris

3.4 NodeJS

NodeJS Logo

NodeJS can be installed with the package manager, but in order to get more flexibility over the version, I prefer to use NVM (Node Version Manager).

💡 Documentation (

Download the latest installer script from the repository and run it.

curl -sL -o
source ~/.profile
nvm -v

Then, install the desired version of NodeJS with nvm command:

nvm ls-remote
nvm install v17.2.0
nvm use v17.2.0
nvm alias default 17.2.0

NPM should have been installed with NodeJS. It can be updated right away with the command:

npm i -g npm@latest

3.4.1 Npm-check-Update

Check for outdated, incorrect and unused dependencies, globally or locally.

💡 Documentation (

npm install -g npm-check-updates

3.4.2 PM2

PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime and to facilitate common system admin tasks.

💡 Documentation (

npm install pm2 -g

Once it has been started, we need to make sure it restart automatically with each reboot.

pm2 startup

When a process is started with pm2, save a list of currently active processes so it’s restored on reboot.

pm2 save

If needed, a save can be loaded manually.

pm2 restore

4 Databases

4.1 MariaDB

Maria DB Logo

MariaDB Server is one of the most popular open source relational databases. It’s made by the original developers of MySQL and guaranteed to stay open source. It is part of most cloud offerings and the default in most Linux distributions.

It is built upon the values of performance, stability, and openness, and MariaDB Foundation ensures contributions will be accepted on technical merit. Recent new functionality includes advanced clustering with Galera Cluster 4, compatibility features with Oracle Database and Temporal Data Tables, allowing one to query the data as it stood at any point in the past.

💡 Documentation (

4.1.1 Install

apt install mariadb-server mariadb-client

Run secure script to set password, remove test database and disabled remote root user login.


Create an admin utilisator for external connections.

mysql -u root -p

4.2 MongoDB

MongoDB Logo

MongoDB is a source-available cross-platform document-oriented database program. Classified as a NoSQL database program, MongoDB uses JSON-like documents with optional schemas. MongoDB is developed by MongoDB Inc. and licensed under the Server Side Public License (SSPL).

💡 Documentation (

4.2.1 Install

🛑 MongoDB has odd compatibility issues with CPUs. It needs AVX, which is not available on all CPUs, mostly server CPUs.

If you can't use the last version, you must try with previous ones.

MongoDB must be added to package manager, and require a pgp key to do so.


curl -fsSL | \ gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \ --dearmor
echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] bullseye/mongodb-org/7.0 main" | tee /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
apt install -y mongodb-org

4.2.2 Configure

✏️ /etc/mongod.conf

  port: <CUSTOM_PORT>`
chown -R mongodb:mongodb /var/lib/mongodb
chown -R mongodb:mongodb /var/log/mongodb

Then, start the service.

systemctl start mongod
chown mongodb:mongodb /tmp/mongodb-<CUSTOM_PORT>.sock
systemctl enable mongod
mongod --version

🛑 After installation, MongoDB is not secured at all, and can be accessed without password. It MUST be setup properly. 🛑

First, connect to the database and use admin database to create a new user.

mongo --port <CUSTOM_PORT>
use admin
db.createUser({ user: "admin", pwd: "admin", roles: [{role: "userAdminAnyDatabase", db: "admin"}, "readWriteAnyDatabase" ]})

Next, configure MongoDB file configuration.

✏️ /etc/mongod.conf

  authorization: enabled`

⚙️ Then restart the service.

systemctl restart mongod

To connect to the database, use the command:

mongo --port <CUSTOM_PORT> -u mongouser -p --authenticationDatabase admin

4.3 PhpMyAdmin

🔺I’ll be testing and using Adminer on my new server. The configuration shown here is for documentation purpose. Jump to next section for Adminer installation.

4.4 Adminer

Alternative to PhpMyAdmin, Adminer is a web-based MySQL management tool. It is a free and open-source database management tool written in PHP.

💡 Documentation (

wget "" -O /var/www/emmanuelbeziat/sql/adminer.php
wget "" -O /var/www/emmanuelbeziat/sql/adminer.css
chown -R www-data:www-data /var/www/emmanuelbeziat/sql
chmod -R 755 /var/www/emmanuelbeziat/sql/adminer.php

To add plugins, create an index file in the same directory:

function adminer_object() {
    // required to run any plugin
    include_once './plugins/plugin.php';

    // autoloader
    foreach (glob("plugins/*.php") as $filename) {
        include_once "./$filename";

    $plugins = [
        // specify enabled plugins here

    /* It is possible to combine customization and plugins:
    class AdminerCustomization extends AdminerPlugin {
    return new AdminerCustomization($plugins);

    return new AdminerPlugin($plugins);

// include original Adminer or Adminer Editor
include './adminer.php';


Letsencrypt logo

Create SSL certificates for virtualhosts.

5.1 Certbot

Preliminary, it is needed to install the package manager snap (, as it’s now the preferred way of installing certbot.

apt install snapd
snap install snapd

💡 Documentation (

snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

Simply add a new domain:

certbot certonly --webroot -w /var/www/mywebsite/ -d -d

If, at any point, this certificate needs to be expanded to include a new domain, you can use the --cert-name command (the expand command would create a -0001 version):

certbot --cert-name -d,,

Renewal should be enabled by default.

6 Webhook

6.1 Install Go

Go logo

Webhook require Go to be installed.

Go to Go website to get the latest version.

tar -xvf go1.17.4.linux-amd64.tar.gz -C /usr/local

Add go to PATH variable and check if it is working.

export PATH=$PATH:/usr/local/go/bin
go version

6.2 Install Webhook

💡 Documentation (

apt install -y webhook

Prepare the general config file.

✏️ /usr/share/hooks/hooks.json

Add the script to be executed by the hooks

✏️ /usr/share/hooks/mywebsite/


exec > /usr/share/hooks/mywebsite/output.log 2>&1

git fetch --all
git checkout --force "origin/main"

Then make it executable.

chmod +x /usr/share/hooks/mywebsite/

⚙️ Run webhook with:

/usr/bin/webhook -hooks hooks.json -secure -verbose

6.2.1 Custom service

In case webhook default service isn't providing enough flexibility, you can create a custom service.

Start by disabling the default service:

systemctl disable webhook

Let’s create a service file:

✏️ /opt/webhook/webhook.service:

Description=Webhook Custom Service

ExecStart=/usr/bin/webhook -hooks=/usr/share/hooks.json -hotreload=true -port=9000 -secure=false -verbose=true -debug=false


Now, it needs to be linked in /etc/systemd/system/:

ln -s /opt/webhook/webhook.service /etc/systemd/system/mywebhook.service
systemctl daemon-reload
systemctl enable mywebhook
systemctl start mywebhook

Every change made will be automatically taken in account, so you don’t have to reload the configuration manually like apache or nginx.

💡 Documentation (

7 Mail server

This configuration will create a forwarding system to any regular mail service (like gmail).

Configure a full mail server is a pain in the ass, I highly recommand to check out this whole guide from

First, you need to create a DNS record for your domain.

@ 86400 IN MX 10

You can also create a DNS record for SPF. For example, with google services:

@ 10800 IN TXT "v=spf1 +mx +a +ip4:<YOUR_IP> ?all"

7.1 Postfix

Install Postfix (duh).

apt install -y postfix

7.1.1 Configure Postfix as a Forwarding System Mail

During the install, an assistant will ask which type of mail configuration you wish to use. Chose "no configuration".

Let’s configure the file:

✏️ /etc/postfix/

  • myhostname = <DOMAIN>

At the end of the file, add:

inet_protocols = all
inet_interfaces = all

virtual_alias_domains = <DOMAIN>
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/postfix/virtual
alias_database = hash:/etc/postfix/virtual
mydestination = localhost
relayhost =
mailbox_size_limit = 0
recipient_delimiter = +

# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Now, we need to create a virtual file, and add all the domains to be used as virtual mailboxes (one per line):

✏️ /etc/postfix/virtual


⚙️ Then, you need to build the virtual file as a data service. Then, restart Postfix:

postmap /etc/postfix/virtual
systemctl restart postfix

7.2 Spamassassin


Start by installing Spamassassin.

apt install spamassassin

Then, we need to create a user and a group:

adduser spamassassin

Edit the configuration file:

✏️ /etc/default/spamassassin

OPTIONS="--username spamassassin --nouser-config --max-children 2 --helper-home-dir ${SAHOME} --socketowner=spamassassin --socketgroup=spamassassin --socketmode=0660"

Lastly, create a file named spamassassin in /var/spool/postfix/private, and give it the owner postfix (110/117).

7.2.2 Configure with Postfix

✏️ /etc/postfix/

Replace line smtp:

smtp inet n - - - - smtpd -o content_filter=spamassassin

At the end, add:

spamassassin unix - n n - - pipe
user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Reload configuration by restarting:

systemctl restart spamassassin
systemctl restart postfix

💡 Documentation (

7.3 DKIM

DKIM is a signature authentification for mailing. It prevent mails from ending into spam folders.

apt install opendkim opendkim-tools spamass-milter

Let’s configure the file opendkim.conf file, by adding this at the end:

✏️ /etc/opendkim.conf

AutoRestart             Yes
AutoRestartRate         10/1h
UMask                   007
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /run/opendkim/
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

Then create the folders:

mkdir /etc/opendkim
mkdir /etc/opendkim/keys

✏️ /etc/default/openkimd

smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:12301

🔺In the next steps, mail is going to be a reference to the selector. In this example, the target mail address would be It could be changed to anything, but be sure to keep the selector of your choice and use it in replacement for mail in every step.

And finally, each configuration files:

✏️ /etc/opendkim/TrustedHosts

✏️ /etc/opendkim/KeyTable

✏️ /etc/opendkim/SigningTable


When using spamassassin, change the option in spamass-milter:

✏️ /etc/default/spamass-milter

OPTIONS="-u spamass-milter -i -m -I -- --socket=/var/run/spamassassin/spamd.sock"

Next step is generating a key pair:

cd /etc/opendkim/keys
opendkim-genkey -s mail -d

This will generate mail.private and mail.txt, which contains the public key you need to note.

You need to set the owner on the private file.

chown opendkim:opendkim mail.private

Now restart opendkim to reload the configuration:

systemctl restart opendkim

Then, you need to create a new DNS record.

mail._domainkey 10800 IN TXT "v=DKIM1; k=rsa; p=<YOUR_PUBLICKEY>"


apt install opendmarc

✏️ /etc/opendmarc.conf

Socket inet:54321@localhost

✏️ /etc/postfix/

smtpd_milters = inet:localhost:12301 inet:localhost:54321
non_smtpd_milters = inet:localhost:12301 inet:localhost:54321
systemctl restart opendmarc
systemctl restart postfix

DNS: 3600 IN TXT "v=DMARC1;p=quarantine;pct=100;;;adkim=s;aspf=r"

7.5 Testing

A few tools to test your mail configuration:

8 Security

8.1 UFW

UFW is a firewall that provides a simple, easy-to-use interface for managing network.

apt install ufw

🔺 UFW is NOT enabled by default, to avoid being locked out the server. To check the status, use:

ufw status

Default rules are located in /etc/default/ufw. Applications rules are defined in /etc/ufw/applications.d/.

🛑 Let’s start by allow your SSH port to avoid being locked out. There must be a rule for SSH. Use ufw app list to list all applications.

if not, let’s create it:

✏️ /etc/ufw/applications.d/openssh-server:

title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.

If it exist, be sure to change the SSH port. Then add it to the active rules:

ufw allow in "OpenSSH"

Now, proceed to add other needed rules, either with ufw allow or ufw deny, on a chosen port. Alternatively, you can use ufw allow <app> to allow all traffic on a given application.

ufw allow in "WWW full"
ufw allow in "postfix"

⚙️ Finally, enable UFW and check its status:

ufw enable
ufw status

If you have installed Webhook, let’s make a custom application rule:

✏️ /etc/ufw/applications.d/webhook

title=Webhook Service
description=Lightweight configurable tool written that allows you to easily create HTTP endpoints

Ufw usually reload after adding a new rule. Check the status, and reload if needed.


You can list all ufw rules with a specific number, for example to easily delete them.

ufw status numbered
ufw delete <number>

8.2 Fail2ban

8.2.1 Installation

apt install fail2ban

To avoid custom rules to be erased by a new update, create a copy of the configuration file.

cp /etc/fail2ban/jail.conf  /etc/fail2ban/jail.local

8.2.2 Custom configuration

✏️ /etc/fail2ban/jail.local

  • Under [DEFAULT] section, change / add the following parameters:

    • bantime = 5h
    • findtime = 20m
    • maxretry = 5
    • ignoreip = ::1
    • banaction = ufw
    • banaction_allports = ufw
  • Under [sshd]:

    • port = <SSH_PORT>
    • enabled = true
  • Under [POSTFIX] (if installed):

    • port = <SMTP_PORT>
    • enabled = true
    • mode = aggressive

⚙️ Then, restart the service to load the new configuration and check its status.

systemctl restart fail2ban
fail2ban-client status
fail2ban-client status sshd

⚙️ If everything works fine, enable the service at startup:

systemctl enable fail2ban.service

8.2.3 Custom filters

If you want to use custom filters with fail2ban it's possible by creating new files in /etc/fail2ban/filter.d/.


10 Services

10.1 Screenshot app (Monosnap, ShareX, etc.)

ShareX Logo

The point here is to define an access for a screenshot app to upload files in a specific directory via sftp.

Start by creating a new user:

adduser screenshot

Let’s allow the user to connect to ssh with a password. Edit the ssh config file and add the following at the end:

✏️ /etc/ssh/sshd_config

# Example of overriding settings on a per-user basis
Match User screenshot
	PasswordAuthentication yes

⚙️ Restart ssh

service ssh restart

Now you just need to give the user access to the directory where the files will be uploaded:

chown -R screenshot:screenshot /path/to/folder/

10.2 VPN

10.3 Auto saves via FTP


