
Detailed step by step tutorial:

debian 7 + webserver (mysql, php, lighttpd/apache) + phpmyadmin + webmin + tor + hardening + optimization

If something is forgotten, you are welcome to add it.

measure No1:
You should keep the Tor server at your home (or eventually in a rented flat without a contract); in that way nobody will have
access to your server except you. Rented servers can be accessed by workers or police without you seeing it.
A dedicated server is in the hands of data center employees (remember Snowden and the NSA; hosting companies and
data centers are 90% snitches, even those who accept Tor nodes) and a VPS is an even worse option than a dedicated
server. A home server is the best option. Because of the NSA you should be even more cautious: you should install a
hidden camera in your server room, and the camera should record when something moves in the room. In that
way you will know if anybody touched your server.
If you don't have the knowledge to install a Tor server by yourself, rent a server with bitcoins for one month and give the task to
some Linux admin, then tell him to make a backup of it for usage on some other computer (your home server). Of
course, after deploying the backup at your home, change the password and make another onion domain name and its private
key, and the server admin will not be able to locate your website any more.

measure No2:
If you rented a VPS or dedicated server in a data center, don't use Windows to access the server OR, if you can't give up
Windows, use a fresh installation to access your server. A fresh installation on your PC/laptop means there is no
malware (keylogger, etc.). If there is malware in your Windows, a hacker will get the login information for your server and
he can steal information about users and their bitcoins, install malicious code in your website, steal your onion
domain and its private key (which means he can steal your website), etc.
If you want to see what commands were executed by your server admin, type in the terminal:
lastcomm root (or whatever username he used)
# lastcomm only shows something if process accounting (the acct package) was running at the time.

------------------------------

Let's start...

If you want to use only the terminal all the time, you can avoid installing webmin and phpmyadmin. I will write
terminal commands even though I use webmin for some tasks; it is easier and faster for me.

With webmin and phpmyadmin you can avoid terminal work, and later, when you finish, you can remove
webmin and phpmyadmin and leave only ssh.

My first commands are always: checking the OS. Sometimes you need to know the Debian version for repositories:

lsb_release -a
# I got result debian 7 wheezy

# then I check processor, memory, HDD and speed of server (in my case it is 1 core, 512MB RAM, 50GB HDD):
cat /proc/cpuinfo
free -m
df -H
wget https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest_cli.py
./speedtest_cli.py

# this speedtest.net option always shows slightly better results than reality. my result was: 19 MB/s
# download and 13 MB/s upload.

# other option to test speed of network for your server:
wget -O /dev/null http://cachefly.cachefly.net/100mb.test
# my result was 931 KB/s

# update your system:

sudo apt-get update
sudo apt-get upgrade

If you get a problem like me (for example there was no sudo command, and apt-get install sudo told me I must
insert the CD, while the server is in another country), you have to change the file /etc/apt/sources.list.
I used the editor vi (search for vi editor commands on the internet), removed the lines with the CD and added (check at
https://wiki.debian.org/SourcesList):

deb http://http.debian.net/debian wheezy main
deb-src http://http.debian.net/debian wheezy main

deb http://http.debian.net/debian wheezy-updates main
deb-src http://http.debian.net/debian wheezy-updates main

# after that again:
apt-get update
apt-get upgrade
apt-get install sudo

# if you want to install webmin, first install dependencies:
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.690_all.deb
dpkg --install webmin_1.690_all.deb

You should now be able to log in to Webmin with Firefox at the URL: https://IPAddress:10000

# Now, to install the web server, we first install mysql. During installation you will be asked to create a password for
# the root user:

sudo apt-get install mysql-server mysql-client

# after that you can install phpmyadmin, it will be located at http://IPAddress/phpmyadmin:
sudo apt-get install phpmyadmin
# you will get the option to choose apache or lighttpd for phpmyadmin; use the arrows and space on the keyboard to choose
# what you want and press Enter. After that you can also choose Yes (configure DB for phpmyadmin) and again you
# can create a password

# If you have a server with little memory, I recommend installing lighttpd instead of apache; type:

sudo apt-get install lighttpd
sudo apt-get install php5-cgi

# now we need to enable PHP5 in Lighttpd. Modify the /etc/php5/cgi/php.ini file with webmin, or use the terminal and the vi
# editor to change this file:
vi /etc/php5/cgi/php.ini
# add the line:
cgi.fix_pathinfo = 1
# close vi editor and save changes with command
:wq

# modify /etc/lighttpd/lighttpd.conf: add "mod_fastcgi" to the server.modules stanza and then add the lines
# below at the end of the file (strings in lighttpd.conf must be quoted, otherwise the config fails to parse):
vi /etc/lighttpd/lighttpd.conf

fastcgi.server = ( ".php" => ((
    "bin-path" => "/usr/bin/php5-cgi",
    "socket" => "/tmp/php.socket"
)))
# on Debian the same result can be had with: lighty-enable-mod fastcgi fastcgi-php

# restart Lighttpd with command:
/etc/init.d/lighttpd restart

# Now, you can enter server IP address in your browser and you should see the Lighttpd welcome page.

-----------------------

# if you want to use apache instead of lighttpd, type:
sudo apt-get install apache2
sudo apt-get install php5 libapache2-mod-php5
/etc/init.d/apache2 restart
# to secure apache, read these tips: http://www.tecmint.com/apache-security-tips/
-----------------------

# to change server timezone, type:
dpkg-reconfigure tzdata
# Use arrows at keyboard and TAB button to choose OK.
# Tor is using UTC timezone, so, you should use the same.

----------------------



Hardening and optimization

PHP5 security:

# Disable PHP exposure: edit the php.ini file in the /etc/php5/cgi, /etc/php5/cli and /etc/php5/apache2 folders:
expose_php = Off

# in the same php.ini files, uncomment and set the mbstring defaults to UTF-8:
mbstring.language=UTF-8
mbstring.internal_encoding=UTF-8
mbstring.http_input=UTF-8
mbstring.http_output=UTF-8
mbstring.detect_order=auto

----------------------------



Tuning Lighttpd:

# To disable directory listing, add the next line to the config file (/etc/lighttpd/lighttpd.conf):
dir-listing.activate = "disable"

# I also found the file /etc/lighttpd/conf-available/10-dir-listing.conf and changed the line from enable to disable:
server.dir-listing = "disable"

# Then restart lighttpd:
/etc/init.d/lighttpd restart

# you should also make a new 404 error page and a default index.html; in that way you hide from an attacker what kind
# of server you have.

# you can also optimize lighttpd by editing the configuration file:
vi /etc/lighttpd/lighttpd.conf

# Maximum number of file descriptors, default = 1024
server.max-fds = 2048
# Maximum number of requests within a keep-alive session before the server terminates the connection, default = 16
server.max-keep-alive-requests = 10
# Maximum number of seconds until an idling keep-alive connection is dropped, default = 5
server.max-keep-alive-idle = 4
# Which event handler to use, default = poll
server.event-handler = "linux-sysepoll"
# How to handle network writes, default = writev
server.network-backend = "linux-sendfile"
# Hide that you use the lighttpd server (the value must be quoted)
server.tag = "WebServer"
# mod_evasive is a very simplistic module to limit connections per IP, to protect you from a ddos attack
# (it only takes effect if "mod_evasive" is also listed in server.modules)
evasive.max-conns-per-ip = 150
# disable multi range requests
server.range-requests = "disable"

With the default setting of 1024 file descriptors, lighttpd can handle a maximum of 307 connections. So, the original
values were 1024, 16, 5... I made them 2048, 10 and 4, but you can also lower the 10 to 4. Lowering them increases the number of
parallel connections and releases connections earlier, which frees file descriptors without a noticeable
performance loss; there is a detailed explanation at: http://blog.fosketts.net/2009/06/29/tuning-lighttpd-linux/

---------------------------------



Tuning MySQL after installation

# First we want to get a report about mysql:
wget mysqltuner.pl
# in my case the script was saved as index.html, so I had to use that name instead of mysqltuner.pl:
chmod +x index.html
perl index.html
# then I got a report about mysql with recommendations: "Reduce your overall MySQL memory
# footprint for system stability", "Increase table_open_cache gradually to avoid file descriptor limits", etc.

# the configuration file for mysql is located at /etc/mysql/my.cnf,
# so this file should be changed.

This server had 512MB RAM and 133MB were already used, so I decided to use http://www.omh.cc/mycnf/ to work out
how much RAM a given number of connections demands; I decided to make a configuration for 380MB RAM:

# under [mysqld] I added:

skip-innodb
default-storage-engine = myisam

# other parameters:
key_buffer = 100M
max_allowed_packet = 1M
thread_stack = 128K
thread_cache_size = 8
myisam-recover = BACKUP
myisam_sort_buffer_size = 32M
max_connections = 100
max_user_connections = 50
table_cache = 256
thread_concurrency = 4
wait_timeout = 60
connect_timeout = 30
interactive-timeout = 50
query-cache-type = 1
query_cache_limit = 1M
query_cache_size = 16M

# I removed also comment (#) from:
log_slow_queries = /var/log/mysql/mysql-slow.log
long_query_time = 2
log-queries-not-using-indexes

The rest I didn't touch.
As we can see, about 100 client connections can be made when you rent a server with 512MB RAM.

Some people believe the parameters should be like this:
query_cache_size = 12.5% of available RAM,
key_buffer_size = 12.5% of available RAM (some other people believe 1/4 of system memory:
http://blog.jambura.com/2011/09/10/tuning-optimizing-my-cnf-file-for-mysql/),
tmp_table_size = 6.5% of available RAM,
max_heap_table_size = 6.5% of available RAM

# you can also use the terminal and type:
wget http://hackmysql.com/scripts/mysqlreport
chmod +x mysqlreport
# Debian's MySQL socket is /var/run/mysqld/mysqld.sock (/var/lib/mysql/mysql.sock is the Red Hat-style path):
./mysqlreport --user root --host localhost --port 3306 --socket /var/run/mysqld/mysqld.sock --password
# you will get a result: how many connections are used, how much cache, buffer, etc.

------------------------------------


Now it is time to modify lighttpd and install Tor

Now that our web server is working, we need to configure it so that it does not publish web pages to the public, but
ONLY to Tor.

# Edit lighttpd's configuration file:
vi /etc/lighttpd/lighttpd.conf

# Set the following two lines (there is already a line server.port = 80, just change it; you can choose any port, for example
# 4444 or 5678):
server.port = 4986
server.bind = "127.0.0.1"

# Restart lighttpd with:
/etc/init.d/lighttpd restart

# Install Tor with:
sudo apt-get install tor
# if that's not working for you, you can see instruction at tor website:
https://www.torproject.org/docs/debian.html.en

# Edit the torrc file to enable the tor hidden service:
vi /etc/tor/torrc
# uncomment the lines (change the port to the one you chose before: 4986, 4444 or 5678):
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:4986

# restart Tor:
/etc/init.d/tor restart

After that, Tor wrote the domain name and private key into your tor hidden service files. If you are not happy with that
domain, you can make your own with Shallot, read below. Domain and key are written in 2 files:
/var/lib/tor/hidden_service/hostname
/var/lib/tor/hidden_service/private_key

Open the hostname file, copy your onion domain into the Firefox URL bar and try to connect. You must have the Tor
Browser installed on your computer. Sometimes you must wait 30 minutes or one hour if your domain is not accessible
immediately after installation. I succeeded after 2 hours.
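The whole point of the steps above is that the web server is reachable only through Tor. Here is an added check (not from the original tutorial) that parses "netstat -ltn" output and reports every listening TCP socket that is not bound to a loopback address; the netstat sample it ships with is constructed, and the SSH port 2222 in it is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that the web stack
# is reachable only on the loopback interface, i.e. only through Tor's
# HiddenServicePort forward. Parses "netstat -ltn" (net-tools, on Debian 7).

# public_listeners: netstat -ltn on stdin; prints "ADDR PORT" for every
# listening TCP socket not bound to a loopback address.
public_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            la = $4
            # split "addr:port" at the last colon (IPv6 addresses contain colons too)
            n = match(la, /:[0-9]+$/)
            addr = substr(la, 1, n - 1)
            port = substr(la, n + 1)
            if (addr !~ /^127\./ && addr != "::1") print addr, port
        }'
}

# drop_allowed PORT...: remove ports you expose on purpose (your SSH port).
drop_allowed() {
    allowed=" $* "
    while read -r addr port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s:%s\n' "$addr" "$port" ;;
        esac
    done
}

# audit_listeners PORT...: netstat -ltn on stdin; returns 0 when nothing
# except the allowed ports is reachable from outside, 1 otherwise.
audit_listeners() {
    found=$(public_listeners | drop_allowed "$@")
    [ -z "$found" ] && return 0
    printf 'public listener: %s\n' $found >&2
    return 1
}

# Constructed sample: lighttpd (4986) and mysql (3306) correctly on loopback,
# SSH on 2222, but webmin (10000) still public and something still bound to
# every IPv6 address on port 80 (server.bind = "127.0.0.1" only covers IPv4).
sample_netstat_output() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:4986          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}
# On the server:  netstat -ltn | audit_listeners 2222
```

Run it again after every package you add (webmin, phpmyadmin, apache) since each may open a public port that Tor does not hide.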

------------------------------------


Making Onion Domain

If you don't want an automatically created domain name but want to choose the characters (letters and numbers) yourself, you will
have to use the software Shallot.
If you have Linux on your home PC/laptop, just install shallot (./configure && make) and use it (./shallot ^test).
If you use Windows, you will have to use VirtualBox + a Linux iso file, and then install shallot. I chose the Bodhi Linux iso file,
but it was the same case as with Debian and Ubuntu: I had to install dependencies.
If your server is stronger than your PC, you can use the server to install shallot, but the server should later be cleaned of
all unnecessary software.
# Shallot is located at: https://github.com/katmagic/Shallot
# For the server, use the wget command for downloading/grabbing files to the server:
wget https://github.com/katmagic/Shallot/archive/master.zip
# in my case I first had to: sudo apt-get install zip unzip
unzip master.zip
# then you will get folder named Shallot-master, walk into that folder:
cd Shallot-master
# then configure and use it:
./configure
make

After that, you can use it; the command is: ./shallot ^test
But usually most people will get a "dependencies error", which means you must install g++ or c++ or whatever else (you
can try: sudo apt-get install build-essential). Therefore I rather chose to install Shallot on my home PC.
Don't forget that the security of a Debian server means: minimal installation and minimal running processes.
Whatever you install now and then, you should remove from the server later.
Besides, I succeeded in making an onion domain with 7 letters (as I wanted) in 2 hours. But the general rule is: there are
14 signs in an onion domain and shallot will make 3 signs as you want in 1 second, 4 in 2 seconds, 5 in 1
minute, 6 in 30 minutes, 7 in 1 day, 8 signs in 25 days, and so on.

When you get the onion domain you wanted, put the domain name and its private key into the two files in
/var/lib/tor/hidden_service/ (they must stay owned by the user Tor runs as, debian-tor on Debian, and not be readable
by others, otherwise Tor refuses to load the service).
# the first file should be:
/var/lib/tor/hidden_service/hostname

# the content of the file should look like this:
testvztz3tfoiofv.onion

# the second file should be:
/var/lib/tor/hidden_service/private_key
# it should look like this:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----



----------------------------------



Cleaning Debian

Securing Debian is a long "howto"; read it and choose what you want to do:
https://www.debian.org/doc/manuals/securing-debian-howto/
Don't forget that your server will be behind Tor; it is not an ordinary server, so you can't apply all rules. Tor is like a
network of proxies that should have access to your server.
Here is what I chose:
disable root login: with the command vi /etc/ssh/sshd_config change the lines PermitRootLogin no,
X11Forwarding no, AllowUsers admin and restart sshd: /etc/init.d/ssh restart (on Debian the init script is named ssh, not sshd)
disable login by password (allow only login by public key: PasswordAuthentication no, after you have verified that your key login works)
change the SSH port 22 with the command: vi /etc/ssh/sshd_config (although a hacker can scan ports and see the new one,
at least you make some work for him), restart sshd: service ssh restart
configure remote access to SSH only
disable unencrypted services (telnet, ftp, etc.)

As I said already, a minimal Debian is the most secure Debian, so remove (purge) everything you think you will
not use (webmin, phpmyadmin (after you imported the database), etc.).
sudo apt-get --purge autoremove webmin
sudo apt-get --purge autoremove phpmyadmin

I will just explain here some options for cleaning Debian of unused packages and dependencies.
We'll learn more about automatically installed packages and how to get rid of them when you don't need them any
longer.
# if you want to see all programs that are used last 24 hours, type:
find /usr/bin -atime -1
# all programs that are not used last 7 days:
find /usr/bin -atime +7

# the most usual command is:
sudo apt-get autoremove --purge
# you can also find orphaned packages:
sudo apt-get install deborphan
# list packages with command:
deborphan --guess-data
# remove orphanes:
apt-get purge $(deborphan --guess-data)

# You can also turn off unnecessary services.
# E.g. if you expect to run in runlevel 3, type in the terminal:
chkconfig --list | grep 3:on
# see what is running and turn off what you don't need:
chkconfig <servicename> off
# e.g. to turn off webmin:
chkconfig webmin off

# Over time, your Debian will download and cache packages in the /var/cache/apt/archives directory. cd into
# this directory and check its size:
cd /var/cache/apt/archives
du -ch
# you will get output similar to this: 881M total
# Remove all cached *.deb files using the following rm command (apt-get clean does the same):
rm -f *.deb

The Debian packaging system is designed to keep configuration files when a package is removed. The solution is to
purge all packages which are in the config-files state.
# You can type in terminal:
aptitude search ~c
# you will get a list of affected packages, then remove them:
aptitude purge ~c

You can also remove obsolete packages that are no longer maintained by developers and consequently became a
security risk.
aptitude search ~o
aptitude purge ~o

There are also third-party packages that do not come from Debian.
aptitude search '~S ~i !~ODebian !~o'
aptitude purge '~S ~i !~ODebian !~o'

You can also find broken packages and reinstall them. The following command lists all files which have
been modified on the system and which are not configuration files:
sudo debsums --changed
# you can get a result like this: /usr/lib/perl5/AptPkg.pm
# you can reinstall the listed package to overwrite the modified files with the original ones:
sudo aptitude reinstall libapt-pkg-perl

You can read more here: http://raphaelhertzog.com/mastering-debian/

That's all Folks :)
