Building a secure web server with CentOS 5, part 1
Posted on 05.Jan 2010 by Ray Heffer in LAMP, Linux, Web Hosting
Part 1 | Part 2 | Part 3 | Troubleshooting
Introduction
This is an updated version of my original LAMP (Linux Apache MySQL and Perl/PHP) guide that was based on CentOS 4. Now updated and tweaked for CentOS 5, I will take you through the steps required to build a secure Linux web server (LAMP) on CentOS 5.
I have a background working for an ISP, so I’ve based this build on the same configuration many hosting providers use. It supports virtual hosts (multiple websites), secure FTP access, locked down SSH access, and a sensible directory structure.
If you follow this guide, you will get a web server up and running within a couple of hours depending on whether you follow it step by step, or prefer to experiment first. If you are new to Linux then give it a try and learn something new, you never know you may surprise yourself!
Good luck!
A word on web hosting
Before you get started with your server build, I’d like to talk about where you are going to host this server. There have been a number of developments in the past few years in regards to people hosting websites on their home ISP broadband connection.
Firstly, did you know that many of the major search engines will not crawl your website if it’s hosted on a residential IP address? What I mean by residential is an IP address provided by the likes of an ADSL or broadband provider (e.g. Virgin Media, BT, PlusNet, here in the UK). It will depend on the ISP whether you get a ‘fixed’ IP address or not, and even if you do your site will simply be ignored by the major search engines as they will recognise the IP address in a residential (non ISP) range. Don’t get me wrong, running web servers at home is great fun but I would recommend you avoid it unless it is purely for testing.
So, where is the best place to host your shiny new CentOS web server?
I would highly recommend getting a VPS (Virtual Private Server). There are plenty of hosting companies offering Virtual Private Servers, and VPS hosting is getting cheaper.
I would personally recommend Linode, I have been using them since 2006 and recently they have started hosting virtual servers in the London, UK as well as the USA. They provide a generous amount of bandwidth, starting at around 200GiB per month with 16GB+ of disk space depending on which option you go for. You can choose from a massive list of Linux distro’s, including CentOS 5! They use Xen virtualisation and they have an excellent web interface for accessing your server stats, server controls, DNS, and console access.
Getting Started
CentOS 5 is completely free and developed by a team of core developers at a North American Enterprise Linux vendor. In turn the core developers are supported by an active user community including system administrators, network administrators, enterprise users, managers, core Linux contributors and Linux enthusiasts from around the world.
CentOS has numerous advantages over some of the other clone projects including: an active and growing user community, quickly rebuilt, tested, and QA’ed errata packages, an extensive mirror network, developers who are contactable and responsive, multiple free support avenues including IRC Chat, Mailing Lists, Forums, a dynamic FAQ. Commercial support is offered via a number of vendors.
CentOS 5 is distributed on six CD’s, all of which are available for download from the CentOS website.
Download phpMyAdmin
This is optional, but I would highly recommend this excellent web interface for administering your MySQL databases. I have used this in the past to provide customers with their own phpMyAdmin login username, so they can manage their databases easily.
Installing CentOS
NOTE: If you are using a virtual private server (VPS) provided by a hosting company such as Linode, and CentOS is already installed then skip ahead to the next section.
- Insert CD of the CentOS 5 installation CD and boot your server.
- At the installation menu, just press ENTER for the graphical installation wizard.
- When prompted for an installation type select custom installation and de-select all options for bare install.
- Use automatic partitioning for the disks.
- Remove all partitions from system (make sure you are happy to wipe all existing data!!).
- Boot Loader: Leave default settings.
- Network Configuration: Configure this with an internal IP address and DNS name.
- Firewall: Select ‘No firewall’ as this will be installed and configured later.
- SELinux: Set to ‘Disabled’. This is still very experimental so I would leave this switched off unless you really know what you are doing.
- Authentication: Set a secure root password using random characters and numbers (upper an lower case).
- Package Selection: Choose minimal configuration (Other packages can be installed at a later stage according to the server role).
WARNING!! – The server should not be connected to the internet until the configuration is completed and secure!
Updating the System
Now that you have CentOS 5 installed, we need to make sure it’s up to date and then do some basic security configuration with SSH. Unlike CentOS 4, you no longer have to import the RPM key to update and install software. It does this for you.
To check for updates type the following:
# yum check-update
Now perform the update process. Note, the -y is to accept all updates which I recommend as it’s a clean installation.
# yum –y update
Setting the clock
I strongly advise that you setup the timezone and clock correctly. First, you set /etc/localtime to link to the correct timezone, then either set the time manually or configure NTPD to syncronise with an internet time server such as pool.ntp.org.
Example of setting the timezone to GMT:
# ln -sf /usr/share/zoneinfo/GMT /etc/localtime
Setting the hardware clock:
# vi /etc/sysconfig/clock
System Services Configuration
As this is going to be a finely tuned web server, we don’t want uneccessary daemons running! Firstly, lets list all the daemons that have been configured to run at startup.
# chkconfig –list|grep on
You should now get an output similar to the following:
anacron 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:on 2:off 3:on 4:on 5:on 6:off
cups 0:off 1:on 2:off 3:on 4:on 5:on 6:off
haldaemon 0:off 1:on 2:off 3:off 4:on 5:on 6:off
messagebus0:off 1:on 2:off 3:off 4:on 5:on 6:off
network 0:off 1:on 2:off 3:off 4:on 5:on 6:off
syslog 0:off 1:on 2:off 3:off 4:on 5:on 6:off
Your list will probably be a lot longer as this is just an example, but what you can see here is the different run levels and their on/off status. Most daemons start at run level 3. Now lets switch off the daemons that aren’t needed. I’ve listed a few more here that you are likely to find.
# chkconfig cups off
# chkconfig apmd off
# chkconfig netfs off
# chkconfig pcmcia off
# chkconfig smartd off
# chkconfig anacron off
# chkconfig mdmonitor off
# chkconfig isdn off
NOTE: If you are using Linode then you should also switch off Kudzu (hardware detection) as this serves no purpose on a virtual UML system.
Host Access (TCP_WRAPPERS)
There are two host access files (/etc/hosts.allow and /etc/hosts.deny), that are part of the TCP_WRAPPER package. This makes it possible to allow or deny access to certain services based on the IP.
Edit the hosts.allow and hosts.deny files:
# vi /etc/hosts.allow
sshd:<IP ADDRESS>
vsftpd:ALL
sendmail:ALL
# vi /etc/hosts.deny
ALL:ALL
The <IP ADDRESS> above is the internet IP you are connecting from (don’t include < or >). You can enter multiple IP address here (separated by spaces) or to allow SSH from any IP just replace with ALL.
The root account should never be able to login via SSH (without first logging in as a user). You must change this, so edit /etc/ssh/sshd_config and ensure the following is set:
# vi /etc/ssh/sshd_config
Change the following lines as follows:
PermitRootLogin no
Protocol 2
Note: Some of these lines may already exist but will be commented out using #. To enable these commands the # needs to be removed.
Add Default Accounts
Before proceeding with any of the steps below, first create a user account that you will use to log in to this server. This account will be used for SSH connections.
# adduser <username>
# passwd <username>
You should now have access to the server via SSH. Download PuTTY and make sure it works.
When you are ready proceed to part 2.
Thanks for reading! Please comment or Tweet this page (see below)
Tweet
apache, centos, lamp, Linux, mysql, perl, php, phpmyadmin, secure, web server
Hi, how to active SFTPD?
i’m getting error
Very effective and useful tool to monitor everything thats going on in your system and track down potential attempted intrusions.
[...] make sure you are allowed to run a webserver. Some providers block port 80 To setup a webserver http://www.rayheffer.com/36/building…ntos-5-part-1/ Kind [...]
I’d strongly recommend using a virtual server with a provider like Linode, they don’t block any ports and it’s perfect for doing your own web hosting.
They block port 80, eh? Hummm. So you can’t browse either? LOL.
I think what the other post meant was they block port 80 outbound on non-established connections. In other words, http traffic that originates from your home connection. This prevents people running their own servers, but I’m not sure which ISP’s do this.
You only need port 80 inbound to your home for browsing.
The list option for the chkconfig is used with 2 dashes in my case:
#chkconfig –list|grep on
Btw, I don’t know all of the daemons you suggest to disable. Maybe I need some of them, or maybe some others can be turn off. Do you have a reference somewhere which will give us more information about those daemons ?
I am SO excited to have found your site. I have been working on a new kickbutt cloud server for about 10 days straight. I kept having to reimage it (centOS 5) b/c I kept screwing something up. I tried imaging w/ plesk and w/ cpanel. I hated cpanel whm and I ran into issues w/ plesk as it contained modified versions of php (no mcrypt which is required by magento!). So I am now down bare CentOS install and going to use webmin and virtualmin. Wish I would have found this 10 days ago. Sure would have saved me alot of time!!! Thank you
I’m glad you found my site useful!
I was searching for a few things and stumbled upon your site. Your intentions seem good so I thought I’d offer up a couple comments which might help from the “secure” point of view.
phpMyAdmin : I’d avoid this like the plague; it has had a million-and-one security flaws over the years and even if you got it cleaned up completely, it’s a vector of choice into your system. Meaning attackers will be constantly looking to use it as a way into you system. One look at your logs will show you that bots are scanning for it’s presence.
Turning off un-needed daemons : why install them to begin with? It serves no purpose to install potential vulnerabilities if all your going to do is turn it off. Since you’re starting with a fresh OS build, deselect all software you don’t need. This narrows your attack surface and offers the added bonus of conserving resources.
Yum : as soon as you type that into your console you’ve lost any sense of security. You have no idea where that software has come from, who packaged it, nor how it was built. remember the great redhat gcc 2.96 issue? They grabbed a developers snapshot of gcc (without gnu’s knowledge) and used it to build all their rpms for their redhat 8 release. Over the next six months people everywhere were discovering corrupt tables in their mysql implementations with no way to recover. The issue was eventually traced back to redhat’s rpms. If you didn’t build it, don’t trust it! (secure is the goal, right?). This gives you the added bonus of letting you remove pieces of the software that you don’t need, narrowing the attack surface. Not going to offer CGI access? Don’t even even compile in CGI capabilities.
MySQL : remove its networking capabilities and force it to work over unix domain sockets. When you run “netstat -an | grep LISTEN”, you should NOT see 3306 as a bound port. The DBMS is for the local hosting user’s, they don’t need to access the daemon from outside of the environment; and now, attackers can’t either.
VSFTP : is not very secure at all. Your already supporting sshd, why not offer SFTP access? You don’t need to add any extra software, you just need to enable it and add a couple rules to your firewall. Now you’ll have end-to-end encryption, again, narrowing your attack surface.
Apache conf : turn off tokens (set to prod), don’t use * in the virtualhost; it’s a rare thing when you really want all sites gloaming onto all adapters. More often then not you’ll want to restrict each container to a specific IP.
I hope you founf something helpful or useful in that.
Hi Dave,
Thanks for your comments, feedback is always welcome! I agree with your observations for the most part, but remember that my guide is aimed at the newbie or intermediate Linux user and someone that wants to host their own LAMP server. Anyway, here are my views…
phpMyAdmin: phpMyAdmin isn’t alone in having security vulnerabilities. WordPress, Apache, MySQL all have them, the list goes on. My recommendation is to use Yum (more on that in a moment) and keep everything up to date. In 8 years my LAMP servers have never had a security vulnerability compromised as a result of using phpMyAdmin. But a lazy administrator may do if it’s not kept up to date, good passwords, etc… as with any other service.
Turning off unwanted daemons: My guide does already state that CentOS should be installed using the ‘custom’ setting, and removing everything from the list. Still, when you do this daemons such as CUPS are still present (you can’t remove this at install time). Surely it’s good to know how to list these running services and learn how to disable them.
Yum: I know exactly where my software and updates come from… the CentOS Project repositories and it’s very closely aligned to the RHEL repositories. In fact you can’t always get the latest versions of software unless they’re approved by CentOS and fully tested (PHP is a good example). I wouldn’t recommend that people use repositories like utterramblings unless they know what they are doing and it’s not for an enterprise production LAMP server. For example, Read this, I won’t start quoting from their FAQ but I trust it no less than the RHEL repositories.
MySQL: I’ve not done this so I will test when I get time. I don’t think having networking enabled for MySQL is a high security risk though given IPTABLES is running and my guide states the use of TCP Wrappers. http://dev.mysql.com/doc/refman/5.0/en/security-against-attack.html
VSFTP: I’m not trying to secure the transport layer otherwise SSH is also a great option and one I use myself. I’m aiming this guide at novice to moderate users of Linux that want a web server up and running (LAMP).
Apache: Great tips here especially not using * in the virtualhost section.
It’s good to get others views on this as it’s a popular topic on my website, despite being over 5 years old now!
Ray
Hi Ray,
Glad you took my comments as intended and didn’t think I was flaming you.
You are 100% correct in stating that “phpMyAdmin isn’t alone in having security vulnerabilities”. In Fact, phpMyAdmin has a good track record in resolving all security threats reported to/by US-CERT.
The reason for my comments regarding phpMyAdmin and others was because your article targeted novices. This is also why I strongly recommend disabling networking. A novice should learn the intricacies of GRANTS and MySQL administration in general before deploying and administrating a tool intended to make it easy for them shoot off a toe. Hopefully, anyone intending to administrate a DBMS is comfortable with some SQL, if not, this is the ideal time to learn some, and better to do so locally than through a web interface which will abstract away the SQL layer.
As regards Yum and other such tools… I wouldn’t trust any; RedHat or otherwise. Source builds are the only way to install “secure” software… but in fairness to your efforts, that may not be a “novice” topic.
The reason to remove networking on the DBMS is not so much a fear of a threat originating from the network layer, but more of a concern regarding a novice administrator who may make mistakes in configuration while learning (and inadvertently exposing himself to something hostile on the network layer).
Good luck with your site!
D
Thanks. I’ve been wondering how to change the default home directory for a while now. Glad I found this to explain how.
Your comment is awaiting moderation.