Comments on: Building a secure web server with CentOS 5, part 2 http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/ Enterprise Technologies Sun, 05 Feb 2012 18:34:01 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Rick Lemon http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-4758 Rick Lemon Fri, 23 Dec 2011 00:42:47 +0000 http://wp.rayheffer.com/?p=91#comment-4758 Just remember to also do this: chcon -R -t httpd_sys_content_t /home/.sites in CentOS 6 to fix the SELinux issues. Just remember to also do this:

chcon -R -t httpd_sys_content_t /home/.sites

in CentOS 6 to fix the SELinux issues.

]]> By: Ray Heffer http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-4744 Ray Heffer Mon, 12 Dec 2011 21:29:16 +0000 http://wp.rayheffer.com/?p=91#comment-4744 Did you take a backup of httpd.conf? Try and restore this and it should start, very likely to be an error in the config somewhere. Did you take a backup of httpd.conf? Try and restore this and it should start, very likely to be an error in the config somewhere.

]]> By: ivi0708 http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-4742 ivi0708 Mon, 12 Dec 2011 20:45:54 +0000 http://wp.rayheffer.com/?p=91#comment-4742 while trying to restart the httpd service it shows me [FAILED] whith no error description. I tried what the above commentors did but it doesn't work to me. need help while trying to restart the httpd service it shows me [FAILED] whith no error description. I tried what the above commentors did but it doesn’t work to me.

need help

]]> By: e0s http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-4614 e0s Thu, 24 Nov 2011 16:05:00 +0000 http://wp.rayheffer.com/?p=91#comment-4614 Starting httpd: Syntax error on line 994 of /etc/httpd/conf/httpd.conf: AllowOverride not allowed here [FAILED] I have AllowOverride in the virtualhost section and it is telling me it is not allowed here? Starting httpd: Syntax error on line 994 of /etc/httpd/conf/httpd.conf:
AllowOverride not allowed here
[FAILED]

I have AllowOverride in the virtualhost section and it is telling me it is not allowed here?

]]> By: webcredible http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-4328 webcredible Fri, 11 Nov 2011 06:30:37 +0000 http://wp.rayheffer.com/?p=91#comment-4328 I am not sure if anyone found this yet, I couldn't get my apache to restart. I did a quick search and found this, looks like it affects Red Hat and Cent OS (same). I couldn't run it at the full docroot, but used /home/.sites and that worked. It's alot better than disabling SELinux. http://slaptijack.com/system-administration/warning-documentroot-does-not-exist/ I am not sure if anyone found this yet, I couldn’t get my apache to restart. I did a quick search and found this, looks like it affects Red Hat and Cent OS (same). I couldn’t run it at the full docroot, but used /home/.sites and that worked. It’s alot better than disabling SELinux.

http://slaptijack.com/system-administration/warning-documentroot-does-not-exist/

]]> By: Tim D http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-3420 Tim D Fri, 12 Aug 2011 13:26:01 +0000 http://wp.rayheffer.com/?p=91#comment-3420 Brian or Ray, I added the the adminftp (actually I used a slightly diff name) but when I log in via SFTP with Filezilla I still get the errors when trying to upload the "phpMyAdmin" folder. "mkdir..... declined" . Do you know what I need to do to change the user permissions so that this folder can be uploaded? Brian or Ray,
I added the the adminftp (actually I used a slightly diff name) but when I log in via SFTP with Filezilla I still get the errors when trying to upload the “phpMyAdmin” folder. “mkdir….. declined” .

Do you know what I need to do to change the user permissions so that this folder can be uploaded?

]]> By: Tim D http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-3417 Tim D Fri, 12 Aug 2011 12:35:55 +0000 http://wp.rayheffer.com/?p=91#comment-3417 Is it not possible to just use "wget" command and download the file (I did that already) and then unzip it on the server? I tried but I don't know how to properly format the "tar" command. Maybe you can let me know if this would be possible. Thanx. Is it not possible to just use “wget” command and download the file (I did that already) and then unzip it on the server? I tried but I don’t know how to properly format the “tar” command. Maybe you can let me know if this would be possible. Thanx.

]]> By: Tim D http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-3416 Tim D Fri, 12 Aug 2011 12:34:09 +0000 http://wp.rayheffer.com/?p=91#comment-3416 Ray, Everything has gone great. The only problems that I ran into on step 1 was "perl-CPAN" did not install. Will research that later. My main issue is that I am trying to upload phpMyAdmin. I setup a username and password as instructed in the steps. I am able to connect via SFTP using Filezilla. But I keep getting "mkdir ...... declined " in the Filezilla progress window. I had actually created the directory while in SSH but then I logged back in and deleted the folder in case the problem was that I created the folder as root and trying to upload as . Any ideas on what is wrong here? Thanks again for this awesome tutorial. Ray,
Everything has gone great. The only problems that I ran into on step 1 was “perl-CPAN” did not install. Will research that later.

My main issue is that I am trying to upload phpMyAdmin. I setup a username and password as instructed in the steps. I am able to connect via SFTP using Filezilla. But I keep getting “mkdir …… declined ” in the Filezilla progress window. I had actually created the directory while in SSH but then I logged back in and deleted the folder in case the problem was that I created the folder as root and trying to upload as .

Any ideas on what is wrong here? Thanks again for this awesome tutorial.

]]> By: Philipp Burch http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-3205 Philipp Burch Sun, 12 Jun 2011 20:39:00 +0000 http://wp.rayheffer.com/?p=91#comment-3205 Hi Ray, hi Brian, thanks for this great Tutorial Ray. It saved me a lot of time searching for good options to configure my server. Or to configure the server which I will have in a few days, to be exactly ;) @Brian: I've run into the same problem of being not able to change the DocumentRoot into the home folder. I've read posts which advised to disable SELinux completely (just as you did above), but that doesn't seem to be a good idea for a "secure web server". Passwords are inconvenient as well, but would you simply leave them blank because of this? Anyway, I've stumbled across this nice introduction to SELinux: http://wiki.centos.org/HowTos/SELinux Section "5.1 Relabeling Files" almost exactly states what to do in this case: Change the security context of the folder (.sites) and its subfolders so that Apache (httpd) is permitted to access them. So all I had to do to get it working was issueing the following commands: # chcon -Rv --type=httpd_sys_content_t /home/sites/ # semanage fcontext -a -t httpd_sys_content_t "/home/sites(/.*)?" (I prefer unhidden folders, so that's why "sites" doesn't start with a period here.) The first command recursively changes the security context of all folders and files in /home/sites to httpd_sys_content_t. The second makes this change permanent, should you ever need to "relabel" the filesystem. Best regards, Philipp Hi Ray, hi Brian,

thanks for this great Tutorial Ray. It saved me a lot of time searching for good options to configure my server. Or to configure the server which I will have in a few days, to be exactly ;)

@Brian:

I’ve run into the same problem of being not able to change the DocumentRoot into the home folder. I’ve read posts which advised to disable SELinux completely (just as you did above), but that doesn’t seem to be a good idea for a “secure web server”. Passwords are inconvenient as well, but would you simply leave them blank because of this?
Anyway, I’ve stumbled across this nice introduction to SELinux:
http://wiki.centos.org/HowTos/SELinux
Section “5.1 Relabeling Files” almost exactly states what to do in this case: Change the security context of the folder (.sites) and its subfolders so that Apache (httpd) is permitted to access them.

So all I had to do to get it working was issueing the following commands:

# chcon -Rv –type=httpd_sys_content_t /home/sites/
# semanage fcontext -a -t httpd_sys_content_t “/home/sites(/.*)?”

(I prefer unhidden folders, so that’s why “sites” doesn’t start with a period here.)

The first command recursively changes the security context of all folders and files in /home/sites to httpd_sys_content_t. The second makes this change permanent, should you ever need to “relabel” the filesystem.

Best regards,
Philipp

]]> By: Brian Ernesto http://www.rayheffer.com/91/building-a-secure-web-server-with-centos-5-part-2/comment-page-1/#comment-2428 Brian Ernesto Sun, 27 Feb 2011 02:29:36 +0000 http://wp.rayheffer.com/?p=91#comment-2428 Got it.. damn SELINUX vi /etc/sysconfig/selinux and change it to disabled then reboot. Now if I can just get FTP to work. Got it.. damn SELINUX

vi /etc/sysconfig/selinux
and change it to disabled then reboot.

Now if I can just get FTP to work.

]]>