Part 1 | Part 2 | Part 3 | Troubleshooting

Introduction
This is an updated version of my original LAMP (Linux Apache MySQL and Perl/PHP) guide that was based on CentOS 4. Now updated and tweaked for CentOS 5, I will take you through the steps required to build a secure Linux web server (LAMP) on CentOS 5.

I have a background working for an ISP, so I’ve based this build on the same configuration many hosting providers use. It supports virtual hosts (multiple websites), secure FTP access, locked down SSH access, and a sensible directory structure.

If you follow this guide, you will get a web server up and running within a couple of hours depending on whether you follow it step by step, or prefer to experiment first. If you are new to Linux then give it a try and learn something new, you never know you may surprise yourself!

Good luck!

A word on web hosting

Before you get started with your server build, I’d like to talk about where you are going to host this server. There have been a number of developments in the past few years in regards to people hosting websites on their home ISP broadband connection.

Firstly, did you know that many of the major search engines will not crawl your website if it’s hosted on a residential IP address? What I mean by residential is an IP address provided by the likes of an ADSL or broadband provider (e.g. Virgin Media, BT, PlusNet, here in the UK). It will depend on the ISP whether you get a ‘fixed’ IP address or not, and even if you do your site will simply be ignored by the major search engines as they will recognise the IP address in a residential (non ISP) range. Don’t get me wrong, running web servers at home is great fun but I would recommend you avoid it unless it is purely for testing.

So, where is the best place to host your shiny new CentOS web server?

I would highly recommend getting a VPS (Virtual Private Server). There are plenty of hosting companies offering Virtual Private Servers, and VPS hosting is getting cheaper.

I would personally recommend Linode, I have been using them since 2006 and recently they have started hosting virtual servers in the London, UK as well as the USA. They provide a generous amount of bandwidth, starting at around 200GiB per month with 16GB+ of disk space depending on which option you go for. You can choose from a massive list of Linux distro’s, including CentOS 5! They use Xen virtualisation and they have an excellent web interface for accessing your server stats, server controls, DNS, and console access.

Getting Started

CentOS 5 is completely free and developed by a team of core developers at a North American Enterprise Linux vendor. In turn the core developers are supported by an active user community including system administrators, network administrators, enterprise users, managers, core Linux contributors and Linux enthusiasts from around the world.

CentOS has numerous advantages over some of the other clone projects including: an active and growing user community, quickly rebuilt, tested, and QA’ed errata packages, an extensive mirror network, developers who are contactable and responsive, multiple free support avenues including IRC Chat, Mailing Lists, Forums, a dynamic FAQ. Commercial support is offered via a number of vendors.

CentOS 5 is distributed on six CD’s, all of which are available for download from the CentOS website.

Download phpMyAdmin

This is optional, but I would highly recommend this excellent web interface for administering your MySQL databases. I have used this in the past to provide customers with their own phpMyAdmin login username, so they can manage their databases easily.

http://www.phpmyadmin.net

Installing CentOS

NOTE: If you are using a virtual private server (VPS) provided by a hosting company such as Linode, and CentOS is already installed then skip ahead to the next section.

• Insert CD of the CentOS 5 installation CD and boot your server.
• At the installation menu, just press ENTER for the graphical installation wizard.
• When prompted for an installation type select custom installation and de-select all options for bare install.
• Use automatic partitioning for the disks.
• Remove all partitions from system (make sure you are happy to wipe all existing data!!).
• Boot Loader: Leave default settings.
• Network Configuration: Configure this with an internal IP address and DNS name.
• Firewall: Select ‘No firewall’ as this will be installed and configured later.
• SELinux: Set to ‘Disabled’. This is still very experimental so I would leave this switched off unless you really know what you are doing.
• Authentication: Set a secure root password using random characters and numbers (upper an lower case).
• Package Selection: Choose minimal configuration (Other packages can be installed at a later stage according to the server role).

WARNING!! – The server should not be connected to the internet until the configuration is completed and secure!

Updating the System

Now that you have CentOS 5 installed, we need to make sure it’s up to date and then do some basic security configuration with SSH. Unlike CentOS 4, you no longer have to import the RPM key to update and install software. It does this for you.

To check for updates type the following:

# yum check-update

Now perform the update process. Note, the -y is to accept all updates which I recommend as it’s a clean installation.

# yum –y update

Setting the clock
I strongly advise that you setup the timezone and clock correctly. First, you set /etc/localtime to link to the correct timezone, then either set the time manually or configure NTPD to syncronise with an internet time server such as pool.ntp.org.

Example of setting the timezone to GMT:

# ln -sf /usr/share/zoneinfo/GMT /etc/localtime

Setting the hardware clock:

# vi /etc/sysconfig/clock

System Services Configuration

As this is going to be a finely tuned web server, we don’t want uneccessary daemons running! Firstly, lets list all the daemons that have been configured to run at startup.

# chkconfig –list|grep on

You should now get an output similar to the following:

anacron 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:on 2:off 3:on 4:on 5:on 6:off
cups 0:off 1:on 2:off 3:on 4:on 5:on 6:off
haldaemon 0:off 1:on 2:off 3:off 4:on 5:on 6:off
messagebus0:off 1:on 2:off 3:off 4:on 5:on 6:off
network 0:off 1:on 2:off 3:off 4:on 5:on 6:off
syslog 0:off 1:on 2:off 3:off 4:on 5:on 6:off

Your list will probably be a lot longer as this is just an example, but what you can see here is the different run levels and their on/off status. Most daemons start at run level 3. Now lets switch off the daemons that aren’t needed. I’ve listed a few more here that you are likely to find.

# chkconfig cups off
# chkconfig apmd off
# chkconfig netfs off
# chkconfig pcmcia off
# chkconfig smartd off
# chkconfig anacron off
# chkconfig mdmonitor off
# chkconfig isdn off

NOTE: If you are using Linode then you should also switch off Kudzu (hardware detection) as this serves no purpose on a virtual UML system.

Host Access (TCP_WRAPPERS)

There are two host access files (/etc/hosts.allow and /etc/hosts.deny), that are part of the TCP_WRAPPER package. This makes it possible to allow or deny access to certain services based on the IP.

Edit the hosts.allow and hosts.deny files:
# vi /etc/hosts.allow

sshd:<IP ADDRESS>
vsftpd:ALL
sendmail:ALL

# vi /etc/hosts.deny

ALL:ALL

The <IP ADDRESS> above is the internet IP you are connecting from (don’t include < or >). You can enter multiple IP address here (separated by spaces) or to allow SSH from any IP just replace with ALL.

The root account should never be able to login via SSH (without first logging in as a user). You must change this, so edit /etc/ssh/sshd_config and ensure the following is set:

# vi /etc/ssh/sshd_config

Change the following lines as follows:

PermitRootLogin no
Protocol 2

Note: Some of these lines may already exist but will be commented out using #. To enable these commands the # needs to be removed.

Add Default Accounts

Before proceeding with any of the steps below, first create a user account that you will use to log in to this server. This account will be used for SSH connections.

# adduser <username>
# passwd <username>

You should now have access to the server via SSH. Download PuTTY and make sure it works.

When you are ready proceed to part 2.

Part 1 | Part 2 | Part 3 | Troubleshooting

Part 2: Configuring the Server

Configuring CentOS

• Edit /etc/hosts and /etc/sysconfig/network with hostnames
• Install Packages

Example of /etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
67.34.32.11 www.mydomain.com

Example of /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=www.mydomain.com

Installing Packages

# yum -y install httpd openssl-devel openssl mod_ssl vsftpd rpm-build rpm-devel autoconf automake lynx gcc
# yum -y install mysql mod_auth_mysql mysql-devel mysql-server
# yum -y install mod_python python python-devel
# yum -y install perl mod_perl mod_perl-devel openssl-perl perl-Convert-ASN1 perl-Date-Calc perl-DateManip perl-HTML-Parser perl-libwww-perl perl-CPAN perl-DBD-MySQL perl-XML-Parser
# yum -y install php-devel php php-domxml php-gd php-mbstring php-mysql php-ncurses php-pear
# yum -y install webalizer
# yum -y install sendmail sendmail-cf

Creating Directory Structure

All websites will be held in /home/.sites/. The first site that needs to be created is the _default site, which will be used as this servers default website.

# mkdir /home/.sites
# cd /home/.sites
# mkdir _default
# cd _default
# mkdir logs private cgi-bin web
# cd web
# mkdir stats

Now change the ownership of these directories to adminftp as follows:

# cd /home/.sites
# chown adminftp _default -R

Configure the required system services sto start at boot:

# chkconfig httpd on
# chkconfig mysqld on
# chkconfig vsftpd on
# chkconfig sshd on

Configuring Apache

Apache runs as the httpd service, and it’s configuration file is contained in /etc/httpd/conf. To run in a ‘virtual’ hosting environment, we will now configure the httpd.conf file. But first things first, lets backup the httpd.conf file!

# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.backup

Now edit httpd.conf (vi /etc/httpd/conf/httpd.conf) and make the following changes (substituting mydomain.com for your own domain).

The first section should be inside the httpd.conf file by default, so you just need to search for each line. You can easily do this using Vi by typing a forward slash then the keyword followed by enter (E.g. /ServerAdmin) and this will skip to that section if it is found. A bit like using Find in Windows.

ServerAdmin admin@mydomain.com
ServerName www.mydomain.com:80
NameVirtualHost *:80
DirectoryIndex index.html index.htm index.html.var

Next, skip to the very bottom of the httpd.conf file and you should see something similar to this:

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /www/docs/dummy-host.example.com
ServerName dummy-host.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

Make sure that this section isn’t commented out (with #) on each line, and then change the ServerAdmin, DocumentRoot, ServerName, ErrorLog and CustomLog . See the following example:

<VirtualHost *:80>
ServerAdmin admin@mydomain.com
DocumentRoot /home/.sites/_default/web
ServerName www.mydomain.com
ScriptAlias /cgi-bin/ /home/.sites/_default/cgi-bin/
ErrorLog /home/.sites/_default/logs/error_log
TransferLog /home/.sites/_default/logs/access_log

Options FollowSymLinks
Options +Includes
AllowOverride All
</VirtualHost>

You can host multiple websites by adding further VirtualHost sections, and each website is identified using the ServerName line. If your website has multiple domain names (E.g. www.mydomain.com www.mydomain.net mydomain.biz) then just add each one on a new line after ServerName with ServerAlias.

Save and exit the httpd.conf file and then restart the httpd service.

# /etc/init.d/httpd restart

Configuring VSFTP

VSFTP stands for Very Secure File Transfer Protocol. However using the installation defaults isn’t actually that secure as it allows anonymous access and doesn’t restrict which users can access the servers FTP service. In order to harden the security of VSFTP, several configuration changes must be made. Please note that some of these lines may be commented out by default, with a #, so remember to remove this if required.

# vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=nobody
ascii_upload_enable=YES
ftpd_banner= **** WARNING - Your actions are being logged ****

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
userlist_deny=NO

Next, we need to configure vsftpd.userlist and specify which users can FTP to the server. This compliments the userlist_deny setting in vsftpd.conf. When set to NO, this makes the vsftpd.userlist file a list of users that ARE allowed to log in.

# vi /etc/vsftpd/user_list

Remove all of the users that are listed in this file by default, and add ONLY the users that require access to the FTP server.

Configuring MySQL

MySQL is configured using /etc/my.cnf, but prior to any configuration this configuration file has only the bare minimum required to start the MySQL daemon. However there are 5 templates that we can base the configuration on; my-huge.cnf, my-innodb-heavy-4G.cnf, my-large.cnf, my-medium.cnf, and my-small.cnf. These are each configured depending on the RAM and the priority that MySQL has on this server.

We will use my-medium.cnf as this has been based on a web server where MySQL is not the primary role of the server but could have frequent use. If you are hosting a few sites with light use then use my-small.cnf.

# cd /usr/share/doc/mysql-server-
# cp my-medium.cnf /etc/my.cnf

Once this has overwritten my.cnf, the mysqld service must be restarted.

# /etc/init.d/mysqld restart

Now the root password for MySQL must be set using the following command. Do NOT use the same root password as the Linux root password.

# mysqladmin -u root password

Setting up phpMyAdmin

Administration of MySQL is carried out using phpMyAdmin which is a free open source software package licensed under the GNU. Nearly all hosting providers use this, and is pretty much the de-facto standard these days.

1) Download phpMyAdmin,
2) Extract the contents to a directory called phpMyAdmin (case sensitive)
3) Transfer the phpMyAdmin directory to /home/.sites/_default/web (Use FTP and login using the user you setup previously, as described in the Configuring FTP using VSFTPD section).

Now we need to configure the confic.inc.php file as follows:

# vi /home/.sites/_default/web/phpMyAdmin/config.inc.php

Look for:

$cfg['Servers'][$i]['auth_type'] = 'config’;

Change ‘config’ to ‘http’ then restart MySQL.

# /etc/init.d/mysqld restart

You should now be able to log into phpMyAdmin by going to http://www.mydomain.com/phpMyAdmin. Log on using ‘root’ and the password you specified for MySQL. You will now be presented with the phpMyAdmin web control panel. By default, MySQL contains a test database which is not required, so as a security measure, this needs to be deleted. To do this, click on ‘Databases’, then tick test. Click ‘Drop’ and then click ‘Yes’ to confirm.

When you are ready proceed to part 3.