Building a Secure Web Server with CentOS 5 - Part 1

05 Jan 2010 by rayheffer

Update (September 2015): This guide is five years old, so I would no longer recommend disabling SELinux. There have been many improvements since CentOS 5, so I strongly recommend you start with my Essential Linux Skills guides.

This is an updated version of my original LAMP (Linux Apache MySQL and Perl/PHP) guide that was based on CentOS 4. Now updated and tweaked for CentOS 5, I will take you through the steps required to build a secure Linux web server (LAMP) on CentOS 5.

I have a background working for an ISP, so I’ve based this build on the same configuration many hosting providers use. It supports virtual hosts (multiple websites), secure FTP access, locked down SSH access, and a sensible directory structure.

If you follow this guide, you will get a web server up and running within a couple of hours depending on whether you follow it step by step, or prefer to experiment first. If you are new to Linux then give it a try and learn something new, you never know you may surprise yourself!

Good luck! A word on web hosting

Before you get started with your server build, I’d like to talk about where you are going to host this server. There have been a number of developments in the past few years in regards to people hosting websites on their home ISP broadband connection.

Firstly, did you know that many of the major search engines will not crawl your website if it’s hosted on a residential IP address? What I mean by residential is an IP address provided by the likes of an ADSL or broadband provider (e.g. Virgin Media, BT, PlusNet, here in the UK). It will depend on the ISP whether you get a ‘fixed’ IP address or not, and even if you do your site will simply be ignored by the major search engines as they will recognise the IP address in a residential (non ISP) range. Don’t get me wrong, running web servers at home is great fun but I would recommend you avoid it unless it is purely for testing.

So, where is the best place to host your shiny new CentOS web server?

I would highly recommend getting a VPS (Virtual Private Server). There are plenty of hosting companies offering Virtual Private Servers, and VPS hosting is getting cheaper.

I would personally recommend Linode, I have been using them since 2006 and recently they have started hosting virtual servers in the London, UK as well as the USA. They provide a generous amount of bandwidth, starting at around 200GiB per month with 16GB+ of disk space depending on which option you go for. You can choose from a massive list of Linux distro’s, including CentOS 5! They use Xen virtualisation and they have an excellent web interface for accessing your server stats, server controls, DNS, and console access.

Getting Started

CentOS 5 is completely free and developed by a team of core developers at a North American Enterprise Linux vendor. In turn the core developers are supported by an active user community including system administrators, network administrators, enterprise users, managers, core Linux contributors and Linux enthusiasts from around the world.

CentOS has numerous advantages over some of the other clone projects including: an active and growing user community, quickly rebuilt, tested, and QA’ed errata packages, an extensive mirror network, developers who are contactable and responsive, multiple free support avenues including IRC Chat, Mailing Lists, Forums, a dynamic FAQ. Commercial support is offered via a number of vendors.

CentOS 5 is distributed on six CD’s, all of which are available for download from the CentOS website.

Download phpMyAdmin

This is optional, but I would highly recommend this excellent web interface for administering your MySQL databases. I have used this in the past to provide customers with their own phpMyAdmin login username, so they can manage their databases easily.

http://www.phpmyadmin.net

Installing CentOS

NOTE: If you are using a virtual private server (VPS) provided by a hosting company such as Linode, and CentOS is already installed then skip ahead to the next section.

Insert CD of the CentOS 5 installation CD and boot your server.
At the installation menu, just press ENTER for the graphical installation wizard.
When prompted for an installation type select custom installation and de-select all options for bare install.
Use automatic partitioning for the disks.
Remove all partitions from system (make sure you are happy to wipe all existing data!!).
Boot Loader: Leave default settings.
Network Configuration: Configure this with an internal IP address and DNS name.
Firewall: Select ‘No firewall’ as this will be installed and configured later.
SELinux: Set to ‘Disabled’. This is still very experimental so I would leave this switched off unless you really know what you are doing.
Authentication: Set a secure root password using random characters and numbers (upper an lower case).
Package Selection: Choose minimal configuration (Other packages can be installed at a later stage according to the server role).

WARNING!! – The server should not be connected to the internet until the configuration is completed and secure!

Updating the System

Now that you have CentOS 5 installed, we need to make sure it’s up to date and then do some basic security configuration with SSH. Unlike CentOS 4, you no longer have to import the RPM key to update and install software. It does this for you.

To check for updates type the following:

# yum check-update

Now perform the update process. Note, the -y is to accept all updates which I recommend as it’s a clean installation.

# yum –y update

Setting the clock

I strongly advise that you setup the timezone and clock correctly. First, you set /etc/localtime to link to the correct timezone, then either set the time manually or configure NTPD to syncronise with an internet time server such as pool.ntp.org.

Example of setting the timezone to GMT:

# ln -sf /usr/share/zoneinfo/GMT /etc/localtime

Setting the hardware clock:

# vi /etc/sysconfig/clock

System Services Configuration

As this is going to be a finely tuned web server, we don’t want uneccessary daemons running! Firstly, lets list all the daemons that have been configured to run at startup.

# chkconfig –list|grep on

You should now get an output similar to the following:

anacron 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:on 2:off 3:on 4:on 5:on 6:off
cups 0:off 1:on 2:off 3:on 4:on 5:on 6:off
haldaemon 0:off 1:on 2:off 3:off 4:on 5:on 6:off
messagebus0:off 1:on 2:off 3:off 4:on 5:on 6:off
network 0:off 1:on 2:off 3:off 4:on 5:on 6:off
syslog 0:off 1:on 2:off 3:off 4:on 5:on 6:off

Your list will probably be a lot longer as this is just an example, but what you can see here is the different run levels and their on/off status. Most daemons start at run level 3. Now lets switch off the daemons that aren’t needed. I’ve listed a few more here that you are likely to find.

# chkconfig cups off
# chkconfig apmd off
# chkconfig netfs off
# chkconfig pcmcia off
# chkconfig smartd off
# chkconfig anacron off
# chkconfig mdmonitor off
# chkconfig isdn off

NOTE: If you are using Linode then you should also switch off Kudzu (hardware detection) as this serves no purpose on a virtual UML system.

Host Access (TCP_WRAPPERS)

There are two host access files (/etc/hosts.allow and /etc/hosts.deny), that are part of the TCP_WRAPPER package. This makes it possible to allow or deny access to certain services based on the IP.

Edit the hosts.allow and hosts.deny files: # vi /etc/hosts.allow

sshd:<IP ADDRESS>
vsftpd:ALL
sendmail:ALL

# vi /etc/hosts.deny

ALL:ALL

The above is the internet IP you are connecting from (don't include < or >). You can enter multiple IP address here (separated by spaces) or to allow SSH from any IP just replace with ALL.

The root account should never be able to login via SSH (without first logging in as a user). You must change this, so edit /etc/ssh/sshd_config and ensure the following is set:

# vi /etc/ssh/sshd_config

Change the following lines as follows:

PermitRootLogin no
Protocol 2

Note: Some of these lines may already exist but will be commented out using #. To enable these commands the # needs to be removed.

Add Default Accounts

Before proceeding with any of the steps below, first create a user account that you will use to log in to this server. This account will be used for SSH connections.

# adduser <username>
# passwd <username>

You should now have access to the server via SSH. Download PuTTY and make sure it works.

When you are ready proceed to part 2.

Comments are closed for this post.