Building a Secure Web Server with CentOS 5 - Part 2

05 Jan 2010 by rayheffer

Configuring CentOS

Edit /etc/hosts and /etc/sysconfig/network with hostnames
Install Packages

Example of /etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
67.34.32.11 www.mydomain.com

Example of /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=www.mydomain.com

Installing Packages

# yum -y install httpd openssl-devel openssl mod_ssl vsftpd rpm-build rpm-devel autoconf automake lynx gcc
# yum -y install mysql mod_auth_mysql mysql-devel mysql-server
# yum -y install mod_python python python-devel
# yum -y install perl mod_perl mod_perl-devel openssl-perl perl-Convert-ASN1 perl-Date-Calc perl-DateManip perl-HTML-Parser perl-libwww-perl perl-CPAN perl-DBD-MySQL perl-XML-Parser
# yum -y install php-devel php php-domxml php-gd php-mbstring php-mysql php-ncurses php-pear
# yum -y install webalizer
# yum -y install sendmail sendmail-cf

Creating Directory Structure

All websites will be held in /home/.sites/. The first site that needs to be created is the _default site, which will be used as this servers default website.

# mkdir /home/.sites
# cd /home/.sites
# mkdir _default
# cd _default
# mkdir logs private cgi-bin web
# cd web
# mkdir stats

Now change the ownership of these directories to adminftp as follows:

# cd /home/.sites # chown adminftp _default -R

Configure the required system services sto start at boot:

# chkconfig httpd on
# chkconfig mysqld on
# chkconfig vsftpd on
# chkconfig sshd on

Configuring Apache

Apache runs as the httpd service, and it’s configuration file is contained in /etc/httpd/conf. To run in a ‘virtual’ hosting environment, we will now configure the httpd.conf file. But first things first, lets backup the httpd.conf file!

# cd /etc/httpd/conf # cp httpd.conf httpd.conf.backup

Now edit httpd.conf (vi /etc/httpd/conf/httpd.conf) and make the following changes (substituting mydomain.com for your own domain).

The first section should be inside the httpd.conf file by default, so you just need to search for each line. You can easily do this using Vi by typing a forward slash then the keyword followed by enter (E.g. /ServerAdmin) and this will skip to that section if it is found. A bit like using Find in Windows.

ServerAdmin admin@mydomain.com
ServerName www.mydomain.com:80
NameVirtualHost *:80
DirectoryIndex index.html index.htm index.html.var

Next, skip to the very bottom of the httpd.conf file and you should see something similar to this:

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /www/docs/dummy-host.example.com
ServerName dummy-host.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

Make sure that this section isn’t commented out (with #) on each line, and then change the ServerAdmin, DocumentRoot, ServerName, ErrorLog and CustomLog . See the following example:

<VirtualHost *:80>
ServerAdmin admin@mydomain.com
DocumentRoot /home/.sites/_default/web
ServerName www.mydomain.com
ScriptAlias /cgi-bin/ /home/.sites/_default/cgi-bin/
ErrorLog /home/.sites/_default/logs/error_log
TransferLog /home/.sites/_default/logs/access_log

Options FollowSymLinks
Options +Includes
AllowOverride All
</VirtualHost>

You can host multiple websites by adding further VirtualHost sections, and each website is identified using the ServerName line. If your website has multiple domain names (E.g. www.mydomain.com www.mydomain.net mydomain.biz) then just add each one on a new line after ServerName with ServerAlias.

Save and exit the httpd.conf file and then restart the httpd service.

# /etc/init.d/httpd restart

Configuring VSFTP

VSFTP stands for Very Secure File Transfer Protocol. However using the installation defaults isn’t actually that secure as it allows anonymous access and doesn’t restrict which users can access the servers FTP service. In order to harden the security of VSFTP, several configuration changes must be made. Please note that some of these lines may be commented out by default, with a #, so remember to remove this if required.

# vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=nobody
ascii_upload_enable=YES
ftpd_banner= **** WARNING - Your actions are being logged ****

pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
userlist_deny=NO

Next, we need to configure vsftpd.userlist and specify which users can FTP to the server. This compliments the userlist_deny setting in vsftpd.conf. When set to NO, this makes the vsftpd.userlist file a list of users that ARE allowed to log in.

# vi /etc/vsftpd/user_list

Remove all of the users that are listed in this file by default, and add ONLY the users that require access to the FTP server.

Configuring MySQL

MySQL is configured using /etc/my.cnf, but prior to any configuration this configuration file has only the bare minimum required to start the MySQL daemon. However there are 5 templates that we can base the configuration on; my-huge.cnf, my-innodb-heavy-4G.cnf, my-large.cnf, my-medium.cnf, and my-small.cnf. These are each configured depending on the RAM and the priority that MySQL has on this server.

We will use my-medium.cnf as this has been based on a web server where MySQL is not the primary role of the server but could have frequent use. If you are hosting a few sites with light use then use my-small.cnf.

# cd /usr/share/doc/mysql-server- # cp my-medium.cnf /etc/my.cnf

Once this has overwritten my.cnf, the mysqld service must be restarted.

# /etc/init.d/mysqld restart

Now the root password for MySQL must be set using the following command. Do NOT use the same root password as the Linux root password.

# mysqladmin -u root password

Setting up phpMyAdmin

Administration of MySQL is carried out using phpMyAdmin which is a free open source software package licensed under the GNU. Nearly all hosting providers use this, and is pretty much the de-facto standard these days.

  1. Download phpMyAdmin,
  2. Extract the contents to a directory called phpMyAdmin (case sensitive)
  3. Transfer the phpMyAdmin directory to /home/.sites/_default/web (Use FTP and login using the user you setup previously, as described in the Configuring FTP using VSFTPD section).

Now we need to configure the confic.inc.php file as follows:

# vi /home/.sites/_default/web/phpMyAdmin/config.inc.php

Look for:

$cfg['Servers'][$i]['auth_type'] = 'config’;

Change ‘config’ to ‘http’ then restart MySQL.

# /etc/init.d/mysqld restart

You should now be able to log into phpMyAdmin by going to http://www.mydomain.com/phpMyAdmin. Log on using ‘root’ and the password you specified for MySQL. You will now be presented with the phpMyAdmin web control panel. By default, MySQL contains a test database which is not required, so as a security measure, this needs to be deleted. To do this, click on ‘Databases’, then tick test. Click ‘Drop’ and then click ‘Yes’ to confirm.

When you are ready proceed to part 3.

Comments are closed for this post.