Building a Secure Web Server with CentOS 5 - Part 2
Posted on 05 Jan 2010 by Ray Heffer
Edit /etc/hosts and /etc/sysconfig/network with hostnames Install Packages
Example of /etc/hosts:
# Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost 220.127.116.11 www.mydomain.com
Example of /etc/sysconfig/network
# yum -y install httpd openssl-devel openssl mod_ssl vsftpd rpm-build rpm-devel autoconf automake lynx gcc # yum -y install mysql mod_auth_mysql mysql-devel mysql-server # yum -y install mod_python python python-devel # yum -y install perl mod_perl mod_perl-devel openssl-perl perl-Convert-ASN1 perl-Date-Calc perl-DateManip perl-HTML-Parser perl-libwww-perl perl-CPAN perl-DBD-MySQL perl-XML-Parser # yum -y install php-devel php php-domxml php-gd php-mbstring php-mysql php-ncurses php-pear # yum -y install webalizer # yum -y install sendmail sendmail-cf
Creating Directory Structure
All websites will be held in /home/.sites/. The first site that needs to be created is the _default site, which will be used as this servers default website.
# mkdir /home/.sites # cd /home/.sites # mkdir _default # cd _default # mkdir logs private cgi-bin web # cd web # mkdir stats
Now change the ownership of these directories to adminftp as follows:
# cd /home/.sites
# chown adminftp _default -R
Configure the required system services sto start at boot:
# chkconfig httpd on # chkconfig mysqld on # chkconfig vsftpd on # chkconfig sshd on
Apache runs as the httpd service, and it’s configuration file is contained in /etc/httpd/conf. To run in a ‘virtual’ hosting environment, we will now configure the httpd.conf file. But first things first, lets backup the httpd.conf file!
# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.backup
vi /etc/httpd/conf/httpd.conf) and make the following changes (substituting mydomain.com for your own domain).
The first section should be inside the httpd.conf file by default, so you just need to search for each line. You can easily do this using Vi by typing a forward slash then the keyword followed by enter (E.g. /ServerAdmin) and this will skip to that section if it is found. A bit like using Find in Windows.
ServerAdmin [email protected] ServerName www.mydomain.com:80 NameVirtualHost *:80 DirectoryIndex index.html index.htm index.html.var
Next, skip to the very bottom of the httpd.conf file and you should see something similar to this:
<VirtualHost *:80> ServerAdmin [email protected] DocumentRoot /www/docs/dummy-host.example.com ServerName dummy-host.example.com ErrorLog logs/dummy-host.example.com-error_log CustomLog logs/dummy-host.example.com-access_log common </VirtualHost>
Make sure that this section isn’t commented out (with #) on each line, and then change the ServerAdmin, DocumentRoot, ServerName, ErrorLog and CustomLog . See the following example:
<VirtualHost *:80> ServerAdmin [email protected] DocumentRoot /home/.sites/_default/web ServerName www.mydomain.com ScriptAlias /cgi-bin/ /home/.sites/_default/cgi-bin/ ErrorLog /home/.sites/_default/logs/error_log TransferLog /home/.sites/_default/logs/access_log Options FollowSymLinks Options +Includes AllowOverride All </VirtualHost>
You can host multiple websites by adding further VirtualHost sections, and each website is identified using the ServerName line. If your website has multiple domain names (E.g. www.mydomain.com www.mydomain.net mydomain.biz) then just add each one on a new line after ServerName with ServerAlias.
Save and exit the httpd.conf file and then restart the httpd service.
# /etc/init.d/httpd restart
VSFTP stands for Very Secure File Transfer Protocol. However using the installation defaults isn’t actually that secure as it allows anonymous access and doesn’t restrict which users can access the servers FTP service. In order to harden the security of VSFTP, several configuration changes must be made. Please note that some of these lines may be commented out by default, with a #, so remember to remove this if required.
# vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO xferlog_file=/var/log/vsftpd.log idle_session_timeout=600 nopriv_user=nobody ascii_upload_enable=YES ftpd_banner= **** WARNING - Your actions are being logged **** pam_service_name=vsftpd userlist_enable=YES listen=YES tcp_wrappers=YES chroot_local_user=YES userlist_deny=NO
Next, we need to configure vsftpd.userlist and specify which users can FTP to the server. This compliments the userlist_deny setting in vsftpd.conf. When set to NO, this makes the vsftpd.userlist file a list of users that ARE allowed to log in.
# vi /etc/vsftpd/user_list
Remove all of the users that are listed in this file by default, and add ONLY the users that require access to the FTP server.
MySQL is configured using /etc/my.cnf, but prior to any configuration this configuration file has only the bare minimum required to start the MySQL daemon. However there are 5 templates that we can base the configuration on; my-huge.cnf, my-innodb-heavy-4G.cnf, my-large.cnf, my-medium.cnf, and my-small.cnf. These are each configured depending on the RAM and the priority that MySQL has on this server.
We will use my-medium.cnf as this has been based on a web server where MySQL is not the primary role of the server but could have frequent use. If you are hosting a few sites with light use then use my-small.cnf.
# cd /usr/share/doc/mysql-server-
# cp my-medium.cnf /etc/my.cnf
Once this has overwritten my.cnf, the mysqld service must be restarted.
# /etc/init.d/mysqld restart
Now the root password for MySQL must be set using the following command. Do NOT use the same root password as the Linux root password.
# mysqladmin -u root password
Setting up phpMyAdmin
Administration of MySQL is carried out using phpMyAdmin which is a free open source software package licensed under the GNU. Nearly all hosting providers use this, and is pretty much the de-facto standard these days.
- Download phpMyAdmin,
- Extract the contents to a directory called phpMyAdmin (case sensitive)
- Transfer the phpMyAdmin directory to /home/.sites/_default/web (Use FTP and login using the user you setup previously, as described in the Configuring FTP using VSFTPD section).
Now we need to configure the confic.inc.php file as follows:
# vi /home/.sites/_default/web/phpMyAdmin/config.inc.php
$cfg['Servers'][$i]['auth_type'] = 'config’;
Change ‘config’ to ‘http’ then restart MySQL.
# /etc/init.d/mysqld restart
You should now be able to log into phpMyAdmin by going to http://www.mydomain.com/phpMyAdmin. Log on using ‘root’ and the password you specified for MySQL. You will now be presented with the phpMyAdmin web control panel. By default, MySQL contains a test database which is not required, so as a security measure, this needs to be deleted. To do this, click on ‘Databases’, then tick test. Click ‘Drop’ and then click ‘Yes’ to confirm.
When you are ready proceed to part 3.