Building a Secure Web Server with CentOS 5 - Part 3

Posted on 05 Jan 2010 by Ray Heffer

In the following steps, we will base our configuration on a fictitious company called Happy Burger, which has already registered a domain name that we will point to the IP address of this web server. When you are creating your own site, substitute the customer name and domain name with those of the actual customer. If a Happy Burger really exists, then this is in no way associated with them and is purely coincidental!

Create a User Account

The first step is to create a user account that will be associated with this website and be used to authenticate via FTP. When creating the password, make sure that it is at least 8 characters, alphanumeric, mixed case and includes numbers. I usually generate random passwords for this.

# adduser -s /sbin/nologin happyburger
# passwd happyburger

Creating the directory structure

Each website must have the following directory structure in order to support access logs, web statistics, .htpasswd files, CGI scripts and the public web directory.

/home/.sites/happyburger/: The parent path /home/.sites/ contains one directory per website. Each directory is named after the customer, in lowercase.
/home/.sites/happyburger/web/: This path contains the website contents (public root).
/home/.sites/happyburger/web/stats/: This path will contain the Webalizer statistics, and is password protected using .htaccess.
/home/.sites/happyburger/private/: This path is not accessible from the internet, and contains the .htpasswd file.
/home/.sites/happyburger/cgi-bin/: Apache uses this path as the CGI script directory, by using a script alias.
/home/.sites/happyburger/logs/: This path stores the log files that Apache generates.

Create the structure as follows:

# cd /home/.sites
# mkdir happyburger
# cd happyburger
# mkdir web cgi-bin private logs
# cd web
# mkdir stats

Now change the ownership of these directories, substituting <username> with the account created above (in this case, happyburger):

# cd /home/.sites
# chown -R <username> happyburger

Configuring Apache

As Apache will be configured using multiple ‘virtual hosts’ we need to create a separate configuration file for each virtual host. To do this we will create a vhost directory, and configure the Apache configuration file to read each of these virtual host configurations.

# cd /etc/httpd/vhost

(If this directory does not exist then you will need to create it.)

Now we will create the virtual host configuration file for this particular website.

# vi happyburger.conf

Now enter the following into the newly created configuration file:

<VirtualHost *:80>
    # ServerName is a placeholder here: set it to the domain registered for this customer
    ServerName <domain>
    ServerAdmin webmaster@<domain>
    DocumentRoot /home/.sites/happyburger/web
    ScriptAlias /cgi-bin/ /home/.sites/happyburger/cgi-bin/
    <Directory /home/.sites/happyburger/web>
        Options FollowSymLinks
        Options +Includes +ExecCGI
        AllowOverride All
    </Directory>
</VirtualHost>

Once this has been saved, we will then need to configure Apache to include this in the main configuration.

# vi /etc/httpd/conf/httpd.conf

At the end of the configuration file add the following line:

Include /etc/httpd/vhost/happyburger.conf

Now restart httpd:

# /etc/init.d/httpd restart

Configuring FTP (VSFTP)

Before the new account can log in with FTP, you must add the new user to vsftpd.user_list, which contains a list of all accounts permitted to use the FTP service.

# vi /etc/vsftpd.user_list

Add the new user to the list.
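The whole procedure from this part (directories, ownership, virtual host, Include line, FTP allow-list) as one added shell script; this is an example written for this page, not the original post's code. It assumes a PREFIX variable: empty on the real server, or a scratch directory to dry-run the file and directory steps without root. The vhost keeps the post's Options and adds the ErrorLog/CustomLog lines that make the logs directory useful.

```shell
#!/bin/sh
# Added example, not from the original post. PREFIX is an assumed variable: leave it
# empty on the real server, or set it to a scratch directory to dry-run without root.

valid_name() {   # lowercase letters and digits only: the name becomes an account, a directory and a file
    case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac
}

make_site_dirs() {   # make_site_dirs <name>
    site="$PREFIX/home/.sites/$1"
    mkdir -p "$site/web/stats" "$site/cgi-bin" "$site/private" "$site/logs" || return 1
    chmod 755 "$site" "$site/web" "$site/web/stats" "$site/cgi-bin"
    chmod 750 "$site/private" "$site/logs"   # .htpasswd and logs must not be world-readable
}

write_vhost() {      # write_vhost <name> <domain>
    conf="$PREFIX/etc/httpd/vhost/$1.conf"
    mkdir -p "$(dirname "$conf")" || return 1
    cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerName $2
    ServerAdmin webmaster@$2
    DocumentRoot /home/.sites/$1/web
    ScriptAlias /cgi-bin/ /home/.sites/$1/cgi-bin/
    ErrorLog /home/.sites/$1/logs/error_log
    CustomLog /home/.sites/$1/logs/access_log combined
    <Directory /home/.sites/$1/web>
        Options FollowSymLinks
        Options +Includes +ExecCGI
        AllowOverride All
    </Directory>
</VirtualHost>
EOF
}

provision_site() {   # provision_site <name> <domain>
    valid_name "$1" || { echo "bad customer name: $1" >&2; return 1; }
    make_site_dirs "$1" && write_vhost "$1" "$2" || return 1
    # account, ownership, Include line, FTP allow-list and restart need root and the real paths
    if [ -z "$PREFIX" ] && [ "$(id -u)" -eq 0 ]; then
        adduser -s /sbin/nologin "$1" && passwd "$1"
        chown -R "$1" "/home/.sites/$1"
        grep -qx "Include /etc/httpd/vhost/$1.conf" /etc/httpd/conf/httpd.conf ||
            echo "Include /etc/httpd/vhost/$1.conf" >> /etc/httpd/conf/httpd.conf
        grep -qx "$1" /etc/vsftpd.user_list || echo "$1" >> /etc/vsftpd.user_list
        /etc/init.d/httpd restart
    fi
}

if [ $# -eq 2 ]; then provision_site "$1" "$2"; fi
```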