Install ModSecurity in Apache2 – The Easiest Way

ModSecurity is an Apache module that acts as a web application firewall, adding another security layer to your website. Nowadays it is very important to have this protection so that your website is shielded from Internet threats. Based on my experience as a system administrator, our intrusion detection system detected on average 10 – 15 Internet threats per server per day. These include brute-force attacks, blind SQL injection, XSS attacks and many more.

Apache is the most popular web server in the world. If you use Apache, I strongly advise you to enable ModSecurity on your production web server. You never know when, or why, your website will be targeted. Protection is the best cure!

I will use a standard CentOS 6 distribution with Apache installed via yum and running as a DSO. Variables are as below:

OS: CentOS 6 64bit
Apache directory: /etc/httpd
Apache configuration: /etc/httpd/conf/httpd.conf
ModSecurity configuration: /etc/httpd/conf.d/modsecurity.conf

1. Install Apache via yum and make sure it runs properly:

$ yum install -y httpd*
$ chkconfig httpd on
$ service httpd start

2. Install all the needed packages via yum:

$ yum install pcre* libxml2* libcurl* lua* libtool openssl -y

3. Download the mod_security source from http://www.modsecurity.org/download/ into /usr/local/src. In this case I will download modsecurity-apache_2.6.2.tar.gz and extract it:

$ cd /usr/local/src
$ tar -xzf  modsecurity-apache_2.6.2.tar.gz

4. Navigate to the extracted folder, then configure and install:

$ cd modsecurity-apache*
$ ./configure
$ make
$ make install

5. Copy the ModSecurity configuration file into Apache configuration directory:

$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

6. Activate the mod_security and unique_id modules in the Apache configuration file. Open /etc/httpd/conf/httpd.conf in a text editor and add the following lines:

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

7. Now we need to turn on protection in the ModSecurity configuration file. Open /etc/httpd/conf.d/modsecurity.conf in a text editor and change the following line:

SecRuleEngine DetectionOnly

To:

SecRuleEngine On

8. Restart Apache so mod_security is loaded into the Apache environment:

$ service httpd restart

Done! Your website is now protected by Apache ModSecurity. You can tweak the rules inside modsecurity.conf to suit your website's requirements. You can check what is happening by reviewing the log file at /var/log/modsec_audit.log.
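
Reviewing modsec_audit.log by hand gets tedious once a few hundred entries are in it. The script below is an added example (not code from the original post): it summarises a serial-format audit log by rule id and by client address, so you can see which rules fire most and which sources keep tripping them. The three log entries it runs on are constructed; the rule ids, unique ids and addresses in them are made up, and the awk field positions assume the default serial audit format written by modsecurity.conf-recommended.

```shell
#!/bin/sh
# Summarise a ModSecurity serial audit log (/var/log/modsec_audit.log with the
# default SecAuditLogType Serial) by rule id and by client address.
# Added example; not code from the original post.

# Constructed sample: three audit entries. Each entry is bracketed by
# "--<id>-A--" (request line: timestamp, unique id, client ip/port,
# server ip/port) and "--<id>-Z--", with the rule messages in section H.
SAMPLE_LOG='--a1b2c3d4-A--
[12/Mar/2012:10:01:02 +0800] TzpXQn8AAAEAABc4UUcAAAAA 192.168.0.5 51234 192.168.0.200 80
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:union\s+select)" at ARGS:id. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "42"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[12/Mar/2012:10:05:17 +0800] TzpYkH8AAAEAABc5J2sAAAAB 10.0.0.9 40022 192.168.0.200 80
--e5f6a7b8-H--
Message: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:q. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "57"] [id "958001"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"]
--e5f6a7b8-Z--
--c9d0e1f2-A--
[12/Mar/2012:10:07:44 +0800] TzpZLH8AAAEAABc6AbkAAAAC 192.168.0.5 51300 192.168.0.200 80
--c9d0e1f2-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:union\s+select)" at ARGS:id. [file "/etc/httpd/conf.d/modsecurity.conf"] [line "42"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--c9d0e1f2-Z--'

# Write the constructed sample to a file so the functions below can be tried.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Blocked requests per rule id: "<id> <count>", most frequent first.
modsec_rule_counts() {
    awk '/^Message: Access denied/ && match($0, /\[id "[0-9]+"\]/) {
             id = substr($0, RSTART + 5, RLENGTH - 7)
             n[id]++
         }
         END { for (id in n) print id, n[id] }' "$1" | sort -k2,2nr -k1,1
}

# Audit entries per client address, read from the line after each A header
# (field 4 of that line is the client IP, field 6 the server IP).
modsec_client_counts() {
    awk '/^--[0-9a-f]+-A--$/ { want = 1; next }
         want == 1 { n[$4]++; want = 0 }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# Print both summaries for the given log (default: the live audit log).
modsec_report() {
    log="${1:-/var/log/modsec_audit.log}"
    echo "== blocked requests by rule id ($log) =="
    modsec_rule_counts "$log"
    echo "== audit entries by client =="
    modsec_client_counts "$log"
}

# Demo on the constructed sample.
tmp=$(mktemp)
write_sample_log "$tmp"
modsec_report "$tmp"
rm -f "$tmp"
```

Run it as root with `modsec_report` and no argument to read the live log. To confirm the module was actually loaded after the restart in step 8, `httpd -M | grep security2` should list `security2_module`.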

Installing Java 1.6 in CentOS 6 – The Simplest Way

The default repository in CentOS 6 gives you Java 1.5 JRE and SDK packages. I will show you how to install version 1.6 using yum. You just need to enable the RPMforge repository and follow a few simple steps after that.

Variables as follows:

OS: CentOS 6 64bit
Current Java version: 1.5
Upgraded Java version: 1.6

1. Add RPMforge to the yum repositories:

$ cd /usr/local/src
$ rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
$ rpm -Uhv rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

2. Remove the previous Java 1.5, if you have it installed:

$ yum remove java-1.5-*

3. Let's install Java 1.6. The package name is java-1.6.0-openjdk.x86_64:

$ yum install java-1.6.0-openjdk.x86_64 -y

4. Export the JAVA_HOME environment variable. This step is optional:

$ export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre

5. Let's check our latest Java version:

$ java -version
java version "1.6.0_17"
OpenJDK Runtime Environment (IcedTea6 1.7.9) (rhel-1.36.b17.el6_0-x86_64)
OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)

As simple as ABC!

Linux: Yum Repository from DVD

In my case, I need to set up a web server without an Internet connection. Since I am comfortable using yum for package installation in Linux, we need to tell yum to look at the CentOS DVD instead of the Internet (the default).

Variables as below:

OS: CentOS 6 64bit
DVD path: /mnt/cdrom
Mount point: /media/CentOS

1. Create mount point directory:

$ mkdir /media/CentOS

2. Insert CentOS installation DVD #1 and mount it at the mount point we want:

$ mount /mnt/cdrom /media/CentOS
mount: block device /dev/sr0 is write-protected, mounting read-only

3. We need to tell yum to use the installation DVD instead of the repository over the Internet. To do this, I enable the CentOS-Media repository. Open /etc/yum.repos.d/CentOS-Media.repo in a text editor and change the following line:

enabled=0

To:

enabled=1

4. Since I will not use the default repositories at all, I will move all other .repo files to another folder, /etc/yum.repos.d.bak:

$ mkdir /etc/yum.repos.d.bak
$ cd /etc/yum.repos.d
$ ls -1 | grep -v CentOS-Media.repo | xargs -I {} mv {} /etc/yum.repos.d.bak/

Done! Now you can run the yum package installer directly from the installation disc. If you plan to use this method from now on, you might need to edit /etc/fstab or the /etc/rc.local script to mount the installation disc automatically at boot.

Linux: Install DNS Resolver for Private Use – The Simplest Way

A DNS resolver is needed to resolve domain names to IP addresses. The most popular public DNS resolvers are probably Google's 8.8.8.8 and 8.8.4.4.

In some cases, if you have a web server in a DMZ, its IP address will differ depending on whether you ping it from the internal or the external network. This situation led me to run our own private DNS resolver, since the development team needs the development server reachable by domain name (because of URL binding and some programming requirements). The domain I will resolve locally is myserver.net; all other domains will resolve exactly as they do on a public DNS resolver.

I will show you how I do that in the simplest way, using yum, BIND and Webmin. Variables as follows:

OS: CentOS 6 64bit
IP: 192.168.0.200
Hostname: dns.local
Internal web server IP: 192.168.0.202
DNS Zone:  myserver.net

1. Install Bind using yum:

yum install bind* -y

2. Download Webmin so we can easily manage the zone via a web-based interface:

cd /usr/local/src
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.560-1.noarch.rpm
rpm -Uhv  webmin-1.560-1.noarch.rpm

3. Start the Webmin service:

service webmin start

4. Allow port 10000 in iptables. Open /etc/sysconfig/iptables in a text editor and add the following line BEFORE any “-j REJECT” line:

-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

5. Restart iptables:

service iptables restart

6. Access the Webmin interface at http://192.168.0.200:10000 and log in as root with the root password. We will use Webmin from now on. Let's initialize the BIND DNS server first. After logging in, go to Servers > BIND DNS Server > select “Setup as an internet name server, and download root server information” > click “Create Primary Configuration File and Start Nameserver”:

7. Configuration done. Let's create our domain myserver.net to be resolved locally. Go to “Create master zone” and enter the required information. Example as below:

8. Now let's add the required A record. Go to “Address” and enter the host name with its IP address, as in the example below:

9. Once the host record is complete, click “Apply Zone” at the top corner of the page to reload the DNS zone with the new values. To double-check, you can click “Edit Records File” and view the complete list of DNS records.

10. DNS resolver completed. Just point the DNS resolver on your PC to 192.168.0.200 and everything will work as expected. Don't forget to flush the DNS cache with “ipconfig /flushdns” on Windows PCs.

To check, you can ping yahoo.com or google.com as usual, and at the same time ping your own domain and see it resolve to the local IP defined in the DNS zone of our resolver.
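
Webmin writes the same zone file you would write by hand, and it helps to know what steps 7 to 9 actually produce. The script below is an added example, not Webmin's output or code from the original post: it emits the forward zone for myserver.net using the variables above (dns.local at 192.168.0.200 as the name server, 192.168.0.202 for the internal web server), plus a named.conf fragment that limits recursion and queries to the 192.168.0.0/24 network so the box does not become an open resolver. The host names www and dev, the hostmaster address and the zone file name are assumptions.

```shell
#!/bin/sh
# Emit the forward zone for myserver.net that the Webmin steps above produce,
# and a named.conf fragment that keeps the resolver private to the LAN.
# Added example; the host names www/dev, the hostmaster address and the file
# names are assumptions, not values from the original post.

ZONE=myserver.net
NS_HOST=dns.local          # the resolver itself, 192.168.0.200
WEB_IP=192.168.0.202       # internal web server
LAN=192.168.0.0/24

# Forward zone file. $1 is the serial (YYYYMMDDnn); bump it on every change.
zone_file() {
    cat <<EOF
\$TTL 3600
@       IN SOA  ${NS_HOST}. hostmaster.${ZONE}. (
                $1          ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative cache TTL
        IN NS   ${NS_HOST}.
@       IN A    ${WEB_IP}
www     IN A    ${WEB_IP}
dev     IN A    ${WEB_IP}
EOF
}

# named.conf fragment: answer and recurse only for LAN clients, and never
# allow zone transfers of the private zone.
named_conf_fragment() {
    cat <<EOF
options {
        recursion yes;
        allow-query     { 127.0.0.1; ${LAN}; };
        allow-recursion { 127.0.0.1; ${LAN}; };
};
zone "${ZONE}" IN {
        type master;
        file "${ZONE}.hosts";
        allow-transfer { none; };
};
EOF
}

# Syntax-check the generated zone with named-checkzone when BIND is installed.
check_zone() {
    f=$(mktemp)
    zone_file "$(date +%Y%m%d01)" > "$f"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$f"
    else
        echo "named-checkzone not found; printing zone instead"
        cat "$f"
    fi
    rm -f "$f"
}

check_zone
named_conf_fragment
```

After applying the zone, `dig @192.168.0.200 www.myserver.net` from a LAN client should return 192.168.0.202, and the same query from outside 192.168.0.0/24 should be refused.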

Linux: Install Subversion (SVN) Server

Since my programmers are already familiar with SVN rather than WebDAV, I need to set up a Subversion server for them. Using PHP Designer 7 on Windows 7, they can connect to the SVN server via the TortoiseSVN plugin, available at http://tortoisesvn.tigris.org/.

Subversion is a full-featured version control system originally designed to be a better CVS. In layman's terms, it controls the versioning of files shared between users. In this case, I will use the Subversion package available in the yum repository. Variables as below:

OS: CentOS 6.0 64bit
Server IP: 192.168.0.170
SVN directory for webproject1: /home/user1/webproject1
SVN user for webproject1: project1
SVN password for webproject1:  mypasswording1
SVN directory for webproject2: /home/user1/webproject2
SVN user for webproject2: project2
SVN password for webproject2:  mypasswording2

1. First, we need to install the subversion package via yum:

$ yum install subversion -y


ELS: Great Server Administration Tool

ELS stands for Easy Linux Security. ELS was created by the Server Monkeys founder, Richard Gannon. ELS takes many of the tasks performed by server administrators and puts them into an easy-to-use program. It is released under the GNU GPL, so it is free to use.

If you want to know more about this project, please go to http://servermonkeys.com/els.php . To install the tool, execute the following command as root:

wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh

Once installed, you should be able to run the following command and see the output below:

Setup Mail Gateway/Forwarding using Postfix

I will show you how to set up mail forwarding in Postfix: my MX record will point to the email gateway, and this server will forward all emails to my mail server, which runs under cPanel.

What we really need is an MTA (mail transfer agent), an application that routes your email from hop to hop until the transaction completes and the email reaches its destination. Variables as below:

OS: CentOS 5.5 64bit
MTA version: Postfix 2.3.3
Mail gateway IP: 28.90.150.2
Mail gateway hostname: forwarder.getmail.com
Destination server (cPanel): 28.90.166.73
Domain: getmail.com, yoursetup.net and mymouse.biz

1. In this case, I already have MX records pointing to my cPanel server for 3 domains, as below:

getmail.com.    MX    10    mail.getmail.com.
mail             A          28.90.166.173
 
yoursetup.net.    MX    10    mail.yoursetup.net.
mail               A          28.90.166.173
 
mymouse.biz.    MX    10    mail.mymouse.biz.
mail             A          28.90.166.173

2. Let's set up and configure the MTA and all required applications. We also need to stop sendmail (enabled by default on the system), remove it from the start-up services, disable SELinux and install Postfix using yum:

service sendmail stop
chkconfig sendmail off
setenforce 0
yum install postfix -y

3. We need to do some configuration to tell Postfix what type of MTA it should be. Edit /etc/postfix/main.cf in a text editor and change or uncomment the following values:
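
The post stops before the main.cf values; as an added example that is not the original post's configuration, here is one standard way to express this gateway in Postfix terms: relay_domains lists the three domains, and a transport map sends each of them to the cPanel server by IP. The script generates both from the variables above. Assumptions: the destination is 28.90.166.73 from the variables list, the transport map lives at /etc/postfix/transport, and the reject_unauth_destination restriction is mine, added so the gateway relays only for its own domains and not for anyone who connects to it.

```shell
#!/bin/sh
# Generate the Postfix settings that make this host a forwarding gateway for
# getmail.com, yoursetup.net and mymouse.biz, relaying to the cPanel server.
# Added example using relay_domains + transport_maps, one standard way to do
# this; it is not the configuration from the original post.

GATEWAY_HOST=forwarder.getmail.com
DEST_IP=28.90.166.73
DOMAINS="getmail.com yoursetup.net mymouse.biz"

# main.cf settings: accept mail for the domains but never deliver it locally,
# and relay only for them (reject_unauth_destination keeps it a closed relay).
gateway_main_cf() {
    cat <<EOF
myhostname = ${GATEWAY_HOST}
inet_interfaces = all
mydestination = localhost
relay_domains = $(printf '%s\n' "$DOMAINS" | sed 's/ /, /g')
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# Transport map: "[ip]" skips the MX lookup, so mail is not looped back to the
# gateway once the domains' MX records are changed to point at it.
gateway_transport() {
    for d in $DOMAINS; do
        printf '%s\tsmtp:[%s]\n' "$d" "$DEST_IP"
    done
}

# Write the transport map into $1 (default /etc/postfix) and, when the Postfix
# tools are available, apply the main.cf settings with postconf and reload.
# Note: postconf -e always edits /etc/postfix/main.cf, whatever $1 is.
apply_gateway() {
    dir="${1:-/etc/postfix}"
    gateway_transport > "$dir/transport"
    if command -v postconf >/dev/null 2>&1; then
        gateway_main_cf | while IFS= read -r line; do
            postconf -e "$line"
        done
        postmap "$dir/transport"
        postfix check && postfix reload
    else
        echo "postfix not installed here; settings to add to main.cf:" >&2
        gateway_main_cf
    fi
}
```

Run `apply_gateway` as root on the gateway, then change the three MX records to the gateway host; `postconf -n` shows the effective settings and the mail log shows each message being handed to 28.90.166.73.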

cPanel: Setup Nginx as Reverse Proxy with Apache

cPanel ships with the Apache web server by default. That does not mean we cannot integrate Nginx. With some minor changes, we can install Nginx to listen on port 80 and forward any PHP request to Apache on another port, 88. Apache is not very good at serving static files, so we will hand that task to Nginx. You will notice that memory and CPU usage drop once this setup is done.

Warning: This setup is not suitable for a shared hosting environment. I strongly recommend applying it only if you have one busy website running under cPanel. Make sure you have compiled your Apache modules and features using EasyApache.

I am using the variables below:

OS: CentOS 5.6 32bit
cPanel: cPanel 11.30.1 (build 4)
Domain IP: 123.124.125.88
Apache port: 88
Domain: mywebs.net
User: mywebs
Home directory: /home/mywebs

1. Since Nginx will be a reverse proxy in front of Apache, we don't want our log files to record the proxy IP; we want the real client IP as usual. This makes sure stats pages like Webalizer and AWStats record the correct information. So we need to install mod_rpaf, the “Reverse Proxy Add Forward” module for Apache. You can download it at http://stderr.net/apache/rpaf/download:

cd /usr/local/src
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
tar -xzf mod_rpaf-0.6.tar.gz
cd mod_rpaf-*
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

2. Once installed, we need to load the module in the Apache configuration. Since cPanel already has an Include Editor for Apache, we will use that. Log in to WHM > Service Configuration > Apache Configuration > Include Editor > Pre Main Include > All Versions and paste the following text:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# replace the second address with your server IP (Apache does not allow a comment on the directive line itself)
RPAFproxy_ips 127.0.0.1 123.124.125.88
RPAFsethostname On
RPAFheader X-Real-IP

3. Click Update > Restart Apache. The module will be loaded after the restart.


FreeBSD: NginX+PHP 5.3 FastCGI (FPM) Installation

NginX (pronounced “engine x”) is a high-performance web server and reverse proxy server. It is well known for its lower memory footprint compared to Apache. You can refer here for Nginx vs Apache performance benchmark results. Nginx is way better than Apache.

Popular websites running on Nginx include SourceForge, WordPress and Hulu. By running Nginx on FreeBSD, you can deliver a light, efficient, powerful, stable and secure web server in a simple way.

What is PHP? I think you all know already, so there is no need to explain further. The PHP handler we will use is FastCGI Process Manager (FPM), an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. This setup will deliver a high-performance web service on low-spec hardware.

OS: FreeBSD 8 64bit
Nginx version: 0.8.54
PHP version: 5.3.6
Website: http://mydomain.net/
Website IP: 192.168.60.2
Web directory: /home/mydomain/public_html

1. Let's start by installing the Nginx web server:

cd /usr/ports/www/nginx
make install clean

Once the installation starts, it will prompt with the Nginx module selection page. You can select any Nginx modules you want, but I will select the following modules to be compiled right away:

[X] HTTP_MODULE               Enable HTTP module
[X] HTTP_ADDITION_MODULE      Enable http_addition module
[X] HTTP_CACHE_MODULE         Enable http_cache module
[X] HTTP_DAV_MODULE           Enable http_webdav module
[X] HTTP_FLV_MODULE           Enable http_flv module
[X] HTTP_GEOIP_MODULE         Enable http_geoip module
[X] HTTP_GZIP_STATIC_MODULE   Enable http_gzip_static module
[X] HTTP_IMAGE_FILTER_MODULE  Enable http_image_filter module
[X] HTTP_PERL_MODULE          Enable http_perl module
[X] HTTP_RANDOM_INDEX_MODULE  Enable http_random_index module
[X] HTTP_REALIP_MODULE        Enable http_realip module
[X] HTTP_REWRITE_MODULE       Enable http_rewrite module
[X] HTTP_SECURE_LINK_MODULE   Enable http_secure_link module
[X] HTTP_SSL_MODULE           Enable http_ssl module
[X] HTTP_STATUS_MODULE        Enable http_stub_status module
[X] HTTP_SUB_MODULE           Enable http_sub module
[X] HTTP_XSLT_MODULE          Enable http_xslt module

If you receive any further prompts, just accept all the default values if you want a complete setup, or select what you want if you know what you are doing.

2. Web server installation done. Make sure Nginx is enabled by adding the following line to /etc/rc.conf:

nginx_enable="YES"


Debian – Update Source List

If you are a Debian administrator, it is advisable to run apt-get update before installing any package, to make sure you can reach the mirror and the installation runs smoothly with the latest package list. Sometimes you will see the following error when trying to update:

W: Some index files failed to download, they have been ignored, or old ones used instead.

This means that the mirror configured in your sources list is down or unreachable, or that you have a routing or other connectivity problem between you and the mirror server. So we need to change the sources list and provide another mirror server, which you can pick from the Debian website, http://www.debian.org/mirror/list . In my case, I will use the Japan mirror.

1. Log in to the server via SSH/console and open /etc/apt/sources.list in a text editor:

$ nano /etc/apt/sources.list

2. Edit the file following the example below. Since I will use the Japan mirror, my sources list will look like this:

#
 
# deb cdrom:[Debian GNU/Linux 6.0.1a _Squeeze_ - Official amd64 NETINST Binary-1 20110320-15:00]/ squeeze main
 
#deb cdrom:[Debian GNU/Linux 6.0.1a _Squeeze_ - Official amd64 NETINST Binary-1 20110320-15:00]/ squeeze main
 
deb http://ftp.jp.debian.org/debian/ squeeze main non-free contrib
deb-src http://ftp.jp.debian.org/debian/ squeeze main non-free contrib
 
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
 
deb http://ftp.jp.debian.org/debian/ squeeze-updates main non-free contrib
deb-src http://ftp.jp.debian.org/debian/ squeeze-updates main non-free contrib

3. Update the package list from the new mirror:

$ apt-get update

After running that, make sure there are no errors at the end of the output. You should now be able to install packages with apt-get without any problem.
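
Editing sources.list by hand is fine for one box; for several, a small script that swaps only the mirror host is safer, because it cannot accidentally touch the security.debian.org lines (security updates should keep coming from the official source, not from whichever mirror happens to be closest). The functions below are an added example, not from the original post; the file names and the squeeze Release path used for the reachability check are assumptions, and the sources list they are tested on is constructed.

```shell
#!/bin/sh
# Switch the Debian mirror in an apt sources list to another host from
# http://www.debian.org/mirror/list, touching only the deb/deb-src lines that
# use the old mirror (security.debian.org and cdrom lines stay as they are).
# Added example; not from the original post.

# List the distinct mirror hosts referenced by active deb/deb-src lines.
mirror_hosts() {
    grep -E '^deb(-src)?[[:space:]]+https?://' "$1" \
        | awk '{ print $2 }' \
        | sed -E 's#^https?://([^/]+)/.*#\1#' \
        | sort -u
}

# Print $1 with mirror host $2 replaced by $3 on deb/deb-src lines.
switch_mirror() {
    sed -E "s#^(deb(-src)?[[:space:]]+https?://)$2/#\1$3/#" "$1"
}

# Check that a mirror serves the squeeze Release file before switching to it
# (path assumed from the standard /debian/ layout used by the mirrors).
mirror_reachable() {
    if command -v wget >/dev/null 2>&1; then
        wget -q --spider "http://$1/debian/dists/squeeze/Release"
    else
        echo "wget not found; cannot check $1" >&2
        return 2
    fi
}

# Replace the mirror in place, keeping a backup of the original file.
# Usage: apply_mirror /etc/apt/sources.list ftp.us.debian.org ftp.jp.debian.org
apply_mirror() {
    cp "$1" "$1.bak"
    switch_mirror "$1.bak" "$2" "$3" > "$1"
}
```

Typical use: `mirror_hosts /etc/apt/sources.list` to see what is configured, `mirror_reachable ftp.jp.debian.org` to confirm the new mirror answers, then `apply_mirror` followed by `apt-get update`.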

Setup NTP Server and Sync Time with Client

I will show you how to set up an NTP server and sync your clients' time to it, for example when you want a working master/slave MySQL replication. Most replication and client/server services need the time to be synchronized and identical to make sure there is no duplicate or backdated data.

In this case we will use 2 servers. Variables as follows:

Server1 = 192.168.1.1
Client1 = 192.168.1.2

Now we set up the NTP server on Server1:

1. Install NTP via yum:

yum install ntp -y

2. Enable the NTP service to start automatically at boot:

chkconfig ntpd on

3. Open /etc/ntp.conf in a text editor and add the following line:

restrict 192.168.1.0 mask 255.255.255.0

4. Save the file and allow port 123 through the firewall in iptables:

iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

5. Start NTP service:

service ntpd start

Now we need to configure Client1 to sync its time with our NTP server. Log in to the client and proceed as follows:

1. Install NTP service:

yum install ntp -y

2. Sync the time with Server1:

ntpdate -u 192.168.1.1

3. Start the NTP service:

service ntpd start

4. Verify the synchronization with the date command:

date

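Comparing `date` on both machines only tells you they are roughly equal; it does not tell you that ntpd on Client1 has actually selected Server1 and is steering the clock. The script below is an added example, not from the original post: it parses the peer table printed by `ntpq -pn` (the `*` marks the selected peer, the offset column is in milliseconds) and fails when no peer is selected or the offset is above a threshold. The ntpq output it runs on is constructed; the 100 ms default threshold is my choice.

```shell
#!/bin/sh
# Verify that Client1 really synchronised with Server1 by reading the peer
# table of "ntpq -pn" rather than just looking at "date". Added example; not
# from the original post.

# Constructed sample of "ntpq -pn" on Client1 after ntpd has selected Server1
# ("*" marks the peer the clock is being steered to; offset is in ms).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.1     LOCAL(0)        11 u   34   64  377    0.312   -1.234   0.456
 127.127.1.0     .LOCL.          10 l   40   64  377    0.000    0.000   0.001'

write_sample_ntpq() {
    printf '%s\n' "$SAMPLE_NTPQ" > "$1"
}

# Print "<peer> <offset_ms>" for the selected peer. Exit 1 when no peer is
# selected or the offset exceeds $2 milliseconds (default 100).
ntp_sync_status() {
    awk -v limit="${2:-100}" '
        /^\*/ { peer = substr($1, 2); off = $9; found = 1 }
        END {
            if (!found) { print "no synchronised peer yet"; exit 1 }
            print peer, off
            if (off < 0) off = -off
            if (off > limit) exit 1
        }' "$1"
}

# Run the check against the live daemon (needs ntpq from the ntp package).
check_live_sync() {
    if ! command -v ntpq >/dev/null 2>&1; then
        echo "ntpq not found" >&2
        return 2
    fi
    f=$(mktemp)
    ntpq -pn > "$f"
    ntp_sync_status "$f" "$1"
    rc=$?
    rm -f "$f"
    return $rc
}

# Demo on the constructed sample.
f=$(mktemp)
write_sample_ntpq "$f"
ntp_sync_status "$f" || echo "clock not yet in sync"
rm -f "$f"
```

Right after `service ntpd start` the peer table usually shows no `*` for a few minutes, so `check_live_sync` is best run from cron or a monitoring check rather than immediately after step 3.
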
Installation – Standalone Spam Assassin Server

This is my way of installing a dedicated SpamAssassin server to be integrated with my internal mail server. This server is better run as a virtual machine, for easy deployment and because it does not need heavy resources (depending on how many spam processes you want it to run). In this case, we will use CentOS 5.5 64bit.

1. Install the required RPMs:

yum install -y db4 db4-devel gcc libstdc++ libstdc++-devel

2. Update the kernel and other packages:

yum update kernel
yum update

3. Reboot

4. Open the Perl CPAN shell and install the required Perl modules:

perl -MCPAN -e shell

(for first-time users, you might need to accept the default values if prompted)

install HTML::Parser
install NetAddr::IP
install Net::DNS::Resolver::Programmable
install Net::Ident
install Net::DNS
install DB_File
install Digest::SHA1
install Time::HiRes
install MIME::Base64
install Getopt::Long
install File::Copy
install Mail::SPF
install Mail::SPF::Query
install Mail::DKIM
install IP::Country
install IO::Socket::INET6
install IO::Socket::SSL
install Compress::Zlib
install LWP::UserAgent
install HTTP::Date
install Archive::Tar
install IO::Zlib
install Encode::Detect
install URI::Escape
