04 Sep 2017

First Steps After Getting a CentOS Server / VPS

In this tutorial, we will go through everything you need to do in order to set up your new CentOS Server.

Even though you can start using your server immediately, there are many additional things and tweaks you can do to get the most out of your new server and improve its security.

1. Connect to your VPS

The first thing you should do is to connect to your server via SSH. You will need to know the IP address and the SSH port of your server.
There are different ways to connect to your server, depending on the operating system you use.
For Windows, you can use a free open source application called PuTTY.
For Linux or Mac, you can use the Terminal.

2. Update your server

The next step, after successfully connecting to your server, is to update your server. On CentOS you can do this with the following command:

yum update

This will update the already installed packages on your system and install the latest security updates.
You should regularly update your server. Try to set up a reminder for yourself to do it at least once a month or optionally you can enable automatic updates, so you don’t have to do it manually.

3. Secure your server

Securing your server properly is one of the most important steps you need to do after getting a new VPS.
If you are a beginner and you are not familiar with CentOS servers, you can get a Managed CentOS Server from us and our expert Linux admins will secure the server for you.

Use strong passwords

No matter how many defensive mechanisms you use to secure your server, nothing can protect your server if you are using weak passwords.
So the most basic and simple way to secure your server is to use strong passwords.

Here are some general guidelines you should follow when creating a new password:
– make sure the password is at least 8 characters long
– use a combination of both lower and upper case letters
– use at least one number and/or special character (#, $, %, etc.)

Secure SSH Access

Usually, password authentication is used to connect remotely via SSH. You can harden your SSH access by using SSH keys instead.

Set up a firewall

One of the most important and crucial steps you can do to secure your server is configuring and setting up a firewall. You can check out our detailed guides on how to properly configure a firewall on your CentOS server using iptables or FirewallD.

In order to further protect your server from brute-force attacks, you can additionally install Fail2ban.

Next steps

From here, you can start using your server for any purpose you want.
You can set up a LAMP or LEMP stack and use it as a web server to host your websites.
You can set up a mail server.
You can set up an FTP server.
And many other things. You can check our blog and find many additional tutorials, tips, and tricks that you can use to further customize your server for your needs.

Of course, if you have a CentOS Server with us, you can simply ask our expert Linux admins to help you with anything you need. They are available 24×7 and will take care of your request immediately.

04 Sep 2017

How To Install Linux, Apache, MySQL, PHP (LAMP) stack On CentOS 7

Introduction

A “LAMP” stack is a group of open source software that is typically installed together to enable a server to host dynamic websites and web apps. This term is actually an acronym which represents the Linux operating system, with the Apache web server. The site data is stored in a MySQL database (using MariaDB), and dynamic content is processed by PHP.

In this guide, we’ll get a LAMP stack installed on a CentOS 7 Server / VPS. CentOS will fulfill our first requirement: a Linux operating system.

Step One — Install Apache

The Apache web server is currently the most popular web server in the world, which makes it a great default choice for hosting a website.

We can install Apache easily using CentOS’s package manager, yum. A package manager allows us to install most software pain-free from a repository maintained by CentOS.

For our purposes, we can get started by typing these commands:

sudo yum install httpd

Since we are using a sudo command, these operations get executed with root privileges. It will ask you for your regular user’s password to verify your intentions.

Afterwards, your web server is installed.

Once it installs, you can start Apache on your VPS:

sudo systemctl start httpd.service

You can do a spot check right away to verify that everything went as planned by visiting your server’s public IP address in your web browser (see the note under the next heading to find out what your public IP address is if you do not have this information already):

http://your_server_IP_address/

You will see the default CentOS 7 Apache web page, which is there for informational and testing purposes. It should look something like this:

CentOS 7 Apache default

If you see this page, then your web server is now correctly installed.

The last thing you will want to do is enable Apache to start on boot. Use the following command to do so:

sudo systemctl enable httpd.service

How To Find your Server’s Public IP Address

If you do not know what your server’s public IP address is, there are a number of ways you can find it. Usually, this is the address you use to connect to your server through SSH.

From the command line, you can find this a few ways. First, you can use the iproute2 tools to get your address by typing this:

ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

This will give you one or two lines back. They are both correct addresses, but your computer may only be able to use one of them, so feel free to try each one.

An alternative method is to use an outside party to tell you how it sees your server. You can do this by asking a specific server what your IP address is:

curl http://icanhazip.com

Regardless of the method you use to get your IP address, you can type it into your web browser’s address bar to get to your server.

Step Two — Install MySQL (MariaDB)

Now that we have our web server up and running, it is time to install MariaDB, a MySQL drop-in replacement. MariaDB is a community-developed fork of the MySQL relational database management system. Basically, it will organize and provide access to databases where our site can store information.

Again, we can use yum to acquire and install our software. This time, we’ll also install some other “helper” packages that will assist us in getting our components to communicate with each other:

sudo yum install mariadb-server mariadb

When the installation is complete, we need to start MariaDB with the following command:

sudo systemctl start mariadb

Now that our MySQL database is running, we want to run a simple security script that will remove some dangerous defaults and lock down access to our database system a little bit. Start the interactive script by running:

sudo mysql_secure_installation

The prompt will ask you for your current root password. Since you just installed MySQL, you most likely won’t have one, so leave it blank by pressing enter. Then the prompt will ask you if you want to set a root password. Go ahead and enter Y, and follow the instructions:

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.

New password: password
Re-enter new password: password
Password updated successfully!
Reloading privilege tables..
 ... Success!

For the rest of the questions, you should simply hit the “ENTER” key through each prompt to accept the default values. This will remove some sample users and databases, disable remote root logins, and load these new rules so that MySQL immediately respects the changes we have made.

The last thing you will want to do is enable MariaDB to start on boot. Use the following command to do so:

sudo systemctl enable mariadb.service

At this point, your database system is now set up and we can move on.

Step Three — Install PHP

PHP is the component of our setup that will process code to display dynamic content. It can run scripts, connect to our MySQL databases to get information, and hand the processed content over to our web server to display.

We can once again leverage the yum system to install our components. We’re going to include the php-mysql package as well:

sudo yum install php php-mysql

This should install PHP without any problems. We need to restart the Apache web server in order for it to work with PHP. You can do this by typing this:

sudo systemctl restart httpd.service

Install PHP Modules

To enhance the functionality of PHP, we can optionally install some additional modules.

To see the available options for PHP modules and libraries, you can type this into your system:

yum search php-

The results are all optional components that you can install. It will give you a short description for each:

php-bcmath.x86_64 : A module for PHP applications for using the bcmath library
php-cli.x86_64 : Command-line interface for PHP
php-common.x86_64 : Common files for PHP
php-dba.x86_64 : A database abstraction layer module for PHP applications
php-devel.x86_64 : Files needed for building PHP extensions
php-embedded.x86_64 : PHP library for embedding in applications
php-enchant.x86_64 : Enchant spelling extension for PHP applications
php-fpm.x86_64 : PHP FastCGI Process Manager
php-gd.x86_64 : A module for PHP applications for using the gd graphics library
. . .

To get more information about what each module does, you can either search the internet, or you can look at the long description in the package by typing:

yum info package_name

There will be a lot of output, with one field called Description which will have a longer explanation of the functionality that the module provides.

For example, to find out what the php-fpm module does, we could type this:

yum info php-fpm

Along with a large amount of other information, you’ll find something that looks like this:

. . .
Summary     : PHP FastCGI Process Manager
URL         : http://www.php.net/
License     : PHP and Zend and BSD
Description : PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI
            : implementation with some additional features useful for sites of
            : any size, especially busier sites.

If, after researching, you decide you would like to install a package, you can do so by using the yum install command like we have been doing for our other software.

If we decided that php-fpm is something that we need, we could type:

sudo yum install php-fpm

If you want to install more than one module, you can do that by listing each one, separated by a space, following the yum install command, like this:

sudo yum install package1 package2 ...

At this point, your LAMP stack is installed and configured. We should still test out our PHP though.

Step Four — Test PHP Processing on your Web Server

In order to test that our system is configured properly for PHP, we can create a very basic PHP script.

We will call this script info.php. In order for Apache to find the file and serve it correctly, it must be saved to a very specific directory, which is called the “web root”.

In CentOS 7, this directory is located at /var/www/html/. We can create the file at that location by typing:

sudo vi /var/www/html/info.php

This will open a blank file. We want to put the following text, which is valid PHP code, inside the file:

<?php phpinfo(); ?>

When you are finished, save and close the file.

If you are running a firewall, run the following commands to allow HTTP and HTTPS traffic:

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Now we can test whether our web server can correctly display content generated by a PHP script. To try this out, we just have to visit this page in our web browser. You’ll need your server’s public IP address again.

The address you want to visit will be:

http://your_server_IP_address/info.php

The page that you come to should look something like this:

Php Install on centos 7

This page basically gives you information about your server from the perspective of PHP. It is useful for debugging and to ensure that your settings are being applied correctly.

If this was successful, then your PHP is working as expected.

You probably want to remove this file after this test because it could actually give information about your server to unauthorized users. To do this, you can type this:

sudo rm /var/www/html/info.php

You can always recreate this page if you need to access the information again later.

04 Sep 2017

How To Install Linux, Apache, MySQL, PHP (LAMP) stack On CentOS 6

About LAMP

LAMP stack is a group of open source software used to get web servers up and running. The acronym stands for Linux, Apache, MySQL, and PHP. Since the server is already running CentOS, the Linux part is taken care of. Here is how to install the rest.

Step One—Install Apache

Apache is a free open source software which runs over 50% of the world’s web servers.

To install apache, open terminal and type in this command:

sudo yum install httpd

Once it installs, you can start apache running on your VPS:

sudo service httpd start

That’s it. To check if Apache is installed, direct your browser to your server’s IP address (e.g. http://192.168.0.1). The page should display the words “It works!”.

How to find your Server’s IP address

You can run the following command to reveal your server’s IP address.

ifconfig eth0 | grep inet | awk '{ print $2 }'

Step Two—Install MySQL

MySQL is a powerful database management system used for organizing and retrieving data on a virtual server.

To install MySQL, open terminal and type in these commands:

sudo yum install mysql-server
sudo service mysqld start

During the installation, MySQL will ask you for your permission twice. After you say Yes to both, MySQL will install.

Once it is done installing, you can set a root MySQL password:

sudo /usr/bin/mysql_secure_installation

The prompt will ask you for your current root password.

Since you just installed MySQL, you most likely won’t have one, so leave it blank by pressing enter.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Then the prompt will ask you if you want to set a root password. Go ahead and choose Y and follow the instructions.

CentOS automates the process of setting up MySQL, asking you a series of yes or no questions.

It’s easiest just to say Yes to all the options. At the end, MySQL will reload and implement the new changes.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y                                            
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

Step Three—Install PHP

PHP is an open source web scripting language that is widely used to build dynamic webpages.

To install PHP on your virtual private server, open terminal and type in this command:

sudo yum install php php-mysql

Once you answer yes to the PHP prompt, PHP will be installed.

PHP Modules

PHP also has a variety of useful libraries and modules that you can add onto your server. You can see the libraries that are available by typing:

yum search php-

Terminal then will display the list of possible modules. The beginning looks like this:

php-bcmath.x86_64 : A module for PHP applications for using the bcmath library
php-cli.x86_64 : Command-line interface for PHP
php-common.x86_64 : Common files for PHP
php-dba.x86_64 : A database abstraction layer module for PHP applications
php-devel.x86_64 : Files needed for building PHP extensions
php-embedded.x86_64 : PHP library for embedding in applications
php-enchant.x86_64 : Human Language and Character Encoding Support
php-gd.x86_64 : A module for PHP applications for using the gd graphics library
php-imap.x86_64 : A module for PHP applications that use IMAP

To see more details about what each module does, type the following command into terminal, replacing the name of the module with whatever library you want to learn about.

yum info name of the module

Once you decide to install the module, type:

sudo yum install name of the module

You can install multiple libraries at once by separating the name of each module with a space.

Congratulations! You now have LAMP stack on your droplet!

We should also set the processes to run automatically when the server boots (php will run automatically once Apache starts):

sudo chkconfig httpd on
sudo chkconfig mysqld on

Step Four—RESULTS: See PHP on your Server

Although LAMP is installed on your Dedicated / Virtual server, we can still take a look and see the components online by creating a quick PHP info page.

To set this up, first create a new file:

sudo nano /var/www/html/info.php

Add in the following line:

<?php
phpinfo();
?>

Then Save and Exit.

Restart apache so that all of the changes take effect on your virtual server:

sudo service httpd restart

Finish up by visiting your php info page (make sure you replace the example ip address with your correct one): http://192.168.0.1/info.php

30 Aug 2017

Toll Free sales and support

We are glad to announce our new Toll free number for sales and support  for our Indian customers.

Get in touch with us on

1800-121-4247

 

23 Aug 2017

How To Install Linux, nginx, MySQL, PHP (LEMP) stack on CentOS 6

About Lemp

LEMP stack is a group of open source software to get web servers up and running. The acronym stands for Linux, nginx (Engine x), MySQL, and PHP. Since the server is already running CentOS, the Linux part is taken care of. Here is how to install the rest.

Step One—Install the Required Repositories

We will be installing all of the required software with Yum. However, because nginx is not available straight from CentOS, we’ll need to install the epel repository.

sudo yum install epel-release

Step Two—Install MySQL

The next step is to begin installing the server software on the virtual private server, starting with MySQL and dependencies.

sudo yum install mysql-server

Once the download is complete, restart MySQL:

sudo /etc/init.d/mysqld restart

You can do some configuration of MySQL with this command:

sudo /usr/bin/mysql_secure_installation

The prompt will ask you for your current root password.

Since you just installed MySQL, you most likely won’t have one, so leave it blank by pressing enter.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Then the prompt will ask you if you want to set a root password. Go ahead and choose Y and follow the instructions.

CentOS automates the process of setting up MySQL, asking you a series of yes or no questions.

It’s easiest just to say Yes to all the options. At the end, MySQL will reload and implement the changes.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y                                            
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

Step Three—Install nginx

As with MySQL, we will install nginx on our virtual private server using yum:

sudo yum install nginx

nginx does not start on its own. To get nginx running, type:

sudo /etc/init.d/nginx start

You can confirm that nginx has installed on your virtual private server by directing your browser to your IP address.

You can run the following command to reveal your server’s IP address.

ifconfig eth0 | grep inet | awk '{ print $2 }'

Step Four—Install PHP

The php-fpm package is located within the REMI repository, which, at this point, is disabled. The first thing we need to do is enable the REMI repository and install php and php-fpm:

sudo yum install php-fpm php-mysql

Step Five—Configure php

We need to make one small change in the php configuration. Open up php.ini:

sudo vi /etc/php.ini

Find the line, cgi.fix_pathinfo=1, and change the 1 to 0.

cgi.fix_pathinfo=0

If this number is kept as a 1, the php interpreter will do its best to process the file that is as near to the requested file as possible. This is a possible security risk. If this number is set to 0, conversely, the interpreter will only process the exact file path—a much safer alternative. Save and Exit.
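
A quick way to confirm the change took effect, as an added example that is not part of the original tutorial: the script below reports the cgi.fix_pathinfo value PHP will actually use, including the case where the directive is still commented out with a leading semicolon and PHP falls back to its default of 1. The function names and the sample php.ini fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: which cgi.fix_pathinfo value will PHP really use?

# effective_fix_pathinfo FILE
# Prints the effective value found in a php.ini file.
#  - lines beginning with ';' are comments and are ignored
#  - the last uncommented assignment wins
#  - if there is none, PHP's built-in default (1) applies
effective_fix_pathinfo() {
    awk '
        BEGIN { val = "1" }
        /^[ \t]*;/ { next }                  # whole-line comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)      # strip a trailing comment
            n = index(line, "=")
            if (n == 0) next                 # section header or blank line
            key = substr(line, 1, n - 1)
            v   = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
            if (key == "cgi.fix_pathinfo") val = v
        }
        END { print val }
    ' "$1"
}

# check_fix_pathinfo FILE
# Prints "ok" when the setting is clearly switched off, "risky" otherwise.
# Anything that is not an explicit off value is reported, to stay on the
# safe side.
check_fix_pathinfo() {
    v=$(effective_fix_pathinfo "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        0|off|false|no|none) echo ok ;;
        *) echo risky ;;
    esac
}

# Constructed sample files (not taken from a real server).
demo_fix_pathinfo() {
    d=$(mktemp -d) || return 1
    printf '[PHP]\n;cgi.fix_pathinfo=1\n' > "$d/untouched.ini"
    printf '[PHP]\n;cgi.fix_pathinfo=0\n' > "$d/edited-but-commented.ini"
    printf '[PHP]\n;cgi.fix_pathinfo=1\ncgi.fix_pathinfo = 0 ; hardened\n' > "$d/fixed.ini"
    for f in untouched edited-but-commented fixed; do
        printf '%-22s value=%s -> %s\n' "$f" \
            "$(effective_fix_pathinfo "$d/$f.ini")" \
            "$(check_fix_pathinfo "$d/$f.ini")"
    done
    rm -rf "$d"
}

demo_fix_pathinfo
```

On the server itself, run check_fix_pathinfo /etc/php.ini after editing the file and before restarting php-fpm.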

Step Six—Configure nginx

Open up the default nginx config file:

sudo vi /etc/nginx/nginx.conf

Raise the number of worker processes to 4 then save and exit that file.

Now we should configure the nginx virtual hosts.

In order to make the default nginx file more concise, the virtual host details are in a different location.

sudo vi /etc/nginx/conf.d/default.conf

The configuration should include the changes below (the details of the changes are under the config information):

#
# The default server
#
server {
    listen       80;
    server_name example.com;

   
    location / {
        root   /usr/share/nginx/html;
        index index.php  index.html index.htm;
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Here are the details of the changes:

  • Add index.php within the index line.
  • Change the server_name to your domain name or IP address (replace the example.com in the configuration)
  • Change the root to /usr/share/nginx/html;
  • Uncomment the section beginning with “location ~ \.php$ {”,
  • Change the root to access the actual document root, /usr/share/nginx/html;
  • Change the fastcgi_param line to help the PHP interpreter find the PHP script that we stored in the document root home.

Save and Exit

Open up the php-fpm configuration:

sudo vi /etc/php-fpm.d/www.conf

Replace the apache in the user and group with nginx:

[...]
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;	will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx
[...]

Finish by restarting php-fpm.

sudo service php-fpm restart

Step Seven—RESULTS: Create a php info page

Although LEMP is installed, we can still take a look and see the components online by creating a quick PHP info page.

To set this up, first create a new file:

sudo vi /usr/share/nginx/html/info.php

Add in the following line:

<?php
phpinfo();
?>

Then Save and Exit.

Restart nginx so that all of the changes take effect:

sudo service nginx restart

Finish up by visiting your php info page (make sure you replace the example ip address with your correct one): http://192.168.0.25/info.php

Step Eight—Set Up Autostart

You are almost done. The last step is to set all of the newly installed programs to automatically begin when the VPS boots.

sudo chkconfig --levels 235 mysqld on
sudo chkconfig --levels 235 nginx on
sudo chkconfig --levels 235 php-fpm on
23 Aug 2017

How to secure your LAMP server

The LAMP stack, which stands for Linux, Apache, MySQL/MariaDB and PHP/Python/Perl, is a very popular combination of free and open-source software used to run millions of websites today. Although many opt for the more efficient LEMP stack based on Nginx instead of Apache, there are still a significant number of users who choose LAMP for their projects. In fact, more than 30% of the active websites today run on top of LAMP. The stack is considered reliable and well suited to running high-performance, high-availability web applications. In this tutorial we are going to show you how to secure the LAMP stack on your Linux Dedicated Server.

Secure Linux

Enable automatic updates

Because the LAMP stack is built on Linux and the whole open-source community works on improvements, it is generally considered secure. On an Ubuntu server, security updates and patches can be installed automatically and unattended as soon as they become available in the Ubuntu repositories, so if you are concerned about security, configure your system to install security updates automatically. If this feature is not enabled on your server and you are not installing the latest upgrades and patches manually, you are putting your server at risk of being exploited.

To enable automatic unattended upgrades you should install the unattended-upgrades package.

sudo apt-get install unattended-upgrades

To configure which categories of packages are upgraded automatically, edit the /etc/apt/apt.conf.d/50unattended-upgrades file.

Configure firewall

Having a properly configured firewall is another thing that is very important for the overall security. ufw is the default firewall configuration tool for Ubuntu and it is initially disabled. To enable ufw you can use:

sudo ufw enable

Enable access to the basic services like OpenSSH and Apache:

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

Enabling access to other services is pretty easy. Just replace the port number in the examples above with the port number of the service which you want to enable access to and that’s it. The firewall rules will be active even after system reboot.

Disable unused services

If you have active services which you are not using, you can simply disable them. For example, if you have a service like Dovecot up and running on your server and you are not using it at all, stop and disable the service using the following commands:

sudo systemctl stop dovecot.service
sudo systemctl disable dovecot.service

Install Fail2ban

Fail2ban is a service which scans log files for too many login failures and blocks IP addresses that show malicious signs. This service is very useful if you are not using two-factor or public/private key authentication on services like OpenSSH. To install Fail2ban, run this command:

sudo apt-get install fail2ban

Create a copy of the default configuration file so you can safely make changes without them being overwritten by system upgrades:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file:

sudo nano /etc/fail2ban/jail.local

The [sshd] block should look like the following one:

[sshd]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime = 600

Save the file and restart Fail2ban for the changes to take effect:

sudo systemctl restart fail2ban.service

Enable Fail2ban on system boot:

sudo systemctl enable fail2ban.service
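
To see what maxretry = 5 means in practice, here is an added example (not part of the original tutorial and not Fail2ban's own code) that counts failed SSH password attempts per source IP in auth.log-style lines and lists the addresses that reach the threshold. The log lines and function names are constructed for illustration, and the count runs over the whole input, without Fail2ban's findtime window.

```shell
#!/bin/sh
# Added example: approximate the failure counting behind "maxretry".

# would_ban MAXRETRY   (auth.log lines on stdin)
# Prints "IP COUNT" for every source address whose number of failed
# sshd password attempts is at least MAXRETRY.
would_ban() {
    awk -v max="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client and may itself be the
            # word "from", so search from the end of the line for the
            # "from <ip> port <n>" triple that sshd appends.
            for (i = NF - 2; i >= 1; i--)
                if ($i == "from" && $(i + 2) == "port") {
                    fails[$(i + 1)]++
                    break
                }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print ip, fails[ip]
        }
    ' | sort
}

# Constructed sample log (documentation IP ranges, made-up host and PIDs).
sample_auth_log() {
    cat <<'EOF'
Sep  4 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40101 ssh2
Sep  4 10:00:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40101 ssh2
Sep  4 10:00:06 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40117 ssh2
Sep  4 10:00:09 web1 sshd[2105]: Failed password for invalid user from from 203.0.113.7 port 40122 ssh2
Sep  4 10:00:12 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40130 ssh2
Sep  4 10:02:40 web1 sshd[2120]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Sep  4 10:02:49 web1 sshd[2120]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Sep  4 10:02:55 web1 sshd[2120]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Sep  4 10:05:00 web1 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

echo "Addresses reaching maxretry = 5:"
sample_auth_log | would_ban 5
```

On a live server, feed it the real log instead: sudo cat /var/log/auth.log | would_ban 5. The addresses Fail2ban has actually banned are shown by sudo fail2ban-client status sshd.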

Secure Apache

Hide Apache sensitive information

The default Apache configuration exposes a lot of sensitive information which can be used against the service. Hiding this information is crucial, so go ahead and create a configuration file for your new settings:

sudo nano /etc/apache2/conf-available/custom.conf

Paste the following content:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None

Enable the headers Apache module if it is not already enabled:

sudo a2enmod headers

Enable the configuration:

sudo a2enconf custom.conf

Restart Apache for the changes to take effect:

sudo systemctl restart apache2.service
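
An added example, not part of the original tutorial: the function below reads HTTP response headers and reports the ones the settings above are meant to hide (a detailed Server banner, X-Powered-By and ETag). The two header sets are constructed samples of a response before and after the change, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report response headers that disclose server details.

# audit_headers   (raw HTTP response headers on stdin)
# Prints one line per finding; prints nothing when the response is clean.
audit_headers() {
    tr -d '\r' | awk '
        {
            p = index($0, ":")
            if (p == 0) next                  # status line or blank line
            name = tolower(substr($0, 1, p - 1))
            val  = substr($0, p + 1)
            sub(/^[ \t]+/, "", val)
            # With "ServerTokens Prod" the banner is only the product name;
            # a slash, parenthesis or digit means version or OS details.
            if (name == "server" && val ~ "[/(0-9]")
                print "Server banner discloses details: " val
            if (name == "x-powered-by")
                print "X-Powered-By is present: " val
            if (name == "etag")
                print "ETag is present: " val
        }
    '
}

# Constructed sample: a response before custom.conf is enabled.
headers_before() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 10:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: PHP/7.0.22
ETag: "2c39-5585e0a1b3c40"
Content-Type: text/html; charset=UTF-8
EOF
}

# Constructed sample: the same response after the change.
headers_after() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 10:05:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
}

echo "before:"
headers_before | audit_headers
echo "after (no findings expected):"
headers_after | audit_headers
```

To check your own server after the restart, pipe the real headers in: curl -sI http://your_server_IP_address/ | audit_headers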

Install and enable mod_security

Mod_security is a web application firewall (WAF) which can be installed as an additional module for Apache. It can be used to protect the web server from numerous attacks like SQL injections, session hijacking, cross site scripting, bad user agents and many others. To install and enable mod_security run the commands below:

sudo apt-get install libapache2-modsecurity
sudo a2enmod security2

Once it is installed you should configure the module and enable the OWASP ModSecurity Core Rule Set (CRS).

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Then, open the /etc/modsecurity/modsecurity.conf file and edit/add the following settings:

SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144

Save and close the file. Remove the current CRS and download the OWASP CRS by using the following commands:

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf

Edit the /etc/apache2/mods-enabled/security2.conf file. It should look like the one below:

<IfModule security2_module>
	SecDataDir /var/cache/modsecurity
	IncludeOptional /etc/modsecurity/*.conf
	IncludeOptional "/usr/share/modsecurity-crs/*.conf"
	IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>

Finally, restart Apache for the changes to take effect:

sudo systemctl restart apache2.service

Install and enable mod_evasive

Mod_evasive is an Apache module which can be used to protect the web server from DoS (Denial of Service), DDoS (Distributed Denial of Service) and brute-force attacks. To install mod_evasive on your server, run this command:

sudo apt-get install libapache2-mod-evasive

Open the default configuration file /etc/apache2/mods-enabled/evasive.conf and edit the settings to look like those below:

<IfModule mod_evasive20.c>
	DOSPageCount        5
	DOSSiteCount        50
	DOSPageInterval     1
	DOSSiteInterval     1
	DOSBlockingPeriod   600
	DOSLogDir           "/var/log/mod_evasive"
</IfModule>

Save and close the file. Create a directory for the log files:

sudo mkdir /var/log/mod_evasive
sudo chown -R www-data: /var/log/mod_evasive

Restart Apache:

sudo systemctl restart apache2.service

Secure MySQL

Secure the MySQL server deployment

The first thing you need to do to secure the MySQL service is to run the mysql_secure_installation script.

sudo mysql_secure_installation

The script will help you perform important security tasks like setting the root password, disabling remote root login, removing anonymous users, etc.

Disable remote MySQL access

If you don’t perform remote operations over your MySQL server then disabling the remote access to the service is a very important thing to do. You can do this by editing the /etc/mysql/mysql.conf.d/mysqld.cnf file and changing the bind-address to 127.0.0.1.

bind-address = 127.0.0.1

Restart the service for the changes to take effect.

sudo systemctl restart mysql.service

Create separate MySQL users

Another thing you need to consider is creating separate MySQL users for each database and application.

Log in to MySQL as root:

mysql -u root -p

You can create a MySQL database and grant all privileges on it to a new user using the following commands:

mysql> CREATE DATABASE new_db;
mysql> GRANT ALL PRIVILEGES on new_db.* to 'new_user'@'localhost' identified by 'PaSsW0rD';
mysql> FLUSH PRIVILEGES;
mysql> EXIT

Then, you can use the newly created database and user for your application.

Disable LOCAL INFILE

If you don’t use LOCAL INFILE, it is a good idea to disable it. Again, edit the MySQL configuration file and add the following line under the [mysqld] block:

local-infile=0

Restart the MySQL service for the changes to take effect.

Secure PHP

If you performed the steps above, your server should be already secure. The last part of securing the LAMP server is securing PHP, which is a pretty straightforward process. Find the location of your PHP ini file:

php --ini | grep "Loaded Configuration File"

All of the changes below are made in this file.

Hide PHP basic information

The first step is to hide the information provided by PHP which some attackers may find useful. Open the php.ini file and change the settings to match the following:

expose_php = Off
display_errors = Off
mail.add_x_header = Off

Save the file and restart Apache:

sudo systemctl restart apache2.service

Disable dangerous PHP functions

The disable_functions directive allows you to disable some functions that could be harmful to your system. Edit the directive in your php.ini file to match the following:

disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,curl_exec,curl_multi_exec

While you are here, stop PHP from opening or including remote code over URLs by using the following settings:

allow_url_fopen=Off
allow_url_include=Off

Restrict file uploads

If you don’t use file uploading features it is totally safe to restrict the file uploads in PHP. Open the php.ini file and set the following setting:

file_uploads=Off

In case you are using file uploading features you can set the following:

file_uploads=On
upload_max_filesize=1M

where upload_max_filesize is the upload size limit.

Restart Apache after making these changes.

Set maximum execution time

Again, edit the php.ini file and change the following settings:

max_execution_time = 30
max_input_time = 30
memory_limit = 40M

This sets the maximum time in seconds a script is allowed to run or parse input data, as well as the maximum amount of memory that a script is allowed to allocate.

Enable open_basedir

The open_basedir directive allows you to set the location from which PHP is allowed to access files. Edit the php.ini file and set the correct location to match your current configuration:

open_basedir="/path/to/the/directory/"

Don’t forget to restart Apache so the changes can take effect.
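To confirm that the MySQL settings (bind-address, local-infile) and the PHP settings above are really active in the files you edited, a small audit script helps. The following is an added example, not part of the original tutorial; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: audit ini-style config files against this guide's values.

# ini_value FILE KEY: print the last uncommented value assigned to KEY.
# '-' and '_' in key names are treated as equal, as MySQL option files do.
ini_value() {
    awk -v want="$2" '
        BEGIN { gsub(/-/, "_", want) }
        /^[ \t]*[;#]/ { next }
        { eq = index($0, "="); if (!eq) next
          key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
          gsub(/^[ \t"]+|[ \t\r"]+$/, "", val)
          if (key == want) found = val }
        END { print found }' "$1"
}

# norm VALUE: fold the boolean spellings PHP and MySQL accept into on/off.
norm() {
    case $(printf %s "$1" | tr 'A-Z' 'a-z') in
        off|0|false|no) echo off ;;
        on|1|true|yes)  echo on ;;
        *)              printf '%s\n' "$1" ;;
    esac
}

# audit FILE key=expected ...: print one DEVIATION line per mismatch.
audit() {
    file=$1; shift
    for rule in "$@"; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(ini_value "$file" "$key")
        [ "$(norm "$got")" = "$(norm "$want")" ] ||
            echo "DEVIATION $file: $key is '${got:-unset}', guide says '$want'"
    done
}

# Constructed sample files (not taken from a real server).
SAMPLES=$(mktemp -d)
printf '%s\n' '; sample php.ini' 'expose_php = On' 'display_errors = Off' \
    ';allow_url_include = Off' 'allow_url_fopen = 0' 'file_uploads = Off' \
    > "$SAMPLES/php.ini"
printf '%s\n' '[mysqld]' 'bind_address = 0.0.0.0' 'local-infile = 0' \
    > "$SAMPLES/mysqld.cnf"

audit "$SAMPLES/php.ini" expose_php=Off display_errors=Off \
    allow_url_fopen=Off allow_url_include=Off file_uploads=Off
audit "$SAMPLES/mysqld.cnf" bind-address=127.0.0.1 local-infile=0
```

On a real server, point audit at the file reported by php --ini and at /etc/mysql/mysql.conf.d/mysqld.cnf. Settings in additional scanned .ini files or per-virtual-host overrides can still change the effective PHP values, so treat a clean result as a check of that one file only.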

Of course, if you are one of our Linux Dedicated Server Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will secure your LAMP server for you immediately.

21 Aug 2017

CCavenue Payment Gateway – Addition

Dear Customers,

For ease of use, a new payment gateway from CCavenue has been made available for all payments.

To use the gateway please select “Credit Cards” from the payment options dropdown.

If you require any assistance with the same please raise a ticket from the Customer Hub: https://www.webdios.com/hub/

19 Dec 2016

Adding Secondary / Additional IP Addresses (CentOS/RHEL)


There are plenty of reasons you would need to add secondary / additional IP addresses (and everyone agrees that SEO is not one of them). Getting a secondary IP address is a simple process if it is done for the right reasons and done correctly on CentOS. You do NOT need additional NIC cards but you will be creating virtual adapters as the secondary IP will be routing through the primary IP.

Also, this is a great thing to do at home as I’ve done it to run multiple internal IP addresses on one server to run multiple applications across the same ports (for KISS** sake). Please note that I am doing this in a virtual testing environment so your settings will definitely be different.

** KISS = Keep It Stupid Simple **

You will need to be the root user and navigate to your /etc/sysconfig/network-scripts

# cd /etc/sysconfig/network-scripts

When getting a list of files in the directory you will see “ifcfg-eth0” (or eth1 if you’re doing it for a different adapter)

# ls -l | grep ifcfg-eth
-rw-r--r-- 1 root root   119 Jan 11 19:16 ifcfg-eth0
-rw-r--r-- 1 root root   119 Jan  3 08:45 ifcfg-eth0.bak
-rw-r--r-- 1 root root   119 Feb 24 04:34 ifcfg-eth1
-rw-r--r-- 1 root root   128 Jan 19 18:20 ifcfg-eth1.bak

Now adding the virtual adapters is easy. Basically if the main adapter is called “eth0” you have to call the next (virtual) adapter in a sequential order like so:

  • ifcfg-eth0 (primary adapter, physical)
  • ifcfg-eth0:1 (first virtual adapter to the physical primary adapter)
  • ifcfg-eth0:2 (second virtual adapter to the physical primary adapter)
  • and so on…

That being said, let’s go ahead and copy our primary adapter configuration file and name it to be the first virtual adapter for the physical primary:

# cp ifcfg-eth0 ifcfg-eth0:1
# ls -l | grep ifcfg-eth
-rw-r--r-- 1 root root   119 Jan 11 19:16 ifcfg-eth0
-rw-r--r-- 1 root root   119 Feb 24 08:53 ifcfg-eth0:1
-rw-r--r-- 1 root root   119 Jan  3 08:45 ifcfg-eth0.bak
-rw-r--r-- 1 root root   119 Feb 24 04:34 ifcfg-eth1
-rw-r--r-- 1 root root   128 Jan 19 18:20 ifcfg-eth1.bak

Now, we have to configure this virtual adapter to be: a static IP (of course), no hardware address (MAC), configure netmask and of course rename the device.

# vim ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.1.1.2
NETMASK=255.255.255.0

There is no need to specify a MAC address as it is a virtual adapter and there is also no need to specify a default gateway as it is already routed through the primary adapter. Basically there are only four things that you will need to change:

  • File name for the adapter itself
  • DEVICE=<device name> (should correspond with the file name)
  • IPADDR=<ip address>
  • NETMASK=<netmask>

Afterwards, just restart the networking service:

# service network restart

That’s it; let’s check ifconfig to make sure the virtual adapter is there and working:

# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 08:00:27:ED:05:B7
inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.073 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.029 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=64 time=0.029 ms
--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.029/0.043/0.073/0.018 ms
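Because the alias file starts life as a copy of the primary adapter's file, it is easy to restart networking with leftovers from the primary still in it. The lint below is an added example, not part of the original post; the function names and the sample directory are made up, and every address other than 10.1.1.2 is constructed.

```shell
#!/bin/sh
# Added example: lint an alias file created with "cp ifcfg-eth0 ifcfg-eth0:1".

# cfg_get FILE KEY: last value assigned to KEY, quotes stripped.
cfg_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"\r'; }

# lint_alias FILE: print one line per finding, return 1 if there are any.
lint_alias() {
    f=$1; name=${f##*/}; dev=${name#ifcfg-}; rc=0
    parent=${f%/*}/ifcfg-${dev%%:*}
    case $dev in
        *:*) ;;
        *) echo "$name: file name has no :N alias suffix"; return 1 ;;
    esac
    if [ "$(cfg_get "$f" DEVICE)" != "$dev" ]; then
        echo "$name: DEVICE=$(cfg_get "$f" DEVICE), expected $dev"; rc=1
    fi
    for k in IPADDR NETMASK; do
        [ -n "$(cfg_get "$f" "$k")" ] || { echo "$name: $k is missing"; rc=1; }
    done
    for k in HWADDR GATEWAY; do
        [ -z "$(cfg_get "$f" "$k")" ] ||
            { echo "$name: $k copied from the primary, not needed here"; rc=1; }
    done
    ip=$(cfg_get "$f" IPADDR)
    if [ -n "$ip" ] && [ -f "$parent" ] &&
       [ "$ip" = "$(cfg_get "$parent" IPADDR)" ]; then
        echo "$name: IPADDR is the same as in ${parent##*/}"; rc=1
    fi
    return "$rc"
}

# Constructed sample directory standing in for network-scripts.
ALIAS_DIR=$(mktemp -d)
printf '%s\n' DEVICE=eth0 BOOTPROTO=static ONBOOT=yes HWADDR=08:00:27:ED:05:B7 \
    IPADDR=10.1.1.1 NETMASK=255.255.255.0 GATEWAY=10.1.1.254 \
    > "$ALIAS_DIR/ifcfg-eth0"
cp "$ALIAS_DIR/ifcfg-eth0" "$ALIAS_DIR/ifcfg-eth0:2"   # copy left unedited
printf '%s\n' DEVICE=eth0:1 BOOTPROTO=static ONBOOT=yes IPADDR=10.1.1.2 \
    NETMASK=255.255.255.0 > "$ALIAS_DIR/ifcfg-eth0:1"  # edited as in the post

lint_alias "$ALIAS_DIR/ifcfg-eth0:1" && echo "ifcfg-eth0:1 OK"
lint_alias "$ALIAS_DIR/ifcfg-eth0:2" || echo "ifcfg-eth0:2 needs editing"
```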

 


© 2016 WebDios Technologies - www.webdios.com. All rights reserved.
