Difference between revisions of "CentOS VPS Server Setup Tips"

From PeTechWiki
Jump to navigationJump to search
m
 
(36 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Useful Linux Tutorials and Handbooks ==
+
Here are some tips I found useful for setting up virtual private servers with CentOS.
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialInitProcess.html Linux Init Process and PC Boot Procedure]
+
See more pages in [[:Category:Linux]].
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html Linux Network Configuration]
 
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialSysAdmin.html Linux System Administration and Configuration]
 
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialRedHatInstallation.html Linux Tutorial - Fedora Core and Red Hat Linux CD Installation, Version Upgrade, Configuration and Basic Administration]
 
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialWebSiteConfig.html Linux Web Server and Domain Configuration Tutorial]
 
* [http://www.yolinux.com/TUTORIALS/unix_for_dos_users.html Linux-UNIX For DOS Users]
 
* [http://www.freeos.com/guides/lsst/ Linux Shell Scripting Tutorial - A Beginner's handbook]
 
  
== Set timezone using /etc/localtime configuration file [any Linux distro] ==
+
== Installing Webmin ==
 +
If you are using the RPM version of Webmin, first download the file from the [http://www.webmin.com/download.html downloads page], or run the command:
 +
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.580-1.noarch.rpm
 +
and then run the command:
 +
rpm -U webmin-1.580-1.noarch.rpm
 +
The rest of the install will be done automatically to the directory <code>/usr/libexec/webmin</code>, the administration username set to <code>root</code> and the password to your current root password. You should now be able to login to Webmin at the URL http://localhost:10000/. Or if accessing it remotely, replace localhost with your system's IP address.
 +
 
 +
Reference: [http://www.webmin.com/rpm.html Webmin - Installing the RPM]
 +
 
 +
=== Webmin Error: Perl module Authen::PAM needed for PAM is not installed ===
 +
 
 +
If you guys are getting this error on your Webmin log file /var/webmin/miniserv.error here’s how I solved the problem.
 +
miniserv.pl started
 +
Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib64/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl /usr/lib/perl5/site_perl .) at (eval 10) line 1.
 +
BEGIN failed--compilation aborted at (eval 10) line 1.
 +
First off go to http://nik.pelov.name/Authen-PAM/ and download the latest Authen::PAM. At the time of this writing, the lastest one was Authen-PAM-0.16.
 +
 
 +
Log in as root.
 +
cd /tmp
 +
wget http://www.perl.com/CPAN/authors/id/N/NI/NIKIP/Authen-PAM-0.16.tar.gz
 +
Next step would be extracting the contents of Authen-PAM-0.16.tar.gz.
 +
tar xvzf Authen-PAM-0.16.tar.gz
 +
After that, go to Authen-PAM-0.16 which is the directory that is created once you’ve extracted the contents of Authen-PAM-0.16.tar.gz.
 +
cd Authen-PAM-0.16
 +
We’ll then generate a make file.<br>''Note: You must have '''gcc''' and '''pam-devel''' installed to generate the make file.'' --[[User:J|Jeremy]] ([[User talk:J|talk]]) 22:41, 30 June 2012 (EDT)
 +
perl Makefile.PL
 +
If it returned no errors we can then proceed to executing the following commands.
 +
make
 +
make install
 +
After that everything should be fine now. To check whether the module has been loaded or not do the following command.
 +
perl -e 'use Authen::PAM; print "Installation succestul.\n"'
 +
After that restart Webmin.
 +
service webmin restart
 +
If you look at your /var/webmin/miniserv.error this is what you should see if everything worked out fine.
 +
restarting miniserv
 +
Restarting
 +
miniserv.pl started
 +
PAM authentication enabled
 +
 
 +
Reference: http://rodoabad.joinpgn.com/2008/10/13/webmin-error-perl-module-authenpam-needed-for-pam-is-not-installed/
 +
 
 +
== Set timezone using /etc/localtime configuration file ==
 
Often /etc/localtime is a symlink to the file localtime or to the correct time zone file in the system time zone directory.
 
Often /etc/localtime is a symlink to the file localtime or to the correct time zone file in the system time zone directory.
  
Line 28: Line 63:
 
Reference: [http://www.cyberciti.biz/faq/howto-linux-unix-change-setup-timezone-tz-variable/ Howto: Linux server change or setup the timezone]
 
Reference: [http://www.cyberciti.biz/faq/howto-linux-unix-change-setup-timezone-tz-variable/ Howto: Linux server change or setup the timezone]
  
== How to install mcrypt for PHP 5.3.3 on CentOS ==
+
All you need to do is:
+
== Creating a Swap File ==
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
+
# Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536.
yum install php53-mcrypt
+
# At a shell prompt as root, type the following command with count being equal to the desired block size:<br><code>dd if=/dev/zero of=/swapfile bs=1024 count=65536</code>
The EPEL repo contains more, and more upgraded packages to compliment the default repository.
+
# Setup the swap file with the command:<br><code>mkswap /swapfile</code>
 +
# To enable the swap file immediately but not automatically at boot time:<br><code>swapon /swapfile</code>
 +
# To enable it at boot time, edit /etc/fstab to include the following entry:<br><code>/swapfile swap swap defaults 0 0</code><br>The next time the system boots, it enables the new swap file.
 +
# After adding the new swap file and enabling it, verify it is enabled by viewing the output of the command<br><code>cat /proc/swaps</code> or <code>free</code>.
 +
Reference: [http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-swap-creating-file.html Creating a Swap File]
  
Reference: [http://serverfault.com/questions/354871/how-to-install-mcrypt-for-php-5-3-3-on-centos-5-7-64-bit How to install mcrypt for PHP 5.3.3 on CentOS 5.7 64 bit?]
+
== iptables Setup ==
 +
[root@vps1 ~]# iptables -L -n -v
  
== suEXEC the CGI wrapper ==
+
Chain INPUT (policy DROP 0 packets, 0 bytes)
A CGI wrapper is a system that executes scripts in a safe and controlled fashion. It also allows scripts to be executed as the same user and group of the virtual host. This allows scripts to have proper permission to execute and use the users directory tree. It also stops scripts from effecting folders the owner shouldn't have access to.
+
  pkts bytes target    prot opt in     out    source              destination       
 +
  842 5263K ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
 +
    48  2952 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0         
 +
30301 8344K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
 +
    7  364 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22
 +
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:20
 +
    13  676 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:21
 +
  1231 64828 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80
 +
    9  464 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443
 +
    6  240 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:3306
 +
    1    48 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:25
 +
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:465
 +
    0    0            tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:587
 +
    0    0            tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:143
 +
    62  3224 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:993
 +
  502 22432 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
  
=== Setting up suEXEC ===
+
  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
suEXEC can be difficult to setup, it depends on whether you compiled apache yourself, or whether it came with your distribution. Your distribution may have configured suEXEC correctly for you, in which case you'll just need to enable it. You can check your suEXEC settings with the command:-
+
  pkts bytes target    prot opt in    out    source              destination       
  suexec -V
 
In our example we are running RedHat 9, which comes with Apache 2 by default, however suEXEC is not configured properly by default so you need to recompile suEXEC (not the whole of apache) with the correct settings to get it working. Here is our quick guide.
 
  
# Check your suEXEC settings<br><code>suexec -V</code>
+
Chain OUTPUT (policy ACCEPT 41521 packets, 36M bytes)
# The interesting bit of info is AP_DOC_ROOT. Default is "/var/www". If this isn't the same as the directory where your site files are ("/home" for RH9) you're going to need to recompile it. If it is the same then you're lucky! You can skip to step 15.
+
  pkts bytes target    prot opt in     out    source              destination     
# Download and decompress the source RPM for httpd.
 
# Navigate to the "support" sub folder of the httpd source directory (such as "/usr/src/redhat/SOURCES/httpd-2.0.40/support/")
 
# Edit the file "suexec.h" and change the lines:-
 
# <code>#define AP_DOC_ROOT "/var/www"</code><br>to the location of your site files such as:-<br><code>#define AP_DOC_ROOT "/home"</code>
 
# <code>#define AP_HTTPD_USER "apache"</code><br>to the user you have set for apache
 
# <code>#define AP_LOG_EXEC "/some/long/thing/I've/forgot/suexec.log"</code><br>to something sensible like:-<br><code>#define AP_LOG_EXEC "/var/log/httpd/suexec.log"</code>
 
# Now you'll need to configure the apache source:-<br><code>./configure --prefix=/usr/local/apache2</code>
 
# Now:-<br><code>make</code>
 
# And Now:-<br><code>make suexec</code>
 
# Now replace your old suexec executable with your new one, backing up the old one first:-<br><code>cd /usr/sbin<br>mv suexec suexec.bak<br>cp /usr/src/redhat/SOURCES/httpd-2.0.40/support/suexec suexec</code>
 
# Don't forget to change the group and owner to the same as the old suexec file!!!<br><code>ls -l suexec<br>chgrp apache suexec<br>chown apache suexec</code>
 
# Now make executable:-<br><code>chmod 4510 suexec</code>
 
# Ok that's suexec ready to go. Now open httpd.conf (make a backup first) and add the line:-<br><code>LoadModule suexec_module modules/mod_suexec.so</code>
 
# Now suexec is in use you can define the user and group that scripts should be executed as for each VirtualHost. In the following examples username and groupname should be swapped with the actual user and group you wan to use. This should be the same as the owner and group of that VirtualHost.<br>In Apache 2:-<br><code><VirtualHost 111.111.111.111:80><br>...<br>SuexecUserGroup username groupname<br>...<br></VirtualHost></code>
 
# Restart apache and away you go!
 
  
Reference: [http://www.cosmicscripts.com/servers/suexec.html Setting up suEXEC - CosmicScripts.com]
+
References:<br>
 +
[http://www.bokko.nl/iptables-active-and-passive-ftp-in-centos/ Bokko.nl » Iptables active and passive FTP in CentOS]<br>
 +
[http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ 25 Most Frequently Used Linux IPTables Rules Examples]
  
== Using suexec To Secure A Shared Server ==
+
=== restorecon command not found ===
The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it’s the wrong place to address the problem.
+
Problem: Using ''iptables save'' results in the error ''restorecon command not found''.<br>
 +
Solution: Install policycoreutils package.
 +
yum install policycoreutils
 +
Reference:<br>
 +
[http://www.linuxquestions.org/questions/linux-software-2/restorecon-command-not-found-922667/ restorecon command not found]
  
So what can Apache do to help?
+
== Extra Packages for Enterprise Linux (EPEL) ==
 +
The EPEL repository contains more upgraded packages to compliment the default repository. To add the EL6 EPEL repository to ''yum'', run the following command as root:
 +
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
 +
Reference: [http://fedoraproject.org/wiki/EPEL EPEL - FedoraProject]
  
It turns out that there are quite a few alternative ways that Apache can help. This article will look at what we can do with stock Apache, and the next few articles will look at what we can do with some interesting third-party Apache modules.
+
== How to install mcrypt for PHP 5.3.3 on CentOS ==
*suexec: Running CGI Programs As A Specified User
+
Add the EPEL repository to ''yum'' as shown previously, and then run the following command as root:
*Configuring Apache With PHP/CGI
+
  yum install php53-mcrypt
*Configuring suexec With PHP/CGI
+
Reference: [http://serverfault.com/questions/354871/how-to-install-mcrypt-for-php-5-3-3-on-centos-5-7-64-bit How to install mcrypt for PHP 5.3.3 on CentOS 5.7 64 bit?]
*Configuring suexec For Shared Servers
 
*Some Benchmarks
 
*Other Considerations
 
*Conclusions
 
=== suexec: Running CGI Programs As A Specified User ===
 
To secure a shared hosting server, we want to be able to run PHP as the user who owns that particular website. One way to do this with stock Apache is with suexec.
 
 
 
suexec is a standard Apache module which allows you to run a CGI executable as a specified user and group. CGI executables date back to the very early days of the web, back when we all had to use Perl to create dynamic websites. Although PHP is commonly run as an Apache module, it still provides support for CGI.
 
 
 
Check with your Linux vendor to make sure that you have PHP/CGI installed on your box.
 
 
 
=== Configuring Apache With PHP/CGI ===
 
The first step for getting suexec working is to configure Apache to run PHP as a CGI executable, instead of using mod_php. Add the following configuration to your httpd.conf file:
 
ScriptAlias /php5-cgi /usr/bin/php-cgi
 
Action php5-cgi /php5-cgi
 
AddHandler php5-cgi .php
 
AddDirectoryIndex index.php
 
and add the following line to your virtual host:
 
  AddHandler php5-cgi .php
 
In your httpd.conf file (or in one of the files that httpd.conf includes), there will be a <Directory> entry for the directory on disk where your virtual host is stored. Inside that <Directory> entry, there should be an “Options” line, which might look like this:
 
Options Indexes FollowSymLinks
 
Add “ExecCGI” to the end of your Options line.
 
 
 
Make sure to comment out mod_php from Apache. Then, restart Apache, and do some testing to make sure that PHP 5 is working.
 
 
 
For reference, here is the Apache config from my test system:
 
ScriptAlias /php5-cgi /usr/bin/php-cgi
 
Action php5-cgi /php5-cgi
 
AddHandler php5-cgi .php
 
AddDirectoryIndex index.php index.phtml
 
<VirtualHost *:80>
 
  DocumentRoot /var/www/localhost/htdocs
 
  <Directory /var/www/localhost/htdocs>
 
    Options Indexes FollowSymLinks ExecCGI
 
    AllowOverride All
 
    Order allow,deny
 
    Allow from all
 
  </Directory>
 
  AddHandler php5-cgi .php
 
</VirtualHost>
 
 
 
=== Configuring suexec For PHP/CGI ===
 
With Apache now running PHP as a CGI executable, we’re ready to get Apache running PHP as the owner of each website.
 
 
 
In your test virtual host, add the following:
 
SuexecUserGroup stuart users
 
Replace “stuart” with the user who owns the website, and replace “users” with the group that the user belongs to. This sets the privileges that PHP will run as.
 
 
 
To ensure the security of your server, suexec is very particular about what conditions must be met before it will execute your PHP scripting engine. A full list of conditions can be found in the Apache docs. To make sense of the conditions, you’ll need to know what settings your copy of suexec has been compiled with. Run the command suexec -V to find out your system’s settings. This is the output from my Seed Linux LAMP Server system:
 
belal vhosts.d # suexec -V
 
  -D AP_DOC_ROOT="/var/www"
 
  -D AP_GID_MIN=100
 
  -D AP_HTTPD_USER="apache"
 
  -D AP_LOG_EXEC="/var/log/apache2/suexec_log"
 
  -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 
  -D AP_SUEXEC_UMASK=077
 
  -D AP_UID_MIN=1000
 
  -D AP_USERDIR_SUFFIX="public_html"
 
The first condition (and one that isn’t obvious from the Apache manual!) is that the PHP CGI executable must be installed under AP_DOC_ROOT. Chances are that it isn’t installed there at the moment, so go ahead and copy it there.
 
mkdir /var/www/localhost/cgi-bin
 
cp /usr/bin/php-cgi /var/www/localhost/cgi-bin
 
The second condition is that the PHP CGI executable must be owned by the same user and group you listed in the SuexecUserGroup statement earlier. This causes problems for shared hosting; I’ll show you how to fix that later in this article.
 
chown stuart users /var/www/localhost/cgi-bin/php-cgi
 
Update your Apache httpd.conf file to use this copy of PHP:
 
ScriptAlias /php5-cgi /var/www/localhost/cgi-bin/php-cgi
 
Restart Apache, and test to make sure that PHP 5 is still working. You should also start to see log messages appearing in AP_LOG_EXEC. This is the first place to look if PHP isn’t working (although the log messages can be a little terse and cryptic).
 
 
 
For reference, here is the Apache config from my test system:
 
ScriptAlias /php5-cgi /var/www/localhost/cgi-bin/php-cgi
 
Action php5-cgi /php5-cgi
 
AddHandler php5-cgi .php
 
AddDirectoryIndex index.php index.phtml
 
<VirtualHost *:80>
 
  DocumentRoot /var/www/localhost/htdocs
 
  <Directory /var/www/localhost/htdocs>
 
    Options Indexes FollowSymLinks ExecCGI
 
    AllowOverride All
 
    Order allow,deny
 
    Allow from all
 
  </Directory>
 
  SuexecUserGroup stuart users
 
  AddHandler php5-cgi .ph
 
</VirtualHost>
 
 
 
=== Configuring suexec For Shared Servers ===
 
I mentioned earlier that there was a problem with using suexec + PHP/CGI on shared servers – the very environment where suexec is needed the most :( In one of the steps above, we created a copy of the PHP CGI executable, and changed its ownership on disk to match the ownership of the website.
 
chown stuart users /var/www/localhost/cgi-bin/php-cgi
 
What happens when we have two websites, each owned by a different user? Or five, or ten, or hundreds? Apache’s suexec will refuse to re-use this copy of the PHP CGI executable for each of the websites, because it isn’t owned by the right user and group.
 
  
Each website needs its own copy of the PHP CGI executable, owned by the user and group that owns the website itself. We don’t want to create hundreds of copies of the actual PHP CGI executable (it’s a large waste of space, and a pain for managing PHP upgrades), so instead we can point each website at its own copy of a simple bash script:
+
== [http://www.sendmail.com/sm/open_source/docs/m4/readme.html Sendmail Configuration] ==
#!/bin/bash
+
=== Mail Filtering ===
/usr/bin/php-cgi "$@"
+
* greet_pause<br>To enable the feature, you need to make two changes. First, in your sendmail.mc file:<br><code>FEATURE(access_db)dnl<br>FEATURE(`greet_pause',5000)</code><br>You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:<br><code>GreetPause:localhost    0</code><br>The second change prevents the pause from applying to connections from your local machine, which would otherwise be annoying when you're sending mail. If you're doing this on a server which accepts mail from multiple machines, you'll want to do the same for the whole local network.
This script simply executes our central copy of the PHP CGI executable, passing through whatever parameters Apache has called the bash script with.
+
* [http://www.sendmail.org/m4/tweaking_config.html#confBAD_RCPT_THROTTLE BAD_RCPT_THROTTLE]<br>To enable it, add the following code to your sendmail.mc file:<br><code>define(`confBAD_RCPT_THROTTLE', `1')dnl</code><br>The number is how many bad recipients is takes to trigger the throttle, so 1 is the strictest setting.
 +
* [http://www.sendmail.org/m4/tweaking_config.html#confMAX_RCPTS_PER_MESSAGE MAX_RCPTS_PER_MESSAGE]<br><code>define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl</code>
 +
* [http://www.sendmail.org/m4/tweaking_config.html#confCONNECTION_RATE_THROTTLE CONNECTION_RATE_THROTTLE]<br><code>define(`confCONNECTION_RATE_THROTTLE', `3')dnl</code>
 +
* [http://www.sendmail.org/m4/tweaking_config.html#confMAX_DAEMON_CHILDREN MAX_DAEMON_CHILDREN]<br><code>define(`confMAX_DAEMON_CHILDREN', `10')dnl</code>
 +
* [http://www.sendmail.org/m4/tweaking_config.html#confTO_INITIAL timeouts]<br><code>define(`confTO_ICONNECT', `15s')dnl<br>define(`confTO_CONNECT', `3m')dnl<br>define(`confTO_HELO', `2m')dnl<br>define(`confTO_MAIL', `1m')dnl<br>define(`confTO_RCPT', `1m')dnl<br>define(`confTO_DATAINIT', `1m')dnl<br>define(`confTO_DATABLOCK', `1m')dnl<br>define(`confTO_DATAFINAL', `1m')dnl<br>define(`confTO_RSET', `1m')dnl<br>define(`confTO_QUIT', `1m')dnl<br>define(`confTO_MISC', `1m')dnl<br>define(`confTO_COMMAND', `1m')dnl<br>define(`confTO_STARTTLS', `2m')dnl</code>
 +
Reference: [http://www.acme.com/mail_filtering/sendmail_config.html Mail Filtering - Sendmail Config]
  
To configure Apache to use this script, simply move the ScriptAlias statement from outside the VirtualHost config to inside.
+
=== Sendmail SMTP AUTH ===
 +
Make sure to install cyrus-sasl-plain package:
 +
yum install cyrus-sasl-plain
  
=== Some Benchmarks ===
+
== Installing denyhosts ==
Because Apache is having to execute a new suexec process every page hit (and suexec executes a new PHP CGI process every page hit), it’s going to be slower than running mod_php. But how much slower? To find out, I used Apache’s ab benchmarking program to load a phpinfo() page 1000 times. I ran the benchmark five times and averaged out the results.
+
denyhosts is not available in the repository, so download the latest version from [http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz sourceforge].
*suexec: average of 127.219 seconds
 
*suexec + bash script: average of 134.836 seconds
 
*mod_php: average of 3.753 seconds
 
suexec on its own is some 34 times slower than using mod_php; suexec + the bash script needed for shared hosting environments is even worse, at 36 times slower than using mod_php.
 
  
This benchmark doesn’t provide the full picture. Once you take into account the extra memory used by the suexec method, and the extra memory and CPU (and process context switches!) required to transfer output from PHP/CGI to Apache to send back to the website’s user, the final cost of using suexec + PHP/CGI will be substantially higher.
+
Reference: [http://linux-one.blogspot.ca/2011/11/linux-centos-62-installation.html linux CentOS 6.2 - installation]
  
=== Other Considerations ===
+
== VPN via the TUN/TAP device ==
Performance isn’t the only thing to think about when evaluating suexec + PHP/CGI.
 
*suexec + PHP/CGI does solve the security challenge, without requiring your application to support safe_mode.
 
*HTTP authentication is only supported by mod_php, not PHP/CGI. If your application relies on this, then suexec + PHP/CGI is not for you.
 
  
=== Conclusions ===
+
If you are using an OpenVZ container, you will need to ask your provider to grant your container access to the tun/tap device.
Apache’s suexec mechanism does secure a shared hosting server from attack from within. However, this is achieved at a heavy performance cost, which inevitably will translate into needing lots of extra servers – which is expensive.
 
  
So, if Apache itself doesn’t come with a solution that’s worth a damn, maybe there are third-party solutions out there that can do a better job? The next article in the series will take a look at what others have done to try and plug this gap.
+
Reference: [http://wiki.openvz.org/VPN_via_the_TUN/TAP_device VPN via the TUN/TAP device]
  
Reference: [http://blog.stuartherbert.com/php/2007/12/18/using-suexec-to-secure-a-shared-server/ Stuart Herbert On PHP - » Using suexec To Secure A Shared Server]
+
[[Category:Linux]]
 +
[[Category:Internet]]

Latest revision as of 11:22, 19 July 2015

Here are some tips I found useful for setting up virtual private servers with CentOS. See more pages in Category:Linux.

Installing Webmin

If you are using the RPM version of Webmin, first download the file from the downloads page, or run the command:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.580-1.noarch.rpm

and then run the command:

rpm -U webmin-1.580-1.noarch.rpm

The rest of the install will be done automatically to the directory /usr/libexec/webmin, the administration username set to root and the password to your current root password. You should now be able to login to Webmin at the URL http://localhost:10000/. Or if accessing it remotely, replace localhost with your system's IP address.

Reference: Webmin - Installing the RPM

Webmin Error: Perl module Authen::PAM needed for PAM is not installed

If you guys are getting this error on your Webmin log file /var/webmin/miniserv.error here’s how I solved the problem.

miniserv.pl started
Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (@INC contains: /usr/libexec/webmin /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib64/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl /usr/lib/perl5/site_perl .) at (eval 10) line 1.
BEGIN failed--compilation aborted at (eval 10) line 1.

First off go to http://nik.pelov.name/Authen-PAM/ and download the latest Authen::PAM. At the time of this writing, the lastest one was Authen-PAM-0.16.

Log in as root.

cd /tmp
wget http://www.perl.com/CPAN/authors/id/N/NI/NIKIP/Authen-PAM-0.16.tar.gz

Next step would be extracting the contents of Authen-PAM-0.16.tar.gz.

tar xvzf Authen-PAM-0.16.tar.gz

After that, go to Authen-PAM-0.16 which is the directory that is created once you’ve extracted the contents of Authen-PAM-0.16.tar.gz.

cd Authen-PAM-0.16

We’ll then generate a make file.
Note: You must have gcc and pam-devel installed to generate the make file. --Jeremy (talk) 22:41, 30 June 2012 (EDT)

perl Makefile.PL

If it returned no errors we can then proceed to executing the following commands.

make
make install

After that everything should be fine now. To check whether the module has been loaded or not do the following command.

perl -e 'use Authen::PAM; print "Installation succestul.\n"'

After that restart Webmin.

service webmin restart

If you look at your /var/webmin/miniserv.error this is what you should see if everything worked out fine.

restarting miniserv
Restarting
miniserv.pl started
PAM authentication enabled

Reference: http://rodoabad.joinpgn.com/2008/10/13/webmin-error-perl-module-authenpam-needed-for-pam-is-not-installed/

Set timezone using /etc/localtime configuration file

Often /etc/localtime is a symlink to the file localtime or to the correct time zone file in the system time zone directory.

Generic procedure to change timezone

Change directory to /etc

# cd /etc

Create a symlink to file localtime:

# ln -sf /usr/share/zoneinfo/EST localtime

OR some distro use /usr/share/zoneinfo/dirname/zonefile format (Red hat and friends)

# ln -sf /usr/share/zoneinfo/EST localtime

OR if you want to set up it to IST (Asia/Calcutta):

# ln -sf /usr/share/zoneinfo/Asia/Calcutta localtime

Please mote that in above example you need to use directory structure i.e. if you want to set the timezone to Calcutta (India) which is located in the Asia directory you will then have to setup using as above.

Use date command to verify that your timezone is changed:

$ date

Output:

Tue Aug 27 14:46:08 EST 2006

Reference: Howto: Linux server change or setup the timezone


Creating a Swap File

  1. Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536.
  2. At a shell prompt as root, type the following command with count being equal to the desired block size:
    dd if=/dev/zero of=/swapfile bs=1024 count=65536
  3. Setup the swap file with the command:
    mkswap /swapfile
  4. To enable the swap file immediately but not automatically at boot time:
    swapon /swapfile
  5. To enable it at boot time, edit /etc/fstab to include the following entry:
    /swapfile swap swap defaults 0 0
    The next time the system boots, it enables the new swap file.
  6. After adding the new swap file and enabling it, verify it is enabled by viewing the output of the command
    cat /proc/swaps or free.

Reference: Creating a Swap File

iptables Setup

[root@vps1 ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  842 5263K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   48  2952 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
30301 8344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    7   364 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 
   13   676 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
 1231 64828 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    9   464 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    6   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587 
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
   62  3224 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
  502 22432 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 41521 packets, 36M bytes)
 pkts bytes target     prot opt in     out     source               destination      

References:
Bokko.nl » Iptables active and passive FTP in CentOS
25 Most Frequently Used Linux IPTables Rules Examples

restorecon command not found

Problem: Using iptables save results in the error restorecon command not found.
Solution: Install policycoreutils package.

yum install policycoreutils

Reference:
restorecon command not found

Extra Packages for Enterprise Linux (EPEL)

The EPEL repository contains more upgraded packages to compliment the default repository. To add the EL6 EPEL repository to yum, run the following command as root:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Reference: EPEL - FedoraProject

How to install mcrypt for PHP 5.3.3 on CentOS

Add the EPEL repository to yum as shown previously, and then run the following command as root:

yum install php53-mcrypt

Reference: How to install mcrypt for PHP 5.3.3 on CentOS 5.7 64 bit?

Sendmail Configuration

Mail Filtering

  • greet_pause
    To enable the feature, you need to make two changes. First, in your sendmail.mc file:
    FEATURE(access_db)dnl
    FEATURE(`greet_pause',5000)

    You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:
    GreetPause:localhost 0
    The second change prevents the pause from applying to connections from your local machine, which would otherwise be annoying when you're sending mail. If you're doing this on a server which accepts mail from multiple machines, you'll want to do the same for the whole local network.
  • BAD_RCPT_THROTTLE
    To enable it, add the following code to your sendmail.mc file:
    define(`confBAD_RCPT_THROTTLE', `1')dnl
    The number is how many bad recipients is takes to trigger the throttle, so 1 is the strictest setting.
  • MAX_RCPTS_PER_MESSAGE
    define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
  • CONNECTION_RATE_THROTTLE
    define(`confCONNECTION_RATE_THROTTLE', `3')dnl
  • MAX_DAEMON_CHILDREN
    define(`confMAX_DAEMON_CHILDREN', `10')dnl
  • timeouts
    define(`confTO_ICONNECT', `15s')dnl
    define(`confTO_CONNECT', `3m')dnl
    define(`confTO_HELO', `2m')dnl
    define(`confTO_MAIL', `1m')dnl
    define(`confTO_RCPT', `1m')dnl
    define(`confTO_DATAINIT', `1m')dnl
    define(`confTO_DATABLOCK', `1m')dnl
    define(`confTO_DATAFINAL', `1m')dnl
    define(`confTO_RSET', `1m')dnl
    define(`confTO_QUIT', `1m')dnl
    define(`confTO_MISC', `1m')dnl
    define(`confTO_COMMAND', `1m')dnl
    define(`confTO_STARTTLS', `2m')dnl

Reference: Mail Filtering - Sendmail Config

Sendmail SMTP AUTH

Make sure to install cyrus-sasl-plain package:

yum install cyrus-sasl-plain

Installing denyhosts

denyhosts is not available in the repository, so download the latest version from sourceforge.

Reference: linux CentOS 6.2 - installation

VPN via the TUN/TAP device

If you are using an OpenVZ container, you will need to ask your provider to grant your container access to the tun/tap device.

Reference: VPN via the TUN/TAP device