Linux Centos Roundcube installer

Langkah Pertama

# yum -y update
# yum -y groupinstall "Development Tools"
# yum -y install zlib-devel
# yum -y install httpd openssl-devel openssl mod_ssl vsftpd rpm-build rpm-devel autoconf automake lynx gcc
# yum -y install mysql mod_auth_mysql mysql-devel mysql-server
# yum -y install mod_python python python-devel
# yum -y install php-devel php php-common php-gd php-mcrypt php-mhash php-xml php-xmlrpc php-domxml php-gd php-mbstring php-mysql php-ncurses php-pear
# yum -y install sendmail sendmail-cf
# yum -y install wget
# yum -y install yum-utils
# yum -y install yum-plugin-replace
# yum -y install vim-X11 vim-common vim-enhanced vim-minimal
# yum -y install iptables
# yum -y install nmap
# yum -y install vixie-cron

Setup host access
We need to setup host access (TCP_WRAPPERS). There are two host access files (/etc/hosts.allow and /etc/hosts.deny) that are part of the TCP_WRAPPER package. This makes it possible to allow or deny access to certain services based on the IP. We need to edit the hosts.allow and hosts.deny files:

Run the following command to edit the file in vi text editor:

# vi /etc/hosts.allow

Paste the following into the file and then save the file:

sshd:ALL
vsftpd:ALL
sendmail:ALL

Tip: I recommend limiting access to your production servers based on specific IP addresses. This helps to prevent intruders from getting access to your server. For example, let’s say you have an office IP address of 55.55.55.55, you would make the sshd line look like this:
sshd:55.55.55.55

You can enter multiple IP addresses also (separated by spaces).

Run the following command:
# vi /etc/hosts.deny

Paste the following into the file to deny all other services and then save the file:
ALL:ALL

Create User Account
Create a user account that you will use to log in to this server. Try to select a name that is distinct from your website. For example, if your website is mywebsite.com, do not make your username called mywebsite. In this example, we will use the username jesseforrest. You will want to replace jesseforrest with a more logical username that fits your needs. This account will be used for SSH connections.

# adduser jesseforrest
# passwd jesseforrest

Enter in a password and hit enter.
Retype the password and hit enter.

Tip: Make sure to save the username and password in your PasswordSafe.

On the client machine (the computer you will be connecting from) tighten up file system permissions:
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/*

Now copy the public key to the machine you want to SSH into and fix permissions:
# scp ~/.ssh/jesseforrest_id_rsa.pub jesseforrest@:

Connect to the remote server:
# ssh jesseforrest@ -p 11985

You will need to create the ~/.ssh directory if it does not yet exist
# mkdir ~/.ssh

Append your public key to the authorized_keys file.
# cat ~/jesseforrest_id_rsa.pub >> ~/.ssh/authorized_keys

Remove the public key file from the server
# rm ~/jesseforrest_id_rsa.pub

Set the permissions so it is only readable and writable by you, the owner.
# chmod 600 ~/.ssh/authorized_keys
# chmod 700 ~/.ssh

Restart SSH Daemon:
# /etc/init.d/sshd restart

Setup Keychain
Use Keychain, an SSH Agent, so that you don’t need to enter a passphrase every time you connect. Install keychain if it is not installed yet:
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# rpm –import http://apt.sw.be/RPM-GPG-KEY.dag.txt
# rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm
# yum install keychain

We need to add keychain to start automatically.
# vi ~/.bash_profile

Add the following line:
eval $(keychain –eval –agents ssh -Q –quiet jesseforrest_id_rsa)

Test SSH Connectivity
You should now have SSH access to the new server through SSH keys:
# ssh jesseforrest@ -p 11985
# su –
Enter in the root password.

Disabling Password Logins (only allow SSH)
# vi /etc/ssh/sshd_config

Modify to the following and then save it:
PasswordAuthentication no
ChallengeResponseAuthentication no

Restart SSH Daemon:
# /etc/init.d/sshd restart

Update Path Variable
# vi ~/.bash_profile

Change the line “PATH=$PATH:$HOME/bin” to:
PATH=$PATH:/usr/sbin/:/sbin:$HOME/bin

Optional – Update Hosts File
If this server is not in the Domain Name System (DNS), you must explicitly add it to the /etc/hosts file so that you can reference it by host name.

If necessary, edit /etc/hosts by running the following command:
# vi /etc/hosts

Paste the IP address and host name of the server like this:

Example:
173.232.244.226 mywebsite.com

Setup Hostnames
Make sure the following is set in /etc/sysconfig/network with hostnames changed to the actual host name.

NETWORKING=yes
HOSTNAME=

Example:
NETWORKING=yes
HOSTNAME=mywebsite

Start Cron Daemon
# /sbin/service crond start

Disabling SELinux
# vim /etc/selinux/config

Verify it is set to the following:
SELINUX=disabled

Configure the Required System Services to Start at Boot
# chkconfig httpd on
# chkconfig mysqld on
# chkconfig vsftpd on
# chkconfig sshd on
# chkconfig crond on
# chkconfig iptables on

Configure Apache
# vim /etc/httpd/conf/httpd.conf

Fill out the following information (replace with something like mywebsite.com):

ServerAdmin support@mywebsite.com
ServerName :80
NameVirtualHost *:80
DirectoryIndex index.php index.html index.htm
ServerTokens Prod
ServerSignature Off

Make this change wherever needed:
Options -Indexes FollowSymLinks

Add the following line if it does not exist:
TraceEnable Off

Save the file.

# vim /etc/httpd/conf.d/ssl.conf

Update the SSLCipherSuite line and change +LOW to !LOW

Save the file.

Restart HTTP Daemon
# /etc/init.d/httpd restart

Configure VSFTP
# vim /etc/vsftpd/vsftpd.conf

Make the following changes:
anonymous_enable=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=nobody
ascii_upload_enable=YES
ftpd_banner= **** WARNING – Your actions are being logged ****
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
userlist_deny=NO

Next, we need to configure vsftpd.userlist and specify which users can FTP to the server. This compliments the userlist_deny setting in vsftpd.conf. When set to NO, this makes the vsftpd.userlist file a list of users that ARE allowed to log in.

# vim /etc/vsftpd/user_list

We recommend removing all users so that nobody is able to FTP in. However, if you want to allow a user to FTP in, you can add them here.

Configure MySQL
# cd /usr/share/doc/mysql-server-
(hit tab to get current version installed and then hit enter)

# cp my-medium.cnf /etc/my.cnf
(hit enter and then “y” to confirm)

# vim /etc/my.cnf

Paste the following and save. You might want to tweak these values based on your system specifications and database requirements:

[mysqld]
set-variable = max_connections=500
log-slow-queries
safe-show-database
query-cache-type = 1
query-cache-size = 150M
table_cache = 512
thread_cache_size=32
key_buffer_size=128M
long_query_time=2
log_queries_not_using_indexes

Note: This configuration will setup a query cache, log queries that take longer than 2 seconds to run, and log queries that are not using indexes. If you want to change any of this behavior you will need to make the appropriate changes to fit your needs.

Restart MySQL Daemon:
# /etc/init.d/mysqld restart

Now the root password for MySQL must be set using the following command. Do NOT use the same root password as the Linux root password.

# mysqladmin -u root password “”

Tip: Make sure to save the username and password in your PasswordSafe.

Optional – Install and Configure Memcached
Install the memcache daemon:
# yum install memcached

Start the daemon:
# /etc/init.d/memcached start

Even though memcached is running on the server, it’s not accessible from PHP without the PECL extension. So run this:
# pecl install memcache

(Use all defaults)

# vim /etc/php.ini
Paste the following at the bottom of the file:

[memcache]
extension=memcache.so

# vim /etc/sysconfig/memcached

Make the following changes:

PORT=”11986″
CACHESIZE=”1024″

Restart Apache
# /etc/init.d/httpd restart

Make the service startup on reboot
# chkconfig memcached on

Start Memcache
# /etc/init.d/memcached start

Optional – Install a GoDaddy Signed SSL Certificate

Generate private key:
# openssl genrsa -out ca.key 2048

Copy the necessary key to the required location
# cp ca.key /etc/pki/tls/private/.key

Generate CSR:
# openssl req -new -key ca.key -out ca.csr

Enter in all required information.

Get the contents of the CSR by running:
# cat ca.csr

Copy all the contents into “Enter your Certificate Signing Request (CSR) below:” in GoDaddy. Download bundle from GoDaddy and copy those files to the correct locations:

# cp .crt /etc/pki/tls/certs/.crt
# cp gd_bundle.crt /etc/pki/tls/certs/-chain.crt

Update the Apache SSL configuration file:
# vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored:
SSLCertificateFile /etc/pki/tls/certs/.crt

Change the path for the Certificate Key File:
SSLCertificateKeyFile /etc/pki/tls/private/.key

Change the path to the intermediate bundle file:
SSLCertificateChainFile /etc/pki/tls/certs/-chain.crt

Save and close

Restart HTTP Daemon
# /etc/init.d/httpd restart

Optional – Install a Self-Signed SSL Certificate
If you want to install a self-signed SSL certificate, you can follow these steps.

Generate private key:
# openssl genrsa -out ca.key 1024

Generate CSR:
# openssl req -new -key ca.key -out ca.csr

Enter in all required information

Generate self-signed key:
# openssl x509 -req -days 1825 -in ca.csr -signkey ca.key -out ca.crt

Copy the files to the correct locations (do not move them if you use SELinux):
# cp ca.crt /etc/pki/tls/certs
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr

Update the Apache SSL configuration file:
# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored:
SSLCertificateFile /etc/pki/tls/certs/ca.crt

Change the path for the Certificate Key File:
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save and close

Restart HTTP Daemon
# /etc/init.d/httpd restart

Optional – Example Configuring Iptables
This will configure Iptables to open the following input ports: 80 (HTTP), 443 (HTTPS), 11985 (SSH). It will also open the following output ports: 80 (HTTP), 443 (HTTPS).

# /sbin/iptables -P INPUT ACCEPT
# /sbin/iptables -F
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Drop packets where new incoming tcp connections are not SYN
# /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop packets with incoming fragments
# /sbin/iptables -A INPUT -f -j DROP
Drop incoming malformed XMAS packets
# /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop incoming malformed NULL packets
# /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 11985 -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
# /sbin/iptables -P INPUT DROP
# /sbin/iptables -P FORWARD DROP
# /sbin/iptables -P OUTPUT ACCEPT

Verify and Save Iptables
Some ports might appear in the nmap output even if you specified them restricted in iptables. This is probably because they are being run from localhost. To verify your iptables configuration you can run:
# /sbin/iptables -L

Run the following if correctly configured:
# /sbin/service iptables save

Verify only the ports you want opened are listed by running the following
# nmap -sT -O localhost

Update PHP Configuration
# vim /etc/php.ini

Make these changes:

display_errors = Off
date.timezone = America/New_York
html_errors = Off
expose_php = Off
error_log = /var/log/php_errors.log

Tip: Set date.timezone to whatever is applicable to your server. A list of timezones are available on PHP’s List of Supported Timezones web page.

Save and quit.

Optional – Install GeoIP
# yum -y install GeoIP GeoIP-devel
# pecl install geoip
# vim /etc/php.ini

Add this to end of php.ini:

[geoip]
extension=geoip.so

Save and quit.

Protect Files and Folders

Set the correct restrictions:
# chown -R apache:apache /var/www/html/

Write protect Apache, PHP, and MySQL configuration files:

# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.cnf
# chattr +i /etc/httpd/conf/httpd.conf

Restart HTTP Daemon
# /etc/init.d/httpd restart

Verifying Configuration Works
# vim /var/www/html/info.php

Enter:
<?php phpinfo();

Save and quit.

Use browser to hit:
http:///info.php

Optional – Install locate and updatedb on CentOS

# yum install mlocate
# /etc/cron.daily/mlocate.cron

References
http://www.rayheffer.com/36/building-a-secure-web-server-with-centos-5-part-1/
https://wiki.archlinux.org/index.php/SSH_Keys

Tutorial

http://jesseforrest.name/setup-a-production-centos-lamp-web-server/212
Advertisements

About idkaskus

Smart and Honest

Posted on May 2, 2014, in Email, Linux. Bookmark the permalink. Leave a comment.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: