Chapter 9. Bonus Section

Table of Contents

Additional Items
MySQL Installation & Hardening
Installing Additional Software
SSH Extras
Apache Extras
FTP Extras
Additional Items Check Point

Additional Items

This chapter contains a few additional items that may be of interest. The configuration outlines below may or may not contain images that will assist with the process. In all cases, a list of the steps needed to complete the configuration is included.

MySQL Installation & Hardening

In this section the installation of the MySQL database is addressed. The first consideration is the installation of the software. In the next part, we take steps to secure the installation. Finally, we consider a browser-based MySQL administration utility called phpMyAdmin.

MySQL Installation

MySQL is a "working-man's" database that has been in continuous use for several years. There are two main components to install: first, the service, which creates and maintains the databases. Second, the client, which accesses and interacts with the databases. In this section we will install both parts.

    `yum -y install mysql mysql-server` 1
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    epel/metalink                                                                                        |  15 kB     00:00     
    ...     
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package mysql.x86_64 0:5.1.73-3.el6_5 will be installed
    --> Processing Dependency: mysql-libs = 5.1.73-3.el6_5 for package: mysql-5.1.73-3.el6_5.x86_64
    ---> Package mysql-server.x86_64 0:5.1.73-3.el6_5 will be installed
    --> Processing Dependency: perl-DBI for package: mysql-server-5.1.73-3.el6_5.x86_64
    --> Processing Dependency: perl-DBD-MySQL for package: mysql-server-5.1.73-3.el6_5.x86_64
    --> Processing Dependency: perl(DBI) for package: mysql-server-5.1.73-3.el6_5.x86_64
    --> Running transaction check
    ---> Package mysql-libs.x86_64 0:5.1.71-1.el6 will be updated
    ---> Package mysql-libs.x86_64 0:5.1.73-3.el6_5 will be an update
    ---> Package perl-DBD-MySQL.x86_64 0:4.013-3.el6 will be installed
    ---> Package perl-DBI.x86_64 0:1.609-4.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved
    ...
    Complete!
    
    `service mysqld start` 2
    Initializing MySQL database:  Installing MySQL system tables...
    OK
    Filling help tables...
    OK

    To start mysqld at boot time you have to copy
    support-files/mysql.server to the right place for your system

    PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !  3
    To do so, start the server, then issue the following commands:

    /usr/bin/mysqladmin -u root password 'new-password'
    /usr/bin/mysqladmin -u root -h alpha.talos-iv.net password 'new-password'

    Alternatively you can run:
    /usr/bin/mysql_secure_installation

    which will also give you the option of removing the test
    databases and anonymous user created by default.  This is
    strongly recommended for production servers.

    See the manual for more instructions.

    You can start the MySQL daemon with:
    cd /usr ; /usr/bin/mysqld_safe &

    You can test the MySQL daemon with mysql-test-run.pl
    cd /usr/mysql-test ; perl mysql-test-run.pl

    Please report any problems with the /usr/bin/mysqlbug script!
                                                               [  OK  ]
    Starting mysqld:                                           [  OK  ]

    `chkconfig mysqld on`  4

1

Installing both the server and client in one step. Note that there are several dependencies installed as part of the process.

2

Starting the service for the first time after installation. Subsequent starts won't be this complicated.

3

Note this warning. It is wise to address this situation immediately after installation. See the section called "MySQL Hardening & Configuration" below.

4

Configuring the service to start when the machine boots.

MySQL Hardening & Configuration

The default installation of MySQL has several inherent vulnerabilities. Included with the software is a command that will take the user through several steps to address these issues. See `man mysql_secure_installation` for more information. Also, the MySQL website has a dedicated Securing MySQL Installation page for this utility. See the program listing below for a line-by-line sequence of how this command works.

 
    `mysql_secure_installation` 1

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MySQL to secure it, we'll need the current
    password for the root user.  If you've just installed MySQL, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none): 
    OK, successfully used password, moving on... 2 

    Setting the root password ensures that nobody can log into the MySQL
    root user without the proper authorization.

    Set root password? [Y/n] y 3
    New password: 
    Re-enter new password: 
    Password updated successfully!
    Reloading privilege tables..
     ... Success!


    By default, a MySQL installation has an anonymous user, allowing anyone
    to log into MySQL without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y 4
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] y 5
     ... Success!

    By default, MySQL comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] y 6
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] y 7
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MySQL
    installation should now be secure.

    Thanks for using MySQL!

1

Initially invoking the command.

2

The initial root account in MySQL has no password. Make sure to address this. Press ENTER at the prompt to proceed.

3

This is where the new root password is set for MySQL. Make sure to write the password down or somehow keep track of it.

4

Yes, we want to remove the anonymous user.

5

We DO NOT want the root MySQL user to have remote login capability.

6

For a production machine, the test database should be removed. In a development or test environment, it can remain.

7

The privilege tables must be reloaded; otherwise the changes won't take effect until the service is restarted.

MySQL Administration via PHPMyAdmin

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL, MariaDB and Drizzle. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.

--phpMyAdmin

MySQL can be more easily administered with the web-based tool phpMyAdmin. Download phpMyAdmin from the website. There is also extensive phpMyAdmin Documentation that details the utility. We will not cover the details of installation and configuration of phpMyAdmin in this chapter. However, the following steps are the general outline of how to get it installed and configured.

  1. Download the software from the phpMyAdmin website.
  2. Uncompress the software somewhere on your system. The location of the uncompressed files must be a web-accessible directory that is capable of parsing PHP scripts.
  3. Configure the software per the instructions in the phpMyAdmin Documentation.

While phpMyAdmin is capable of very sophisticated management tasks, a simple installation is sufficient for most uses and relatively painless.

Installing Additional Software

Installing additional software is often easiest on Linux systems by using repositories, which are "arsenals" of pre-configured packages. Listed below are two of the more popular software repositories for the system we've been working on: EPEL Repository and RPMForge. On the typical RackSpace VM, the EPEL Repository is already installed and enabled. For this reason, we won't detail the steps to install the EPEL repository; the instructions are available at the EPEL Installation via RackSpace Wiki. The description below gives an excellent description of the EPEL repository.

EPEL (Extra Packages for Enterprise Linux) is an open source and free community-based repository project from the Fedora team which provides 100% high quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS, and Scientific Linux. The EPEL project is not a part of RHEL/CentOS but it is designed for major Linux distributions by providing lots of open source packages like networking, sys admin, programming, monitoring and so on. Most of the EPEL packages are maintained by the Fedora repo.

--EPEL Repository

The second additional repo we'll consider is RPMForge. The description below tells what this repo is, and in the program listing below we address the installation of RPMForge. These steps are taken from the RPMForge Installation via CentOS Wiki article.

RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.

--RPMForge
 
    `uname -a` 1
    Linux alpha.talos-iv.net 2.6.32-431.20.3.el6.x86_64 #1 SMP Thu Jun 19 21:14:45 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
    `wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm` 2 
    `rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt` 3
    `rpm -K rpmforge-release-0.5.3-1.el6.rf.*.rpm` 4
    `yum -y localinstall rpmforge-release-0.5.3-1.el6.rf.*.rpm` 5

1

Run this command to find system details. The output has an x86_64 part that tells us we're on a 64-bit system. Therefore, we want the 64-bit version of the package. If you're on a 32-bit system, go to RPMForge Installation via CentOS Wiki for specifics.

2

Downloading the package. The link came from the website mentioned in #1 above.

3

We need to import the GPG key. An error message such as "error: http://apt.sw.be/RPM-GPG-KEY.dag.txt: key 1 import failed." tells us that the key has already been imported.

4

Once the package has been downloaded, its authenticity is verified. This compares the package signature against the key we imported in step #3 above.

5

Finally, install the package. This will add a yum repository config file in '/etc/yum.repos.d', and import the appropriate GPG keys.

Typically, these repositories will "just work" when installed. Advanced configuration of these repositories is beyond the scope of this lesson. If you have problems with package repositories, please consider the following steps when troubleshooting:

  • Repository configuration files are typically located in '/etc/yum.repos.d'. Is the repo file in question in that location? Look at the contents of the file for anomalies.
  • Inside the repo config file, is it set to 'enabled=1'?[31]
  • Is the directive 'gpgcheck=1' set?[32]
  • Is the GPG key for the repo installed? This will be important if the 'gpgcheck=1' directive is set as mentioned above.
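A check for the troubleshooting list above, added here as an example and not part of the course: it reads one section of a yum .repo file and reports whether the repo is enabled, whether gpgcheck is on, and whether the gpgkey it names exists on disk. The .repo contents and key file it writes are constructed sample data.

```shell
#!/bin/sh
# Audit one section of a yum .repo file for the items in the troubleshooting
# list above. Editor-added example; the repo contents and "key" file written by
# make_sample_repo are constructed sample data, not the real RPMForge files.

# repo_section_value FILE SECTION KEY -> value of KEY inside [SECTION]
# (a .repo file can hold several sections, e.g. rpmforge, rpmforge-extras,
# rpmforge-testing, so the key must be read from the right one; a later
# duplicate of the same key overrides an earlier one)
repo_section_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { h = $0; gsub(/[ \t]/, "", h); insec = (h == want); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# repo_check FILE SECTION -> 0 when the section is enabled, gpgcheck is on and
# the gpgkey it names is present; prints one line per problem otherwise.
# Only file:// keys are checked on disk; http(s) keys are fetched by yum.
repo_check() {
    rc=0
    enabled=$(repo_section_value "$1" "$2" enabled)
    gpgcheck=$(repo_section_value "$1" "$2" gpgcheck)
    gpgkey=$(repo_section_value "$1" "$2" gpgkey)
    [ "$enabled" = 1 ] || { echo "[$2] enabled=${enabled:-<unset>}: repo is disabled"; rc=1; }
    [ "$gpgcheck" = 1 ] || { echo "[$2] gpgcheck=${gpgcheck:-<unset>}: packages would be installed unverified"; rc=1; }
    case $gpgkey in
        "")       echo "[$2] gpgkey is not set"; rc=1 ;;
        file://*) keyfile=${gpgkey#file://}
                  [ -r "$keyfile" ] || { echo "[$2] gpgkey $keyfile is missing: yum cannot verify signatures"; rc=1; } ;;
    esac
    return $rc
}

# make_sample_repo DIR -> writes a constructed two-section .repo file into DIR
# (one section correct, one disabled and unverified) and prints its path
make_sample_repo() {
    printf 'placeholder, not a real GPG key\n' > "$1/RPM-GPG-KEY.dag.txt"
    cat > "$1/rpmforge.repo" <<EOF
[rpmforge]
name = RHEL \$releasever - RPMforge.net - dag
baseurl = http://example.invalid/rpmforge
enabled = 1
gpgcheck = 1
gpgkey = file://$1/RPM-GPG-KEY.dag.txt

[rpmforge-testing]
name = RHEL \$releasever - RPMforge.net - testing
baseurl = http://example.invalid/testing
enabled = 0
gpgcheck = 0
gpgkey = file:///etc/pki/rpm-gpg/NO-SUCH-KEY
EOF
    echo "$1/rpmforge.repo"
}

# Demo: audit both sections of the constructed file
demo_dir=$(mktemp -d)
demo_repo=$(make_sample_repo "$demo_dir")
for sec in rpmforge rpmforge-testing; do
    if repo_check "$demo_repo" "$sec"; then echo "[$sec] looks good"; fi
done
rm -rf "$demo_dir"
```

On a real system run `repo_check /etc/yum.repos.d/rpmforge.repo rpmforge`; a section that is deliberately kept at enabled=0 (footnote 31) will be reported as disabled, which is then expected.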

SSH Extras

In this section we'll address two pieces of SSH that will secure the service and make life easier for us. First, we'll set the system to forbid root login. This will require that we have a regular user on the system, which should be in place from the section called "Adding a Regular User". Next, we'll set that user up to be able to log in without a password via a generated cryptographic key.

SSH Login without a Password

First, we'll address the key-based login. This section requires that the regular user already exist on the system as outlined in the section called "Adding a Regular User".

[Important] Keys Generated on Desktop or Laptop, Not on Web Server

The keys are generated on your desktop, not on your web machine. Once generated on your desktop (or laptop), the public key is placed on your web server.

We need to issue the two commands shown in the program listing below on our local desktop or laptop.[33]

 
    `ssh-keygen -t dsa` 1
    `ssh-copy-id -i ~/.ssh/id_dsa.pub <user>@<your-server>` 2

1

This command will generate a pair of keys at the location `~/.ssh`. Note that OpenSSH 7.0 and later no longer accept DSA keys by default, so on a current system generate the pair with `ssh-keygen -t ed25519` (or `-t rsa -b 4096`) and copy the matching `.pub` file in the next step.

2

This command will copy the public (.pub) half of the key to the user folder on your server as indicated. Make sure to copy the public part of the key. You'll have to enter the password of the user as part of the command. Note the output of the command in the screenshot below.

Figure 9.1. SSH Copy ID

The image above shows successful copy of the public key to the server as indicated.

Figure 9.2. SSH Key Login

At this point, if all has gone well, you should be able to log in to your machine without being prompted for a password, as indicated in the image above. If that is true, please continue. If not, stop here and figure out why it's failing.

The key generation and copy shown above take place on your workstation, desktop, or laptop. From this point forward, we will be configuring the web server.

Figure 9.3. SSH AllowUsers Config Directive

The screenshot above shows the directive we need to place in '/etc/ssh/sshd_config'. You'll have to manually create the directive near the end of the file. Make sure to back up the file before editing it. Also, restart the service after altering the file.

Figure 9.4. SSH No Root Login

The image above shows the PermitRootLogin no directive that we need to configure to forbid root login to our system. Once this directive has been uncommented in '/etc/ssh/sshd_config' as shown, the sshd service will need to be restarted.[34]

Figure 9.5. Set sudo Privileges

Now we need to set our regular user to be able to sudo commands, or change identity to the root user. This is a two-step process, shown in the screenshots above and below. First, as shown above, issue the command `visudo`, and find the line that is shown in the screenshot below.

Figure 9.6. Set sudo Commands for 'wheel' Group

Make sure to uncomment the line that contains NOPASSWD: ALL. This will make life much easier. Be aware of the trade-off: with NOPASSWD, anyone who obtains the user's private SSH key gets root without any further challenge, whereas the neighbouring wheel line without NOPASSWD keeps the password prompt in front of sudo.

Figure 9.7. wheel Group Modification

The screenshot above shows the output of two commands: the first adds our regular user to the wheel group, and the second verifies that the user is a member of the group as expected.

Figure 9.8. SSH Key Login with sudo Privileges

Finally, as shown above, we are able to login to our server without a password and immediately change to the root user. This process greatly enhances the security of our system as well as makes our life just a little easier.

[Important] Setting the PermitRootLogin Config Directive

Setting the PermitRootLogin no directive in the 'sshd_config' file is strongly encouraged. Attacks by script kiddies (see Script Kiddie on Wikipedia ) specifically target the root user account. If this account is set to not permit login, it can never be cracked. If you don't set the PermitRootLogin no directive, it is only a matter of time until your box is hacked. This is the quintessential example of "an ounce of prevention is worth a pound of cure".
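The two sshd_config checks for this section, added here as an example and not the course's own commands: it resolves the value sshd will actually use for a keyword and confirms PermitRootLogin no plus an AllowUsers entry for the regular user. The config excerpts and the user name bob are constructed.

```shell
#!/bin/sh
# Check an sshd_config for what this section sets: PermitRootLogin no and an
# AllowUsers list that still includes our regular user. Editor-added example,
# not part of the course; the two config files written by write_sample are
# constructed. Point sshd_check at /etc/ssh/sshd_config before restarting sshd.

# sshd_value FILE KEYWORD -> the value sshd will actually use for KEYWORD.
# sshd takes the FIRST uncommented occurrence of a keyword, so a
# "PermitRootLogin no" appended at the end of the file changes nothing if an
# uncommented "PermitRootLogin yes" already appears above it. Keywords are
# case-insensitive; lines inside a Match block are conditional and skipped.
# (The less common "Keyword=value" spelling is not handled here.)
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_check FILE USER -> 0 when root cannot log in over SSH and USER is in
# AllowUsers; prints one line per problem otherwise
sshd_check() {
    rc=0
    prl=$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != no ]; then
        echo "PermitRootLogin is '${prl:-<unset, sshd default applies>}', expected no"; rc=1
    fi
    allow=$(sshd_value "$1" AllowUsers)
    if [ -z "$allow" ]; then
        echo "AllowUsers is not set: any account may attempt to log in"; rc=1
    else
        found=0
        for u in $allow; do [ "$u" = "$2" ] && found=1; done
        [ "$found" = 1 ] || { echo "AllowUsers '$allow' omits $2: you would lock yourself out"; rc=1; }
    fi
    return $rc
}

# write_sample FILE VARIANT -> constructed sshd_config excerpts.
# "hardened": the stock commented-out line, then our two directives.
# "trap": an image whose sshd_config already says "PermitRootLogin yes"
# uncommented; appending our directives at the end does not override it.
write_sample() {
    if [ "$2" = trap ]; then
        printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$1"
    else
        printf 'Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1"
    fi
    printf '\n# added per the SSH Extras section\nAllowUsers bob\nPermitRootLogin no\n' >> "$1"
}

# Demo: the hardened file passes, the trap file is reported
demo_dir=$(mktemp -d)
for v in hardened trap; do
    write_sample "$demo_dir/$v" "$v"
    echo "== $v: PermitRootLogin resolves to '$(sshd_value "$demo_dir/$v" PermitRootLogin)'"
    sshd_check "$demo_dir/$v" bob && echo "== $v: OK"
done
rm -rf "$demo_dir"
```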

Apache Extras

In this section we'll address Apache configurations and utilities that are fairly common. The first is generating a self-signed SSL certificate that will permit the use of https (Secure HTTP). Next, we'll look at using a per-directory .htaccess file for Apache directives. Then we look at two utilities that can help tune our web server: ab, or ApacheBench, and apachetop. ab is a stress testing utility included with the Apache software.

Create a Self Signed SSL Certificate

The program listing below shows the sequence of commands that were used to create a self-signed SSL certificate. This process is lengthy, tedious, and can easily become confusing. Follow the steps listed closely to complete the exercise.

[Caution] Caveats of the Self-Signed SSL Certificate

The upside of the self-signed SSL certificate is that we can do it ourselves with freely available tools,[35] and it costs nothing. The downside is that, when employed for random users, the warning that it generates tends to scare some users away from the website where it's used. In practice, it works exactly the same as one that comes from Verisign or Thawte, etc. However, since we are not listed in every browser as a Certificate Authority (CA), and are therefore not verified as an authority, the browser throws a warning. The bottom line: if you're running financial transactions or a highly-trafficked web site with https, pay the $$$ for a CA signed certificate. If access is limited to users who know you, you're just as well off using the self-signed certificate.

 
    13:59:04
    root@alpha ~/
    --> cd /etc/pki/tls/private
    13:59:19
    root@alpha /etc/pki/tls/private/
        --> openssl genrsa -out alpha.talos-iv.net.key 1024 1 
        Generating RSA private key, 1024 bit long modulus
        ...++++++
        ..........++++++
        e is 65537 (0x10001)
    14:00:16
    root@alpha /etc/pki/tls/private/
    --> lsa
        total 8.0K
        -rw-r--r-- 1 root root 891 Aug 15 14:00 alpha.talos-iv.net.key 2
        -rw------- 1 root root 891 Feb 12  2014 localhost.key
    14:00:22
    root@alpha /etc/pki/tls/private/
    --> openssl req -days 3650 -new -key alpha.talos-iv.net.key -x509 -out alpha.talos-iv.net.crt 3
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:Texas
        Locality Name (eg, city) [Default City]:Austin
        Organization Name (eg, company) [Default Company Ltd]:webpointmorpheus   
        Organizational Unit Name (eg, section) []:
        Common Name (eg, your name or your server's hostname) []:alpha.talos-iv.net
        Email Address []:bob.carnaghi@gmail.com
    14:01:59
    root@alpha /etc/pki/tls/private/
    --> lsa
        total 12K
        -rw-r--r-- 1 root root 1.1K Aug 15 14:01 alpha.talos-iv.net.crt 4
        -rw-r--r-- 1 root root  891 Aug 15 14:00 alpha.talos-iv.net.key
        -rw------- 1 root root  891 Feb 12  2014 localhost.key
    14:02:04
    root@alpha /etc/pki/tls/private/
    --> cat alpha.talos-iv.net.key  5
        -----BEGIN RSA PRIVATE KEY-----
        MIICXgIBAAKBgQC9VkqL9+hiExZtopBSgVtaA6gLh2Dke4a+YuY+c9qAjmhLKt/j
        ...
        5N4lT51vqUz6ETkUuX3XUfWYCNytNNFd7g6GrlDHlobrFw==
        -----END RSA PRIVATE KEY-----
    14:02:19
    root@alpha /etc/pki/tls/private/
    --> cat alpha.talos-iv.net.crt
        -----BEGIN CERTIFICATE-----
        MIIC6jCCAlOgAwIBAgIJAIdy3aoQPccIMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
        ...
        TUIPBQ8JvkToALmwz1OikuaujPMK39thQ4Z/c1Hv
        -----END CERTIFICATE-----
    14:02:24
    root@alpha /etc/pki/tls/private/
    --> cd ..
    14:02:30
    root@alpha /etc/pki/tls/
    --> mv private/alpha.talos-iv.net.crt certs/ 6
    14:03:03
    root@alpha /etc/pki/tls/
    --> lsa private/ 7
    total 8.0K
        -rw-r--r-- 1 root root 891 Aug 15 14:00 alpha.talos-iv.net.key
        -rw------- 1 root root 891 Feb 12  2014 localhost.key
    14:03:12
    root@alpha /etc/pki/tls/
    --> lsa certs
        total 1.7M
        -rw-r--r-- 1 root root 1.1K Aug 15 14:01 alpha.talos-iv.net.crt
        -rw-r--r-- 1 root root 740K Dec 17  2013 ca-bundle.crt
        -rw-r--r-- 1 root root 956K Dec 17  2013 ca-bundle.trust.crt
        -rw------- 1 root root 1.2K Feb 12  2014 localhost.crt
        -rwxr-xr-x 1 root root  610 Jan  8  2014 make-dummy-cert
        -rw-r--r-- 1 root root 2.2K Jan  8  2014 Makefile
        -rwxr-xr-x 1 root root  829 Jan  8  2014 renew-dummy-cert
    14:03:15
    root@alpha /etc/pki/tls/
    --> chmod 400 private/alpha.talos-iv.net.key  8
    14:03:50
    root@alpha /etc/pki/tls/
    --> lsa private/
        total 8.0K
        -r-------- 1 root root 891 Aug 15 14:00 alpha.talos-iv.net.key 9
        -rw------- 1 root root 891 Feb 12  2014 localhost.key
    14:04:01
    root@alpha /etc/pki/tls/
    --> cd /etc/httpd/conf.d/ 10
    14:04:21
    root@alpha /etc/httpd/conf.d/
    --> lsa
        total 40K
        -rw-r--r-- 1 root root  295 Aug  2  2013 manual.conf
        -rw-r--r-- 1 root root 1.8K Apr 22  2005 perl.conf
        -rw-r--r-- 1 root root  674 Dec 10  2013 php.conf
        -rw-r--r-- 1 root root  392 Aug 13  2013 README
        -rw-r--r-- 1 root root 9.3K Aug  2  2013 ssl.conf
        -rw-r--r-- 1 root root  352 Sep  9  2004 webalizer.conf
        -rw-r--r-- 1 root root  299 Aug  2  2013 welcome.conf
        -rw-r--r-- 1 root root   43 Aug 23  2012 wsgi.conf
    14:04:23
    root@alpha /etc/httpd/conf.d/
    --> cat ssl.conf > ssl.conf.init 11
    14:04:32
    root@alpha /etc/httpd/conf.d/
    --> vi ssl.conf
    14:10:21
    root@alpha /etc/httpd/conf.d/
    --> cat ssl.conf 12
        LoadModule ssl_module modules/mod_ssl.so
        Listen 443
        SSLPassPhraseDialog  builtin
        SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
        SSLSessionCacheTimeout  300
        SSLMutex default
        SSLRandomSeed startup file:/dev/urandom  256
        SSLRandomSeed connect builtin
        #SSLRandomSeed startup file:/dev/random  512
        #SSLRandomSeed connect file:/dev/random  512
        #SSLRandomSeed connect file:/dev/urandom 512
        SSLCryptoDevice builtin
        #SSLCryptoDevice ubsec

        NameVirtualHost *:443

        ## SSL Virtual Host Context
        <VirtualHost *:443>

        ServerName alpha.talos-iv.net
        DocumentRoot /var/www/html
        ServerAdmin bob.carnaghi@gmail.com

        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn

        SSLEngine on

        SSLProtocol all -SSLv2

        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

        #   Server Certificate:
        SSLCertificateFile /etc/pki/tls/certs/alpha.talos-iv.net.crt

        #   Server Private Key:
        SSLCertificateKeyFile /etc/pki/tls/private/alpha.talos-iv.net.key

        #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
        #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>

        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0

        CustomLog logs/ssl_request_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

        </VirtualHost>                                  

    14:10:30
    root@alpha /etc/httpd/conf.d/
    --> service httpd restart 13
        Stopping httpd:                                            [  OK  ]
        Starting httpd:                                            [  OK  ]
    14:10:59
    root@alpha /etc/httpd/conf.d/
    --> httpd -S 14
        VirtualHost configuration:
        wildcard NameVirtualHosts and _default_ servers:
        *:80                   is a NameVirtualHost
                 default server alpha.talos-iv.net (/etc/httpd/conf/httpd.conf:1003)
                 port 80 namevhost alpha.talos-iv.net (/etc/httpd/conf/httpd.conf:1003)
                 port 80 namevhost virtual-host.talos-iv.net (/etc/httpd/conf/httpd.conf:1011)
        *:443                  is a NameVirtualHost
                 default server alpha.talos-iv.net (/etc/httpd/conf.d/ssl.conf:25)
                 port 443 namevhost alpha.talos-iv.net (/etc/httpd/conf.d/ssl.conf:25)
        Syntax OK
    14:11:10
    root@alpha /etc/httpd/conf.d/
    --> system-config-firewall-tui 15

1

This command generates the private key. Note the location in the file system that we're working from.

2

Here you can see that the key has been generated as expected. Make sure your key reflects your domain name, not mine.

3

The command listed in this step uses the private key from the previous step to generate the certificate. You will be prompted several times, as indicated. Make sure to enter your correct information; press ENTER to accept the default shown in brackets, or enter '.' to leave the field blank.

4

Now you can see that the certificate has been generated as expected. Both the private key and the certificate are sitting side by side; we'll move the certificate shortly.[36]

5

The next two commands simply show the contents of the key and certificate. Note that your full output will be different, as I've truncated the output of my files.

6

In this command the certificate is moved into the '/etc/pki/tls/certs' directory. Note that I've changed my location slightly.

7

The next two commands verify that the private key is in the '/etc/pki/tls/private' folder, and the certificate is in the '/etc/pki/tls/certs' folder. While not strictly enforced, these locations make the process simpler to understand.

8

This step is important. Access to the private key must be read only for the root user. If this isn't right, the process will not work correctly.

9

This is what the permission listing should look like for the private key.

10

Note that this step changes my working location on the file system. The next command lists the contents of the '/etc/httpd/conf.d' directory.

11

Backing up the 'ssl.conf' file. We've done this many times during the course to create an unaltered version of the initial file that was installed on the system. It's there if we ever need it for reference or backup.

12

This step shows the contents of the ssl.conf file after we have edited it. Make sure your ssl.conf file looks like the output that is indicated.[37] One caveat: the SSLProtocol and SSLCipherSuite lines are the stock settings shipped with this CentOS 6 package, and they still allow SSLv3, RC4 and the LOW cipher group, all of which have since been broken in practice. On a current server, also disable SSLv3 (`SSLProtocol all -SSLv2 -SSLv3`) and remove RC4 and LOW from the cipher list.

13

The web server must be restarted to incorporate the changes we've made to the configuration files.

14

This command dumps the parsed virtual host configuration; it confirms that our httpd configuration now includes the *:443 virtual host as desired and that the syntax is OK.

15

We'll need to open port 443 on the firewall; there's more on that below. It's the exact same process that we've done to open other ports during the course.
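The key and certificate steps above as a non-interactive script, added here as an example rather than taken from the course, with the checks a practitioner runs before editing ssl.conf: the key is mode 400, the certificate was really issued from that key, and its Common Name matches the ServerName. It assumes the openssl command-line tool is installed; the host name alpha.example.invalid, the DN fields and the scratch directory are constructed.

```shell
#!/bin/sh
# Non-interactive form of the key and certificate steps above, plus the checks
# to run before editing ssl.conf: the key is mode 400, the certificate was
# really issued from that key, and its Common Name is the ServerName.
# Editor-added example, not the course's own commands; host name and directory
# are parameters, DN values are constructed, and the openssl CLI is assumed
# to be installed (it comes in with the mod_ssl install in footnote 35).

# make_selfsigned DIR HOST [DAYS] -> writes DIR/HOST.key (mode 400) and DIR/HOST.crt
make_selfsigned() {
    dir=$1; host=$2; days=${3:-3650}
    # 2048-bit RSA: the 1024-bit size in the listing is below today's minimum
    # and current browsers reject certificates signed with such keys.
    # umask 077 so the key is never group/world readable, even for an instant.
    ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    chmod 400 "$dir/$host.key" || return 1
    # -subj answers the interactive DN prompts; substitute your own values
    openssl req -new -x509 -days "$days" -key "$dir/$host.key" \
        -subj "/C=US/ST=Texas/L=Austin/O=Example Org/CN=$host" \
        -out "$dir/$host.crt" 2>/dev/null
}

# key_mode FILE -> the ls permission string, "-r--------" for a mode 400 key
key_mode() { ls -l "$1" | cut -c1-10; }

# cert_matches_key CRT KEY -> 0 if the certificate carries KEY's public modulus,
# i.e. it was generated from this key. A mismatch (typically a regenerated key
# with ssl.conf still naming the old certificate) makes httpd refuse to start.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CRT -> the certificate's Common Name, which must equal ServerName
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's|.*CN *= *||; s|[,/].*||'
}

# Demo: generate into a scratch directory and run all three checks
demo_dir=$(mktemp -d)
demo_host=alpha.example.invalid
if make_selfsigned "$demo_dir" "$demo_host" 365; then
    echo "key mode: $(key_mode "$demo_dir/$demo_host.key")"
    cert_matches_key "$demo_dir/$demo_host.crt" "$demo_dir/$demo_host.key" \
        && echo "certificate matches key"
    echo "CN: $(cert_cn "$demo_dir/$demo_host.crt")"
fi
rm -rf "$demo_dir"
```

Current browsers also require a subjectAltName extension that names the host; with OpenSSL 1.1.1 or later add `-addext "subjectAltName=DNS:$host"` to the `openssl req` line.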

Figure 9.9. Open SSL Port 443

The image above shows opening port 443 on the firewall. The entire process isn't shown since we've done it many times before. Refer to the section called "HTTP Firewall" for more details. At this point, our web server should be accessible by calling the https protocol.

Figure 9.10. HTTPS Browser Certificate Warning

This image[38] shows that it's all working as expected, and we're presented with a browser warning that our certificate is Untrusted. That's what we expect, because it's not signed by an accredited Certificate Authority (CA). Click on "I Understand the Risks" to proceed.

Figure 9.11. SSL Certificate Contents

In this image we can see the details presented by the certificate. Note that it reflects exactly what we entered to the prompts above.

Figure 9.12. HTTPS in the Browser

Finally, we can see that we've got exactly what we want in the browser: our website running via secured and encrypted https. Note the lock and use of the https:// protocol that's indicated in the browser location bar.[39]

Use Apache .htaccess Files

As the content and complexity of a web server grows, it becomes increasingly difficult to manage the configuration. Breaking the configuration into several files helps. Also, by using per-directory .htaccess files, the server won't need to be restarted every time a new directive is placed in those files. The directives below are set in '/etc/httpd/conf/httpd.conf', and show how to establish use of these per-directory configuration files.

 
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
        AllowOverride All 1
    ...
    #
    # AccessFileName: The name of the file to look for in each directory
    # for additional configuration directives.  See also the AllowOverride
    # directive.
    #
    AccessFileName .htaccess 2

1

Find this directive and set it to All.

2

Make sure this directive is in place. The name can be changed if necessary, but the default (as indicated) is standard practice.

ab - ApacheBench Benchmarking Tool

Apache ab is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. This especially shows you how many requests per second your Apache installation is capable of serving. See `man ab` for more details.

This single-threaded command line program for measuring the performance of HTTP web servers was originally designed to test the Apache HTTP Server; however, it is generic enough to test any web server. The ab tool comes bundled with the standard Apache source distribution and, like the Apache web server itself, is free, open source software distributed under the terms of the Apache License. See ab - Apache Bench for details.

The following command shows example usage: `ab -n 100 -c 10 http://www.cnn.com/`. This will execute 100 HTTP GET requests, processing up to 10 requests concurrently, to the specified URL. Note that ApacheBench will only use one operating system thread regardless of the concurrency level. In some cases, especially when running high-capacity tests, the single instance of ApacheBench can itself be a bottleneck. When using ApacheBench on hardware with multiple processor cores, additional instances of ApacheBench may be used in parallel to more fully saturate the target URL.

apachetop - Server Monitoring Tool

apachetop Server Monitoring Tool - This is a console-based (non-gui) monitoring tool which reads the server-status pages from one or more Apache servers and combines the information onto one easy monitoring screen. Installation and use is left as an exercise to the student.

FTP Extras

The two configurations below will expand use of the FTP service on the machine. First, anonymous downloads may be useful under certain circumstances. Then, an anonymous FTP drop-box may be needed.

Anonymous FTP Download

In order to activate anonymous download on the FTP server, the following directive must be uncommented in '/etc/vsftpd/vsftpd.conf' as shown below. This will permit users to access the FTP server via the user scheme anonymous@<server-name>. Make sure to back up the file before configuration and to restart the service after.

    anonymous_enable=YES 1

1

Permits anonymous downloads; this directive must be explicitly set to NO to forbid anonymous login.

Creating an FTP Dropbox

The configuration shown below is complex and requires close attention to detail. The first block of commands must be executed on the file system. The second block must be configured in the '/etc/vsftpd/vsftpd.conf' file.

1. Create an upload directory owned by root:ftp and configured with 730 permissions:
    `cd /var/ftp/pub` 1
    `mkdir incoming`
    `chgrp ftp incoming`
    `chmod 730 incoming`

2. Modify '/etc/vsftpd/vsftpd.conf' as follows:
    anonymous_enable=YES 2
    local_enable=NO
    write_enable=YES
    anon_upload_enable=YES
    chown_uploads=YES
    chown_username=daemon
    ...
    anon_umask=077 3 
    anon_root=/var/ftp/pub/

1

These commands will establish the upload directory with proper permissions on the file system.

2

These directives are part of the default config file. Find each of them in turn and alter as indicated.

3

These directives must be added manually to the config file.

With this configuration, a user can access the server with ftp anonymous@<server-name> and upload a file. Because the upload is chowned to daemon and created with anon_umask=077, the file then becomes unavailable to that person or anyone else who tries to download it. You must access the uploaded file from inside the server.
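A check for the drop-box procedure above, added as an example and not part of the course: it verifies the vsftpd.conf directives from blocks 2 and 3 and the incoming directory's mode and group from block 1. The config excerpt is constructed, and the group is a parameter so the check can be tried on a machine without an ftp group.

```shell
#!/bin/sh
# Check an anonymous drop-box against the two blocks above: the vsftpd.conf
# directives from blocks 2 and 3, and the incoming directory's mode and group
# from block 1. Editor-added example, not part of the course. The config
# excerpt is constructed, and GROUP is a parameter so the check can be tried
# on a machine with no "ftp" group (pass ftp on the real server).

# vsftpd_value CONF KEY -> value of KEY; vsftpd.conf is strictly "key=value"
# with no spaces, and the last occurrence is taken here because a duplicate
# further down the file is the usual way a setting gets silently changed
vsftpd_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# dropbox_conf_check CONF -> 0 when every directive from blocks 2 and 3 is set
# as required; prints one line per deviation otherwise
dropbox_conf_check() {
    rc=0
    for pair in anonymous_enable=YES local_enable=NO write_enable=YES \
                anon_upload_enable=YES chown_uploads=YES chown_username=daemon \
                anon_umask=077 anon_root=/var/ftp/pub/; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_value "$1" "$key")
        [ "$got" = "$want" ] || { echo "$key=${got:-<unset>}, expected $want"; rc=1; }
    done
    return $rc
}

# dropbox_dir_check DIR GROUP -> 0 when DIR is mode 730 (drwx-wx---) and in
# GROUP: the ftp group may enter and create files but not list or read them,
# which is what stops the next anonymous visitor from fetching an upload
dropbox_dir_check() {
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(ls -ld "$1" | awk '{ print $4 }')
    rc=0
    [ "$mode" = "drwx-wx---" ] || { echo "$1 is $mode, expected drwx-wx--- (chmod 730)"; rc=1; }
    [ "$grp" = "$2" ] || { echo "$1 belongs to group $grp, expected $2 (chgrp $2)"; rc=1; }
    return $rc
}

# make_dropbox_dir DIR GROUP -> block 1 of the procedure, as a function
make_dropbox_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 730 "$1"
}

# write_sample_conf FILE -> a constructed vsftpd.conf excerpt edited as above
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt: defaults edited as in block 2
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
xferlog_enable=YES
listen=YES
# added by hand as in block 3
anon_umask=077
anon_root=/var/ftp/pub/
EOF
}

# Demo: build both halves in a scratch directory, check them, then show the
# most common slip: an anon_umask=022 added later makes uploads world-readable
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/vsftpd.conf"
make_dropbox_dir "$demo_dir/incoming" "$(id -gn)"
dropbox_conf_check "$demo_dir/vsftpd.conf" && echo "vsftpd.conf: OK"
dropbox_dir_check "$demo_dir/incoming" "$(id -gn)" && echo "incoming/: OK"
printf 'anon_umask=022\n' >> "$demo_dir/vsftpd.conf"
dropbox_conf_check "$demo_dir/vsftpd.conf" || echo "vsftpd.conf: needs attention"
rm -rf "$demo_dir"
```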

Additional Items Check Point

All the items in this chapter are optional. There is no check point for this chapter. If you are working on any of the configurations listed above and have problems, email me for assistance.



[31] This is the case if you want it enabled. Sometimes conflicts are avoided by setting the repo to be enabled=0, and enabling it on a per-command basis: `yum install xyz --enablerepo=rpmforge`.

[32] This directive makes for a more secure installation by verifying the checksum of the packages. However, it also involves making sure the GPG key for the repo is installed on the system.

[33] If you're using Windows with PuTTY, the commands will be different.

[34] Note that forbidding root login via SSH does not mean that the root user can't log in to the server at all. That account just can't log in via SSH.

[35] Make sure the package mod_ssl is installed. The most comprehensive way to get all the tools you need is to run the command `yum -y groupinstall web-server`.

[36] It is possible, at this point in the process, to create a CSR (Certificate Signing Request). The CSR is then sent to a CA (Certificate Authority) for signing, if that is what is desired. That's how to get around the browser warning that is indicated in the Caution note above. If this is what you need, it's left as an exercise for you.

[37] A couple of important points regarding this output. One is that, while I was editing this file, I removed all the comments. Also, note that the locations of the private key and certificate that we generated above are listed in the file. Finally, make sure the ServerName, ServerAdmin, and DocumentRoot directives reflect your web server, not mine.

[38] NOTE that this is what's presented with Firefox. YMMV.

[39] The SSL/TLS protocol is ubiquitous in our lives today. The actual initiation of communication between client and server is both clever and brilliant, in that the keys used are never sent over the wire. It's a multipart interaction called the SSL Handshake. See TLS Protocol on Wikipedia for more details.