Archive for 2008
HowTo: Mod_Security Installation on Linux/Plesk server
Posted by Jason Web Hosting Monday 17 November 2008 9:37 pm
The following is a step-by-step guide on “How to install Mod_security2 on a Linux/Plesk server”, which is used to secure your server from Apache exploits.
First download and extract mod_security
cd /etc/httpd/
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz
tar -zxf modsecurity-apache_2.5.7.tar.gz
cd modsecurity-apache_2.5.7/apache2
Next, compile mod_security as a module using apxs. BTW, APXS is an Apache tool for building Apache modules.
apxs -cia mod_security2.c
You may find that you don’t have apxs on your server; in that case you will have to install the httpd-devel package using yum.
yum install httpd-devel
Once mod_security2 is installed, make sure you have the ‘LoadModule’ line in your Apache configuration (httpd.conf) file and the module “mod_security2.so” itself under the ‘modules’ directory.
LoadModule security2_module modules/mod_security2.so
Now create a modsecurity configuration file named modsecurity.conf under the /etc/httpd/conf.d/ directory, since every *.conf file in conf.d gets loaded. Below is a sample configuration file you may use:
# Directive names are the ModSecurity 2.x ones; mod_security2 does not accept the 1.x SecFilter* names
SecRuleEngine On
SecDefaultAction "phase:2,deny,log,status:500"
# Inspect request bodies (POST data)
SecRequestBodyAccess On
SecCookieFormat 1
# Reject requests whose URL encoding is invalid (a rule in 2.x, not a directive)
SecRule REQUEST_URI "@validateUrlEncoding"
# The 1.x cookie-check, cookie-normalisation and response-token directives have no 2.x directive
# If you want to scan the output, uncomment these
#SecResponseBodyAccess On
#SecResponseBodyMimeType (null) text/html text/plain
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsecurity/audit_log
# You normally won't need debug logging
SecDebugLogLevel 0
SecDebugLog /var/log/modsecurity/modsec_debug_log
# Include the sample rule files you just downloaded
Include /etc/httpd/conf.d/apache2-rules.conf*
Include /etc/httpd/conf.d/badips.conf*
Include /etc/httpd/conf.d/blacklist.conf*
Include /etc/httpd/conf.d/blacklist2.conf*
Include /etc/httpd/conf.d/proxy.conf*
Include /etc/httpd/conf.d/rootkits.conf*
Include /etc/httpd/conf.d/rules.conf*
Download the sample rules from
wget http://hostanswers.net/modsecurity/sample_mod_rules.tar.gz
Please note: These are just the default rules that come with Mod_security2 and you need to modify them as per your needs.
At the end, make sure you create a modsecurity directory and ‘audit_log’ file and restart apache.
mkdir /var/log/modsecurity
touch /var/log/modsecurity/audit_log
service httpd restart
If you have problems accessing websites, look at the error log at
/etc/httpd/logs/audit_log
Just FYI, if you wish to disable mod_security, just comment out the modsecurity ‘LoadModule’ line in your Apache configuration file and restart Apache.
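A check to run before the restart step above, as an added example that is not part of the original post: it confirms the LoadModule line is active, flags ModSecurity 1.x SecFilter* directive names (which mod_security2 does not accept), and verifies the audit log directory exists. The function name, finding labels and sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a ModSecurity 2.x setup
# before restarting Apache. Prints one line per finding; returns 0 when clean.
modsec_preflight() {
    httpd_conf=$1; modsec_conf=$2; rc=0

    # The module must be loaded by an uncommented LoadModule line.
    if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security2_module[[:space:]]' "$httpd_conf"; then
        echo "no-loadmodule: security2_module is not loaded in $httpd_conf"; rc=1
    fi

    # mod_security2 does not know the 1.x SecFilter* directive names.
    for d in $(awk '$1 ~ /^SecFilter/ { print $1 }' "$modsec_conf" | sort -u); do
        echo "legacy-directive: $d"; rc=1
    done

    # The post creates the audit log directory by hand; check that it is there.
    log=$(awk '$1 == "SecAuditLog" { print $2; exit }' "$modsec_conf")
    if [ -n "$log" ] && [ ! -d "$(dirname "$log")" ]; then
        echo "no-log-dir: $(dirname "$log")"; rc=1
    fi
    return $rc
}

# Constructed sample input (not a real server's files).
demo=$(mktemp -d)
printf '%s\n' '#LoadModule security2_module modules/mod_security2.so' > "$demo/httpd.conf"
printf '%s\n' 'SecFilterEngine On' 'SecFilterScanPOST On' \
    "SecAuditLog $demo/missing/audit_log" > "$demo/modsecurity.conf"
modsec_preflight "$demo/httpd.conf" "$demo/modsecurity.conf" ||
    echo "fix the findings above before running: service httpd restart"
```

On a real server, pass /etc/httpd/conf/httpd.conf (path assumed) and /etc/httpd/conf.d/modsecurity.conf as the two arguments.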
How to create a self-signed certificate using OpenSSL?
Posted by Jason Web Hosting Sunday 16 November 2008 8:40 pm
The openssl toolkit is used to generate an RSA key and a CSR (Certificate Signing Request). The CSR and the key can then be used to generate a self-signed certificate, which can be used for a website or any other service on the server. Follow the steps below to generate a self-signed certificate:
Step 1: Creating an RSA private key
root@localhost [~]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
………………….++++++
……………++++++
e is 65537 (0x10001)
You have now created a 1024-bit RSA private key, which is stored in the server.key file.
Step 2: Creating a CSR (Certificate Signing Request)
root@localhost [~]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:Berkshire
Locality Name (eg, city) [Newbury]:Newbury
Organization Name (eg, company) [My Company Ltd]:My Company Ltd
Organizational Unit Name (eg, section) []:section
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:email@section
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using server.key (the RSA key created in the first step), we now generate a CSR (Certificate Signing Request), which is used for generating an SSL certificate. The CSR is stored in the server.csr file. You need to provide all your information, such as country, city and state, while generating the CSR.
Step 3: Creating a Certificate
root@localhost [~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/OU=section/CN=localhost/emailAddress=email@section
Getting Private key
You have now generated an x509 self-signed certificate valid for 365 days, using the RSA key and CSR generated above. The certificate is stored in the server.crt file. Make sure you use server.crt (certificate) and server.key (private key) when installing it on any service or website.
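The three steps above without the interactive prompts, followed by the checks worth running before the pair is installed, as an added example that is not part of the original post. It assumes a 2048-bit key and SHA-256 rather than the post's 1024 bits; the function names and the CN are illustrative.

```shell
#!/bin/sh
# Added example: steps 1-3 without prompts, then checks on the result.
# Assumptions: 2048-bit key and SHA-256 (the post uses 1024 bits);
# the function names and the CN passed in are illustrative.

make_selfsigned() (   # usage: make_selfsigned DIR COMMON_NAME [DAYS]
    umask 077         # subshell body: key files end up owner-only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
    openssl x509 -req -sha256 -days "${3:-365}" -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
)

# True when the certificate carries the public half of this RSA key.
pair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) &&
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when subject and issuer are the same name, i.e. no CA vouches for it.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# True when the certificate is still valid N days from now (default 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

work=$(mktemp -d)   # scratch directory for the demonstration
make_selfsigned "$work" localhost 365
pair_matches "$work/server.key" "$work/server.crt" && echo "key and certificate match"
is_self_signed "$work/server.crt" && echo "self-signed: clients must be told to trust it"
valid_for_days "$work/server.crt" 30 && echo "not expiring within 30 days"
```

A mismatch reported by pair_matches is the usual reason a service refuses to start after a certificate is swapped, so it is worth running before every install.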
phpMyAdmin - Error #2002 - MySQL server’s socket is not correctly configured
Posted by Jason Web Hosting Sunday 16 November 2008 8:10 pm
In order to get rid of this issue, edit the file, /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php
and search for
$cfg['Servers'][$i]['socket'] = '';
change to
$cfg['Servers'][$i]['socket'] = '/var/lib/mysql/mysql.sock';
next line
$cfg['Servers'][$i]['connect_type'] = 'tcp';
change to
$cfg['Servers'][$i]['connect_type'] = 'socket';
If this doesn’t fix the issue, make sure MySQL is running on your server and that you have a symlink for mysql.sock under /tmp. To create the symlink, execute:
ln -s /var/lib/mysql/mysql.sock /tmp