Setup a Production CentOS LAMP Web Server

9
August 26, 2012 // Web Development

Overview
This article explains how to configure a production web server with CentOS Linux, Apache, MySQL, and PHP.  It will also explain how to harden the system to protect from typical intrusions.  All steps are required unless otherwise stated as “Optional”. Please read the steps thoroughly prior to doing them, since doing them incorrectly can leave the system in an unstable or unusable state.

Prerequisites
You should be proficient in getting around a Linux operating system. You should be familiar with the vi text editor for Linux. You should know common vi commands to open, insert, and save documents since they are not listed in this article. You should have a basic understanding of what a LAMP system is.

Problems or Feedback?
If you run into problems while running the following steps, please post comments below. I will try my best to help you get the issue(s) squared away, plus we can open it to the community for brainstorming. This article is by no means perfect, so it’s always good to hear feedback too. If you feel like something should be added to this article, please let me know.

Install Operating System
First you will need to get a server pre-installed with the latest stable release of CentOS. Most hosting companies do this step for you.  However, installing the CentOS operating system is outside the scope of this article.  Once that is done, you must SSH into the machine as the root user:

# ssh root@<new_server_ip_address>

Note: Any line that starts with a “#” symbol is used to denote entering text into a terminal window. Do not actually type the “#” symbol.

Tip: I recommend storing your root password in a safe place, such as PasswordSafe.

Update Yum and Install Initial Packages
We will be using Yellowdog Updater Modified (yum) as our package management utility. After you SSH into the web server as root, you will need to run the following commands to update the system:
# yum -y update
# yum -y groupinstall "Development Tools"
# yum -y install zlib-devel
# yum -y install httpd openssl-devel openssl mod_ssl vsftpd rpm-build rpm-devel autoconf automake lynx gcc
# yum -y install mysql mod_auth_mysql mysql-devel mysql-server
# yum -y install mod_python python python-devel
# yum -y install php-devel php php-common php-gd php-mcrypt php-mhash php-xml php-xmlrpc php-domxml php-gd php-mbstring php-mysql php-ncurses php-pear
# yum -y install sendmail sendmail-cf
# yum -y install wget
# yum -y install yum-utils
# yum -y install yum-plugin-replace
# yum -y install vim-X11 vim-common vim-enhanced vim-minimal
# yum -y install iptables
# yum -y install nmap
# yum -y install vixie-cron

Setup host access
We need to setup host access (TCP_WRAPPERS).  There are two host access files (/etc/hosts.allow and /etc/hosts.deny) that are part of the TCP_WRAPPER package.  This makes it possible to allow or deny access to certain services based on the IP.  We need to edit the hosts.allow and hosts.deny files:

Run the following command to edit the file in vi text editor:
# vi /etc/hosts.allow

Paste the following into the file and then save the file:
sshd:ALL
vsftpd:ALL
sendmail:ALL

Tip: I recommend limiting access to your production servers based on specific IP addresses.  This helps to prevent intruders from getting access to your server.  For example, let's say you have an office IP address of 55.55.55.55, you would make the sshd line look like this:
sshd:55.55.55.55

You can enter multiple IP addresses also (separated by spaces).

Run the following command:
# vi /etc/hosts.deny

Paste the following into the file to deny all other services and then save the file:
ALL:ALL

Create User Account
Create a user account that you will use to log in to this server.  Try to select a name that is distinct from your website.  For example, if your website is mywebsite.com, do not make your username called mywebsite.  In this example, we will use the username jesseforrest.  You will want to replace jesseforrest with a more logical username that fits your needs. This account will be used for SSH connections.

# adduser jesseforrest
# passwd jesseforrest

Enter in a password and hit enter.
Retype the password and hit enter.

Tip: Make sure to save the username and password in your PasswordSafe.

Allow the user jesseforrest to “su -” into the root user:
# usermod -G wheel jesseforrest

Test SSH Connectivity
You should now have SSH access to the new server and be able to “su -” into the root user. To test, open a new terminal window and run the following commands:

# ssh jesseforrest@<new_server_ip_address>
# su -

Enter in the root password.

Disable root SSH Access and Change Default SSH Port Number
The root account should never be able to login via SSH. The user should have to first login as a specific user and then “su -” into root.  We should also change the default port used for SSH connectivity to prevent from common attacks. We will switch the SSH port to 11985, but you can pick any open port you like.

Run the following command:
# vi /etc/ssh/sshd_config

Then change the following lines to match the following and then save it:
PermitRootLogin no
Protocol 2
Port 11985

Allow SSH Keys to Connect
You will want to use SSH keys to connect to your server instead of entering in a password.

Open a new terminal window and run the following command:
# ssh-keygen -t rsa -b 2048

Enter in a path to store your *_id_rsa file. The path should be similar to this:
~/.ssh/jesseforrest_id_rsa

Create a new passphrase.

Tip: Store this passphrase in your PasswordSafe.

On the client machine (the computer you will be connecting from) tighten up file system permissions:
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/*

Now copy the public key to the machine you want to SSH into and fix permissions:
# scp ~/.ssh/jesseforrest_id_rsa.pub jesseforrest@<ip_address_of_server>:

Connect to the remote server:
# ssh jesseforrest@<ip_address_of_server> -p 11985

You will need to create the ~/.ssh directory if it does not yet exist
# mkdir ~/.ssh

Append your public key to the authorized_keys file.
# cat ~/jesseforrest_id_rsa.pub >> ~/.ssh/authorized_keys

Remove the public key file from the server
# rm ~/jesseforrest_id_rsa.pub

Set the permissions so it is only readable and writable by you, the owner.
# chmod 600 ~/.ssh/authorized_keys
# chmod 700 ~/.ssh

Restart SSH Daemon:
# /etc/init.d/sshd restart

Setup Keychain 
Use Keychain, an SSH Agent, so that you don’t need to enter a passphrase every time you connect.  Install keychain if it is not installed yet:
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
# rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm
# yum install keychain

We need to add keychain to start automatically.
# vi ~/.bash_profile

Add the following line:
eval $(keychain --eval --agents ssh -Q --quiet jesseforrest_id_rsa)

Test SSH Connectivity
You should now have SSH access to the new server through SSH keys:
# ssh jesseforrest@<new_server_ip_address> -p 11985
# su -

Enter in the root password.

Disabling Password Logins (only allow SSH)
# vi /etc/ssh/sshd_config

Modify to the following and then save it:
PasswordAuthentication no
ChallengeResponseAuthentication no

Restart SSH Daemon:
# /etc/init.d/sshd restart

Update Path Variable
# vi ~/.bash_profile

Change the line “PATH=$PATH:$HOME/bin” to:
PATH=$PATH:/usr/sbin/:/sbin:$HOME/bin

Optional – Update Hosts File
If this server is not in the Domain Name System (DNS), you must explicitly add it to the /etc/hosts file so that you can reference it by host name.

If necessary, edit /etc/hosts by running the following command:
# vi /etc/hosts

Paste the IP address and host name of the server like this:
<ip_address> <host_name>

Example:
173.232.244.226 mywebsite.com

Setup Hostnames
Make sure the following is set in /etc/sysconfig/network with hostnames changed to the actual host name.

NETWORKING=yes
HOSTNAME=<host_name>

Example:
NETWORKING=yes
HOSTNAME=mywebsite

Start Cron Daemon
# /sbin/service crond start

Disabling SELinux
# vim /etc/selinux/config

Verify it is set to the following:
SELINUX=disabled

Configure the Required System Services to Start at Boot
# chkconfig httpd on
# chkconfig mysqld on
# chkconfig vsftpd on
# chkconfig sshd on
# chkconfig crond on
# chkconfig iptables on

Configure Apache
# vim /etc/httpd/conf/httpd.conf

Fill out the following information (replace <hostname> with something like mywebsite.com):

ServerAdmin support@mywebsite.com
ServerName <hostname>:80
NameVirtualHost *:80
DirectoryIndex index.php index.html index.htm
ServerTokens Prod
ServerSignature Off

Make this change wherever needed:
Options -Indexes FollowSymLinks

Add the following line if it does not exist:
TraceEnable Off

Save the file.

# vim /etc/httpd/conf.d/ssl.conf

Update the SSLCipherSuite line and change +LOW to !LOW

Save the file.

Restart HTTP Daemon
# /etc/init.d/httpd restart

Configure VSFTP
# vim /etc/vsftpd/vsftpd.conf

Make the following changes:
anonymous_enable=NO
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=nobody
ascii_upload_enable=YES
ftpd_banner= **** WARNING - Your actions are being logged ****
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
chroot_local_user=YES
userlist_deny=NO

Next, we need to configure vsftpd.userlist and specify which users can FTP to the server.  This compliments the userlist_deny setting in vsftpd.conf.  When set to NO, this makes the vsftpd.userlist file a list of users that ARE allowed to log in.

# vim /etc/vsftpd/user_list

We recommend removing all users so that nobody is able to FTP in.  However, if you want to allow a user to FTP in, you can add them here.

Configure MySQL
# cd /usr/share/doc/mysql-server-
(hit tab to get current version installed and then hit enter)

# cp my-medium.cnf /etc/my.cnf
(hit enter and then “y” to confirm)

# vim /etc/my.cnf

Paste the following and save. You might want to tweak these values based on your system specifications and database requirements:

[mysqld]
set-variable = max_connections=500
log-slow-queries
safe-show-database
query-cache-type = 1
query-cache-size = 150M
table_cache = 512
thread_cache_size=32
key_buffer_size=128M
long_query_time=2
log_queries_not_using_indexes

Note: This configuration will setup a query cache, log queries that take longer than 2 seconds to run, and log queries that are not using indexes. If you want to change any of this behavior you will need to make the appropriate changes to fit your needs.

Restart MySQL Daemon:
# /etc/init.d/mysqld restart

Now the root password for MySQL must be set using the following command.  Do NOT use the same root password as the Linux root password.

# mysqladmin -u root password "<password>"

Tip: Make sure to save the username and password in your PasswordSafe.

Optional – Install and Configure Memcached
Install the memcache daemon:
# yum install memcached

Start the daemon:
# /etc/init.d/memcached start

Even though memcached is running on the server, it’s not accessible from PHP without the PECL extension. So run this:
# pecl install memcache

(Use all defaults)

# vim /etc/php.ini
Paste the following at the bottom of the file:

[memcache]
extension=memcache.so

# vim /etc/sysconfig/memcached

Make the following changes:

PORT="11986"
CACHESIZE="1024"

Restart Apache
# /etc/init.d/httpd restart

Make the service startup on reboot
# chkconfig memcached on

Start Memcache
# /etc/init.d/memcached start

Optional – Install a GoDaddy Signed SSL Certificate

Generate private key:
# openssl genrsa -out ca.key 2048

Copy the necessary key to the required location
# cp ca.key /etc/pki/tls/private/<hostname>.key

Generate CSR:
# openssl req -new -key ca.key -out ca.csr

Enter in all required information.

Get the contents of the CSR by running:
# cat ca.csr

Copy all the contents into “Enter your Certificate Signing Request (CSR) below:” in GoDaddy.  Download bundle from GoDaddy and copy those files to the correct locations:

# cp <hostname>.crt /etc/pki/tls/certs/<hostname>.crt
# cp gd_bundle.crt /etc/pki/tls/certs/<hostname>-chain.crt

Update the Apache SSL configuration file:
# vim +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored:
SSLCertificateFile /etc/pki/tls/certs/<hostname>.crt

Change the path for the Certificate Key File:
SSLCertificateKeyFile /etc/pki/tls/private/<hostname>.key

Change the path to the intermediate bundle file:
SSLCertificateChainFile /etc/pki/tls/certs/<hostname>-chain.crt

Save and close

Restart HTTP Daemon
# /etc/init.d/httpd restart

Optional – Install a Self-Signed SSL Certificate
If you want to install a self-signed SSL certificate, you can follow these steps.

Generate private key:
# openssl genrsa -out ca.key 1024

Generate CSR:
# openssl req -new -key ca.key -out ca.csr

Enter in all required information

Generate self-signed key:
# openssl x509 -req -days 1825 -in ca.csr -signkey ca.key -out ca.crt

Copy the files to the correct locations (do not move them if you use SELinux):
# cp ca.crt /etc/pki/tls/certs
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr

Update the Apache SSL configuration file:
# vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored:
SSLCertificateFile /etc/pki/tls/certs/ca.crt

Change the path for the Certificate Key File:
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Save and close

Restart HTTP Daemon
# /etc/init.d/httpd restart

Optional – Example Configuring Iptables 
This will configure Iptables to open the following input ports: 80 (HTTP), 443 (HTTPS), 11985 (SSH). It will also open the following output ports: 80 (HTTP), 443 (HTTPS).

# /sbin/iptables -P INPUT ACCEPT
# /sbin/iptables -F
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Drop packets where new incoming tcp connections are not SYN
# /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop packets with incoming fragments
# /sbin/iptables -A INPUT -f -j DROP
Drop incoming malformed XMAS packets
# /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop incoming malformed NULL packets
# /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 11985 -j ACCEPT
# /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
# /sbin/iptables -P INPUT DROP
# /sbin/iptables -P FORWARD DROP
# /sbin/iptables -P OUTPUT ACCEPT

Verify and Save Iptables
Some ports might appear in the nmap output even if you specified them restricted in iptables.  This is probably because they are being run from localhost.  To verify your iptables configuration you can run:
# /sbin/iptables -L

Run the following if correctly configured:
# /sbin/service iptables save

Verify only the ports you want opened are listed by running the following
# nmap -sT -O localhost

Update PHP Configuration
# vim /etc/php.ini

Make these changes:

display_errors = Off
date.timezone = America/New_York
html_errors = Off
expose_php = Off
error_log = /var/log/php_errors.log

Tip: Set date.timezone to whatever is applicable to your server.  A list of timezones are available on PHP’s List of Supported Timezones web page. 

Save and quit.

Optional – Install GeoIP
# yum -y install GeoIP GeoIP-devel
# pecl install geoip
# vim /etc/php.ini

Add this to end of php.ini:

[geoip]
extension=geoip.so

Save and quit.

Protect Files and Folders

Set the correct restrictions:
# chown -R apache:apache /var/www/html/

Write protect Apache, PHP, and MySQL configuration files:

# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.cnf
# chattr +i /etc/httpd/conf/httpd.conf

Restart HTTP Daemon
# /etc/init.d/httpd restart

Verifying Configuration Works
# vim /var/www/html/info.php

Enter:
<?php phpinfo();

Save and quit.

Use browser to hit:
http://<Server_IP_Address>/info.php

Optional – Install locate and updatedb on CentOS

# yum install mlocate
# /etc/cron.daily/mlocate.cron

References
http://www.rayheffer.com/36/building-a-secure-web-server-with-centos-5-part-1/
https://wiki.archlinux.org/index.php/SSH_Keys

 

About the author

9 Comments

  1. Hey Jesse – just a quick note to say thanks for this fantastic resource, it’s been really helpful. Cheers

  2. Great tutorial, well explained and contains useful information to harden a production server without loosing performance.

  3. Thanks for the awesome guide. Was very helpful setting up the VPS for my website. One thing to note though is in the iptables configuration part. Make sure you specify the correct interface. It stumped me for a while until I realized my interfaces were labeled venet0:1 and venet0:2 and not eth0. Thanks again.

  4. vim-X11 was optional

  5. Pingback: New web and mail servers - Geeky Nick

  6. Might be good to include that you need to enable the EPEL repository in order to install several of the packages listed in this guide.

  7. Hi, i think that blank ftp is not very secure i would be great if you add a tls layer or change it for a SFTP server.

  8. Jesse, Great article.

    I think the following link would be a worthwhile addition to this article.
    http://howtolamp.com/lamp/

    Contains detailed instructions on setting up LAMP Stack. And I mean very detailed!!

  9. Pingback: 6 Choices for a localhost Web Development Environment | JKL WordPress

Leave a Comment


*