Securing the Apache HTTP Server
The Apache HTTP Server is one of the most stable and secure services that ships with major Linux Server Distros.
Below is a few list of configuration options administrators should be careful using.
This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.
This directive is enabled by default, be sure to use caution when creating symbolic links to the
document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.
The UserDir Directive
The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:
UserDir enabled UserDir disabled root
These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space delimited list of users on the UserDir disabled line.
Do Not Remove the IncludesNoExec Directive
Restrict Permissions for Executable Directories
Be certain to only assign write permissions to the root user for any directory containing scripts or CGIs. This can be accomplished by typing the following commands:
chown root[directory_name] chmod 755 [directory_name]
Tags: Apache, HTTP, Securing, server
Why we should not use the no_root_squash Option
By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account.
In this way, all root-created files are owned by nfsnobody, which prevents uploading of programs with the setuid bit set.
no_root_squash - Allows root users on client computers to have root access on the server. Mount requests for root are not be mounted to the anonomous user. This option is needed for diskless clients.
root_squash - Requests from root clients are mapped to the nobody user and group ID so they will only have file privileges associated with other.
ro - read only access
rw - read write access
If no_root_squash is used, remote root users are able to change any file on the shared file system and leave trojaned applications for other users to inadvertently execute.
Tags: NFS, no_root_squash, Option
Common NFS Syntax Errors
The NFS server determines which file systems to export and which hosts to export these direct-
ories to via the /etc/exports file.
Be careful not to add extraneous spaces when editing this file.
For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host serverbuddies.example.com with read/write permissions.
/tmp/nfs/ serverbuddies.example.com(rw)
This line in the /etc/exports file, on the other hand, shares the same directory to the host serverbuddies.example.com with read-only permissions and shares it to the world with read/write permis-sions due to a single space character after the hostname.
/tmp/nfs/ serverbuddies.example.com (rw)
It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:
Tags: Common, errors, NFS, Syntax
Troubleshooting Issues with ensim installer
Issues that you may encounter during the installation. You may refer to the log file /var/log/ensim/installer..-.log for details.
Example:
During installation, the following message is displayed:
This means The host file is incorrect.
The file /etc/hosts should contain the host name and IP address of your server (see the following example). If it does not, use an editor to modify the file.
Example
—/etc/hosts begin file—
127.0.0.1
localhost.localdolocalhost
1.2.3.4 myhost.mydomain.com
myhost
—/etc/hosts end file—
where 1.2.3.4 is the IP address of myhost.mydomain.com
Also check the file /etc/sysconfig/network. The host name must be a fully qualified domain name.
See the following example.
Incorrect: myhost
Correct: myhost.mydomain.com
Tags: Ensim Support, Installer, Issues, Troubleshooting
Install Parallels Pro Control Panel into Virtuozzo Containers.
Steps:
Install the Containers and then install Parallels Pro CP.
Download the respective Parallels Pro Virtuozzo Container Template.
For CentOS 5 i386:
http://download.pro.parallels.com/ensim/apt/ensim/EPL/10.3.4/ez/ppcpl10-centos-5-x86-ez-4.0.0-3.parallels.noarch.rpm
Before installing Parallels Pro CP from Parallels Virtuozzo Containers Templates, prepare your Virtuozzo Containers according to the requirements below.
Important: before proceeding with the Containers installation, make sure that the hostname –i command doesn’t return 127.0.0.1 IP.
Before creating the Containers and installing Parallels Pro CP, log in as root to your Hardware Node. Open the /etc/sysconfig/vz file and change the value of the VZPRIVRANGE to “1 N” where N is max ID of Container you will be using, for example:
Refer to the log file /var/log/ensim/installer..-.log for errors during the installation.
Tags: Containers, Control, Panel, Parallels, Pro, Virtuozzo
