
SBDavid

Securing the Apache HTTP Server

The Apache HTTP Server is one of the most stable and secure services that ships with major Linux Server Distros.

Below is a list of configuration options that administrators should use with care.

The Indexes Directive

This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.

FollowSymLinks

This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.

The UserDir Directive

The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:

UserDir enabled
UserDir disabled root

These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.
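The three settings above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that reports Indexes, FollowSymLinks and a UserDir that is on without `UserDir disabled root`. The function name, the sample configuration and the message texts are assumptions made for illustration.

```python
# Options the post warns about, and what each one allows.
RISKY_OPTIONS = {
    "indexes": "directories without an index file can be browsed",
    "followsymlinks": "symbolic links are followed, even out of the document root",
}

def audit_apache(conf_text):
    """Return (line_number, section, message) for each setting discussed above."""
    findings, sections = [], []
    userdir_line, root_disabled = None, False
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                    # end of a <Directory>-style section
            sections = sections[:-1]
        elif line.startswith("<"):
            sections.append(line.strip("<>"))
        else:
            name, *args = line.lower().split()
            where = sections[-1] if sections else "server config"
            if name == "options":
                for opt in (a.lstrip("+") for a in args):   # "-Indexes" stays unflagged
                    if opt in RISKY_OPTIONS:
                        findings.append((number, where, f"{opt}: {RISKY_OPTIONS[opt]}"))
            elif name == "userdir" and args[:1] == ["disabled"]:
                # a bare "UserDir disabled" turns user directories off for everyone
                root_disabled = root_disabled or not args[1:] or "root" in args[1:]
            elif name == "userdir":
                userdir_line = number
    if userdir_line and not root_disabled:
        findings.append((userdir_line, "server config",
                         "userdir: enabled without 'UserDir disabled root'"))
    return findings

SAMPLE = """# constructed sample, not from a real server
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/static">
    Options -Indexes
</Directory>
UserDir enabled
"""

if __name__ == "__main__":
    for finding in audit_apache(SAMPLE):
        print(*finding, sep=" | ")
```
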

Do Not Remove the IncludesNoExec Directive

Restrict Permissions for Executable Directories

Be certain to only assign write permissions to the root user for any directory containing scripts or CGIs. This can be accomplished by typing the following commands:

chown root [directory_name]
chmod 755 [directory_name]

Installation Instructions

Obtaining the Installer Script

You can obtain the installer script from the FTP server or from the download page:

http://download.pro.parallels.com/ensim/apt/ensim/EPL/10.3.4/ensim-installer.py

Before you start the installation: if you select any option other than the Everything option, refer to the List of RPMs to verify the RPMs required on the Parallels Pro Control Panel server.

Attended Installation

python ensim-installer.py -n [admin_username] -p [admin_passwd] -m [admin_email]
[installation_files_source] [os_update_repository]

Examples

In the following example, the command installs Parallels Pro Control Panel on RHEL by obtaining the necessary Parallels Pro Control Panel files from the Parallels FTP server, and the operating system RPMs, updates RPMs and extras RPMs from RHN.

python ensim-installer.py -n admin -p passwd -m example1@example.com

Note:

Parallels Pro Control Panel can also be installed on a Virtuozzo server. The Virtuozzo server allows you to create multiple, isolated virtual environments on a single physical server.

Protecting Server Resources from Denial of Service Using xinetd

Another important feature of xinetd is its ability to control the amount of resources which services under its control can utilize.

It does this by way of the following directives:

cps = [number_of_connections] [wait_period] — Dictates the connections allowed to the service per second. This directive accepts only integer values.

instances = [number_of_connections] — Dictates the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.

per_source = [number_of_connections] — Dictates the connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.

rlimit_as = [number[K|M]] — Dictates the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

rlimit_cpu = [number_of_seconds] — Dictates the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any one xinetd service from overwhelming the system, resulting in a denial of service.
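To see which services actually carry these limits, the following added example (not from the original post) parses xinetd service blocks and reports, per service, any of the five directives that is missing, set to UNLIMITED or not in the form described above. The function names and the sample configuration are assumptions, as is the treatment of a `defaults` block as inherited by every service.

```python
import re

LIMITS = ("cps", "instances", "per_source", "rlimit_as", "rlimit_cpu")
BLOCK = re.compile(r"^\s*(?:service\s+)?(\S+)\s*\{(.*?)\}", re.S | re.M)
ATTR = re.compile(r"^\s*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def parse_blocks(text):
    """Map each 'service NAME' or 'defaults' block to its attribute = value pairs."""
    text = re.sub(r"#.*", "", text)                    # drop comments
    return {name: dict(ATTR.findall(body)) for name, body in BLOCK.findall(text)}

def problem(name, value):
    """Return why a limit is ineffective, or None for a finite, well-formed value."""
    if value is None:
        return "not set"
    if value.upper() == "UNLIMITED" and name != "cps":
        return "UNLIMITED"                             # accepted by xinetd, but no limit
    # cps takes two integers, rlimit_as an optional K or M suffix, the rest one integer
    pattern = {"cps": r"\d+\s+\d+", "rlimit_as": r"\d+[KM]?"}.get(name, r"\d+")
    return None if re.fullmatch(pattern, value) else "malformed"

def audit_xinetd(text):
    """Return {service: {attribute: problem}}; a defaults block is assumed inherited."""
    blocks = parse_blocks(text)
    defaults = blocks.pop("defaults", {})
    report = {}
    for service, attrs in blocks.items():
        found = {n: problem(n, {**defaults, **attrs}.get(n)) for n in LIMITS}
        report[service] = {n: p for n, p in found.items() if p}
    return report

SAMPLE = """# constructed sample, not taken from a real host
service telnet
{
    cps = 25 30
    instances = 50
    per_source = 5
    rlimit_as = 8M
    rlimit_cpu = 20
}
service ftp
{
    instances = UNLIMITED
}
"""

if __name__ == "__main__":
    for service, problems in audit_xinetd(SAMPLE).items():
        print(service, problems or "all five limits set")
```
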

How to install CSF Firewall on your Server.

Installation

Installation is quite straightforward:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Don’t worry if you cannot run all the features, so long as the script doesn’t report any FATAL errors.

You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD you can remove the combination (which you will need to do if you have them installed, otherwise they will conflict horribly):

sh /etc/csf/remove_apf_bfd.sh

That’s it. You can then configure csf and lfd by editing the files directly in /etc/csf/*, or on cPanel servers use the WHM UI.

csf installation for cPanel is preconfigured to work on a cPanel server with all the standard cPanel ports open.

csf installation for DirectAdmin is preconfigured to work on a DirectAdmin server with all the standard DirectAdmin ports open.

csf auto-configures your SSH port on installation where it’s running on a non-standard port.

csf auto-whitelists your connected IP address where possible on installation.

You should ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS servers have this disabled and you should check /etc/init.d/syslog and make sure that any klogd lines are not commented out. If you change the file, remember to restart syslog.

Download the firewall script from: http://www.configserver.com/

Connecting to and Disconnecting from the MySQL Server

You should be able to connect like this:

shell> mysql -h host -u user -p
Enter password: ********

host and user represent the host name where your MySQL server is running and the user name of your MySQL account. Substitute appropriate values for your setup.

The ******** represents your password; enter it when mysql displays the Enter password: prompt.

If that works, you should see some introductory information followed by a mysql> prompt:

shell> mysql -h host -u user -p

The mysql> prompt tells you that mysql is ready for you to enter commands.
