Archive for the tag 'tips'

Apache Security Tips - Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users — since root never executes any files out of there, and shouldn’t be creating files in there.
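
The rule above (files, their directories, and every parent directory writable only by root) can be checked with a short script. This is an added example, not part of the original Apache text; the function names unsafe_reason and audit_chain and the optional UID and TOP arguments are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example (not from the Apache documentation): verify that a path and
# every parent directory is owned by the expected uid and is not writable by
# group or other, per the rule stated above.

# unsafe_reason PATH UID: prints why PATH fails the rule; prints nothing if it passes.
unsafe_reason() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -n "$(find "$1" -prune ! -user "$2" -print)" ]; then
        echo "not owned by uid $2"
    elif [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "group/other writable"
    fi
    return 0
}

# audit_chain PATH [UID] [TOP]: checks PATH and each parent up to TOP.
# UID defaults to 0 (root) and TOP to /. Prints one line per failing
# component and returns 1 if any component failed.
audit_chain() {
    uid=${2:-0}; top=${3:-/}; rc=0
    # Resolve symlinks in the directory part so the real parents are walked.
    if [ -d "$1" ]; then
        p=$(cd "$1" && pwd -P)
    else
        p=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    fi
    while :; do
        reason=$(unsafe_reason "$p" "$uid")
        if [ -n "$reason" ]; then
            echo "UNSAFE $p: $reason"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Run as a script: sh audit.sh /usr/local/apache/bin/httpd
if [ "$#" -gt 0 ]; then audit_chain "$@"; fi
```

A symbolic link as the final path component is reported as group/other writable, because the link's own mode is examined rather than its target's.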

Settings for ifcfg-eth0

The /etc/sysconfig/network-scripts/ifcfg-eth0 file should have the following.

—/etc/sysconfig/network-scripts/ifcfg-eth0 begin file—
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=IP_address_host_server
# NETMASK: please check with your service provider
NETMASK=netmask_value
GATEWAY=ip_address_gateway
—/etc/sysconfig/network-scripts/ifcfg-eth0 end file—

Before you use Parallels Pro Control Panel to perform provisioning or management operations, you must provide the license key information, if you have not provided the information at the time of installation. You receive the license key in the order confirmation email when you buy Parallels Pro Control Panel.

SBDavid

Ensim Install tips

Important: If you use the -x option with the installer to specify the network interface on which sites are to be provisioned, make sure that you add the IP address of the interface as the first entry in the /etc/hosts file before running the installer.

/etc/resolv.conf file

—/etc/resolv.conf begin file—
nameserver primary_name_server_ip_address
nameserver secondary_name_server_ip_address
—/etc/resolv.conf end file—

/etc/sysconfig/network file

—/etc/sysconfig/network begin file—
NETWORKING=yes
DOMAIN=mydomain.com
HOSTNAME=myhost.mydomain.com
GATEWAY=ip_address_gateway
—/etc/sysconfig/network end file—
SBDavid

ssh debugging tips

The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the default, with ssh falling back to protocol 1 if it detects protocol 2 is unsupported. These settings may be altered using the Protocol option in ssh_config(5).

-v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems.

Multiple -v options increase the verbosity. The maximum is 3.

Example:

jyothis@dell:~$ ssh root@192.168.1.1 -v
OpenSSH_4.7p1 Debian-8, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/jyothis/.ssh/identity type -1
debug1: identity file /home/jyothis/.ssh/id_rsa type 1
debug1: identity file /home/jyothis/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0