In this tutorial we will deploy a secure LAMP-based web server with multiple virtual hosts and an SSL site. The commands (yum, systemctl, EPEL 7) assume CentOS/RHEL 7. We will assume the plain-HTTP sites site1.com and site2.com and one SSL site, mysslsite.com, which is the name used in the SSL section at the end.
First step: install LAMP, starting with MariaDB
yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service
Secure the MariaDB installation (this sets the root password, removes the anonymous users and the test database, and disables remote root login)
mysql_secure_installation
Install the Apache server
yum -y install httpd
systemctl start httpd.service
systemctl enable httpd.service
Install PHP with the modules we need (php-mysql is the one the sites actually require; the rest are optional and each one widens the attack surface, so drop the ones you do not use)
yum -y install php
yum -y install php-mysql
yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
Restart Apache so it loads the PHP module
systemctl restart httpd.service
Now let's install phpMyAdmin. It ships in the EPEL repository, so add that first. Fetch the release RPM over HTTPS rather than plain HTTP so it cannot be swapped in transit (on CentOS 7 the signed epel-release package in the extras repository is the equivalent); rpm verifies the package signature once the key is installed
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Install phpMyAdmin
yum -y install phpMyAdmin
Restrict who may reach phpMyAdmin. The packaged configuration only allows 127.0.0.1 and ::1 by default (the Require ip lines); add the addresses of your admin workstations to those lines rather than opening it to everyone, since phpMyAdmin is a database console exposed over HTTP
vi /etc/httpd/conf.d/phpMyAdmin.conf
Change the authentication method. With 'http' the browser sends the MariaDB username and password in the Authorization header on every request, so only serve phpMyAdmin over HTTPS; 'cookie' is the packaged default
vi /etc/phpMyAdmin/config.inc.php
[...]
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
[...]
Restart Apache
systemctl restart httpd.service
Now we set up the virtual hosts. Each site gets its own document root under /var/www/html/<site>/public_html, owned by an unprivileged user, plus one config file in sites-available that is enabled by a symlink in sites-enabled. The directory names must match the DocumentRoot lines in the config exactly (the original mixed site1 and site1.com). Note that chmod -R 755 also sets the execute bit on files; 755 on directories and 644 on files is the usual choice.
mkdir -p /var/www/html/site1.com/public_html
mkdir -p /var/www/html/site2.com/public_html
useradd webadmin
passwd webadmin
chown -R webadmin:webadmin /var/www/html/site1.com/public_html
chown -R webadmin:webadmin /var/www/html/site2.com/public_html
chmod -R 755 /var/www/html
Tell Apache to include the per-site config files
vi /etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf
mkdir /etc/httpd/sites-enabled
mkdir /etc/httpd/sites-available
cd /etc/httpd/sites-available
Create the site configs. The logs sit beside public_html, not inside it, so they are not served to clients
vi site1.com.conf
<VirtualHost *:80>
    ServerName www.site1.com
    ServerAlias site1.com
    DocumentRoot /var/www/html/site1.com/public_html
    ErrorLog /var/www/html/site1.com/error.log
    CustomLog /var/www/html/site1.com/requests.log combined
</VirtualHost>
vi site2.com.conf
<VirtualHost *:80>
    ServerName www.site2.com
    ServerAlias site2.com
    DocumentRoot /var/www/html/site2.com/public_html
    ErrorLog /var/www/html/site2.com/error.log
    CustomLog /var/www/html/site2.com/requests.log combined
</VirtualHost>
Enable both sites
ln -s /etc/httpd/sites-available/site1.com.conf /etc/httpd/sites-enabled/site1.com.conf
ln -s /etc/httpd/sites-available/site2.com.conf /etc/httpd/sites-enabled/site2.com.conf
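The virtual-host steps above, as an added example script that is not part of the original tutorial: it creates the per-site layout and writes an Apache 2.4 vhost file for one site, then enables it by symlink. The `<Directory>` block with `Options -Indexes` and `AllowOverride None` is an addition beyond the tutorial's config (it disables directory listings and ignores .htaccess files). The optional conf_dir/web_root/owner arguments are assumptions added so the script can be run against a scratch directory; the defaults are the tutorial's paths.

```shell
#!/bin/sh
# Added example (not from the original tutorial): per-site layout plus an
# Apache 2.4 virtual host, the way the manual steps above do it.
#   write_vhost <site> [conf_dir] [web_root] [owner]
# conf_dir/web_root/owner are assumptions added for scratch runs; the
# defaults match the tutorial (/etc/httpd, /var/www/html, webadmin).
write_vhost() {
    site="$1"
    conf_dir="${2:-/etc/httpd}"
    web_root="${3:-/var/www/html}"
    owner="${4:-webadmin}"
    docroot="$web_root/$site/public_html"

    mkdir -p "$docroot" "$conf_dir/sites-available" "$conf_dir/sites-enabled"
    # hand the document root to the unprivileged owner when that user exists
    # (in a scratch run it usually does not)
    if id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$docroot"
    fi
    # 755 on the directories only; file modes are left to the deploy step
    chmod 755 "$web_root/$site" "$docroot"

    cat > "$conf_dir/sites-available/$site.conf" <<EOF
<VirtualHost *:80>
    ServerName www.$site
    ServerAlias $site
    DocumentRoot $docroot
    # logs live beside public_html, outside the document root, so Apache never serves them
    ErrorLog $web_root/$site/error.log
    CustomLog $web_root/$site/requests.log combined
    # hardening beyond the tutorial: no directory listings, no .htaccess overrides
    <Directory $docroot>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    # enable the site by symlink, as the tutorial does with ln -s
    ln -sf "$conf_dir/sites-available/$site.conf" "$conf_dir/sites-enabled/$site.conf"
}

# vhost_ok <site> [conf_dir] [web_root]: succeeds when the enabled config
# points at the expected DocumentRoot and contains no unexpanded "$" variables,
# a cheap self-check before asking Apache to reload.
vhost_ok() {
    site="$1"; conf_dir="${2:-/etc/httpd}"; web_root="${3:-/var/www/html}"
    f="$conf_dir/sites-enabled/$site.conf"
    [ -f "$f" ] && grep -q "DocumentRoot $web_root/$site/public_html" "$f" && ! grep -q '\$' "$f"
}

# On the real server (as root), then syntax-check before reloading:
#   write_vhost site1.com && write_vhost site2.com
#   apachectl configtest && systemctl reload httpd.service
```

Running `apachectl configtest` before the reload matters: a typo in one vhost file stops httpd from starting at all, which takes every site down with it.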
Make sure the proper firewall exceptions are added (only http and https; ssh stays on whatever the zone already allows)
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
Install the OSSEC host intrusion detection software. The bintray download service has since been discontinued, so fetch the release tarball from the OSSEC project's own GitHub releases instead, and verify its checksum against the value the project publishes before running install.sh as root
yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
./install.sh
Choose the local install and provide an email address and SMTP server for alerts
Install Fail2Ban. Edit jail.local, never jail.conf, so package updates do not overwrite your settings
yum install fail2ban fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Examine configuration file to make sure settings are as you want them
vi /etc/fail2ban/jail.local
Add the ssh jail file. If the fail2ban-firewalld package is installed, its jail.d/00-firewalld.conf already sets banaction = firewallcmd-ipset, so the commented action line can stay commented. bantime is in seconds (86400 = 24 hours)
vi /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
With firewalld enabled and running, enable and start fail2ban
systemctl enable fail2ban
systemctl start fail2ban
Track failed logon attempts
grep 'Failed password' /var/log/secure
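As an added example, not part of the original tutorial, this is the counting that the sshd jail performs, done by hand with awk over constructed /var/log/secure-style lines, so you can see which addresses would hit maxretry before fail2ban bans them. The log lines in SAMPLE_LOG are constructed for the example; the address 203.0.113.5 and friends are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example (not from the original tutorial): per-IP failed-password counting
# over /var/log/secure lines, the logic behind fail2ban's sshd jail + maxretry.
# SAMPLE_LOG is constructed for this example.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:04 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar  3 10:01:07 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51020 ssh2
Mar  3 10:01:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51020 ssh2
Mar  3 10:01:12 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51031 ssh2
Mar  3 10:01:15 web1 sshd[2107]: Failed password for webadmin from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:20 web1 sshd[2107]: Accepted password for webadmin from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:25 web1 sshd[2109]: Failed password for invalid user oracle from 198.51.100.9 port 40100 ssh2
Mar  3 10:01:26 web1 sshd[2109]: Failed password for invalid user oracle from 198.51.100.9 port 40100 ssh2'

# failed_logins_per_ip: read log lines on stdin, print "count ip", highest first.
# The username field is attacker-controlled (sshd logs whatever the client sent),
# so the address is taken from the LAST "from" before "port", not the first,
# and the line must end in the real "port N ssh2" tail.
failed_logins_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+ ssh2$/ {
            for (i = NF; i > 0; i--) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# over_threshold <maxretry>: addresses on stdin that have reached maxretry
# failures, one per line, most failures first.
over_threshold() {
    max="$1"
    failed_logins_per_ip | awk -v max="$max" '$1 >= max { print $2 }'
}

# sample_over_threshold <maxretry>: the same check run over SAMPLE_LOG.
sample_over_threshold() {
    printf '%s\n' "$SAMPLE_LOG" | over_threshold "$1"
}

# Against the live log, with the tutorial's maxretry = 5:
#   over_threshold 5 < /var/log/secure
```

With maxretry = 5 only 203.0.113.5 crosses the line in the sample; 198.51.100.7 had one failure and then a successful login, which is the normal typo case you do not want banned. Unlike fail2ban this counts over the whole file rather than a findtime window, so on a long-lived log lower the threshold with care.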
Check the banned IP addresses. With the firewallcmd-ipset ban action the addresses live in an ipset referenced from firewalld's chains (ipset list shows them), so the plain iptables listing only shows the set reference, not each address
iptables -L -n
Check fail2ban status
fail2ban-client status
Remove ban from IP
fail2ban-client set sshd unbanip IPADDRESS
Install the Nagios plugins to monitor the server or VM. These steps build the plugins from source and set the web login; they assume Nagios Core, its nagios user and group, and its Apache config are already installed on the host, which this tutorial does not cover. Verify the tarball checksum against the one published on nagios-plugins.org before building
cd ~
curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-*.tar.gz
cd nagios-plugins-*
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
systemctl start nagios.service
systemctl restart httpd.service
chkconfig nagios on
If you would like to restrict access to the Nagios web interface by IP
vi /etc/httpd/conf.d/nagios.conf
Find and comment out the following two lines by adding a # symbol in front of them:
Order allow,deny
Allow from all
Then uncomment the following lines by deleting the # symbols, and add the IP addresses or ranges (space delimited) that you want to allow to the Allow from line:
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
These are Apache 2.2-style directives; httpd 2.4 on CentOS 7 still accepts them through mod_access_compat, and the native 2.4 form is a Require ip line listing the same addresses.
Install the ClamAV virus scanner. The template configs contain an Example line that makes clamd and freshclam refuse to run, so remove it from freshclam.conf before the first freshclam run (the original ran freshclam first, which fails)
yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i '/^Example/d' /etc/clamd.d/clamd.conf
cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf
freshclam
Run freshclam as a daemon so signatures stay current (-c 4 checks four times a day). Admin-written unit files normally belong in /etc/systemd/system; /usr/lib/systemd/system is the package directory and can be overwritten by updates
vi /usr/lib/systemd/system/clam-freshclam.service
# Run freshclam as a daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target
systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service
Add the SSL website
Install mod_ssl
yum install mod_ssl
Create the private key and the CSR (Certificate Signing Request). Only the CSR goes to the CA; the key never leaves the server. Move it to /etc/pki/tls/private, owned by root with mode 0600, and put the certificate the CA returns in /etc/pki/tls/certs
openssl req -new -newkey rsa:2048 -nodes -keyout mysslsite.key -out mysslsite.csr
Create /etc/httpd/sites-available/mysslsite.com.conf and add the block below. The HTTPS virtual host listens on port 443. SSLCACertificateFile is only used to verify client certificates, so omit it unless you use client-certificate authentication (the original noted that the root certificate is already provided by ca-certificates); the intermediate chain that browsers need goes in SSLCertificateChainFile with the chain file your CA supplies. Protocol and cipher settings come from the global /etc/httpd/conf.d/ssl.conf, where SSLv3 and TLS 1.0/1.1 should be disabled with SSLProtocol
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/mysslsite.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mysslsite.key
    SSLCACertificateFile /etc/pki/tls/certs/root-certificate.crt #root certificate provided by ca-certificates, omit this line
    ServerAdmin info@mysslsite.com
    ServerName www.mysslsite.com
    DocumentRoot /var/www/html/mysslsite.com/public_html/
    ErrorLog /var/www/html/mysslsite.com/logs/error.log
    CustomLog /var/www/html/mysslsite.com/logs/access.log combined
</VirtualHost>
Finish the configuration and set the correct permissions. The logs directory must exist before httpd starts or it will refuse to open the log files; the symlink source and target use the same file name as the config created above
mkdir -p /var/www/html/mysslsite.com/public_html /var/www/html/mysslsite.com/logs
chown -R webadmin:webadmin /var/www/html/mysslsite.com/public_html
ln -s /etc/httpd/sites-available/mysslsite.com.conf /etc/httpd/sites-enabled/mysslsite.com.conf
systemctl restart httpd.service
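Before wiring the certificate into the SSL virtual host, a practitioner checks that the certificate actually belongs to the key from the CSR step, that the key is not readable by other users, and that the certificate names the ServerName. The script below is an added example, not part of the original tutorial: it generates a throwaway self-signed pair only so the checks can run offline; on the real server you pass the CA-issued mysslsite.crt and mysslsite.key. The function names and the preflight wrapper are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight checks for a
# certificate/key pair before it goes into the <VirtualHost *:443> block.

# gen_test_pair <dir> <hostname>: throwaway self-signed key + cert so the
# checks can be exercised offline (never use a self-signed cert on the live site)
gen_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
}

# cert_matches_key <cert> <key>: compare the public key embedded in each.
# Comparing public keys works for RSA and EC alike; modulus comparison is RSA-only.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_private_enough <key>: the key file must have no group/other bits (0600 or 0400)
key_private_enough() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_covers_name <cert> <hostname>: the subject CN or a DNS SAN must be the
# ServerName, otherwise browsers reject the site even though httpd starts fine
cert_covers_name() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "(CN *= *|DNS:)${pat}([ ,]|"'$)'
}

# tls_preflight <cert> <key> <hostname>: run every check, report each failure,
# return non-zero if any failed. Run it before apachectl configtest.
tls_preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key $2"; rc=1; }
    key_private_enough "$2"    || { echo "FAIL: key $2 is readable by group/other"; rc=1; }
    cert_covers_name "$1" "$3" || { echo "FAIL: certificate does not name $3"; rc=1; }
    return $rc
}

# On the live server:
#   tls_preflight /etc/pki/tls/certs/mysslsite.crt /etc/pki/tls/private/mysslsite.key www.mysslsite.com \
#       && apachectl configtest && systemctl reload httpd.service
```

The key-mode check is the one most often skipped: a key left at 0644 after the openssl req step is readable by every local account, including the webadmin user and the PHP processes, and nothing in Apache warns about it.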