Deploy secure CentOS 7 LAMP server with virtual hosts

In this tutorial we will deploy a secure LAMP-based web server with multiple virtual hosts and SSL sites. We will assume the sites site1.com and site2.com and the SSL site site3.com (called mysslsite.com in the SSL section below).

First step: install LAMP, starting with MariaDB

yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service

Secure MariaDB installation

mysql_secure_installation

Install Apache server

yum -y install httpd
systemctl start httpd.service
systemctl enable httpd.service

Install php with all modules

yum -y install php
yum -y install php-mysql
yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel

Restart apache

systemctl restart httpd.service

Now let's install phpMyAdmin

Let's add the EPEL repository

rpm -iUvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install phpMyAdmin

yum install phpMyAdmin

Make sure the Apache access rules in this file allow connections from the addresses you will administer from (by default only localhost is permitted)

vi /etc/httpd/conf.d/phpMyAdmin.conf

Change the authentication method

vi /etc/phpMyAdmin/config.inc.php

[...]
$cfg['Servers'][$i]['auth_type']     = 'http';    // Authentication method (config, http or cookie based)?
[...]

Restart Apache

systemctl restart httpd.service

Now we set up the virtual hosts


mkdir -p /var/www/html/site1/public_html
mkdir -p /var/www/html/site2/public_html

useradd webadmin
passwd webadmin

chown -R webadmin:webadmin /var/www/html/site1/public_html
chown -R webadmin:webadmin /var/www/html/site2/public_html

chmod -R 755 /var/www/html

vi /etc/httpd/conf/httpd.conf and add at the end of the file:
IncludeOptional sites-enabled/*.conf

mkdir /etc/httpd/sites-enabled
mkdir /etc/httpd/sites-available

cd /etc/httpd/sites-available
vi site1.com.conf


<VirtualHost *:80>
    ServerName www.site1.com
    DocumentRoot /var/www/html/site1/public_html
    ServerAlias site1.com
    ErrorLog /var/www/html/site1/error.log
    CustomLog /var/www/html/site1/requests.log combined
</VirtualHost>


vi site2.com.conf


<VirtualHost *:80>
    ServerName www.site2.com
    DocumentRoot /var/www/html/site2/public_html
    ServerAlias site2.com
    ErrorLog /var/www/html/site2/error.log
    CustomLog /var/www/html/site2/requests.log combined
</VirtualHost>



ln -s /etc/httpd/sites-available/site1.com.conf /etc/httpd/sites-enabled/site1.com.conf
ln -s /etc/httpd/sites-available/site2.com.conf /etc/httpd/sites-enabled/site2.com.conf
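A small helper, added here and not part of the original tutorial, that creates one virtual host with the layout used above (document root, a separate logs directory, a config in sites-available linked into sites-enabled). The function name and its parameters are my own, and the Directory block tightens the defaults (no index listings, no .htaccess overrides).

```shell
#!/bin/sh
# make_vhost <site> <webroot> <confdir> [owner]
# Lays out one site the way this tutorial does: DocumentRoot under
# <webroot>/<site>/public_html, logs beside it, config in sites-available
# symlinked into sites-enabled. Paths are parameters so the function can be
# exercised in a scratch directory; on the server call it as
#   make_vhost site1.com /var/www/html /etc/httpd webadmin
make_vhost() {
    site="$1"; webroot="$2"; confdir="$3"; owner="$4"
    # Reject anything that is not a plain hostname so it cannot smuggle
    # directives or path components into the generated config.
    case "$site" in
        ""|*[!A-Za-z0-9.-]*) echo "refusing site name: $site" >&2; return 1 ;;
    esac
    root="$webroot/$site"
    mkdir -p "$root/public_html" "$root/logs" \
        "$confdir/sites-available" "$confdir/sites-enabled" || return 1
    # Only the published tree belongs to the deploy user; logs stay root-owned
    # so a compromised site cannot truncate its own audit trail.
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$root/public_html" || return 1; fi
    chmod 755 "$root" "$root/public_html"
    cat > "$confdir/sites-available/$site.conf" <<EOF
<VirtualHost *:80>
    ServerName www.$site
    ServerAlias $site
    DocumentRoot $root/public_html
    # logs live outside DocumentRoot so Apache can never serve them
    ErrorLog $root/logs/error.log
    CustomLog $root/logs/requests.log combined
    <Directory $root/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    ln -sf "$confdir/sites-available/$site.conf" "$confdir/sites-enabled/$site.conf"
}
```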

Make sure the proper firewall accept rules are added


firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Install OSSEC Host Intrusion Detection Software

yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
./install.sh

Choose the local install and provide an email address and SMTP server for alerts

Install Fail2Ban

yum install fail2ban fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Examine the configuration file to make sure the settings are as you want them

vi /etc/fail2ban/jail.local

Add an sshd jail file

vi /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

With firewalld enabled and running, enable and start Fail2Ban

systemctl enable fail2ban
systemctl start fail2ban

Track logon attempts

grep 'Failed password' /var/log/secure

Check banned IP address

iptables -L -n

Check fail2ban status

fail2ban-client status

Remove ban from IP

fail2ban-client set sshd unbanip IPADDRESS
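To turn the log check above into something you can compare against what fail2ban-client reports, here is an added example (not from the original page) that counts 'Failed password' entries per source address and flags those that reached the jail's maxretry of 5. The log lines are constructed for the example, not real captures; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure sshd entries (documentation addresses).
SAMPLE_LOG='Mar  3 10:01:12 web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:01:22 web1 sshd[2017]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar  3 10:01:26 web1 sshd[2019]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar  3 10:05:40 web1 sshd[2101]: Failed password for webadmin from 198.51.100.24 port 40210 ssh2
Mar  3 10:05:49 web1 sshd[2103]: Accepted password for webadmin from 198.51.100.24 port 40211 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "<count> <ip>" for
# each source address that produced a 'Failed password' entry, highest first.
failed_by_ip() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# over_threshold <maxretry>: keep only the addresses whose failure count
# reached the jail's maxretry, i.e. the ones Fail2Ban should have banned.
over_threshold() {
    awk -v max="$1" '$1 >= max {print $2}'
}

# On the server: failed_by_ip < /var/log/secure | over_threshold 5
# then compare the result with: fail2ban-client status sshd
```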


Install Nagios to monitor the server or VM

cd ~
curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-*.tar.gz
cd nagios-plugins-*
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
systemctl start nagios.service
systemctl restart httpd.service
systemctl enable nagios.service

If you want to restrict access to the Nagios web interface by IP

vi /etc/httpd/conf.d/nagios.conf

Find and comment the following two lines by adding # symbols in front of them:

Order allow,deny
Allow from all

Then uncomment the following lines by deleting the # symbols, and add the IP addresses or ranges (space delimited) that you want to allow to the Allow from line:

#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1

Install the ClamAV virus scanner

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i '/^Example/d' /etc/clamd.d/clamd.conf

freshclam


cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf

vi /usr/lib/systemd/system/clam-freshclam.service
# Run freshclam as a daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target


systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

Add an SSL website

Install mod_ssl

yum install mod_ssl

Create a certificate signing request (CSR)

openssl req -new -newkey rsa:2048 -nodes -keyout mysslsite.key -out mysslsite.csr

Create /etc/httpd/sites-available/mysslsite.com.conf and add the block below. The key and certificate paths must match where you placed mysslsite.key and the certificate your CA issued for the CSR.


<VirtualHost *:443>
     SSLEngine On
     SSLCertificateFile /etc/pki/tls/certs/mysslsite.crt
     SSLCertificateKeyFile /etc/pki/tls/private/mysslsite.key
     # root/intermediate certificate supplied by your CA; omit this line if none was provided
     SSLCACertificateFile /etc/pki/tls/certs/root-certificate.crt

     ServerAdmin info@mysslsite.com
     ServerName www.mysslsite.com
     DocumentRoot /var/www/html/mysslsite.com/public_html/
     ErrorLog /var/www/html/mysslsite.com/logs/error.log
     CustomLog /var/www/html/mysslsite.com/logs/access.log combined
</VirtualHost>

Finish the configuration and set up the correct permissions

mkdir -p /var/www/html/mysslsite.com/public_html /var/www/html/mysslsite.com/logs
chown -R webadmin:webadmin /var/www/html/mysslsite.com/public_html
ln -s /etc/httpd/sites-available/mysslsite.com.conf /etc/httpd/sites-enabled/mysslsite.com.conf
apachectl configtest
systemctl restart httpd.service
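Before restarting httpd with the SSL block above, it is worth confirming that the certificate your CA returned actually belongs to mysslsite.key and is not about to expire; a mismatch makes httpd refuse to start. This is an added example, not part of the original tutorial; the function names are my own and the paths are the ones used above.

```shell
#!/bin/sh
# cert_key_match <cert.crt> <key.key>
# Returns 0 when the certificate's public key is the one derived from the
# private key, 1 on mismatch, 2 when either file cannot be parsed.
cert_key_match() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 \
        || { echo "unreadable certificate: $1" >&2; return 2; }
    openssl pkey -noout -in "$2" >/dev/null 2>&1 \
        || { echo "unreadable key: $2" >&2; return 2; }
    # Compare SubjectPublicKeyInfo of both sides rather than the files
    # themselves, so it works for RSA and EC keys alike.
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_valid_for <cert.crt> <days>
# Returns 0 when the certificate will still be valid <days> from now.
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# On the server, with the paths from the SSL virtual host above:
#   cert_key_match /etc/pki/tls/certs/mysslsite.crt /etc/pki/tls/private/mysslsite.key \
#     && cert_valid_for /etc/pki/tls/certs/mysslsite.crt 14 \
#     && systemctl restart httpd.service
```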