Deploy secure CentOS 7 LAMP server with virtual hosts

In this tutorial we will deploy a secure LAMP-based web server with multiple virtual hosts and SSL sites. We will assume sites, and SSL site

First we install the LAMP stack, starting with MariaDB

yum -y install mariadb-server mariadb
systemctl start mariadb.service
systemctl enable mariadb.service

Secure the MariaDB installation


Install the Apache server

yum -y install httpd
systemctl start httpd.service
systemctl enable httpd.service

Install PHP with the modules we need

yum -y install php
yum -y install php-mysql
yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel

Restart Apache

systemctl restart httpd.service

Now let's install phpMyAdmin

Let's add the EPEL repository

rpm -iUvh

Install phpMyAdmin

yum install phpMyAdmin

Make sure the Apache configuration allows access to phpMyAdmin from the addresses you will administer from

vi /etc/httpd/conf.d/phpMyAdmin.conf

Change the authentication method

vi /etc/phpMyAdmin/

$cfg['Servers'][$i]['auth_type']     = 'http';    // Authentication method (config, http or cookie based)?

Restart Apache

systemctl restart httpd.service

Now we set up the virtual hosts

mkdir -p /var/www/html/
mkdir -p /var/www/html/

useradd webadmin
passwd webadmin

chown -R webadmin:webadmin /var/www/html/site1/public_html
chown -R webadmin:webadmin /var/www/html/site2/public_html

chmod -R 755 /var/www/html

vi /etc/httpd/conf/httpd.conf

Add at the end:

IncludeOptional sites-enabled/*.conf

mkdir /etc/httpd/sites-enabled
mkdir /etc/httpd/sites-available

cd /etc/httpd/sites-available

Create a .conf file for each site:

<VirtualHost *:80>
    DocumentRoot /var/www/html/site1/public_html
    ErrorLog /var/www/html/site1/error.log
    CustomLog /var/www/html/site1/requests.log combined
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/html/site2/public_html
    ErrorLog /var/www/html/site2/error.log
    CustomLog /var/www/html/site2/requests.log combined
</VirtualHost>

ln -s /etc/httpd/sites-available/ /etc/httpd/sites-enabled/
ln -s /etc/httpd/sites-available/ /etc/httpd/sites-enabled/
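As an added example (not part of the original tutorial), the script below generates one virtual host file in the sites-available/sites-enabled layout described above and enables it with a symlink; the config and web roots are parameters so it can be dry-run against a scratch directory, and the site name, domain and the hardening directives inside the Directory block are my additions, not the tutorial's.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate one name-based
# virtual host in the sites-available/sites-enabled layout used above and
# enable it with a symlink. The config and web roots are parameters so the
# script can be dry-run against a scratch directory; the site name and domain
# are constructed sample values.
set -eu

# make_vhost NAME DOMAIN HTTPD_ROOT WWW_ROOT
#   writes HTTPD_ROOT/sites-available/NAME.conf and links it into sites-enabled
make_vhost() {
    name=$1; domain=$2; httpd_root=$3; www_root=$4
    docroot="$www_root/$name/public_html"
    mkdir -p "$docroot" "$httpd_root/sites-available" "$httpd_root/sites-enabled"
    cat > "$httpd_root/sites-available/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $docroot
    # Logs sit beside public_html, not inside it, so they are never served
    ErrorLog $www_root/$name/error.log
    CustomLog $www_root/$name/requests.log combined
    <Directory "$docroot">
        # No directory listings, no .htaccess overrides
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    ln -sf "$httpd_root/sites-available/$name.conf" "$httpd_root/sites-enabled/$name.conf"
}

# vhost_enabled NAME HTTPD_ROOT -> 0 if sites-enabled/NAME.conf links to sites-available
vhost_enabled() {
    link="$2/sites-enabled/$1.conf"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$2/sites-available/$1.conf" ]
}

# Stand-alone run against a scratch tree; on the real host use /etc/httpd and /var/www/html
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_vhost site1 site1.example.com "$tmp/httpd" "$tmp/www"
    vhost_enabled site1 "$tmp/httpd" && cat "$tmp/httpd/sites-available/site1.conf"
    rm -rf "$tmp"
fi
```

Run `apachectl configtest` after enabling a site on the real host before restarting httpd.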

Make sure the proper firewall exceptions are added

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Install OSSEC Host Intrusion Detection Software

yum install mysql-devel postgresql-devel gcc
wget -U ossec 
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3

Choose a local install and provide the e-mail address and SMTP server for alerts

Install Fail2Ban

yum install fail2ban fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Review the configuration file and adjust the settings to your needs

vi /etc/fail2ban/jail.local

Add the sshd jail file

vi /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

With firewalld enabled and running, enable and start Fail2Ban

systemctl enable fail2ban
systemctl start fail2ban

Track failed logon attempts

grep 'Failed password' /var/log/secure

Check banned IP addresses

iptables -L -n

Check fail2ban status

fail2ban-client status

Remove ban from IP

fail2ban-client set sshd unbanip IPADDRESS
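The grep above shows raw failures; as an added example (not from the original tutorial), this script counts "Failed password" lines per source address over a constructed sample of /var/log/secure and reports the sources at or over the sshd jail's maxretry of 5, which is what you would compare against `fail2ban-client status sshd`. The hostnames, PIDs and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original tutorial): count sshd "Failed password"
# lines per source address, the same signal the sshd jail above acts on, and
# report sources at or over the jail's maxretry so you can check what Fail2Ban
# should have banned. The log lines below are constructed samples.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:01:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Mar  3 10:01:12 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Mar  3 10:01:15 web1 sshd[2105]: Failed password for webadmin from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:40 web1 sshd[2110]: Failed password for webadmin from 198.51.100.23 port 40001 ssh2
Mar  3 10:02:55 web1 sshd[2112]: Accepted publickey for webadmin from 198.51.100.23 port 40002 ssh2
EOF

# failed_by_ip LOGFILE -> "count ip" lines, most failures first
# The address always follows the word "from", whether or not the user is "invalid user"
failed_by_ip() {
    grep 'Failed password' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# over_maxretry LOGFILE MAXRETRY -> addresses with at least MAXRETRY failures
over_maxretry() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "Failures per source:"
failed_by_ip "$SAMPLE_LOG"
echo "At or over maxretry=5 (the sshd jail should have banned these):"
over_maxretry "$SAMPLE_LOG" 5
```

On the real host replace `$SAMPLE_LOG` with /var/log/secure; Fail2Ban also applies its findtime window, so a slow attacker below maxretry per window will not appear in its ban list even if this count is high.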

Install Nagios to monitor the server or VM

cd ~
curl -L -O
tar xvf nagios-plugins-*.tar.gz
cd nagios-plugins-*
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make install
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
systemctl start nagios.service
systemctl restart httpd.service
chkconfig nagios on

If you want to restrict access to the Nagios web interface by IP

vi /etc/httpd/conf.d/nagios.conf

Find and comment out the following two lines by adding a # in front of them:

Order allow,deny
Allow from all

Then uncomment the following lines by deleting the # symbols, and add the IP addresses or ranges (space delimited) that you want to allow to the Allow from line:

#  Order deny,allow
#  Deny from all
#  Allow from

Install the ClamAV virus scanner

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i '/^Example/d' /etc/clamd.d/clamd.conf


cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf

vi /usr/lib/systemd/system/clam-freshclam.service

[Unit]
# Run freshclam as a daemon
Description = freshclam scanner
After =

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy = multi-user.target

systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

Add an SSL website

Install mod_ssl

yum install mod_ssl

Create a certificate CSR (Certificate Signing Request)

openssl req -new -newkey rsa:2048 -nodes -keyout mysslsite.key -out mysslsite.csr

Edit the site's config in /etc/httpd/sites-available and add the following.

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/mysslsite.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mysslsite.key
    # root certificate provided by ca-certificates, otherwise omit this line
    SSLCACertificateFile /etc/pki/tls/certs/root-certificate.crt

    DocumentRoot /var/www/html/
    ErrorLog /var/www/html/
    CustomLog /var/www/html/ combined
</VirtualHost>

Finish the configuration and set up correct permissions

mkdir /var/www/html/
chown -R webadmin:webadmin /var/www/
ln -s /etc/httpd/sites-available/mysslsite.conf /etc/httpd/sites-enabled/
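The openssl step above prompts interactively; as an added example (not from the original tutorial), this script creates the key and CSR non-interactively and then runs the checks worth doing before the CSR goes to a CA and the key goes under /etc/pki/tls/private: the CSR's self-signature verifies, the key and CSR carry the same public key, the CN is what you asked for, and the key file is mode 600. The subject fields and the hostname mysslsite.example.com are constructed values.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create the key and CSR from
# the openssl step above non-interactively, then run the checks worth doing
# before sending the CSR to a CA or installing the key under /etc/pki/tls/private.
# The subject and hostname are constructed sample values.
set -eu

# make_csr NAME DOMAIN OUTDIR -> writes OUTDIR/NAME.key (mode 600) and OUTDIR/NAME.csr
make_csr() {
    name=$1; domain=$2; out=$3
    mkdir -p "$out"
    # -nodes: no passphrase, so httpd can start unattended; the file mode protects the key instead
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out/$name.key" -out "$out/$name.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$domain" 2>/dev/null
    chmod 600 "$out/$name.key"
}

# csr_is_valid CSR -> 0 if the CSR's self-signature verifies
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# key_matches_csr KEY CSR -> 0 if both carry the same public key (compare SHA-256 of the DER SPKI)
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_cn CSR -> the CN the CSR asks for (handles both old and new openssl subject formats)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_mode KEY -> octal mode; must be 600 before the key goes under /etc/pki/tls/private
key_mode() {
    stat -c '%a' "$1"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_csr mysslsite mysslsite.example.com "$d"
    csr_is_valid "$d/mysslsite.csr" && key_matches_csr "$d/mysslsite.key" "$d/mysslsite.csr" &&
        echo "CSR for $(csr_cn "$d/mysslsite.csr") verified, key mode $(key_mode "$d/mysslsite.key")"
    rm -rf "$d"
fi
```

The same key_matches_csr comparison works against the signed .crt once the CA returns it (swap `openssl req -in ... -pubkey` for `openssl x509 -in ... -pubkey`), which catches the common mistake of installing a certificate issued for a different key.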