Hello There,
This two-part tutorial covers the basics of securing a server or VPS. In these tutorials I will explain how to secure /tmp, install the APF firewall, install Brute Force Detection, and install mod_security for Apache.
I will also explain how to optimize MySQL and Apache, install Perl_Mod, and optimize PHP.
Securing /tmp
Let's begin. I suggest you stop Apache first to prevent any unneeded problems. You can stop it with
service httpd stop
You will need root SSH access to do this. SSH is installed on 99% of all Linux dedicated servers and should be enabled when you purchase. The same is true for a VPS.
We first need to connect to SSH with an SSH client. PuTTY is a very good free one. You can obtain it here: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Log in to SSH using the IP or hostname of your server/VPS and your root login.
The first thing we need to do is secure the /tmp partition on the server. This is the folder where Linux stores temporary files. Both Windows and Linux have temp folders, though Linux cleans and keeps them tidier than Windows. The reason for securing /tmp is to prevent exploits, both internal and external: /tmp is world-writable, so anything that can drop a file there will try to run it, and mounting /tmp noexec stops that.
You should now be connected with your SSH client and logged in as root, sitting in /root or ~ (the default folder when connecting via SSH). The first thing we need to do is go to the /dev folder.
Go there with the command
cd /dev
Now we need to create a 100MB file to hold our /tmp partition. If you think you may need more than 100MB, make the count number larger.
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Now we need to make an ext2 filesystem on our tmpMnt file
/sbin/mke2fs /dev/tmpMnt
Now let's return to the root folder
cd /
Now we need to back up our current /tmp folder
cp -R /tmp /tmp_backup
Now we need to mount the new tmp folder with the noexec option to prevent any unneeded usage.
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Now we need to give the new tmp folder the proper permissions (the mode comes before the path)
chmod 1777 /tmp
Now we need to copy everything in our backup to our new /tmp folder.
cp -R /tmp_backup/* /tmp/
Now delete the backup folder.
rm -rf /tmp_backup
Now we need to edit the fstab file so it mounts the tmp folder with the noexec option on reboot
pico -w /etc/fstab
If you get "pico: command not found", try
vi /etc/fstab
If you get "vi: command not found", try
nano /etc/fstab
If you still have problems with those, I suggest you download WinSCP
http://winscp.net/eng/index.php
and go into the parent directory when you connect, then into the /etc directory, and edit the fstab file. This is a needed edit. If you do not feel safe doing this, PM me and I will send you directions on how to install pico.
In the fstab file you should see something like this
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
At the very bottom add
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
Now save and exit. Depending on what program you are using it may be different; for pico it is Ctrl+X then Y.
Now you are done securing /tmp
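A quick way to confirm the result of the steps above is to read the mount options back rather than trusting that the commands ran. The script below is an added example, not part of the original tutorial: it works on a constructed sample of /proc/mounts and of the fstab line from this tutorial (both files share the same device/mountpoint/type/options column layout) and reports whether /tmp carries noexec and nosuid.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts output (not copied from a real server).
SAMPLE_MOUNTS='/dev/hda3 / ext3 rw,usrquota 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw 0 0'

# Constructed /etc/fstab in the shape this tutorial ends up with.
SAMPLE_FSTAB='/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0'

# has_opt TABLE MOUNTPOINT OPTION
# Succeeds when the entry for MOUNTPOINT lists OPTION in its comma-separated
# options column (column 4 in both /proc/mounts and /etc/fstab).
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_tmp TABLE
# Prints "ok" and returns 0 when /tmp has both noexec and nosuid;
# otherwise prints the missing options and returns 1.
check_tmp() {
    missing=""
    for opt in noexec nosuid; do
        has_opt "$1" /tmp "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "/tmp is missing:$missing"
    return 1
}

# Stand-alone demo on the constructed samples. On a live box, check both the
# running mount table and the fstab entry that will be used after a reboot:
#   check_tmp "$(cat /proc/mounts)" && check_tmp "$(cat /etc/fstab)"
check_tmp "$SAMPLE_MOUNTS"
check_tmp "$SAMPLE_FSTAB"
```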
Installing APF and turning on BFT Module
Connect as root using SSH as you did for /tmp. Go into your download directory. (This can be /root, /, /root/downloads, or anything else. I do suggest you have one just to store downloads, to keep everything nice and clean. If you wish to make one you can use mkdir directoryname to make a directory.)
cd /
Now we need to download the latest version of the APF firewall.
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
This will save it into the directory you are currently in. When it is done it will say something like "Saved 'apf-current.tar.gz'", then you should see your blinking cursor again. We have now downloaded a gzipped tar file, so we need to un-gzip and un-tar it; use the following to do so.
tar -xvzf apf-current.tar.gz
This will list a pile of folders and files, all beginning with
apf-version number
where version number will be something like 0.9.5-1.
We need to go into this folder, so cd (change directory) into it
cd apf-0.9.5-1 (OR WHATEVER IT IS)
Now let's run the install script, which will install it for you.
./install.sh
You will receive a message like
Installing APF 0.9.5-1: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Note the install and config paths; you will be using them.
Now, as with all firewalls, we need to edit the rules.
As you did when securing /tmp, run your editor, whether it is pico, nano, vi or WinSCP, and edit /etc/apf/conf.apf or the path noted by the install success message.
pico /etc/apf/conf.apf
First thing we need to do is turn on the DShield block list.
Use Ctrl+W in Pico to search for
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
Next we need to configure our ports for cPanel.
Find your common ingress ports list and change it to the following. If you host another program or something else which uses a port, add it here.
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Now we need to edit the egress, or outbound, ports.
Find the egress ports list, first turning EGF on.
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Now if you are experienced you can edit other things.
We are done editing. Now save changes using Ctrl+X then Y in pico, or however you did it when securing /tmp for the other editors.
Now let's start up our APF firewall
/usr/local/sbin/apf -s (OR the path noted by the install script)
Below are some more commands
usage ./apf [OPTION]
-s|--start - Start firewall
-r|--restart - Restart firewall
-f|--flush|--stop - Reload rules (If you changed firewall config)
-l|--list - List Chain Rules
-st|--status - Firewall Status
-a HOST CMT|--allow HOST COMMENT - Add IP to allow list
-d HOST CMT|--deny HOST COMMENT - Add IP to deny list (Block)
APF comes with AntiDoS, which needs no configuration unless you wish to be emailed every time APF reports a possible DDoS attack. If you wish to get emails, edit the AntiDoS config file.
pico /etc/apf/ad/conf.antidos
Now around the top you should see
# [E-Mail Alerts]
Under this heading we have the following:
# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts
# User for alerts to be mailed to
USR="[email protected]"
Enter your email address to receive the alerts
Just edit it; it is pretty self-explanatory. Turn on USR_ALERT and edit the email.
Save and restart the firewall using the commands above.
You may want to delete the downloaded tar.gz for APF. To do so:
rm filename
End of APF Firewall
Install Brute Force Detection
Alright, now rfxnetworks has another useful script called Brute Force Detection. This script catches the people that try 1,000s of different passwords.
As we did with APF, go into your downloads directory
cd /root
Now download the latest bfd file onto your server
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Untar and un-gzip
tar -xvzf bfd-current.tar.gz
Now go into the directory listed. (It is the directory the files were put in. When you untar, it should list a pile of files, like
bfd-0.7/install.sh
so go into the directory bfd-0.7/.)
cd bfd-version/
Run the install file as you did with APF
./install.sh
You will receive success message like
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
Note the file paths. They may be different; if so, use the paths listed for everything else you do.
Edit the config file. (No real editing is needed unless you wish to enable email upon an incident.)
pico /usr/local/bfd/conf.bfd
Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"
Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="[email protected]"
That will enable email upon an incident. I suggest you use a secondary email, as you may get a lot of emails.
Now you want to add your own IP to prevent yourself from getting locked out if you forget your password.
pico -w /usr/local/bfd/ignore.hosts
Now just type in your IP. (You can get it at http://whatsmyip.com)
If you wish to add comments, start the line with a #
# Example Comment
Now save and exit.
Now run BFD
/usr/local/sbin/bfd -s (OR the path noted by install file)
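To see what BFD is doing for you, here is the core of the detection logic in plain shell and awk. This is an added example, not BFD's own code: it counts failed SSH logins per source address in a constructed sample of /var/log/secure lines, skips addresses listed in an ignore.hosts-style list (the format used above: one address per line, # for comments), and reports every address at or above a threshold.

```shell
#!/bin/sh
# Constructed sample of sshd lines in /var/log/secure (not from a real server;
# the addresses are documentation ranges).
SAMPLE_AUTH='Mar  1 10:00:01 host sshd[2001]: Failed password for root from 192.0.2.10 port 4001 ssh2
Mar  1 10:00:02 host sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Mar  1 10:00:03 host sshd[2003]: Failed password for root from 192.0.2.10 port 4003 ssh2
Mar  1 10:00:04 host sshd[2004]: Accepted password for root from 198.51.100.5 port 4010 ssh2
Mar  1 10:00:05 host sshd[2005]: Failed password for root from 198.51.100.5 port 4011 ssh2
Mar  1 10:00:06 host sshd[2006]: Failed password for root from 203.0.113.7 port 4020 ssh2
Mar  1 10:00:07 host sshd[2007]: Failed password for root from 203.0.113.7 port 4021 ssh2
Mar  1 10:00:08 host sshd[2008]: Failed password for root from 203.0.113.7 port 4022 ssh2'

# Constructed ignore list in the ignore.hosts style: your own address, with a comment.
SAMPLE_IGNORE='# Example Comment
203.0.113.7'

# brute_force_ips LOG IGNORE THRESHOLD
# Prints "address count" (sorted) for every source address with at least
# THRESHOLD "Failed password" lines that is not on the IGNORE list.
brute_force_ips() {
    printf '%s\n' "$1" | awk -v ignore="$2" -v thresh="$3" '
        BEGIN {
            # Build the skip set from the ignore list, dropping comments and blanks.
            n = split(ignore, lines, "\n")
            for (i = 1; i <= n; i++) {
                sub(/#.*/, "", lines[i])
                gsub(/[ \t]/, "", lines[i])
                if (lines[i] != "") skip[lines[i]] = 1
            }
        }
        /Failed password for/ {
            # The source address is the field right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thresh && !(ip in skip)) print ip, fails[ip]
        }' | sort
}

# Stand-alone demo on the constructed sample: only 192.0.2.10 is reported,
# because 203.0.113.7 is ignored and 198.51.100.5 failed only once.
# On a live box:  brute_force_ips "$(cat /var/log/secure)" "$(cat /usr/local/bfd/ignore.hosts)" 10
brute_force_ips "$SAMPLE_AUTH" "$SAMPLE_IGNORE" 3
```

The ignore list is what keeps you from locking yourself out, which is why the tutorial has you add your own IP before starting BFD.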
End BFD
Install mod_security for Apache
Mod_Security is an open source web application firewall module for Apache which is great for preventing SQL injection. But it may cause problems with your scripts if you use ?a=% for example in query strings, since a bare % is not valid URL encoding and the encoding check in the config below rejects it; you will get a 500 Internal Server Error.
Now we need to log in to your server through SSH.
Now let's go into the download folder where we downloaded APF and BFD.
To see what files are in the folder you can type ls. This will list the files. If you wish to delete the files you can use rm *. This will delete files with your confirmation (except folders).
Now lets download the mod_security files.
Go to http://www.modsecurity.org/download/ and grab the URL of the newest file.
wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
Or whatever the newest file is for you.
Now let's untar it.
tar zxvf modsecurity-apache-1.9.2.tar.gz
Now let's go into the directory listed by the untar.
cd modsecurity-apache-1.9.2
Now we need to determine what version of Apache you have.
/usr/local/apache/bin/httpd -v
This will say
Server version: Apache/(NUMBERS) (Unix)
We need those numbers. If it starts with 1.3 you are using 1.3; if it starts with 2.0 you are using 2.0.
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/
Now we need to do some compiling.
/usr/local/apache/bin/apxs -cia mod_security.c
During this don't get scared. You will see funny-looking characters and everything. This is totally normal.
Now time to edit the httpd config. Let's back up just in case.
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
Now let's edit the config file
pico /usr/local/apache/conf/httpd.conf
Now let's locate the modules.
Find
<IfModule mod_dir.c>
or any other of the
<IfModule> blocks would be fine.
Now add this
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "../"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>
If you know what you are doing, you can edit the above. If you do not, DON'T; it may wreck your server.
Save the config file and restart Apache
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
End of Mod_Security
Optimization Part
First off let's start with MySQL, which is probably the hardest on your CPU usage. There are a few things you can do. First of all, you can use phpMyAdmin to optimize the database tables. This may help a bit. (This is just like Windows registry cleaners: it just removes useless stuff.)
Let's now back up the my.cnf file, which is the MySQL config file.
cp /etc/my.cnf /etc/mycnf.backup
Now let's edit it.
pico /etc/my.cnf
If you have done no editing, you should see maybe 1-2 lines, something like
[mysqld]
set-variable = max_connections=500
safe-show-database
Now we need to add some more configurations.
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-locking
skip-innodb
query_cache_limit=8M
query_cache_size=256M
query_cache_type=1
max_connections=500
max_user_connections=10
interactive_timeout=20
wait_timeout=20
connect_timeout=6
thread_cache_size=128
key_buffer=16M
join_buffer=1M
max_allowed_packet=16M
table_cache=1024
record_buffer=1M
sort_buffer_size=2M
read_buffer_size=2M
max_connect_errors=10
# Try number of CPU's*2 for thread_concurrency
thread_concurrency=4
myisam_sort_buffer_size=64M
#log-bin
server-id=1
[mysql.server]
user=mysql
basedir=/var/lib
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192
[mysqldump]
quick
max_allowed_packet=16M
[mysql]
no-auto-rehash
#safe-updates
[isamchk]
key_buffer=32M
sort_buffer=32M
read_buffer=16M
write_buffer=16M
[myisamchk]
key_buffer=32M
sort_buffer=32M
read_buffer=16M
write_buffer=16M
You can edit the above to improve MySQL performance. I would edit thread_concurrency. If you have HT (Hyper-Threading) each CPU counts as 2 processors, so a Dual Xeon with HT is 2x2 or 4 processors; a P4 with HT is 2; without HT it is 1. Now I suggest you take the number of processors and multiply it by 2 again.
For info on more settings you can add, and on the ones above, search the MySQL website.
Now save your my.cnf file and restart MySQL
/etc/rc.d/init.d/mysql restart
If you use a lot of Perl scripts, you know these are also hard on your CPU. I suggest you do an Apache update with the Perl module checked.
That's all for now.
Most of these articles are written by other people. I thank IncognitoNetworks on WHT for the MySQL optimizer tutorial.
iNod.