▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - APACHE FOR LINUX - █▌
█▌ █▌
█ ▐▌
█ I am in no way versed in Apache. Out of sheer necessity I had to install ▐▌
█ it to set certain things up. So this tutorial is mainly focused on ▐▌
█ settings, tips, security, etc that I did. The installing part is easy. ▐▌
█ This is how I did it on my Debian. ▐▌
█ ▐▌
█ INSTALLING APACHE2 & PHP5 ▐▌
█ APACHE2 NOTES ▐▌
█ ERROR FIXING ▐▌
█ CREATING SYMBOLIC LINKS | ALIAS & MOUNTING JAIL/GLFTPD ▐▌
█ USER AUTHENTICATION | PASSWORD PROTECT YOUR SITE ▐▌
█ SSL | HTTPS ▐▌
█ FORCE REDIRECT HTTP TO SSL HTTPS ▐▌
█ TO CHANGE SIZE OF FILES ALLOWED TO UPLOAD ▐▌
█ APACHE AUTO RUN AFTER REBOOT ▐▌
█ SECURITY TIPS ▐▌
█ APACHE2 LOGS ▐▌
█ OTHER PROGRAMS NEEDED FOR VARIOUS WEB APPS ▐▌
█ ▐▌
█ INSTALLING APACHE2 & PHP5: ▐▌
█ `````````````````````````` ▐▌
█ su ▐▌
█ aptitude update ▐▌
█ aptitude install apache2 apache2.2-common apache2-mpm-prefork apache2-utils libexpat1
█ aptitude install php5 ▐▌
█ Then to install other supported PHP packages - copy/paste in all three ▐▌
█ lines below in one paste: ▐▌
aptitude install libapache2-mod-php5 libapache2-mod-perl2 php5 php5-cli \
php5-common php5-curl php5-dev php5-domxml php5-gd php5-imap php5-ldap \
php5-mcal php5-mhash php5-mysql php5-odbc php5-pear php5-xslt
█ ▐▌
█ Done :) You can now go to http://yoursite.com & ▐▌
█ http://yoursite.com/apache2-default/ ▐▌
█ ▐▌
█ APACHE2 NOTES: ▐▌
█ `````````````` ▐▌
█ 1. To start, stop, restart apache2: ▐▌
█ /etc/init.d/apache2 reload ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ /etc/init.d/apache2 stop ▐▌
█ /etc/init.d/apache2 start ▐▌
█ Also service apache2 restart (etc. as above) ▐▌
█ Older version: ▐▌
█ apache2 -k stop ▐▌
█ apache2 -k restart ▐▌
█ ▐▌
█ 2. To verify Apache is running: ▐▌
█ ps ax | grep apache2 | grep -v grep ▐▌
█ (yours might be httpd instead of apache2) ▐▌
█ Or: ▐▌
█ service apache2 status ▐▌
█ Or to view all services: ▐▌
█ service --status-all ▐▌
█ ▐▌
█ To view which processes are running on Apache's port 80: ▐▌
█ netstat -ntlp | grep ':80' ▐▌
█ To verify that http and https are listening, and where: ▐▌
█ netstat -l | grep http ▐▌
█ ▐▌
█ 3. To view your version of Apache: ▐▌
█ /usr/sbin/apache2 -v ▐▌
█ Server version: Apache/2.2.22 (Debian) ▐▌
█ Server built: Mar 4 2013 21:32:29 ▐▌
█ For a list of other switches: ▐▌
█ /usr/sbin/apache2 help ▐▌
█ service apache2 status ▐▌
█ ▐▌
█ 4. Apache2 config file is here: /etc/apache2/apache2.conf ▐▌
█ Document Root, web site files: /var/www/ ▐▌
█ And there is also: /var/www/apache2-default/ ▐▌
█ ▐▌
█ ERROR FIXING: ▐▌
█ ````````````` ▐▌
█ 1. Error logs are here: /var/log/apache2/ and will provide you with useful ▐▌
█ information to troubleshoot problems. For example view last 100 entries: ▐▌
█ tail -100 /var/log/apache2/error.log ▐▌
█ Or view only the errors among those last 100 entries: ▐▌
█ tail -100 /var/log/apache2/error.log | grep error ▐▌
█ ▐▌
█ 2. "Server error (apache2: Could not reliably determine the server's fully ▐▌
█ qualified domain name, using 127.0.0.1 for ServerName)on starting apache" ▐▌
█ su ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ Put your domain name, example: ▐▌
█ ServerName "mewbies.com" ▐▌
█ Or if you do not have a domain name enter the IP of the server. ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ 3. PHP pages are not being parsed - showing only the raw code: ▐▌
█ I had this happen after an upgrade from Squeeze to Wheezy. ▐▌
█ First check that php-pear is still installed, if not install it: ▐▌
█ dpkg -l php-pear ▐▌
█ For myself I found that the PHP5 module wasn't enabled anymore: ▐▌
█ ls -al /etc/apache2/mods-enabled/ ▐▌
█ Output should include a line similar to this, but mine wasn't listed: ▐▌
█ php5.conf -> ../mods-available/php5.conf ▐▌
█ Can also view all PHP modules instructed to load by doing: ▐▌
█ grep -Hrv ";" /etc/php5 | grep -i "extension=" ▐▌
█ To fix this check that you have it first: ▐▌
█ ls -al /etc/apache2/mods-available/php5.conf ▐▌
█ If you don't you'll probably need to re-install it. ▐▌
█ If you do have it; to enable it: ▐▌
█ a2enmod php5 ▐▌
█ Then restart your Apache: ▐▌
█ service apache2 restart ▐▌
█ Check that your PHP pages are parsing properly now. ▐▌
█ Side note: If you want users to be able to parse PHP files from their home ▐▌
█ directory you need to comment out the code as stated in that file: ▐▌
█ pico /etc/apache2/mods-available/php5.conf ▐▌
█ Editing that file will update the settings in ▐▌
█ /etc/apache2/mods-enabled/php5.conf as they are linked. ▐▌
█ Restart server: /etc/init.d/apache2 restart ▐▌
█ ▐▌
█ 4. 'suhosin.so' error on Debian Wheezy: PHP Warning: PHP Startup: ▐▌
█ Unable to load dynamic library '/usr/lib/php5/20100525+lfs/suhosin.so' - ▐▌
█ /usr/lib/php5/20100525+lfs/suhosin.so: cannot open shared object file: ▐▌
█ No such file or directory in Unknown on line 0 ▐▌
█ As it states HERE; The php5-suhosin package has been removed. To remove ▐▌
█ the leftover configuration in /etc/php5/conf.d/suhosin.ini run: ▐▌
█ su ▐▌
█ dpkg --purge php5-suhosin ▐▌
█ exit ▐▌
█ Error should now be gone: php -v ▐▌
█ ▐▌
█ CREATING SYMBOLIC LINKS | ALIAS: ▐▌
█ ```````````````````````````````` ▐▌
█ Symbolic Links and/or Alias Directive. Basically it's like creating a ▐▌
█ shortcut that the users won't be aware of. ▐▌
█ You can find Apache examples HERE. ▐▌
█ ▐▌
█ This also can be useful if you want to remove certain names in the URL ▐▌
█ path without editing the files. For example http://yoursite.com/irc/ 'irc' ▐▌
█ might be a banned name in some firewall's settings so instead you could ▐▌
█ reach that same URL with http://yoursite.com/flowers/ or whatever using an ▐▌
█ 'alias'. ▐▌
█ ▐▌
█ For example let's say the directory I want my users to access is 'irc' ▐▌
█ which is located here: /var/www/stuff/irc/ and I want the url to be: ▐▌
█ http://yoursite.com/flowers/ ▐▌
█ su ▐▌
█ If you are worried you might make mistakes, back up the file first: ▐▌
█ cp /etc/apache2/apache2.conf /etc/apache2/apache2-org.conf ▐▌
█ Then edit it: ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ Add this under the Alias section: ▐▌
█ Alias /flowers /var/www/stuff/irc ▐▌
█ <Directory /var/www/stuff/irc/> ▐▌
█ Options -Indexes ▐▌
█ Order allow,deny ▐▌
█ Allow from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ /etc/init.d/apache2 reload ▐▌
█ exit ▐▌
█ ▐▌
█ *If for some reason I want users to be able to see all the files in /irc/ ▐▌
█ (raw view) then remove the '-' before Indexes. ▐▌
█ For example I have a directory 'wallpaper' and I want users to be able to ▐▌
█ see entire list of files in that directory then I would add this to the ▐▌
█ above file toward the bottom to keep track of it: ▐▌
█ <Directory "/files/wallpaper"> ▐▌
█ Options Indexes FollowSymLinks Includes ExecCGI ▐▌
█ AllowOverride All ▐▌
█ Order allow,deny ▐▌
█ Allow from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ To disable users from browsing directories see below under Security Tips 7.▐▌
█ ▐▌
█ JAIL NOTE: ▐▌
█ If the other area you want to link is in a 'jail' environment the above ▐▌
█ methods won't work properly, nor will ln -s. You'll need to 'mount'. ▐▌
█ "mount --bind <source> <dest>" mount one part of the directory structure ▐▌
█ onto another part, but that won't be part of the file system, it will be ▐▌
█ part of the running system. This is 'NOT' recommended for security reasons ▐▌
█ but you might have a need to do this, but only if your site is very ▐▌
█ private with trusted users and I would still not recommend doing this. ▐▌
█ For example so website users can have access to this path: ▐▌
█ /jail/glftpd/site/incoming from this path: /var/www/files ▐▌
█ Do this: su ▐▌
█ mount --bind /var/www/files /jail/glftpd/site/incoming ▐▌
█ To view the mount: cat /etc/mtab ▐▌
█ Or to view all mounts: mount ▐▌
█ To remove it umount (not unmount): ▐▌
█ umount /jail/glftpd/site/incoming ▐▌
█ and remove it from your fstab if you added it as below instructions. ▐▌
█ ▐▌
█ *Note files uploaded to directory /files/ via website will not be part of ▐▌
█ the glftpd.log ▐▌
█ You'll need to make an external script that scans the 'files' directory ▐▌
█ and adds those to the glftpd.log ▐▌
█ ▐▌
█ To have the mount there after reboot we need to add it to the bottom of ▐▌
█ the fstab: ▐▌
█ pico /etc/fstab ▐▌
█ add your mount path line like above to bottom of the file ▐▌
█ Has this for example (yours will be different): ▐▌
█ # /etc/fstab: static file system information. ▐▌
█ # ▐▌
█ # <file system> <mount point> <type> <options> <dump> <pass> ▐▌
█ proc /proc proc defaults 0 0 ▐▌
█ /dev/hda3 / ext3 defaults,errors=remount-ro 0 1 ▐▌
█ /dev/hda1 /boot ext3 defaults 0 2 ▐▌
█ /dev/hda2 none swap sw 0 0 ▐▌
█ /dev/hdd /media/cdrom0 udf,iso9660 user,noauto 0 0 ▐▌
█ ▐▌
█ Change to (adding the last line only): ▐▌
█ # /etc/fstab: static file system information. ▐▌
█ # ▐▌
█ # <file system> <mount point> <type> <options> <dump> <pass> ▐▌
█ proc /proc proc defaults 0 0 ▐▌
█ /dev/hda3 / ext3 defaults,errors=remount-ro 0 1 ▐▌
█ /dev/hda1 /boot ext3 defaults 0 2 ▐▌
█ /dev/hda2 none swap sw 0 0 ▐▌
█ /dev/hdd /media/cdrom0 udf,iso9660 user,noauto 0 0 ▐▌
█ /var/www/files /jail/glftpd/site/incoming none rw,bind 0 0 ▐▌
█ ▐▌
█ exit ▐▌
█ ▐▌
█ USER AUTHENTICATION | PASSWORD PROTECT YOUR SITE: ▐▌
█ ````````````````````````````````````````````````` ▐▌
█ 1. From the various methods I have read, I believe this is the best way to ▐▌
█ do this (replace 'NameHere' with the name you want your users to use for ▐▌
█ logging in): ▐▌
█ su ▐▌
█ cd /etc/apache2/ ▐▌
█ htpasswd -cm /etc/apache2/.htpasswd NameHere ▐▌
█ You'll be prompted twice to enter password, you can't paste it in or see ▐▌
█ it being typed. ▐▌
█ It will reply: ▐▌
█ Adding password for user NameHere ▐▌
█ ▐▌
█ chmod 644 /etc/apache2/.htpasswd ▐▌
█ *Note in the above cmd 'htpasswd -cm...' the 'c' creates the file and the ▐▌
█ 'm' stores the password as an MD5 hash instead of the default crypt(). If ▐▌
█ you use -c only in the cmd and have a password longer than 8 characters ▐▌
█ (which you should) it will only use the first 8 characters of your ▐▌
█ password. So for example if your password is mewbiesrulez, your user can ▐▌
█ log in with the password mewbiesr. ▐▌
█ ▐▌
█ 2. Now we need to add the settings for the .htpasswd file to Apache. For ▐▌
█ myself I have the entire website password protected- adjust to your needs: ▐▌
█ pico /etc/apache2/sites-available/default ▐▌
█ The '2nd Directory section' has this: ▐▌
█ <Directory /var/www/> ▐▌
█ Options -Indexes FollowSymLinks MultiViews ▐▌
█ AllowOverride None ▐▌
█ Order allow,deny ▐▌
█ allow from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ Change to: ▐▌
█ <Directory /var/www/> ▐▌
█ Options -Indexes FollowSymLinks MultiViews ▐▌
█ AllowOverride AuthConfig ▐▌
█ Order allow,deny ▐▌
█ allow from all ▐▌
█ AuthUserFile /etc/apache2/.htpasswd ▐▌
█ AuthGroupFile /dev/null ▐▌
█ AuthName "Authorization Required" ▐▌
█ AuthType Basic ▐▌
█ require user YourName ▐▌
█ </Directory> ▐▌
█ ▐▌
█ Or if you want to only password protect for example /var/www/MyStuff, then ▐▌
█ Instead of: <Directory /var/www/> ▐▌
█ It would be: <Directory /var/www/MyStuff/> ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ I've found HERE a good simple tutorial on other methods to protect a ▐▌
█ single directory and or file, etc. ▐▌
█ ▐▌
█ SSL | HTTPS: ▐▌
█ ```````````` ▐▌
█ 1. CREATE A SSL CERTIFICATE: ▐▌
█ If you want your server to use SSL - HTTPS you'll need to do a few steps. ▐▌
█ Let's start by making a certificate for it. This method is for a ▐▌
█ self-signed certificate and not the type that you pay for: ▐▌
█ A. First find out your server name stated in your Apache: ▐▌
█ cat /etc/apache2/apache2.conf | grep ServerName ▐▌
█ cat /etc/apache2/sites-available/ssl | grep ServerName ▐▌
█ or you could do: hostname ▐▌
█ These don't always match depending on your configuration. ▐▌
█ Output will be similar to: ServerName "mewbies.com" ▐▌
█ Note: cat /etc/hosts and hostname don't always match depending on your ▐▌
█ configuration. The cert should match what is in your Apache config. SSL ▐▌
█ will still work but your Apache logs will have repeated warnings about it: ▐▌
█ tail -10 /var/log/apache2/error.log | grep RSA ▐▌
█ [warn] RSA server certificate CommonName (CN) `mewbies.com' does NOT match server name!?
█ You can safely ignore these warnings. I've not been able to fix that ▐▌
█ warning after doing Wheezy upgrade :/ so I just ignore it for now... ▐▌
█ ▐▌
█ B. su ▐▌
█ apt-get install openssl ssl-cert ▐▌
█ ▐▌
█ C. This method will create your certificate valid for 10 years, not 1 ▐▌
█ month like some other methods I have read: ▐▌
█ /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
█ i. You will be prompted for your 'host name' (this will become the ▐▌
█ 'commonName' field of the generated SSL certificate). Clear all of the ▐▌
█ default entry 'localhost' first by pressing your back key numerous ▐▌
█ times if the cert window is hard to view. Then enter the output from ▐▌
█ previous step A. for hostname. Use your arrow key to select 'Ok' ▐▌
█ then press your Enter key. ▐▌
█ ii. You'll then be prompted to: Please enter any additional names to use ▐▌
█ in the SSL certificate. If you do not have more names to add; leave it ▐▌
█ blank, select Ok and you are done. ▐▌
█ ▐▌
█ If you did make a mistake just delete the apache.pem it created (or ▐▌
█ whatever you named it): rm /etc/apache2/ssl/apache.pem ▐▌
█ and then run the cmd above again. ▐▌
█ To view the host name/commonName that is on your cert: ▐▌
█ openssl x509 -in /etc/apache2/ssl/apache.pem -noout -subject ▐▌
█ Output similar to: subject= /CN=mewbies.com ▐▌
█ ▐▌
█ 2. ENABLE SSL MODULES: ▐▌
█ Now, to enable SSL: ▐▌
█ a2enmod ssl ▐▌
█ This will reply: Enabling module ssl. ▐▌
█ You might notice this simply linked the needed files; ssl.conf & ssl.load ▐▌
█ from /etc/apache2/mods-available to /etc/apache2/mods-enabled/ ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ ▐▌
█ 3. CREATE AN APACHE SSL FILE: ▐▌
█ Create an SSL configuration file for Apache: ▐▌
█ cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl ▐▌
█ Enable that file by way of a link (if you edit one, both will be edited): ▐▌
█ ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl ▐▌
█ Now we need to change all instances of port 80 to 443 and insert these two ▐▌
█ lines: ▐▌
█ SSLEngine On ▐▌
█ SSLCertificateFile /etc/apache2/ssl/apache.pem ▐▌
█ Here is my complete SSL file, be sure to change ▐▌
█ a. 'yoursite.com' to your domain ▐▌
█ b. 'require user YourName' to your name for the .htpasswd we created ▐▌
█ earlier: ▐▌
█ pico /etc/apache2/sites-enabled/ssl ▐▌
█ <VirtualHost *:443> ▐▌
█ ServerAdmin webmaster@localhost ▐▌
█ ServerName yoursite.com ▐▌
█ ▐▌
█ DocumentRoot /var/www/ ▐▌
█ SSLEngine On ▐▌
█ SSLCertificateFile /etc/apache2/ssl/apache.pem ▐▌
█ ▐▌
█ <Directory /> ▐▌
█ Options None ▐▌
█ AllowOverride None ▐▌
█ </Directory> ▐▌
█ <Directory /var/www/> ▐▌
█ Options -Indexes FollowSymLinks MultiViews ▐▌
█ AllowOverride AuthConfig ▐▌
█ Order allow,deny ▐▌
█ allow from all ▐▌
█ AuthUserFile /etc/apache2/.htpasswd ▐▌
█ AuthGroupFile /dev/null ▐▌
█ AuthName "Authorization Required" ▐▌
█ AuthType Basic ▐▌
█ require user YourName ▐▌
█ </Directory> ▐▌
█ ▐▌
█ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ ▐▌
█ <Directory "/usr/lib/cgi-bin"> ▐▌
█ AllowOverride None ▐▌
█ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch ▐▌
█ Order allow,deny ▐▌
█ Allow from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ ErrorLog /var/log/apache2/error.log ▐▌
█ ▐▌
█ # Possible values include: debug, info, notice, warn, error, crit, ▐▌
█ # alert, emerg. ▐▌
█ LogLevel warn ▐▌
█ ▐▌
█ CustomLog /var/log/apache2/access.log combined ▐▌
█ ▐▌
█ Alias /doc/ "/usr/share/doc/" ▐▌
█ <Directory "/usr/share/doc/"> ▐▌
█ Options -Indexes MultiViews FollowSymLinks ▐▌
█ AllowOverride None ▐▌
█ Order deny,allow ▐▌
█ Deny from all ▐▌
█ Allow from 127.0.0.0/255.0.0.0 ::1/128 ▐▌
█ </Directory> ▐▌
█ ▐▌
█ </VirtualHost> ▐▌
█ ▐▌
█ 4. APACHE LISTENING ON 443: ▐▌
█ I didn't need to do this, but some need to. Make sure that your apache is ▐▌
█ listening for users on port 443: ▐▌
█ pico /etc/apache2/ports.conf ▐▌
█ Mine has this (replace Listen 123.456.789:80 with your site's IP) ▐▌
█ NameVirtualHost *:80 ▐▌
█ Listen 123.456.789:80 ▐▌
█ ▐▌
█ <IfModule mod_ssl.c> ▐▌
█ # SSL name based virtual hosts are not yet supported, therefore no ▐▌
█ # NameVirtualHost statement here ▐▌
█ Listen 123.456.789:443 ▐▌
█ </IfModule> ▐▌
█ ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ Done :) Now go to your https site, you'll be prompted to accept an invalid ▐▌
█ certificate; as it's self signed. ▐▌
█ View logs if other errors: cat /var/log/apache2/error.log ▐▌
█ ▐▌
█ FORCE REDIRECT HTTP TO SSL HTTPS: ▐▌
█ ````````````````````````````````` ▐▌
█ For my other site I have the entire web-site redirected to https. If you ▐▌
█ don't want the entire site but only a certain area; see comment below ▐▌
█ the settings. ▐▌
█ su ▐▌
█ To enable the rewrite module (change your.site.com to your domain): ▐▌
█ a2enmod rewrite ▐▌
█ pico /etc/apache2/sites-available/default ▐▌
█ Has this: ▐▌
█ <VirtualHost *:80> ▐▌
█ ServerAdmin webmaster@localhost ▐▌
█ ▐▌
█ DocumentRoot /var/www/ ▐▌
█ ▐▌
█ Changed to: ▐▌
█ <VirtualHost *:80> ▐▌
█ ServerAdmin webmaster@localhost ▐▌
█ RewriteEngine on ▐▌
█ RewriteRule ^/(.*) https://your.site.com/$1 ▐▌
█ ▐▌
█ DocumentRoot /var/www/ ▐▌
█ ▐▌
█ ▐▌
█ Or to only have https on a certain area of your site for example directory ▐▌
█ named 'mewbies' enter settings like this for the above: ▐▌
█ RewriteRule ^/(mewbies.*) https://your.site.com/$1 ▐▌
█ ▐▌
█ /etc/init.d/apache2 reload ▐▌
█ exit ▐▌
█ ▐▌
█ Now test that by going to http://your.site.com/mewbies , you'll be ▐▌
█ redirected to https://your.site.com/mewbies ▐▌
█ *Note: Something I have noticed with this setting if you have an ▐▌
█ authentication mode for that area: ▐▌
█ When I go to my site http://your.site.com/mewbies ▐▌
█ I'll first be prompted for login- name and pass, submit those, and then ▐▌
█ only are users redirected to https. In other words it seems as though the ▐▌
█ name/pass is being sent via http, then only are users redirected to https ▐▌
█ mode... Definitely this is something to work out and find correct method. ▐▌
█ ▐▌
█ TO CHANGE SIZE OF FILES ALLOWED TO UPLOAD: ▐▌
█ `````````````````````````````````````````` ▐▌
█ To allow large file uploads you must change the settings on your PHP & ▐▌
█ Apache conf files, we'll use 600MB file size as the example, change it to ▐▌
█ your own needs: ▐▌
█ pico /etc/php5/apache2/php.ini ▐▌
█ or if you are PHP4: ▐▌
█ pico /etc/php4/apache2/php.ini ▐▌
█ ▐▌
█ Search for (Ctrl +w): upload_max_filesize ▐▌
█ Change to: ▐▌
█ upload_max_filesize = 600M ▐▌
█ ▐▌
█ Search for: post_max_size ▐▌
█ Has this: ▐▌
█ post_max_size = 8M ▐▌
█ Change to (it must be larger than upload_max_filesize): ▐▌
█ post_max_size = 700M ▐▌
█ ▐▌
█ Search for: memory_limit ▐▌
█ Has this: memory_limit = 128M ▐▌
█ Change to, if you don't want any limit: ▐▌
█ memory_limit = -1 ▐▌
█ Or change to (it must be larger than post_max_size): ▐▌
█ memory_limit = 800M ▐▌
█ ▐▌
█ Search for: max_execution_time ▐▌
█ Has this: max_execution_time = 30 ▐▌
█ Change to for example: ▐▌
█ max_execution_time = 9600 ▐▌
█ ▐▌
█ Search for (just below max_execution_time): max_input_time = 60 ▐▌
█ Has this: max_input_time = 60 ▐▌
█ Change to: max_input_time = 3600 ▐▌
█ ▐▌
█ Done, save the changes. ▐▌
█ ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ Search for: LimitRequestBody ▐▌
█ If your conf does not have this line; add it ▐▌
█ Has this: LimitRequestBody 102400 ▐▌
█ Change to: ▐▌
█ LimitRequestBody 600000000 ▐▌
█ ▐▌
█ You can set it from 0 (meaning unlimited) up to 2147483647 bytes (2GB). ▐▌
█ ▐▌
█ Restart your web server: ▐▌
█ /etc/init.d/apache2 restart ▐▌
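
The "must be larger than" ordering above can be checked mechanically. This is an added example, not part of the original tutorial: it converts PHP's shorthand sizes to bytes and compares them with Apache's LimitRequestBody, using the values from this section as constructed sample input (all function names are made up for the example).

```python
import re

# PHP ini shorthand: K, M and G are powers of 1024, not 1000.
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def php_bytes(value):
    """Convert a php.ini size such as '600M', '8M' or '-1' to bytes."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kmg]?)\s*", value, re.I)
    if not m:
        raise ValueError("not a PHP size: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def read_php_ini(text):
    """Return {name: value} from php.ini text, ignoring ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def read_limit_request_body(text):
    """Return the last LimitRequestBody value in Apache config text, or None."""
    limit = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "limitrequestbody":
            limit = int(parts[1])
    return limit


def check_upload_limits(php_ini, apache_conf):
    """List every place where the limits contradict the ordering in the text."""
    php = read_php_ini(php_ini)
    upload = php_bytes(php["upload_max_filesize"])
    post = php_bytes(php["post_max_size"])
    memory = php_bytes(php["memory_limit"])
    body = read_limit_request_body(apache_conf)
    problems = []
    if post <= upload:
        problems.append("post_max_size must be larger than upload_max_filesize")
    if memory != -1 and memory <= post:
        problems.append("memory_limit must be larger than post_max_size")
    # Unset or 0 means unlimited on the Apache 2.2 this tutorial targets.
    if body and body < upload:
        problems.append(
            "LimitRequestBody %d is below upload_max_filesize (%d bytes)"
            % (body, upload))
    return problems


# Constructed sample input: the values this section tells you to set.
PHP_INI = """\
upload_max_filesize = 600M
post_max_size = 700M
memory_limit = 800M   ; or -1 for no limit
"""
APACHE_CONF = "LimitRequestBody 600000000\n"

if __name__ == "__main__":
    for problem in check_upload_limits(PHP_INI, APACHE_CONF):
        print("WARNING:", problem)
```

With the values above it reports that LimitRequestBody 600000000 is smaller than 600M (629145600 bytes), so Apache would refuse the largest uploads before PHP's own limit applies.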
█ ▐▌
█ APACHE AUTO RUN AFTER REBOOT: ▐▌
█ ````````````````````````````` ▐▌
█ To have apache2 run after rebooting the machine you'll need to either: ▐▌
█ 1. Manually add it to the sysv-rc-conf list; shows what will be started on ▐▌
█ reboot: ▐▌
█ su ▐▌
█ sysv-rc-conf ▐▌
█ To navigate use arrow key, use space key to toggle an item on [X] or ▐▌
█ off [ ] ▐▌
█ Toggle on 2-5 for apache2 ▐▌
█ q to quit that window ▐▌
█ ▐▌
█ Or you can issue that with a cmd: ▐▌
█ sysv-rc-conf apache2 on ▐▌
█ Which will toggle on 2-5. ▐▌
█ To turn it off: sysv-rc-conf apache2 off ▐▌
█ To view the list: sysv-rc-conf --list ▐▌
█ exit ▐▌
█ ▐▌
█ SECURITY TIPS: ▐▌
█ `````````````` ▐▌
█ For 'Ten Tips Securing Apache' read HERE. This is what I did for what ▐▌
█ applied to my installation and some others: ▐▌
█ *Note: most of these changes will require root, su, so you don't need to ▐▌
█ 'exit' if you are going to continue to the next one. Remember su su mew! ▐▌
█ 1. (1) KEEP YOUR SYSTEM UP TO DATE: ▐▌
█ See my NIX UP TO DATE tutorial. ▐▌
█ ▐▌
█ 2. (3) DON'T GIVE AWAY PROGRAM INFORMATION: ▐▌
█ Why give away information that could potentially help a newbie hacker? ▐▌
█ Make them work a little more for it :p. If I were to go to a non existing ▐▌
█ URL on my site (not this site) I would see something like this: ▐▌
█ Not Found ▐▌
█ The requested URL /testing was not found on this server. ▐▌
█ Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch ▐▌
█ mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 ▐▌
█ Perl/v5.10.0 Server at 123.456.789 Port 80 ▐▌
█ ▐▌
█ That's just too much info. ▐▌
█ su ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ Add these 2 lines at the bottom: ▐▌
█ ServerTokens Prod ▐▌
█ ServerSignature Off ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ I test it by going to http://mysite.com/mewbies and this is now what the ▐▌
█ page states: ▐▌
█ Not Found ▐▌
█ The requested URL /mewbies was not found on this server. ▐▌
█ sweet ▐▌
█ You of course could make a custom error page to redirect users to as well. ▐▌
█ ▐▌
█ 3. (4) INSTALL A FIREWALL mod_security ▐▌
█ See my tutorial for mod_security ▐▌
█ ▐▌
█ 4. (7) BE SPECIFIC ON WHAT IP:PORT APACHE LISTENS ON: ▐▌
█ The default 'Listen 80' directive tells Apache to listen to every IP ▐▌
█ address on port 80. ▐▌
█ ▐▌
█ su ▐▌
█ pico /etc/apache2/ports.conf ▐▌
█ Has this: ▐▌
█ Listen 80 ▐▌
█ ▐▌
█ Change to, replacing 123.456.789 with your domain's IP: ▐▌
█ NameVirtualHost *:80 ▐▌
█ Listen 123.456.789:80 ▐▌
█ ▐▌
█ If you are using https site add this as well after: ▐▌
█ <IfModule mod_ssl.c> ▐▌
█ # SSL name based virtual hosts are not yet supported, therefore no ▐▌
█ # NameVirtualHost statement here ▐▌
█ Listen 123.456.789:443 ▐▌
█ </IfModule> ▐▌
█ ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ 5. (8) KEEP USERS OUT OF ROOT / : ▐▌
█ su ▐▌
█ pico /etc/apache2/sites-available/default ▐▌
█ Has this: ▐▌
█ <Directory /> ▐▌
█ Options FollowSymLinks ▐▌
█ AllowOverride None ▐▌
█ Order Deny,Allow ▐▌
█ Deny from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ Change to: ▐▌
█ <Directory /> ▐▌
█ Options None ▐▌
█ AllowOverride None ▐▌
█ Order Deny,Allow ▐▌
█ Deny from all ▐▌
█ </Directory> ▐▌
█ ▐▌
█ same for this file: ▐▌
█ pico /etc/apache2/sites-available/ssl ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ 6. (10) PREVENT DOS/DENIAL OF SERVICE ATTACKS: ▐▌
█ See a chart HERE for setting recommendations. ▐▌
█ su ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ ▐▌
█ Has: Timeout 300 ▐▌
█ Change to: Timeout 30 ▐▌
█ ▐▌
█ Has: KeepAliveTimeout 5 ▐▌
█ Change to: KeepAliveTimeout 2 ▐▌
█ ▐▌
█ 'LimitRequestBody 102400' would be to limit the size per file uploaded to ▐▌
█ 102400 bytes. ▐▌
█ Settings can be from 0 (meaning unlimited) to 2147483647 (2GB). ▐▌
█ I want to allow 600MB so 'add' these lines: ▐▌
█ LimitRequestBody 600000000 ▐▌
█ LimitRequestFields 50 ▐▌
█ LimitRequestFieldSize 8190 ▐▌
█ LimitRequestLine 8190 ▐▌
█ ▐▌
█ Has this: ▐▌
█ MaxClients 150 ▐▌
█ Since my site is private, with very few people, I changed it to: ▐▌
█ MaxClients 5 ▐▌
█ ▐▌
█ Moving on... ▐▌
█ If you have PHP files you'll need to change the settings for upload max ▐▌
█ size as well to match your above settings: ▐▌
█ pico /etc/php5/apache2/php.ini ▐▌
█ and ▐▌
█ pico /etc/php4/apache2/php.ini ▐▌
█ ▐▌
█ Has this: ▐▌
█ upload_max_filesize = 2M ▐▌
█ post_max_size = 8M ▐▌
█ ▐▌
█ Change to: ▐▌
█ upload_max_filesize = 6M ▐▌
█ post_max_size = 8M ▐▌
█ ▐▌
█ /etc/init.d/apache2 reload ▐▌
█ exit ▐▌
█ ▐▌
█ 7. DISABLE USERS FROM BROWSING DIRECTORIES THAT DO NOT HOLD WEB PAGES: ▐▌
█ su ▐▌
█ pico /etc/apache2/apache2.conf ▐▌
█ Change this: ▐▌
█ Options Indexes FollowSymLinks Includes ExecCGI ▐▌
█ To: ▐▌
█ Options -Indexes FollowSymLinks Includes ExecCGI ▐▌
█ ▐▌
█ and 2 instances of Indexes here: ▐▌
█ pico /etc/apache2/sites-available/default ▐▌
█ Change this: ▐▌
█ <Directory /var/www/> ▐▌
█ Options Indexes FollowSymLinks MultiViews ▐▌
█ ▐▌
█ and ▐▌
█ <Directory "/usr/share/doc/"> ▐▌
█ Options Indexes MultiViews FollowSymLinks ▐▌
█ ▐▌
█ To: ▐▌
█ <Directory /var/www/> ▐▌
█ Options -Indexes FollowSymLinks MultiViews ▐▌
█ ▐▌
█ and ▐▌
█ <Directory "/usr/share/doc/"> ▐▌
█ Options -Indexes MultiViews FollowSymLinks ▐▌
█ ▐▌
█ ▐▌
█ /etc/init.d/apache2 restart ▐▌
█ exit ▐▌
█ ▐▌
█ Test this by making a directory in your website, copy over a file into ▐▌
█ that new directory, then go to that URL. You will now be denied. ▐▌
█ ▐▌
█ 8. SAFER METHODS TO OBTAIN YOUR PHP INFORMATION, phpinfo() read HERE. ▐▌
█ ▐▌
█ 9. DISABLE PHP EASTER EGGS: ▐▌
█ These Easter eggs can reveal information about your PHP such as version ▐▌
█ and which modules are installed. If you would like to view these click ▐▌
█ HERE. To disable them: ▐▌
█ su ▐▌
█ pico /etc/php5/apache2/php.ini ▐▌
█ or if you are using PHP4: ▐▌
█ pico /etc/php4/apache2/php.ini ▐▌
█ Search for (Ctrl +w): expose_php ▐▌
█ Change: ▐▌
█ expose_php = On ▐▌
█ To: ▐▌
█ expose_php = Off ▐▌
█ ▐▌
█ Restart your web server: ▐▌
█ /etc/init.d/apache2 restart ▐▌
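
The checks from Security Tips 2, 4 and 7, together with the login-before-redirect note in the FORCE REDIRECT section, can be run over a config file in one pass. This is an added example, not part of the original tutorial: audit_apache, the finding texts and both sample configs are constructed for it, and using Redirect in the hardened sample is this example's choice rather than the tutorial's RewriteRule. It also flags Options lines that mix -Indexes with unsigned keywords, which the Apache 2.2 documentation calls invalid syntax and Apache 2.4 rejects at startup.

```python
import re


def audit_apache(conf_text):
    """Return sorted (line_number, finding) pairs for Apache 2.2-style config.

    Line 0 marks a directive that is missing from the text altogether, so the
    text is assumed to be the complete merged configuration.
    """
    findings = []
    tokens = None        # last ServerTokens value seen
    vhost_port = None    # port of the enclosing <VirtualHost>, if any
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+[^>]*:(\d+)\s*>", line, re.I)
        if opened:
            vhost_port = opened.group(1)
            continue
        if line.lower().startswith("</virtualhost"):
            vhost_port = None
            continue
        name, args = line.split()[0].lower(), line.split()[1:]
        if name == "servertokens" and args:
            tokens = args[0].lower()
        elif name == "serversignature" and args and args[0].lower() != "off":
            findings.append((lineno, "ServerSignature is not Off"))
        elif name == "listen" and args and ":" not in args[0]:
            findings.append((lineno, "Listen has no IP, binds every address"))
        elif name == "options":
            signed = [a for a in args if a[0] in "+-"]
            if signed and len(signed) != len(args):
                findings.append((lineno, "Options mixes +/- with bare keywords"))
            enabled = {a.lstrip("+").lower() for a in args if a[0] != "-"}
            if enabled & {"indexes", "all"}:
                findings.append((lineno, "Options enables Indexes"))
        elif name == "authtype" and args and args[0].lower() == "basic":
            # Basic auth sends the password base64-encoded, not encrypted.
            if vhost_port == "80":
                findings.append((lineno, "Basic auth in a port 80 vhost"))
    if tokens not in ("prod", "productonly"):
        findings.append((0, "ServerTokens is not Prod"))
    return sorted(findings)


# Constructed sample: the "before" settings the tutorial starts from.
WEAK = """\
ServerSignature On
Listen 80
<VirtualHost *:80>
    <Directory /var/www/>
        Options -Indexes FollowSymLinks MultiViews
        AuthType Basic
    </Directory>
    <Directory "/files/wallpaper">
        Options Indexes FollowSymLinks Includes ExecCGI
    </Directory>
</VirtualHost>
"""

# Constructed sample: port 80 only redirects, auth lives in the 443 vhost.
# 192.0.2.10 is a documentation address standing in for the server's IP.
HARDENED = """\
ServerTokens Prod
ServerSignature Off
Listen 192.0.2.10:80
Listen 192.0.2.10:443
<VirtualHost *:80>
    Redirect permanent / https://your.site.com/
</VirtualHost>
<VirtualHost *:443>
    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        AuthType Basic
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, finding in audit_apache(WEAK):
        print("line %d: %s" % (lineno, finding))
```

The hardened sample leaves the port 80 vhost with nothing but a redirect, so there is no login prompt that could be answered over plain HTTP.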
█ ▐▌
█ APACHE2 LOGS: ▐▌
█ ````````````` ▐▌
█ To disable logs and or change log rotation settings view my tutorial ▐▌
█ HERE. ▐▌
█ ▐▌
█ OTHER PROGRAMS NEEDED FOR VARIOUS WEB APPS: ▐▌
█ ``````````````````````````````````````````` ▐▌
█ JAVA: ▐▌
█ su ▐▌
█ aptitude install sun-java5-jdk sun-java5-jre sun-java5-plugin ▐▌
█ or ▐▌
█ aptitude install sun-java6-jdk sun-java6-jre sun-java6-plugin ▐▌
█ use tab key to select OK and yes to license terms ▐▌
█ exit ▐▌
█ ▐▌
█ PERL: ▐▌
█ su ▐▌
█ aptitude install perl ▐▌
█ exit ▐▌
█ ▐▌
█ IONCUBE OR ZEND ENCODED FILES: Read HERE. ▐▌
█ ▐▌
█ MOD_SECURITY - FIREWALL FOR APACHE: Read HERE ▐▌
█ ▐▌
█ PYTHON MODS - MOD_WSGI AND MOD_PYTHON: Read HERE ▐▌
█ (libapache2-mod-python or libapache2-mod-wsgi / mod_wsgi.so) ▐▌
█ ▐▌
█ RAR FILES - ENABLE THE VIEWING & EXTRACTION; UNRAR: Read HERE ▐▌
█ ▐▌
█ TOMCAT - DEPLOYING WAR FILES: Read HERE. ▐▌
█ ▐▌
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions, and or questions please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 18 Nov '13 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██