This tutorial is entirely dedicated to Kloxo: its security, and tricks & tips.
Install Kloxo
wget http://download.lxcenter.org/download/kloxo/production/kloxo-install-master.sh
sh ./kloxo-install-master.sh
Log in to Kloxo at your server IP on port 7778, with username admin and password admin (which you must change). Enter your DNS details and create your resource plans.

Configure mod_ruid2 for security. Quote from the Kloxo Development Forums:

"With this module, all httpd processes run under the user's access rights, not nobody or apache. mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it doesn't need to kill httpd children after one request. It makes use of kernel capabilities and, after receiving a new request, suids again.
- it runs only on Linux because AFAIK only Linux has implemented POSIX 1003.1e capabilities
- it has better performance than mod_suid2 because it doesn't need to kill httpd children after one request; it makes use of kernel capabilities and after receiving a new request suids again."
Make Repo
/etc/yum.repos.d/atomic.repo
Install mod_ruid2
yum install mod_ruid2
Kloxo's PHP code that writes the per-domain Apache configuration gets this block (the original does not name the file):

    // begin - this portion for mod_ruid2
    $string .= "<IfModule mod_ruid2.c>\n";
    $string .= "RMode config\n";
    $string .= "RUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RMinUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RGroups {$this->main->username}\n";
    $string .= "</IfModule>\n\n";
    // end
    return $string;
    }
Log in to Kloxo and change suphp to mod_php in 'Webserver Config' (mod_ruid2 only affects Apache-internal PHP; under suphp the PHP interpreter is already spawned as the domain's user). Choose 'Apache' instead of Lighttpd in 'Switch Program'. Apache is the default, so if you have not changed it since installing Kloxo there is nothing to do. If you already have domains added, regenerate their configuration:
sh /script/fixweb
Restart Apache:
service httpd restart
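After fixweb and the restart, every domain's vhost should carry its own RUidGid line; a vhost without one falls back to the global httpd user, and one pointing at root, apache or nobody defeats the purpose of the module. The following audit is an added example, not code from the tutorial or from Kloxo: it reads Apache vhost text on stdin and prints one "servername user verdict" line per <VirtualHost>. The sample config below is constructed in the shape Kloxo's generator emits; the ServerName values and user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial or Kloxo): audit Apache vhosts after
# mod_ruid2 is enabled. Flags vhosts with no RUidGid line or with a
# privileged/shared account as the RUidGid user.

# Constructed sample in the shape Kloxo's generator writes (names are assumed).
SAMPLE_VHOSTS='<VirtualHost *:80>
    ServerName good.example.com
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid alice alice
        RMinUidGid alice alice
        RGroups alice
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName shared.example.com
    <IfModule mod_ruid2.c>
        RUidGid nobody nobody
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName missing.example.com
</VirtualHost>'

# Print "<servername> <user> <verdict>" for each vhost read on stdin.
# verdict is OK, or FLAG when RUidGid is absent or names root/apache/nobody.
audit_ruid() {
    awk '
      /<VirtualHost/ { name = ""; user = ""; inhost = 1; next }
      inhost && $1 == "ServerName" { name = $2; next }
      inhost && $1 == "RUidGid"    { user = $2; next }
      /<\/VirtualHost>/ {
          verdict = "OK"
          if (user == "" || user == "root" || user == "apache" || user == "nobody")
              verdict = "FLAG"
          if (user == "") user = "(none)"
          print name, user, verdict
          inhost = 0
      }'
}

# Number of flagged vhosts; wire this into a cron check and alert when non-zero.
flagged_count() {
    audit_ruid | awk '$3 == "FLAG"' | wc -l | tr -d ' '
}

# Demo on the constructed sample; in production feed the generated vhost file(s).
printf '%s\n' "$SAMPLE_VHOSTS" | audit_ruid
```

Feed it the vhost files Kloxo generated (for example `cat /path/to/vhosts/* | audit_ruid`); anything that prints FLAG is a domain whose PHP still runs with shared privileges.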
Copy this script to /etc/init.d/firewall (reminder: disable word wrap in your text editor, e.g. nano -w /etc/init.d/firewall). The original defined the syn-flood chain but never sent any traffic through it; the jump rule below was missing and is marked.

    #!/bin/sh
    # firewall
    # chkconfig: 3 21 91
    # description: Starts, stops iptables firewall

    case "$1" in
    start)
        # Clear rules
        iptables -t filter -F
        iptables -t filter -X
        echo - Clear rules : [OK]

        # SSH In
        iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
        echo - SSH : [OK]

        # Don't break established connections
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        echo - established connections : [OK]

        # Block all connections by default
        iptables -t filter -P INPUT DROP
        iptables -t filter -P FORWARD DROP
        iptables -t filter -P OUTPUT DROP
        echo - Block all connections : [OK]

        # SYN-Flood Protection
        iptables -N syn-flood
        iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
        iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
        iptables -A syn-flood -j DROP
        # Route new TCP connection attempts through the chain. This jump was
        # missing in the original, so the chain above was never consulted.
        # Placed here, before the service ACCEPT rules, so it applies to them.
        iptables -A INPUT -p tcp --syn -j syn-flood
        echo - SYN-Flood Protection : [OK]

        # Loopback
        iptables -t filter -A INPUT -i lo -j ACCEPT
        iptables -t filter -A OUTPUT -o lo -j ACCEPT
        echo - Loopback : [OK]

        # ICMP (Ping)
        iptables -t filter -A INPUT -p icmp -j ACCEPT
        iptables -t filter -A OUTPUT -p icmp -j ACCEPT
        echo - PING : [OK]

        # DNS In/Out
        iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
        iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
        iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
        iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
        echo - DNS : [OK]

        # NTP Out
        iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
        echo - NTP : [OK]

        # WHOIS Out
        iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
        echo - WHOIS : [OK]

        # FTP Out
        iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
        # FTP In (30000:50000 is the passive-mode data port range)
        iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
        iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
        iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo - FTP : [OK]

        # HTTP + HTTPS Out
        iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
        # HTTP + HTTPS In
        iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
        iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
        echo - HTTP/HTTPS : [OK]

        # Mail SMTP:25
        iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
        echo - SMTP : [OK]

        # Mail POP3:110
        iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
        echo - POP : [OK]

        # Mail IMAP:143
        iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
        echo - IMAP : [OK]

        # Kloxo (7777 plain HTTP, 7778 HTTPS)
        iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
        iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
        echo - Kloxo : [OK]

        echo - Firewall [OK]
        exit 0
        ;;
    stop)
        echo "Stopping Firewall... "
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -t filter -F
        echo "Firewall Stopped!"
        exit 0
        ;;
    restart)
        /etc/init.d/firewall stop
        /etc/init.d/firewall start
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop|restart}"
        exit 1
        ;;
    esac

Note that SSH (22) and both Kloxo panel ports (7777 plain HTTP, 7778 HTTPS) are opened to the whole Internet by this script. If you administer from a fixed address, add -s <your IP> to those three rules, and prefer 7778 over 7777 so panel credentials are not sent in clear text. Make the script executable and register it with chkconfig (the header already carries the chkconfig runlevel line), then start the firewall:
/etc/init.d/firewall start
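A user-defined chain such as syn-flood is only effective if some rule jumps to it with -j; creating it with -N and appending rules with -A routes no traffic through it, and the "[OK]" echo says nothing about that. The following linter is an added example, not part of the tutorial: it reads an init script of this shape on stdin and prints every chain that is created but never targeted by a -j. The sample rules are a constructed, trimmed copy of the start) section; the kloxo-panel chain in it is invented to show a correctly referenced chain.

```shell
#!/bin/sh
# Added example (not from the tutorial): find iptables chains that are
# created with "-N <chain>" but never used as a "-j <chain>" target.

# Constructed sample: trimmed start) section with one unreferenced chain
# (syn-flood) and one referenced chain (kloxo-panel, invented for contrast).
SAMPLE_RULES='iptables -t filter -F
iptables -t filter -X
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
iptables -N kloxo-panel
iptables -A INPUT -p tcp --dport 7778 -j kloxo-panel
iptables -A kloxo-panel -j ACCEPT'

# Same rules with the missing jump added; the linter should report nothing.
FIXED_RULES="$SAMPLE_RULES
iptables -A INPUT -p tcp --syn -j syn-flood"

# Read script text on stdin; print each chain defined by -N that no rule
# jumps to. "-A <chain>" only appends rules inside the chain and does not
# count as a reference.
unreferenced_chains() {
    rules=$(cat)
    printf '%s\n' "$rules" |
    sed -n 's/^iptables[[:space:]].*-N[[:space:]]\{1,\}\([A-Za-z0-9_-]\{1,\}\).*/\1/p' |
    while read -r chain; do
        if ! printf '%s\n' "$rules" |
             grep -q -E -- "-j[[:space:]]+$chain([[:space:]]|$)"; then
            printf '%s\n' "$chain"
        fi
    done
}

# Demo on the constructed sample; on a real host: unreferenced_chains < /etc/init.d/firewall
printf '%s\n' "$SAMPLE_RULES" | unreferenced_chains
```

Run it against the script before enabling the service; any chain it names is dead configuration, and for a rate-limiting chain that means the protection the script announces is not in place.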
Tweaking a web server is very necessary: the fewer resources it consumes, the more stable it will be and the more websites it will be able to handle. Kloxo/lxadmin is a free control panel and has been working quite well, but the problem with it is that it uses a lot of RAM, even though the Kloxo documentation claims it only eats 33MB of RAM, which is completely wrong in my experience.
If you are running simple websites or blogs, you do not need InnoDB. InnoDB is a MySQL storage engine and is not required for simple websites, so disabling it in the MySQL that Kloxo runs will save a lot of RAM. The same goes for BDB, the Berkeley DB storage engine (it is a MySQL engine, not a Kloxo component). Two checks before you do this: make sure no database actually holds InnoDB or BDB tables (SHOW TABLE STATUS lists the engine per table), because tables of a disabled engine become inaccessible; and check your MySQL version, since BDB was removed in MySQL 5.1 and a mysqld given an option it does not know (skip-bdb on 5.1 or later) refuses to start.

1. Log in to the server using SSH.
2. Open /etc/my.cnf.
3. Add the lines that disable InnoDB and BDB under the [mysqld] section:
   skip-bdb
   skip-innodb
4. Save and close the file.
5. Restart MySQL, and you will see a large decrease in RAM usage.

RAM usage before disabling InnoDB and BDB:

    [root@mailserver1 ~]# top
    top - 07:16:22 up 2:50, 1 user, load average: 0.00, 0.00, 0.00
    Tasks: 29 total, 2 running, 27 sleeping, 0 stopped, 0 zombie
    Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
    Mem: 2097152k total, 269420k used, 1827732k free, 0k buffers
    Swap: 0k total, 0k used, 0k free, 0k cached

Disabling InnoDB and BDB:

    [root@mailserver1 etc]# cp my.cnf my.cnf.backup
    [root@mailserver1 etc]# nano my.cnf

Added:

    skip-bdb
    skip-innodb

Restart MySQL:

    [root@mailserver1 etc]# service mysqld restart
    Stopping MySQL:                                            [  OK  ]
    Starting MySQL:                                            [  OK  ]

RAM usage after:

    [root@mailserver1 etc]# top
    top - 07:18:20 up 2:52, 1 user, load average: 0.06, 0.03, 0.01
    Tasks: 29 total, 1 running, 28 sleeping, 0 stopped, 0 zombie
    Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
    Mem: 2097152k total, 163464k used, 1933688k free, 0k buffers
    Swap: 0k total, 0k used, 0k free, 0k cached

You can clearly see that RAM usage dropped from about 263MB (269420k) to about 160MB (163464k) after disabling InnoDB and BDB.