The Perfect Server - CentOS 5.5 x86_64 [ISPConfig 3] - Page 5
15 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP
ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.
mod_fcgid is not available in the official CentOS repositories, but there's a package for CentOS 5.x in the centos.karan.org testing repository. We enable the repository as follows:
cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
Next we open /etc/yum.repos.d/kbsingh-CentOS-Extras.repo...
vi /etc/yum.repos.d/kbsingh-CentOS-Extras.repo
... and set gpgcheck to 0 and enabled to 1 in the [kbs-CentOS-Testing] section:
[...] [kbs-CentOS-Testing] name=CentOS.Karan.Org-EL$releasever - Testing gpgcheck=0 gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt enabled=1 baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/ |
Afterwards we can install Apache2with mod_php5, mod_fcgid, and PHP5:
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel
Next we open /etc/php.ini...
vi /etc/php.ini
... and change the error reporting (so that notices aren't shown any longer) and add cgi.fix_pathinfo = 1 at the end of the file:
[...] ;error_reporting = E_ALL error_reporting = E_ALL & ~E_NOTICE [...] cgi.fix_pathinfo = 1 |
Next we install suPHP:
cd /tmp
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install
Then we add the suPHP module to our Apache configuration...
vi /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/mod_suphp.so |
... and create the file /etc/suphp.conf as follows:
vi /etc/suphp.conf
[global] ;Path to logfile logfile=/var/log/httpd/suphp.log ;Loglevel loglevel=info ;User Apache is running as webserver_user=apache ;Path all scripts have to be in docroot=/ ;Path to chroot() to before executing script ;chroot=/mychroot ; Security options allow_file_group_writeable=true allow_file_others_writeable=false allow_directory_group_writeable=true allow_directory_others_writeable=false ;Check wheter script is within DOCUMENT_ROOT check_vhost_docroot=true ;Send minor error messages to browser errors_to_browser=false ;PATH environment variable env_path=/bin:/usr/bin ;Umask to set, specify in octal notation umask=0077 ; Minimum UID min_uid=100 ; Minimum GID min_gid=100 [handlers] ;Handler for php-scripts x-httpd-suphp="php:/usr/bin/php-cgi" ;Handler for CGI-scripts x-suphp-cgi="execute:!self" |
Finally we restart Apache:
/etc/init.d/httpd restart
16 Install PureFTPd
PureFTPd can be installed with the following command:
yum install pure-ftpd
Then create the system startup links and start PureFTPd:
chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start
17 Install A Chrooted DNS Server (BIND9)
To install a chrooted BIND9, we do this:
yum install bind-chroot
Then do this:
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
touch /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf.local
vi /var/named/chroot/etc/named.conf
// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named/chroot/var/named"; dump-file "/var/named/chroot/var/named/data/cache_dump.db"; statistics-file "/var/named/chroot/var/named/data/named_stats.txt"; memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion no; allow-recursion { none; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.root"; }; include "/var/named/chroot/var/named/named.local"; |
chkconfig --levels 235 named on
/etc/init.d/named start
BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).
18 Install Vlogger And Webalizer
Vlogger and webalizer can be installed as follows:
yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
19 Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make
make install
cd ..
rm -rf jailkit-2.11*
20 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
yum install fail2ban
chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
21 Install rkhunter
rkhunter can be installed as follows:
yum install rkhunter