Web Hosting tunning guide

[NetNappy]

Well,, I'm very new for web administration, but if you guy could guide me on how to tune up the web server stuff, please I am very appreciate your help.

Coz, I just wonder on my ftp session or ssh session won't be timed out, and it's not only this things that I am finding out, I believe there will be somethings else that I have to tune up, but I just don't know because I am newbie.

Thanks for your help

 

[NightStorm]

http://eth0.us

 

[VIB-host]

Originally posted by NightStorm
http://eth0.us

This is useless junk to the question

Go to your OS vendors homepage and/or find a forum that provide good support for you OS and ask there. You will find people out there in the opensource enviroment there will Tune your box for "free" and many of them are actually pretty good at it.

You can also go to 4psa.com they provite such an service for about 99 dollars, well spended if you ask me.

 

[NightStorm]

I must have missed the part about step-by-step walkthroughs on kernel upgrade, securing /tmp, tuning Apache and MySQL, and tweaking to help combat DOS attacks and URL exploits is useless junk.
Not to mention how to disable direct root login, install mod_security, APF, patching php...
He asked for info on how to tune the server, and I think he would find a lot of helpful tips at the link. Could you perhaps explain how it's useless?

Paying someone else to do all the work for you is fine and dandy, but it doesn't help you when something goes wrong and you still have no clue how to navigate your own server. If you're going to be a sysadmin, you need to know where things are, and how things work. Learning how to manage your own server is far from "useless junk".

 

[VIB-host]

yep, but sending a guy to a page NOT describing any of the things he ask for is pretty useless.

he was asking for how to tune his server nt securing etc. of other stuff.

 

[phatPhrog]

If you are running the latest update of Plesk 8/Fedora Core 4 all you need to do is run

yum update

For mod_security, just run: yum install mod_security - and 1.9.4 is installed.

The /etc/httpd/conf.d/mod_security.conf is a default file that needs some work.

Best to use http://gotroot.com help on mod_security.

I have a script that updates the rules which comes in quite handy.

 

[eWebtricity]

Check out this guide for some web server tuning tips.

http://www.webhostingtalk.com/showthread.php?t=340239

 

[VIB-host]

Thanks

This was a couple of good links, thanks

 

[Highland]

Originally posted by phatPhrog
If you are running the latest update of Plesk 8/Fedora Core 4 all you need to do is run

yum update

For mod_security, just run: yum install mod_security - and 1.9.4 is installed.

The /etc/httpd/conf.d/mod_security.conf is a default file that needs some work.

Best to use http://gotroot.com help on mod_security.

I have a script that updates the rules which comes in quite handy.

mod_security is in the ASL channel which requires a subscription

 

[phatPhrog]

With the current FC4/Plesk 8 on Linux mod_security can be installed without adding ART or ASL channels to yum.conf or to an /etc/yum.respos.d/art.repo file.

The "extras" channel installs it:

http://download.fedora.redhat.com/pub/fedora/linux/extras/4/SRPMS/

yum install mod_security

It installs a default /etc/httpd/conf.d/mod_security.conf that is in real need of tweaking though.

Again, this holds true for Fedora Core 4 yum channels.

NOTE: the default is set to the development channels so you will need to add/edit your EXTRAS channel per

http://download.fedora.redhat.com/pub/fedora/linux/extras/EXTRAS

 

[VIB-host]

any one done this on a freebsd yet?

 

[gee_fin]

I have a script that updates the rules which comes in quite handy.

Hi, I've just installed the mod_security and grabbed the current rules from gotroot, their auto script is giving me issues though. I would be really grateful if you could post the script that you are using to gather the rules.

Cheers,
Graeme.

 

[phatPhrog]

#!/bin/sh
#
# Autoupdater for modsec rulesets.
#
# This script will attempt to update your rulefiles, and restart apache.
# If it apache does not start after changing rules, it will roll back to
# the old ruleset and restart apache again.
#

APACHESTART="/usr/sbin/apachectl start"
MODSECPATH="/etc/modsecurity"
APACHEPID="/var/run/httpd.pid"

##########################################################################
######### you probably don't need to change anything below here ##########
##########################################################################

# urls
BLACKLIST="http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf"
BLACKLIST2="http://www.gotroot.com/downloads/ftp/mod_security/blacklist2.conf"
RULES="http://www.gotroot.com/downloads/ftp/mod_security/rules.conf"
APACHE2="http://www.gotroot.com/downloads/ftp/mod_security/apache2-rules.conf"
USERAGENTS="http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf"
ROOTKITS="http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf"
EXCLUDE="http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf"
PROXY="http://www.gotroot.com/downloads/ftp/mod_security/proxy.conf"

# internal
PID=`cat ${APACHEPID}`
UPDATED=0

echo -n "Changing PWD: "
cd ${MODSECPATH}
echo `pwd`

# blacklist
echo -n "Updating blacklist.conf: "
/usr/bin/wget -t 30 -O blacklist.conf.1 -q ${BLACKLIST}
if [ `md5sum blacklist.conf | cut -d " " -f1` != `md5sum blacklist.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv blacklist.conf blacklist.conf.bak
        /bin/mv blacklist.conf.1 blacklist.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f blacklist.conf.1
fi

# blacklist2
echo -n "Updating blacklist2.conf: "
/usr/bin/wget -t 30 -O blacklist2.conf.1 -q ${BLACKLIST2}
if [ `md5sum blacklist2.conf | cut -d " " -f1` != `md5sum blacklist2.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv blacklist2.conf blacklist2.conf.bak
        /bin/mv blacklist2.conf.1 blacklist2.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f blacklist2.conf.1
fi

# rules
echo -n "Updating rules.conf: "
/usr/bin/wget -t 30 -O rules.conf.1 -q ${RULES}
if [ `md5sum rules.conf | cut -d " " -f1` != `md5sum rules.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv rules.conf rules.conf.bak
        /bin/mv rules.conf.1 rules.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f rules.conf.1
fi

# apache2 rules
echo -n "Updating apache2-rules.conf: "
/usr/bin/wget -t 30 -O apache2-rules.conf.1 -q ${APACHE2}
if [ `md5sum apache2-rules.conf | cut -d " " -f1` != `md5sum apache2-rules.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv apache2-rules.conf apache2-rules.conf.bak
        /bin/mv apache2-rules.conf.1 apache2-rules.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f apache2-rules.conf.1
fi

# useragents
echo -n "Updating useragents.conf: "
/usr/bin/wget -t 30 -O useragents.conf.1 -q ${USERAGENTS}
if [ `md5sum useragents.conf | cut -d " " -f1` != `md5sum useragents.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv useragents.conf useragents.conf.bak
        /bin/mv useragents.conf.1 useragents.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f useragents.conf.1
fi

# rootkits
echo -n "Updating rootkits.conf: "
/usr/bin/wget -t 30 -O rootkits.conf.1 -q ${ROOTKITS}
if [ `md5sum rootkits.conf | cut -d " " -f1` != `md5sum rootkits.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv rootkits.conf rootkits.conf.bak
        /bin/mv rootkits.conf.1 rootkits.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f rootkits.conf.1
fi

# exclude
echo -n "Updating exclude.conf: "
/usr/bin/wget -t 30 -O exclude.conf.1 -q ${EXCLUDE}
if [ `md5sum exclude.conf | cut -d " " -f1` != `md5sum exclude.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv exclude.conf exclude.conf.bak
        /bin/mv exclude.conf.1 exclude.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f exclude.conf.1
fi

# proxy
echo -n "Updating proxy.conf: "
/usr/bin/wget -t 30 -O proxy.conf.1 -q ${EXCLUDE}
if [ `md5sum proxy.conf | cut -d " " -f1` != `md5sum proxy.conf.1 | cut -d " " -f1` ] ; then
        /bin/mv proxy.conf proxy.conf.bak
        /bin/mv proxy.conf.1 proxy.conf
        UPDATED=`expr $UPDATED + 1`
        echo "ok."
else
        echo "allready up to date."
        /bin/rm -f proxy.conf.1
fi

        cd /etc/modsecurity
        chmod 0750 *conf
        chmod 0700 *bak

# try restart
if [ "$UPDATED" -gt "0" ]; then
        echo -n "Restarting apache: "
        /bin/kill -HUP ${PID} 2>/dev/null
        # did it work?
        if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
                echo "ok."
                exit 0
        fi
        echo "error. Apache not running."

        # blacklist
        echo -n "Rolling back blacklist.conf: "
        /bin/mv blacklist.conf blacklist.conf.new
        /bin/mv blacklist.conf.bak blacklist.conf
        echo "ok."

        # blacklist2
        echo -n "Rolling back blacklist2.conf: "
        /bin/mv blacklist2.conf blacklist2.conf.new
        /bin/mv blacklist2.conf.bak blacklist2.conf
        echo "ok."

        # rules
        echo -n "Rolling back rules.conf: "
        /bin/mv rules.conf rules.conf.new
        /bin/mv rules.conf.bak rules.conf
        echo "ok."

        # apache2 rules
        echo -n "Rolling back apache2-rules.conf: "
        /bin/mv apache2-rules.conf apache2-rules.conf.new
        /bin/mv apache2-rules.conf.bak apache2-rules.conf
        echo "ok."

        # useragents
        echo -n "Rolling back useragents.conf: "
        /bin/mv useragents.conf useragents.conf.new
        /bin/mv useragents.conf.bak useragents.conf
        echo "ok."

        # rootkits
        echo -n "Rolling back rootkits.conf: "
        /bin/mv rootkits.conf rootkits.conf.new
        /bin/mv rootkits.conf.bak rootkits.conf
        echo "ok."

        # exclude
        echo -n "Rolling back exclude.conf: "
        /bin/mv exclude.conf exclude.conf.new
        /bin/mv exclude.conf.bak exclude.conf
        echo "ok."

        # proxy
        echo -n "Rolling back proxy.conf: "
        /bin/mv proxy.conf proxy.conf.new
        /bin/mv proxy.conf.bak proxy.conf
        echo "ok."

        # try starting httpd again
        `${APACHESTART}`
        PID=`cat ${APACHEPID}`

        # did that fix the problem?
        if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
                echo "That did the trick."
                exit 0
        fi

        echo "Fatal: Apache still not running! Run apachectl -t to find the error."

        exit 999
fi

 

[Jllynch]

phatPhrog are you basically using the following rules on RHE 4?

BLACKLIST="http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf"
BLACKLIST2="http://www.gotroot.com/downloads/ftp/mod_security/blacklist2.conf"
RULES="http://www.gotroot.com/downloads/ftp/mod_security/rules.conf"
APACHE2="http://www.gotroot.com/downloads/ftp/mod_security/apache2-rules.conf"
USERAGENTS="http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf"
ROOTKITS="http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf"
EXCLUDE="http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf"
PROXY="http://www.gotroot.com/downloads/ftp/mod_security/proxy.conf"

If so have you had to tweak them much? That is what I am worried about, I want to add some new rules but don't want to risk breaking a lot of applications. What is a good way of testing new rules?

Justin