LoadModule auth_module /usr/lib/apache/1.3/mod_session.so

Please note that your Apache server must configure for Dynamic Shared Objects (DSOs). Let us assume you have downloaded the module called mymodule.c and you would like to compile and use this module, then you can use Apache apxs utility to compile and install this module:

Build and install a third-party Apache module, say mod_foo.c, into its own DSO mod_foo.so outside of the Apache source tree using apxs:

# apxs -c mymodule.c
# apxs -i -a -n mymodule mymodule.la

Then open your httpd.conf file and add mymodule using top LoadModule Directive:

# vi httpd.conf

Append following line to server config context (this means that the directive may be used in the server configuration files (e.g., httpd.conf), but not within any or containers. It is not allowed in .htaccess files at all).

LoadModule mymodule /usr/lib/httpd/modules/mymodule.so

Below example show how to enable mod_deflate module.

LoadModule deflate_module modules/mod_deflate.so

Append following configuration directive:

AddOutputFilterByType DEFLATE text/html text/plain text/xml
….
…

Above line only compress html and xml files. Here is the configuration from one of my production box:

…
…
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
…
…

Close and save the file. Next restart apache web server. All of the above extension file should compressed by mod_deflate:
# /etc/init.d/httpd restart

You can also specify specific directory and enabling compression only for the html files. For example /static/help/ directory:

AddOutputFilterByType DEFLATE text/html

In real life, there are issues with compressing other types of files such as mp3 or images. If you don’t want to compress images or mp3 files, add following to your configuration:
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary

Options Indexes FollowSymLinks
bla bla bla

To disable directory listing for that directory REMOVE the ‘Indexes’
option. Also, you can use ‘-Indexes’ for that and, sure, you can make a
new entry for a specific directory

OR

One of the “must do’s” on setting a secure apache webserver environment is to disable directory browsing. As a default Apache will be compiled with this option enabled, but its always a good idea to get rid of this setting unless its really necessary. If you have some basic knowledge of vi editor follow this steps

If you are on an RPM installation of Apache (which i dont really recommend) you will find the apache configuration file probably here:

/etc/httpd/conf/httpd.conf

If you are using apache from the source tar balls ( like real men ) probably you will find the configuration file here:

/usr/local/apache/conf/httpd.conf

Using an editor like vi , edit the httpd.conf file and scroll until you find a line like this:

Options All Indexes FollowSymLinks MultiViews

To disable directory browsing carefully remove the line that says: Indexes and leave the line like this:

Options All FollowSymLinks MultiViews

Restart your apache webserver and thats all.

vi /etc/httpd/conf/httpd.conf

————————
————————-
——————————
NameVirtualHost 67.159.54.145:80
NameVirtualHost 67.159.54.146:80

ServerName sample.com
ServerAlias www.sample.com
DocumentRoot /home/sample/public_html

ServerName techside.com
ServerAlias www.techside.com
DocumentRoot /home/techside/public_html

=============================================================
hash all lines in this file other wise default page will display

/etc/httpd/conf.d/welcome.conf

#
# This configuration file enables the default “Welcome”
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
#
# Options -Indexes
# ErrorDocument 403 /error/noindex.html
#

“No space left on device:mod_rewrite: could not create_rewrite: could not create rewrite_log_lockConfiguration Failed”

You should delete semaphores to fix it.

Listing and deleting semaphores :

# ipcs -s grep apache
# ipcs -s grep apache perl -e ‘while () { @a=split(/\s+/); print `ipcrm sem $a[1]`}’

You should be able to start apache fine now.

Create a new password file

Following command will creates a new file and stores a record in it for user jerry. The user is prompted for the password. If the file exists and cannot be read, or cannot be written, it is not altered and htpasswd will display a message and return an error status.

# htpasswd -c /home/pwww/.htpasswd user

Change or update password

To add or modifies the password for user tom, enter:

# htpasswd /home/pwww/.htpasswd-users tom

The user is prompted for the password.

————————————————————————————————————————————–
/etc/init.d/httpd restart: httpd not running, trying to start
[Tue May 6 01:31:31 2008] [warn] module bwlimited_module is already loaded, skipping
[Tue May 6 01:31:31 2008] [warn] module php5_module is already loaded, skipping
/etc/init.d/httpd: line 83: 1044 Segmentation fault (core dumped) $HTTPD
/etc/init.d/httpd restart: httpd could not be started

————————————————————————————————————————————–

One of the reasons why this could happen is the use of Resin modules along with apache. Resin modules act as a fast servlet runner for apache. It acts as a separate layer that speeds up Java servlet handling. Normally, apache doesen’t support JSP pages, Resin modules serves this function too.

Once you come across such an error, follow the steps below to bring apache back online.

1) cd /usr/local/apache/logs

2) Remove the following:

rm -rf ssl*
rm -rf core.*
rm sess*

3) Try to restart apache using apachectl and and /etc/init.d/httpd. Examine the core dump file and see if you can find out
which module is causing the module.

4) If you cannot find out which particular module is causing the issue, find out the php modules that are compiled into
apache using php -m.

5) php -m will list out the modules. You can search for each module in the httpd.conf file. Comment out each module and then try restarting apache . (use /etc/init.d/httpd startssl)Obviously, this is a trial and error method and can consume a little more time. But it is effective. By this way, we can find out which module is causing the trouble.

For example, lets say the Resin module is causing the problem. Then search for “resin” in httpd.conf. You should find something like
“ResinConfigServer 127.0.0.1 6802″ comment out the line and restart apache using /etc/init.d/httpd startssl. This should fix the problem.

The option ServerType specifies how Apache should run on the system. You can run it from the super-server inetd, or as standalone daemon. It’s highly recommended to run Apache in standalone type for better performance and speed.

ServerRoot “/etc/httpd”

The option ServerRoot specifies the directory in which the configuration files of the Apache server lives. It allows Apache to know where it can find its configuration files when it starts.

PidFile /var/run/httpd.pid

The option PidFile specifies the location where the server will record the process id of the daemon when it starts. This option is only required when you configure Apache in standalone mode.

ResourceConfig /dev/null

The option ResourceConfig specifies the location of the old srm.conf file that Apache read after it finished reading the httpd.conf file. When you set the location to /dev/null, Apache allows you to include the content of this file in httpd.conf file, and in this manner, you have just one file that handles all your configuration parameters for simplicity.

AccessConfig /dev/null

The option AccessConfig specifies the location of the old access.conf file that Apache read after it finished reading the srm.conf file. When you set the location to /dev/null, Apache allows you to include the content of this file in httpd.conf file, and in this manner, you have just one file that handles all your configuration parameters for simplicity.

Timeout 300

The option Timeout specifies the amount of time Apache will wait for a GET, POST, PUT request and ACKs on transmissions. You can safely leave this option on its default values.

KeepAlive On

The option KeepAlive, if set to On, specifies enabling persistent connections on this web server. For better performance, it’s recommended to set this option to On, and allow more than one request per connection.

MaxKeepAliveRequests 0

The option MaxKeepAliveRequests specifies the number of requests allowed per connection when the KeepAlive option above is set to On. When the value of this option is set to 0 then unlimited requests are allowed on the server. For server performance, it’s recommended to allow unlimited requests.

KeepAliveTimeout 15

The option KeepAliveTimeout specifies how much time, in seconds, Apache will wait for a subsequent request before closing the connection. The value of 15 seconds is a good average for server performance.

MinSpareServers 16

The option MinSpareServers specifies the minimum number of idle child server processes for Apache, which is not handling a request. This is an important tuning parameter regarding the performance of the Apache web server. For high load operation, a value of 16 is recommended by various benchmarks on the Internet.

MaxSpareServers 64

The option MaxSpareServers specifies the maximum number of idle child server processes for Apache, which is not handling a request. This is also an important tuning parameter regarding the performance of the Apache web server. For high load operation, a value of 64 is recommended by various benchmarks on the Internet.

StartServers 16

The option StartServers specifies the number of child server processes that will be created by Apache on start-up. This is, again, an important tuning parameter regarding the performance of the Apache web server. For high load operation, a value of 16 is recommended by various benchmarks on the Internet.

MaxClients 512

The option MaxClients specifies the number of simultaneous requests that can be supported by Apache. This too is an important tuning parameter regarding the performance of the Apache web server. For high load operation, a value of 512 is recommended by various benchmarks on the Internet.

MaxRequestsPerChild 100000

The option MaxRequestsPerChild specifies the number of requests that an individual child server process will handle. This too is an important tuning parameter regarding the performance of the Apache web server.

User www

The option User specifies the UID that Apache server will run as. It’s important to create a new user that has minimal access to the system, and functions just for the purpose of running the web server daemon.

Group www

The option Group specifies the GID the Apache server will run as. It’s important to create a new group that has minimal access to the system and functions just for the purpose of running the web server daemon.

DirectoryIndex index.htm index.html index.php index.php3 default.html index.cgi

The option DirectoryIndex specifies the files to use by Apache as a pre-written HTML directory index. In other words, if Apache can’t find the default index page to display, it’ll try the next entry in this parameter, if available. To improve performance of your web server it’s recommended to list the most used default index pages of your web site first.

Include conf/mmap.conf

The option Include specifies the location of other files that you can include from within the server configuration files httpd.conf. In our case, we include the mmap.conf file located under /etc/httpd/conf directory. This file mmap.conf maps files into memory for faster serving. See the section on Optimizing Apache for more information.

HostnameLookups Off

The option HostnameLookups, if set to Off, specifies the disabling of DNS lookups. It’s recommended to set this option to Off in order to save the network traffic time, and to improve the performance of your Apache web server.

First install SNMP with yum or with rpms

Essential rpms need are given below

net-snmp-5.3.1-14.el5.i386.rpm
net-snmp-devel-5.3.1-14.el5.i386.rpm
net-snmp-libs-5.3.1-14.el5.i386.rpm
net-snmp-perl-5.3.1-14.el5.i386.rpm
net-snmp-utils-5.3.1-14.el5.i386.rpm
perl-IO-Socket-INET6-2.51-2.fc6.noarch.rpm
perl-Socket6-0.19-3.fc6.i386.rpm

=============================================================

1. Introduction
MRTG (Multi Router Traffic Grapher) is an application that allows us to observe the traffic of a network. It generates html pages with graphs which are refreshed according to our network’s current state. Its source is written in Perl and C which means that it can be installed in every Operating System we like. We will also need SNMP daemon (Simple Network Management Protocol) which gives us information for a network. The following installation was accomplished under Linux and specifically Fedora Core 6. With some little changes it can be used and under other distros.

2. SNMP server

2.1 Installation

Initially we install the packets needed for SNMP. Yum makes this job a lot easier.

Next we make snmpd service to start automatically for the runlevels we want.
# yum install net-snmp-utils net-snmp

And we start the server.
# chkconfig –level 345 snmpd

We can see that it is running in port 199.
# service snmpd start

# netstat -natv | grep ‘:199′

tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN

2.2 Configuration

We run ‘snmpwalk’ which creates a “tree” of information for our network.

If you see an output like this one you may proceed with the MRTG installation. Else you should make some configuration first.
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2

We keep a backup of snmpd.conf just in case anything goes wrong

# cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original

We open it

# nano /etc/snmp/snmpd.conf

And do the follow changes:

* we change this line

com2sec notConfigUser default public

with those

com2sec local localhost public

com2sec mynetwork 10.0.0.0/8 public

where 10.0.0.0/8 we put what our network is

* we change those lines

group notConfigGroup v1 notConfigUser

group notConfigGroup v2c notConfigUser

with those

group MyRWGroup v1 local

group MyRWGroup v2c local

group MyRWGroup usm local

group MyROGroup v1 mynetwork

group MyROGroup v2c mynetwork

group MyROGroup usm mynetwork

* we change those lines

view systemview included .1.3.6.1.2.1.1

view systemview included .1.3.6.1.2.1.25.1.1

with this one

view all included .1 80

* we change this line

access notConfigGroup “” any noauth exact systemview none none

with those

access MyROGroup “” any noauth exact all none none

access MyRWGroup “” any noauth exact all all none

* and finally we change those lines

syslocation Unknown (edit /etc/snmp/snmpd.conf)

syscontact Root (configure /etc/snmp/snmp.local.conf)

with something like this

syslocation Linux, Fedora Core 6

syscontact Root root@localhost

2.3 Check

We restart the server to take affect of the notices

# service snmpd restart

And we run again

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Now we should see something like that

IP-MIB::ipAdEntIfIndex.10.103.0.33 = INTEGER: 2

IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

Where 10.103.0.33 is your ip address.

3. MRTG

3.1 Installation

We again use yum

# yum install mrtg

3.2 Configuration

We create the folder in which our graphs and html pages will be kept

# mkdir /var/www/html/mrtg/

And we run ‘cfgmaker’ for the configuration file to be created.

# cfgmaker –global “workdir: /var/www/mrtg” -ifref=ip –output /etc/mrtg/mrtg.cfg –global ‘options[_]: growright,bits’ public@localhost

Here you should pay notice to –output /etc/mrtg/mrtg.cfg as long as to public@localhost. With this command we tell MRTG to create a configuration file with the name ‘mrtg.cfg’ for the traffic of our computer (localhost). Instead of localhost you may put the address of any computer you may monitor as long as it runs SNMP.

Next we create our default index page

# indexmaker –output=/var/www/html/mrtg/index.html /etc/mrtg/mrtg.cfg

3.2.1 Apache configuration

Next we have to configure apache for MRTG to work correctly. MRTG creates a file ‘mrtg.cfg’ under /etc/httpd/conf.d we contains all the necessary for Apache. We change it to contain the ips we want to have access to our MRTG graphs. Here I have added all my network.

Alias /mrtg /var/www/mrtg

Order deny,allow

Deny from all

Allow from 127.0.0.1 10.0.0.0/8

3.3 Check

We run the following command

In case you get an error like this
# mrtg /etc/mrtg/mrtg.cfg

ERROR: Mrtg will most likely not work properly when the environment

variable LANG is set to UTF-8. Please run mrtg in an environment

where this is not the case. Try the following command to start:

env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

you have to run the above command more than once till it runs without any error. This is normal.
# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

23-02-2007 17:28:53, Rateup WARNING: /usr/bin/rateup Can’t remove localhost_2.old updating log file

# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

#

Finally we open our browser and type

http://127.0.0.1/mrtg

ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.

First we will download and unzip mod_security.

wget http://www.modsecurity.org/download/mod … 9.4.tar.gz
tar -zxf modsecurity-apache_1.9.4.tar.gz

If you are using Apache 1.3.x you need to go into the apache1 directory as shown below. Cpanel and ensim both use apache 1.3.x

cd modsecurity-apache_1.9.4/apache1

If you are using Apache 2.x you need to go into the apache 2 directory as shown below. Plesk uses apache 2.x and may require the httpd-devel rpm to be installed to get mod_security working.

cd modsecurity_1.9.4/apache2

Next compile mod_security at a module. One of the lines below should work to compile it.

/etc/httpd/bin/apxs -cia mod_security.c

If you get a file not found install httpd-devel using up2date then try to compile it again. This will work fine on Plesk and the newer versions of Ensim that do not use “ensimized” httpd rpms. If you are running below Ensim 4.0 you should not continue unless you are certain of what you are doing.

up2date -i httpd-devel or yum install httpd-devel
/usr/sbin/apxs -cia mod_security.c

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

Now edit the httpd.conf , even though Ensim has multiple httpd.conf files you can put it in the primary config.

vi /etc/httpd/conf/httpd.conf

If you are running Apache 1.3.x – cPanel and Pre 4.0 Ensim
Scroll down below the following line:

AddModule mod_security.c

If you do not have the addmodule line find where the rest of them are located and put it right below the others.

If you are running Apache 2.x (Plesk and Ensim 4.0+)
Scroll down below the following line at which point you can continue on and paste the ruleset.
LoadModule security_module modules/mod_security.so

Now you are going to paste in this ruleset. Please feel free to modify it as you see fit. I think that it is a very non-agreesive ruleset that will work fine on just about any server. Please post any problems you have with it below!

—-Ruleset—-

# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature “Apache”

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. “On” will log everything,
# “DynamicOrRelevant” will log dynamic requests or violations,
# and “RelevantOnly” will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction “deny,log,status:403″
## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective “HTTP_USER_AGENT|HTTP_HOST” “^$”
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD “^POST$” chain
SecFilterSelective HTTP_Content-Length “^$”
# Don’t accept transfer encodings we know we don’t handle
# (and you don’t need it anyway)
SecFilterSelective HTTP_Transfer-Encoding “!^$”
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID “!^[0-9a-z]*$”
SecFilterSelective COOKIE_PHPSESSID “!^[0-9a-z]*$”
SecFilter “viewtopic\.php\?” chain
SecFilter “chr\(([0-9]{1,3})\)” “deny,log”
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST “wget ”
SecFilterSelective THE_REQUEST “lynx ”
SecFilterSelective THE_REQUEST “scp ”
SecFilterSelective THE_REQUEST “ftp ”
SecFilterSelective THE_REQUEST “cvs ”
SecFilterSelective THE_REQUEST “rcp ”
SecFilterSelective THE_REQUEST “curl ”
SecFilterSelective THE_REQUEST “telnet ”
SecFilterSelective THE_REQUEST “ssh ”
SecFilterSelective THE_REQUEST “echo ”
SecFilterSelective THE_REQUEST “links -dump ”
SecFilterSelective THE_REQUEST “links -dump-charset ”
SecFilterSelective THE_REQUEST “links -dump-width ”
SecFilterSelective THE_REQUEST “links http:// ”
SecFilterSelective THE_REQUEST “links ftp:// ”
SecFilterSelective THE_REQUEST “links -source ”
SecFilterSelective THE_REQUEST “mkdir ”
SecFilterSelective THE_REQUEST “cd /tmp ”
SecFilterSelective THE_REQUEST “cd /var/tmp ”
SecFilterSelective THE_REQUEST “cd /etc/httpd/proxy ”
SecFilterSelective THE_REQUEST “/config.php?v=1&DIR ”
SecFilterSelective THE_REQUEST “&highlight=%2527%252E ”
SecFilterSelective THE_REQUEST “changedir=%2Ftmp%2F.php ”
SecFilterSelective THE_REQUEST “arta\.zip ”
SecFilterSelective THE_REQUEST “cmd=cd\x20/var ”
SecFilterSelective THE_REQUEST “HCL_path=http ”
SecFilterSelective THE_REQUEST “clamav-partial ”
SecFilterSelective THE_REQUEST “vi\.recover ”
SecFilterSelective THE_REQUEST “netenberg ”
SecFilterSelective THE_REQUEST “psybnc ”
SecFilterSelective THE_REQUEST “fantastico_de_luxe ”

SecFilter “bcc:”
SecFilter “bcc\x3a”
SecFilter “cc:”
SecFilter “cc\x3a”
SecFilter “bcc:|Bcc:|BCC:” chain
SecFilter “[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}”
SecFilterSelective POST_PAYLOAD “Bcc:”
SecFilterSelective POST_PAYLOAD “Bcc:\x20″
SecFilterSelective POST_PAYLOAD “cc:”
SecFilterSelective POST_PAYLOAD “cc:\x20″
SecFilterSelective POST_PAYLOAD “bcc:”
SecFilterSelective POST_PAYLOAD “bcc:\x20″
SecFilterSelective POST_PAYLOAD “bcc: ”
SecFilterSelective THE_REQUEST “Bcc:”
SecFilterSelective THE_REQUEST “Bcc:\x20″
SecFilterSelective THE_REQUEST “cc:”
SecFilterSelective THE_REQUEST “cc:\x20″
SecFilterSelective THE_REQUEST “bcc:”
SecFilterSelective THE_REQUEST “bcc:\x20″
SecFilterSelective THE_REQUEST “bcc: ”
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST “/quick-reply\.php” chain
SecFilter “phpbb_root_path=”

—/Ruleset—

Now simply restart apache to enable mod_security.

service httpd restart

If sites start to have problems look at error log.
/etc/httpd/logs/audit_log
If you need or want to remove mod_security at any time simply comment out (put a # in front of) the AddModule mod_security.c line and restart apache. This will disable all of the rules and not allow it to load into apache.
Ok mod_security is all setup.