Tuesday, 22 September 2015

How to Build OpenVPN Server on CentOS 6.x




How to install, set up and configure OpenVPN on CentOS 6.4 – On this page I have written a full tutorial to guide you through installing OpenVPN on a CentOS 6.x server. I will try to make all the steps as clear as possible. Do not hesitate to ask if you have any questions. Previously: How to install PPTP on CentOS 6.x (the easiest way).

What you need?

  1. A VPS or dedicated server running CentOS 6.x
  2. Working knowledge of PuTTY, SSH and common Unix commands
  3. Only for VPSes based on OpenVZ virtualization (others skip this): please enable the TUN/TAP option in your VPS control panel (e.g. SolusVM).

How to Install OpenVPN to Build CentOS VPN server

Prerequisite

Step 0 – Log in to your server via SSH. It is best to log in as root.
Step 1 – Now issue this first command:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Step 2 – Now download the LZO source RPM and configure the RPMForge repo. Use the wget command:
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Step 3 – Now add the correct repo for your server:
CentOS 6 32-bit (x86):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
CentOS 6 64-bit (x86_64):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
How do you know which one your server is? Issue this command:
uname -a
If you see “x86_64 GNU/Linux” at the end of the output line, your server is 64-bit. If you see “i686 i386 GNU/Linux” or “x86 GNU/Linux” instead, your machine is 32-bit.
Step 4 – Then build the rpm package using these commands:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Hit Enter after each line above.

Installing OpenVPN

Step 5 – Issue this yum command:
yum install openvpn -y
Step 6 – Copy the easy-rsa folder to /etc/openvpn/, use this command:
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Step 7 – Now edit it:
nano /etc/openvpn/easy-rsa/2.0/vars
Edit this line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
replace it with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Once done, hit Control+O to save, then Control+X to exit.
Step 8 – Create the certificate using these commands:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Hit Enter after each line.
Step 9 – It’s time to build the necessary CA file:
./build-ca
Hint
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Step 10 – Time to build the server key:
./build-key-server server
Hint:
Almost the same as ./build-ca, but note the changes and additions:
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave them blank. The only two required answers are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”).
Step 11 – Now issue the command below to build the Diffie-Hellman parameters:
./build-dh
Step 12 – Create OpenVPN config file:
nano /etc/openvpn/server.conf
Step 13 – Now enter these values in that config file:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Save it once done. (Control+O then Control+X)
Step 14 – Let’s start the OpenVPN service on your server for the very first time:
service openvpn start
Step 15 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and set the “net.ipv4.ip_forward” line to 1:
nano /etc/sysctl.conf
replace 0 with 1 in this line:
net.ipv4.ip_forward = 1
Hit Control+O to save then Control+X to exit nano.
Step 16 – Issue this command to load the change:
sysctl -p
Step 17 – Create a new Linux user, which can also be used to log in to the VPN:
useradd username -s /bin/false
Replace username with your own username.
Then also create its password:
passwd username
Step 18 – Now add the iptables NAT rules.
Xen and KVM users use:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
OpenVZ users use these two instead:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
and
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Do not forget to replace 123.123.123.123 with your server IP.
Step 19 – Note: if you have CSF on the same server, you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Step 20 – Now save the iptables rules:
service iptables save
Step 21 – Finally, let’s create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other simple text editor). Enter the following in that file:
client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Then save it with the .ovpn extension. Save that file in the config directory of the OpenVPN client installed on your computer.
Step 22 – That’s it. Now you can copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server’s document root (public_html).
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory
example:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/servermom.com/public_html
Now you can download the ca.crt file from your browser by going to domain.com/ca.crt, then save it to the same folder as the .ovpn file you created earlier.
That’s it. Now you can log in to your VPN using the username and password you’ve created. ENJOY..
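The server.conf from Step 13 can be checked for the settings that most affect how strong the tunnel is. The script below is an added example, not part of the original tutorial: the function names, finding labels and the second (hardened) sample are constructed for illustration, and the DH size is inferred from the dhNNNN.pem file name that easy-rsa 2.0 writes.

```shell
#!/bin/sh
# Added example: report server.conf directives that weaken an OpenVPN server.
# Finding labels and function names are made up for this example.

# Print the arguments of the first uncommented occurrence of directive $1 in
# file $2. OpenVPN treats '#' and ';' as comment starters.
directive_args() {
    sed -e 's/[#;].*$//' "$2" |
        awk -v d="$1" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Succeed if directive $1 appears uncommented in file $2.
has_directive() {
    sed -e 's/[#;].*$//' "$2" |
        awk -v d="$1" '$1 == d { found = 1 } END { exit !found }'
}

# Print one finding per line for config file $1.
audit_openvpn_conf() {
    conf=$1
    dh_file=$(directive_args dh "$conf")
    # Assumption: easy-rsa 2.0 names the file dh<KEY_SIZE>.pem, so the size is
    # read from the file name rather than from the parameters themselves.
    dh_bits=$(printf '%s\n' "${dh_file##*/}" |
        sed -n 's/^dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$dh_bits" ] && [ "$dh_bits" -lt 2048 ]; then
        echo "WEAK_DH: ${dh_bits}-bit Diffie-Hellman parameters ($dh_file)"
    fi
    if has_directive client-cert-not-required "$conf"; then
        echo "PASSWORD_ONLY: no client certificate is required, the login password is the only credential"
    fi
    if [ "$(directive_args reneg-sec "$conf")" = "0" ]; then
        echo "NO_RENEG: reneg-sec 0 turns off periodic renegotiation of the data channel key"
    fi
}

# Number of findings for config file $1.
count_findings() {
    audit_openvpn_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: the security-relevant lines of the Step 13 server.conf.
write_tutorial_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/ovpn-audit.XXXXXX") || return 1
    cat > "$f" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
reneg-sec 0
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
EOF
    echo "$f"
}

# Constructed sample: same server with 2048-bit DH, client certificates kept
# in addition to the PAM login, and renegotiation left enabled.
write_hardened_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/ovpn-audit.XXXXXX") || return 1
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
# reneg-sec left at its default of 3600 seconds
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
EOF
    echo "$f"
}

# Stand-alone run: audit the tutorial's settings and print the findings.
sample_conf=$(write_tutorial_sample)
audit_openvpn_conf "$sample_conf"
rm -f "$sample_conf"
```

On a live server, point audit_openvpn_conf at /etc/openvpn/server.conf and confirm the real parameter size with openssl dhparam -in FILE -text -noout.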

Quickest Easiest Way To Install LNMP Stack on CentOS and Ubuntu

Install Nginx, PHP and MySQL on CentOS and Ubuntu more easily with an auto installer script – On this page I will show you how to build Linux, Nginx, MySQL and PHP on either CentOS or Ubuntu in a much easier and quicker way with the help of the Nginx Auto Installer script by Ruchira. Previously I also posted how to do the same thing using Tuxlite, an auto installer script for Ubuntu that gets either Apache or Nginx installed easily. What are the differences? Tuxlite is able to install Apache or Nginx (your choice) along with PHPMyAdmin, Varnish Cache and WordPress, while this new one is an Nginx-only auto installer along with PHPMyAdmin, eAccelerator, PureFTPd, VsFTPd, the PHP Suhosin patch, Memcached and Zend Optimizer. You can use it on Debian, Ubuntu or CentOS, 32-bit or 64-bit.

How to Use Nginx Auto Installer?

Step 1 – Log in to your server and follow my previous guide about basic setup for CentOS or Ubuntu before you build a live web server. You may or may not follow that tutorial, but if you do, it will give your server some basic security tweaks.
Before you proceed to the next steps, note that all commands in this tutorial are written without the “sudo” prefix. If you disabled root login and are logged in as another user with root privileges, you can add the “sudo” prefix yourself. Alternatively you can simply type su, hit Enter and type in your password twice to switch to root.
You may also need to type this command to go to your home directory:
cd ~
Step 2 – Now download the NGINX Auto Installer package using the wget command:
wget -c http://www.ruchirablog.com/downloads/lnmp0.9-full.tar.gz
Step 3 – Now unpack that package with this command:
tar zxvf lnmp0.9-full.tar.gz
Step 4 – Then go to that folder:
cd lnmp0.9-full
Step 5 – Finally, run the install script for your OS:
For Ubuntu:
sh ubuntu.sh
For CentOS:
sh centos.sh
For Debian:
sh debian.sh
In this guide I use CentOS 6.4 32-bit.
Step 6 – You’ll be asked some questions during the install. Answer them properly and make sure you remember your answers (e.g. the MySQL root password).
Upon hitting the last Enter key the installation process will begin. Just wait till it finishes.
Step 7 – Once it is done, you can test it in your browser by typing your domain name or IP address, and you’ll see its test page.

F.A.Qs

LNMP files will be located in:
– mysql: /usr/local/mysql
– php: /usr/local/php
– nginx: /usr/local/nginx
– Site Directory: /home/wwwroot
– PHPMyAdmin will be available at http://yourip/phpmyadmin

Post Install

1. How to install eAccelerator:
./eaccelerator.sh
2. How to install IonCube:
./ionCube.sh
3. How to install imageMagick:
./imageMagick.sh
4. How to install MemCached:
./memcached.sh
5. How to upgrade Nginx to the latest version:
./upgrade_nginx.sh
6. How to upgrade PHP to the latest version:
./upgrade_php.sh
7. How to add more domains (virtual hosts):
./vhost.sh
Enjoy..

How to Install Pure-FTPd On CentOS 6.4

This article teaches you how to install the free FTP server Pure-FTPd on CentOS 6 and how to configure and use it, so you can access your server over an FTP connection using your favorite FTP client (e.g. FileZilla). The main reason I am posting this article is that a friend of mine asked me why he couldn’t access his server using FileZilla. The answer is simple: he hadn’t installed any FTP server on his VPS. FileZilla is an FTP client installed on the client computer, and the VPS is not accessible via FTP without an FTP server installed. CentOS does not come with an FTP server installed by default, and even if by any chance you find one installed, you still have to configure it.

What is Pure-FTPd?

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server. It doesn’t provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers.
Why Pure-FTPd?
Because it is actively supported, it was always designed with security in mind, and the code is always re-audited as new kinds of vulnerabilities are discussed.
Are there any other alternatives?
Yes, there are. Try ProFTPD and vsftpd (how to install vsftpd).

How to Install Pure-FTPd on CentOS 6?

The guide is below. But first, read some prerequisites:

What You’ll Need?

  1. A Linux server running CentOS 6. In this guide I use CentOS 6.4 x64 by DigitalOcean.
  2. You should first set up LAMP or LNMP on it.
  3. You’ll also need an FTP client like FileZilla installed on your computer. This is for testing purposes (and you’ll really need it once you build your site).
  4. The skill to use SSH and basic Unix commands (I’m sure you have this already).
  5. About 15 minutes of your time

A. Installing Pure-FTPd Software on CentOS Server

Step 1 – Log in to your server and follow my previous guide about basic setup for CentOS before you build a live web server. You may or may not follow that tutorial, but if you do, it will give your server some basic security tweaks.
Before you proceed to the next steps, note that all commands in this tutorial are written without the “sudo” prefix. If you disabled root login and are logged in as another user with root privileges, you can add the “sudo” prefix yourself. Alternatively you can simply type su, hit Enter and type in your password twice to switch to root.

You may also need to type this command to go to your home directory:
cd ~
Step 2 – Pure-FTPd is not available by default in CentOS and you have to grab it from another repository. You have to enable the RPMforge and EPEL repositories on your CentOS. So go ahead and add the repo:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
then
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
now..
cd /tmp
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
If the above link doesn’t work anymore, you can find the current version of rpmforge-release here: http://packages.sw.be/rpmforge-release/.
The EPEL repo will also give you more benefit:
rpm --import https://fedoraproject.org/static/0608B895.txt
then
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
Next, update yum:
yum update
Each time yum asks you to confirm, simply type Y then hit Enter.
Step 3 – Now install Pure-FTPd via yum using this command:
yum install pure-ftpd

B. Configuring Pure-FTPd (post install)

Step 1 – Go to the Pure-FTPd config folder:
cd /etc/pure-ftpd/
Step 2 – Next, edit the config file "pure-ftpd.conf" (in this example I use the Nano editor):
nano -w pure-ftpd.conf
Step 3 – Once the Nano editor appears with the pure-ftpd.conf file ready for editing, adjust several lines as below:
3.1. Look for #UnixAuthentication and uncomment that line (remove the # symbol).
3.2. Then change No in VerboseLog to yes.
3.3. Uncomment the PureDB line.
3.4. Uncomment the CreateHomeDir line.
Step 4 – Now create the FTP user, also known as a virtual user, used to log in to your server. The command syntax is:
pure-pw useradd ftpuser -u user -g group -d /var/www/domain.com/public_html
where:
  1. ftpuser is the username you use to log in to your server via FTP.
  2. user is a Unix user. If you haven’t created one yet, you can also use root.
  3. group is a Unix group. If you haven’t created one yet, you can also use root.
  4. /var/www/domain.com/public_html is the default document root folder of your site. This is where the FTP user will have access once logged in.
Obviously you have to change those parts to suit your own setup. My example is:
pure-pw useradd servermom -u sawiyati -g sawiyati -d /var/www/servermom.com/public_html
Once you hit Enter, you’ll be asked to define a new password for the user. Enter it twice for confirmation.
Step 5 – Finally, issue this command:
pure-pw mkdb

C. Using FTP to Access Your Server

Step 1 – Once you’ve finished adjusting the pure-ftpd configuration, first restart the FTP service:
service pure-ftpd restart
Don’t panic if you see a [FAILED] message when the system tries to stop pure-ftpd. It happens because the pure-ftpd service has not been started yet. What matters here is the [OK] message when starting.
Step 2 – Now open your favorite FTP client, such as FileZilla, then enter the details:
  • Host : Enter your server’s IP or hostname (if you’ve added an A record for it in your DNS).
  • Username : Use what you defined in step 4 section B above.
  • Password : Use what you defined in step 5 section B above.
  • Port : use Port 21
Once done, hit the Connect button.
Step 3 – You’ll finally see the “Status: Directory listing successful” message indicating you are now logged in.
That’s it. I’m sure you know what to do from here. Enjoy..

Optional

Issue this command to make sure the pure-ftpd service is started automatically every time your server reboots:
chkconfig --levels 235 pure-ftpd on
Also, if you create other virtual users (and passwords) – see section B step 4 – make sure you issue this command:
pure-pw mkdb
You have to issue that command every time you add a virtual user.

How To Install IonCube Loader on CentOS 6

A tutorial (with pictures) on how to install the IonCube PHP Loader module on CentOS 6 with Apache and PHP5 installed. This module is a PHP extension that handles the reading and execution of encoded files at run time. In short, you may come across a script encoded with IonCube and, as its developer says, you must have the IonCube Loader installed on your server to run it. How do you install it?

Prerequisites

A server (VPS or Dedicated) running CentOS, Apache and PHP. In this guide I use CentOS 6.4 x64 hosted by Digital Ocean.

How To Install

Method #1:

Step 1 – Log in to your server and follow my previous guide about basic setup for CentOS before you build a live web server. You may or may not follow that tutorial, but if you do, it will give your server some basic security tweaks.
Before you proceed to the next steps, note that all commands in this tutorial are written without the “sudo” prefix. If you disabled root login and are logged in as another user with root privileges, you can add the “sudo” prefix yourself. Alternatively you can simply type su, hit Enter and type in your password twice to switch to root. You may also need to type this command to go to your home directory:
cd ~

Step 2 – Go to your site’s public folder (the root directory of your site), which in my case is /var/www/servermom.com/public_html:
cd /path/to/www
example:
cd /var/www/servermom.com/public_html
Step 3 – Download the IonCube Loader file using the wget command:
For CentOS 32-bit use:
wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
For CentOS x86_64 (64-bit):
wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
If the links are not working anymore, please check the latest download links at http://www.ioncube.com/loaders.php.
Step 3 – Extract the file. Issue this command:
For CentOS 32-bit use:
tar xvfz ioncube_loaders_lin_x86.tar.gz
For CentOS 64-bit use:
tar xvfz ioncube_loaders_lin_x86-64.tar.gz
Step 4 – Now launch your favorite web browser (Firefox, Chrome, etc.) and access loader-wizard.php via your server’s IP or domain name:
http://xxx.xxx.xxx.xxx/ioncube/loader-wizard.php
or
http://www.domain.com/ioncube/loader-wizard.php
Step 5 – From there, simply read the instructions and the wizard will tell you which Loader version is suitable for your PHP version. Here you choose either Dedicated / VPS or Local Install. The wizard then tells you which Loader version you should use on your server; in my example it is ioncube_loader_lin_5.3.so.
Note: you may get a message saying:
Please note that the following problem currently exists with the ionCube Loader installation:
The necessary zend_extension line could not be found in the configuration.
In this case you first have to install Zend Optimizer.
Step 6 – Now copy the loader .so file to:
32-bit server: /usr/lib/php/modules
64-bit server: /usr/lib64/php/modules
example:
cp /var/www/servermom.com/public_html/ioncube/ioncube_loader_lin_5.3.so /usr/lib64/php/modules
Step 7 – Now download the 20ioncube.ini file from the link in the bottom part of that page. Once downloaded, upload that file to the /etc/php.d directory. You can use FTP, or upload the file to another host and then grab it with the wget command. In my case, I simply prefer to open the file in Notepad and copy its content into the Nano editor. This is my way:
nano /etc/php.d/20ioncube.ini
Now open the downloaded file using Notepad, copy the content and paste it into the Nano editor.
Once done, hit Control+O to save then Control+X to exit.
Step 8 – Optional: Go to the /etc/php.d/ directory and type ls to see all modules. Make sure the 20ioncube.ini file appears first, then ZendGuard.ini.
Step 9 – Restart the Apache service:
service httpd restart
Step 10 – Go back to the browser tab where you opened the loader-wizard.php page. Scroll down to the bottom and click the link in the “When the server software has restarted, click here to test the Loader.” line to re-test the configuration.
If you did everything correctly, you’ll see this message:
Loader Installed Successfully
The ionCube Loader version 4.4.1 for PHP 5.3 is installed and encoded files should run successfully.
That’s it. Enjoy.

Other Methods

Quicker methods (sorry, I haven’t tried them yet, so use at your own risk):

Method #2:

Step 1 – Issue the first command:
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Step 2 – Then let’s install it via yum:
yum install php-ioncube-loader

Method #3:

Step 1 – Add new repository:
rpm -ivh rpmbuild/RPMS/x86_64/php-ioncube-loader-4.2.2-2.art.x86_64.rpm
Step 2 – Let’s build it:
rpmbuild -bb ~/rpmbuild/SPECS/php-ioncube-loader-art.spec
Step 3 – Issue this next command:
rpm -ivh rpmbuild/RPMS/x86_64/php-ioncube-loader-4.2.2-2.art.x86_64.rpm
Final words: Honestly, I prefer the first method, which is manual and traditional, but it is safer.

How to Install ModSecurity with OWASP on Apache Server

Installing Mod_Security and OWASP on an Apache CentOS server – This tutorial will show you (with pictures) how to install ModSecurity, a web application firewall engine that provides very little protection on its own. The mod_security module is used to monitor and protect real-time HTTP traffic and web applications from brute force attacks, and it also acts as an intrusion detection and prevention system for web applications. In order to become useful, ModSecurity must be configured with rules, for which we can use the OWASP (Open Web Application Security Project) Core Rule Set (CRS) as the base configuration for mod_security. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity.

Prerequisites:

You can install mod_security on any server-grade Linux distro such as Ubuntu, Fedora, Debian and CentOS, but this tutorial is done on a CentOS machine. You can simply adapt the commands to the distro you are using. RHEL 6.2/6.1/6/5.8, CentOS 6.2/6.1/6/5.8 and Fedora 17, 16, 15, 14, 13 and 12 users can simply follow the exact steps.
mod_security can be installed on most web servers, such as Nginx, Apache and even Microsoft IIS, but this tutorial only covers a server running Apache. So I assume you have already installed and configured your LAMP stack.

How to Install Mod_Security (using source code)

Step 1 – Log in to your server and follow my previous guide about basic setup for CentOS before you build a live web server. You may or may not follow that tutorial, but if you do, it will give your server some basic security tweaks.
Before you proceed to the next steps, note that all commands in this tutorial are written without the “sudo” prefix. If you disabled root login and are logged in as another user with root privileges, you can add the “sudo” prefix yourself. Alternatively you can simply type su, hit Enter and type in your password twice to switch to root. You may also need to type this command to go to your home directory:
cd ~

Step 2 – Next, you have to install some dependency packages for mod_security. Here are the commands to issue:
yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel
p.s.: if you see two lines of commands like above, hit Enter after each line to issue it.
Hit Y if asked to confirm.
Step 3 – Now download the latest version of mod_security. You can always check for it at the ModSecurity official website (http://www.modsecurity.org/download/). In my case it is version 2.7.4. Then issue these commands:
cd /usr/src
wget https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.4.tar.gz
Step 4 – Once downloaded, extract it using this command:
tar xzf modsecurity-apache_2.7.4.tar.gz
Of course you have to replace the modsecurity-apache_2.7.4.tar.gz part with the file name of the ModSecurity version you’ve downloaded.
Step 5 – Let’s install it. First, go to the newly extracted folder and configure it:
cd modsecurity-apache_2.7.4
./configure
Next, install mod_security with a simple make install command:
make install
The output will be rather long. Just wait till it is done.
Step 6 – Once done, copy recommended configuration file:
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
Step 7 – Now load the module in your Apache configuration. You can use either Nano or vi editor to do that:
nano /etc/httpd/conf/httpd.conf
Step 8 – Once the editor appears, locate the LoadModule lines in your httpd.conf and add the line below at the bottom. If you are using Nano like me, hit Control+W to search.
LoadModule security2_module modules/mod_security2.so
In Nano, hit Control+O to save then Control+X to exit.
Do not restart Apache yet, as we will also install the OWASP CRS to be integrated with Apache’s ModSecurity.

Alternate Method to Install Mod_Security

There is also another way to always install the latest version of the ModSecurity module on your Apache server. Use these steps to replace steps 3, 4 and 5 above:
Step 3 – Download Mod_Security from its GitHub project page:
cd /usr/src
git clone https://github.com/SpiderLabs/ModSecurity.git
Step 4 – Now issue these:
cd ModSecurity
./configure
make install
From here you can simply follow step 6 above.

How to Install OWASP CRS

Step 1 – Still in your favorite SSH client, now move to the /etc/httpd directory:
cd /etc/httpd/
Step 2 – Next, let’s grab the OWASP CRS from the SpiderLabs GitHub project page:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Step 3 – A simple task: rename it to modsecurity-crs, then go to that folder:
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
Step 4 – Now create the configuration file from the included example:
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Step 5 – Finally, edit the Apache configuration again:
nano /etc/httpd/conf/httpd.conf
then scroll down to the very bottom of the config file and place this there (after your virtual host entries):
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
Now save it and exit the Nano editor.

Restart Apache

Now that you’ve installed Mod_Security and the OWASP CRS, it’s time to restart the Apache service so the module can be loaded along with its rules:
service httpd restart
p.s.: This tutorial was done on a CentOS 6.4 x86_64 server hosted by DigitalOcean.
That’s it. Enjoy some basic, necessary protection on your Apache server, as Mod_Security + OWASP CRS give you these advantages:
  • HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
  • Real-time Blacklist Lookups – utilizes 3rd Party IP Reputation
  • Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API.
  • Identification of Application Defects – alerts on application misconfigurations.
  • HTTP Denial of Service Protections – defense against HTTP Flooding and Slow HTTP DoS Attacks.
  • Common Web Attacks Protection – detecting common web application security attacks.
  • Automation Detection – Detecting bots, crawlers, scanners and other surface malicious activity.
  • Tracking Sensitive Data – Tracks Credit Card usage and blocks leakages.
  • Trojan Protection – Detecting access to Trojan horses.
  • Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
  • Error Detection and Hiding – Disguising error messages sent by the server.
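One way to check what the setup above will do after the restart, as an added example that is not part of the original tutorial or the ModSecurity project: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, so the rules log but do not block until it is set to On. The function names, the sample tree and its rule file names are constructed, and the order in which config files are passed to modsec_engine_mode is an assumption about the order Apache reads them.

```shell
#!/bin/sh
# Added example: report the rule engine mode and the CRS files that the
# Include lines from the tutorial resolve to.

# Print the SecRuleEngine value that wins when the given config files are read
# in order (On, Off or DetectionOnly); prints "unset" if none of them sets it.
modsec_engine_mode() {
    mode=unset
    for conf_file in "$@"; do
        [ -r "$conf_file" ] || continue
        value=$(awk 'tolower($1) == "secruleengine" { v = $2 } END { print v }' "$conf_file")
        if [ -n "$value" ]; then mode=$value; fi
    done
    echo "$mode"
}

# List the files that the CRS Include lines in httpd.conf ($2) resolve to.
# Relative Include paths are resolved against ServerRoot ($1), as Apache does.
crs_included_files() {
    server_root=$1
    awk 'tolower($1) == "include" && $2 ~ /modsecurity-crs\// { print $2 }' "$2" |
    while read -r pattern; do
        case $pattern in
            /*) ;;
            *) pattern=$server_root/$pattern ;;
        esac
        # Unquoted on purpose so the shell expands *.conf (paths without spaces).
        for path in $pattern; do
            if [ -f "$path" ]; then echo "$path"; fi
        done
    done
}

# One-line summary for the ServerRoot given as $1.
modsec_report() {
    root=$1
    engine=$(modsec_engine_mode "$root/conf.d/modsecurity.conf" \
        "$root/modsecurity-crs/modsecurity_crs_10_config.conf")
    files=$(crs_included_files "$root" "$root/conf/httpd.conf" | awk 'END { print NR }')
    case $engine in
        [Oo][Nn]) blocking=yes ;;
        *) blocking=no ;;
    esac
    echo "engine=$engine crs_files=$files blocking=$blocking"
}

# Constructed sample tree standing in for /etc/httpd after the steps above.
make_sample_root() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/modsec-check.XXXXXX") || return 1
    mkdir -p "$root/conf" "$root/conf.d" "$root/modsecurity-crs/base_rules"
    printf '%s\n' '# -- Rule engine initialization --' 'SecRuleEngine DetectionOnly' \
        > "$root/conf.d/modsecurity.conf"
    : > "$root/modsecurity-crs/modsecurity_crs_10_config.conf"
    : > "$root/modsecurity-crs/base_rules/sample_rules_a.conf"   # constructed name
    : > "$root/modsecurity-crs/base_rules/sample_rules_b.conf"   # constructed name
    cat > "$root/conf/httpd.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
Include conf.d/*.conf
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
EOF
    echo "$root"
}

# Stand-alone run against the constructed tree.
sample_root=$(make_sample_root)
modsec_report "$sample_root"
rm -rf "$sample_root"
```

On a real server call modsec_report /etc/httpd; a crs_files count of 0 means the Include paths do not resolve from ServerRoot and no CRS rules are being loaded.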

How to Install LAMP with PHP v5.5.0 and MySQL v5.5.32

How to set up and configure a CentOS LAMP server with PHP5 (v5.5.0) and MySQL v5.5.32 – I have posted all the basic and necessary tutorials to guide you in properly setting up a working server to host your website using either the LAMP or the LEMP/LNMP stack on CentOS. In this article you’ll see a similar guide, but this time we’ll use the latest versions of PHP and MySQL within the LAMP stack. As usual, I use CentOS 6.4 x86_64 hosted by DigitalOcean, but the steps should be similar on any version of CentOS 6.

About PHP 5.5.0

PHP 5.5.x is the latest version currently (at the time I posted this article). There are a few incompatibilities and new features that should be considered. Its developers suggest that users first test their code before switching PHP versions in production environments. One very good thing in PHP 5.5.x is the new built-in Zend OPcache engine, which means you won’t have to use external opcode caches any more; it all comes out of the box. OPcache improves PHP performance by storing precompiled script “byte code” in shared memory, thereby removing the need for PHP to load and parse scripts on each request. It is similar to Varnish in purpose, but works in a different way.

Prerequisites

  1. I assume you already have either a VPS or a dedicated server running CentOS and you have access to it. In this tutorial I use CentOS 6.4.
  2. I also assume you already know how to use PuTTY or Terminal to SSH into a server.
  3. I believe you know –at least in part– the most common Unix commands used to manage an unmanaged server.

How to Install Apache and PHP 5.5.0

Step 1 – Log in to your server and follow my previous guide about basic setup for CentOS before you build a live web server. You may or may not follow that tutorial, but if you do, it will give your server some basic security tweaks.
Before you proceed to the next steps, note that all commands in this tutorial are written without the “sudo” prefix. If you disabled root login and are logged in as another user with root privileges, you can add the “sudo” prefix yourself. Alternatively you can simply type su, hit Enter and type in your password twice to switch to root. You may also need to type this command to go to your home directory:
cd ~

Step 2 – First things first: we have to add additional repositories, the ones from Remi and EPEL. The commands for that:
for CentOS 6 x86_64:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
for CentOS 6 32-bit:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
Step 3 – Finally, use this one-line command to install Apache 2, PHP 5.5 and MySQL 5.5.32:
yum --enablerepo=remi,remi-test install httpd mysql mysql-server php php-common
Hit Y to confirm.
Step 4 – Additionally, you may also need to install several of the most common PHP modules (your app or script may need them):
yum --enablerepo=remi,remi-test install php-mysql php-pgsql php-pecl-mongo php-sqlite php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml php-pecl-apc php-cli php-pear php-pdo -y
p.s.: You can see the list of all available PHP modules using this command:
yum search php-
Step 5 – Now you can start the Apache service for the very first time:
# Start Apache
service httpd start
 
# Start Apache (alternate command)
/etc/init.d/httpd start
 
# Stop Apache
service httpd stop
 
# Stop Apache (alternate command)
/etc/init.d/httpd stop
 
# Restart Apache
service httpd restart
 
# Restart Apache (alternate command)
/etc/init.d/httpd restart
Step 6 – Also start the MySQL database server for the very first time:
# Start MySQL
service mysqld start
 
# Start MySQL(alternate command)
/etc/init.d/mysqld start
 
# Stop MySQL
service mysqld stop
 
# Stop MySQL(alternate command)
/etc/init.d/mysqld stop
 
# Restart MySQL
service mysqld restart
 
# Restart MySQL (alternate command)
/etc/init.d/mysqld restart
Step 7 – Optionally, you can add the Apache and MySQL services to system startup so they start each time your server boots:
chkconfig --levels 235 httpd on
chkconfig --levels 235 mysqld on
That’s it. What’s next? Obviously you can start adding your new website to your server. Read my previous guide about how to add a new Apache virtual host for a new website. Also, do not forget to catch up on all the CentOS tutorials. Good day..