How to Build OpenVPN Server on CentOS 6.x

How to Install, Setup, Config OpenVPN on CentOS 6.4 – In this page I write full tutorial to guide you installing OpenVPN on CentOS 6.x server. I will try all the steps to be as clear as possible. Do not hesitate to ask if you have any question. Previously: How to install PPTP on CentOS 6.x (the easiest way).

What you need?

1. A VPS or Dedicated server running CentOS 6.x
2. Proper knowledge to use Putty, SSH and common Unix command
3. Only for VPS based-on OpenVZ virtualization (other skip this): please enable TUN/TAP options in your VPS control panel (e.g: SolusVM).

OpenVZ VPS users only:

How to Install OpenVPN to Build CentOS VPN server

Prerequisite

Step 0 – Login to your server via SSH. You better login as root.
Step 1 – Now issue this first command syntax:

1	yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

screenshot:

Step 2 – Now download LZO RPM and Configure RPMForge Repo. Use wget command:

1	wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

screenshot:

Step 3 – Now add correct repo for your server:
CentOS 6 32-bit (x86):

1	wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

CentOS 6 64-bit (x86_64):

1	wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

screenshot:

How to know which one is your server? Issue this command:

1

uname -a

If you see “x86_64 GNU/Linux” at the end of the output line means your server is 64-bit. Otherwise if you see “i686 i386 GNU/Linux” or “x86 GNU/Linux” means your machine is 32-bit.

Step 4 – Then build the rpm package using this command:

1 2 3

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm rpm -Uvh lzo-*.rpm rpm -Uvh rpmforge-release*

hit enter for each line above.

Installing OpenVPN

Step 5 – Issue the special yum command:

1	yum install openvpn -y

screenshot

Step 6 – Copy the easy-rsa folder to /etc/openvpn/, use this command:

1	cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Step 7 – Now edit it:

1	nano /etc/openvpn/easy-rsa/2.0/vars

Edit this line:

1	export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

replace it with:

1	export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

screenshot:

once done hit Control+O to save then Control+X to exit.
Step 8 – Create the certificate using these commands:

1 2 3 4 5

cd /etc/openvpn/easy-rsa/2.0 chmod 755 * source ./vars ./vars ./clean-all

hit enter for each line.

Step 9 – It’s time to build necessary CA file:

1	./build-ca

screenshot:

Hint
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Step 10 – Time to build Key Server:

1	./build-key-server server

screenshot:

Hint:
Almost the same with ./build.ca but check the changes and additional
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave them blank. The only 2 required are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”)
Step 11 – Now issue command below to build Diffie Hellman:

1	./build-dh

screenshot:

Step 12 – Create OpenVPN config file:

1	nano /etc/openvpn/server.conf

Step 13 – Now enter this value in that config file:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

port 1194 #- port proto udp #- protocol dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0 ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 comp-lzo persist-key persist-tun status 1194.log verb 3

Save it once done. (Control+O then Control+X)

Step 14 – Lets start OpenVPN service on your server for the very first time:

1	service openvpn start

pic:

Step 15 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and edit “net.ipv4.ip_forward” line to 1:

1	nano /etc/sysctl.conf

replace 0 with 1 in this line:

1	net.ipv4.ip_forward = 1

pic:

Hit Control+O to save then Control+X to exit nano.
Step 16 – Issue this command to load the change:

1

sysctl -p

Step 17 – Create new Linux username which can also be used to login to the VPN:

1	useradd username -s /bin/false

replace username with your own username.
Then also create its password:

1	passwd username

pic:

Step 18 – Now route some iptables.
Xen and KVM users use:

1	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

special for OpenVZ use these two instead:

1	iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

and

1	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Do not forget to replace 123.123.123.123 with your server IP. Pic:

Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:

1 2 3 4 5

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Step 20 – Now save that iptables rules:

1	service iptables save

Step 21 – Finally lets create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other simple text editor tool). Enter following in that file:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

client dev tun proto udp remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb 3

Then save it with .ovpn extension. Save that file in the config directory of where you installed OpenVPN client in your computer. See screenshot:

Step 22 – That’s it. Now you can copy ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server’s document root (public_html).

1	cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory

example:

1	cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/servermom.com/public_html

Now you can download the ca.crt file from your browser by going to domain.com/ca.crt then save it to the same folder as .ovpn file you created earlier.
That’s it. Now you can login to your VPN using username and password you’ve created. ENJOY..

Quickest Easiest Way To Install LNMP Stack on CentOS and Ubuntu

Install Nginx, PHP, MySQL on CentOS and Ubuntu Easier with Auto Installer script – In this page I will tell you how to build Linux, Nginx, MySQL, and PHP on either CentOS or Ubuntu in much easier quicker way with the help of Nginx Auto Installer script by Ruchira. Previously I also posted how to the same thing using Tuxlite, an auto installer script for Ubuntu to get either Apache or Nginx installed easily. What’s the differences? Tuxlite is able to install Apache or Nginx (your choice) along with PHPMyAdmin, Varnish Cache, and WordPress while this new one is Nginx-only auto installer along with PHPMyAdmin, Eaccelerator, PureFTPd, VsFTPd, PHP Suhousin Patch, Memcached and Zend Optimizer. You can use it on debian/ubuntu/centos 32bit or 64bit.

How to Use Nginx Auto Installer?

Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS or Ubuntu before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root.

You may also need to type this command to go to the root directory:

cd ~

Step 2 – Now download the NGINX Auto Installer package using the wget command:

wget -c http://www.ruchirablog.com/downloads/lnmp0.9-full.tar.gz

screenshot:

Step 3 – Now unpack that package with this command:

1	tar zxvf lnmp0.9-full.tar.gz

Step 4 – Then go to that  folder:

1	cd lnmp0.9-full

screenshot:

Step 5 – Finally, issue the magic command syntax to install the script:
For Ubuntu OS

1	sh ubuntu.sh

For CentOS:

1	sh centos.sh

For Debian:

1	sh debian.sh

In this guide I use CentOS 6.4 32-bit.
Step 6 – You’ll be asked some questions during install. Just answer them properly but make sure you know/remember with your answer (e.g: mysql root password, etc).

Upon hitting the last Enter key the installation process will begin. Just wait till it finishes.

Step 7 – Once done you’ll see this:

You can test it on your browser by typing domain name or ip address and you’ll see its test page:

F.A.Qs

LNMP files will be located on:
– mysql: /usr/local/mysql
– php: /usr/local/php
– nginx: /usr/local/nginx
– Site Directory: /home/wwwroot
– PHPMyAdmin will be located on http://yourip/phpmyadmin

Post Install

1 – How to install eAccelerator:

1	/eaccelerator.sh

2 – How to install IonCube:

1	/ionCube.sh

3 – How to install imageMagick:

1	/imageMagick.sh

4 – How to install MemCached:

1	/memcached.sh

5 – How to upgrade Nginx to latest version:

1	/upgrade_nginx.sh

6 – How to upgrade PHP to latest version:

1	/upgrade_php.sh

7 – How to add more domains (virtual hosts):

1	./vhost.sh

Enjoy..

How to Install Pure-FTPd On CentOS 6.4

This article teaches you how to install free ftp server Pure-FTPd on CentOS 6 and how to configure and use it so you can access your server via ftp connection using your favorite ftp client (e.g:FileZilla). The main reason why I post this article is because a friend of mine asked me why couldn’t he access his server using FileZilla. The answer is simple, that’s because he didn’t install any ftp server on his VPS. FileZilla is an ftp server installed in client computer while the VPS is not accessible via FTP without any FTP server installed. Yet, CentOS is not coming with FTP server installed by default and even if by any chance you found it installed, you still have to configure it.

What is Pure-FTPd?

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server. It doesn’t provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers.
Why Pure-FTPd?
Because it is actively supported, and it was always designed with security in mind, and the code is always re-audited as new kind of vulnerabilities are discussed.
Are there any other alternatives?
Yes there are. Try Pro-FTPd and vsftpd (how to install vsftpd).

How to Install Pure-FTPd on CentOS 6?

The guide is below. But first, read some prerequisites:

What You’ll Need?

1. A Linux server running CentOS 6. In this guide I use CentOS 6.4 x64 by DigitalOcean.
2. You better firstly setup LAMP or LNMP on it.
3. You’ll also need an FTP client like FileZilla installed on your computer. This is for testing purpose (and you’ll really need this once you build your site)
4. A skill to use SSH and basic Unix commands (I’m sure you have this already).
5. About 15 minutes of your time

A. Installing Pure-FTPd Software on CentOS Server

Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root.

You may also need to type this command to go to the root directory:

1

cd ~

Step 2 – Pure-FTPd is not available by default in CentOS and you have to grab it from another repository. You have to enable the RPMforge and EPEL repositories on our CentOS. So go ahead add the repo:

1	rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

then

1	rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

now..

1 2 3

cd /tmp wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

However If the above link doesn’t work anymore, you can find the current version of rpmforge-release here: http://packages.sw.be/rpmforge-release/.
This repo will also give you more benefit:

1	rpm --import https://fedoraproject.org/static/0608B895.txt

then

1 2	wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -ivh epel-release-6-8.noarch.rpm

next, update yum:

1	yum update

Each time yum asks you to confirm, simply type Y then hit Enter.
Step 3 – Now install Pure-FTPd via yum using this command:

1	yum install pure-ftpd

screenshot:

B. Configuring Pure-FTPd (post install)

Step 1 – Go to Pure-FTPd config folder:

1	cd /etc/pure-ftpd/

Step 2 – Next, edit the config file "pure-ftpd.conf": (in this example I use Nano editor).

1	nano -w pure-ftpd.conf

Step 3 – Once Nano editor appears with pure-ftpd.conf file ready for editing, now make adjustment to several lines as below:
3.1. Look for #UnixAuthentication and uncomment that line (remove the # symbol):

3.2. Then change No in VerboseLog to yes.

3.3. Uncomment the PureDB line:

3.4. Uncomment the CreateHomeDir line

Step 4 – Now create ftp user or aka virtual user used to login to your server. And the command syntax is:

1	pure-pw useradd ftpuser -u user -g group -d /var/www/domain.com/public_html

where:

1. ftpuser is username you can use it to login to your server via ftp.
2. user is a Unix user. If you didn’t created one yet, you can also use root.
3. group is a Unix group. If you didn’t created one yet, you can also use root.
4. /var/www/domain.com/public_html is default document root folder of your site. This is where the ftp user will have access to once logged in.

Obviously you have to change those parts to suite your own. In my example is:

1	pure-pw useradd servermom -u sawiyati -g sawiyati -d /var/www/servermom.com/public_html

Once hit Enter, you’ll then be asked to define new password for the user. Enter it twice for confirmation.
Step 5 – Finally, issue this command:

1	pure-pw mkdb

screenshot for step 4 and 5:

C. Using FTP to Access Your Server

Step 1 – Once you’ve done making some adjustments to pure-ftpd configuration, now you better firstly restart the ftp service:

1	service pure-ftpd restart

screenshot

Don’t panic if you see [FAILED] message in when the system tried to stop pure-ftpd. It happens because pure-ftpd service is not yet started. The point here is the [OK] message when starting.
Step 2 – Now open up your favorite ftp client like FileZilla then enter the detail:

• Host : Enter your server’s IP or hostname (if you’ve added A record to it in your DNS).
• Username : Use what you defined in step 4 section B above.
• Password : Use what you defined in step 5 section B above.
• Port : use Port 21

Once done hit the Connect button. screenshot:

Step 3 – You’ll finally see the “Status:Directory listing successful” message indicating you are now logged in.

That’s it. I’m sure you knew what you have to do from here. Enjoy..

Optional

Issue this command to make sure pure-ftpd service will be automatically started every time your server reboot:

1	chkconfig --levels 235 pure-ftpd on

Also, if you created other virtual users (and passwords) – see section B step 4 – make sure you issue this command:

1	pure-pw mkdb

You have to issue that command every time you add a virtual user.

How To Install IonCube Loader on CentOS 6

Tutorial (with pictures) how to install IonCube PHP Loader module on CentOS 6 with Apache and PHP5 installed. This module is basically PHP extension that handles the reading and execution of encoded files at run time. Shortly, you may see a script encoded with IonCube and as per its developer says, you must have IonCube Loader installed on your server. How to install it?

Prerequisites

A server (VPS or Dedicated) running CentOS, Apache and PHP. In this guide I use CentOS 6.4 x64 hosted by Digital Ocean.

How To Install

Method #1:

Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root. You may also need to type this command to go to the root directory:

1

cd ~

Step 2 – Go to your site’s public folder (root directory of your site) which in my case is /var/www/servermom.com/public_html

1	cd /path/to/www

example:

1	cd /var/www/servermom.com/public_html

Step 3 – Download IonCube Loader file using wget command:
For CentOS 32-bit use:

1	wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz

For CentOS x86_64 (64-bit):

1	wget http://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz

If the links are not working anymore, please check the latest download links at http://www.ioncube.com/loaders.php.

Step 3 – Extract the file. Issue this command:
For CentOS 32-bit use:

1	tar xvfz ioncube_loaders_lin_x86.tar.gz

For CentOS 64-bit use:

1	tar xvfz ioncube_loaders_lin_x86-64.tar.gz

Step 4 – Now launch your favorite web browser up (like Firefox, Chrome, etc) then access loader-wizard.php via your server’s ip or domain name:
http://xxx.xxx.xxx.xxx/ioncube/loader-wizard.php
or
http://www.domain.com/ioncube/loader-wizard.php

Step 5 – From there simply read the instruction and the wizard will tell you which Loader version is suitable for your PHP version. In this case you choose whether Dedicated / VPS or Local Install. Once the wizard tells you which Loader version you should use on your server. In my example is ioncube_loader_lin_5.3.so.
Note if you get a message saying:

Please note that the following problem currently exists with the ionCube Loader installation:
The necessary zend_extension line could not be found in the configuration.

In this case you have to firstly install Zend Optimizer.
Step 6 – Now copy the loader .so file to:
32-bit server: /usr/lib/php/modules
64-bit server: /usr/lib64/php/modules
example:

1	cp /var/www/servermom.com/public_html/ioncube/ioncube_loader_lin_5.3.so /usr/lib64/php/modules

screenshot

Step 7 – Now download the 20ioncube.ini file from the link in the bottom part of that page. Once downloaded, upload that file to /etc/php.d directory. You can use ftp or upload that file to another host then grab it via widget command. But in my case, I simply prefer to open that file using Notepad then copy it to Nano editor. This is my way:

1	nano /etc/php.d/20ioncube.ini

now open the downloaded file using Notepad, copy the content and paste it to nano editor.

paste it to Nano

Once done, hit Control+O to save then Control+X to exit.
Step 8 – Optional: Go to /etc/php.d/ directory and type ls to see all modules. Make sure 20ioncube.ini file appears first then ZendGuard.ini.
Step 9 – Restart Apache service:

1	service httpd restart

screenshot:
Step 10 – Go back to your browser where you open loader-wizard.php page. Scroll down to the bottom and click the link in “When the server software has restarted, click here to test the Loader.” line to re-test the configuration.
If you did everything correctly, you’ll see this message:

Loader Installed Successfully
The ionCube Loader version 4.4.1 for PHP 5.3 is installed and encoded files should run successfully.

That’s it. Enjoy.

Other Methods

Quicker methods (sorry I don’t try it yet so use with your own risks):

Method #2:

Step 1 – Issue the first command:

1	wget -q -O - http://www.atomicorp.com/installers/atomic |sh

Step 2 – Then lets install it via yum:

1	yum install php-ioncube-loader

Method #3:

Step 1 – Add new repository:

1	rpm -ivh rpmbuild/RPMS/x86_64/php-ioncube-loader-4.2.2-2.art.x86_64.rpm

Step 2 – Let’s build it:

1	rpmbuild -bb ~/rpmbuild/SPECS/php-ioncube-loader-art.spec

Step 3 –  Issue this next command:

1	rpm -ivh rpmbuild/RPMS/x86_64/php-ioncube-loader-4.2.2-2.art.x86_64.rpm

Final words: Honestly I prefer to use the first method which is so manual and traditional but it is safer.

How to Install ModSecurity with OWASP on Apache Server

Installing Mod_Security and OWASP on Apache CentOS server – This tutorial will show you (with pictures) how to install a web application firewall engine that provides very little protection on its own. This web app, mod_security is basically used to protect and monitor real time HTTP traffic and web applications from brute fore attacks and it also acts as intrusion detection and prevention system for web applications. In order to become useful, ModSecurity must be configured with rules which we can then use OWASP (Open Web Application Security Project) which is a Core Rules Set (CRS) for mod_security base configuration. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.

Prerequisites:

You can install mod_security in any server-compliant Linux distros like Ubuntu, Fedora, Debian and CentOS but this tutorial is done in a CentOS machine. You can simply adopt the command according to the Distro you are using. However, RHEL 6.2/6.1/6/5.8, CentOS 6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12 users can simply follow the exact steps.
Basically mod_security can be installed in most web servers like Nginx, Apache and even Microsoft IIS. But this tutorial will cover only on a server running Apache. So I assume you have already installed and configured your LAMP stack.

How to Install Mod_Security (using source code)

Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root. You may also need to type this command to go to the root directory:

1

cd ~

Step 2 – Next, you have to install some dependency packages for mod_security. Here’s the command you can try to issue:

1 2	yum install gcc make yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

p.s: if you see two lines of command like above means you have to hit Enter after each line for issuing the command.

Hit Y if asked to confirm.
Step 3 – Now download latest version of mod_security. To do that, you can always check it at ModSecurity official website (http://www.modsecurity.org/download/). In my case it is now version 2.7.4. Then issue this command:

1 2	cd /usr/src wget https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.4.tar.gz

screenshot:

Step 4 – Once downloaded, extract it using this command:

1	tar xzf modsecurity-apache_2.7.4.tar.gz

Of course you have to replace modsecurity-apache_2.7.4.tar.gz part with the latest version of ModSecurity you’ve downloaded.
Step 5 – Let’s install it. First, go to the newly extracted folder and configure it:

1 2	cd modsecurity-apache_2.7.4 ./configure

pic:

Next, install mod_security with simple make install command:

1	make install

The output will be a bit too long. Just wait till it done:

Step 6 – Once done, copy recommended configuration file:

1	cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Step 7 – Now load the module in your Apache configuration. You can use either Nano or vi editor to do that:

1	nano /etc/httpd/conf/httpd.conf

Step 8 – Once the editor appears, locate line LoadModule in your httpd.conf and add this below line at the bottom. If you are using Nano like me, hit Control+W to search.

1	LoadModule security2_module modules/mod_security2.so

pic:

In Nano, hit Control+O to save then Control+X to exit.
Do not restart Apache yet as we will also install OWSAP CRS to be integrated with Apache’s ModSecurity.

Alternate Method to Install Mod_Security

There is also another way you can follow to always install the latest version of ModSecurity module on your Apache server. Use these steps to replace step 3, 4 and 5 above:
Step 3 – Download Mod_Security from Github project page:

1 2	cd /usr/src git clone https://github.com/SpiderLabs/ModSecurity.git

Step 4 – Now issue these:

1 2 3

cd ModSecurity ./configure make install

form here you can simply follow steps 6 above.

How to Install OWASP CRS

Step 1 – Still in your favorite SSH client, now move to /etc/httpd directory:

1	cd /etc/httpd/

Step 2 – Next, lets grab OWASP CRS from SpiderLabs Github project page:

1	git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

pic:

Step 3 – A simple task, rename it to modsecurity-crs then go to that folder:

1 2	mv owasp-modsecurity-crs modsecurity-crs <span style="color: #7a0874; font-weight: bold;">cd</span> modsecurity-crs

Step 4 – Now create configuration file from included example:

1	cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

pic:

Step 5 – Finally, edit Apache configuration again:

1	nano /etc/httpd/conf/httpd.conf

then scroll down (go to the very bottom of the config page) and place this in the very bottom (after your virtual host file):

1 2 3 4

<IfModule security2_module>     Include modsecurity-crs/modsecurity_crs_10_config.conf     Include modsecurity-crs/base_rules/*.conf </IfModule>

Now save it and exit Nano editor. Pic:

Restart Apache

So now you’ve installed Mod_Security and OWASP-CRS, it’s time to restart Apache service so the module can be loaded along with its rules:

1	service httpd restart

p.s: This tutorial is done in CentOS 6.4 x86_64 server hosted by DigitalOcean.
That’s it. Enjoy some basic necessary protection on your Apache server as the Mod_Security + OWASP CRS give you these advantages:

• HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
• Real-time Blacklist Lookups – utilizes 3rd Party IP Reputation
• Web-based Malware Detection – identifies malicious web content by check against the Google Safe Browsing API.
• Identification of Application Defects – alerts on application misconfigurations.
• HTTP Denial of Service Protections – defense against HTTP Flooding and Slow HTTP DoS Attacks.
• Common Web Attacks Protection – detecting common web application security attack.
• Automation Detection – Detecting bots, crawlers, scanners and other surface malicious activity.
• Tracking Sensitive Data – Tracks Credit Card usage and blocks leakages.
• Trojan Protection – Detecting access to Trojans horses.
• Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
• Error Detection and Hiding – Disguising error messages sent by the server.

How to Install LAMP with PHP v5.5.0 and MySQL v5.5.32

How to setup and configure a CentOS LAMP server with PHP5 (v5.5.0) and MySQL v5.5.32 – I posted all basic and necessary tutorials to guide you how to properly setup a working server to host your website either using LAMP or LEMP/LNMP stack on CentOS. In this article, you’ll see similar guide but this time we’ll try to use latest version of PHP and MySQL within the LAMP stack. As usual, I use CentOS 6.4 x86_64 hosted by DigitalOcean but however the steps should be also similar if you are using any version of CentOS 6.

About PHP 5.5.0

PHP 5.5.x is the latest version currently (at the time I posted this article). There are a few incompatibilities and new features that should be considered. Its developers suggest users to firstly test their code before switching PHP versions in production environments. One thing that’s so good in PHP5.5.x is the new built-in Zend OPCache engine, that means you won’t have to use external opcode caches any more, it all comes out of the box. OPcache improves PHP performance by storing precompiled script “byte code” in shared memory, thereby removing the need for PHP to load and parse scripts on each request. Just similar to Varnish but different way it works.

Prerequisites

1. I assumed you already have either a VPS or Dedicated server running CentOS and you have access to it. In this tutorial I use CentOS 6.4.
2. I also assumed you knew already how to use Putty or Terminal to SSH-ing a server.
3. I believe you knew –at least part of– most common Unix commands used to manage an unmanaged server.

How to Install Apache and PHP 5.5.0

Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root. You may also need to type this command to go to the root directory:

1

cd ~

Step 2 – First thing first, we have to add additional repository, the one from Remi and Epel. The command for that:
for CentOS 6 x86_64:

1 2	rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

for CentOS 6 32-bit:

1 2	rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

screenshot:

Step 3 – Finally, use this one line of command to install Apache 2, PHP 5.5 and MySQL 5.5.32:

1	yum --enablerepo=remi,remi-test install httpd mysql mysql-server php php-common

screenshot:

Hit Y to confirm.
Step 4 – Additionally, you may also need to install several most common PHP modules (your app / script may need this):

1	yum --enablerepo=remi,remi-test install php-mysql php-pgsql php-pecl-mongo php-sqlite php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml php-pecl-apc php-cli php-pear php-pdo -y

screenshot:

ps: You can see the list of all available PHP modules using this command:

1	yum search php-

Step 5 – Now you can start Apache service for the very first time;

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# Start Apache service httpd start   # Start Apache (alternate command) /etc/init.d/httpd start   # Stop Apache service httpd stop   # Stop Apache (alternate command) /etc/init.d/httpd stop   # Restart Apache service httpd restart   # Restart Apache (alternate command) /etc/init.d/httpd restart

Step 6 – Also start MySQL database server for the very first time:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# Start MySQL service mysqld start   # Start MySQL(alternate command) /etc/init.d/mysqld start   # Stop MySQL service mysqld stop   # Stop MySQL(alternate command) /etc/init.d/mysqld stop   # Restart MySQL service mysqld restart   # Restart MySQL (alternate command) /etc/init.d/mysqld restart

Step 7 – Optionally, you can add Apache and MySQL service to system startup link so it will starts each time your server boot:

1 2	chkconfig --levels 235 httpd on chkconfig --levels 235 mysqld on

That’s it. What’s next? Obviously you can start adding your new website in your server. Read my previous guide about how to add new Apache virtual host for new website. Do not also forget to catch up all CentOS tutorial. Good day..