May 2019
M T W T F S S
« Apr    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Categories

WordPress Quotes

Old friends pass away, new friends appear. It is just like the days. An old day passes, a new day arrives. The important thing is to make it meaningful: a meaningful friend - or a meaningful day.
Dalai Lama
May 2019
M T W T F S S
« Apr    
 12345
6789101112
13141516171819
20212223242526
2728293031  

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (34)
Ansibile (19)
Apache (133)
Asterisk (2)
cassandra (2)
Centos (209)
Centos RHEL 7 (264)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (30)
Eassy (11)
ELKS (1)
EXCHANGE (3)
Fedora (6)
ftp (5)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
horoscope (23)
Hyper-V (10)
IIS (15)
IPTABLES (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (3)
Ldap (5)
Linux (188)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (32)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (34)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (61)
Uncategorized (29)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

31 visitors online now
6 guests, 25 bots, 0 members

Hit Counter provided by dental implants orange county

Apache Performance Tuning

Apache Performance Tuning

Forewarning:

“Premature optimization is the root of all evil.” — Donald Knuth.

Select MPM
Chose the right MPM for the right job:
prefork [default MPM for Apache 2.0 and 1.3]:
• Apache 1.3-based.
• Multiple processes, 1 thread per process, processes handle requests.
• Used for security and stability.
• Has higher memory consumption and lower performance over the newer Apache 2.0-based threaded MPMs.
worker:
• Apache 2.0-based.
• Multiple processes, many threads per process, threads handle requests.
• Used for lower memory consumption and higher performance.
• Does not provide the same level of isolation request-to-request, as a process-based MPM does.
winnt:
• The only MPM choice under Windows.
• 1 parent process, exactly 1 child process with many threads, threads handle requests.
• Best solution under Windows, as on this platform, threads are always “cheaper” to use over processes.
Configure MPM
Core Features and Multi-Processing Modules
Default Configuration

StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 150
MaxRequestsPerChild 1000


StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0


ThreadsPerChild 250
MaxRequestsPerChild 0

Directives

MaxClients, for prefork MPM

MaxClients sets a limit on the number of simultaneous connections/requests that will be served.

I consider this directive to be the critical factor to a well functioning server. Set this number too low and resources will go to waste. Set this number too high and an influx of connections will bring the server to a stand still. Set this number just right and your server will fully utilize the available resources.

An approximation of this number should be derived by dividing the amount of system memory (physical RAM) available by the maximum size of an apache/httpd process; with a generous amount spared for all other processes.

MaxClients ? (RAM – size_all_other_processes)/(size_apache_process)

Use ‘ps -ylC httpd –sort:rss’ to find process size. Divide number by 1024 to get megabytes. Also try ‘top’.
Use ‘free -m’ for a general overview. The key figure to look at is the buffers/cache used value.

Use ‘vmstat 2 5’ to display the number of runnable, blocked, and waiting processes; and swap in and swap out.
Example:
• System: VPS (Virtual Private Server), CentOS 4.4, with 128MB RAM
• Apache: v2.0, mpm_prefork, mod_php, mod_rewrite, mod_ssl, and other modules
• Other Services: MySQL, Bind, SendMail
• Reported System Memory: 120MB
• Reported httpd process size: 7-13MB
• Assumed memory available to Apache: 90MB
Optimal settings:
• StartServers 5
• MinSpareServers 5
• MaxSpareServers 10
• ServerLimit 15
• MaxClients 15
• MaxRequestsPerChild 2000

With the above configuration, we start with 5-10 processes and set a top limit of 15. Anything above this number will cause serious swapping and thrashing under a load; due to the low amount of RAM available to the [virtual] Server. With a dedicated Server, the default values [ServerLimit 256] will work with 1-2GB of RAM.

When calculating MaxClients, take into consideration that the reported size of a process and the effective size are two different values. In this setup, it might be safe to use 20 or more workers… Play with different values and check your system stats.

Note that when more connections are attempted than there are workers, the connections are placed into a queue. The default queue size value is 511 and can be adjusted with the ListenBackLog directive.
ThreadsPerChild, for winnt MPM
On the Windows side, the only useful directive is ThreadsPerChild, which is usually set to a value of 250 [defaults to 64 without a value]. If you expect more, or less, concurrent connections/requests, set this directive appropriately. Check process size with Task Manager, under different values and server load.
MaxRequestsPerChild
Directive MaxRequestsPerChild is used to recycle processes. When this directive is set to 0, an unlimited amount of requests are allowed per process.
While some might argue that this increases server performance by not burdening Apache with having to destroy and create new processes, there is the other side to the argument…
Setting this value to the amount of requests that a website generates per day, divided by the number of processes, will have the benefit of keeping memory leaks and process bloat to a minimum [both of which are a common problem]. The goal here is to recycle each process once per day, as apache threads gradually increase their memory allocation as they run.
Note that under the winnt MPM model, recycling the only request serving process that Apache contains, can present a problem for some sites with constant and heavy traffic.
Requests vs. Client Connections
On any given connection, to load a page, a client may request many URLs: page, site css files, javascript files, image files, etc.
Multiple requests from one client in rapid succession can have the same effect on a Server as “concurrent” connections [threaded MPMs and directive KeepAlive taken into consideration]. If a particular website requires 10 requests per page, 10 concurrent clients will require MPM settings that are geared more towards 20-70 clients. This issue manifests itself most under a process-based MPM [prefork].

Separate Static and Dynamic Content

Use separate servers for static and dynamic content. Apache processes serving dynamic content will carry overhead and swell to the size of the content being served, never decreasing in size. Each process will incur the size of any loaded PHP or Perl libraries. A 6MB-30MB process size [or 10% of server’s memory] is not unusual, and becomes a waist of resources for serving static content.
For a more efficient use of system memory, either use mod_proxy to pass specific requests onto another Apache Server, or use a lightweight server to handle static requests:
• lighttpd [has experimental win32 builds]
• tux [patched into RedHat, runs inside the Linux kernel and is at the top of the charts in performance]
The Server handling the static content goes up front.
Note that configuration settings will be quite different between a dynamic content Server and a static content Server

mod_deflate

Reduce bandwidth by 75% and improve response time by using mod_deflate.
LoadModule deflate_module modules/mod_deflate.so

AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/x-javascript

Loaded Modules
Reduce memory footprint by loading only the required modules.
Some also advise to statically compile in the needed modules, over building DSOs (Dynamic Shared Objects). Very bad advice. You will need to manually rebuild Apache every time a new version or security advisory for a module is put out, creating more work, more build related headaches, and more downtime.
mod_expires
Include mod_expires for the ability to set expiration dates for specific content; utilizing the ‘If-Modified-Since’ header cache control sent by the user’s browser/proxy. Will save bandwidth and drastically speed up your site for [repeat] visitors.
Note that this can also be implemented with mod_headers.
KeepAlive
Enable HTTP persistent connections to improve latency times and reduce server load significantly [25% of original load is not uncommon].
prefork MPM:
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 80
worker and winnt MPMs:
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 80

With the prefork MPM, it is recommended to set ‘KeepAlive’ to ‘Off’. Otherwise, a client will tie up an entire process for that span of time. Though in my experience, it is more useful to simply set the ‘KeepAliveTimeout’ value to something very low [2 seconds seems to be the ideal value]. This is not a problem with the worker MPM [thread-based], or under Windows [which only has the thread-based winnt MPM].
With the worker and winnt MPMs, the default 15 second timeout is setup to keep the connection open for the next page request; to better handle a client going from link to link. Check logs to see how long a client remains on each page before moving on to another link. Set value appropriately [do not set higher than 60 seconds].

SymLinks
Make sure ‘Options +FollowSymLinks -SymLinksIfOwnerMatch’ is set for all directories. Otherwise, Apache will issue an extra system call per filename component to substantiate that the filename is NOT a symlink; and more system calls to match an owner.

Options FollowSymLinks

AllowOverride
Set a default ‘AllowOverride None’ for your filesystem. Otherwise, for a given URL to path translation, Apache will attempt to detect an .htaccess file under every directory level of the given path.

AllowOverride None

ExtendedStatus
If mod_status is included, make sure that directive ‘ExtendedStatus’ is set to ‘Off’. Otherwise, Apache will issue several extra time-related system calls on every request made.
ExtendedStatus Off

ExtendedStatus
If mod_status is included, make sure that directive ‘ExtendedStatus’ is set to ‘Off’. Otherwise, Apache will issue several extra time-related system calls on every request made.
ExtendedStatus Off
Timeout
Lower the amount of time the server will wait before failing a request.
Timeout 45

Other/Specific
Cache all PHP pages, using Squid, and/or a PHP Accelerator and Encoder application, such as APC. Also take a look at mod_cache under Apache 2.2.
Convert/pre-render all PHP pages that do not change request-to-request, to static HTML pages. Use ‘wget’ or ‘HTTrack’ to crawl your site and perform this task automatically.
Pre-compress content and pre-generate headers for static pages; send-as-is using mod_asis. Can use ‘wget’ or ‘HTTrack’ for this task. Make sure to set zlib Compression Level to a high value (6-9). This will take a considerable amount of load off the server.
Use output buffering under PHP to generate output and serve requests without pauses.
Avoid content negotiation for faster response times.
Make sure log files are being rotated. Apache will not handle large (2gb+) files very well.
Gain a significant performance improvement by using SSL session cache.
Outsource your images to Amazon’s Simple Storage Service (S3).
Measuring Web Server Performance

Apache capacity planning -2

1. Apache server performance
Apache server performance can be improved by adding additional hardware resources such as RAM, faster CPU etc. But, most of the time, the same result can be achieved by custom configuration of the server. This article looks into getting maximum performance out of Apache with the existing hardware resources, specifically on the Linux systems. Of course, it is assumed that there is enough hardware resources, especially enough RAM that the server isn’t swapping frequently. First two sections look into various Compile-Time and Run-Time configuration options. Run-Time section assumes that Apache is compiled with prefork MPM. HTTP compression and caching is discussed next. Finally, using separate servers for serving static and dynamic contents are being discussed. Basic knowledge of compiling and configuring Apache, and Linux are assumed.



2 Compile-Time Configuration Options

2.1 Load only the required modules:

The Apache HTTP Server is a modular program where the administrator can choose the functionality to include in the server by selecting a set of modules [2]. The modules can be either statically compiled to the httpd binary or else can be compiled as Dynamic Shared Objects (DSOs). DSO modules can be either compiled when the server is built or else can use the apxs utility to compile and add at a later date. The module mod_so must be statically compiled into the Apache core to enable DSO support.

Run apache with only the required modules. This reduces the memory footprint and hence the server performance. Statically compiling modules will save RAM that’s used for supporting dynamically loaded modules, but one has to recompile Apache whenever a module is to be added or dropped. This is where the DSO mechanism comes handy. Once the mod_so module is statically compiled, any other module can be added or dropped using the LoadModule command in httpd.conf file – of course, you will have to compile the modules using apxs if it wasn’t compiled when the server was built.

2.2 Choose appropriate MPM:

Apache server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests [3]. Only one MPM can be loaded into the server at any time.

Choosing an MPM depends on various factors such as whether the OS supports threads, how much memory is available, scalability versus stability, whether non-thread-safe third-party modules are used, etc.. Linux systems can choose to use a threaded MPM like worker or a non-threaded MPM like prefork:

Worker MPM uses multiple child processes. It’s multi-threaded within each child and each thread handles a single connection. Worker is fast and highly scalable and the memory footprint is comparatively low. It’s well suited for multiple processors. On the other hand, worker is less tolerant to faulty modules and faulty threads can affect all the threads in a child process.

Prefork MPM uses multiple child processes, each child handles one connection at a time. Prefork is well suited for single or double CPU systems, speed is comparable to that of worker and it’s highly tolerant to faulty modules and crashing children. But the memory usage is high, more traffic leads to more memory usage.

3 Run-Time Configuration Options

3.1 DNS lookup:

The HostnameLookups directive enables DNS lookup so that hostnames can be logged instead of the IP address. This adds latency to every request since the DNS lookup has to be completed before the request is finished. HostnameLookups is Off by default in Apache 1.3 and above. Leave it Off and use post-processing program such as logresolve to resolve IP addresses in Apache’s access logfiles. Logresolve ships with Apache.
When using Allow from or Deny from directives, use IP address instead of a domain name or a hostname. Otherwise a double DNS lookup is performed to make sure that the domain name or the hostname is not being spoofed.

3.2 AllowOverride:

If AllowOverride is not set to ‘None’, then Apache will attempt to open .htaccess file (as specified by AccessFileName directive) in each directory that it visits. For example:
DocumentRoot /var/www/html

AllowOverride all

If a request is made for URI /index.html, then Apache will attempt to open /.htaccess, /var/.htaccess, /var/www/.htaccess, and /var/www/html/.htaccess. These additional file system lookups add to the latency. If .htaccess is required for a particular directory, then enable it for that directory alone.


3.3 FollowSymLinks and SymLinksIfOwnerMatch:

If FollowSymLinks option is set, then the server will follow symbolic links in this directory. If SymLinksIfOwnerMatch is set, then the server will follow symbolic links only if the target file or directory is owned by the same user as the link.
If SymLinksIfOwnerMatch is set, then Apache will have to issue additional system calls to verify whether the ownership of the link and the target file match. Additional system calls are also needed when FollowSymLinks is NOT set. For example:
DocumentRoot /vaw/www/html

Options SymLinksIfOwnerMatch

For a request made for URI /index.html, Apache will perform lstat() on /var, /var/www, /var/www/html, and /var/www/html/index.html. These additional system calls will add to the latency. The lstat results are not cached, so they will occur on every request.
For maximum performance, set FollowSymLinks everywhere and never set SymLinksIfOwnerMatch. Or else, if SymLinksIfOwnerMatch is required for a directory, then set it for that directory alone.

3.4 Content Negotiation:

Avoid content negotiation for fast response. If content negotiation is required for the site, use type-map files rather than Options MultiViews directive. With MultiViews, Apache has to scan the directory for files, which add to the latency.
3.5 MaxClients:
The MaxClients sets the limit on maximum simultaneous requests that can be supported by the server. No more than this much number of child processes are spawned. It shouldn’t be set too low such that new connections are put in queue, which eventually time-out and the server resources are left unused. Setting this too high will cause the server to start swapping and the response time will degrade drastically. Appropriate value for MaxClients can be calculated as: MaxClients = Total RAM dedicated to the web server / Max child process size —- [4] Child process size for serving static file is about 2-3M. For dynamic content such as PHP, it may be around 15M. The RSS column in
“ps -ylC httpd –sort:rss”
shows non-swapped physical memory usage by Apache processes in kilo Bytes.
If there are more concurrent users than MaxClients, the requests will be queued up to a number based on ListenBacklog directive. Increase ServerLimit to set MaxClients above 256.

3.6 MinSpareServers, MaxSpareServers, and StartServers:

MaxSpareServers and MinSpareServers determine how many child processes to keep while waiting for requests. If the MinSpareServers is too low and a bunch of requests come in, then Apache will have to spawn additional child processes to serve the requests. Creating child processes is relatively expensive. If the server is busy creating child processes, it won’t be able to serve the client requests immediately. MaxSpareServers shouldn’t be set too high, it can cause resource problems since the child processes consume resources.
Tune MinSpareServers and MaxSpareServers such that Apache need not frequently spwan more than 4 child processes per second (Apache can spwan a maximum of 32 child processes per second). When more than 4 children are spawned per second, a message will be logged in the ErrorLog.
The StartServers directive sets the number of child server processes created on startup. Apache will continue creating child process until the MinSpareServers setting is reached. Doesn’t have much effect on performance if the server isn’t restarted frequently. If there are lot of requests and Apache is restarted frequently, set this to a relatively high value.

3.7 MaxRequestsPerChild:

The MaxRequestsPerChild directive sets the limit on the number of requests that an individual child server process will handle. After MaxRequestsPerChild requests, the child process will die. It’s set to 0 by default, that means the child process will never expire. It is appropriate to set this to a value of few thousands. This can help prevent memory leakage since the process dies after serving a certain number of requests. Do not set this too low, since creating new processes does have overhead.

3.8 KeepAlive and KeepAliveTimeout:
The KeepAlive directive allows multiple requests to be sent over the same TCP connection. This is particularly useful while serving HTML pages with lot of images. If KeepAlive is set to Off, then for each images, a separate TCP connection has to be made. Overhead due to establishing TCP connection can be eliminated by turning On KeepAlive.
KeepAliveTimeout determines how long to wait for the next request. Set this to a low value, perhaps between two to five seconds. If it is set too high, child processed are tied up waiting for the client when they could be used for serving new clients.

4 HTTP Compression & Caching

HTTP compression is completely specified in HTTP/1.1. The server uses gzip or deflate encoding method to the response payload before it is sent to the client. Client then decompresses the payload. There is no need to install any additional software at the client side since all major browsers support this. Using compression will save bandwidth and improve response time, studies have found a mean compression gain of 75.2 % [5]. HTTP Compression can be enabled in Apache using mod_deflate module. Payload is compressed only if the browser requests compression, otherwise uncompressed content is served. A compression aware browser inform the server that it prefers compressed content through the HTTP request header – “Accept-Encoding: gzip,deflate”. Then the server responds with compressed payload and the response header set to ”
Content-Encoding:
gzip
Following example uses telnet to view request and response headers:
bash-3.00$ telnet www.webperformance.org 80
Trying 24.60.234.27…
Connected to www.webperformance.org (24.60.234.27).
Escape character is ‘^]’.
HEAD / HTTP/1.1
Host: www.webperformance.org
Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK
Date: Sat, 31 Dec 2005 02:29:22 GMT
Server: Apache/2.0
X-Powered-By: PHP/5.1.1
Cache-Control: max-age=0
Expires: Sat, 31 Dec 2005 02:29:22 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Content-Type: text/html; charset=ISO-8859-1

In caching, a copy of the data is stored at the client or in a proxy server so that it need not be retrieved frequently from the server. This will save bandwidth, decrease load on the server and reduce latency. Cache control is done through HTTP headers. In Apache, this can be accomplished through mod_expires and mod_headers modules. Also there is server side caching, in which the frequently accessed contents are stored in memory so that it can be served fast. The module mod_cache can be used for server side caching, it is production stable in Apache version 2.2.

5 Separate server for static and dynamic content

Apache processes serving dynamic content takes about 3M to 20M of RAM. It grows to accommodate the content it’s serving and never decreases until the process dies. Say an Apache process grows to 20M to serve a dynamic content. After completing the request, it is free to serve any other request. If a request for an image comes in, then this 20M process is serving a static content which could as well be served by a 1M process. Memory is used inefficiently.
Use a tiny Apache (with minimum modules statically compiled) as the front-end server to serve static contents. Request for dynamic contents are forwarded to the heavy Apache (compiled with all required modules). Using a light front-end server has the advantage that the static contents are served fast without much memory usage and only the dynamic contents are passed over to the heavy server.
Request forwarding can be achieved by using mod_proxy and rewrite_module modules. Suppose there is a lightweight Apache server listening to port 80 and the heavyweight Apache listening on port 8088. Then the following configuration in the lightweight Apache can be used to forward all request except request for images to the heavyweight server.
ProxyPassReverse / http://%{HTTP_HOST}:8088/
RewriteEngine on —- [9]
RewriteCond %{REQUEST_URI} !.*\.(gif|png|jpg)$
RewriteRule ^/(.*) http://%{HTTP_HOST}:8088/$1 [P]
All requests, except for images, are proxied to the backend server. Response is received by the frontend server and then supplied to the client. As far as client is concerned, all the response seem to come from a single server.

6 Conclusion

Configuring Apache for maximum performance is tricky, there are no hard and fast rules. Understand the web server requirements and experiment with various available options. Use tools like ab and httperf to measure the web server performance. Light weight servers such as tux , thttpd can also be used as the front-end server. If a database server is used, make sure it is optimized so that it won’t create any bottleneck. In case of MySQL, mtop can be used to monitor slow queries. Performance of PHP scripts can be improved by using a PHP caching product such as Turck MMCache. It eliminates overhead due to compiling by caching the PHP scripts

Hardening guide for Apache

Hardening guide for Apache

From:
ServerSignature OnTo:
ServerSignature Off
HostnameLookups Off

From:
# ServerTokensTo:
ServerTokens Prod

From:
ServerAdmin you@yourhost.comTo:
ServerAdmin webmaster@yourcompany.com

From:
LogLevel warnTo:
LogLevel notice

From:
IndexOptions FancyIndexing VersionSortTo:
# IndexOptions FancyIndexing VersionSort
#

To:
# AddIcon

From:
DefaultIcon /icons/unknown.gifTo:
# DefaultIcon /icons/unknown.gif

From:
Alias /icons/ “/var/apache2/icons/”To:
# Alias /icons/ “/var/apache2/icons/”

From:
AliasMatchTo:
# AliasMatch

From:
ScriptAliasTo:
# ScriptAlias

From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.soTo:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

From
LoadModule imap_module libexec/mod_imap.soTo:
# LoadModule imap_module libexec/mod_imap.so

From:
LoadModule cgi_module libexec/mod_cgi.soTo:
# LoadModule cgi_module libexec/mod_cgi.so

From:
LoadModule suexec_module libexec/mod_suexec.soTo:
# LoadModule suexec_module libexec/mod_suexec.so

From:
LoadModule autoindex_module libexec/mod_autoindex.soTo:
# LoadModule autoindex_module libexec/mod_autoindex.so

From:
LoadModule info_module libexec/mod_info.soTo:
# LoadModule info_module libexec/mod_info.so

From:
LoadModule status_module libexec/mod_status.soTo:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule status_module libexec/mod_status.soTo:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule userdir_module libexec/mod_userdir.soTo:
# LoadModule userdir_module libexec/mod_userdir.so

From:
LoadModule cern_meta_module modules/mod_cern_meta.soTo:
# LoadModule cern_meta_module modules/mod_cern_meta.so

From:
LoadModule dav_module modules/mod_dav.soTo:
# LoadModule dav_module modules/mod_dav.so

From:

Options FollowSymLinks
AllowOverride None

To:

Options None
AllowOverride None
Order deny,allow
deny from all

From:
<Directory “/var/apache2/htdocs”>To:
<Directory “/www”>

deny from all

From:
Options Indexes FollowSymLinksTo:
Options -FollowSymLinks -Includes -Indexes -MultiViews
# Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
# Remove the sections bellow from the file httpd.conf
<Directory “/usr/apache2/manual”>
<Directory “/var/apache2/cgi-bin”>
# Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR “Apache Software Foundation”To:
#define AP_SERVER_BASEVENDOR “Restricted server”
From:
#define AP_SERVER_BASEPRODUCT “Apache”To:
#define AP_SERVER_BASEPRODUCT “Secure Web Server”
# Starting Apache from command line:
/usr/apache2/bin/apachectl start
# Run the command bellow to start the Apache service at server start-up:
svcadm enable apache2

Security Testing your Apache Configuration with Nikto

Nikto: Scan Apache for Security Holes

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
including over 3500 potentially dangerous files/CGIs,
versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and
can be automatically updated (if desired).”

Nikto does require the LibWhisker Perl module, but this is built into the program so it does not need to be installed.
You will want to install the Net::SSLeay Perl module if you want to test SSL.


Install mod_security Apache Intrusion Detection And Prevention Engine

ModSecurity operates embedded into the web server (httpd), acting as a powerful umbrella – shielding web applications from attacks

mod_security configuration files

1. /etc/httpd/conf.d/mod_security.conf – main configuration file for the mod_security Apache module.
2. /etc/httpd/modsecurity.d/ – all other configuration files for the mod_security Apache.
3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf – Configuration contained in this file should be customized for your specific requirements before deployment.
4. /var/log/httpd/modsec_debug.log – Use debug messages for debugging mod_security rules and other problems.
5. /var/log/httpd/modsec_audit.log – All requests that trigger a ModSecurity events (as detected) or a serer error are logged (“RelevantOnly”) are logged into this file.

cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf

vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

There are five rules directories:

* activated_rules
* base_rules
* experimental_rules
* optional_rules
* slr_rules

Make sure SecRuleEngine set to “On” to protect webserver for the attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. This guide assumes you already have your LAMP server configured.
Guides for setting up a LMAP stack can be found under our LAMP guides section.

disable TRACE and TRACK in the main scope of httpd.conf

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* – [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* – [F]

ServerTokens Prod
ServerSignature Off
TraceEnable Off



1.2 ModSecurity

1.3 ModSecurity Core Rules Overview

Performance
Quality
Regression tests
Real traffic testing
Generic Detection
Event Information
Plug and Play
Protocol compliance:
Attack Detection:

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
# cd /usr/src
# wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
# tar xzf modsecurity-apache_2.6.6.tar.gz
# cd modsecurity-apache_2.6.6
# ./configure
# make install
# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

CentOS 6.x 32-bit (x86/i386):

rpm -Uvh http://mirror.overthewire.com.au/pub/epel/6/i386/epel-release-6-7.noarch.rpm

CentOS 6.x 64-bit (x64):

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

CentOS 5.x 32-bit (x86/i386):

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

CentOS 5.x 64-bit (x64):

rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm


yum install mod_security





Downloading OWASP Mod_Security Core Rule Set


## For RHEL/CentOS 6.2/6.1/6/5.8 ##
# cd /etc/httpd/
# wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz
# tar xzf modsecurity-crs_2.2.5.tar.gz
# mv modsecurity-crs_2.2.5 modsecurity-crs
# cd modsecurity-crs
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf








CentOS / Redhat (RHEL) / Fedora Linux disable a module

Under Redhat based Linux distributions you need to modify *.conf file stored in /etc/httpd/conf.d/ directory. Apache scans for files with the .conf suffix at start up.

So if the system does not need to use mod_python, rename 'python.conf' to 'python.bak' and restart Apache with the command 'service httpd restart in order to disable that particular module and save memory.
# cd /etc/httpd/conf.d/
# mv perl.conf no.perl.bak
# /etc/init.d/httpd restart
Enable a module

To re-enable modules, simply rename them to their original names and restart Apache to get back module functionality:
# cd /etc/httpd/conf.d/
# mv no.perl.bak perl.conf
# /etc/init.d/httpd restart



More about /etc/httpd/conf.d/ directory

This directory holds Apache 2.0 module-specific configuration files; any files in this directory which have the ".conf" extension will be processed as Apache configuration files. Files are processed in alphabetical order, so if using configuration directives which depend on, say, mod_perl being loaded, ensure that
these are placed in a filename later in the sort order than "perl.conf".

    manual.conf : This configuration file allows the manual to be accessed at http://localhost/manual/
    perl.conf : mod_perl incorporates a Perl interpreter into the Apache web server, so that the Apache web server can directly execute Perl code.
    php.conf : php5 module for php
    proxy_ajp.conf : When loaded, the mod_proxy_ajp module adds support for proxying to an AJP/1.3 backend server such as Tomcat.
    python.conf : mod_python is a module that embeds the Python language interpreter within the server, allowing Apache handlers to be written in Python.
    squid.conf : Access to squid cache manager
    ssl.conf : Apache SSL server configuration
    webalizer.conf : Webalizer stats configuration
    welcome.conf : This configuration file enables the default "Welcome" page if there is no default index page present for
    the root URL.


mod_dav_svn
mod_perl-devel
mod_auth_kerb
mod_nss
mod_auth_kerb
mod_auth_mysql
mod_auth_pgsql
mod_authz_ldap
mod_dnssd
mod_revocator
mod_wsgi


grep -v '\#' /etc/httpd/conf/httpd.conf


yum install  httpd-devel mod_security mod_ssl php

#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule env_module modules/mod_env.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule info_module modules/mod_info.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule version_module modules/mod_version.so



LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so



http://www.thegeekstuff.com/2011/03/apache-hardening/
http://hackathology.blogspot.sg/2007/11/basics-of-modsecurity.html
http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

Here’s what I’ve added to tune the Linux TCP stack in /etc/sysctl.conf:


    net.ipv4.tcp_abort_on_overflow = 1
    net.ipv4.tcp_fin_timeout = 15
    net.ipv4.tcp_low_latency = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 3
    net.ipv4.tcp_sack = 0
    net.ipv4.ip_conntrack_max = 65535
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.ipv4.tcp_rmem = 4096 87380 16777216
    net.ipv4.tcp_wmem = 4096 65536 16777216
    net.ipv4.ip_local_port_range = 1024 65000
    net.ipv4.tcp_keepalive_intvl = 15
    net.ipv4.tcp_keepalive_probes = 4
    net.ipv4.tcp_keepalive_time = 1800

Apache capacity planning

Apache capacity planning

    LogFormat “%{X-Forwarded-For}i %l %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\”” proxy
    SetEnvIf X-Forwarded-For “^.*\..*\..*\..*” forwarded
    CustomLog “logs/access_log” combined env=!forwarded
    CustomLog “logs/access_log” proxy env=forwarded

    The apache MPM

    http://articles.slicehost.com/2010/5/19/configuring-the-apache-mpm-on-centos

    http://www.howtoforge.com/configuring_apache_for_maximum_performance

    The apache MPM

    Part of the apache web server installation is the “MPM”, which stands for “Multi-Processing Method”.
    The MPM determines the mechanism apache uses to handle multiple connections. Now that we have an idea of where apache keeps its configs we’ll cover in detail
    how the main MPMs are configured and how you might optimize their settings for your environment.
    The difference

    The first thing to know is that there are several MPMs that apache can use, but the main MPMs are “worker” and “prefork”.

    The worker MPM primarily handles connections by creating new threads within a child process, while the prefork MPM spawns a new process to handle each connection.
    The worker MPM is considered more efficient, but some modules aren’t stable when running under the worker MPM.
    The yum apache package defaults to the prefork MPM for the best compatibility with modules.
    Most users won’t notice a difference in performance between the MPMs, but it’s good to know they’re there.
    If you find your site is having trouble scaling, for example, you might want to switch to the worker MPM even though it isn’t recommended by a module you’re using. PHP,
    for instance, will switch apache to the prefork MPM when aptitude installs it, but newer versions of PHP can be compiled with worker MPM support.
    For a change like that, you’ll want to consult your module’s documentation to see what it may have to say about apache MPMs.

    The prefork MPM

    Default:


    StartServers 8
    MinSpareServers 5
    MaxSpareServers 20
    ServerLimit 256
    MaxClients 256
    MaxRequestsPerChild 4000

    StartServers

    This is the number of child server processes created at startup, ready to handle incoming connections.
    If you’re expecting heavy traffic you might want to increase this number so the server is ready to handle a lot of connections right when it’s started.

    MinSpareServers

    The minimum number of child server processes to keep in reserve.
    MaxSpareServers

    Maximum number of child server processes that will be held in reserve. Any more than the maximum will be killed.

    ServerLimit

    The ServerLimit directive sets an absolute limit on the MaxClients directive. The reasons for this aren’t interesting enough to go into here, so the main thing to know about this directive is that
    it should usually be set to the same value as MaxClients, and probably shouldn’t be set at all if you set MaxClients lower than 256.

    MaxClients

    Sets the maximum simultaneous requests that Apache will handle. Anything over this number will be queued until a process is free to action the request.

    MaxClients is not the same as the maximum number of visitors you can have. It is the maximum number of requests that can be fielded at the same time.

    Remember the KeepAliveTimeout? This was set low so the connections used by idle web clients can be recycled more quickly to handle new web clients.
    Each active connection uses memory and counts toward the MaxClients total. If you hit the number of connections in the MaxClients setting,
    web clients will be stuck waiting for a connection slot to free up.

    The trick with MaxClients is that you want the number to be high enough that visitors don’t have to wait before connecting to your site,
    but not so high that apache needs to grab more memory than is available on your server. If you go over the available memory for your server
    it will start dipping into swap memory, which is slow and ugly and trust me you don’t want to do that.
    For the prefork MPM, a new process is started when apache handles a new connection. That means MaxClients sets the maximum number of processes apache
    will create to handle incoming clients. Memory can definitely be a limiting factor here.

    MaxRequestsPerChild

    Sets how many requests a child process will handle before terminating. The default is zero, which means it will never die.

    Why change this if the Max numbers are set as shown above? Well, it can help in managing your Slice memory usage.

    If you change the default you give a child a finite number of actions before it will die.

    This will, in effect, reduce the number of processes in use when the server is not busy, thus freeing memory.

    Freeing it for what though? If other software needed memory then it would also need it when the server is under load. It is unlikely you will have anything that requires memory only when the server is quiet.

    The worker MPM

    Defaults:


    StartServers 2
    MaxClients 150
    MinSpareThreads 25
    MaxSpareThreads 75
    ThreadsPerChild 25
    MaxRequestsPerChild 0

    Configuring Apache for Maximum Performance

    2.1 Load only the required modules:

    Run apache with only the required modules. This reduces the memory footprint and hence the server performance. Statically compiling modules will save RAM that’s used for supporting dynamically loaded modules,
    but one has to recompile Apache whenever a module is to be added or dropped

    2.2 Choose appropriate MPM:

    orker MPM uses multiple child processes. It’s multi-threaded within each child and each thread handles a single connection.
    Worker is fast and highly scalable and the memory footprint is comparatively low. It’s well suited for multiple processors. On the other hand,
    worker is less tolerant to faulty modules and faulty threads can affect all the threads in a child process.

    Prefork MPM uses multiple child processes, each child handles one connection at a time. Prefork is well suited for single or double CPU systems,
    speed is comparable to that of worker and it’s highly tolerant to faulty modules and crashing children. But the memory usage is high,
    more traffic leads to more memory usage.

    3.1 DNS lookup:

    The HostnameLookups directive enables DNS lookup so that hostnames can be logged instead of the IP address. This adds latency to every request since the DNS lookup has to be completed before the request is finished.
    HostnameLookups is Off by default in Apache 1.3 and above. Leave it Off and use post-processing program such as logresolve to resolve IP addresses in Apache’s access logfiles.
    .Logresolve ships with Apache.

    When using Allow from or Deny from directives, use IP address instead of a domain name or a hostname.
    Otherwise a double DNS lookup is performed to make sure that the domain name or the hostname is not being spoofed.

    3.2 AllowOverride:
    If AllowOverride is not set to ‘None’, then Apache will attempt to open .htaccess file (as specified by AccessFileName directive) in each directory that it visits. For example:

    DocumentRoot /var/www/html

    AllowOverride all

    3.3 FollowSymLinks and SymLinksIfOwnerMatch:
    If FollowSymLinks option is set, then the server will follow symbolic links in this directory. If SymLinksIfOwnerMatch is set, then the server will follow symbolic links only if the target file or directory is owned by the same user as the link.

    If SymLinksIfOwnerMatch is set, then Apache will have to issue additional system calls to verify whether the ownership of the link and the target file match.
    Additional system calls are also needed when FollowSymLinks is NOT set. For example:

    DocumentRoot /vaw/www/html

    Options SymLinksIfOwnerMatch

    3.4 Content Negotiation:

    Avoid content negotiation for fast response. If content negotiation is required for the site, use type-map files rather than Options MultiViews directive. With MultiViews,
    Apache has to scan the directory for files, which add to the latency.

    3.5 MaxClients:

    The MaxClients sets the limit on maximum simultaneous requests that can be supported by the server. No more than this much number of child processes are spawned.
    It shouldn’t be set too low such that new connections are put in queue, which eventually time-out and the server resources are left unused.
    Setting this too high will cause the server to start swapping and the response time will degrade drastically.
    Appropriate value for MaxClients can be calculated as: MaxClients = Total RAM dedicated to the web server / Max child process size —-
    [4] Child process size for serving static file is about 2-3M. For dynamic content such as PHP, it may be around 15M. The RSS column in

    3.6 MinSpareServers, MaxSpareServers, and StartServers:

    3.7 MaxRequestsPerChild:

    3.8 KeepAlive and KeepAliveTimeout:

    4 HTTP Compression & Caching

    5 Separate server for static and dynamic content

Extending Swap on an LVM2 Logical Volume

Extending Swap on an LVM2 Logical Volume

1)Check swap space and its utilization
cat /proc/swaps # free

2) Scan (all disks) for Logical Volumes
lvscan
[root@localhost ~]# lvscan
ACTIVE ‘/dev/VolGroup/lv_root’ [47.44 GiB] inherit
ACTIVE ‘/dev/VolGroup/lv_home’ [46.19 GiB] inherit
ACTIVE ‘/dev/VolGroup/lv_swap’ [5.88 GiB] inherit

3) Disable devices and files for paging and swapping
swapoff -v /dev/VolGroup/lv_swap

4) Resize a logical volume Adding 1 GB
lvm lvresize /dev/VolGroup/lv_swap -L +1G

5) Set up a Linux swap area
mkswap /dev/VolGroup/lv_swap

6) Enable devices and files for paging and swapping
swapon -va

7) Check swap space and its utilization
cat /proc/swaps # free

8) Scan (all disks) for Logical Volumes
lvscan

Reducing Swap on an LVM2 Logical Volume

Reducing Swap on an LVM2 Logical Volume
1) Check swap space and its utilization
cat /proc/swaps # free

2) Scan (all disks) for Logical Volumes
lvscan

[root@localhost ~]# lvscan
ACTIVE ‘/dev/VolGroup/lv_root’ [47.44 GiB] inherit
ACTIVE ‘/dev/VolGroup/lv_home’ [46.19 GiB] inherit
ACTIVE ‘/dev/VolGroup/lv_swap’ [5.88 GiB] inherit

3) Disable devices and files for paging and swapping
swapoff -v /dev/vg0/lv_swap

4)Reduce the size of a logical volume
lvm lvreduce /dev/VolGroup/lv_swap -L -1G

5) Set up a Linux swap area
mkswap /dev/VolGroup/lv_swap

6) Enable devices and files for paging and swapping

swapon -va

7) Check swap space and its utilization
cat /proc/swaps # free
8) Scan (all disks) for Logical Volumes
lvscan

Centos 6 SFTP chroot Jail

Centos 6 SFTP chroot Jail

User and Group setup

First you will want to establish the sftponly group

groupadd sftponly

Then create the user with the correct home directories and group

useradd -d /var/www/vhosts/bob -s /bin/false -G sftponly bob

Don’t forget at this point to also add password to these new accounts.

SSHd configuration changes

Now we need to make changes in /etc/ssh/sshd_config to enable SFTP chroot jails in SSH.

Comment out the following line in /etc/ssh/sshd_config:

Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with this line:

Subsystem sftp internal-sftp

Then add the following set of lines to the very bottom of the file:

Match Group sftponly

ChrootDirectory /var/www/vhosts/%u

X11Forwarding no

AllowTCPForwarding no

ForceCommand internal-sftp

This creates a special login group that then chroot jailed all users in that group into their own home directory.

Once these file changes are saved you will need to restart SSHd for the changes to take effect, using the following command:

service sshd restart

Permissions cleanup and testing

Last issue to address is the permissions settings, for this example the directories /var/www/vhosts/bob and /var/www/vhosts/ted should both be owned by root. The directory /var/www/vhosts/ted/site1 should be owned by ted and the directory /var/www/vhosts/bob/site1 should be owned by bob.

chown root /var/www/vhosts/bob
ls -la
chmod go-w /var/www/vhosts/bob
chown bob:sftponly /var/www/vhosts/bob/fileupload/
chown bob:sftponly /opt/app/vhosts/rbc/writable/
chown bob:sftponly /opt/app/vhosts/rbc/codeupload/
chmod ug+rwx codeupload fileupload writable

tail -f /var/log/secure
tail -f /var/log/audit/audit.log

Shorewall – Firewall

CentOS – Install and Configure Shorewall

Add repository EPEL that is provided from Fedora project.
wget http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
rpm –import RPM-GPG-KEY-EPEL-6
rm -f RPM-GPG-KEY-EPEL-6
vi /etc/yum.repos.d/epel.repo
# create new
[epel]
name=EPEL RPM Repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/fedora/epel/6/$basearch/
gpgcheck=1
enabled=0
# when you use the repository, input yum command like follows

yum –enablerepo=epel install shorewall

Backup and Edit System Control

cp /etc/sysctl.conf /etc/sysctl.conf.org

sed -i ‘s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g’ /etc/sysctl.conf

Backup and Edit Shorewall Zones
cp /etc/shorewall/zones /etc/shorewall/zones.org
vi /etc/shorewall/zones

##
# For information about this file, type “man shorewall-zones”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE – ADD YOUR ENTRIES ABOVE THIS ONE – DO NOT REMOVE

Backup and Edit Shorewall Interfaces
cp /etc/shorewall/interfaces /etc/shorewall/interfaces.ori
vi /etc/shorewall/interfaces

#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
dmz eth2 detect
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

Backup and Edit Shorewall Policy
cp /etc/shorewall/policy /etc/shorewall/policy.ori
vi /etc/shorewall/policy

#
# Shorewall version 4 – Policy File
#
# For information about entries in this file, type “man shorewall-policy”
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the ‘info’ LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE — DO NOT REMOVE

Backup and Edit Shorewall Rules

cp /etc/shorewall/rules /etc/shorewall/rules.orig

vi /etc/shorewall/rules

# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#######################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the “bad” net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc->net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE — ADD YOUR ENTRIES BEFORE THIS ONE — DO NOT REMOVE

Backup and Edit Shorewall Configuration
[root@localhost ~]# cp /etc/shorewall/shorewall.conf /etc/shorewall/shorewall.conf.orig
[root@localhost ~]# vi /etc/shorewall/shorewall.conf
sed -i ‘s/STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/g’ /etc/shorewall/shorewall.conf
Check Shorewall Configuration
shorewall check
Create Auto Start and Restart Shorewall
chkconfig shorewall on
service shorewall restart
or
shorewall restart

Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate

Configure Advanced Policy-based Firewall (APF), Brute Force Detection (BFD), DDoS Deflate

Advanced Policy Firewall

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

Features:
– detailed and well commented configuration file
– granular inbound and outbound network filtering
– user id based outbound network filtering
– application based network filtering
– trust based rule files with an optional advanced syntax
– global trust system where rules can be downloaded from a central management server
– reactive address blocking (RAB), next generation in-line intrusion prevention
– debug mode provided for testing new features and configuration setups
– fast load feature that allows for 1000+ rules to load in under 1 second
– inbound and outbound network interfaces can be independently configured
– global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
– configurable policies for each ip on the system with convenience variables to import settings
– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
– prerouting and postrouting rules for optimal network performance
– dshield.org block list support to ban networks exhibiting suspicious activity
– spamhaus Don’t Route Or Peer List support to ban known “hijacked zombie” IP blocks
– any number of additional interfaces may be configured as trusted or untrusted
– additional firewalled interfaces can have there own unique firewall policies applied
– intelligent route verification to prevent embarrassing configuration errors
– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
– configurable type of service options to dictate the priority of different types of network traffic
– intelligent default settings to meet every day server setups
– dynamic configuration of your servers local DNS revolvers into the firewall
– optional filtering of common p2p applications
– optional filtering of private & reserved IP address space
– optional implicit blocks of the ident service
– configurable connection tracking settings to scale the firewall to the size of your network
– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
– advanced network control such as explicit congestion notification and overflow control
– helper chains for FTP DATA and SSH connections to prevent client side issues
– optional rate limited event logging
– logging subsystem that allows for logging data to user space programs or standard syslog files
– comprehensive logging of every rule added
– detailed startup error checking
– if you are familiar with netfilter you can create your own rules in any of the policy files
– pluggable and ready advanced use of QoS algorithms provided by the Linux
– 3rd party add-on projects that compliment APF features

Install Procedure

mkdir /software
cd software
wget -c http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-2/
./install.sh
cp /etc/apf/conf.apf /etc/apf/conf.apf.bk
vi /etc/apf/conf.apf

DEVEL_MODE=”0”
IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,3306”
IG_UDP_CPORTS=”53,67,68,111,5353,48443”
USE_AD=”1”

/etc/init.d/apf restart

Brute Force Detection (BFD)

Brute Force Detection (BFD)

1) Download and Install Brute Force Detection (BFD)
wget -c http://rfxnetworks.com/downloads/bfd-current.tar.gz
tar xvfz bfd-current.tar.gz
cd bfd-*
./install.sh
Backup and Edit BFD Configuration
cp /usr/local/bfd/conf.bfd /usr/local/bfd/conf.bfd.ori
vi /usr/local/bfd/conf.bfd

EMAIL_ALERTS=”0″
EMAIL_ADDRESS=”admin@email.com”
Backup and Edit BFD Ignore Hosts
cp /usr/local/bfd/ignore.hosts /usr/local/bfd/ignore.hosts.ori
vi /usr/local/bfd/ignore.hosts

192.168.1.108
Run BFD
bfd -s

DDoS Deflate

Download and Install DDoS Deflate
wget -c http://www.inetbase.com/scripts/ddos/install.sh

sh install.sh
Backup and Edit DDOS Configuration
cp /usr/local/ddos/ddos.conf /usr/local/ddos/ddos.conf.ori
vi /usr/local/ddos/ddos.conf

EMAIL_TO=”test@email.com”
Run DDOS
/usr/local/ddos/ddos.sh -c

Open a port in apf firewall and add trusted IP

Apf is a policy based iptable firewall which is very useful for blocking DDoS attack on heavily traffic servers.
The issue is when we developrs/testers are using the same server which will deny all the traffic from their static Ip given.
This is a major headache in most cases.

1. Opening port in apf firewall
Edit the file
“/etc/apf/conf.apf”

and find the entry of IG_TCP_CPORTS”

and added the ports to be opened in it.

A sample entry like this, I add the port ’9091? in it
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,3306″

Then restart the firewall
[root@host.mydomain.com] ~ >> apf -r

Trusting our ip’s on Apf firewall

Add our ip information on ”
/etc/apf/allow_hosts.rules

“. A sample entry like this
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
# my IP ranges
10.0.4.0/24
10.0.5.0/24
10.0.6.0/24
tcp:in:d=22:s=192.168.2.1#
out:d=23:d=192.168.2.1#
d=3306:s=192.168.5.0/24

IPTABLES Firewall on Centos

Firewall on Centos OS

#!/bin/sh
#
#

## Set your IP address
MYIP=”192.168.1.108″
#
## Flush rules & reset counters
/sbin/iptables -F
/sbin/iptables -Z
#
## Set policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
#
## Drop all incoming fragments
/sbin/iptables -A INPUT -i eth0 -f -j DROP
#
## Drop outside packets with local addresses – anti-spoofing measure
/sbin/iptables -A INPUT -s $MYIP -i ! lo -j DROP
/sbin/iptables -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 10.0.0.0/8 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 192.168.0.0/16 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 224.0.0.0/4 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 0.0.0.0/8 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 255.255.255.255 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 169.254.0.0/16 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
/sbin/iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
#
## Pass all locally-originating packets
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
## Accept ICMP ping echo requests
## (this allows other people to ping your machine, among other things),
/sbin/iptables -A INPUT -p icmp –icmp-type echo-request -j ACCEPT
#
## Accept all traffic from a specific machine with IP x.x.x.x
## replace x.x.x.x with the desired IP, then uncomment the line.
#/sbin/iptables -A INPUT -p tcp -m tcp –syn -s xxx.xxx.xxx.xxx -j ACCEPT
#
## Accept traffic on port p from a specific machine with IP x.x.x.x
## replace p with the desired port number, and replace x.x.x.x with
## the desired IP, then uncomment the line.
#/sbin/iptables -A INPUT -p tcp -m tcp –syn -s x.x.x.x –dport p -j ACCEPT
#
## Accept ftp-data and ftp (ports 20 & 21)
/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 21 -j ACCEPT
#
## Accept ssh (port 22)
/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 22 -j ACCEPT
#
## Accept telnet (port 23)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 23 -j ACCEPT
#
## Accept smtp (port 25)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 25 -j ACCEPT
## Accept dns (port 53)
/sbin/iptables -A INPUT -p udp -m udp -s 0/0 –dport 53 -d 0/0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -s 0/0 –dport 53 -d 0/0 -j ACCEPT
#
## Accept http (port 80)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 80 -j ACCEPT
#
## Accept pop3 (port 110)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 110 -j ACCEPT
#
## Accept inbound identd (port 113)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 113 -j ACCEPT
## or you can reject and send back a TCP RST packet instead
#/sbin/iptables -A INPUT -p tcp -m tcp –dport 113 -j REJECT –reject-with tcp-reset
#
## Accept imap (port 143)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 143 -j ACCEPT
#
## Accept https (port 443)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 443 -j ACCEPT
#
## Accept smtps (port 465)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 465 -j ACCEPT
## Accept msp (port 587)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 587 -j ACCEPT
#
## Accept SpamAssassin (port 783)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 783 -j ACCEPT
#
## Accept imaps (port 993)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 993 -j ACCEPT
#
## Accept pop3s (port 995)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 995 -j ACCEPT
#
## Accept mysql (port 3306)
#/sbin/iptables -A INPUT -p tcp -m tcp –syn –dport 3306 -j ACCEPT
#
## Allow inbound established and related outside communication
/sbin/iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
#
## Drop outside initiated connections
/sbin/iptables -A INPUT -m state –state NEW -j REJECT
#
## Allow all outbound tcp, udp, icmp traffic with state
/sbin/iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
#
## Save rules
service /sbin/iptables save
#
#
echo “/sbin/iptables configuration is complete”
echo “”
echo “Check your rules – /sbin/iptables -L -n”
echo “”

Redhat Linux IPTABLES

==============================================================================================
==============================================================================================
# Generated by iptables-save v1.3.5 on Sat Dec 10 05:28:35 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [59:18308]
:RH-Firewall-1-INPUT – [0:0]
:SSH_CHECK – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF A: ”
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF B: ”
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF C: ”
-A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP MULTICAST D: ”
-A INPUT -s 240.0.0.0/248.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF E: ”
-A INPUT -d 127.0.0.0/255.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP LOOPBACK: ”
-A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -j SSH_CHECK
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A SSH_CHECK -m recent –set –name SSH –rsource
-A SSH_CHECK -m recent –update –seconds 60 –hitcount 4 –name SSH –rsource -j DROP
COMMIT
# Completed on Sat Dec 10 05:28:35 2011
==============================================================================================
==============================================================================================

Block Incomming Port 80 except for IP Address 192.168.3.0/24

# /sbin/iptables -A INPUT -p tcp -i eth0 -s ! 192.168.3.0/24 –dport 80 -j DROP

# Generated by iptables-save v1.3.5 on Sat Dec 10 06:17:00 2011
*filter
:INPUT ACCEPT [80:5760]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:12568]
-A INPUT -p tcp -m tcp –dport 80 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp –dport 443 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp –dport 22 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s ! 192.168.3.0/255.255.255.0 -i eth0 -p tcp -m tcp –dport 80 -j DROP
COMMIT
# Completed on Sat Dec 10 06:17:00 2011
==============================================================================================
==============================================================================================

FTP FIREWALL

# Generated by iptables-save v1.3.5 on Wed Jun 10 21:13:16 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [423:45748]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp –dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp –dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp –dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT
==============================================================================================
==============================================================================================

Redhat Basic Firewall

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp –icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp –dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp –dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp –dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 5902 -j ACCEPT
A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 10050 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT

==============================================================================================
==============================================================================================

SSH Rules

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here’s a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state –state NEW –source 193.180.177.13 –dport 22 -j ACCEPT

And make sure no one else has access to SSH service:

~# iptables -A INPUT -p tcp –dport 22 -j DROP

~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -m limit –limit 1/minute –limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state –syn –state NEW –dport 22 -m limit –limit 1/minute –limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state –syn –state NEW –dport 22 -j DROP

Conclusion

iptables -N SSH_CHECK
iptables -A INPUT -p tcp –dport 22 -m state –state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent –set –name SSH
iptables -A SSH_CHECK -m recent –update –seconds 60 –hitcount 4 –name SSH -j DROP