Reboot

[How to] FreeBSD Web Server Secure


Hello, today I will introduce steps to install a web server under FreeBSD.

We need to install some programs:

Main programs

-MySQL 5.6 server

-Apache 2.4

-PHP 5.6

-PHP 5.6 extensions

-PHP 5.6 extra extensions

Advanced firewall

-IP Filter

-mod_security

-mod_antiloris

-mod_evasive

 

Before you begin configuring the web server you must install pkg.

In the FreeBSD console type:

pkg

then answer Y -> ENTER (to confirm the install). After that:

pkg update

Installing and configuring MySQL.

Now the MySQL server. In the FreeBSD console type these commands:

pkg install mysql56-server
echo 'mysql_enable="YES"' >> /etc/rc.conf
service mysql-server start

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now create the MySQL "root" user:

mysql -u root
-- root@'%' may log in from any host; use root@'localhost' unless you really
-- need remote administration, and keep port 3306 off the public interface.
GRANT ALL PRIVILEGES ON *.* TO root@'%'
IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
exit

Where it says 'password', put your desired password.

MySQL done.

 

Installing and configuring Apache 2.4.

pkg install apache24
echo 'apache24_enable="YES"' >> /etc/rc.conf

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now open WinSCP and navigate to

/usr/local/etc/apache24/httpd.conf

In httpd.conf look for the following line:

# ServerName www.yourdomain.com:80

and delete the leading # from that line in your httpd.conf.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now start the service:

service apache24 start

Ready. Now test whether it works: open a web browser and type the IP address used by your VDS (VPS).

If everything is OK the website should show:

It Works!

Installing and configuring PHP 5.6

 

The commands:

pkg install php56
pkg install mod_php56

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open /usr/local/etc/apache24/httpd.conf and verify that you have this line:

LoadModule php5_module        libexec/apache24/libphp5.so

If it is not there, add it manually.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open the FreeBSD console and run this command:

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now let's configure Apache.

Open the file /usr/local/etc/apache24/httpd.conf and look for the following line:

DirectoryIndex index.html

and change it so it reads as follows:

DirectoryIndex index.html index.php

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now Apache just needs to know what it should parse PHP files with. Add these two lines to httpd.conf (they can go at the bottom if needed), or find the block of lines starting with AddType and put these two there:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you want to use PHP code inside .htm files you can just add those extensions:

# note: with this, every .htm/.html file in the docroot is executed as PHP
AddType application/x-httpd-php .php .htm .html

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

As an optional step, if you'd like to add multi-language support to Apache, uncomment the following line in httpd.conf and restart the services:

Include etc/apache24/extra/httpd-languages.conf
service apache24 restart
service mysql-server restart

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Okay, now test whether PHP works. Type this command in the FreeBSD console:

# php.ini-production ships with short_open_tag = Off, so use the full <?php tag;
# remove this file once you have seen it, phpinfo() discloses paths and versions
echo "<?php phpinfo(); ?>" >> /usr/local/www/apache24/data/index.php

Then open this address in a web browser, using the IP of your VDS (VPS):

http://your_server_IP_address/index.php

 

Installing and configuring PHP 5.6 extensions and extra extensions.

pkg install php56-extensions
pkg install php56-mysqli
pkg install php56-mysql
pkg install php56-gd
pkg install php56-openssl 

DONE

Varnish cache: the best HTTP accelerator

pkg install varnish

Then rc.conf:

echo 'varnishd_enable="YES"' >> /etc/rc.conf

Start Varnish:

/usr/local/etc/rc.d/varnishd start

Check whether Varnish is really running:

/usr/local/etc/rc.d/varnishd status

varnishd is not running.

 

Now view the Varnish configuration:

ee /usr/local/etc/varnish/default.vcl

Inside the file I see this:

# Default backend definition.  Set this to point to your content
# server.
#
# backend default {
#     .host = "127.0.0.1";
#     .port = "8080";
# }

It means the content needs to be served on port 8080.

Remove all the # marks so it looks like this:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

Replace 127.0.0.1 with the IP of your host (VPS, VDS, etc.).

Save the file.

 

 

Change the Apache configuration to run on port 8080:

ee /usr/local/etc/apache24/httpd.conf

Change:

Listen 80

to:

Listen 8080

Save the file.

Restart Apache:

service apache24 restart

Now try to start Varnish again:

/usr/local/etc/rc.d/varnishd start

Check Varnish:

/usr/local/etc/rc.d/varnishd status

P.S.: you can enable the Varnish log:

echo 'varnishlog_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/varnishlog start

Security

Antiloris protection :D

Slowloris allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The tool used to launch a Slowloris attack can be downloaded at https://github.com/llaera/slowloris.pl

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to, but never completing, the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

Install this:

pkg install mod_antiloris

Find the following line in your httpd.conf and uncomment it. If the line is not there after installing mod_antiloris, add it manually:

#LoadModule antiloris_module libexec/apache24/mod_antiloris.so

 

ModSecurity

pkg install www/mod_security

ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity-related stuff and clone the CRS repository under it:

pkg install git
mkdir -p /usr/local/etc/modsecurity
cd /usr/local/etc/modsecurity
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs

Copy the default ModSecurity config file, and fetch a necessary file which is currently not included in the package:

cp /usr/local/etc/modsecurity.conf-example modsecurity.conf
fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Now we create an Apache configuration snippet in Apache's modules.d directory. It loads the ModSecurity module and includes the configuration and the CRS:

cat << 'EOF' > /usr/local/etc/apache24/modules.d/000_modsecurity.conf
# Load ModSecurity
# Comment out the next line to temporarily disable ModSecurity:
LoadModule security2_module libexec/apache24/mod_security2.so

<IfModule security2_module>
    # Include ModSecurity configuration
    Include etc/modsecurity/modsecurity.conf

    # Include OWASP Core Rule Set (CRS) configuration and base rules
    Include etc/modsecurity/modsecurity_crs_10_setup.conf
    Include etc/modsecurity/crs/base_rules/*.conf

    # Add custom configuration and CRS exceptions here. Example:
    # SecRuleRemoveById 960015
</IfModule>
EOF

When the configuration is all set, simply restart Apache, and confirm that ModSecurity is loaded by checking Apache's log file:

service apache24 restart

The log file is /var/log/httpd-error.log. Hopefully, the log will show something like this:

ModSecurity for Apache/2.4.2 (http://www.modsecurity.org/) configured.
ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15"
ModSecurity: LIBXML compiled version="2.8.0"

What the log says differs by Apache version :D

 

 

Now that ModSecurity is active, try making a suspicious request to your web server, for instance browse to the URL http://www.example.com/?foo=/etc/passwd. The CRS has a rule against this type of request. After browsing to the URL, you should now see this request logged in /var/log/modsec_audit.log.

You'll notice that the request succeeds, and the response is sent to the browser normally. The reason is that ModSecurity runs in DetectionOnly mode by default, in order to prevent downtime from misconfiguration or heavy-handed blocking. You can enable blocking mode simply by editing modsecurity.conf and changing the SecRuleEngine line to:

SecRuleEngine On

Again, restart Apache. Now make the same suspicious request to your web server. You should now see a "403 Forbidden" error!

In practice, it's probably best to keep SecRuleEngine DetectionOnly for some time, while your users exercise the web applications. Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see what is being blocked. If there are any false positives, you need to mitigate them by writing custom exceptions.

 

mod_evasive

-DOSHashTableSize
-DOSPageCount
-DOSSiteCount
-DOSPageInterval
-DOSSiteInterval
-DOSBlockingPeriod
-DOSEmailNotify
-DOSSystemCommand
-DOSLogDir
-DOSWhitelist (whitelisting IP addresses)

Coming soon :D

 

 

If you know of other vulnerabilities, leave a message and I'll edit in the fix. :D

I'm going to edit my post over time, when I have time, about security.

If you need to install more extensions, leave a message in the topic and I'll edit the post and add them for you :D

If you have errors, such as missing libraries or other errors, ask in the topic.

All steps tested on FreeBSD 10.1
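A pre-flight check for the hand edits the tutorial above makes, added here as an example; it is not part of the original post and not a FreeBSD or Apache tool. It reads httpd.conf, rc.conf and default.vcl and reports what is still commented out, missing or mismatched, which is exactly what this thread tripped over (the apache24_enable/mysql_enable mix-up, Varnish "not running" until Apache moved to 8080). The function names are mine, the sample files it writes are constructed for the demo, and the real paths it assumes are the tutorial's package defaults (/usr/local/etc/apache24/httpd.conf, /etc/rc.conf, /usr/local/etc/varnish/default.vcl).

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the hand
# edits the tutorial makes to httpd.conf, rc.conf and default.vcl, so a typo or
# a still-commented line is caught before "service apache24 restart" takes the
# site down. Paths below are the FreeBSD package defaults the tutorial uses.

# listen_port FILE: port of the first active "Listen" directive
# ("Listen 8080" or "Listen 0.0.0.0:8080"); prints nothing if there is none.
listen_port() {
    awk '/^[ \t]*Listen[ \t]/ { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# vcl_backend_port FILE: .port of an uncommented "backend default" block.
vcl_backend_port() {
    awk '/^[ \t]*backend[ \t]+default/ { inb = 1 }
         inb && /\.port[ \t]*=/ { gsub(/[^0-9]/, ""); print; exit }' "$1"
}

# check_httpd_conf FILE: each directive the tutorial adds must sit on an
# uncommented line. Prints one finding per line, returns the number missing.
check_httpd_conf() {
    missing=0
    for spec in \
        'ServerName set|^[[:space:]]*ServerName[[:space:]]+[^[:space:]]' \
        'PHP module loaded|^[[:space:]]*LoadModule[[:space:]]+php5_module' \
        'antiloris module loaded|^[[:space:]]*LoadModule[[:space:]]+antiloris_module' \
        'DirectoryIndex has index.php|^[[:space:]]*DirectoryIndex[[:space:]].*index\.php' \
        'AddType for .php|^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]].*\.php'
    do
        if grep -Eq "${spec#*|}" "$1"; then
            echo "ok       ${spec%%|*}"
        else
            echo "MISSING  ${spec%%|*}"
            missing=$((missing + 1))
        fi
    done
    # Mapping .htm/.html onto the PHP handler widens what runs as code: any
    # HTML file that lands in the docroot is then executed as PHP.
    if grep -Eq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]].*\.html?([[:space:]]|$)' "$1"; then
        echo "WARNING  .htm/.html are handled as PHP (larger code-execution surface)"
    fi
    return "$missing"
}

# check_rc_conf FILE: the services the tutorial enables must each be YES (the
# thread tripped over apache24_enable written where mysql_enable was meant).
check_rc_conf() {
    missing=0
    for svc in mysql_enable apache24_enable varnishd_enable; do
        if grep -Eq "^[[:space:]]*${svc}=\"?YES\"?" "$1"; then
            echo "ok       $svc"
        else
            echo "MISSING  $svc=\"YES\""
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_varnish_wiring HTTPD_CONF VCL: Apache must listen on the port the VCL
# backend points at, or Varnish has nothing to serve. Returns 0 when they match.
check_varnish_wiring() {
    ap=$(listen_port "$1")
    be=$(vcl_backend_port "$2")
    if [ -z "$be" ]; then
        echo "MISSING  backend default {} in $2 is still commented out"
        return 1
    elif [ "$ap" != "$be" ]; then
        echo "MISMATCH Apache listens on ${ap:-<none>}, VCL backend expects $be"
        return 1
    fi
    echo "ok       Apache :$ap matches Varnish backend :$be"
}

# write_samples DIR: constructed sample files (not real server output) so the
# checks run offline: a correct set, and one with the mistakes from this thread.
write_samples() {
    mkdir -p "$1"
    printf 'Listen 8080\nServerName www.example.com:8080\nLoadModule php5_module libexec/apache24/libphp5.so\nLoadModule antiloris_module libexec/apache24/mod_antiloris.so\nDirectoryIndex index.html index.php\nAddType application/x-httpd-php .php\n' > "$1/httpd-good.conf"
    printf 'Listen 80\n# ServerName www.example.com:80\nLoadModule php5_module libexec/apache24/libphp5.so\n#LoadModule antiloris_module libexec/apache24/mod_antiloris.so\nDirectoryIndex index.html\nAddType application/x-httpd-php .php .htm .html\n' > "$1/httpd-bad.conf"
    printf 'backend default {\n    .host = "127.0.0.1";\n    .port = "8080";\n}\n' > "$1/default.vcl"
    printf 'mysql_enable="YES"\napache24_enable="YES"\nvarnishd_enable="YES"\n' > "$1/rc-good.conf"
    printf 'apache24_enable="YES"\napache24_enable="YES"\n' > "$1/rc-bad.conf"
}

# Stand-alone run: show the checks against the constructed samples. For a real
# box call e.g. check_httpd_conf /usr/local/etc/apache24/httpd.conf instead.
d=${TMPDIR:-/tmp}/preflight-demo.$$
write_samples "$d"
for f in good bad; do
    echo "== $f =="
    check_httpd_conf "$d/httpd-$f.conf" || :
    check_rc_conf "$d/rc-$f.conf" || :
    check_varnish_wiring "$d/httpd-$f.conf" "$d/default.vcl" || :
done
rm -rf "$d"
```

Run it before every restart; a non-zero return from any check means the restart will either fail outright or leave Apache reachable directly on 80 with Varnish unable to start, which is the state the post describes. The .htm/.html warning is deliberate: the optional AddType line in the tutorial turns every HTML file in the document root into executable code, so it should only be enabled if you actually need it.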
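The ModSecurity section above says to keep an eye on /var/log/modsec_audit.log while running in DetectionOnly and to write exceptions for false positives, but a raw audit log is hard to read by eye. The following is an added example, not part of the original post and not a ModSecurity tool: it summarises a ModSecurity 2.x serial audit log per transaction (client, blocked or only logged, which rule ids fired, the request line) and counts hits per rule, which is the list you need before deciding on a SecRuleRemoveById. The function names are mine, and the sample log it writes is constructed for the demo (rule ids, messages and addresses in it are illustrative, not captured output).

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a ModSecurity 2.x
# serial audit log (the /var/log/modsec_audit.log the tutorial says to watch)
# so you can see which rules fire, from which clients, and whether the engine
# only logged or actually blocked. Ids that fire on legitimate traffic while
# in DetectionOnly are the candidates for a SecRuleRemoveById exception.
# The sample log below is constructed for the demo; its rule ids, messages
# and addresses are illustrative.

# audit_transactions FILE: one tab-separated line per transaction:
#   client_ip  action(logged|blocked)  rule_ids  request_line
# Parts are delimited by "--<txid>-<letter>--": A = audit header (timestamp,
# unique id, client ip/port, server ip/port), B = request line and headers,
# H = audit trailer with one "Message:" per matched rule, Z = end of record.
audit_transactions() {
    awk '
    /^--[0-9A-Za-z]+-[A-Z]--$/ {
        part = substr($0, length($0) - 2, 1)
        if (part == "A") { client = ""; req = ""; ids = ""; act = "logged" }
        if (part == "Z") { printf "%s\t%s\t%s\t%s\n", client, act, (ids == "" ? "-" : ids), req }
        next
    }
    part == "A" && client == "" && NF >= 7 { client = $4; next }
    part == "B" && req == "" && /^(GET|POST|HEAD|PUT|DELETE|OPTIONS) / { req = $0; next }
    part == "H" && /^Message:/ {
        # rule id sits in the [id "NNN"] tag: skip the 5-char prefix, drop the 2-char suffix
        if (match($0, /\[id "[0-9]+"\]/)) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            ids = (ids == "" ? id : ids "," id)
        }
        next
    }
    part == "H" && /^Action: Intercepted/ { act = "blocked"; next }
    ' "$1"
}

# rule_hits FILE: transactions per rule id, most frequent first.
rule_hits() {
    audit_transactions "$1" | awk -F '\t' '
        $3 != "-" { n = split($3, a, ","); for (i = 1; i <= n; i++) c[a[i]]++ }
        END { for (id in c) print c[id], id }' | sort -rn
}

# blocked_clients FILE: client addresses that had at least one request intercepted.
blocked_clients() {
    audit_transactions "$1" | awk -F '\t' '$2 == "blocked" { print $1 }' | sort -u
}

# write_sample_log FILE: constructed audit log with three transactions: the
# tutorial's /etc/passwd probe (blocked), a login POST that tripped two rules
# while the engine only logged, and a plain page view that only hit the
# "missing Accept header" rule.
write_sample_log() {
    cat > "$1" <<'EOF'
--a1b2c3d4-A--
[27/Feb/2015:10:15:32 +0000] VPBkUH8AAQEAAF@kBz0AAAAA 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /?foo=/etc/passwd HTTP/1.1
Host: www.example.com
User-Agent: curl/7.40.0

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Matched Data: /etc/passwd found within ARGS:foo [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--
--e5f6a7b8-A--
[27/Feb/2015:10:16:01 +0000] VPBkcX8AAQEAAF@kBz4AAAAB 198.51.100.22 40112 192.0.2.10 80
--e5f6a7b8-B--
POST /login HTTP/1.1
Host: www.example.com

--e5f6a7b8-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Pattern match "union select" at ARGS:user. [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"]

--e5f6a7b8-Z--
--c9d0e1f2-A--
[27/Feb/2015:10:16:09 +0000] VPBkeX8AAQEAAF@kBz8AAAAC 198.51.100.22 40120 192.0.2.10 80
--c9d0e1f2-B--
GET /index.php HTTP/1.1
Host: www.example.com

--c9d0e1f2-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]

--c9d0e1f2-Z--
EOF
}

# Stand-alone run against the constructed sample; point the functions at
# /var/log/modsec_audit.log for the real thing.
log=${TMPDIR:-/tmp}/modsec-demo.$$.log
write_sample_log "$log"
echo "== transactions ==";    audit_transactions "$log"
echo "== hits per rule ==";   rule_hits "$log"
echo "== blocked clients =="; blocked_clients "$log"
rm -f "$log"
```

On the sample, rule_hits puts the "missing Accept header" rule at the top with two hits from ordinary-looking requests, while the /etc/passwd probe and the SQL-injection rule fire once each: the first is the kind of noisy rule you would consider disabling with SecRuleRemoveById (the tutorial's own snippet shows that id as the example exception), the other two are what the WAF is there for. Run rule_hits over a few days of DetectionOnly traffic before flipping SecRuleEngine On.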

Thanks for the tutorial but I have one problem.

I configured PHP5 but I have one error.

It can't read .php files.

 

yCqyd.png

 

 

My configuration:

 

5EVuf.png

 

 

RiV9c.png

 



I forgot something, I think :D I edited the post, check everything.

Open /usr/local/etc/apache24/httpd.conf and verify that you have this line:

LoadModule php5_module        libexec/apache24/libphp5.so

If it is not there, add it manually.


Yes, you're right, it didn't create the line; I added it manually but... another error xD

NOIff.png

I went to cd /usr/local/libexec/apache24 and I don't have libphp5.so in this directory.

Probably in your unsuccessful attempts you broke something in FreeBSD.

After installing mod_php56, libphp5.so really has to be there.

Use a clean FreeBSD and redo the steps in the tutorial.

Why install MySQL?

And why use Apache instead of nginx?

Today you need good DDoS protection, and in the case of a layer 7 attack nginx is much, much better than Apache.

nginx is event-driven (Apache is process-based), so it can handle that better.



Apache is best.

MySQL is necessary for the database.
MySQL is necessary to use the mysqli extension.

With good Apache protection and a perfect setup, nginx is weak compared to Apache.

My opinion :D

In FreeBSD there are about 100 ways to protect a web server. I know them all :D

I just don't have time to do tutorials.

 


You can install the PHP MySQL extension without installing MySQL.

It's a fact that nginx is better than Apache.

An opinion doesn't matter.


 


OK, I'll reinstall my FreeBSD and try again, and afterwards I'll come back here and leave a comment =)


 

 


https://lh6.googleusercontent.com/TGZJ8_IWGWsn-0M6Txi9rrt7m5shn_Y5wwi475r8ewMatyVQyULg43lQvAvSN1V24P_9Eu_aezpyRMuWRbmf_XPXtjkN6QrsB9zbM7eLs4ESzrtR6_3ft-LgjA

We tested both Apache and nginx.

In any case, I'll do a tutorial for nginx. :D


 

 

 


edit: what do you want to show? nginx has better stats in the pic


 

 

 

 


Some statistics show that nginx is better, others that Apache is. They're not always correct; when I tested, Apache performed better :D


You can use Apache if you want, but don't be surprised if your homepage goes offline.


I restarted my FreeBSD server and now when I start Apache I get this error:

dJSve.png

I think you forgot some steps in the apache24 installation xD



converters/iconv Charset conversion library and utilities

converters/iconv-extra Additional charsets for the iconv library (those from the Unicode site)

converters/iconv-rfc1345 Additional charset modules for the iconv library (from RFC1345)

converters/libiconv A character set conversion library

pkg install iconv
pkg install iconv-extra
pkg install iconv-rfc1345
pkg install libiconv

All ste

ps tested on FreeBSD 10.1


Installing and configuring MySQL.

Now the MySQL server:

In the FreeBSD console type these commands:

?

pkg install mysql56-server

?

echo 'apache24_enable="YES"' >> /etc/rc.conf

I think it is:

echo 'mysql_enable="YES"' >> /etc/rc.conf


 


OMG, I think it's because I was drunk. :))))))))

Thanks :)))))))


 

 


Would you also please add a tutorial about how to prevent Slowloris attacks?

Otherwise every web server can be taken down with a 250 kB/s connection.


 

 

 


I'll fill out this topic tomorrow night, when I have time.
The tutorial about Slowloris: just wait until tomorrow :D

Yes, solved.

In your tutorial you have one error.

In the MySQL installation you say this:

echo 'apache24_enable="YES"' >> /etc/rc.conf

It's mysql, not apache xD

Well, when I go to create the user I have this problem.

y5F4c.png


 


Read the posts, I'm drunk :D

Edited :)))))))))))))))))))))))

For Slowloris (antiloris protection):

Update: check my first post :D


@topic: We need to install packages, not programs.

First of all: the tutorial works!

But:
- First install Apache, then the other packages, because Apache is the web server; then MySQL, then PHP (because PHP requires some libraries to be available).

I would do this with ports. But that has already been said ().

Configuration:
What about php.ini settings? I am tired of hearing "I have a Too many connections error".

Security:
If you list mods like mod_antiloris, you can add: mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris.

- The most important thing to block attacks on Ubuntu/Debian is (as far as I can see) definitely Fail2Ban with iptables, but I don't know what's best for BSD.


Why install mysql?
And why using apache instead of nginx?


Apache is the most used web server. With Apache as your web server you'll be assured long and reliable service, as it's a solid, configurable and capable web server, so why not?
nginx is faster than Apache in transfer rate but has less of a wait time between receiving the request and passing a response back. Benchmarks proved that. The only question is what you need. I don't think you use Apache very often if you ask why to install MySQL.

I don't get the point here:


You can install the php mysql extension without installing mysql


And that makes nginx better? C'mon.


Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
nginx runs as an event (apache as a process) so it can handle that better


I hope you know that the cake hasn't quite turned out as I'd hoped... The disadvantage of process-based servers like Apache under heavier loads is that they usually consume far more RAM, which significantly degrades performance and has nothing to do with "good DDoS protection". When your server is fucked up because of RAM during a DDoS attack (the CPU trying to process the amount of data coming in) then I have to say: leave it all. Without a good hoster (a mitigation solution, and that is the point against DDoS) you're going down, with Apache and with nginx, sooner or later.


It's a fact that nginx is better than apache


Fact is: the BEST web server does not exist. The best web server is the one which is better configured and better protected. That can be Apache or nginx.

edit://


I do not understand why to use apache wich is shitty for me , instead of nginx ( way better and "smart" ).


Why is it shit? Because it's not smart to you? Because it's not as simple as nginx? Too much to install or configure? Then use LAMP: http://en.wikipedia.org/wiki/LAMP_(software_bundle)

Why can't you guys give me compelling evidence WHY the fuck Apache is shit? It's a powerful web server (over 35% of all websites are based on it) if you can configure and protect it. Not being able to handle Apache doesn't mean it's shit.

Edited by Ayaka
