How to install a secure web server on FreeBSD?


Hello, today I will introduce steps to install a web server under FreeBSD.

We need to install some programs:

Main programs

- MySQL 5.6 server
- Apache24
- PHP 5.6
- PHP 5.6 extensions
- PHP 5.6 extra extensions

Advanced firewall

- IP Filter
- mod_security
- mod_antiloris
- mod_evasive


Before you begin configuring the web server you must install pkg.

In the FreeBSD console type:

pkg

then confirm the installation with Y -> ENTER.

After that:

pkg update

Installing and configuring MySQL

Now the MySQL server. In the FreeBSD console type these commands:

pkg install mysql56-server
echo 'mysql_enable="YES"' >> /etc/rc.conf
service mysql-server start

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now create the MySQL "root" user:

mysql -u root
-- the "%" host part means this root account may connect from any host, not only from localhost
GRANT ALL PRIVILEGES ON *.* TO root@"%"
IDENTIFIED BY 'password' WITH GRANT OPTION;
flush privileges;
exit

In place of password, put the password you want.

DONE mysql


Installing and configuring Apache24

pkg install apache24

The following command:

echo 'apache24_enable="YES"' >> /etc/rc.conf

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now open WinSCP and navigate to

/usr/local/etc/apache24/httpd.conf

In httpd.conf look for the following line:

# ServerName www.yourdomain.com:80

and delete the leading # from that line.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now start the service:

service apache24 start

READY. Now to test if it works.

Open a web browser and type the IP address used by your VDS (VPS).

If everything is OK the page should show:

It works!

Installing and configuring PHP 5.6

The commands:

pkg install php56
pkg install mod_php56

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open /usr/local/etc/apache24/httpd.conf and verify that you have this line:

LoadModule php5_module        libexec/apache24/libphp5.so

If it is not there, add it manually.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open the FreeBSD console and enter this command:

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now let's configure Apache.

Open the file /usr/local/etc/apache24/httpd.conf and look for the following line:

DirectoryIndex index.html

And change it so it reads as follows:

DirectoryIndex index.html index.php

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now Apache just needs to know what it should parse the PHP files with. These two lines should be added to httpd.conf; they can go at the bottom if needed, or next to the existing lines that start with AddType:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If you want to use PHP code inside .htm files, you can just add those extensions:

AddType application/x-httpd-php .php .htm .html

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

As an optional step, if you'd like to add multilanguage support to Apache, uncomment the following line (in httpd.conf):

Include etc/apache24/extra/httpd-languages.conf

Then restart the services:

service apache24 restart
service mysql-server restart

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Okay, now to test if PHP works.

Type this command in the FreeBSD console:

# php.ini-production sets short_open_tag = Off, so use the full <?php tag
echo "<?php phpinfo(); ?>" >> /usr/local/www/apache24/data/index.php

Then open http://your_server_IP_address/index.php in a web browser, using the IP of your VDS (VPS).
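Added here as a worked example, not code from the original post or from FreeBSD/Apache: a POSIX shell script that checks an httpd.conf for the four edits the PHP steps above call for (ServerName uncommented, php5_module loaded, index.php in DirectoryIndex, .php mapped to the PHP handler). The paths follow the apache24 layout used in the post; the two sample configs the script writes are constructed for the demo. Running it against /usr/local/etc/apache24/httpd.conf before `service apache24 restart` catches the "can't read .php files" symptom reported further down the thread, which is what a missing LoadModule or AddType line produces.

```sh
#!/bin/sh
# Added example (not from the original post): check an httpd.conf for the four
# PHP-related edits described in the steps above, before restarting Apache.
# Paths follow the FreeBSD apache24 layout used in the post; the two sample
# configs written by write_sample_conf are constructed for this demo.

# check_httpd_conf FILE
#   Prints one line per check and returns the number of failed checks (0 = all good).
check_httpd_conf() {
    conf=$1
    fails=0

    # 1. ServerName set and no longer commented out (the first Apache step above)
    if grep -Eq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "ok   ServerName is set"
    else
        echo "FAIL ServerName is missing or still commented out"; fails=$((fails + 1))
    fi

    # 2. mod_php loaded; without it Apache serves .php files as plain text
    if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php5_module[[:space:]]+libexec/apache24/libphp5\.so' "$conf"; then
        echo "ok   php5_module is loaded"
    else
        echo "FAIL LoadModule php5_module line not found"; fails=$((fails + 1))
    fi

    # 3. index.php listed as a DirectoryIndex candidate (any position in the list)
    if grep -Eq '^[[:space:]]*DirectoryIndex([[:space:]]+[^[:space:]]+)*[[:space:]]+index\.php([[:space:]]|$)' "$conf"; then
        echo "ok   DirectoryIndex includes index.php"
    else
        echo "FAIL DirectoryIndex does not list index.php"; fails=$((fails + 1))
    fi

    # 4. .php mapped to the PHP handler (the AddType step); the .phps line alone is not enough
    if grep -Eq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php([[:space:]]+[^[:space:]]+)*[[:space:]]+\.php([[:space:]]|$)' "$conf"; then
        echo "ok   .php is handled by application/x-httpd-php"
    else
        echo "FAIL AddType application/x-httpd-php .php not found"; fails=$((fails + 1))
    fi

    return "$fails"
}

# write_sample_conf good|bad FILE  (constructed sample data for the demo)
#   good: httpd.conf after all edits above; bad: as installed, before any edit
write_sample_conf() {
    case $1 in
    good) cat > "$2" <<'EOF'
Listen 80
LoadModule dir_module libexec/apache24/mod_dir.so
LoadModule php5_module        libexec/apache24/libphp5.so
ServerName www.example.com:80
DirectoryIndex index.html index.php
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
EOF
        ;;
    bad) cat > "$2" <<'EOF'
# A fresh httpd.conf before any of the edits above
Listen 80
LoadModule dir_module libexec/apache24/mod_dir.so
# ServerName www.example.com:80
DirectoryIndex index.html
EOF
        ;;
    esac
}

# Demo: run both samples and show the failure counts
good=$(mktemp); bad=$(mktemp)
write_sample_conf good "$good"
write_sample_conf bad  "$bad"
echo "--- edited httpd.conf"
check_httpd_conf "$good"; echo "failures: $?"
echo "--- untouched httpd.conf"
check_httpd_conf "$bad";  echo "failures: $?"
rm -f "$good" "$bad"
```

Once phpinfo() has confirmed that PHP works, remove the test index.php again: it lists the PHP build, loaded modules and file system paths to anyone who can reach the server.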

 

Installing and configuring PHP 5.6 extensions and extra extensions

pkg install php56-extensions
pkg install php56-mysqli
pkg install php56-mysql
pkg install php56-gd
pkg install php56-openssl 

DONE


Varnish cache: the best HTTP accelerator

pkg install varnish

Then rc.conf:

echo 'varnishd_enable="YES"' >> /etc/rc.conf

Start varnish:

/usr/local/etc/rc.d/varnishd start

Check whether varnish is really running:

/usr/local/etc/rc.d/varnishd status

varnishd is not running.


Now view the varnish configuration:

ee /usr/local/etc/varnish/default.vcl

Inside the file I see this:

# Default backend definition.  Set this to point to your content
# server.
#
# backend default {
#     .host = "127.0.0.1";
#     .port = "8080";
# }

It means the content needs to run on port 8080.

Remove all the # marks so it looks like this:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

Replace 127.0.0.1 with the IP of your host (VPS, VDS, etc.).

Save the file.


Change the Apache configuration to run on port 8080.

ee /usr/local/etc/apache24/httpd.conf

Change:

Listen 80

to:

Listen 8080

Save the file.

Restart Apache:

service apache24 restart

Now retry running varnish :(

/usr/local/etc/rc.d/varnishd start

Check varnish:

/usr/local/etc/rc.d/varnishd status

P.S.: you can enable the varnish log:

echo 'varnishlog_enable="YES"' >> /etc/rc.conf
/usr/local/etc/rc.d/varnishlog start
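The detour above ("varnishd is not running" until Apache was moved to 8080) comes down to one condition: the backend port in default.vcl must be a port Apache actually listens on, and Varnish itself must be free to take port 80. Added here as an example, not code from the original post or from the Varnish or Apache projects, is a shell check that reads both files and reports whether they agree. The file contents it writes are constructed samples; the paths are the ones the post uses. A VCL string must be in straight double quotes, so the check also fails on a pasted config whose quotes were mangled, which is exactly when varnishd refuses to start.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the backend in
# Varnish's default.vcl and Apache's Listen directive agree on a port. The file
# contents written by write_sample are constructed; the paths match the post.

# vcl_backend_port VCL_FILE
#   Prints the .port value of the backend, or nothing if it is absent or not in
#   straight double quotes (curly or missing quotes fail here, as they do for varnishd).
vcl_backend_port() {
    sed -n 's/^[[:space:]]*\.port[[:space:]]*=[[:space:]]*"\([0-9][0-9]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# apache_listen_port HTTPD_CONF
#   Prints the port of the first active Listen directive ("Listen 8080" or "Listen 10.0.0.1:8080").
apache_listen_port() {
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}//p' "$1" | head -n 1 | sed 's/.*://; s/[^0-9].*//'
}

# check_backend_port VCL_FILE HTTPD_CONF -> 0 when they agree, 1 otherwise
check_backend_port() {
    vport=$(vcl_backend_port "$1")
    aport=$(apache_listen_port "$2")
    if [ -z "$vport" ]; then
        echo "FAIL default.vcl: no properly quoted .port value (check the quotes)"
        return 1
    fi
    if [ "$vport" = "$aport" ]; then
        echo "ok   Varnish backend port $vport matches Apache 'Listen $aport'"
        return 0
    fi
    echo "FAIL Varnish backend port $vport, but Apache listens on ${aport:-nothing}"
    return 1
}

# write_sample KIND FILE [PORT]  (constructed sample data)
#   vcl         the backend block as the post says it should look after editing
#   vcl-broken  the same block with the quotes mangled by copy and paste
#   httpd       a minimal httpd.conf listening on PORT
write_sample() {
    case $1 in
    vcl) cat > "$2" <<'EOF'
# Default backend definition.  Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}
EOF
        ;;
    vcl-broken) cat > "$2" <<'EOF'
backend default {
    .host = 127.0.0.1”;
    .port = 8080”;
}
EOF
        ;;
    httpd) printf 'Listen %s\nServerName www.example.com:%s\n' "$3" "$3" > "$2" ;;
    esac
}

# Demo: the working pair, the "Apache still on 80" pair, and the mangled VCL
vcl=$(mktemp); vcl_bad=$(mktemp); httpd80=$(mktemp); httpd8080=$(mktemp)
write_sample vcl "$vcl"
write_sample vcl-broken "$vcl_bad"
write_sample httpd "$httpd80" 80
write_sample httpd "$httpd8080" 8080
check_backend_port "$vcl" "$httpd8080"
check_backend_port "$vcl" "$httpd80"
check_backend_port "$vcl_bad" "$httpd8080"
rm -f "$vcl" "$vcl_bad" "$httpd80" "$httpd8080"
```

On the server itself the two real files are /usr/local/etc/varnish/default.vcl and /usr/local/etc/apache24/httpd.conf; run the check after editing either one and before restarting varnishd.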


Security

Antiloris protection :D

Slowloris allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

Install this:

pkg install mod_antiloris

Find the following line in your httpd.conf and uncomment it. If it is not there after installing mod_antiloris, add it manually:

#LoadModule antiloris_module libexec/apache24/mod_antiloris.so
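The attack described above shows up on the server as many simultaneous connections from one client that never complete, and a per-client connection cap is what mod_antiloris enforces inside Apache. Added here as an example, not code from the original post or from the mod_antiloris project, is a defender-side script that measures the same thing from outside: it counts established connections per remote address on a given local port from sockstat-style output (columns USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS). The input produced by sample_sockstat is constructed, not a real capture; on a FreeBSD host the same function can read `sockstat -4c` on standard input.

```sh
#!/bin/sh
# Added example (not from the original post): count established connections
# per remote address on a local port from sockstat-style output, to spot a
# client that is holding open far more connections than a browser would.
# sample_sockstat is constructed data, not a real capture.

# count_clients_by_ip PORT THRESHOLD < SOCKSTAT_OUTPUT
#   Prints "ADDRESS COUNT" for each remote address holding at least THRESHOLD
#   connections to local port PORT, busiest first.
count_clients_by_ip() {
    awk -v port="$1" -v min="$2" '
        $5 !~ /^tcp/            { next }   # skip the header line and non-TCP rows
        $6 !~ (":" port "$")    { next }   # keep only connections to the watched port
        {
            ip = $7
            sub(/:[0-9]+$/, "", ip)        # drop the remote port, keep the address
            n[ip]++
        }
        END {
            for (ip in n)
                if (n[ip] >= min) print ip, n[ip]
        }' | sort -k2,2nr
}

# Constructed sockstat-like sample: one client holding six connections to :80,
# a normal visitor with two, plus unrelated SSH and MySQL sockets.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      2101  4  tcp4   203.0.113.10:80       198.51.100.7:51230
www      httpd      2102  4  tcp4   203.0.113.10:80       198.51.100.7:51231
www      httpd      2103  4  tcp4   203.0.113.10:80       198.51.100.7:51232
www      httpd      2104  4  tcp4   203.0.113.10:80       198.51.100.7:51233
www      httpd      2105  4  tcp4   203.0.113.10:80       198.51.100.7:51234
www      httpd      2106  4  tcp4   203.0.113.10:80       198.51.100.7:51235
www      httpd      2107  4  tcp4   203.0.113.10:80       192.0.2.44:40001
www      httpd      2108  4  tcp4   203.0.113.10:80       192.0.2.44:40002
root     sshd       1050  3  tcp4   203.0.113.10:22       198.51.100.7:60000
mysql    mysqld     1200  10 tcp4   127.0.0.1:3306        127.0.0.1:49152
EOF
}

# Demo: report clients with five or more concurrent connections to port 80
sample_sockstat | count_clients_by_ip 80 5
```

On a live host, `sockstat -4c | count_clients_by_ip 80 20` run from cron or a monitoring script gives an early warning before the connection pool fills; the threshold should sit above what legitimate clients behind a shared NAT address normally hold.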

 

ModSecurity

pkg install www/mod_security

ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it.

pkg install git
mkdir -p /usr/local/etc/modsecurity
cd /usr/local/etc/modsecurity
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs

Copy the default ModSecurity config file, and fetch a necessary file which is currently not included in the package:

cp /usr/local/etc/modsecurity.conf-example modsecurity.conf
fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Now we create an Apache configuration snippet in Apache's modules.d directory. It loads the ModSecurity module, and includes the configurations and CRS:

cat << 'EOF' > /usr/local/etc/apache24/modules.d/000_modsecurity.conf
# Load ModSecurity
# Comment out the next line to temporarily disable ModSecurity:
LoadModule security2_module libexec/apache24/mod_security2.so

<IfModule security2_module>
    # Include ModSecurity configuration
    Include etc/modsecurity/modsecurity.conf

    # Include OWASP Core Rule Set (CRS) configuration and base rules
    Include etc/modsecurity/modsecurity_crs_10_setup.conf
    Include etc/modsecurity/crs/base_rules/*.conf

    # Add custom configuration and CRS exceptions here. Example:
    # SecRuleRemoveById 960015
</IfModule>
EOF

When the configuration is all set, simply restart Apache, and confirm that ModSecurity is loaded by checking Apache's log file:

service apache24 restart

The log file is /var/log/httpd-error.log

Hopefully, the log will show something like this:

ModSecurity for Apache/2.4.2 (http://www.modsecurity.org/) configured.
ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15"
ModSecurity: LIBXML compiled version="2.8.0"

What the log says differs by Apache version :D


Now that ModSecurity is active, try making a suspicious request to your web server, for instance browse to a URL like http://www.example.com/?foo=/etc/passwd. The CRS has a rule against this type of request. After browsing to the URL, you should see this request logged in /var/log/modsec_audit.log.

You'll notice that the request succeeds, and the response is sent to the browser normally. The reason is that ModSecurity runs in DetectionOnly mode by default, in order to prevent downtime from misconfiguration or heavy-handed blocking. You can enable blocking mode simply by editing modsecurity.conf and changing the SecRuleEngine line to:

SecRuleEngine On

Again, restart Apache. Now, make the same suspicious request to your web server. You should now see a "403 Forbidden" error!

In practice, it's probably best to keep SecRuleEngine DetectionOnly for some time, while your users exercise the web applications. Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see what is being blocked. If there are any false positives, you need to mitigate this by writing custom exceptions.
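Deciding which hits are false positives is easier with a per-rule tally than by reading the audit log entry by entry. Added here as an example, not code from the original post or from the ModSecurity project, is a shell function that summarises ModSecurity messages from Apache's error log by rule id, and separates hits that were only logged (DetectionOnly, "Warning") from hits that were blocked ("Access denied"). The log lines in sample_error_log are constructed in the ModSecurity 2.x message format; the rule ids, messages and client addresses in them are sample data. A rule that fires hundreds of times for a known monitoring client is the typical candidate for a SecRuleRemoveById exception like the commented one in the snippet above.

```sh
#!/bin/sh
# Added example (not from the original post): tally ModSecurity rule hits from
# Apache's error log so that false positives can be turned into targeted
# SecRuleRemoveById exceptions instead of switching the engine off.
# sample_error_log is constructed data in the ModSecurity 2.x line format.

# modsec_rule_summary < ERROR_LOG
#   Prints "COUNT DENIED ID MESSAGE" per rule id, most frequent first, where
#   DENIED is how many of those hits were blocked ("Access denied") rather
#   than only logged in DetectionOnly mode ("Warning").
modsec_rule_summary() {
    awk '
        /ModSecurity: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)      # strip [id " and "]
            msg = "(no msg)"
            if (match($0, /\[msg "[^"]*"\]/))
                msg = substr($0, RSTART + 6, RLENGTH - 8) # strip [msg " and "]
            key = id "\t" msg
            hits[key]++
            if ($0 ~ /Access denied/) denied[key]++
        }
        END {
            for (k in hits) {
                split(k, f, "\t")
                print hits[k], denied[k] + 0, f[1], f[2]
            }
        }' | sort -k1,1nr -k3,3n
}

# Constructed sample: the start-up banner, two hits on a file-access rule from
# one client, three hits on a missing-Accept-header rule from a monitoring
# client, one unrelated error, and blocked variants after SecRuleEngine On.
sample_error_log() {
    cat <<'EOF'
[Sun Jan 18 21:55:02.000000 2015] [:notice] [pid 2101] ModSecurity for Apache/2.4.2 (http://www.modsecurity.org/) configured.
[Sun Jan 18 21:56:10.000000 2015] [:error] [pid 2105] [client 198.51.100.7] ModSecurity: Warning. Pattern match "etc/passwd" at ARGS:foo. [file "/usr/local/etc/modsecurity/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "1"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-0001"]
[Sun Jan 18 21:57:00.000000 2015] [:error] [pid 2106] [client 192.0.2.44] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "1"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/status"] [unique_id "constructed-0002"]
[Sun Jan 18 21:58:00.000000 2015] [:error] [pid 2106] [client 192.0.2.44] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "1"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/status"] [unique_id "constructed-0003"]
[Sun Jan 18 22:10:00.000000 2015] [core:error] [pid 2107] [client 192.0.2.44] File does not exist: /usr/local/www/apache24/data/favicon.ico
[Sun Jan 18 22:30:00.000000 2015] [:error] [pid 2108] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/modsecurity/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "1"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/status"] [unique_id "constructed-0004"]
[Sun Jan 18 22:31:00.000000 2015] [:error] [pid 2109] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "etc/passwd" at ARGS:foo. [file "/usr/local/etc/modsecurity/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "1"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-0005"]
EOF
}

# Demo: on the server this would be  modsec_rule_summary < /var/log/httpd-error.log
sample_error_log | modsec_rule_summary
```

The two output columns that matter for tuning are COUNT and the request context you then look up in /var/log/modsec_audit.log: a rule with a high count from a single trusted client and a harmless URI is exception material; a rule that fires on requests like the /etc/passwd probe above is doing its job and stays.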

 

Mod_evasive

-DOS Hash Table Size
-DOS Page Count
-DOS Site Count
-DOS Page Interval
-DOS Site Interval
-DOS Blocking Period
-DOS Email Notify
-DOS System Command
-DOS Log Dir
-Whitelisting IP Addresses

 

Coming soon :D

If you know other vulnerabilities, leave a message and I will edit the post with the fix. :D


Going to edit my post over time, when I have time, about security.

If you need to install more extensions, leave a message in the topic and I'll edit the post and fill it in for you :D

If you have errors, such as missing libraries or other errors, ask in the topic.

All steps tested on FreeBSD 10.1

Thanks for the tutorial but I have 1 problem.

I configured PHP5 but I have 1 error.

It can't read .php files.

[screenshot]

My configuration:

[screenshot]

[screenshot]


I forgot something, I think :D I edited the post, check everything.

Open /usr/local/etc/apache24/httpd.conf:

And verify that you have this line:

LoadModule php5_module        libexec/apache24/libphp5.so

If it is not there, add it manually.

Edited by Metin2 Dev

Why installing mysql?

And why using apache instead of nginx?

Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache

 

Apache is best.

MySQL is necessary for the database.
MySQL is necessary to use the MySQLi extension.

With good Apache protection and a perfect setup, nginx is weak compared to Apache.

My opinion :D

In FreeBSD there are about 100 ways to protect a web server. I know them all :D

I just do not have time to do tutorials.

 


Apache is best.

MySQL is necessary for the database.
MySQL is necessary to use the MySQLi extension.

With good Apache protection and a perfect setup, nginx is weak compared to Apache.

My opinion :D

In FreeBSD there are about 100 ways to protect a web server. I know them all :D

I just do not have time to do tutorials.

You can install the PHP MySQL extension without installing MySQL.

It's a fact that nginx is better than Apache.

An opinion doesn't matter.

On 1/18/2015 at 9:55 PM, iRemix said:

 

 


You can install the PHP MySQL extension without installing MySQL.

It's a fact that nginx is better than Apache.

An opinion doesn't matter.

[image]

We tested both Apache and nginx.

In any case I'll do a tutorial for nginx. :D

On 1/18/2015 at 10:01 PM, Reboot said:

 

 

 


[image]

We tested both Apache and nginx.

edit: what do you want to show? nginx has better stats on the pic

On 1/18/2015 at 10:02 PM, iRemix said:

 

 

 

 


edit: what do you want to show? nginx has better stats on the pic

Some statistics show that nginx is better, others that Apache is. They are not correct all the time; I tested and Apache performed better :D

I restarted my FreeBSD server and now when I start Apache I have this error:

[screenshot]

converters/iconv Charset conversion library and utilities
converters/iconv-extra Additional charsets for the iconv library (those from the Unicode site)
converters/iconv-rfc1345 Additional charset modules for the iconv library (from RFC1345)
converters/libiconv A character set conversion library

pkg install iconv
pkg install iconv-extra
pkg install iconv-rfc1345
pkg install libiconv

All steps tested on FreeBSD 10.1

Edited by Metin2 Dev

 

Installing and configuring MySQL.

Now the mysql server :

In the freebsd console type these commands :


pkg install mysql56-server


echo 'apache24_enable="YES"' >> /etc/rc.conf

I think it is

 

echo 'mysql_enable="YES"' >> /etc/rc.conf

OMG, I think because they are drunk. :))))))))

 

Thanks :)))))))


 

 


I think it is

 

echo 'mysql_enable="YES"' >> /etc/rc.conf

OMG, I think because they are drunk. :))))))))

 

Thanks :)))))))

 

Would you also please add a tutorial about how to prevent Slowloris attacks?

Otherwise every web server can be taken down with a 250kb/s connection.

 

 

 


Would you also please add a tutorial about how to prevent Slowloris attacks?

Otherwise every web server can be taken down with a 250kb/s connection.

I will fill out this topic tomorrow night, when I have time.
The tutorial about Slowloris. Just wait until tomorrow :D

 

Yes, solved.

In your tutorial you have 1 error.

In the MySQL installation you say this:

echo 'apache24_enable="YES"' >> /etc/rc.conf

It's mysql not apache xD

Well, when I go to create the user I have this problem.

[screenshot]


Read the posts, I'm drunk :D

Edited :)))))))))))))))))))))))

for lolor 2 (antiloris protection)

Update: verify my first post :D

Edited by Metin2 Dev


@topic: We need to install packages, not programs.

First of all: the tutorial works!

But:
- First install Apache, then the other packages, because Apache is the web server; then MySQL, then PHP (because PHP requires some libraries to be available)

I would do this with PORTS. But that was already said ().

Configuration:
What about php.ini settings? I am tired of hearing "I have a Too many connections error"
Security:
If you list mods like mod_antiloris, you can add: mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris.

- The most important thing to block attacks on Ubuntu/Debian is (as far as I can see) definitely Fail2Ban with IPTABLES, but I don't know what's the best for BSD

Why install mysql?
And why using apache instead of nginx?

Apache is the most used web server. With Apache as your web server, you'll be assured long and reliable service as it's a solid, configurable and capable web server, so why not??
nginx is faster than Apache in transfer rate but has less of a wait time between receiving the request and passing a response back. Benchmarks proved that. The only question is what you need. I don't think you use Apache very often if you ask about why to install MySQL.

I don't get the point here:

You can install the php mysql extension without installing mysql

And that makes nginx better? C'mon

Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
nginx runs as an event (apache as a process) so it can handle that better

I hope you know that the cake hasn't quite turned out as I'd hoped... The disadvantage of process-based servers like Apache under heavier loads is that they usually consume far more RAM, which significantly degrades performance and has nothing to do with "good DDoS protection". When your server is fucked up because of RAM during a DDoS attack (CPU trying to process the amount of data that is coming in) then I have to say: leave it all. Without a good hoster (a mitigation solution, and that is the point against DDoS) you're going down with Apache and with nginx sooner or later.

It's a fact that nginx is better than apache

Fact is: the BEST web server does not exist. The best web server is the one which is better configured and better protected. That can be Apache or nginx.

edit://

I do not understand why to use apache which is shitty for me, instead of nginx (way better and "smart").

Why is it shit? Because it's not smart to you? Because it's not as simple as nginx? Too much to install or configure? Then use LAMP: http://en.wikipedia.org/wiki/LAMP_(software_bundle)

Why can't you guys give me compelling evidence WHY the fuck Apache is shit? It's a powerful web server (over 35% of all websites are based on it) if you can configure and protect it. Not being able to handle Apache doesn't mean it's shit.

Edited by Ayaka