Secure Your LAMP

by Anil Jalela | Mar 16, 2022 | Linux

/etc/php.ini

disable_functions= allow_url_fopen, apache_child_terminate, apache_setenv, chgrp, chmod, chown, curl_exec, curl_multi_exec, dbase_open, dbmopen, define_syslog_variables, exec, fsockopen, gzinflate, parse_ini_file, passthru, pclose, pcntl_exec, pfsockopen, pg_lo_import, phpinfo, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate, shell_exec, show_source, symlink, system

expose_php = Off

/etc/httpd/conf/httpd.conf

ServerSignature Off
ServerTokens Prod
TraceEnable Off

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”
Header always set X-XSS-Protection “1; mode=block”
Header always set x-Frame-Options “SAMEORIGIN”
Header always set X-Content-Type-Options “nosniff”
Header always set Content-Security-Policy “default-src ‘self’; font-src *;img-src * data:; script-src *; style-src *;”
Header always set Permissions-Policy “geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()”
Header always set Referrer-Policy “strict-origin”

/etc/httpd/conf.d/autoindex.conf

<Directory “/usr/share/httpd/icons”>
Options -Indexes -MultiViews -FollowSymlinks
AllowOverride None
Require all granted

/etc/httpd/conf.d/tracetrack.conf

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* – [F]

/etc/httpd/conf.d/userdir.conf

#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled

#
# To enable requests to /~user/ to serve the user’s public_html
# directory, remove the “UserDir disabled” line above, and uncomment
# the following line instead:
#
#UserDir public_html

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory “/home/*/public_html”>
AllowOverride FileInfo AuthConfig Limit Indexes
Options -MultiViews -Indexes -SymLinksIfOwnerMatch -IncludesNoExec
Require method GET POST OPTIONS

/etc/httpd/conf.d/ssl.conf

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
Protocols h2 http/1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch “MSIE [2-5]” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
</VirtualHost>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache “shmcb:logs/ssl_stapling(32768)”

/etc/my.cnf

Htaccess for Speedup Web

by Anil Jalela | Sep 4, 2021 | Linux

# Protect files and directories from prying eyes.
<FilesMatch
“\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$”>
Order allow,deny
</FilesMatch>

# Prevent access to .htaccess
<Files .htaccess>
Order allow, deny
Deny from all
</Files>

# Block access to multiple file types
<FilesMatch “\.(htaccess|htpasswd|ini|psd|log|sh)$”>
Order allow, deny
Deny from all
</FilesMatch>

# Don’t show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

#Generation of Expires and Cache-Control

<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault “access plus 1 month”

# CSS
ExpiresByType text/css “access plus 1 year”

# Data interchange
ExpiresByType application/atom+xml “access plus 1 hour”
ExpiresByType application/rdf+xml “access plus 1 hour”
ExpiresByType application/rss+xml “access plus 1 hour”
ExpiresByType application/json “access plus 0 seconds”
ExpiresByType application/ld+json “access plus 0 seconds”
ExpiresByType application/schema+json “access plus 0 seconds”
ExpiresByType application/vnd.geo+json “access plus 0 seconds”
ExpiresByType application/xml “access plus 0 seconds”
ExpiresByType text/xml “access plus 0 seconds”

# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon “access plus 1 week”
ExpiresByType image/x-icon “access plus 1 week”

# HTML
ExpiresByType text/html “access plus 0 seconds”

# JavaScript
ExpiresByType application/javascript “access plus 1 year”
ExpiresByType application/x-javascript “access plus 1 year”
ExpiresByType text/javascript “access plus 1 year”

# Manifest files
ExpiresByType application/manifest+json “access plus 1 week”
ExpiresByType application/x-web-app-manifest+json “access plus 0 seconds”
ExpiresByType text/cache-manifest “access plus 0 seconds”

# Media files
ExpiresByType audio/ogg “access plus 1 month”
ExpiresByType image/bmp “access plus 1 month”
ExpiresByType image/gif “access plus 1 month”
ExpiresByType image/jpeg “access plus 1 month”
ExpiresByType image/png “access plus 1 month”
ExpiresByType image/svg+xml “access plus 1 month”
ExpiresByType image/webp “access plus 1 month”
ExpiresByType video/mp4 “access plus 1 month”
ExpiresByType video/ogg “access plus 1 month”
ExpiresByType video/webm “access plus 1 month”

# Web fonts
# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject “access plus 1 month”
ExpiresByType font/eot “access plus 1 month”

# OpenType
ExpiresByType font/opentype “access plus 1 month”
# TrueType
ExpiresByType application/x-font-ttf “access plus 1 month”

# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff “access plus 1 month”
ExpiresByType application/x-font-woff “access plus 1 month”
ExpiresByType font/woff “access plus 1 month”

# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 “access plus 1 month”

# Other
ExpiresByType text/x-cross-domain-policy “access plus 1 week”
</IfModule>

#Compress content before it is delivered to the client

<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

#ustomization of HTTP request and response headers

<IfModule mod_headers.c>

##### DYNAMIC PAGES
<FilesMatch “\\.(ast|php|css|js)$”>
Header set Cache-Control “public, max-age=3600, must-revalidate”
</FilesMatch>

##### STATIC FILES
<FilesMatch “\\.(png|svg|swf|js|xml|css|js)$”>
Header set Cache-Control “public, max-age=604800, must-revalidate”
</FilesMatch>

##### ETERNAL FILES
<FilesMatch “\.(flv|gif|jpg|jpeg|png|ico|swf|css|js|html|pdf)$”>
Header set Cache-Control “max-age=20082014, private, must-revalidate”
FileETag None
</FilesMatch>
Header set Connection keep-alive
</IfModule>

Ethernet Bonding

by Anil Jalela | Aug 22, 2021 | Linux

The most important requirements of networking are availability and bandwidth for connectivity of LAN/WAN/INTERNET.
The current Linux distributions allow administrators to combine multiple (two or more) network interfaces together into a single logical interface called a bonding interface. In this process, both physical interfaces become slave devices and created a logical device (bond X) called a master device.

The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical “bonded” interface. The Linux bonding driver integrates as a loadable kernel module with all the distributions, and usually, it is loaded automatically when the Linux system is booting.

For network bonding, “ifenslave” is a control utility. By default, it is installed as module “/sbin/ifenslave”.

Make sure the kernel bonding module is enabled and loaded before go-ahead.

# modinfo bonding

If the above command throws an error like “modinfo: ERROR: Module alias bonding not found” then run modprobe –first-time bonding.

# modprobe –first-time bonding && modinfo bonding && modinfo bonding

Now create bonding channel interface using “/etc/modprobe.conf” or /etc/modprobe.d/bonding.conf and add following lines to the file.

# vim /etc/modprobe.conf
alias bond0 bonding

Linux kernel driver provides options to admin configure master bonding device with different modes and options are as per below.

Mode 0 or balance-RR:- Sets a round-robin policy for fault tolerance and load balancing.

Mode 1 or active-backup:- Sets an active-backup policy for fault tolerance.

Mode 2 or balance-xor:- Sets an XOR (exclusive-or) mode for fault tolerance and load balancing.

Mode 3 or broadcast:- Sets a broadcast policy for fault tolerance. All transmissions send on all slave interfaces.

Mode 4 or 802.3ad: Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings.

Mode 5 or balance-TLB:- To set a Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic distributes according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave. This mode is only suitable for local addresses known to the kernel bonding module and therefore cannot be used behind a bridge with virtual machines.

Mode 6 or balance-alb:- Sets an Adaptive Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPv4 traffic.

Step for creating a Network bonding interface.

Create ifcfg-bond0 file into /etc/sysconfig/network-scripts/ directory for logical interface configration. Ifcfg-bond0 file handel IP configration which we set for network high avebility, and other bonding options.

# vim /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond1
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
BONDING_OPTS=”mode=4 miimon=100 downdelay=0 updelay=0 lacp_rate=fast xmit_hash_policy=1″
IPADDR=192.168.0.11
NETMASK=255.255.255.0
GATEWAY=192.168.0.254

In the BONDING_OPTS

Miimon=time_in_milliseconds: shows(in milliseconds) how often link status is checked for link failure. This is useful if high availability is required because MII is used to verify that the NIC is active.
Arp_interval=time_in_milliseconds: Specifies (in milliseconds) how often ARP monitoring occurs. If using this setting while in mode 0 or mode 2 (the two load-balancing modes), the network switch must be configured to distribute packets evenly across the NICs.

Downdelay=time_in_milliseconds:- To wait before disabling a slave after a link failure has been detected.
updelay=time_in_milliseconds:- To wait before enabling a slave after a link recovery has been detected.
Lacp_rate=1(or fast) or 0 (slow): Option specifying the rate at which we’ll ask our link partner to transmit LACPDU packets in 802.3ad mode.
Xmit_hash_policy=1: Selects to transmit hash policy to use for slave selection in balance-xor, 802.3ad, and TLB modes.

# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:25:90:1f:2c:e1
SLAVE=yes
MASTER=bond0
USERCTL=no

# vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:25:90:1f:2c:e2
SLAVE=yes
MASTER=bond1
USERCTL=no

To active bonding configuration, run the following command and check the status using cat /proc/net/bonding/bond0.

# nmcli con reload or service network restart

We can create multiple logical bonding bondX in the Linux system for different networks. For brief information about network bonding, follow “https://www.kernel.org/doc/Documentation/networking/bonding.txt.

Lvs With HartBit

by Anil Jalela | Jun 4, 2021 | Linux

LVS

LVS (Linux Virtual Server) ?
The Linux Virtual Server is a highly scalable and highly available server built on a cluster of real servers, with the load balancer running on the Linux operating system. The architecture of the server cluster is fully transparent to end users, and the users interact as if it were a single high-performance virtual server.

Applications of the Linux Virtual Server
The Linux Virtual Server as an advanced load balancing solution can be used to build highly scalable and highly available network services, such as scalable web, cache, mail, ftp, media and VoIP services.

LDIRECTORS:
ldirectord is a daemon to monitor and administer real servers in a LVS cluster of load balanced virtual servers.
ldirectord typically used as a resource for heartbeat , but can also be run from the command line.

A LVS cluster consists or one or more virtual services each of which may have zero or more real servers. The IP address of a virtual service is what end-users connect to and is typically advertised over DNS. When a connection is made to a virtual service, it is allocated a real server, and all packets for this connection are forwarded to this real server. A more detailed overview of LVS can be found here.

ldirectord monitors the health of the real servers by periodically requesting a known URL and checking that the response contains an expected response. If a real server fails then the server is removed and will be reactivated once it comes back on line. If all the real servers are down then a fall-back server is inserted into the pool, which will made quiescent one of the real web servers comes back on line. Typically, the fall-back server is local host. If an HTTP virtual service is being provided then it is useful to run an Apache HTTP server that returns a page indicating that the service is temporarily inaccessible.

HARTBIT:
It is the private connection between two servers.
IF one goes down another will automatically up.

Things needs To Install LDIRECTORS:

yum install heartbeat-ldirectord-2.0.8-3.el5.centos (Plz use above version only)
yum install perl-DBI.x86_64
yum search DBI
yum install perl-DBI
yum search DBD-mysql
yum install perl-DBD-MySQL

To stop & start ldirecrtors
ldirectord -d start
ldirectord -d stop

How To Configure ldirectors:

Create /etc/ha.d/ldirectord.cf

[root@LVS1 ~]# cat  /etc/ha.d/ldirectord.cf ——————————— Main Configuration file
checktimeout=10 ————————- Timeout in seconds for connect, external and ping checks.
checkinterval=5 ————————- Defines the number of second between server checks
#fallback=127.0.0.1:80
autoreload=yes ————————-Defines if <ldirectord> should continuously check the
Configuration file for modification. If this is set to ‘yes’ and the configuration file changed on disk and
its modification time (mtime) is newer than the previous version, the configuration is automatically reloaded.
logfile=”/var/log/ldirectord.log” ####touch /var/log/ldirectord.log ————————-ldirectors logs
#logfile=”local0″
#emailalert=”[email protected]”
#emailalertfreq=3600
#emailalertstatus=all
quiescent=yes ————————- If yes, then when real or failback servers are determined
to be down, they are not actually removed from the kernel’s LVS table. Rather, their weight is set to zero which means
that no new connections will be accepted.

#Sample configuration for a MySQL virtual service.
virtual =10.11.1.165:3306 —————Virtual IP & Port for Load balance
real=10.11.1.157:3306 masq ————— Real Server IP
real=10.11.1.26:3306 masq ————– Real Server IP
#fallback=127.0.0.1:3306
service=mysql —————–Which service is used by server
scheduler=wrr (waited round robin) ————— Scheduler to be used by LVS for loadbalancing.
persistent=600 —————  On Client side active connection will refresh after 600 sec
netmask=255.255.255.0
protocol=tcp ————— Protocol used for communication
checktype=negotiate ————— Check the connectivity of real server
Negotiate sends a request and matches a receive string.
Connect only attempts to make a TCP/IP connection,This is useful to check often if a service answers and
in much longer intervals a negotiating check is done
login=”blackpostuser” ———-To check the connectivity it will use following line
passwd=”NitwingsPassword”
database=”blackpost”
request=”SELECT 1;”

[root@LVS1 ~]#

Run following on LVS directors
echo “1” >/proc/sys/net/ipv4/ip_forward
echo “0” >/proc/sys/net/ipv4/conf/all/send_redirects
echo “0” >/proc/sys/net/ipv4/conf/default/send_redirects
echo “0” >/proc/sys/net/ipv4/conf/eth0/send_redirects

on real server change gateway to virtual ip
route del -net 10.11.0.0 netmask 255.255.0.0 dev eth1
route del -net 10.11.1.0 netmask 255.255.255.0 dev eth0

service ldirectord start
vi /etc/ha.d/ldirectord.cf
service ldirectord stop
service ldirectord start

ipvsadm -L
ldirectord –debug stop

Heart beat installation
Yum install heartbeat
Please check
Ha.cf

USED FOR HARTBIT FUNTION
Configuring ha.cf :
It tells heartbeat what types of media paths to use and how to configure them . ha.cf. This is placed in the /etc/ha.d directory that is created after installation.

cat /etc/ha.d/ha.cf
#logfacility daemon # This is deprecated
keepalive 1  —————— Sets the time between heartbeats to 1 seconds.
deadtime  10 —————— Node is pronounced dead after 10 seconds.
warntime  5  —————— Time in seconds before issuing a late heartbeat warning in the logs.
initdead  60 —————— With some configurations, the network

takes some time to start working after a reboot.
It should be at least twice the normal deadtime.

#bcast eth0
mcast eth0 229.0.0.1 690 1 0 ———— The mcast directive is used to configure a multicast communication path.

The syntax of an mcast directive is:
mcast dev mcast-group udp-port ttl 0
node lb1.blackpost.net
node lb2.blackpost.net

#crm yes
use_logd yes ————– Use system logging.
logfile /var/log/hb.log ———— Heartbeat logfile.
debugfile /var/log/heartbeat-debug.log — Debugging logfile.
auto_failback no ———— The auto_failback option determines whether

a resource will automatically fail back to
its “primary” node, or remain on whatever
node is serving it until that node fails,
or an administrator intervenes.

#respawn root /usr/lib64/heartbeat/mgmtd -v

uuidfrom nodename —————– heartbeat generates a UUID for each node
in the system as a way of uniquely identifying
a node – even if it should change nodenames.

[root@lb1 ~]# cat /etc/ha.d/authkeys ———– There are three types of authentication methods
available: crc, md5, and sha1.
This file must have mode 600.
auth 4
4 md5 MySecret —————————— MD5 is a convenient way to support a single authentication
mechanism for web, mail, LDAP, and other protocols.

[root@lb1 ~]# cat /etc/ha.d/haresources —— The haresorces file is called when heartbeat starts
This file is containing Master Node & VIP. This is common For both node.
lb1.blackpost.net IPaddr::10.11.1.70/24/eth0