May 15th

WHM – Recompiling Apache With Sensible Defaults

I’m probably going to regret using the wording ‘sensible defaults’ … what seems sensible to me may well not seem sensible to others. Still, at the very least I’ll be able to explain how I recompile Apache and why I choose certain settings. If you’ve never recompiled Apache on a WHM server it can be a very scary task – there are so many options to choose from.

Before we get started you need to understand that if you are recompiling Apache on a server that already has several live sites, you need to look at the scripts that run on those sites. I’m going to suggest that you use PHP5 and suPHP, but this could break some older scripts that won’t run on PHP5, and suPHP will cause ‘Server Errors’ if you have any world-writable directories or files, or if the ownership of the files does not match the cPanel account owner(s). If you are unsure about any of that, then please read the article Upgrading WHM Apache To Use suPHP and PHP 5, as you will need to follow those instructions after the recompile.
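
One way to find the files that will trip suPHP before you start the build (an added example, not part of the original post; it assumes the docroot path /home/ACCOUNT/public_html and the account name are passed as arguments, and a test directory is constructed when it is run stand-alone):

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): suPHP refuses to run a
# PHP script that is world-writable, sits in a world-writable directory, or is
# not owned by the cPanel account, so list those problems before recompiling.
# Usage: suphp_precheck /home/ACCOUNT/public_html ACCOUNT

suphp_precheck() {
    docroot=$1
    owner=$2
    if [ ! -d "$docroot" ]; then
        echo "no such directory: $docroot" >&2
        return 2
    fi
    # -perm -002: the "other" write bit is set (world-writable file or directory)
    find "$docroot" -perm -002 -print | sed 's/^/world-writable: /'
    # anything not owned by the account user will also be refused by suPHP
    find "$docroot" ! -user "$owner" -print | sed 's/^/wrong-owner: /'
}

# Number of problem paths, so the check can be used as a go/no-go gate
suphp_problem_count() {
    suphp_precheck "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed docroot: one clean file, one mode 666 file.
# On a real server, fix the listed paths with chmod o-w and chown them to the account.
demo=$(mktemp -d)
echo '<?php' > "$demo/ok.php";  chmod 644 "$demo/ok.php"
echo '<?php' > "$demo/bad.php"; chmod 666 "$demo/bad.php"
suphp_precheck "$demo" "$(id -un)"          # prints: world-writable: .../bad.php
echo "problems: $(suphp_problem_count "$demo" "$(id -un)")"   # problems: 1
rm -rf "$demo"
```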

If you are recompiling Apache on a shiny new server then there isn’t much that can go wrong! Regardless of that, this guide does carry a standard disclaimer. If anything breaks, that’s not my fault. These instructions are given in good faith and no warranty or guarantees are either implied or provided.

Step 1: Profile

This is the first screen you will see when you click on Software->Apache Update. By default the ‘Previously Saved Config’ profile will be selected. Click on the ‘PHP Security’ option as this will compile the suPHP module when we get to that step. After selecting the PHP Security profile, click on the ‘Start customizing based on profile’ button.

Step 2: Apache Version

For the Apache version, select Apache 2.2. This is the latest stable version and the version that works best with PHP5. It also has some performance improvements over version 2.0. After selecting Apache 2.2, click on the ‘Next Step’ button.

Step 3: PHP Major Version

Tick the box next to PHP 5. PHP 4 is a ‘dead duck’ and is no longer actively supported by the PHP developers (though they have said they may provide security fixes until Aug. 8 2008). PHP 5 is the current ‘stable’ and actively developed version of PHP. Do check though, if you have some scripts running, that they will work with PHP 5. You can generally find this out from the script developer’s website. After choosing PHP 5 click on the ‘Next Step’ button.

Step 4: PHP Minor Version

Choose the most recent release. These will always be ‘stable’ releases and it’s quite likely your server is running the previous version. At the time of writing this guide, PHP 5.2.6 is the most recent version. After choosing the minor version click on the ‘Next Step’ button.

Step 5: Short Options List

Unless you are positive that someone is going to NEED Microsoft FrontPage support, untick that sucker RIGHT NOW! Yes, I was shouting when I said that. Seriously, FrontPage extensions are a potential security risk and should never be enabled if they will not be used.

I generally tick Mod suPHP, Ioncube Loader, Mod Security and Zend Optimizer and untick the rest. Whilst it adds a little extra ‘baggage’ to your web server, there are many scripts that use Ioncube or Zend encoding, so it may save you a little time and hair pulling at some point in the future. suPHP and Mod Security will help protect your web server from attacks and exploits. As the cPanel docs say:

“ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.”

Security is good. Say that a few times until you feel REALLY comfortable with it!

Don’t be too concerned by the ‘Are you fully aware…’ messages that pop up when you click on ‘More Info’ for Ioncube and Zend. These options generally don’t need any further tweaking or alterations after Apache is recompiled, and even in the rare cases where something goes wrong there are plenty of good support docs and online forums around, and Google is your friend :)

Once you’ve selected the 4 aforementioned options, click on the ‘Exhaustive Options List’ button.

Step 6: Exhaustive Options List

OK now… remember your breathing exercises. Take a few deep breaths. Sure, there are a LOT of options there, but who’s scared of a bunch of tick boxes, eh?

The first thing you will notice is that some of the options have orange text. These are options that are enabled by default in Apache and you can leave them all ticked, so we won’t mention them other than to say: if it is orange, it should be enabled. Now, let’s look at the other options I always enable.

Expires – this allows the generation of Cache-Control and Expires headers. This can be useful when someone is coming through a caching proxy, as you can let the caching proxy know that it should fetch the current page instead of serving up an old page from its cache.

Fileprotect – remember that we said security is good? The fileprotect module prevents other users on your server from reading other people’s web root folders.

Headers – Not used extensively but this allows you to customize HTTP response and request headers. It’s the sort of thing that a script developer may use.

Imagemap – You don’t see imagemaps as often as in years gone by, but there are still plenty of web pages and scripts that use them, so it would be silly not to include the imagemap module.

Mod suPHP – We talked about this earlier. Security is good. Mod suPHP is good! You can find out all about it at http://suphp.org/

You should be able to skip past the ‘Other Modules’ section as those are the ones we set earlier. Now we move on to the PHP options.

Bcmath & Calendar – These are used by some popular scripts out there so I always enable them.

Curl & CurlSSL – Curl is often used for scripts such as PayPal IPN scripts and scripts that need to post information to another web site. Also, many hosts now disable the allow_url_fopen option in PHP and the alternative they do allow is Curl. Most script developers are aware of this, so Curl is often used as either the primary or ‘fallback’ option when posting forms or data to other sites.

FTP – Again, I include this because there are scripts that make use of PHP’s FTP functions so it is better to do it now than to have to re-compile again later.

Force CGI Redirect – This option is required in order for our suPHP option to work.

GD – This is a graphics library that is used in many, many PHP scripts.

Magic Quotes – This option helps prevent some SQL injection attacks, so it is basically an added security feature. If you have a script that falls over because of it, you can turn it off in the php.ini file. However, most well-written scripts will check whether magic quotes is enabled and adapt accordingly.

Mbstring – Provides some multi-byte character encoding functions. Yep – that’s quite a mouthful but .. long story short .. there are scripts that use it and no harm in enabling it.

Mcrypt & Mhash – These options provide encrypting and hashing functions that are used by many scripts.

MySQL & MySQL of the system – Guess where WordPress stores its data … in a MySQL database. Guess what language WordPress is written in … PHP. Need I say more? There are a huge number of PHP scripts that will need to access a MySQL database, so these options are a no-brainer. ‘MySQL of the system’ just means that PHP will use the MySQL libraries that are installed on your server rather than its own built-in support. Without going into details, ‘of the system’ is better ticked than unticked. So, make sure you check both of these options.

Sockets – This is another often used feature in PHP so it’s best to turn it on now rather than have to recompile again later.

TTF – This option provides support for Freetype fonts which are used by some scripts.

Zlib – I usually leave this enabled though there aren’t all that many scripts out there that use it. It provides gzip compatible file compression/decompression functions.

Finally, make sure the ‘Proxy’ option is NOT enabled (unless you plan on providing some proxy services, which the vast majority of us do not), and tick the box labelled ‘Save my profile with appropriate PHP 5 options set so that it is compatible with cpphp’.

Preferences

Enable the following:

* Always do latest PHP
* Report Errors to cPanel

Now… take another deep breath and click on the ‘Save and build’ button. Read the two popup windows – one is the confirmation and the other tells you that you shouldn’t interrupt the build. The build will take quite a while, perhaps an hour or more, so leave your web browser open and go make a cup of your favourite beverage … then sit back while the compiler does its thing.

As I said at the beginning … there’s no such thing as the perfect build and there is no ‘one build fits all’ solution. The defaults that I use should work for most servers. Feel free to comment and/or criticize though – I’m always open to suggestions and improvements.


May 10th

Vulnerability Assessment On The Cheap

Your server is only as secure as the scripts you run on it. Strong passwords, firewalls and a tight security policy aren’t going to help if you have scripts or applications that contain vulnerabilities. Unfortunately, many of the most popular scripts and applications do contain flaws and/or poorly written code that may allow the bad guys to deface your web site or use your resources.

So … how can you prevent this from happening without spending a fortune on expensive auditing tools or services? There are several very good assessment tools that are free and/or open source. We’re going to look at two of the most popular and, in my opinion, most useful tools for testing your server.

Nessus

Nessus is an application that runs on Windows and various Unix operating systems. It ‘probes’ your server and looks for many of the known vulnerabilities in server software. After performing a scan (which can take several hours) it will list all of the vulnerabilities and potential vulnerabilities it found and in many cases will offer possible solutions, such as upgrading your server software. At the very least it can provide you with a very detailed report about the ports and server applications that are exposed by your server. You would be surprised to see just how much information can be gleaned from a server by running a few simple commands and probing the server ports. Information such as the operating system type and version, as well as the versions of applications such as the web server, mail server etc., is usually displayed by default. If a hacker knows that you are running a version of software that has some known vulnerabilities then they virtually have their foot in the door.

The Nessus application and its huge range of plugins are updated regularly. The plugins (and there are literally thousands of them) define the parameters for vulnerabilities and potential security holes. You can download Nessus from www.nessus.org.

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

So, rather than being a general security scanner, Nikto is totally focused on vulnerabilities in web server software and scripts. Your web server tends to be one of the most vulnerable applications, as it is usually publicly available and can access the file system on your server.

Nikto is updated regularly, with updated plugins available on the Nikto web site. The list of features is quite long:

* Uses rfp’s LibWhisker as a base for all network functionality
* Main scan database in CSV format for easy updates
* Fingerprint servers via favicon.ico files
* Determines “OK” vs “NOT FOUND” responses for file type, if possible
* Determines CGI directories for each server, if possible
* Switch HTTP versions as needed so that the server understands requests properly
* SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
* Output to file in plain text, HTML or CSV
* Plugin support (standard Perl)
* Checks for outdated server software
* Proxy support (with authentication)
* Host authentication (Basic)
* Watches for “bogus” OK responses
* Attempts to perform educated guesses for Authentication realms
* Captures/prints any Cookies received
* Mutate mode to “go fishing” on web servers for odd items
* Builds Mutate checks based on robots.txt entries (if present)
* Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
* Multiple IDS evasion techniques
* Users can add a custom scan database
* Supports automatic code/check updates (with web access)
* Multiple host/port scanning (scan list files)
* Username guessing plugin via the cgiwrap program and Apache ~user methods

It really is an essential tool if you want to know whether your web site has any well known vulnerabilities. The Nikto application (Unix only) is available at http://www.cirt.net/nikto2.


Apr 26th

Is Your MX Record Configured Correctly?

With the never-ending fight against unsolicited email, more and more ISPs and businesses are including an MX check as part of their spam ‘scoring’ method. It’s important that you have your MX record configured correctly so that you don’t lose points due to misconfiguration.

Before we get into that, MX stands for Mail eXchanger. It tells the rest of the world which mail server will be responsible for any mail that should be delivered to your domain. So, as far as importance goes, the MX is right up there!

Basically, there are two golden rules.

1. Your MX IP number should resolve to the MX hostname.

2. Your MX DNS record should be an ‘A’ record.

So, how do you check that it’s right? I usually use DNSStuff.com (the banner at the top of the main page) as it does several additional checks, but let’s look at how we would do this the old-fashioned way. The first step (and we’ll use dedicatedserverdoc.com as the example) is to find out what the MX host is for your domain. This is easy enough from the Unix command line. We’ll just use the ‘dig’ command:

dig dedicatedserverdoc.com mx

The answer I get is mail.optintrust.org. The next step is to look up the IP for that host and then look up the host for the IP:

nslookup mail.optintrust.org

The IP number is 72.36.158.194. So next we look up the IP number:

nslookup 72.36.158.194

The answer we get is:

Non-authoritative answer:
194.158.36.72.in-addr.arpa name = mail.optintrust.org

That’s what we want to see … 72.36.158.194 = mail.optintrust.org = 72.36.158.194. But what if you find that when you look up the IP it says something like 194.158.36.72.reverse.somehost.com? All you should need to do is contact your host and politely ask them to create a reverse DNS entry for your IP number. It should go something like this:

Dear Host, Could you please create a reverse DNS entry for my IP which is 72.36.158.194. I would like the hostname for that IP to point to my mail server – mail.optintrust.org.

You need to tell them your main IP number for your server AND the hostname you would like that IP number to point to.

The second golden rule is that your MX should be an ‘A’ record. Quite often I find that customers have set up their own DNS and their MX target is a CNAME (i.e. an alias). There is a specific RFC (i.e. da rules) which states that an MX must point to an ‘A’ record.
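
The same three lookups scripted as a check of both golden rules, run against saved dig answer sections so it can be repeated without live queries (an added example, not from the original post; the passing case uses the records quoted above, and the two failing cases, including the host.example.net CNAME, are constructed):

```shell
#!/bin/sh
# Added example (not from the original post): apply the two golden rules to the
# answer sections of three dig queries, passed in as text so the check can be
# run on captured records. Live use (MX_HOST / MX_IP are whatever dig returns):
#   mx_rule_check "$(dig +noall +answer example.com MX)" \
#                 "$(dig +noall +answer MX_HOST)" \
#                 "$(dig +noall +answer -x MX_IP)"
mx_rule_check() {
    mx_answer=$1; fwd_answer=$2; ptr_answer=$3
    # MX target is field 6 of "zone. ttl IN MX pref target."; drop the trailing dot
    mx_host=$(printf '%s\n' "$mx_answer" | awk '$4=="MX"{sub(/\.$/,"",$6); print $6; exit}')
    [ -n "$mx_host" ] || { echo "FAIL: no MX record in answer"; return 1; }
    # Rule 2: the MX host itself must answer with an A record, not a CNAME
    fwd_type=$(printf '%s\n' "$fwd_answer" | awk -v h="$mx_host." '$1==h{print $4; exit}')
    [ "$fwd_type" = "A" ] || { echo "FAIL rule 2: $mx_host is a ${fwd_type:-missing} record, not A"; return 1; }
    ip=$(printf '%s\n' "$fwd_answer" | awk -v h="$mx_host." '$1==h && $4=="A"{print $5; exit}')
    # Rule 1: the PTR for that IP must name the MX host, so forward and reverse agree
    ptr_host=$(printf '%s\n' "$ptr_answer" | awk '$4=="PTR"{sub(/\.$/,"",$5); print $5; exit}')
    [ "$ptr_host" = "$mx_host" ] || { echo "FAIL rule 1: $ip reverses to ${ptr_host:-nothing}, not $mx_host"; return 1; }
    echo "OK: $mx_host -> $ip -> $ptr_host"
}

# Records from the post, in the answer-section format of dig +noall +answer
GOOD_MX='dedicatedserverdoc.com. 3600 IN MX 10 mail.optintrust.org.'
GOOD_FWD='mail.optintrust.org. 3600 IN A 72.36.158.194'
GOOD_PTR='194.158.36.72.in-addr.arpa. 3600 IN PTR mail.optintrust.org.'
# Constructed failure cases: an MX target that is a CNAME, and a generic host-assigned PTR
BAD_FWD='mail.optintrust.org. 3600 IN CNAME host.example.net.
host.example.net. 3600 IN A 72.36.158.194'
BAD_PTR='194.158.36.72.in-addr.arpa. 3600 IN PTR 194.158.36.72.reverse.somehost.com.'

mx_rule_check "$GOOD_MX" "$GOOD_FWD" "$GOOD_PTR"            # OK: mail.optintrust.org -> 72.36.158.194 -> mail.optintrust.org
mx_rule_check "$GOOD_MX" "$BAD_FWD"  "$GOOD_PTR" || true    # FAIL rule 2 (|| true keeps a set -e script running)
mx_rule_check "$GOOD_MX" "$GOOD_FWD" "$BAD_PTR"  || true    # FAIL rule 1
```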


Apr 3rd

Layered Tech Offers Affiliate Program

Layered Technologies recently announced a new affiliate program. For the first time they are now paying commissions on referred sales. I’ve been referring people to LT for years so it’s nice that I can do that and now I can receive a commission as well. From their affiliate page:

“When you refer a new customer to us via a link on your web site, you will receive a one-time 30% commission (paid within 30 days) based on that new customer’s monthly recurring revenue after the first full month. With our grid solutions an average order is $4,000 PLUS; in turn, you’re able to earn up to $1,200 or more. ”

More info is available at http://www.layeredtech.com/affiliates/index.php


Mar 7th

cPanel – Horde arbitrary file inclusion vulnerability

The following message came through from cPanel just now:

An arbitrary file inclusion vulnerability has been discovered in the Horde
webmail application. At present, we can confirm that this security
vulnerability in question affects Horde 3.1.6 and earlier. Based on
incomplete information at this time, we also believe this affects Horde
Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
at this time).

cPanel customers should update their cPanel and WHM servers immediately to
prevent any chance of compromise. The patch will be available in builds
11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
builds will be available immediately to all fast update servers. The
builds will be available to all other update servers within one hour of
this posting.

To check which version of cPanel and WHM is on your server, simply log
into WebHost Manager (WHM) and look in the top right corner, or execute
the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to ‘cPanel’ -> ‘Upgrade to
Latest Version’ in WebHost Manager or by executing the following from the
command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
cPanel and non-cPanel systems alike) until Horde updates can be applied.
You can disable Horde on your cPanel system by unchecking the box next to
‘Server Configuration’ -> ‘Tweak Settings’ -> ‘Mail’ -> ‘Horde Webmail’
within WHM, and saving the page with the new settings.

We would like to thank HostGator for providing the initial details in
their report of this vulnerability.

If you are a Dedicated Server Doctor service subscriber, your server was updated within 15 minutes of us receiving this message.
