Install docker ce on centos 7

Installing Docker On CentOS 7 / RHEL 7

Docker is a container virtualization technology that has gained widespread popularity in recent times; it offers a more efficient way to deploy applications. With Docker, applications reside inside containers on top of the Linux operating system. Docker uses kernel features such as cgroups and namespaces to allow independent containers to run on a single OS instance.

Install from Docker (Official):
Docker is now available in two editions:

Community Edition (CE)
Enterprise Edition (EE)
Here, we will install Docker Community Edition (CE).

Uninstall older versions of Docker, named “docker” or “docker-engine”, along with associated dependencies.

# yum -y remove docker-common docker container-selinux docker-selinux docker-engine
Do not worry about the contents inside /var/lib/docker/, all will be preserved.

The Docker Community package is now called “docker-ce”. Let’s add the CE repository for the Docker installation.

# yum -y install wget
# wget https://download.docker.com/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
Install the latest version of Docker CE using the following command.

# yum -y install docker-ce

# yum -y install docker
Working with Docker:
Now that you have Docker installed on your machine, start the Docker service in case it was not started automatically after the installation.

# systemctl start docker.service

# systemctl enable docker.service

Step 1 | Remove Old Versions

$ sudo yum remove docker docker-common docker-selinux docker-engine
Step 2 | Install Required Packages

$ sudo yum install -y yum-utils device-mapper-persistent-data lvm2
Step 3 | Setup the Docker CE Repository

$ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Step 4 | Update the Packages

$ sudo yum update
Step 5 | Install specific version (Production recommended)

$ sudo yum list docker-ce.x86_64 --showduplicates | sort -r

Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
docker-ce.x86_64 17.06.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.2.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
Available Packages

$ sudo yum install docker-ce-
Step 6 | Install through repository

$ sudo yum install docker-ce
Step 7 | Start Docker

$ sudo systemctl start docker
Step 8 | Verify the Installation

$ sudo docker run hello-world

Change default Image and Container location in Docker

What to do if you have existing containers and images?

If you want the existing containers and images to be migrated to the new location, don’t reload the service daemon and start the docker service right after modifying docker.conf. First move the existing data in /var/lib/docker to the new location and create a symlink.

Note: I have not tried the following since there was no need for me to keep existing containers and images. But these steps should work; if you are facing any trouble or are aware of any alternative method, please comment. I will then modify the post. Please take a backup before venturing further.

# cp -rp /var/lib/docker /mnt/new_volume
# mv /var/lib/docker /var/lib/docker.old
# ln -s /mnt/new_volume/docker /var/lib/docker
After this, reload the daemon and start the docker service:

# sudo systemctl daemon-reload
# sudo systemctl start docker

CHANGE OPENSSH PORT OR LISTEN TO MULTIPLE SSH PORTS

OpenSSH usually listens on TCP port 22. However, some people wish to change the OpenSSH port to avoid brute-force bot attacks or to avoid being blocked by a restrictive firewall.

To change the OpenSSH port, one only needs to edit the “/etc/ssh/sshd_config” file and change the port at “Port 22” to something else, like “Port 8080” or “Port 443”.

#/etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 8080
Save, and restart the ssh server.

sudo service ssh restart
Additionally, you can configure OpenSSH to listen on multiple ports (usually to avoid restrictive firewall rules).

#/etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
Port 8080
Port 443
The example above shows a configuration that lets OpenSSH listen on port 22, 443 (TLS/SSL) and 8080 (HTTP-PROXY); these are the ports that are usually left unblocked by corporate firewalls.

Don’t forget to restart the ssh service as soon as you’ve saved the file!!
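
A pre-restart check for the multi-port configuration above, as an added example that is not part of the original post: it lists the ports that sshd_config sets and flags any that another service already holds, since 443 and 8080 are common web and proxy ports. The function names and both sample inputs are constructed for illustration; on a real host the second input would be saved `ss -ltnp` output.

```bash
# Print the ports set by Port lines in an sshd_config file, sorted and
# de-duplicated. Keywords are case-insensitive and "#Port ..." lines are
# comments. With no Port line at all, sshd uses 22.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1" | sort -n -u)
    if [ -z "$ports" ]; then echo 22; else printf '%s\n' "$ports"; fi
}

# Print Port values that are not integers in the range 1..65535.
invalid_ports() {
    sshd_ports "$1" | awk '$0 !~ /^[0-9]+$/ || $0 < 1 || $0 > 65535'
}

# Print configured ports that a process other than sshd is already
# listening on. $1 = sshd_config, $2 = saved output of `ss -ltnp`.
port_conflicts() {
    for p in $(sshd_ports "$1"); do
        awk -v p="$p" '
            $1 == "LISTEN" && $0 !~ /"sshd"/ {
                n = split($4, a, ":")          # local address, port is last
                if (a[n] == p) { print p; exit }
            }' "$2"
    done
}

# Constructed sample inputs (not captured from a real host).
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
Port 8080
Port 443
#Port 2222
EOF
    cat > "$1/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      128    *:443              *:*   users:(("nginx",pid=1021,fd=6))
LISTEN 0      100    :::8080            :::*  users:(("java",pid=1460,fd=48))
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "configured ports:" $(sshd_ports "$tmp/sshd_config")
echo "invalid values:  " $(invalid_ports "$tmp/sshd_config")
echo "already in use:  " $(port_conflicts "$tmp/sshd_config" "$tmp/ss.txt")
rm -rf "$tmp"
```

Running `sshd -t` before the restart also catches syntax errors in the edited file.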

docker commonly used command

1. View the docker information (version, info)

View the docker version
docker version

Displays information about the docker system
docker info

2. Image operations (search, pull, images, rmi, history)

Search for an image
docker search image_name

Download an image
docker pull image_name

List images; -a, --all=false Show all images; --no-trunc=false Do not truncate output; -q, --quiet=false Only show numeric IDs

docker images

Delete one or more images; -f, --force=false Force; --no-prune=false Do not delete untagged parents

docker rmi image_name

Show the history of an image; --no-trunc=false Do not truncate output; -q, --quiet=false Only show numeric IDs

docker history image_name

3. Start the container

The docker container can be understood as a process that runs in a sandbox.

This sandbox contains the resources necessary for the process to run, including the file system, system class library, shell environment and so on.
But this sandbox by default is not running any program. You need to run a process in the sandbox to start a container.
This process is the only process of the container, so when the process ends, the container will be completely stopped.

Run the "echo" command in the container, output "hello word"
docker run image_name echo "hello word"

docker run -i -t image_name /bin/bash

docker run image_name apt-get install -y app_name

When executing the apt-get command, pass the -y parameter.
If you do not specify -y, apt-get enters interactive mode and requires the user to confirm, but in the docker environment there is no way to respond to this prompt.
After the apt-get command completes, the container stops, but the changes to the container are not lost.

4. View container (ps)

List all currently running containers

docker ps

List all the containers

docker ps -a

List the containers that were last started

docker ps -l

5. Save changes to a container (commit)

When you have made a change to a container (by running a command in the container), you can save the container's changes, so that next time you can start from the latest saved state of the container.

Save the changes to the container; -a, --author="" Author; -m, --message="" Commit message
docker commit ID new_image_name
An image is equivalent to a class and a container to an instance; you can dynamically install new software into the instance and then use the commit command to solidify it into an image.

6. Container operations (rm, stop, start, kill, logs, diff, top, cp, restart, attach)

Remove all containers

docker rm `docker ps -a -q`

Remove a single container; -f, --force=false; -l, --link=false Remove the specified link and not the underlying container; -v, --volumes=false Remove the volumes associated with the container

docker rm Name/ID

Stop, start, kill a container

docker stop Name/ID
docker start Name/ID
docker kill Name/ID

Fetch the logs of a container; -f, --follow=false Follow log output; -t, --timestamps=false Show timestamps

docker logs Name/ID

List the files or directories that changed inside a container. The list shows three kinds of event: A added, D deleted, C changed

docker diff Name/ID

Displays the process information inside a running container

docker top Name/ID

Copy a file / directory from inside the container to a local path

docker cp Name:/container_path to_path
docker cp ID:/container_path to_path

Restart a running container; -t, --time=10 Number of seconds to try to stop for before killing the container, Default=10

docker restart Name/ID

Attach to a running container; --no-stdin=false Do not attach stdin; --sig-proxy=true Proxify all received signal to the process

docker attach ID
The attach command allows you to view or affect a running container. You can attach to the same container several times at once. You can also get out of a container with CTRL-C.

7. Save and load an image (save, load)

When you need to migrate an image to another machine, you save the image on one machine and load it on the other.

Save the image to a tar archive; -o, --output="" Write to a file
docker save image_name -o file_path

Load an image from a tar archive; -i, --input="" Read from a tar archive file
docker load -i file_path

Machine a
docker save image_name > /home/save.tar
Use scp to copy save.tar to machine b, and then:
docker load < /home/save.tar

8. Log in to a registry server (login)

Log in to a registry server; -e, --email="" Email; -p, --password="" Password; -u, --username="" Username
docker login

9. Publish an image (push)

Publish a docker image
docker push new_image_name

10. Tips

Remove all containers and images (clean)

Use a one-line command to clean up:
docker kill $(docker ps -q) ; docker rm $(docker ps -a -q) ; docker rmi $(docker images -q -a)

Note: In the shell, $() and `` both run the command inside them and substitute its output, so the line above kills the running containers, removes all containers and then deletes the images. When there is no running container, or no container at all, this only prints a warning message. When you are experimenting, this is a very handy one-line command.

If you just want to delete all the containers, you can run the following command:
docker kill $(docker ps -q) ; docker rm $(docker ps -a -q)

docker export and import images

Export an image:

docker save IMAGENAME | bzip2 -9 -c > img.tar.bz2

Import an image (for one machine):

bzip2 -d -c < img.tar.bz2 | docker load

Nginx Tomcat installation configuration

Tomcat is a lightweight application server that is widely used in small and medium-sized systems and in situations without many concurrent users; it is the first choice for developing and debugging JSP programs. Once a Tomcat server is configured on a machine, it can be used to respond to requests for HTML pages. In fact Tomcat is part of the Nginx server extension, but it runs independently, so when you run Tomcat it actually runs as a process separate from Nginx.

Install tomcat

Tomcat installation is divided into two steps: install the JDK and install Tomcat.

The JDK (Java Development Kit) is a product of Sun Microsystems for Java developers. Since the introduction of Java, the JDK has become the most widely used Java SDK. The JDK is the core of the whole of Java, including the Java runtime environment, Java tools and the Java base class library. So running JSP programs requires JDK support, and of course the JDK must be installed before Tomcat is installed.

Install the JDK

Download JDK

cd /usr/local/src/

Download JDK official website:

http://www.Oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

rpm -ivh jdk-7-linux-i586.rpm

vim /etc/profile

JAVA_HOME=/usr/java/jdk1.7.0_45

JRE_HOME=/usr/java/jdk1.7.0_45/jre

PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin

CLASSPATH=:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib

export JAVA_HOME JRE_HOME PATH CLASSPATH

[root@localhost ~]# source /etc/profile

[root@localhost ~]# echo $PATH

java -version

Install Tomcat

cd /usr/local/src/

wget http://www.aminglinux.com/bbs/data/attachment/forum/apache-tomcat-7.0.14.tar.gz

If you think this version is not suitable, you can download another one from the official website (http://tomcat.apache.org/).

tar zxvf apache-tomcat-7.0.14.tar.gz

mv apache-tomcat-7.0.14 /usr/local/tomcat

cp -p /usr/local/tomcat/bin/catalina.sh /etc/init.d/tomcat

vim /etc/init.d/tomcat

Add the following in the second line:

# chkconfig: 112 63 37

# description: tomcat server init script

# Source Function Library

. /etc/init.d/functions

JAVA_HOME=/usr/java/jdk1.7.0_45

CATALINA_HOME=/usr/local/tomcat

After saving the file, do the following:

chmod 755 /etc/init.d/tomcat

chkconfig --add tomcat

chkconfig tomcat on

Start tomcat:

service tomcat start

To check whether it started successfully:

ps aux | grep tomcat

If there is a process, enter http://IP:8080/ in the browser and you will see the Tomcat main page.

tomcat

1. Configure the access port for the tomcat service

Tomcat listens on port 8080 by default. If you want to change it to 80, you need to modify the server.xml file:

vim /usr/local/tomcat/conf/server.xml

turn up:

Restart tomcat:

service tomcat stop

service tomcat start

tomcat

tomcat

vim /data/tomcatweb/app.jsp

Now time is: <%=new java.util.Date()%>

[root@localhost ~]# curl -xlocalhost:80 www.rmohan.com/app.jsp

Now time is: Thu Jun 13 15:26:03 CST 2013

tomcat connection mysql database:

cat jdbc.properties

jdbc.driverClassName=com.mysql.jdbc.Driver

jdbc.url=jdbc:mysql://localhost:3306/rmohan?useUnicode=true&characterEncoding=utf-8

jdbc.username=WordPress

jdbc.password=WordPress

hibernate.dialect=org.hibernate.dialect.MySQLDialect

hibernate.show_sql=false

hibernate.format_sql=true

hibernate.cache.provider_class=org.hibernate.cache.EhCacheProvider

hibernate.cache.use_query_cache=true

hibernate.schemaUpdate=false

Nginx configuration in which all JSP pages are handled by Tomcat:

server {

listen 80;

server_name rmohan.com www.rmohan.com;

index index.html index.jsp;

root /home/www/rmohan/rmohan;

rewrite ^/(.*)$ https://www.rmohan.com/$1 permanent;

location ~ /\. { access_log off; log_not_found off; deny all; }

location ~* (\.jsp)|(\.do)$ {

include proxy.conf;

proxy_pass http://127.0.0.1:8080;

}

location /rmohan {

root /home/www/rmohan;

include proxy.conf;

proxy_pass http://127.0.0.1:8080;

}

}

server {

listen 443 ssl;

server_name rmohan.com www.rmohan.com;

index index.html index.jsp;

root /home/www/rmohan/rmohan;

ssl on;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

#ssl_prefer_server_ciphers on;

#ssl_dhparam /etc/pki/tls/private/dhparam.pem;

ssl_certificate /etc/pki/tls/certs/rmohan.com.crt;

ssl_certificate_key /etc/pki/tls/private/rmohan.com.key;

#ssl_session_tickets off;

#ssl_session_timeout 1d;

#ssl_session_cache shared:SSL:1m;

add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain

location ~ /\. { access_log off; log_not_found off; deny all; }

location ~* (\.jsp)|(\.do)$ {

include proxy.conf;

proxy_pass http://127.0.0.1:8080;

}

location /rmohan {

root /home/www/rmohan;

include proxy.conf;

proxy_pass http://127.0.0.1:8080;

}

}

Tomcat

vi /usr/local/tomcat/conf/server.xml +71

rsync + inotify

rsync + inotify is a commonly used real-time synchronization solution, but it is not applicable in every scenario.

rsync + inotify is best suited to real-time synchronization in small web clusters of fewer than 10 servers. Compared with everyday rsync use, an rsync + inotify setup needs multiple rsync servers and only one client: the rsync client acts as the server holding the day-to-day content, so it pushes the data to each rsync server.
The tool used to monitor file system changes is inotify-tools. After installing inotify-tools on the rsync client you specify the file path to be monitored; when files under that path change, the change information can be used to trigger rsync to push the files. The minimum Linux kernel that supports inotify is 2.6.13, which you can check with uname -r; CentOS 5 and above ship kernels of 2.6.18 or later, so inotify is generally supported.
Installation is also very simple. Once the EPEL repository is configured it can be installed through yum: yum -y install inotify-tools. The installation provides two binaries, inotifywait and inotifywatch; the one used to monitor file changes is inotifywait, and its options are also very simple:

-m Keep monitoring for changes.
-r Monitor the directory recursively.
-q Reduce redundant information and only print out the required information.
-e Specifies the list of events to be monitored.
--timefmt Specifies the output format for the time.
--format Specifies the output format for the details of the file changes.

So you can leave a script running in the background to monitor the specified directory in real time and trigger rsync to push the files:

/usr/local/scripts/rsync_inotify.sh &

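#!/bin/bash
#rsync_inotify.sh
port=873
src_dir="/data/www/"
rsyncd_user="username"
rsyncd_host="192.168.2.1"
DEST_name="backup"
password_file="/etc/.rsync.passwd"

# Work from the source root so that -R (--relative) keeps each path's
# position under the module instead of flattening it.
cd "${src_dir}" || exit 1

inotifywait -mrq --timefmt '%Y-%m-%d %H:%M:%S' --format '%T %Xe %w%f' -e modify,delete,create,attrib "${src_dir}" | while read -r day time events file
do
    # "file" receives the rest of the line, so paths with spaces survive
    rel="./${file#"${src_dir}"}"
    if [ -f "${file}" ]; then
        # created or modified file: push just that file
        rsync -vzrLtopgR --progress --delete --port=${port} "${rel}" --password-file=${password_file} ${rsyncd_user}@${rsyncd_host}::${DEST_name}
    else
        # deleted file or directory event: resync the parent directory
        rsync -vzrLtopgR --progress --delete --port=${port} "$(dirname "${rel}")/" --password-file=${password_file} ${rsyncd_user}@${rsyncd_host}::${DEST_name}
    fi
done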

Basic ClamAV installation on CentOS 7 and CentOS 6

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats. ClamAV includes a multi-threaded scanner daemon, command line utilities for on-demand file scanning, and automatic signature updates.
It is one of the most popular virus scanners that run on CentOS and RedHat, and here are very simple, quick installation steps.

CentOS 7 Installation
1. ClamAV can easily be installed on a CentOS 7.x or RHEL 7.x system from the Fedora EPEL repo. Here is how to add it to your CentOS 7 system:
# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
# rpm -ivh epel-release-7-5.noarch.rpm
2. Install ClamAV and all prerequisites
# yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
3. Now let's remove the Example lines from the configuration files.
# sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
# sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf
4. Run ClamAV updates
# freshclam
6. Run your scan.
# clamscan --infected --remove --recursive /home
7. For testing purposes you can upload a test virus and make sure it is detected.
# curl -O http://www.eicar.org/download/eicar.com
# clamscan --infected --remove --recursive
CentOS 6 Installation
1. Install EPEL repo for CentOS 6
# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# rpm -Uvh epel-release-latest-6.noarch.rpm
2. Install ClamAV
# yum install clamav clamd
3. Start ClamAV services and make sure they are set to auto start
# chkconfig clamd on
# service clamd start
Below is an example of how to run a scan against the home directory and move infected files to /usr/local/virusBAD/
# clamscan -ir /home -l /var/log/clamscan.log --move=/usr/local/virusBAD/

Enable Event MPM in Apache 2.4 on CentOS/RHEL 7

Apache MPMs (Multi-Processing Modules) are Apache modules for creating child processes in Apache. There are many Apache MPMs available, and each of them works in its own way. If you are using the default Apache installation, Apache will use the Prefork MPM by default.

Event MPM was introduced with many improvements over the Worker MPM. I prefer to use the Event MPM, which is an improvement over the Worker MPM. The difference is that Event has a dedicated thread which handles all Keep Alive connections and requests.

This article will help you to disable the Prefork MPM and enable the Event MPM on Apache 2.4 running on your Linux operating system.

Enable Event MPM in Apache

First edit Apache MPM configuration file in your favorite text editor.

# vim /etc/httpd/conf.modules.d/00-mpm.conf
Comment out the LoadModule lines for mpm_prefork_module and mpm_worker_module, and uncomment the LoadModule line for mpm_event_module, as shown below.

#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

LoadModule mpm_event_module modules/mod_mpm_event.so

After making the above changes, just restart your Apache server.

# systemctl restart httpd
Check Active MPM in Apache

Now you have successfully enabled Event MPM in your Apache server. To verify current MPM enabled on your server use following command.

[root@TecAdmin ~]# httpd -V | grep MPM

Server MPM: event

Open Web Application Security Project

In today’s article we will guide you through the process of installing mod_security with the OWASP (Open Web Application Security Project) core rule set on a CentOS 7 from source.

ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity out of the box, Trustwave’s SpiderLabs created the OWASP ModSecurity Core Rule Set (CRS) Project. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded.

Prerequisites

Log in to your server with the “root” user credentials and make sure that all packages are up to date. You can use the command below to update your CentOS 7 server.

# yum -y update
After the system update, install the following dependencies, as ModSecurity 2.x works only with Apache 2.0.x or higher. Run the command below to install Apache and its other dependencies.

# yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git

Installing mod_security

Get the ‘mod_security’ source package to install on your server from the official website. mod_security can be installed on most web servers, such as Nginx, Apache and even Microsoft IIS, but this tutorial covers only a server running Apache.

#cd /opt/
#wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

Extract the downloaded archive and change the current working directory to the newly extracted directory using below commands.

#tar xzfv modsecurity-2.9.1.tar.gz
#cd modsecurity-2.9.1
Now, using the commands below, configure, compile and install mod_security from the source code.

#./configure
# make install

Configure mod_security

After installing mod_security, copy the recommended configuration files.

# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
# cp unicode.mapping /etc/httpd/conf.d/
Now we need to configure the Apache web server. Open the web server configuration file and add the following lines to it.

# vim /etc/httpd/conf/httpd.conf
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Save the changes using ‘:wq!’ and restart Apache services.

# systemctl restart httpd.service
# systemctl status httpd.service
# systemctl enable httpd.service

Installing OWASP

Now we will install the OWASP CRS to be integrated with Apache’s ModSecurity. Use the commands below to download and configure the OWASP (Open Web Application Security Project) core rule set for a base configuration.

# cd /etc/httpd
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
#mv owasp-modsecurity-crs modsecurity-crs
#cd modsecurity-crs
#cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Now once again open the Apache configuration file to add the following lines at the end.

#vim /etc/httpd/conf/httpd.conf
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
So now you’ve installed Mod_Security and OWASP-CRS, it’s time to restart Apache service so the module can be loaded along with its rules.

# systemctl restart httpd.service
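
A check of what the resulting configuration will enforce, as an added example that is not part of the original article: modsecurity.conf-recommended sets SecRuleEngine DetectionOnly, and rule files only take effect once an Include line references them. The function names, the sample files and the Include paths (modsecurity-crs/ relative to /etc/httpd, with the CRS 2.x base_rules directory) are assumptions for illustration.

```bash
# Print the effective SecRuleEngine value across the given config files
# (the last directive wins), or "unset" if none is present.
secrule_engine() {
    mode=$(cat "$@" 2>/dev/null |
        awk 'tolower($1) == "secruleengine" { m = $2 } END { print m }')
    echo "${mode:-unset}"
}

# Succeed if an Include/IncludeOptional line pulls in files from the CRS directory.
crs_included() {
    cat "$@" 2>/dev/null |
        awk 'tolower($1) ~ /^include(optional)?$/ && $2 ~ /modsecurity-crs\// { f = 1 }
             END { exit !f }'
}

# Succeed if security2_module is loaded by an uncommented LoadModule line.
module_loaded() {
    cat "$@" 2>/dev/null |
        awk 'tolower($1) == "loadmodule" && $2 == "security2_module" { f = 1 }
             END { exit !f }'
}

# One-line verdict for a set of Apache config files.
modsec_verdict() {
    module_loaded "$@" || { echo "security2_module not loaded"; return; }
    engine=$(secrule_engine "$@")
    if crs_included "$@"; then rules=crs; else rules=none; fi
    case "$engine:$rules" in
        On:crs)            echo "blocking with CRS" ;;
        DetectionOnly:crs) echo "logging only with CRS" ;;
        *:none)            echo "engine=$engine, no CRS rules included" ;;
        *)                 echo "engine=$engine" ;;
    esac
}

# Constructed sample files (not copied from a real server).
make_modsec_samples() {
    # state after the steps above: module loaded, recommended config copied
    cat > "$1/httpd.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
EOF
    cat > "$1/modsecurity.conf" <<'EOF'
# modsecurity.conf-recommended ships in detection-only mode
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
    # assumed enforcing variant: engine switched on, CRS 2.x files included
    cat > "$1/crs-include.conf" <<'EOF'
SecRuleEngine On
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
EOF
}

tmp=$(mktemp -d)
make_modsec_samples "$tmp"
modsec_verdict "$tmp/httpd.conf" "$tmp/modsecurity.conf"
modsec_verdict "$tmp/httpd.conf" "$tmp/modsecurity.conf" "$tmp/crs-include.conf"
rm -rf "$tmp"
```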

Enjoy some basic necessary protection on your Linux CentOS 7 Apache server. It also gives you a couple of other advantages, listed below.

Real-time Blacklist Lookups: utilizes 3rd party IP reputation.
Web-based Malware Detection: identifies malicious web content by checking against the Google Safe Browsing API.
Identification of Application Defects: alerts on application misconfigurations.
HTTP Denial of Service Protections: defense against HTTP flooding and slow HTTP DoS attacks.
Tracking Sensitive Data: tracks credit card usage and blocks leakages.
Trojan Protection: detecting access to Trojan horses.
Integration with AV Scanning for File Uploads: detects malicious files uploaded through the web application.
Error Detection and Hiding: disguising error messages sent by the server.
Common Web Attacks Protection: detecting common web application security attacks.
Automation Detection: detecting bots, crawlers, scanners and other surface malicious activity.
HTTP Protection: detecting violations of the HTTP protocol and a locally defined usage policy.

Conclusion

mod_security is basically used to protect and monitor real-time HTTP traffic and web applications from brute force attacks, and it also acts as an intrusion detection and prevention system for web applications. In order to become useful, ModSecurity must be configured with rules, for which we can use the OWASP (Open Web Application Security Project) Core Rule Set (CRS) as the mod_security base configuration. Thank you for reading this and I hope you find this article useful.

MOD_REWRITING AN ENTIRE SITE

Using mod_rewrite to redirect all pages to one central PHP page.

On my site, I decided to use an all-index structure, as that’s how I prefer to do things – it means that the scripting language is more hidden from the end user than if you linked to pages such as “something-bizarre.jsp” and means that if the scripting language used to create the pages was changed the names of the pages wouldn’t have to be.
In using mod_rewrite to modify an entire website, the following points needed to be addressed:

Images and CSS files should not be rewritten
Since the only subdomain used by the site is ‘www’, if the user does not enter it then it should be added automatically and visibly for them.
All versions of a webpage should be automatically and visibly rewritten to a single URL. i.e. ‘www.example.com/somepage/’, ‘example.com/somepage/’, ‘www.example.com/somepage’ and ‘example.com/somepage’ should all resolve to ‘www.example.com/somepage/’
Once all visible rewriting has been completed, the URL should be invisibly redirected to a master page which is able to interpret the URL which the user requested and serve up the correct content.
The following is what I came up with. Please refer to “mod_rewrite, a beginner’s guide (with examples)” if you need any extra pointers as to what anything means.

###################################################
# Turn the RewriteEngine on. #
###################################################

RewriteEngine on

###################################################
# Add a leading www to domain if one is missing. #
###################################################
# If this rule is used, the rewriting stops here #
# and then restarts from the beginning with the #
# new URL #
###################################################

RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

###################################################
# Do not process images or CSS files further #
###################################################
# No more processing occurs if this rule is #
# successful #
###################################################

RewriteRule \.(css|jpe?g|gif|png)$ - [L]

###################################################
# Add a trailing slash if needed #
###################################################
# If this rule is used, the rewriting stops here #
# and then restarts from the beginning with the #
# new URL #
###################################################

RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]

###################################################
# Rewrite web pages to one master page #
###################################################
# /somepage/ => master.php #
# ?page=somepage #
# /somesection/somepage => master.php #
# ?section=somesection #
# &page=somepage #
# /somesection/somesub/somepage/ #
# => master.php #
# ?section=somesection #
# &subsection=somesub #
# &page=somepage #
###################################################
# Variables are accessed in PHP using #
# $_GET['section'], $_GET['subsection'] and #
# $_GET['page'] #
###################################################
# No more processing occurs if any of these rules #
# are successful #
###################################################

RewriteRule ^([^/\.]+)/?$ /master.php?page=$1 [L]
RewriteRule ^([^/\.]+)/([^/\.]+)/?$ /master.php?section=$1&page=$2 [L]
RewriteRule ^([^/\.]+)/([^/\.]+)/([^/\.]+)/?$ /master.php?section=$1&subsection=$2&page=$3 [L]