Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Apache/websites
#1

I have LAMP server running and I've been using root account download files into

/var/www/html/websites/example.com. Right now all the folders/files are owned by root.

Is it better to make a normal user account and give that account r/w/x access to /var/www/html/websites

or /var/www/html/websites/example.com .So that I'm not doing everything with root user cuz I think that's

probably an unsafe practice?

 

And I have Joomla installed and my folders rights are set to 755 which but when I try to install a joomla

component or template I get the following error: Warning: Failed to move file! I know this has to do with

rights not being set right cuz I googled it.

But I don't quite get it cause as far as I can see all my folder permissions are set right, but when I check joomla system information->

Directory permissions they all say unwritable. Maybe it has to do with my first question? According to joomla-documentation

files should be set to 644 and folders to 755. And I'm not comfortable setting the folder permissions to 777.

<a class="ipsAttachLink ipsAttachLink_image" href="<fileStore.core_Attachment>/monthly_08_2011/post-6026-0-25442600-1313128336.jpg" data-fileid="1306">[img]<fileStore.core_Attachment>/monthly_08_2011/post-6026-0-25442600-1313128336.jpg[/img]</a>



Attached Files
.jpg   Unwritable-Folders.JPG (Size: 171.4 KB / Downloads: 0)
Reply
#2

Quote:I have LAMP server running and I've been using root account download files into

/var/www/html/websites/example.com. Right now all the folders/files are owned by root.

Is it better to make a normal user account and give that account r/w/x access to /var/www/html/websites

or /var/www/html/websites/example.com .So that I'm not doing everything with root user cuz I think that's

probably an unsafe practice?
How can I put this?

YESSSS!

Your webserver will probably be running under a user account of "apache" or so (or www-data if you're a debian user) so the directories and files should be owned by www-data.

Quote:And I have Joomla installed and my folders rights are set to 755 which but when I try to install a joomla

component or template I get the following error: Warning: Failed to move file! I know this has to do with

rights not being set right
You are correct.

 

A quick way of fixing this is:

chgrp -R www-data /var/www/html/websites/

chmod -R g+w /var/www/html/websites/

 

- that should change the GROUP membership to www-data (same group as apache) and make them group-writable, so Joomla can upload content in there.

 

A much safer method is to install the suPHP mod. This will run the website as a specific user (switches to that user) so all files and dirs can be owned by feedmebits, rather than www-data or root. However, do that bit above first to see if it fixes things.

 

(and you're dead right that the dirs shouldn't be 777. 775 and group-owned by www-data, or 700 and user-owned by www-data, possibly.)

 

Hope that helps!

 

(ps: if your website is internet-facing, ensure you lock it down and run appropriate IDS utils to check upon its health)

Reply
#3

It worked like a charm :) Thanks alot :)

 

drwxrwxr-x 3 root apache 4096 Aug 12 11:37 websites

 

Learned something new again. So from what I understand what you explained, that would mean

before I used these commands the directory websites wasn't owned by apache and therefore apache couldn't write to it. So when I tried

to install something via joomla administrator it couldn't write to this directory. Then now with one command (chgrp -R apache) I added

the directory websites to the apache user group, and with the command (chmod -R g+w) I gave apache group recursive rights to write into

the folder websites? Am I understanding this correctly?

 

chgrp -R apache /var/www/html/websites/

chmod -R g+w /var/www/html/websites/

 

I have been looking into suPHP and I've found some tutorials on the web but I haven't manage to get suPHP working yet. I've tried installing suPHP from

source cuz can't install it via yum. I've used these two tutorials: tutorial 1

and tutorial 2 Yes my website is internet facing, but it's not much of a website yet. Because

right now it's more of like a learning project to outside of my normal studying. Right now just wanting to learn how the technical side works as in how to set it up.

But slowly it will become more of a websiteBut I've heard of the term IDS but I don't really know anything about IDS utilities. Which ones would you advise, I will search for some myself.

Reply
#4

Quote:<snip quoted text></snip>

It worked like a charm :) Thanks a lot :)Learned something new again. So from what I understand what you explained, that would mean

before I used these commands the directory websites wasn't owned by apache and therefore apache couldn't write to it. So when I tried

to install something via joomla administrator it couldn't write to this directory. Then now with one command (chgrp -R apache) I added

the directory websites to the apache user group, and with the command (chmod -R g+w) I gave apache group recursive rights to write into

the folder websites? Am I understanding this correctly?
Yup - that's precisely it.

 

To be honest, you REALLY only need 775 on the directories that apache will write to - Joomla should identify those. It's safer to allow write permission to those areas and leave the others as 755 or 750, just to limit write access.

 

Quote:I have been looking into suPHP and I've found some tutorials on the web but I haven't manage to get suPHP working yet.
for CentOS, it's called mod_suphp - try a quick "yum install mod_suphp" and that should pull it down. However, the configuration can be a bit of a pig, but once you've got it going, you can make ALL website content feedmebits:users rather than apache:www-data.

Quote:Yes my website is internet facing, but it's not much of a website yet. Because

right now it's more of like a learning project to outside of my normal studying.
In that case, it's still vulnerable, whilst it's connected.

 

Firstly, I'd advise you set up virtual hosting, and move your website content to another location (eg: /home/feedmebits/htdocs) but leave a blank placeholder in /var/www.

Secondly, configure your first (default) website to point to var/www - this is a "catchall bucket".

Then configure a NamedVirtualHost of feedmebits.nl to point to your real content.

 

The idea is that is someone tries http://feedmebits.nl they'll go to the second location, but if they try http://1.2.3.4/ (or whatever your IP address is) then they'll drop into the first location, ie: the "bucket".

 

This has a number of advantages:

- anyone sniffing your server for vulnerabilities won't try the domain name, they'll try by IP - so they'll keep sniffing the bucket and not your live (joomla) site.

- your web stats for your live site will reflect true visitors, not sniffers

- you can put your IDS against the bucket, knowing anyone visiting that location isn't a proper visitor and probably up to no good

- now virtual hosting is setup, you can easily add multiple domains, such as stats.feedmebits and testbed.feedmebits, later on.

Quote: Right now just wanting to learn how the technical side works as in how to set it up.

But slowly it will become more of a website But I've heard of the term IDS but I don't really know anything about IDS utilities. Which ones would you advise, I will search for some myself.
I use the following:


  • logwatch - this sends me an email of what visitors hit my bucket, as well as what errors my live sites had, showing people trying to probe for known vulnerabilities (and not finding any). Since I have their IP I can report them to the upstream hosting provider, but it tends to be a leased server that's unsecured and has been rooted by someone, not a home IP, so at least I can get something cleaned.


  • fail2ban - checks the logfiles and after a certain number of failed attempts will add a block to that IP address. I've created some rules so that they can only manage 3-5 attempts before I decide they're up to no good.


  • a couple of custom scripts I wrote - I have a few scripts sitting in places of known vulnerabilities that harvest and make use of information gleaned in the attack. Bit like booby-trapping a fake burglar alarm to explode as soon as someone pulls the cover off to tamper with it.




If you need a hand Apache configuring, I'm a whiz at that. I've also worked out how to set up suPHP and mod_security together (yep, that was a pig).

Reply
#5

<snip unnecessary quote></snip>

I've already setup a virtual domein so all I need to do I guess it's move it's location. would that be like under /home/feedmebits/public_html/websites for example. like explained in apache http.conf file?

 

 

and when I make /var/www/websites a bucket, do I remove the apache group from that location? and add it to my new location? and is it smarter to move the virtual domein first or to install/setup suPHP?

Reply
#6

I just changed the permissions to 755 that Apache will write to. I've edited so that I can use /home/username/public_html for apache:

Just how it is explained in the httpd.conf file:

 

<ifmodule mod_userdir.c></ifmodule>

#

# UserDir is disabled by default since it can confirm the presence

# of a username on the system (depending on home directory

# permissions).

#

#UserDir disable

 

#

# To enable requests to /~user/ to serve the user's public_html

# directory, remove the "UserDir disable" line above, and uncomment

# the following line instead:

#

UserDir public_html

 

Then I did I changed my virtualhosts to this: I used an earlier post to make the blackhole like you said.

 

# Custom virtualhosts

 

NameVirtualHost ipadress:80

 

<virtualhost ipadress:80></virtualhost>

## -- DEFAULT: should NEVER get here normally!

ServerName nothing.here

ServerAdmin abuse@127.0.0.1

DocumentRoot /var/www/html/

ErrorLog /var/log/httpd/sniffer_error.log

CustomLog /var/log/httpd/sniffer_access.log combined

Loglevel warn

 

ScriptAlias /cgi-bin /websites/.blackhole

 

## this redirects any sniffers over to the right page...

#AliasMatch ^/(.*) /websites/.blackhole/index.php

 



 

<virtualhost ipadress:80></virtualhost>

ServerAlias www.feedmebits.nl

ServerAdmin maarten@feedmebits.nl

DocumentRoot /home/www/public_html/feedmebits.nl

ServerName feedmebits.nl

ErrorLog /log/httpd/websites/feedmebits.nl/error.log

CustomLog /logs/httpd/websites/feedmebits.nl/access.log combined

 

<directory></directory>

AllowOverride None

order allow,deny

allow from all

Options Indexes Includes FollowSymLinks





 

but for the the virtualhost feedmebits.nl CustomLog with the option combined apache fails to start.

When I comment it out apache starts, and when I unocomment it and remove the option combined I get an error:

 

Starting httpd: Syntax error on line 1024 of /etc/httpd/conf/httpd.conf:

CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" clause (see docs)

[FAILED]

So I uncommented CustomLog for now.

 

Then I did like before. I used the two commands to give apache access to my home directories where my website data is:

 

chgrp -R apache /home/www/public_html

chmod -R g+w /home/www/public_html

 

then I chmod 755 /home/www/public_html

 

 

I made a normal html page(index.htm) for my blackhole cuz I wasn't exactly sure how to finish it off.

But when I go there(using my ip) I just get my normal apache test page and when I do ip/index.htm I get the page(blackhole)

I just set my domein name to my ip today so I think it takes 24-48 hours before that's active.

However I am not able to see my website now which is under /home/www/public_html

 

 

Will still do some more searching, but it's first time working with apache so I haven't figured out

what I did wrong yet. After I get this sorted out and working I will have a go for installing/configuring suPHP.

Reply
#7

Quote: 

Just how it is explained in the httpd.conf file:

 

<ifmodule mod_userdir.c></ifmodule>

#

# UserDir is disabled by default since it can confirm the presence

# of a username on the system (depending on home directory

# permissions).

#

#UserDir disable

 

#

# To enable requests to /~user/ to serve the user's public_html

# directory, remove the "UserDir disable" line above, and uncomment

# the following line instead:

#

UserDir public_html

 
Erm.. not quite. The "UserDir" directive is for someone to visit http://yourmachine/~fred - and they get dropped into /home/fred/public_html. In most cases, you can safely leave UserDir commented out.

 

(places like Universities and so tend to use it to allow every user to have their own public webspace, but it's not advised)

 

 



Code:
# Custom virtualhosts

NameVirtualHost  ipadress:80

<VirtualHost ipadress:80>
## -- DEFAULT: should NEVER get here normally!
ServerName nothing.here
ServerAdmin abuse@127.0.0.1
DocumentRoot /var/www/html/
ErrorLog /var/log/httpd/sniffer_error.log
CustomLog /var/log/httpd/sniffer_access.log combined
Loglevel warn

ScriptAlias /cgi-bin /websites/.blackhole




okay.. this looks like something I wrote... don't forget that /websites/.blackhole should exist as a directory.

 

If it isn't, change it to:



Code:
Alias /cgi-bin/ /var/www/html




- this will just redirect people sniffing your cgi-bin area.

 



Code:
<VirtualHost ipadress:80>
ServerAlias www.feedmebits.nl
ServerAdmin maarten@feedmebits.nl
DocumentRoot /home/www/public_html/feedmebits.nl
ServerName feedmebits.nl
ErrorLog /log/httpd/websites/feedmebits.nl/error.log
CustomLog /logs/httpd/websites/feedmebits.nl/access.log combined

<Directory /home/www/public_html/feedmebits.nl>
          AllowOverride None
          order allow,deny
          allow from all
          Options Indexes Includes FollowSymLinks
</Directory>
</VirtualHost>




okay.. kinda on the right track there - but check that the path for your CustomLogs exists (do you have a /logs/httpd dir?).

 

Quote:I made a normal html page(index.htm) for my blackhole cuz I wasn't exactly sure how to finish it off.

But when I go there(using my ip) I just get my normal apache test page and when I do ip/index.htm I get the page(blackhole)
okay - you're missing one final directive: add the following line into your bucket host (the first VirtualHost):



Code:
DirectoryIndex index.htm




The reason you're getting the "welcome to apache!" page is that in your conf.d directory is a file called "welcome.conf" that redirects 403 errors to a welcome page. And as you've not added "Index +Options" on (which you shouldn't, anyway), apache can't find your DirecoryIndex file, fails to serve up a directory listing so then generates a 403 error - which welcome.conf shows as a nice welcome page.

 

(there have been arguments in the Apache group as to if this is a good thing or not).

 

Quote:I just set my domein name to my ip today so I think it takes 24-48 hours before that's active.

However I am not able to see my website now which is under /home/www/public_html
Under your ServerName directive, add in something like "ServerAlias feedme.testbed" then add feedme.testbed to your local hosts file. That way, your browser will resolve it to the server IP, and Apache will serve up the same content as though it was feedmebits.nl.

 

 

Quote:Will still do some more searching, but it's first time working with apache so I haven't figured out

what I did wrong yet. After I get this sorted out and working I will have a go for installing/configuring suPHP.
I'll have to say - I'm impressed that you've read around and had a go, and had quite a measure of success - you deserve it!

 

Just as a last touch: don't forget to check the apache logfiles, in particular /var/log/httpd/error_log - this often contains some useful information about apache failing/doing odd things.

Reply
#8

Just another point, glancing through your files...

 

On my server I have several users what own websites, so I create them a localised webroot area. In everyone's home directory is a "webroot" dir, containing the following:


  • htdocs - website content


  • etc - any possible additional site-specific config files


  • logs - logfiles for this site


  • php_temp and php_session - intended for session info and temporary area, set via suPHP, so that any stuff from THIS site doesn't interfere with others'




 

This way, every user has their website completely isolated from others, and it takes me a matter of minutes to set up additional sites just by duplicating a skeleton directory containing those subdirectories.

Reply
#9

Thanks for the correction on my config file. I will try to apply it later.

"okay.. kinda on the right track there - but check that the path for your CustomLogs exists (do you have a /logs/httpd dir?)."

I just figured out the problem lol, just an overlookd typing error: it's log/http instead of logs/httpd :P hahaha :P

 

Right now I have my user named www. I'll change that as you advise to have a user for every website like you mentioned in your last post. And I just wanted to say I'm so encourage by your compliment:"I'll have to say - I'm impressed that you've read around and had a go, and had quite a measure of success - you deserve it!"

 

It encourges me to continue playing and learning linux, I've been having so much fun lately just doing and playing around :)

And I appreciate I'll the help and tips/advice you've been providing. Btw playing around with my dedicated server is just for

fun so I do a different type of studying more active/practical then my normal studying material :)I'll keep you updated mate.

Reply
#10

Most of my learning has come about as a result of changing something in /etc, restarting a service, then checking logfiles in /var/log - I learned a lot of Apache/postfix/squid/pureftpd configs that way.

 

(only issue is.. sometimes you get distracted from what you're TRYING to do!)

 

Good luck with the apache stuff. I only configured my server in that way so that individual users could FTP-upload their content and stay away from other sites, i.e. nothing was owned by apache/httpd/www - it was all user-owned and user-maintained content, pretty much.

 

Anyway, glad to have helped. So.. when do we see your new site come online, then?

Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)