SuSE Linux 9.1 Server Setup with Apache, SSL, PHP, Postgresql

10/29/05

CREATE GROUP FOR pvalentino USERS ####10 min#####:

  $ groupadd pvalentino

CREATE SU CAPABLE USERS:

  $ useradd -m -G wheel,pvalentino -s /bin/bash pvalentino
  $ useradd -m -G wheel,pvalentino -s /bin/bash jeff
  $ useradd -m -G wheel,pvalentino -s /bin/bash sue
  $ passwd pvalentino
  $ passwd jeff
  $ passwd sue

DISABLE REMOTE ROOT ACCESS BY LIMITING SSH USERS (SuSE specific) ###20 min###:

Added the line below to the file /etc/pam.d/sshd:

  auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshusers onerr=succeed

  $ vi /etc/sshusers

and added the users, one per line, that should NOT have ssh access - in this case root and all service accounts.

  $ chmod 500 /etc/sshusers

(must chmod to 600 when users must be added)

Also set "PermitRootLogin no" in the /etc/ssh/sshd_config file. telnet and other methods are blocked both by the firewall and by removal of securetty entries, i.e. /etc/securetty only includes entries for tty1 - tty6.

OPENSSL: version 0.9.7d is preinstalled.

INSTALL CVS VERSION 1.12.13 ###30 min###:

psftp cvs-1.12.13.tar.gz up to the home directory, then:

  $ gzip -d cvs-1.12.13.tar.gz
  $ tar xvf cvs-1.12.13.tar
  $ cd cvs-1.12.13

"no C compiler" error, therefore: downloaded the requisite rpm packages from ftp://ftp.suse.com/pub/suse/i386/9.1/suse/i586/ ###2hr 45min### and installed them in exactly this order: glibc-devel-2.3.3-98, gcc-3.3.3-41, automake-1.8.3-23.i586.rpm, m4-1.4o-622.i586.rpm, autoconf-2.59-75.i586.rpm, make-3.80-184.i586.rpm. All packages are located in /home/pvalentino.

  $ ./configure
  $ make
  $ make install

CONFIGURE CVS SERVER ###1 hour 30 min###:

Define CVSROOT and PATH for SSH logons in /etc/bash.bashrc.local:

  CVSROOT=/cvsroot
  PATH=$PATH:/usr/local/bin
  export CVSROOT PATH

  $ mkdir /cvsroot
  $ useradd -m -G pvalentino -s /bin/bash pvalentinocvs
  $ chown pvalentinocvs /cvsroot
  $ chgrp pvalentino /cvsroot
  $ chmod 770 /cvsroot

(read, write, execute for owner and group members)

Disabled remote shell access for the pvalentinocvs user account as noted in the DISABLE REMOTE ROOT ACCESS section of this document above. Initialized the CVS repository:

  $ cvs -d /cvsroot init

Followed and verified the instructions from "Pageant as your login method for the pvalentino Discoveries CVS repository.doc". Created the new module "tms" with TortoiseCVS, added the contents of the "tms" folder with TortoiseCVS, committed the changes with TortoiseCVS, performed a checkout into a new location for verification, and performed tests for add, remove, checkout, update, and commit. Added these configuration notes to the repository in the servercfg module and committed them.

GET SECURITY & SOFTWARE UPDATES FOR OS ####1 hour####:

Install apt from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.1-i386/RPMS.suser-rbos/ - downloaded and installed the following rpm's:

  $ rpm -ivh apt-libs-0.5.15cnc6-0.suse091.rb.5.i586.rpm
  $ rpm -ivh apt-0.5.15cnc6-0.suse091.rb.5.i586.rpm
  $ apt-get update

APACHE INSTALL (NOTE! each apt-get command is all on one line):

  $ apt-get install apache2 apache2-devel apache2-mod_perl apache2-mod_php4 apache2-prefork libapr0 perl-HTML-Parser perl-HTML-Tagset perl-Tie-IxHash perl-URI perl-libwww-perl php4
  $ apt-get install php4-bcmath php4-zlib php4-yp php4-xslt php4-wddx php4-unixODBC php4-sysvshm php4-sysvsem php4-swf php4-sockets php4-snmp php4-shmop php4-session php4-servlet php4-qtdom php4-pgsql php4-pear php4-mysql php4-mime_magic php4-mhash php4-mcrypt php4-mcal php4-mbstring php4-ldap php4-imap php4-iconv php4-gmp php4-gettext php4-gd php4-ftp php4-filepro php4-fastcgi php4-exif php4-domxml php4-devel php4-curl php4-ctype php4-calendar php4-bz2 ImageMagick curl
  $ chkconfig --add apache2

Edit /etc/mime.types and comment out the following 2 lines:

  # application/x-httpd-php phtml pht php
  # application/x-perl pl pm

Edit /etc/apache2/httpd.conf.local and add:

  DirectoryIndex index.html index.htm index.shtml index.cgi index.php

Edit /etc/apache2/httpd.conf and comment out:

  DirectoryIndex index.html index.htm

  $ /etc/init.d/apache2 start

SETUP SSL ###5 hours###:

Create an RSA private key for the Apache server (it will be Triple-DES encrypted and PEM formatted):

  $ openssl genrsa -des3 -out server.key 1024

Back up this server.key file and the pass-phrase in a secure location. You can see the details of this RSA private key with the following command (root password was used):

  $ openssl rsa -noout -text -in server.key

Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

  $ openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("dev.gopvalentino.com") when OpenSSL prompts you for the "CommonName", i.e. when you generate the CSR for a website which will later be accessed via https://dev.gopvalentino.com/, enter "dev.gopvalentino.com" here. You can see the details of this CSR with:

  $ openssl req -noout -text -in server.csr

Create an RSA private key for the CA (it will be Triple-DES encrypted and PEM formatted):

  $ openssl genrsa -des3 -out ca.key 1024

Back up this ca.key file in a secure location and remember the pass-phrase you entered. You can see the details of this RSA private key with the following command (root password used):

  $ openssl rsa -noout -text -in ca.key

Create a self-signed CA certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

  $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

You can see the details of this certificate with:

  $ openssl x509 -noout -text -in ca.crt

Prepare a script for signing, which is needed because the "openssl ca" command has some strange requirements and the default OpenSSL config doesn't easily allow one to use "openssl ca" directly. A script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/); use this script for signing. Downloaded the custom script and placed it in /usr/bin as sign.sh. Now you can use this CA to sign server CSRs in order to create real SSL certificates for use inside an Apache web server (assuming you already have a server.csr at hand):

  $ sign.sh server.csr

Now you have two files: server.key and server.crt. Use them as follows inside Apache's /etc/apache2/tms/apachetms.conf file:

  SSLCertificateFile /pvalentinocerts/server.crt
  SSLCertificateKeyFile /pvalentinocerts/server.key

The server.csr file is no longer needed.

PREVENT APACHE FROM REQUESTING PASSWORD ON EVERY REBOOT:

Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

  $ cp server.key server.key.org
  $ openssl rsa -in server.key.org -out server.key

CREATE SSL CLIENT CERTS (NOT OPERATIONAL YET):

  $ openssl genrsa -des3 -out pvalentinoclient.key 1024

GENERATE CSR (NOT OPERATIONAL YET):

  $ openssl req -new -key pvalentinoclient.key -out pvalentinoclient.csr

GENERATE AND SIGN CLIENT CERT:

  $ openssl x509 -req -in pvalentinoclient.csr -out pvalentinoclient.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

GENERATE A PKCS12 FILE FOR IMPORTING INTO CLIENT PCs (NOT OPERATIONAL YET):

  $ openssl pkcs12 -export -in pvalentinoclient.crt -inkey pvalentinoclient.key -name "pvalentino Client Cert" -out pvalentinoclient.p12
  $ openssl pkcs12 -in pvalentinoclient.p12 -clcerts -nokeys -info

CREATE A DER FORMAT CERT (optional):

  $ openssl x509 -in client.req.crt -out client.der -outform DER

VERIFY THAT PRIVATE KEY AND CERTIFICATE MATCH:

To check that the public key in your certificate matches the public portion of your private key, you simply need to compare these numbers. To view the certificate and the key run the commands:

  $ openssl x509 -noout -text -in server.crt
  $ openssl rsa -noout -text -in server.key

The 'modulus' and the 'public exponent' portions in the key and the certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:

  $ openssl x509 -noout -modulus -in server.crt | openssl md5
  $ openssl rsa -noout -modulus -in server.key | openssl md5

This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same without the modulus numbers being the same, but the chances of this are overwhelmingly remote. Should you wish to check which key or certificate a particular CSR belongs to, you can perform the same calculation on the CSR:

  $ openssl req -noout -modulus -in server.csr | openssl md5

UPDATE APACHE CONFIGURATION FILES ###2 hours###:

Added the APACHE_CONF_INCLUDE_FILES and APACHE_CONF_INCLUDE_DIRECTORIES paths in /etc/sysconfig/apache2 as follows:

  APACHE_CONF_INCLUDE_FILES="/etc/apache2/httpd.conf.local"
  APACHE_CONF_INCLUDE_DIRECTORIES="/etc/apache2/tms/"

REQUIRE CLIENT CERTIFICATE FOR SSL ACCESS:

Create /etc/apache2/httpd.conf.local with:

  SSLProtocol +all
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  # require a client certificate which has been signed by this server
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLCACertificateFile /pvalentinocerts/ca.crt
  SSLCertificateFile /pvalentinocerts/server.crt
  SSLCertificateKeyFile /pvalentinocerts/server.key

CREATE VIRTUAL SERVER FOR TMS:

Create the file /etc/apache2/tms/apachetms.conf and add the following lines (the <VirtualHost> and <Directory> container lines were lost when these notes were extracted and are reconstructed here from the Listen and DocumentRoot values):

  #--------------------------------------------#
  # SSL Virtual Host Context
  #--------------------------------------------#
  Listen 66.116.75.34:443

  <VirtualHost 66.116.75.34:443>
  # General setup for the virtual host
  DocumentRoot /www/tms
  ServerAdmin webmaster@pvalentinodiscoveries.com
  ServerName dev.gopvalentino.com

  # SSL Engine Switch:
  # Enable/Disable SSL for this virtual host.
  SSLEngine on
  SSLCertificateFile /pvalentinocerts/server.crt

  # Server Private Key:
  # If the key is not combined with the certificate, use this
  # directive to point at the key file. Keep in mind that if
  # you've both a RSA and a DSA private key you can configure
  # both in parallel (to also allow the use of DSA ciphers, etc.)
  SSLCertificateKeyFile /pvalentinocerts/server.key

  <Directory /www/tms>
  AllowOverride None
  Order allow,deny
  Allow from all
  </Directory>
  </VirtualHost>

SECURE THE CERTIFICATES AND PRIVATE KEYS:

chmod 400 all .crt and .key files in /pvalentinocerts.

RESTART APACHE:

  $ /etc/init.d/apache2 restart

VERIFY SSL PORT IS LISTENING:

  $ netstat -ltin

should produce a line like the following within its output:

  tcp 0 0 dev.gopvalentino.com:https *:* LISTEN

SETUP TIME SERVER:

  $ apt-get install netdate
  $ netdate tcp 128.2.136.71

Created /var/spool/cron/tabs/root with:

  # update time via ntp server
  0 3,9,15,21 * * * /usr/sbin/netdate 128.2.136.71

Ran:

  $ chmod 600 /var/spool/cron/tabs/root
  $ /etc/init.d/cron restart
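The pam_listfile deny list in the DISABLE REMOTE ROOT ACCESS section only works if every service account is actually listed, and entries for accounts that no longer exist silently do nothing. The following audit is an added example, not part of the original notes: it reports system accounts (uid below an assumed cutoff of 1000, the SuSE default for regular users) that are missing from the deny file, and deny entries that match no account. The passwd and sshusers contents below are constructed sample data; point the two functions at /etc/passwd and /etc/sshusers to run it on a real host. Note that onerr=succeed in the PAM line means sshd falls back to allowing the login if the file cannot be read, so the file's permissions (root-readable, as in the notes) matter as much as its contents.

```shell
#!/bin/sh
# Added example: audit an sshd pam_listfile deny list against /etc/passwd.
# Not from the original notes; file paths are parameters so it runs against the
# constructed samples below or against the real /etc/passwd and /etc/sshusers.

# Print system accounts (uid < cutoff, default 1000, assumed) that are NOT in
# the deny file, one per line, sorted.
# usage: unlisted_service_accounts PASSWD_FILE DENY_FILE [UID_CUTOFF]
unlisted_service_accounts() {
    awk -F: -v deny="$2" -v cutoff="${3:-1000}" '
        BEGIN { while ((getline line < deny) > 0) if (line != "") denied[line] = 1 }
        $3 < cutoff && !($1 in denied) { print $1 }
    ' "$1" | sort
}

# Print deny-file entries that match no account in the passwd file
# (typos or accounts that were removed after the list was written).
# usage: stale_deny_entries PASSWD_FILE DENY_FILE
stale_deny_entries() {
    awk -F: -v deny="$2" '
        { present[$1] = 1 }
        END { while ((getline line < deny) > 0) if (line != "" && !(line in present)) print line }
    ' "$1" | sort
}

# Constructed sample data (not a real system); cleaned up when the script exits.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
pvalentino:x:1000:100:Admin:/home/pvalentino:/bin/bash
jeff:x:1001:100:Jeff:/home/jeff:/bin/bash
pvalentinocvs:x:1002:100:CVS account:/home/pvalentinocvs:/bin/bash
EOF
cat > "$SAMPLE/sshusers" <<'EOF'
root
wwwrun
pvalentinocvs
oldaccount
EOF

echo "system accounts not denied ssh:"
unlisted_service_accounts "$SAMPLE/passwd" "$SAMPLE/sshusers"   # postgres
echo "deny entries matching no account:"
stale_deny_entries "$SAMPLE/passwd" "$SAMPLE/sshusers"          # oldaccount
```

Any name printed by the first function is a service account that could still log in over ssh if it had a password or key; pvalentinocvs has a regular uid and is only caught because it was listed by hand, which is the case the notes describe.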
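The SETUP SSL steps (CA key, self-signed CA certificate, server key, CSR, signing, and the modulus comparison in VERIFY THAT PRIVATE KEY AND CERTIFICATE MATCH) can be run end to end non-interactively. The script below is an added example and is not the notes' own procedure or the mod_ssl sign.sh script: it signs the CSR with "openssl x509 -req" instead of sign.sh, uses constructed subject names, a throw-away directory and unencrypted keys so that nothing prompts for a pass-phrase, and hashes the modulus with SHA-256 rather than MD5 (either works for this comparison). It also generates an unrelated key to show that the check really rejects a key that does not belong to the certificate, and verifies the CSR against the key the same way the notes suggest.

```shell
#!/bin/sh
# Added example (not from the original notes): private CA, signed server cert,
# chain check and key/certificate modulus match, all in a temporary directory.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Digest of the RSA modulus held in a key, certificate or CSR.
# $1 is the openssl subcommand that reads the file (rsa, x509 or req), $2 the PEM file.
modulus_fp() {
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256
}

# True when the private key's modulus equals the certificate's modulus.
key_matches_cert() {
    [ "$(modulus_fp rsa "$1")" = "$(modulus_fp x509 "$2")" ]
}

# True when the CSR was produced from the given private key.
csr_matches_key() {
    [ "$(modulus_fp req "$1")" = "$(modulus_fp rsa "$2")" ]
}

# True when the certificate validates against the CA certificate.
# (Output is checked rather than the exit status because very old openssl
# versions exited 0 even on a failed verification.)
cert_issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 1. CA key and self-signed CA certificate (constructed subject, 10 years, as in the notes).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=Example Private CA"

# 2. Server key and CSR; the CN is the FQDN clients will use (constructed here).
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr -subj "/CN=dev.example.test"

# 3. Sign the CSR with the CA (this stands in for the mod_ssl sign.sh step).
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out server.crt 2>/dev/null

# 4. An unrelated key, to show that the wrong key is detected.
openssl genrsa -out other.key 2048 2>/dev/null

echo "server.crt chains to ca.crt:  $(cert_issued_by ca.crt server.crt && echo yes || echo no)"   # yes
echo "server.key matches server.crt: $(key_matches_cert server.key server.crt && echo yes || echo no)"  # yes
echo "other.key matches server.crt:  $(key_matches_cert other.key server.crt && echo yes || echo no)"   # no
echo "server.csr came from server.key: $(csr_matches_key server.csr server.key && echo yes || echo no)" # yes
```

The same four functions apply unchanged to the files the notes produce (/pvalentinocerts/ca.crt, server.crt, server.key and server.csr); running them after the "PREVENT APACHE FROM REQUESTING PASSWORD" step is a cheap way to confirm that the decrypted copy of server.key still belongs to server.crt before restarting Apache.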
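The REQUIRE CLIENT CERTIFICATE section enables "SSLProtocol +all" and an SSLCipherSuite string that starts from ALL. In OpenSSL cipher strings a token prefixed with "+" only moves suites that are already selected to the end of the list and never adds any, so what this string actually offers is decided by ALL (which includes export, low-grade, RC4, MD5 and SSLv2 suites) minus the single "!ADH" exclusion; the trailing "+eNULL" is a no-op because ALL never contains null ciphers. The lint below is an added example, not part of the original notes: it models those prefix rules ("!" excludes permanently, "-" removes until re-added, "+" reorders only) for a small set of risky cipher classes and for the mod_ssl protocol keywords, and runs the notes' two directive values beside a hardened pair that I am suggesting here (the hardened strings are my assumption, not something the notes contain). DEFAULT is deliberately not expanded because its meaning changes between OpenSSL versions.

```shell
#!/bin/sh
# Added example (not from the original notes): lint mod_ssl SSLProtocol and
# SSLCipherSuite values for classes of weak suites and protocols.

# Print, in a fixed order, the risky cipher classes a cipher string leaves enabled.
# Classes tracked: eNULL aNULL EXP LOW SSLv2 RC4 MD5. ALL turns on every class
# except eNULL (OpenSSL semantics); "!X" excludes X for good, "-X" removes X but a
# later plain token may re-add it, "+X" only reorders and enables nothing.
risky_cipher_classes() {
    printf '%s\n' "$1" | awk -F: '
    BEGIN {
        on["eNULL"] = "eNULL"; on["NULL"] = "eNULL"; on["COMPLEMENTOFALL"] = "eNULL"
        on["aNULL"] = "aNULL"; on["ADH"] = "aNULL"
        on["EXP"] = "EXP"; on["EXPORT"] = "EXP"; on["EXPORT40"] = "EXP"; on["EXPORT56"] = "EXP"
        on["LOW"] = "LOW"; on["SSLv2"] = "SSLv2"; on["RC4"] = "RC4"; on["MD5"] = "MD5"
        on["ALL"] = "aNULL EXP LOW SSLv2 RC4 MD5"
        n = split("eNULL aNULL EXP LOW SSLv2 RC4 MD5", order, " ")
    }
    {
        for (i = 1; i <= NF; i++) {
            tok = $i; mode = ""
            if (tok ~ /^[!+-]/) { mode = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (mode == "+") continue               # reorder only, adds nothing
            m = split(tok, parts, "+")              # RC4+RSA means RC4 AND RSA
            for (p = 1; p <= m; p++) {
                if (!(parts[p] in on)) continue
                k = split(on[parts[p]], cls, " ")
                for (c = 1; c <= k; c++) {
                    if (mode == "!") { excluded[cls[c]] = 1; enabled[cls[c]] = 0 }
                    else if (mode == "-") enabled[cls[c]] = 0
                    else if (!excluded[cls[c]]) enabled[cls[c]] = 1
                }
            }
        }
    }
    END {
        out = ""
        for (i = 1; i <= n; i++) if (enabled[order[i]]) out = out (out == "" ? "" : " ") order[i]
        print out
    }'
}

# Print which of SSLv2 / SSLv3 an SSLProtocol value leaves enabled.
# "all" (any case) selects both; "+X" enables and "-X" disables X.
risky_protocols() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            tok = $i; mode = "+"
            if (tok ~ /^[+-]/) { mode = substr(tok, 1, 1); tok = substr(tok, 2) }
            if (tolower(tok) == "all") { v["SSLv2"] = (mode == "+"); v["SSLv3"] = (mode == "+") }
            else if (tok == "SSLv2" || tok == "SSLv3") v[tok] = (mode == "+")
        }
        out = ""
        if (v["SSLv2"]) out = "SSLv2"
        if (v["SSLv3"]) out = out (out == "" ? "" : " ") "SSLv3"
        print out
    }'
}

# Values from the notes, beside a hardened pair (the hardened pair is my suggestion).
NOTES_PROTO="+all"
NOTES_CIPHERS="ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED_PROTO="all -SSLv2 -SSLv3"
HARDENED_CIPHERS="HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!SSLv2"

echo "notes    SSLProtocol    enables: $(risky_protocols "$NOTES_PROTO")"          # SSLv2 SSLv3
echo "notes    SSLCipherSuite enables: $(risky_cipher_classes "$NOTES_CIPHERS")"   # EXP LOW SSLv2 RC4 MD5
echo "hardened SSLProtocol    enables: $(risky_protocols "$HARDENED_PROTO")"       # (nothing)
echo "hardened SSLCipherSuite enables: $(risky_cipher_classes "$HARDENED_CIPHERS")" # (nothing)
```

To check a live configuration, feed the two functions the values grepped out of httpd.conf.local; an empty result for both is the goal. On the 0.9.7d build the notes describe, "openssl ciphers -v 'STRING'" lists exactly which suites a string expands to and is the authoritative check once the lint has narrowed things down.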
