Jump to content
Sign in to follow this  
inittux

Apache/websites

Recommended Posts

I have LAMP server running and I've been using root account download files into

/var/www/html/websites/example.com. Right now all the folders/files are owned by root.

Is it better to make a normal user account and give that account r/w/x access to /var/www/html/websites

or /var/www/html/websites/example.com .So that I'm not doing everything with root user cuz I think that's

probably an unsafe practice?

 

And I have Joomla installed and my folders rights are set to 755 which but when I try to install a joomla

component or template I get the following error: Warning: Failed to move file! I know this has to do with

rights not being set right cuz I googled it.

But I don't quite get it cause as far as I can see all my folder permissions are set right, but when I check joomla system information->

Directory permissions they all say unwritable. Maybe it has to do with my first question? According to joomla-documentation

files should be set to 644 and folders to 755. And I'm not comfortable setting the folder permissions to 777.

Unwritable-Folders.JPG

  • Like 1

Share this post


Link to post
Share on other sites

I have LAMP server running and I've been using root account download files into

/var/www/html/websites/example.com. Right now all the folders/files are owned by root.

Is it better to make a normal user account and give that account r/w/x access to /var/www/html/websites

or /var/www/html/websites/example.com .So that I'm not doing everything with root user cuz I think that's

probably an unsafe practice?

How can I put this?

YESSSS!

Your webserver will probably be running under a user account of "apache" or so (or www-data if you're a debian user) so the directories and files should be owned by www-data.

And I have Joomla installed and my folders rights are set to 755 which but when I try to install a joomla

component or template I get the following error: Warning: Failed to move file! I know this has to do with

rights not being set right

You are correct.

 

A quick way of fixing this is:

chgrp -R www-data /var/www/html/websites/

chmod -R g+w /var/www/html/websites/

 

- that should change the GROUP membership to www-data (same group as apache) and make them group-writable, so Joomla can upload content in there.

 

A much safer method is to install the suPHP mod. This will run the website as a specific user (switches to that user) so all files and dirs can be owned by feedmebits, rather than www-data or root. However, do that bit above first to see if it fixes things.

 

(and you're dead right that the dirs shouldn't be 777. 775 and group-owned by www-data, or 700 and user-owned by www-data, possibly.)

 

Hope that helps!

 

(ps: if your website is internet-facing, ensure you lock it down and run appropriate IDS utils to check upon its health)

Share this post


Link to post
Share on other sites

It worked like a charm :D Thanks alot :)

 

drwxrwxr-x 3 root apache 4096 Aug 12 11:37 websites

 

Learned something new again. So from what I understand what you explained, that would mean

before I used these commands the directory websites wasn't owned by apache and therefore apache couldn't write to it. So when I tried

to install something via joomla administrator it couldn't write to this directory. Then now with one command (chgrp -R apache) I added

the directory websites to the apache user group, and with the command (chmod -R g+w) I gave apache group recursive rights to write into

the folder websites? Am I understanding this correctly?

 

chgrp -R apache /var/www/html/websites/

chmod -R g+w /var/www/html/websites/

 

I have been looking into suPHP and I've found some tutorials on the web but I haven't manage to get suPHP working yet. I've tried installing suPHP from

source cuz can't install it via yum. I've used these two tutorials: tutorial 1

and tutorial 2 Yes my website is internet facing, but it's not much of a website yet. Because

right now it's more of like a learning project to outside of my normal studying. Right now just wanting to learn how the technical side works as in how to set it up.

But slowly it will become more of a websiteBut I've heard of the term IDS but I don't really know anything about IDS utilities. Which ones would you advise, I will search for some myself.

Share this post


Link to post
Share on other sites

It worked like a charm :D Thanks a lot :) Learned something new again. So from what I understand what you explained, that would mean

before I used these commands the directory websites wasn't owned by apache and therefore apache couldn't write to it. So when I tried

to install something via joomla administrator it couldn't write to this directory. Then now with one command (chgrp -R apache) I added

the directory websites to the apache user group, and with the command (chmod -R g+w) I gave apache group recursive rights to write into

the folder websites? Am I understanding this correctly?

Yup - that's precisely it.

 

To be honest, you REALLY only need 775 on the directories that apache will write to - Joomla should identify those. It's safer to allow write permission to those areas and leave the others as 755 or 750, just to limit write access.

 

I have been looking into suPHP and I've found some tutorials on the web but I haven't manage to get suPHP working yet.

for CentOS, it's called mod_suphp - try a quick "yum install mod_suphp" and that should pull it down. However, the configuration can be a bit of a pig, but once you've got it going, you can make ALL website content feedmebits:users rather than apache:www-data.

Yes my website is internet facing, but it's not much of a website yet. Because

right now it's more of like a learning project to outside of my normal studying.

In that case, it's still vulnerable, whilst it's connected.

 

Firstly, I'd advise you set up virtual hosting, and move your website content to another location (eg: /home/feedmebits/htdocs) but leave a blank placeholder in /var/www.

Secondly, configure your first (default) website to point to var/www - this is a "catchall bucket".

Then configure a NamedVirtualHost of feedmebits.nl to point to your real content.

 

The idea is that is someone tries http://feedmebits.nl they'll go to the second location, but if they try http://1.2.3.4/ (or whatever your IP address is) then they'll drop into the first location, ie: the "bucket".

 

This has a number of advantages:

- anyone sniffing your server for vulnerabilities won't try the domain name, they'll try by IP - so they'll keep sniffing the bucket and not your live (joomla) site.

- your web stats for your live site will reflect true visitors, not sniffers

- you can put your IDS against the bucket, knowing anyone visiting that location isn't a proper visitor and probably up to no good

- now virtual hosting is setup, you can easily add multiple domains, such as stats.feedmebits and testbed.feedmebits, later on.

Right now just wanting to learn how the technical side works as in how to set it up.

But slowly it will become more of a website But I've heard of the term IDS but I don't really know anything about IDS utilities. Which ones would you advise, I will search for some myself.

I use the following:

  • logwatch - this sends me an email of what visitors hit my bucket, as well as what errors my live sites had, showing people trying to probe for known vulnerabilities (and not finding any). Since I have their IP I can report them to the upstream hosting provider, but it tends to be a leased server that's unsecured and has been rooted by someone, not a home IP, so at least I can get something cleaned.
  • fail2ban - checks the logfiles and after a certain number of failed attempts will add a block to that IP address. I've created some rules so that they can only manage 3-5 attempts before I decide they're up to no good.
  • a couple of custom scripts I wrote - I have a few scripts sitting in places of known vulnerabilities that harvest and make use of information gleaned in the attack. Bit like booby-trapping a fake burglar alarm to explode as soon as someone pulls the cover off to tamper with it.

If you need a hand Apache configuring, I'm a whiz at that. I've also worked out how to set up suPHP and mod_security together (yep, that was a pig).

Share this post


Link to post
Share on other sites

I've already setup a virtual domein so all I need to do I guess it's move it's location. would that be like under /home/feedmebits/public_html/websites for example. like explained in apache http.conf file?

 

 

and when I make /var/www/websites a bucket, do I remove the apache group from that location? and add it to my new location? and is it smarter to move the virtual domein first or to install/setup suPHP?

Share this post


Link to post
Share on other sites

I just changed the permissions to 755 that Apache will write to. I've edited so that I can use /home/username/public_html for apache:

Just how it is explained in the httpd.conf file:

 

#

# UserDir is disabled by default since it can confirm the presence

# of a username on the system (depending on home directory

# permissions).

#

#UserDir disable

 

#

# To enable requests to /~user/ to serve the user's public_html

# directory, remove the "UserDir disable" line above, and uncomment

# the following line instead:

#

UserDir public_html

 

Then I did I changed my virtualhosts to this: I used an earlier post to make the blackhole like you said.

 

# Custom virtualhosts

 

NameVirtualHost ipadress:80

 

## -- DEFAULT: should NEVER get here normally!

ServerName nothing.here

ServerAdmin abuse@127.0.0.1

DocumentRoot /var/www/html/

ErrorLog /var/log/httpd/sniffer_error.log

CustomLog /var/log/httpd/sniffer_access.log combined

Loglevel warn

 

ScriptAlias /cgi-bin /websites/.blackhole

 

## this redirects any sniffers over to the right page...

#AliasMatch ^/(.*) /websites/.blackhole/index.php

 

 

ServerAlias www.feedmebits.nl

ServerAdmin maarten@feedmebits.nl

DocumentRoot /home/www/public_html/feedmebits.nl

ServerName feedmebits.nl

ErrorLog /log/httpd/websites/feedmebits.nl/error.log

CustomLog /logs/httpd/websites/feedmebits.nl/access.log combined

 

AllowOverride None

order allow,deny

allow from all

Options Indexes Includes FollowSymLinks

 

but for the the virtualhost feedmebits.nl CustomLog with the option combined apache fails to start.

When I comment it out apache starts, and when I unocomment it and remove the option combined I get an error:

 

Starting httpd: Syntax error on line 1024 of /etc/httpd/conf/httpd.conf:

CustomLog takes two or three arguments, a file name, a custom log format string or format name, and an optional "env=" clause (see docs)

[FAILED]

So I uncommented CustomLog for now.

 

Then I did like before. I used the two commands to give apache access to my home directories where my website data is:

 

chgrp -R apache /home/www/public_html

chmod -R g+w /home/www/public_html

 

then I chmod 755 /home/www/public_html

 

 

I made a normal html page(index.htm) for my blackhole cuz I wasn't exactly sure how to finish it off.

But when I go there(using my ip) I just get my normal apache test page and when I do ip/index.htm I get the page(blackhole)

I just set my domein name to my ip today so I think it takes 24-48 hours before that's active.

However I am not able to see my website now which is under /home/www/public_html

 

 

Will still do some more searching, but it's first time working with apache so I haven't figured out

what I did wrong yet. After I get this sorted out and working I will have a go for installing/configuring suPHP.

Share this post


Link to post
Share on other sites

 

Just how it is explained in the httpd.conf file:

 

#

# UserDir is disabled by default since it can confirm the presence

# of a username on the system (depending on home directory

# permissions).

#

#UserDir disable

 

#

# To enable requests to /~user/ to serve the user's public_html

# directory, remove the "UserDir disable" line above, and uncomment

# the following line instead:

#

UserDir public_html

 

Erm.. not quite. The "UserDir" directive is for someone to visit http://yourmachine/~fred - and they get dropped into /home/fred/public_html. In most cases, you can safely leave UserDir commented out.

 

(places like Universities and so tend to use it to allow every user to have their own public webspace, but it's not advised)

 

 

# Custom virtualhosts

NameVirtualHost  ipadress:80

<VirtualHost ipadress:80>
## -- DEFAULT: should NEVER get here normally!
ServerName nothing.here
ServerAdmin abuse@127.0.0.1
DocumentRoot /var/www/html/
ErrorLog /var/log/httpd/sniffer_error.log
CustomLog /var/log/httpd/sniffer_access.log combined
Loglevel warn

ScriptAlias /cgi-bin /websites/.blackhole

okay.. this looks like something I wrote... don't forget that /websites/.blackhole should exist as a directory.

 

If it isn't, change it to:

Alias /cgi-bin/ /var/www/html

- this will just redirect people sniffing your cgi-bin area.

 

<VirtualHost ipadress:80>
ServerAlias www.feedmebits.nl
ServerAdmin maarten@feedmebits.nl
DocumentRoot /home/www/public_html/feedmebits.nl
ServerName feedmebits.nl
ErrorLog /log/httpd/websites/feedmebits.nl/error.log
CustomLog /logs/httpd/websites/feedmebits.nl/access.log combined

<Directory /home/www/public_html/feedmebits.nl>
          AllowOverride None
          order allow,deny
          allow from all
          Options Indexes Includes FollowSymLinks
</Directory>
</VirtualHost>

okay.. kinda on the right track there - but check that the path for your CustomLogs exists (do you have a /logs/httpd dir?).

 

I made a normal html page(index.htm) for my blackhole cuz I wasn't exactly sure how to finish it off.

But when I go there(using my ip) I just get my normal apache test page and when I do ip/index.htm I get the page(blackhole)

okay - you're missing one final directive: add the following line into your bucket host (the first VirtualHost):

DirectoryIndex index.htm

The reason you're getting the "welcome to apache!" page is that in your conf.d directory is a file called "welcome.conf" that redirects 403 errors to a welcome page. And as you've not added "Index +Options" on (which you shouldn't, anyway), apache can't find your DirecoryIndex file, fails to serve up a directory listing so then generates a 403 error - which welcome.conf shows as a nice welcome page.

 

(there have been arguments in the Apache group as to if this is a good thing or not).

 

I just set my domein name to my ip today so I think it takes 24-48 hours before that's active.

However I am not able to see my website now which is under /home/www/public_html

Under your ServerName directive, add in something like "ServerAlias feedme.testbed" then add feedme.testbed to your local hosts file. That way, your browser will resolve it to the server IP, and Apache will serve up the same content as though it was feedmebits.nl.

 

 

Will still do some more searching, but it's first time working with apache so I haven't figured out

what I did wrong yet. After I get this sorted out and working I will have a go for installing/configuring suPHP.

I'll have to say - I'm impressed that you've read around and had a go, and had quite a measure of success - you deserve it!

 

Just as a last touch: don't forget to check the apache logfiles, in particular /var/log/httpd/error_log - this often contains some useful information about apache failing/doing odd things.

Share this post


Link to post
Share on other sites

Just another point, glancing through your files...

 

On my server I have several users what own websites, so I create them a localised webroot area. In everyone's home directory is a "webroot" dir, containing the following:

  • htdocs - website content
  • etc - any possible additional site-specific config files
  • logs - logfiles for this site
  • php_temp and php_session - intended for session info and temporary area, set via suPHP, so that any stuff from THIS site doesn't interfere with others'

 

This way, every user has their website completely isolated from others, and it takes me a matter of minutes to set up additional sites just by duplicating a skeleton directory containing those subdirectories.

Share this post


Link to post
Share on other sites

Thanks for the correction on my config file. I will try to apply it later.

"okay.. kinda on the right track there - but check that the path for your CustomLogs exists (do you have a /logs/httpd dir?)."

I just figured out the problem lol, just an overlookd typing error: it's log/http instead of logs/httpd :P hahaha :P

 

Right now I have my user named www. I'll change that as you advise to have a user for every website like you mentioned in your last post. And I just wanted to say I'm so encourage by your compliment:"I'll have to say - I'm impressed that you've read around and had a go, and had quite a measure of success - you deserve it!"

 

It encourges me to continue playing and learning linux, I've been having so much fun lately just doing and playing around :)

And I appreciate I'll the help and tips/advice you've been providing. Btw playing around with my dedicated server is just for

fun so I do a different type of studying more active/practical then my normal studying material :) I'll keep you updated mate.

Share this post


Link to post
Share on other sites

Most of my learning has come about as a result of changing something in /etc, restarting a service, then checking logfiles in /var/log - I learned a lot of Apache/postfix/squid/pureftpd configs that way.

 

(only issue is.. sometimes you get distracted from what you're TRYING to do!)

 

Good luck with the apache stuff. I only configured my server in that way so that individual users could FTP-upload their content and stay away from other sites, i.e. nothing was owned by apache/httpd/www - it was all user-owned and user-maintained content, pretty much.

 

Anyway, glad to have helped. So.. when do we see your new site come online, then?

Share this post


Link to post
Share on other sites

Today I'm going to be trying to get move all my files from how they are now to /home/feedmebits/public_html as you recommended then I'll have to change that in my apache config file

and and I'll fix my blackhole. then I'll have a go out trying to install/configure suPHP, then I'll try implementing some IDS utils maybe that's smarter to do before suPHP?

and and then I'll start working on my website. So you'll seen it as soon as I have the above done. and my website will be hopefully just becoming more of a website over time

will add stuff on it over time. And I also need to look for a way to back/restore up all my important data from my dedicated server. Isn't that usually /home /var /etc that are important to backup?.

Incase I make a really bad screw up which I can't undo cuz reinstalling doesn't sound very fun cuz reconfiguring everything takes so much time lol. And I'll just keep updating this post for when

I'm stuck with something I reallycan't figure out.

Share this post


Link to post
Share on other sites

Under your ServerName directive, add in something like "ServerAlias feedme.testbed" then add feedme.testbed to your local hosts file. That way, your browser will resolve it to the server IP, and Apache will serve up the same content as though it was feedmebits.nl.

 

 

I got my log file figured out, just missed part of the path. it works now and my bucket does to :)

Still not able to access my webpage from my home/username. So I tried like you said; made an Alias:

 

ServerAlias www.feedmebits.nl

 

 

and I added it:"ip www.feedmebits.nl"

to the /etc/hosts file and I restarted apache. I still don't see my website and my ip/dns in my hosting control panel are set right. Think I may have to shoot in a ticket.

Share this post


Link to post
Share on other sites

I figured something out, nameserver for feedmebits.nl were still set to my old hosting provider. So they are going to change it to theirs. I did set my other domein name feedmebits.com to my dedicated server ip too. When I go to www.feedmebits.com I get my home made html test page(it's also my bucket, but get no logs only when I do it via ip. Think I'm still mising something and over looked a configuration. I also tried renaming the server alias to www.feedmebits.com and adding this to the /etc/hosts file and restarting apache but this also had the same result, and no joomla page appearing. So my guess would be that apache still doesn't have enough rights somewhere to access the webcontent under /home/user/webfolder?

 

[root@localhost ~]# cd /home/feedmebits/www/

[root@localhost www]# pwd

/home/feedmebits/www

[root@localhost www]# ls -l

total 4

drwxr-xr-x 15 root apache 4096 Aug 13 11:26 feedmebits.nl

[root@localhost www]#

 

As far as I can see from this apache is in the group and apache has enough rights to read this folder?I'm kind of stuck now.

Share this post


Link to post
Share on other sites

Today I'm going to be trying to get move all my files from how they are now to /home/feedmebits/public_html as you recommended then I'll have to change that in my apache config file and and I'll fix my blackhole. then I'll have a go out trying to install/configure suPHP, then I'll try implementing some IDS utils

Good - you've got it the right way around!

 

Just a note: if you configure another vhost and have the ServerName something that's locally-accessible (eg: an entry in your hosts file that's feedmebits.mylan) but not found out on the internet, then you can use this as a testing area, knowing that someone won't get to it by accident.

 

From that point, you can configure suPHP to work against specific vhosts (turn it on for a testbed) and watch the logfiles to see what works/breaks. Then perform tweaks until it works under suPHP, and apply those changes to your live site.

 

You'll find that once you add suPHP it locks a LOT of stuff down and requires you to do a lot of tightening up before apache will consider serving up pages. Logfiles here are a MUST.

maybe that's smarter to do before suPHP?

The IDSes need to feast off logfiles, so having some logging running then monitoring them for suspicious activity is my way around - else you'll not know if the IDS is actually preventing suPHP or apache from serving pages.

 

I know there are some default rules for fail2ban, but it's worth building up some data first before playing with them - else F2B will be hunting for logfiles that don't exist or are empty.

and and then I'll start working on my website. So you'll seen it as soon as I have the above done. and my website will be hopefully just becoming more of a website over time

will add stuff on it over time.

Good, good - sounds like a plan.

And I also need to look for a way to back/restore up all my important data from my dedicated server. Isn't that usually /home /var /etc that are important to backup?.

With any server, I recommend trying to split the directories into dynamic/static stuff, and data/programs. From there, decide what needs to backup and how often. In your case:

/home - contains important data like website stuff, so probably daily

/var - contains logs and diagnostic stuff, but no important data, so maybe weekly

/etc - contains config files that don't change often, so maybe 2-weekly, or monthly.

 

Another area you may want to consider is /usr/local - I drop custom scripts into /usr/local/bin and /usr/local/sbin on my servers.

 

Any backup plan usually revolves around the recovery plan. So ask yourself two questions:

1. if I lose my server and I need to rebuild it, what files/dirs do I need to add to a fresh install to get it back?

2. how can I make the backup/restore process easier to manage?

 

The first you've pretty much considered. The second is really about not spreading your important data around the place, and not trying to recover stuff that you don't need to (don't backup /tmp, for instance)

Incase I make a really bad screw up which I can't undo cuz reinstalling doesn't sound very fun cuz reconfiguring everything takes so much time lol. And I'll just keep updating this post for when

I'm stuck with something I reallycan't figure out.

Backups mean you have copies of important data before things went wrong - either through a change you manually did, something automatic, or something catastrophic. Even making a copy of httpd.conf to httpd.old before making changes is considered a backup - ensure you've got a way of "rolling back time".

 

Also, as a last point: once you've created your backup, try having a go at a restore - see if you can get back one config file or recover some website data to another directory. Not only does it help to test your plan, but it also means you are more prepared for when you DO need to perform a recovery.

 

Keep at it!

Share this post


Link to post
Share on other sites

and I added it:"ip www.feedmebits.nl"

to the /etc/hosts file and I restarted apache. I still don't see my website and my ip/dns in my hosting control panel are set right. Think I may have to shoot in a ticket.

Check that your machine is correctly resolving the hostname to the IP address - depending upon how your nsswitch is setup, your client machine may try DNS before it tries hosts files.

 

If you add an alias of something that definitely isn't valid on the internet (ServerAlias www.feedmebits.testbed) then add that to your host file, your client machine will definitely be forced to pick up that IP address - rather than attempt to use DNS.

Share this post


Link to post
Share on other sites

nameserver for feedmebits.nl were still set to my old hosting provider...

 

.. I go to www.feedmebits.com I get my home made html test page(it's also my bucket, but get no logs only when I do it via ip.

Which site are you trying to set up?

 

It may help if you provide a list of domains for which you want Apache to serve - we can take it from there.

Share this post


Link to post
Share on other sites

and I added it:"ip www.feedmebits.nl"

to the /etc/hosts file and I restarted apache. I still don't see my website and my ip/dns in my hosting control panel are set right. Think I may have to shoot in a ticket.

Check that your machine is correctly resolving the hostname to the IP address - depending upon how your nsswitch is setup, your client machine may try DNS before it tries hosts files.

 

If you add an alias of something that definitely isn't valid on the internet (ServerAlias www.feedmebits.testbed) then add that to your host file, your client machine will definitely be forced to pick up that IP address - rather than attempt to use DNS.

/etc/hosts format is like this right? I haven't really worked with it alot:

 

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1 localhost.localdomain localhost

::1 localhost6.localdomain6 localhost6

 

#I edited file from here:

myserverip feedmebits.nl (second part being the alias?)

myserverip feedmebits.testbed (second part being the alias?)

Share this post


Link to post
Share on other sites

nameserver for feedmebits.nl were still set to my old hosting provider...

 

.. I go to www.feedmebits.com I get my home made html test page(it's also my bucket, but get no logs only when I do it via ip.

Which site are you trying to set up?

 

It may help if you provide a list of domains for which you want Apache to serve - we can take it from there.

 

Basically feedmebits.nl feedmebits.com and feemdmebits.net

 

feedmebits.nl is what my virtual domain is setup for. hosting provider still needs to change my nameservers to

my new hosting provider for feedmebits.nl

and I still can't reach my web content yet even though rights are set right for apache as far as I can see.

 

[root@localhost www]# pwd

/home/feedmebits/www

[root@localhost www]# ls -l

total 4

drwxr-xr-x 15 root apache 4096 Aug 13 11:26 feedmebits.nl

[root@localhost www]#

 

if you got www.feedmebits.com I get my bucket not my joomla page. And it also logs it, thought with the bucket it should only log when directly using my ip?

And would you advise using rsync or rsnapshot for backup/restores?

Share this post


Link to post
Share on other sites

Here's how I'm trying to get it setup:

domains I own: feedmebits.nl(hosting provider needs to edit nameservers), feedmebits.net and feedmebits.com

 

For feedmebits.com I also pointed towards my dedicated servers ip.

 

My website data I have under /home/feedmebits/www/feedmebits.nl

So basically when I go to either feedmebits.com feedmebits.nl or feedmebits.net I went to end up where my virtualdomain website is located.

Right now I tried editing my apache file and change my alias to http:/feedmebits.com and a and also changing that in the hosts file to see if my

joomla site would be accessible but I still end up in my bucket. So I'm thinking apache still can't read out of my /home/feedmebits/www folder

So the main problem I'm having right now is getting apache to read/use /home/feedmebits/www instead of /var/www/html/.blackhole when going to

feedmebits.com (cuz feedmebits.nl I have set to the same ip as feedmebits.com so they should both end up in the same place)

I hope it's a bit more clear now. Cuz it's getting kind of confusing, but I guess in the end I will learn from it :)

 

 

 

host control panel domein:

feedmebits.nl: connected to my dedicated server ip but they need to change the nameservers

feedmebits.net: doesn't really matter right now, can change the ip later

feedmebits.com: has my dedidated server ip connected to it.

 

How it is setup in my config file.

 

And here's what my /etc/hosts file looks like:

 

/etc/hosts:

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1 localhost.localdomain localhost

::1 localhost6.localdomain6 localhost6

 

#I edited file from here:

myserverip http://feedmebits.nl

 

---------------------------------

 

httpd:conf

# Custom virtualhosts

NameVirtualHost myserverip:80

 

## -- DEFAULT: should NEVER get here normally!

ServerName nothing.here

ServerAdmin abuse@127.0.0.1

DocumentRoot /var/www/html/.blackhole

ErrorLog /var/log/httpd/sniffer_error.log

CustomLog /var/log/httpd/sniffer_access.log combined

Loglevel warn

 

DirectoryIndex index.htm

ScriptAlias /cgi-bin /var/www/html/.blackhole

 

 

## this redirects any sniffers over to the right page...

#AliasMatch ^/(.*) /websites/.blackhole/index.php

 

 

 

ServerAlias http://feedmebits.nl

ServerAdmin maarten@feedmebits.nl

DocumentRoot /home/feedmebits/www/feedmebits.nl

ServerName feedmebits.nl

ErrorLog /var/log/httpd/websites/feedmebits.nl/error.log

CustomLog /var/log/httpd/websites/feedmebits.nl/access.log combined

Loglevel warn

 

AllowOverride None

order allow,deny

allow from all

Options Indexes Includes FollowSymLinks

Share this post


Link to post
Share on other sites

if you got www.feedmebits.com I get my bucket not my joomla page. And it also logs it, thought with the bucket it should only log when directly using my ip?

No - you'll get the bucket is no vhost is matched.

 

If you want www.feedmebits.com to serve up your second or third vhost, then you need to add it as a ServerAlias entry, eg:

 

<VirtualHost ipadress:80>

   ServerAdmin maarten@feedmebits.nl
   ServerName feedmebits.nl
   ServerAlias www.feedmebits.nl www.feedmebits.com

   DocumentRoot /home/www/public_html/feedmebits.nl
   ErrorLog /log/httpd/websites/feedmebits.nl/error.log
   CustomLog /logs/httpd/websites/feedmebits.nl/access.log combined

   <Directory /home/www/public_html/feedmebits.nl>
      AllowOverride None
      order allow,deny
      allow from all
      Options Indexes Includes FollowSymLinks
   </Directory>
</VirtualHost>

 

For a website to show up, two things need to happen:

1. The URL resolves to a server

2. a ServerName or ServerAlias needs to match that URL.

 

The idea of the bucket is that if a URL resolves to that IP but no ServerName/Alias matches it, the bucket is shown. So if you type in a URL and you get your bucket, it's definitely resolving to the right IP address.. but Apache isn't matching it to a host header name (the ServerName/Alias bit).

 

You're pretty much there!

 

nb: as I mentioned before, pick some non-resolvable aliases to add to your hosts file and apache configs to test them out, eg:

## in my hosts file
192.168.24.47    feedmebits.testbed

 

Then in Apache:

<VirtualHost *:80>

   ServerAdmin maarten@feedmebits.nl
   ServerName feedmebits.nl
   ServerAlias www.feedmebits.nl www.feedmebits.com feedmebits.testbed
...

 

Then you should be able to ping "feedmebits.testbed" and get an IP back, and your browser should point to this Apache install which will serve up this particular vhost.

Share this post


Link to post
Share on other sites

I pinged from my server to feedmebits.testing and I got an ip. I sent you the results in a pm cuz don't really want to post my ip here.

And I am able to ping now from my own pc at home to www.feedmebits.com and I get an ip/reply.I don't quite get the last part yet:

and your browser should point to this Apache install which will serve up this particular vhost.

 

I then try editing /etc/hosts to:

myip feedmebits.com

 

and then try going to feedmebits.com and I get

403 forbidden. and when I go to my ip I get my

bucket .htm page.But the bucket is still confusing to me

cuz I don't see anything appearing in my logs when I

try it by ip. Think I'm just not understanding one

part yet but I'm a bit closer to understanding now.

Could you test out my bucket and see what you get?

Share this post


Link to post
Share on other sites

Check /var/log/httpd/sniffer_access.log - that's your bucket logfile, isn't it?

Share this post


Link to post
Share on other sites

Check /var/log/httpd/sniffer_access.log - that's your bucket logfile, isn't it?

 

Yeah it seems to be working but seems like there's a delay in my log

Share this post


Link to post
Share on other sites

Haha interesting. I've already seen two people sniffing: one from dallas,texas and the other from Moldova, Republic of, Chisinau. But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

 

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

 

that's from my sniffer access log

[15/Aug/2011:00:56:11 +0200] "GET /favicon.ico HTTP/1.1" 200 146 "http://feedmebits.net/" "Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6"

 

and this is from my sniffer-error log:

[Mon Aug 15 11:08:48 2011] [error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

[Mon Aug 15 11:17:29 2011] [error] [client 67.205.102.172] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

[Mon Aug 15 11:50:53 2011] [error] [client 50.73.155.220] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

[Mon Aug 15 15:17:17 2011] [error] [client 204.95.105.213] File does not exist: /var/www/html/.blackhole/phpmyadmin

 

Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of

security reasons. And the ip belongs to United States Redmond Microsoft Corp . Why would they be trying to access my phpmyadmin

? Probably someone who hacked them and is using them as a proxy? hahaha viewing logs are fun :) . Will be more fun once I get my site working and my IDS setup biggrin.png

Share this post


Link to post
Share on other sites

But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

 

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

That's because you don't have feedmebits.net mentioned as a ServerName or ServerAlias in your config files.

 

Essentially if you end up in the bucket, Apache can't match your requested URL to a site so drops you into its first one.

 

 

 

Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of

security reasons. And the ip belongs to United States Redmond Microsoft Corp . Why would they be trying to access my

The first are a sniff for a long-forgotten, the DFind scanner vuln - google w00tw00t if you want to know more information.

 

The phpmyadmin one is the reason I recommend people NOT to have it running against your default site (disable it in conf.d/ dir) - bind it to a vhost instead if needed.

Share this post


Link to post
Share on other sites

I already remove phpmyadmin last week cuz anyweb said it's security wise better to do it via the commandline. And the more i use command line the better and the easier the command line becomes I suppose smile.png

 

The rest I posted here

Share this post


Link to post
Share on other sites

But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

 

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

That's because you don't have feedmebits.net mentioned as a ServerName or ServerAlias in your config files.

 

Essentially if you end up in the bucket, Apache can't match your requested URL to a site so drops you into its first one.

 

 

 

Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of

security reasons. And the ip belongs to United States Redmond Microsoft Corp . Why would they be trying to access my

The first are a sniff for a long-forgotten, the DFind scanner vuln - google w00tw00t if you want to know more information.

 

The phpmyadmin one is the reason I recommend people NOT to have it running against your default site (disable it in conf.d/ dir) - bind it to a vhost instead if needed.

I didn't get this last part how to disble it, I have the conf.d directory but doesn't s mention phpmyadmin anywhere in there. And how do I bind phpmyadmin to a virtualhost.

before I removed phpmyadmin I did it like this

 

I guess if you say bind I would have to do it like this:?

 

Alias /phpmyadmin /var/www/html/website/webfolder/phpmyadmin

 

 

 

btw I understand the blackhole now and replace my html page with your alias which give and error smile.png Brilliant!!! biggrin.png

Share this post


Link to post
Share on other sites

BTW -= you don't need to quote the entire post back to reply - I can't view the entire lot on this small netbook here and it makes it difficult to reply!

 

It should be in /etc/apache2/mods-enabled in Debian 6, I think. That's where it is on my tower.

Share this post


Link to post
Share on other sites

BTW -= you don't need to quote the entire post back to reply - I can't view the entire lot on this small netbook here and it makes it difficult to reply!

 

It should be in /etc/apache2/mods-enabled in Debian 6, I think. That's where it is on my tower.

 

LOL sorry about that mate.

 

I got my website working :) /home/username was not accessibly by apache

and the directory for index.php was not set now it all works :)

Share this post


Link to post
Share on other sites

I did something really not smart but I managed to get it working again. i wanted to reinstall my website so I remove the /home/feedmebits/_public_html/feedmebits.nl and then I downloaded joomla again and tried reinstalling I got an error saying the page doesn't exist and I don't have permissions. I fixed this by deleting the user feedmebits and recreating the whole path. And it worked. While doing this I realized I made a very stupid/HUGE mistake but I'm glad I realized it. After creating the new user with root I made the new folders in that user's account with root and also download joomla as root. That way all files were owned by root instead of feedmebits. So I deleted all the folders I made with root under /home/feedmebits and su - user and made the path with the normal user and now I am able to install my website again. Only thing I don't understand is why I get an error if delete /home/feedmebits/public_html/feedmebits.nl and then create folder with the same name again and chgrp and chmod -R again?

 

before: drwxr-xr-x 3 root apache 4096 Aug 16 14:12 public_html

after: drwxr-xr-x 3 feedmebits apache 4096 Aug 16 14:12 public_html

Share this post


Link to post
Share on other sites

Joomla probably needs write access to some directories, so you'll need to "chmod -R g+w public_html" the dir so that Apache can write to it (unless you've set up suPHP)

 

Note: It's not a good idea to delete your DocumentRoot directory - Apache will fail to start if it can't locate this dir. A safer method is to move the content into another dir but leave the DocumentRoot there, then drop a basic index.html placeholder to check Apache is working right.

 

Also: consider downloading and extracting as a non-root user, so you don't have to keep changing permissions/ownership over.

Share this post


Link to post
Share on other sites

Joomla probably needs write access to some directories, so you'll need to "chmod -R g+w public_html" the dir so that Apache can write to it (unless you've set up suPHP)

 

Note: It's not a good idea to delete your DocumentRoot directory - Apache will fail to start if it can't locate this dir. A safer method is to move the content into another dir but leave the DocumentRoot there, then drop a basic index.html placeholder to check Apache is working right.

 

Also: consider downloading and extracting as a non-root user, so you don't have to keep changing permissions/ownership over.

 

Thanks for the tip will do that next time. Yeah I figured that one out today too after I saw that everything was owned by root lol. Have a normal user account now too.

I gave gave apache(group) 755 rights and then in my mail webfolder where joomla is at. I left the folders at 755 and I change the files to 644 and I think that should be fine.

It's what Joomla-documentation advised.

Share this post


Link to post
Share on other sites

That will only apply if the directory is apache-owned (gets 7). If it's apache-group, then it'll get 5, meaning it will be unable to write to directories, causing the original problem as before.

Share this post


Link to post
Share on other sites

That will only apply if the directory is apache-owned (gets 7). If it's apache-group, then it'll get 5, meaning it will be unable to write to directories, causing the original problem as before.

 

Yeah I think I see what you are saying now. so it should be chmod -R 775 /home/username/public_html/example.com When username is in the group apache?

I get what you mean now. When DocumentRoot is in the apache group and you only have 755 permissions apache can only read/execute so when installing a template

cannot move file. As soon as I change it to 775 I can install a template meaning apache can write because the DocumentRoot being in the apache group

and giving apache group(being others) r/w/x permissions. Right?

Share this post


Link to post
Share on other sites

Just another point, glancing through your files...

 

On my server I have several users what own websites, so I create them a localised webroot area. In everyone's home directory is a "webroot" dir, containing the following:

  • htdocs - website content
  • etc - any possible additional site-specific config files
  • logs - logfiles for this site
  • php_temp and php_session - intended for session info and temporary area, set via suPHP, so that any stuff from THIS site doesn't interfere with others'

This way, every user has their website completely isolated from others, and it takes me a matter of minutes to set up additional sites just by duplicating a skeleton directory containing those subdirectories.

 

What would be a smart way to set it up then for multiple/websites/users. Then I would think in apache I would have to make DocumentRoot /home?

I think you mean like this?:

 

/home/user1/public_html/: /htdocs /etc /logs /php_temp /php_session

/home/user2/public_html/: /htdocs /etc /logs /php_temp /php_session

 

But if you place your logs and config files in here can't the outside world get to your this file if your DocumentRoot is /home?

and read these files? or would it be better to setup DocumentRoot in a different way in httpd.conf? Just trying to figure out

how I would be able to do it for multiple users and what would be a smart way. How you said it makes sense but still trying

to figure out if the outside world can read the /logs /etc.... and maybe have to set my DocumentRoot up differently for

multiply users. or would it be best to set the permissions for seperately for these folders /log /etc /php_temp /php_session as 770

and then chmod -R 775 /htocs and leaving user1 and public_html at 775? Just trying to make sense out of so that it's a safe setup.

so that apache can write in /htocs and in /etc /logs/ php_temp /php_session and others can't r/w/x these seperate folders?Sounds logical....in a way

Share this post


Link to post
Share on other sites

no, DocumentRoot should be /home/user1/htdocs for the first vhost, /home/user2/htdocs for the second,etc

 

The DocumentRoot is set per-vhost.

Share this post


Link to post
Share on other sites

no, DocumentRoot should be /home/user1/htdocs for the first vhost, /home/user2/htdocs for the second,etc

 

The DocumentRoot is set per-vhost.

 

ah ok. Then it would mean I could comment out this part if you set it for each vhost seperately because it being set in the virtualhost?:

 

# DocumentRoot: The directory out of which you will serve your

# documents. By default, all requests are taken from this directory, but

# symbolic links and aliases may be used to point to other locations.

#

#DocumentRoot "/var/www/html"

 

I did try and comment it out and restart apache, apache restarts with no problems.

So seems if it's set under the vhost itself I can comment out the Main DocumentRoot?

 

ServerName example.nl

ServerAlias example.net www.example.net

ServerAdmin admin@example.net

DocumentRoot /home/username/htdocs

ErrorLog /var/log/httpd/websites/website1/error.log

CustomLog /var/log/httpd/websites/website1/access.log combined

 

AllowOverride None

order allow,deny

allow from all

Options Indexes Includes FollowSymLinks

DirectoryIndex index.php

 

and then place /etc /var etc.. under username?

Share this post


Link to post
Share on other sites

Yup - that's basically it.

 

Essentially, all Apache directives live in one of four places:

  1. server-specific (like ServerRoot)
  2. vhost-specific (like ServerName)
  3. directory-specific (like DirectoryIndex)
  4. htaccess - like Allow, Deny - depending upon dir-specific directives.

 

Any directive that's "promoted" to a higher level means it's a default for lower down, so if in your main server level you have "DirectoryIndex default.php" then that becomes the default for ALL vhosts, unless it's overridden lower down.

 

This can be a time saver in that it saves having to repeat all identical directives in each and every vhost. However, it can cause problems when someone changes something at server level and causes unexpected behaviour when it propagates down (vhosts relying on default behaviour).

 

This is also the reason why if you don't specify ErrorLog or CustomLog in any vhost, it picks up all the settings from the main config file and EVERY site visit is logged into one big file. I split things out strictly for each vhost, then look at consolidating some things higher up once I have each setting - but that's just me (I'm paranoid at having incorrect settings in Apache, for I know how vulnerable a default state can be!)

 

Note that some directives are Server level ONLY - ServerRoot is one example - it can't exist lower down.

 

All of these directives are explained in the Apache docs. There's a column to the right showing which levels they are permitted/banned.

 

Good to hear you've got it all working!

 

nb: I have a default index page that I tend to pop into directories just to show that a site is working - I'll upload it if you want to use it.

Share this post


Link to post
Share on other sites

Yup - that's basically it.

 

Essentially, all Apache directives live in one of four places:

  1. server-specific (like ServerRoot)
  2. vhost-specific (like ServerName)
  3. directory-specific (like DirectoryIndex)
  4. htaccess - like Allow, Deny - depending upon dir-specific directives.

 

Any directive that's "promoted" to a higher level means it's a default for lower down, so if in your main server level you have "DirectoryIndex default.php" then that becomes the default for ALL vhosts, unless it's overridden lower down.

 

This can be a time saver in that it saves having to repeat all identical directives in each and every vhost. However, it can cause problems when someone changes something at server level and causes unexpected behaviour when it propagates down (vhosts relying on default behaviour).

 

This is also the reason why if you don't specify ErrorLog or CustomLog in any vhost, it picks up all the settings from the main config file and EVERY site visit is logged into one big file. I split things out strictly for each vhost, then look at consolidating some things higher up once I have each setting - but that's just me (I'm paranoid at having incorrect settings in Apache, for I know how vulnerable a default state can be!)

 

Note that some directives are Server level ONLY - ServerRoot is one example - it can't exist lower down.

 

All of these directives are explained in the Apache docs. There's a column to the right showing which levels they are permitted/banned.

 

Good to hear you've got it all working!

 

nb: I have a default index page that I tend to pop into directories just to show that a site is working - I'll upload it if you want to use it.

 

Sure that would be great :) cuz I'll be playing with apache for a while still go so much more to learn about apache:

 

suPHP

Mod_security

htaccess

 

Mod_proxy

Mod_SSL

Mod_cgi

mod_suexec

etc.

 

But will need to take my time to figure those out. cuz I took a glance at apache documentation but

seems kind of tricky/complicated to understand.

Share this post


Link to post
Share on other sites

suEXEC works like suPHP, but for cgi-bin executables. I don't allow cgi-bin on my servers (am wary of permitting mod_perl in many cases) so don't use it.

 

mod_ssl is for SSL-enabling sites. Once you've got one working, it's a simple matter to duplicate the template for other sites. Just note that you can't SSL-enable vhosts, you can only ssl-enable the IP.

 

mod_proxy I don't use, unless I'm using mod_rewrite (which requires mod_proxy). Again, I found this fairly easy to set up, but it helped me going through the rigmarole of suPHP first so all files apache were writing were user-owned, not apache-owned.

Share this post


Link to post
Share on other sites
Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...