Setting up a webserver and ftp

semperfiguy · 2008-12-03 21:10:03

Hello, I am looking to set up a web server along with FTP.

For the web server, can anyone recomend a tutorial for setting up apache and php? Could you also recomend one for using wordpress software.

Also can anyone tell me how to set up a FTP server for my personal use so I can acess files from school or whatever?

Thank you

Last edited by semperfiguy (2008-12-03 22:10:01)

fukawi2 · 2008-12-03 22:07:47

semperfiguy wrote:

For the web server, can anyone recomend a tutorial for setting up apache and php? Could you also recomend one for using wordpress software.

http://wiki.archlinux.org/index.php/LAMP

PinkFloydYoshi · 2008-12-03 23:36:04

If you're putting it out on the net, especially with Wordpress, you might also consider compiling an Apache 2 module called "mod_security". From what I can tell, mod_security is an orphaned package from the "Extras" repo. It's saved my skin a few times. It takes a bit of configuring but where it says "You know how paranoid you are" in the LAMP tut, I kind of define it. I've had a box broken in to before while using a hosting control panel called "VHCS" and there's two missing lines from the registration scripts which allow a registered user to gain elevated privileges. There's actually a public script which all you do is put a target server in, hit go, and it gives you a randomly generated account on the new server with admin privs. Didn't realize it was there until I dug through Apache's logs to find out what happened to find I had been hit with the same public exploit script! Fair enough I fixed the exploit myself, but mod_security would have actually stopped it if it were installed too.

Wordpress is very very good at it's job, and it's very very secure, but because it's so popular when a vulnerability is found, the skiddies are all over it. I admit, my Wordpress install is so out of date that I should have been broken in to hundreds of times, but mod_security does a good job deflecting them. Not to mention it also logs each attempt with IP address and what they tried doing.

semperfiguy · 2008-12-05 22:31:38

How would you recomend setting up a FTP server that can be accessed by windows, mac and archlinux? Also how would you go about securing it so that only me and my family would be able to use it?

I have no Idea how to configure wordpress. Do you just install it from aur, and then go to localhost/wp-admin? There is quite a bit that goes into securing it I guess. I also heard good things about serindipity. Is that a good choice for setting up a blog?

Basically, I am trying to figure out how to set up a website with an easy content management system so I don't have to recode the webpage everytime I want to add a post or whatever. Any suggestions on this? or stick with wordpress?

lucke · 2008-12-05 22:41:14

Instead of using ftp, I'd suggest using scp/sftp - basically you just need to have a ssh server running, you can use WinSCP or putty tools to access it from Windows.

Endperform · 2008-12-06 00:22:59

semperfiguy wrote:

How would you recomend setting up a FTP server that can be accessed by windows, mac and archlinux? Also how would you go about securing it so that only me and my family would be able to use it?
I have no Idea how to configure wordpress. Do you just install it from aur, and then go to localhost/wp-admin? There is quite a bit that goes into securing it I guess. I also heard good things about serindipity. Is that a good choice for setting up a blog?
Basically, I am trying to figure out how to set up a website with an easy content management system so I don't have to recode the webpage everytime I want to add a post or whatever. Any suggestions on this? or stick with wordpress?

If this is going to be internal only, you might opt for setting up a Samba share internally. I have no experience with Serendipity, but have been using Wordpress on my site for some time now without issues. As far as securing it, you haven't told us whether or not you intend on putting this on the net. If you are, you'll most likely have to set up authentication with Apache so whoever you want to get there would need to have a username and password. Of course, if it's only going to be internal on your network and not on the net, your router should provide enough defense to keep people from accessing your web server, but you'll want to of course check the firewall settings regardless.

semperfiguy · 2008-12-06 21:43:30

The web log itself will be on the net. So that will need to be secured.

As for the FTP, I would still want to be able to access it while I'm away at school, and all that good stuff. It would have to be secured then too correct?

fukawi2 · 2008-12-07 21:46:54

I've been having good experiences with CMS Made Simple

PM me and I'll send you some examples if you want... (Don't want to be accused of spamming by posting them here!)

semperfiguy · 2008-12-08 16:04:06

Allright. I think I figured out how to set up wordpress and the webserver and everything from that wiki article. Now I just need some tips on securing it. I should create another account on the sql database without the big privileges to use for wordpress, correct? mod_security is another good program to try?

On the FTP server, how would I go about setting that up, and what methods would I use to secure it? Would a samba share be accessible while I am away at school, and yet secure enough to keep from being broken into?

I appreciate all the suggestions and replies so far. They have helped alot.

lucke · 2008-12-08 19:47:00

As I said, probably the best and easiest way is to use ssh's sftp - you just set up a ssh server (which you probably already have) and use a proper client to transfer files, using regular shell accounts. All traffic is encrypted that way and that's the only downside - transfers might be a bit slower compared to unencrypted solutions. Setting ftp isn't as easy (and ftp generally isn't as secure) and it depends on the ftp server you choose to use (eg. vsftpd).

Last edited by lucke (2008-12-08 19:47:43)

PinkFloydYoshi · 2008-12-09 20:57:44

I agree that SFTP (The SSH method) is the most secure and I recommend it if you are able to easily deploy SFTP clients and configuring them without too much trouble. And on that note, if you go down this route be sure to change your SSH port from 22 to something above port 1024 (and remember what you set it to otherwise you won't be able to access it; locked myself out a VE in Florida the once by typing 'exit' a little too soon without noting the new port!), otherwise you'll discover after a week or so that your SSH server is getting hammered by brute forcing trojans on other compromised servers. If your password is strong enough, you shouldn't be too bad but you want to stop the attempts otherwise your server will be using most of it's time saying "no" to all the attempts.

mod_security is an Apache 2 module and is used by those who are really serious about security. It's not a simple case of installing it sadly as I couldn't find it in pacman (I was probably having a blonde moment at the time though and missed it) but all the information you'll need is located here:

http://www.modsecurity.org/

Changing your server signature is highly recommended as your server signature gives away what server you're using and whats installed. This tells potential attackers what sort of attack surface you have so they pick the right tools to (...and I know it sounds rather twisted, but...) "do the job". Changing it forces them to resort to other methods of trying to get your server name out of your box, methods which mod_security will also protect you against. Setting up Mod_Security to have Apache report itself as an IIS server results in skiddies trying IIS buffer overflow attacks and a whole host of other IIS exploits being attempted on your box (none of which will work of course).

Edit reason: Spelling corrections. It's all fingers and thumbs.

Last edited by PinkFloydYoshi (2008-12-09 21:03:24)

brisbin33 · 2008-12-09 21:20:44

just my two cents.

i use vsftpd to have an ftp repo for config/screenshot files only (primarily for linking in this forum). it's set up for anonymous logins only, no uploads, chrooted to it's own folder, etc. pretty secure. i use sshd with private/public key authentication (very easy to set up and stops all those brute force attacks w/o moving the port around) for everything else.

scp/sftp would be very easy to learn/use for when you're away at school. carry you're public key on a usb keychain (w/ a good passphrase) and you're good to connect from anywhere. been working well for me so far.

both of my methods were set up from the wiki (and google for the public/private key business)

semperfiguy · 2008-12-10 19:26:27

Alright. That sounds good. So I am going to install openssh and configure it to only allow logins from specified users. Then I need to set up private/public key authentication and it should be pretty secure? Thank you for your help. I will try and put those suggestions to use.

PinkFloydYoshi · 2008-12-14 01:01:52

I think I should give that public/private key business a try, as brisbin33 mentioned. I had thought about it previously but right now, even though I've gone out of my way to change ports around I'm just waiting for one of my sites on one of my boxes to appear with a "Cracked by" page. I've had it happen once, not nice. :s

Have used vsftpd before but it's been a very long time since I touched it, have used SFTP/SCP for a long time now and it's not given me problems thus far - touch wood.

Good luck semperfiguy and let us know how you get on.

Edit reason: The keys kept moving beneath my fingers.

Last edited by PinkFloydYoshi (2008-12-14 01:03:07)

semperfiguy · 2008-12-20 20:24:31

Alright. I finally got home and started setting up my server box in the basement. First up is SSH.

I installed openssh on both laptop and server, then configured the server to disable root login, enable protocol 2 and change the port.

I ran ssh-keygen, supplied a passphrase and then moved the private key to the appropriate spot on the server. Now I have a public keys with a passphrase on my laptop, so can I just copy that to a usb drive, and I can connect from anywhere basically?

Also is the server secured with a passkey, or is there something else I need to add to only allow computers with my public key to login?

The web server will come as soon as I can get to aur to enable wordpress...

(followed first few steps from here: http://wiki.archlinux.org/index.php/Using_SSH_Keys)

Last edited by semperfiguy (2008-12-20 20:58:50)

fukawi2 · 2008-12-21 01:01:03

You've got it the wrong way round... Public Key goes on the server, you keep the private key (hence it's 'private')

semperfiguy · 2008-12-21 01:22:33

Sorry, my bad. I actually did put the public key on the server, just got confused and typed it wrong on here. I think I have ssh configured correctly. I have a hard password for root, a regular user that is logged into, and no password authentication, only pub/private key access.

My next project for this server is further securing it, and setting up a proxy. Looks like squid is a good choice for this? I need to be able to forward requests to a sageTV server and send to the web server.

Also where is a good place to be storing files from ssh and scp? I made only a 10gig home partition because I didn't think it would be used that much, but I made a 50g /srv partition. Is there a way to create a folder where all files are uploaded and taken from on that partition?

Hrod beraht · 2008-12-21 17:13:28

semperfiguy wrote:

Also where is a good place to be storing files from ssh and scp? I made only a 10gig home partition because I didn't think it would be used that much, but I made a 50g /srv partition. Is there a way to create a folder where all files are uploaded and taken from on that partition?

Along with ssh/scp, if you are going to be moving many files back and forth, consider using sshfs so that you can just mount your server to your Linux desktop. That way you can then use your nomral GUI file manager from your desktop to just drag and drop files.

Bob

semperfiguy · 2008-12-21 19:30:38

So how do I go about setting up a proxy server?

Client side I configure everything to send web traffic on some obscure port like 6793, and then server side I need a proxy to listen for port 6793 and then send that out on port 80? Is this correct thinking? how would I go about accomplishing this? I appreciate all the help and tips everyone is giving, it really helps alot.

semperfiguy · 2008-12-22 23:34:55

Configured squid to be my proxy. It seems to be working correctly. Currently I only have one port open going into the server(the port I ssh in on) via iptables. But for my webserver I am going to open up port 80 too. So I need some extra security. I cannot download that modsecurity package off the BSN site or modsecurities site for some reason. I will try again tomorrow.

But what are some common things I should lock down in order to keep security on the webserver side of things?

What permissions should my files in /srv/http be?

How do I change apache to automaticly supply the wordpress directory? for example, I type in my hostname, and it automatically points to hostname/wordpress (where my web page is). I have tried setting this in the /etc/httpd/conf/httpd.conf file, but then links insert an extra "/wordpress/" which breaks the links. How do I ge around this?

semperfiguy · 2009-01-02 21:18:56

How do I go about sharing files and folders? Thats the only thing I have left. For linux to linux, I can either mount it via sshfs or scp. But for windows, what do I do to share that file?

I figured out all of my issues. I got modsecurity installed and added the modules. Any thing else I should add/change for security?

As for getting my hostname to automaticly point to the /wordpress/ directory, that option is changed within wordpress. In case anyone else was wondering.

Arch Linux

#1 2008-12-03 21:10:03

Setting up a webserver and ftp

#2 2008-12-03 22:07:47

Re: Setting up a webserver and ftp

#3 2008-12-03 23:36:04

Re: Setting up a webserver and ftp

#4 2008-12-05 22:31:38

Re: Setting up a webserver and ftp

#5 2008-12-05 22:41:14

Re: Setting up a webserver and ftp

#6 2008-12-06 00:22:59

Re: Setting up a webserver and ftp

#7 2008-12-06 21:43:30

Re: Setting up a webserver and ftp

#8 2008-12-07 21:46:54

Re: Setting up a webserver and ftp

#9 2008-12-08 16:04:06

Re: Setting up a webserver and ftp

#10 2008-12-08 19:47:00

Re: Setting up a webserver and ftp

#11 2008-12-09 20:57:44

Re: Setting up a webserver and ftp

#12 2008-12-09 21:20:44

Re: Setting up a webserver and ftp

#13 2008-12-10 19:26:27

Re: Setting up a webserver and ftp

#14 2008-12-14 01:01:52

Re: Setting up a webserver and ftp

#15 2008-12-20 20:24:31

Re: Setting up a webserver and ftp

#16 2008-12-21 01:01:03

Re: Setting up a webserver and ftp

#17 2008-12-21 01:22:33

Re: Setting up a webserver and ftp

#18 2008-12-21 17:13:28

Re: Setting up a webserver and ftp

#19 2008-12-21 19:30:38

Re: Setting up a webserver and ftp

#20 2008-12-22 23:34:55

Re: Setting up a webserver and ftp

#21 2009-01-02 21:18:56

Re: Setting up a webserver and ftp

Board footer