Configure a CentOS 6.4 Web Server on Rackspace - Part 3: Starting the Server
Firewall
First we need to start iptables (the CentOS 6 firewall) and open the few ports that must be reachable from the internet:
$ sudo service iptables start
Let's make sure the server always starts iptables after a reboot:
$ sudo chkconfig iptables on
Now we need to open some ports in our firewall. We'll do that using the text-mode configuration tool (system-config-firewall-tui) we installed earlier:
$ sudo system-config-firewall-tui
# If it refuses to start, run the command below; the cause is this bug:
# https://bugzilla.redhat.com/show_bug.cgi?id=1123919
$ sudo service messagebus start
Hit the tab key to highlight the Customize button, then press enter. Use the arrow keys to scroll through the list, and hit enter to enable each service whose port needs to be opened. A star will appear next to each service we've enabled. For now let's open just three ports:
[*] SSH
[*] Secure WWW (HTTPS)
[*] WWW (HTTP)
Hit the tab key again to highlight the Close button, then press enter. On the next screen select OK, then press enter.
Note: Don't open the FTP port. Plain FTP sends your password and files in clear text. Always use SFTP instead: it works just like FTP from the client's point of view but runs over the SSH connection on port 22, which is already open and encrypted.
Now we need to restart iptables so that our rules will take effect:
$ sudo service iptables restart
The iptables configuration file is /etc/sysconfig/iptables. This is the file the tool just modified; you can edit it directly if you prefer, then restart iptables as above to load your changes.
Note: On Linode I ran into an error restarting iptables. If you see the error below, see this blog post for the solution.
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
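For reference, here is the ruleset the firewall tool writes for those three services, together with a small check you can run against /etc/sysconfig/iptables before restarting iptables. This is an added example, not code from the original page; the EXAMPLE_RULES text is a constructed copy of the file as system-config-firewall writes it on CentOS 6, and the two functions are my own.

```shell
#!/bin/sh
# Added example, not the original page's code. EXAMPLE_RULES is a constructed
# copy of what system-config-firewall writes to /etc/sysconfig/iptables on
# CentOS 6 when SSH, HTTP and HTTPS are the only services ticked.
EXAMPLE_RULES='# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_tcp_ports RULES: print the TCP destination ports that INPUT rules
# ACCEPT, sorted numerically, space-separated on one line.
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            port = ""; tcp = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (tcp && accept && port != "") print port
        }' | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { print "" }'
}

# ruleset_ok RULES: return 0 if SSH (22) stays reachable and plain FTP (21)
# is closed, 1 otherwise with the reason on stderr. Run it before
# "service iptables restart" so a bad edit does not lock you out.
ruleset_ok() {
    ports=" $(open_tcp_ports "$1") "
    case "$ports" in
        *" 22 "*) ;;
        *) echo "port 22 (SSH) is not accepted: you would lock yourself out" >&2; return 1 ;;
    esac
    case "$ports" in
        *" 21 "*) echo "port 21 (plain FTP) is accepted: use SFTP over port 22 instead" >&2; return 1 ;;
    esac
    return 0
}

# On the server: ruleset_ok "$(cat /etc/sysconfig/iptables)"
ruleset_ok "$EXAMPLE_RULES" && echo "open TCP ports: $(open_tcp_ports "$EXAMPLE_RULES")"
```

The check only looks at explicit ACCEPT rules in the INPUT chain, which is all the tool generates; if you hand-edit the file and add jumps to custom chains, extend the awk accordingly.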
Fail2Ban (Requires EPEL)
Fail2Ban monitors log files looking for suspicious behavior, like too many failed login attempts from one address. When it finds an offending IP address, it adds a rule to iptables that blocks that IP for a while. If you installed the EPEL repo in the earlier section, you can install fail2ban to give your server some added protection.
$ sudo yum -y install fail2ban
$ sudo chkconfig fail2ban on
$ sudo service fail2ban start
Now we'll copy jail.conf to jail.local and edit the .local copy. Fail2ban reads jail.local as overrides on top of jail.conf, so our settings survive a package upgrade:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local
In jail.local, look for the section beginning with [DEFAULT]. Add your own IP address to the ignoreip setting so a typo in your own password can never lock you out (use spaces to separate multiple IPs). You can change the values of bantime (seconds an address stays blocked) and maxretry (failures allowed before a ban) if you wish. Then restart the service:
$ sudo service fail2ban restart
You can see that fail2ban is active by checking the iptables rules: the INPUT chain should now jump to a fail2ban-SSH chain, which is where banned addresses end up.
$ sudo iptables -L
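To make the mechanism concrete, here is an added illustration of what the SSH jail does with the settings above: count failed logins per source address in /var/log/secure, skip anything in ignoreip, and emit a block rule for everyone over maxretry. This is my own script, not fail2ban's code; the log lines are constructed in the sshd format CentOS 6 writes, the IP addresses are documentation-range placeholders, and the iptables command printed follows the shape of fail2ban's iptables action without claiming to be its exact text.

```shell
#!/bin/sh
# Added illustration of the fail2ban mechanism, not fail2ban's own code.
# These three mirror the jail.local knobs; the admin IP is an assumed value.
IGNOREIP="127.0.0.1 203.0.113.10"
MAXRETRY=3
BANTIME=600

# Constructed /var/log/secure lines in the format sshd writes on CentOS 6.
SAMPLE_LOG='Jul  1 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jul  1 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Jul  1 10:00:05 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 40124 ssh2
Jul  1 10:00:07 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 40125 ssh2
Jul  1 10:00:09 web1 sshd[1209]: Accepted publickey for deploy from 203.0.113.10 port 50000 ssh2
Jul  1 10:00:11 web1 sshd[1211]: Failed password for deploy from 203.0.113.10 port 50001 ssh2
Jul  1 10:00:12 web1 sshd[1212]: Failed password for deploy from 203.0.113.10 port 50002 ssh2
Jul  1 10:00:13 web1 sshd[1213]: Failed password for deploy from 203.0.113.10 port 50003 ssh2
Jul  1 10:00:15 web1 sshd[1215]: Failed password for invalid user test from 192.0.2.44 port 3322 ssh2'

# failed_login_offenders LOG MAXRETRY: print "IP count" for every source
# address with at least MAXRETRY failed password attempts, sorted by IP.
failed_login_offenders() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]*\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' | sort
}

# is_ignored IP: 0 if IP is in the ignoreip list (exact match), else 1.
is_ignored() {
    for cand in $IGNOREIP; do
        [ "$cand" = "$1" ] && return 0
    done
    return 1
}

# ban_commands LOG: print the block rule for each offender not in ignoreip.
# Printed only, never executed here; fail2ban inserts into its own chain and
# removes the rule again after bantime seconds.
ban_commands() {
    failed_login_offenders "$1" "$MAXRETRY" | while read -r ip count; do
        if is_ignored "$ip"; then
            echo "# skip $ip ($count failures): listed in ignoreip"
        else
            echo "iptables -I fail2ban-SSH 1 -s $ip -j DROP   # $count failures, unban after ${BANTIME}s"
        fi
    done
}

ban_commands "$SAMPLE_LOG"
```

Note that 203.0.113.10 crosses the threshold too but is skipped because it is in ignoreip; that is exactly the case the ignoreip setting exists for, and why your own address belongs there.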
Apache
Let's get the Apache web server (known as httpd) up and running:
$ sudo service httpd start
And we'll make sure the server always starts Apache after a reboot:
$ sudo chkconfig httpd on
We can check that the above command worked by typing:
$ sudo chkconfig --list httpd
# this should output:
# httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
MySQL
Finally let's start MySQL and make sure it comes back after a reboot:
$ sudo service mysqld start
$ sudo chkconfig mysqld on
Run the setup script that creates the system tables. On CentOS 6 the mysqld init script normally does this for you on the first start, and running it again is harmless:
$ sudo mysql_install_db
And harden the installation a bit by running this next script:
$ sudo mysql_secure_installation
Enter current password for root (enter for none):
# Just hit enter here: a fresh install has no root password yet
You will then be asked to set a root MySQL password. After that, answer yes to all the remaining questions (type Y at each prompt and hit enter): they remove the anonymous users, disallow root logins from remote hosts, drop the test database, and reload the privilege tables.
You can test your MySQL login:
$ mysql -u root -p
Enter password:
If you see a mysql> prompt, all is well. You can exit MySQL:
mysql> exit
Visit Your Server
Open your web browser and enter your server's IP address in the address bar. You should see an Apache welcome screen, indicating that the server is up and running.
Next > Part 4: Apache Virtual Hosts