Configure a CentOS 6.4 Web Server on Rackspace - Part 3: Starting the Server

Firewall

First we need to enable iptables (the CentOS firewall) and open some ports to allow access from the web:

$ sudo service iptables start

Let's make sure the server always starts iptables after a reboot:

$ sudo chkconfig iptables on

Now we need to open some ports in our firewall. We'll do that using the GUI we installed:

$ sudo system-config-firewall-tui
# If it refuses to start run the command below, for this bug fix:
# https://bugzilla.redhat.com/show_bug.cgi?id=1123919
$ sudo service messagebus start

  1. Hit the tab key to highlight the Customize button, then press enter. Use the arrow keys to scroll through the list and hit enter to enable each service whose port needs to be opened. A star will appear next to each service name that we've enabled. For now let's just open 3 ports:
        [*] SSH
        [*] Secure WWW (HTTPS)
        [*] WWW (HTTP)
  2. Hit the tab key again to highlight the Close button, then press enter. On the next screen select OK, then press enter.

Note: Don't open the FTP port. You should always use SFTP, which works just like FTP but runs over the SSH port, making it more secure.

Now we need to restart iptables so that our rules will take effect:

$ sudo service iptables restart

The iptables configuration file is located in /etc/sysconfig/iptables. This is the file that the GUI modified. You can modify it directly if you prefer.

Note: On Linode I ran into an error restarting iptables. If you see the error below, see this blog post for the solution.

iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter
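As an added example (not part of the original post), here is a small POSIX shell audit of a rules file in the /etc/sysconfig/iptables format mentioned above. It lists the TCP ports the INPUT chain accepts and checks that only SSH, HTTP and HTTPS are open and that FTP is not; the sample rules are constructed inline to mirror what system-config-firewall-tui writes for those three services.

```shell
#!/bin/sh
# Audit an iptables-save style rules file (the format of /etc/sysconfig/iptables)
# and report which TCP ports the INPUT chain accepts.

# Constructed sample, not copied from a real server; it mirrors the rules the
# firewall TUI writes after enabling SSH, WWW (HTTP) and Secure WWW (HTTPS).
SAMPLE_RULES='# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the TCP ports accepted on the INPUT chain, one per line, sorted numerically.
# Usage: accepted_tcp_ports "$rules_text"
accepted_tcp_ports() {
    printf '%s\n' "$1" |
        awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
                for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1)
             }' | sort -n
}

# Return 0 only if every port listed in $2 (space separated) is open and nothing else is.
# Usage: check_ports "$rules_text" "22 80 443"
check_ports() {
    # $2 is deliberately unquoted so each port lands on its own line before sorting
    expected=$(printf '%s\n' $2 | sort -n | tr '\n' ' ')
    actual=$(accepted_tcp_ports "$1" | tr '\n' ' ')
    [ "$expected" = "$actual" ]
}

# Return 0 if the FTP control port (21) is NOT accepted, as the note above advises.
ftp_closed() {
    ! accepted_tcp_ports "$1" | grep -qx 21
}

# Run against the sample. On a real box, pass "$(cat /etc/sysconfig/iptables)" instead.
accepted_tcp_ports "$SAMPLE_RULES"
check_ports "$SAMPLE_RULES" "22 80 443" && echo "only SSH, HTTP and HTTPS are open"
ftp_closed "$SAMPLE_RULES" && echo "FTP port is closed"
```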

Fail2Ban (Requires EPEL)

Fail2Ban monitors log files looking for suspicious behavior, like too many failed login attempts. When it finds an offending IP address, it adds a rule to iptables to block that IP. If you installed the EPEL repos in the earlier section, you can install fail2ban to give your server some added protection.

$ sudo yum -y install fail2ban
$ sudo chkconfig fail2ban on
$ sudo service fail2ban start

Now we'll copy the .conf file and edit the .local version so we can tweak the settings:

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo vim /etc/fail2ban/jail.local

In jail.local, look for the section beginning with [DEFAULT]. Add your IP address to the ignoreip setting (use spaces to separate multiple IPs). You can change the values of bantime and maxretry if you wish. Then restart the service:

$ sudo service fail2ban restart

You can see that fail2ban is active by checking the iptables rules.

$ sudo iptables -L

Apache

Let's get the Apache web server (known as httpd) up and running:

$ sudo service httpd start

And we'll make sure the server always starts Apache after a reboot:

$ sudo chkconfig httpd on

We can check that the above command worked by typing:

$ sudo chkconfig --list httpd
# this should output:
# httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

MySQL

Finally let's start MySQL:

$ sudo service mysqld start
$ sudo chkconfig mysqld on

Run the setup script:

$ sudo mysql_install_db

And harden the installation a bit by running this next script:

$ sudo mysql_secure_installation

# Just hit enter here
Enter current password for root (enter for none):

You will then be asked to create a root MySQL password. After that, say yes to all the remaining questions (type Y at each prompt and hit enter).

You can test your MySQL login:

$ mysql -u root -p
Enter password:

If you see a MySQL prompt, all is well. You can exit MySQL:

mysql> exit

Visit Your Server

Open your web browser and enter your server's IP address in the address bar. You should see an Apache welcome screen, indicating that the server is up and running.

Next > Part 4: Apache Virtual Hosts
