[Thu Dec 29 14:53:01 2011] [crit] [client xx.xx.xx.xx] (13)Permission denied: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

./set_permisions.sh set_user_home username

Incoming search terms:

• (13)permission denied: / htaccess pcfg_openfile: unable to check htaccess file ensure it is readable cpanel vps (1)

Required utilities

You can spawn FastCGI processes using a dispatcher script or using spawn-fcgi utility, which is used to spawn remote FastCGI processes. spawn-fcgi included with lighttpd web server. You can grab source code from lighttpd.net or simply install it using lighttpd as follows (you need EPEL repo enabled under RHEL / CentOS / Fedora Linux):
# yum install lighttpd-fastcgi
# cp /usr/bin/spawn-fcgi /tmp
# yum remove lighttpd-fastcgi
# mv /tmp/spawn-fcgi /usr/bin/spawn-fcgi
lighttpd-fastcgi is FastCGI module and spawning helper for lighttpd and PHP configuration.

How do spawning php as TCP/IP remote app?

Use /usr/bin/spawn-fcgi as follows, enter:
# /usr/bin/spawn-fcgi -f /usr/bin/php-cgi -a 192.168.1.10 -p 9000 -P /var/run/php-cgi.fastcgi.pid -u apache -g apache
You can also jail php, using following syntax (make sure /var/run/ and /usr/bin/php-cgi exists inside jail directory):
# /usr/bin/spawn-fcgi -c /httpdjail -a 192.168.1.10 -p 9000 -P /var/run/php-cgi.fastcgi.pid -u apache -g apache -- /usr/bin/php-cgi
Where,

• -f /usr/bin/php-cgi: Filename of the fcgi-application
• -a 192.168.1.10 : Bind to ip address
• -p 9000 : Bind to tcp-port
• -P /var/run/php-cgi.fastcgi.pid: Name of PID-file for spawed process
• -c /httpdjail : Chroot to directory (security feature)
• -u apache : Change to user-id (security feature – drop root user privileges to apache user)
• -g apache : Change to group-id (security feature – drop root group privileges to apache group)

Configure Apache 2 mod_fastcgi connect to external PHP fcgi application

Above command will run php fcgi on 192.168.1.10:9000. Here is our sample setup:

1. 192.168.1.10 port 9000 : PHP FastCGI server
2. 192.168.1.11 port 9000 : Python or Ruby on rails cgi process
3. 202.54.1.20 port 80 : Apache 2 running mod_fastcgi (DocumentRoot set to /webroot/http)

Open your httpd.conf on 202.54.1.20, enter:
# vi /etc/httpd/conf/httpd.conf
Locate your domain VirtualHost configuration and append following two directives:

AddHandler php5-fastcgi .php
FastCgiExternalServer /webroot/http -host 192.168.1.10:9000

Here is complete snippet from one my box:

<VirtualHost nixcraft.com:80>
    ServerAdmin webmaster@nixcraft.com
    DocumentRoot /webroot/http
    ServerName nixcraft.com
    ErrorLog logs/nixcraft.com-error_log
    CustomLog logs/nixcraft.com-access_log common
    AddHandler php5-fastcgi .php
    FastCgiExternalServer /webroot/http -host 192.168.1.10:9000
</VirtualHost>

Save and close the file. Restart httpd:
# service httpd restart
Make sure iptables is configured to allow communication between public and private fastcgi server.

How do I configure PHP FastCGI via UNIX sockets?

UNIX sockets are faster as compare to TCP/IP sockets. However, they do not support remote spawning. Create /tmp/php.socket as follows:
# /usr/bin/spawn-fcgi -f /usr/bin/php-cgi -s /tmp/php.socket -u apache -g apache
Add following configuration to your httpd.conf virtual host:

AddHandler php5-fastcgi .php
FastCgiExternalServer /webroot/http -socket /tmp/php.socket

Save and close the file. Restart httpd, type:
# service httpd restart

mod_fastcgi has lots of other options. Please refer to Apache and mod_fastcgi documentation for further information.

A note about mod_fastcgi limitation

You can not load balance between multiple php backend. You need to use lighttpd or nginx or other reverse proxy software.

You can check if mod_rewrite is compiled in with Apache doing:

httpd -l | grep mod_rewrite.c

If it’s not then you should re-compile Apache.

You could also enable mod_rewrite logging:

RewriteLog “/var/log/httpd/rewrite.log”
RewriteLogLevel 9 # Maximum debug level, should be disabled on production environment

Note that this must be added on the VirtualHost or at the httpd.conf and *NOT* in the .htaccess.

After this you can check the file /var/log/httpd/rewrite.log to see what happens when you try to access an URL that should be rewritten.

Incoming search terms:

• accessing a website with network programming (1)
• download httpd-2 2 17 for linux (1)

The problem: mod_fcgid: read data timeout in xx seconds

First, check if you have the mod_fcgid module that is causing these problems.

# rpm -qa |grep -i mod_fcgid
mod_fcgid-2.2-11.el5

Apparently, any 2.2.x branche has this bug.

The problem exists if any VirtualHost does not have the IPCommTimeout value. If there’s a VirtualHost where this setting is not defined, it will reset the configuration globally back to the default of 40 seconds, resulting in the following error you Apache’s error logs.

[warn] mod_fcgid: read data timeout in 40 seconds
Premature end of script headers: php-cgi, referer: [snip]

And they will throw a 500 Internal Server Error in your access logs.

“GET /path/to/url HTTP/1.1″ 500 537

The solution: IPCommTimeout in every virtual host

The solution sucks if you have many (manually controlled) virtual hosts, but you have to define the IPCommTimeout option in every Virtual Host on the server. If one is missing, it will reset the config of that parameter to the default serverwide. So place the following codeblock in every Virtual Host you have.

<IfModule mod_fcgid.c>
IPCCommTimeout          360
IPCConnectTimeout       360
</IfModule>

The values above are expressed in seconds.

What is .htaccess and how to disable .htaccess?

.htaccess is use to modify the way Apache behaves for a directory and it’s sub-directories. It gives you an extra control on your server, like setting up custom error messages, password protect a directory, writing rewrite rules, blocking IPs etc.

However, it can be a potentially dangerous file. For example, a hacker can redirect your website to an external website say a malware website.

In order to disable .htaccess server wide, edit the Apache configuration file

pico /etc/httpd/conf/httpd.conf

Search for

    AllowOverride All

replace it with

    AllowOverride None

Save the file and restart the Apache service.

service httpd restart

Incoming search terms:

• howto htaccess centos and plesk (1)

In this exclusive series, you will learn more about:

• Securing an Apache 2 web server under Red Hat Enterprise Linux / CentOS Linux using mod_chroot
• Virtual hosting configuration under chrooted jail.
• Troubleshooting Chrooted Apache jail problem.

Requirements

1. Server: Apache 2 Web server.
2. Jail directory: /httpdjail.
3. User / Group: apache / apache (never ever run chroot using root user).
4. Virtual domain directory for all domain inside jail: /home/httpd.
5. PHP is configured via default mod_php.
6. Instructions are tested under CentOS / RHEL 5.x.

More about Jail directory: /httpdjail

Create a jail directory as follows:
# J=/httpdjail
# mkdir $J

1. Do not create /dev directory inside your jail.
2. Do not create special device files inside jail.
3. Do not copy shell or any other single executable files inside your jail.
4. Do not run httpd or php / perl / python as root user.
5. If possible mount $J using a separate partition with nosuid, nodev and noexec options. This will improve security as user will not able to run suid enabled programs and device files inside a jail.

Install Apache, PHP and MySQL

Install required packages using yum command, enter:
# yum install mysql mysql-server httpd php-mysql php-pear php-xml php-mysql php-cli php-imap php-gd php-pdo php-devel php-mbstring php-common php-ldap php httpd-devel
Now, create required directories inside your jail:
# mkdir -p $J/var/run
# chown -R root.root $J/var/run
# mkdir -p $J/home/httpd
# mkdir -p $J/var/www/html
# mkdir -p $J/tmp
# chmod 1777 $J/tmp
# mkdir -p $J/var/lib/php/session
# chown root.apache $J/var/lib/php/session


1. $J/var/run will store PID and other files.
2. $J/var/lib/php/session PHP session file path (configured in php.ini).
3. $J/tmp – Used by many scripts and cms software to upload files.

Install mod_chroot

mod_chroot makes running Apache in a secure chroot environment easy. You don’t need to create a special directory hierarchy containing /dev, /lib, /etc. mod_chroot allows you to run Apache in a chroot jail with no additional files. The chroot() system call is performed at the end of startup procedure – when all libraries are loaded and log files open. Download mod_chroot using wget command:
# cd /opt/
# wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
Untar it:
# tar -zxvf mod_chroot-0.5.tar.gz
Compile and install mod_chroot for using apxs, enter:
# cd mod_chroot-0.5
# apxs -cia mod_chroot.c

Configure Apache mod_chroot

Open /etc/httpd/conf/httpd.conf file, type:
# C=/etc/httpd/conf/httpd.conf
# vi $C
Set PidFile path in which the server should record its process identification number when it starts. Find line that reads as follows:

PidFile run/httpd.pid

Replace with:
PidFile /var/run/httpd.pid
Next add ChrootDir directive, enter:
ChrootDir /httpdjail
Find line that read as follows:
ServerRoot "/etc/httpd"
Append following lines:


LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard

Make sure mod_chroot.so line exists. For example, 64 bit Linux should have line as follows:

LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so

32 bit Linux config line:

LoadModule chroot_module /usr/lib/httpd/modules/mod_chroot.so

Save and close the file.
Disable SELinux for Apache

You need to disable SELinux for apache, enter:
# setsebool httpd_disable_trans 1
See article “disabling SELinux for only Apache / httpd in Linux” for further details.
Patch up /etc/init.d/httpd

Open /etc/init.d/httpd file, enter:
# vi /etc/init.d/httpd
Find out line that read as follows:

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

Add following line (set ROOT to $J):

ROOT=/httpdjail

Find stop() that read as follows:

stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

Replace it as follows (you need to link /var/run/httpd.pid to $J/var/run/httpd.pid; so that stop operation works):

stop() {
/bin/ln -s $ROOT/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

Save and close the file. Set immutable permission on /etc/init.d/httpd so that file cannot be modified, updated by yum, deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute:
# chattr +i /etc/init.d/httpd
How do I start chrooted httpd?

Type the following command:
# /etc/init.d/httpd start
You should not see any error in /var/log/httpd/error_log file:

[Sun Dec 21 18:43:09 2008] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Sun Dec 21 18:43:09 2008] [notice] SELinux policy enabled; httpd running as context root:system_r:initrc_t
[Sun Dec 21 18:43:09 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Dec 21 18:43:09 2008] [notice] Digest: generating secret for digest authentication …
[Sun Dec 21 18:43:09 2008] [notice] Digest: done
[Sun Dec 21 18:43:10 2008] [notice] mod_chroot: changed root to /httpdjail.
[Sun Dec 21 18:43:10 2008] [notice] Apache/2.2.3 (CentOS) configured — resuming normal operations

How do I stop chrooted httpd?

# /etc/init.d/httpd stop

How do I restart chrooted httpd?

# /etc/init.d/httpd restart

Incoming search terms:

• centos router (1)

<VirtualHost se.rv.er.ip.ad.re.ss>
        ServerAdmin info@servername.com
        DocumentRoot /var/www
        ErrorLog /var/log/apache/apache-error.log
        TransferLog /var/log/apache/apache.log
        ServerName www.servername.com
        ServerAlias *.servername.com
        RewriteEngine on
        RewriteCond %{HTTP_HOST} !^www.* [NC]
        RewriteCond %{HTTP_HOST} ^([^\.]+)\.servername\.com
        RewriteRule ^/$ http://www.servername.com/user.php?user=%1
</VirtualHost>

The lines for this feature,
RewriteEngine on activating rewrite option

RewriteCond %{HTTP_HOST} !^www.* [NC]  the rule will not be applied to subdomain “www”

RewriteCond %{HTTP_HOST} ^([^\.]+)\.servername\.com  subdomain section will be our parameter

RewriteRule ^/$ http://www.servername.com/user.php?user=%1  parameter section which is grabbed as subdomain name will be our value for user variable to user.php file.

Incoming search terms:

• thttpd centos 500 error (1)

A. Xcache caches both php files and variable. Since vbulltin is the same product, it will cache and use same variable within cache. This is performance boosting feature. However, you can force xcache , so that VB do not try to use the same variable within the cache by specific to use a prefix. Make sure following two line exists in your VB config.php file (located in /path/to/forum/includes/config.php):

# vi config.php

Append or modify settings as follows:
$config['Datastore']['class'] = 'vB_Datastore_XCache';
$config['Datastore']['prefix'] = 'yourforumname';
Save and close the file. Make sure you restart Apache:

# service httpd restart

OR

# service lighttpd restart

This works in a similar manner to the database table prefix. This is also applicable to other PHP caching systems such as APC and eAccelerator with more than one set of boards installed on same UNIX / Linux / Windows host.

Incoming search terms:

• cent os unable to make action: unable to manage service by dnsmng (1)

By setting up daily reporting, this notifies you within, at most, 24 hours of when any file was changed, added, or removed.  It also helps establish an audit trail in the event your site is compromised.

These instructions are designed for an end user, where you don’t need to have root access, to implement and assumes your server has the aide binary installed.  Most hosts will have this installed already, or will install it for you upon request.

Step 1: Download A Sample AIDE config file

We will start with a simple one, this will scan your web root directory for md5 hash changes.

To download the file, SSH into your account and run:

$ wget securehostingdirectory.com/aide.conf

What you will want to change in this file, is replace “username” on the first line, and confirm that is the path to your root directory.

Then on the last line, confirm that public_html is your web root directory.  If your host uses the cPanel control panel, then public_html is your web root.

Step 2: Initialize the AIDE database

The command to initialize the AIDE database is:

$ nice -19 aide --init --config=/home/username/aide.conf

AIDE is not the least resource intensive software in the world so we are running it with a 19 priority using nice.

Now copy your AIDE output database file to the input file:

$ cp aide.db.out aide.db.in

You can test aide by doing:

$ nice -19 aide -C --config=/home/username/aide.conf

Go ahead and run that now, it will say all files match, then make a change to a file and add a file, rerun it and see what the report says.

Step 3: Daily Reporting

There are a few ways to get the aide reports, a common one is to have it email you the reports, for this you can set a cronjob to run aide everyday, or even more frequently if you’d like.

Open up the crontab editor and paste in:

0 1 * * * nice -19 /usr/local/bin/aide --config=/home/username/aide.conf -C| mail you@domain -saide\ domain

The reports can get rather lengthy overtime, so if you want to reset the database, say weekly, you can add this to the crontab:

0 2 * * 0  nice -19 /usr/local/bin/aide --config=/home/username/aide.conf --init;mv -f /home/username/aide.db.out /home/username/aide.db.in

Step 4: Extras

We have covered the basics, and that is actually only the tip of the iceberg of what you can do with AIDE.

You can get the full AIDE config file here: Full AIDE Config File

And you might want to exclude certain files, for example if you have a forum or gallery and a lot of images are added regularly you can exclude those from the report. For example to exclude all jpg files in images/ you would put the following in the config file:

 !@@{TOPDIR}/public_html/images/.*\.jpg$

And that would go right above this line:

@@{TOPDIR}/public_html MD

Another thing you can do for extra security is, have your host chown your in database file, and your config file to another user, this way if your user is compromised, the hacker could not compromise your AIDE database, without also gaining access to the second user.

To be even more secure, you can download your AIDE database after creating it, and then upload it before you run a scan.

I hope this Howto lets you see the need for a file integrity checker, and makes it easy to setup, no matter what your user level is.

Incoming search terms:

• advanced intrusion detection environment (1)
• aide conf example (1)
• centos aide config (1)
• configure aide in shell script (1)
• htdocs centos 5 5 location (1)
• nice 19 aide --check (1)

Options ExecCGI
SetHandler cgi-script

At the end final entry looked like as follows:

<Directory /home/*/public_html/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory>

Then I restarted apache and it worked like a charm. See Apache document Dynamic Content with CGI. Update: As pointed out by Randal you just need to add above four lines.

Incoming search terms:

• apache directadmin hide version (1)
• apache user directory cgi (1)
• apache2 server name * (1)
• cpanel /cgi-bin/ for each user (1)