diff --git a/docs/guides/file_sharing/secure_ftp_server_vsftpd.md b/docs/guides/file_sharing/secure_ftp_server_vsftpd.md index 9cc680f033..7bf63eed1e 100644 --- a/docs/guides/file_sharing/secure_ftp_server_vsftpd.md +++ b/docs/guides/file_sharing/secure_ftp_server_vsftpd.md @@ -24,6 +24,10 @@ _vsftpd_ is the Very Secure FTP Daemon (FTP being the file transfer protocol). _vsftpd_ allows for the use of virtual users with pluggable authentication modules (PAM). These virtual users don't exist in the system, and have no other permissions except to use FTP. This means that if a virtual user gets compromised, the person with those credentials would have no other permissions once they gained access. Using this setup is very secure indeed, but does require a bit of extra work. +!!! hint "Consider `sftp`" + + Even with the security settings used here to set up `vsftpd`, you may want to consider `sftp` instead. `sftp` will encrypt the entire connection stream and is more secure for this reason. We've created a document [here](../sftp) that deals with setting up `sftp` and the locking down SSH. + ## Installing vsftpd We also need to make sure _openssl_ is installed. If you are running a web server, this probably **is** already installed, but just to make sure, you can run: diff --git a/docs/guides/virtualization/vbox-rocky.md b/docs/guides/virtualization/vbox-rocky.md index 39ade2396b..d1d92c02e7 100644 --- a/docs/guides/virtualization/vbox-rocky.md +++ b/docs/guides/virtualization/vbox-rocky.md 
@@ -2,11 +2,15 @@ title: Rocky on VirtualBox author: Steven Spencer contributors: Trevor Cooper, Ezequiel Bruni -update: 11-24-2021 -tested on: Rocky Linux 8.4, 8.5 +tested on: 8.4, 8.5 +tags: + - virtualbox + - virtualization --- -# Introduction +# Rocky on VirtualBox + +## Introduction VirtualBox® is a powerful virtualization product for both enterprise and home use. Once in a while, someone posts that they are having trouble getting Rocky Linux to run in VirtualBox®. It has been tested multiple times going back to the release candidate, and works just fine. The problems people usually report often involve video. diff --git a/docs/guides/web/apache-sites-enabled.md b/docs/guides/web/apache-sites-enabled.md index 1310c2cffb..8e8e1a9c75 100644 --- a/docs/guides/web/apache-sites-enabled.md +++ b/docs/guides/web/apache-sites-enabled.md @@ -3,6 +3,10 @@ title: Apache Multisite author: Steven Spencer contributors: Ezequiel Bruni tested with: 8.5 +tags: + - web + - apache + - multisite --- # Apache Web Server Multisite Setup diff --git a/docs/guides/web/apache_hardened_webserver/index.md b/docs/guides/web/apache_hardened_webserver/index.md index c919950f6e..7f107dc8cc 100644 --- a/docs/guides/web/apache_hardened_webserver/index.md +++ b/docs/guides/web/apache_hardened_webserver/index.md @@ -1,3 +1,14 @@ +--- +title: Apache Hardened Webserver +author: Steven Spencer +contributors: Ezequiel Bruni +tested with: 8.5 +tags: + - apache + - web + - security +--- + # Apache Hardened Webserver ## Prerequisites and Assumptions 
@@ -26,7 +37,7 @@ You might elect to use a couple of these tools, and not the others, so for clari * A Web-based Application Firewall (WAF), with _mod\_security_ rules [Apache Hardened Web Server - mod_security](modsecurity.md) * Rootkit Hunter (rkhunter): A scan tool that checks against Linux malware [Apache Hardened Web Server - rkhunter](rkhunter.md) * Database security (we are using _mariadb-server_ here) [MariaDB Database Server](../../database/database_mariadb-server.md) -* A secure FTP or SFTP server (we are using _vsftpd_ here) [Secure FTP Server - vsftpd](../../file_sharing/secure_ftp_server_vsftpd.md) +* A secure FTP or SFTP server (we are using _vsftpd_ here) [Secure FTP Server - vsftpd](../../file_sharing/secure_ftp_server_vsftpd.md) but we also have _sftp_ and SSH lock down procedures [here](../../file_sharing/sftp.md) This procedure does not replace the [Apache Web Server Multi-Site Setup](../apache-sites-enabled.md), it simply adds these security elements to it. If you haven't read it, take some time to look at it before proceeding. 
@@ -36,7 +47,7 @@ Some of the tools outlined here have both free and fee-based options. Depending Know, too, that most of these options can be purchased as hardware appliances. If you'd prefer not to hassle with installing and maintaining your own system, there are options available other than those outlined here. -This document uses a straight _iptables_ firewall and requires [this procedure on Rocky Linux to disable firewalld and enable the iptables services](../../security/enabling_iptables_firewall.md). +This document uses a straight _iptables_ firewall and requires [this procedure on Rocky Linux to disable firewalld and enable the iptables services](../../security/enabling_iptables_firewall.md). Since this document was first written, we now have a couple of excellent _firewalld_ guides; one that allows someone with knowledge of _iptables_ to transfer what they know to _firewalld_ [here](../../security/firewalld.md), and one that is a more dedicated to beginners [here](../../security/firewalld-beginners.md). If you prefer to use _firewalld_, simply skip this step and apply the rules needed. The firewall in our examples here, needs no OUTPUT or FORWARD chains, only INPUT. Your needs may differ! diff --git a/docs/guides/web/apache_hardened_webserver/modsecurity.md b/docs/guides/web/apache_hardened_webserver/modsecurity.md index 3ee16fe70a..9bba12fc30 100644 --- a/docs/guides/web/apache_hardened_webserver/modsecurity.md +++ b/docs/guides/web/apache_hardened_webserver/modsecurity.md @@ -1,3 +1,15 @@ +--- +title: Web-based Application firewall (WAF) +author: Steven Spencer +contributors: Ezequiel Bruni +tested with: 8.5 +tags: + - web + - security + - apache + - nginx +--- + # Web-based Application Firewall (WAF) ## Prerequisites 
@@ -11,13 +23,13 @@ ## Introduction -_mod\_security_ is an open-source web-based application firewall (WAF). It is just one possible component of a hardened Apache web server setup and can be used with, or without, other tools. +_mod\_security_ is an open-source web-based application firewall (WAF). It is just one possible component of a hardened Apache web server setup and can be used with, or without, other tools. If you'd like to use this along with other tools for hardening, refer back to the [Apache Hardened Web Server guide](index.md). This document also uses all of the assumptions and conventions outlined in that original document, so it is a good idea to review it before continuing. -One thing that is missing with _mod\_security_ when installed from the generic Rocky Linux repositories, is that the rules installed are minimal at best. To get a more extensive package of free mod_security rules, we are using [Comodo's](https://www.comodo.com/) WAF installation procedure after installing the base package. +One thing that is missing with _mod\_security_ when installed from the generic Rocky Linux repositories, is that the rules installed are minimal at best. To get a more extensive package of free mod_security rules, we are using [Comodo's](https://www.comodo.com/) WAF installation procedure after installing the base package. -Note that Comodo is a business that sells lots of tools to help secure networks. The free _mod\_security_ tools may not be free forever and they do require that you setup a login with Comodo in order to gain access to the rules. +Note that Comodo is a business that sells lots of tools to help secure networks. The free _mod\_security_ tools may not be free forever and they do require that you setup a login with Comodo in order to gain access to the rules. ## Installing mod_security 
@@ -27,9 +39,9 @@ To install the base package, use this command which will install any missing dep ## Setting Up Your Comodo account -To setup your free account, go to [Comodo's WAF site](https://waf.comodo.com/), and click the "Signup" link at the top of the page. You will be required to setup username and password information but no credit-card or other billing will be done. +To setup your free account, go to [Comodo's WAF site](https://waf.comodo.com/), and click the "Signup" link at the top of the page. You will be required to setup username and password information but no credit-card or other billing will be done. -The credentials that you use for signing on to the web site will be used in your setup of Comodo's software and also to obtain the rules, so you will need to keep these safe in a password manager somewhere. +The credentials that you use for signing on to the web site will be used in your setup of Comodo's software and also to obtain the rules, so you will need to keep these safe in a password manager somewhere. Please note that the "Terms and Conditions" section of the form that you need to fill out to use Comodo Web Application Firewall (CWAF) is written to cover all of their products and services. That said, you should read this carefully before agreeing to the terms! @@ -43,7 +55,7 @@ In addition, you will need to have your web server running for Comodo to see _mo `systemctl start httpd` -After signing up with Comodo, you will get an email with instructions on what to do next. Essentially, what you need to do is to login to the web site with your new credentials and then download the client install script. +After signing up with Comodo, you will get an email with instructions on what to do next. Essentially, what you need to do is to login to the web site with your new credentials and then download the client install script. From the root directory of your server, use the wget command to download the installer: 
@@ -71,7 +83,7 @@ Enter password for 'username@domain.com' (will not be shown): ****************** Confirm password for 'username@domain.com' (will not be shown): ************************ ``` -Please note here that you will probably have to download the rules and install them in the correct location, as the password field requires a punctuation or special character, but the configuration file apparently has issues with this when sending it to Comodo's site from the installer or update script. +Please note here that you will probably have to download the rules and install them in the correct location, as the password field requires a punctuation or special character, but the configuration file apparently has issues with this when sending it to Comodo's site from the installer or update script. These scripts will always fail with a credentials error. This probably doesn't affect administrators who have web servers running with a GUI front end (Cpanel / Plesk) but if you are running the program standalone as we are in our example, it does. [You can find the workaround below](#cwaf_fix). @@ -169,7 +181,7 @@ Next go to the bottom of this configuration file. We need to tell _mod\_security # ModSecurity Core Rules Set and Local configuration IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf - IncludeOptional modsecurity.d/local_rules/*.conf + IncludeOptional modsecurity.d/local_rules/*.conf ``` @@ -180,7 +192,7 @@ We need to add in one line at the bottom to add the CWAF configuration, which in IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf IncludeOptional modsecurity.d/local_rules/*.conf - Include "/usr/local/cwaf/etc/cwaf.conf" + Include "/usr/local/cwaf/etc/cwaf.conf" ``` 
@@ -192,8 +204,8 @@ If httpd starts OK, then you are ready to start using _mod\_security_ with the C ## Conclusion -_mod\_security_ with CWAF is another tool that can be used to help harden an Apache web server. Because CWAF's passwords require punctuation and because the standalone installation does not send that punctuation correctly, managing CWAF rules requires logging into the CWAF site and downloading rules and changes. +_mod\_security_ with CWAF is another tool that can be used to help harden an Apache web server. Because CWAF's passwords require punctuation and because the standalone installation does not send that punctuation correctly, managing CWAF rules requires logging into the CWAF site and downloading rules and changes. -_mod\_security_, like other hardening tools, has the potential of false-positive responses, so you must be prepared to tune this tool to your installation. +_mod\_security_, like other hardening tools, has the potential of false-positive responses, so you must be prepared to tune this tool to your installation. Like other solutions mentioned in the [Apache Hardened Web Server guide](index.md), there are other free and fee-based solutions for _mod\_security_ rules, and for that matter, other WAF applications available. You can take a look at one of these at [Atomicorp's _mod\_security_ site](https://atomicorp.com/atomic-modsecurity-rules/). diff --git a/docs/guides/web/apache_hardened_webserver/ossec-hids.md b/docs/guides/web/apache_hardened_webserver/ossec-hids.md index fe1b54f662..22dd92b7e0 100644 --- a/docs/guides/web/apache_hardened_webserver/ossec-hids.md +++ b/docs/guides/web/apache_hardened_webserver/ossec-hids.md @@ -2,7 +2,12 @@ title: Host-based Intrustion Detection System (HIDS) author: Steven Spencer contributors: Ezequiel Bruni -update: Jan-25-2022 +tested with: 8.5 +tags: + - web + - security + - ossec-hids + - hids --- # Host-based Intrusion Detection System (HIDS) 
diff --git a/docs/guides/web/apache_hardened_webserver/rkhunter.md b/docs/guides/web/apache_hardened_webserver/rkhunter.md index 5146aa5f93..5ce97f8831 100644 --- a/docs/guides/web/apache_hardened_webserver/rkhunter.md +++ b/docs/guides/web/apache_hardened_webserver/rkhunter.md @@ -1,3 +1,14 @@ +--- +title: Rootkit Hunter +author: Steven Spencer +contributors: Ezequiel Bruni +tested with: 8.5 +tags: + - server + - security + - rkhunter +--- + # Rootkit Hunter ## Prerequisites @@ -44,7 +55,7 @@ You may also need to setup [Postfix Email for Reporting](../../email/postfix_rep ## Running rkhunter -_rkhunter_ can be run by typing it at the command-line. There is a cron job installed for you in `/etc/cron.daily`, but if you want to automate the procedure on a different schedule, look at the [Automating cron jobs guide](../../automation/cron_jobs_howto.md). +_rkhunter_ can be run by typing it at the command-line. There is a cron job installed for you in `/etc/cron.daily`, but if you want to automate the procedure on a different schedule, look at the [Automating cron jobs guide](../../automation/cron_jobs_howto.md). You'll also need to move the script somewhere other than `/etc/cron.daily`, such as `/usr/local/sbin` and then call it from your custom cron job. The easiest method, of course, is to leave the default cron.daily setup intact. diff --git a/docs/guides/web/nginx-multisite.md b/docs/guides/web/nginx-multisite.md index 139492e110..f5d2d54fcb 100644 --- a/docs/guides/web/nginx-multisite.md +++ b/docs/guides/web/nginx-multisite.md @@ -3,6 +3,10 @@ title: Nginx Multisite author: Ezequiel Bruni contributors: Steven Spencer tested with: 8.5 +tags: + - web + - nginx + - multisite --- # How to Set up Nginx for Multiple Websites on Rocky Linux diff --git a/docs/guides/web/php.md b/docs/guides/web/php.md index ee1d2ba7fe..82aedff4cf 100644 --- a/docs/guides/web/php.md +++ b/docs/guides/web/php.md 
@@ -2,7 +2,11 @@ title: PHP and PHP-FPM author: Antoine Le Morvan contributors: Steven Spencer -update: 25-Jan-2022 +tested with: 8.5 +tags: + - web + - php + - php-fpm --- # PHP and PHP-FPM
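Review bot: the link target in the new "Consider `sftp`" hint in secure_ftp_server_vsftpd.md is `../sftp`, with no `.md` suffix and one directory up, while the index.md hunk in this same patch reaches the same guide as `../../file_sharing/sftp.md`, which puts that guide in the same directory as this file. Suggest `[here](sftp.md)` so the link is written against the source file like the other links in the patch. The same sentence ends with "setting up `sftp` and the locking down SSH"; drop "the". Link text that names the guide would also read better than "here".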
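Review bot: the front-matter key in vbox-rocky.md is left as `tested on:` while every other front matter shown in this patch uses `tested with:`. If anything reads that key to build a version list, this page will be missed. Suggest `tested with: 8.4, 8.5` here. The hunk also removes `update: 11-24-2021` without saying where the last-updated date is now recorded; a line in the commit message would help.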
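Review bot: the firewalld text added to the iptables paragraph in apache_hardened_webserver/index.md (hunk at -36,7) contradicts the sentence it extends. The paragraph still says the document "requires" the iptables procedure, then says "simply skip this step and apply the rules needed", and the following unchanged line describes the rules only in terms of the INPUT chain. A reader who picks firewalld gets no statement of which services or ports to allow. Suggest changing "requires" to something like "was written for" and adding one sentence on what must be permitted. Two smaller points: "one that is a more dedicated to beginners" has a stray "a", and both new links are labelled "here", so they cannot be told apart out of context.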
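Review bot: the front matter added to modsecurity.md tags the page `nginx`, but the text visible in this patch describes only an Apache setup (`systemctl start httpd`, "a hardened Apache web server setup"). Unless the page has an Nginx section outside these hunks, drop the tag so the tag index does not send Nginx users to an Apache-only procedure. Also, `title: Web-based Application firewall (WAF)` has a lowercase "firewall" where the H1 directly below it reads "Web-based Application Firewall (WAF)".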
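Review bot: in the body hunks of modsecurity.md (-11,13 through -192,8) nearly every removed line is followed by an added line that reads identically as shown, including the `IncludeOptional modsecurity.d/local_rules/*.conf` and `Include "/usr/local/cwaf/etc/cwaf.conf"` lines inside the configuration examples. These look like whitespace-only changes, and they bury the one content change, the new sentence pointing back to index.md in the Introduction. Suggest putting the whitespace cleanup in its own commit, and checking that the changes inside the fenced configuration blocks did not alter the indentation readers will copy.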
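Review bot: the ossec-hids.md hunk edits the front matter but leaves the typo in its first context line, `title: Host-based Intrustion Detection System (HIDS)`, while the H1 below spells it "Intrusion". Since the title is what appears in navigation and search, fix it in this change: `title: Host-based Intrusion Detection System (HIDS)`.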
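Review bot: the sentence added under "Running rkhunter" in rkhunter.md tells the reader to move "the script" out of `/etc/cron.daily` but never names the file, and it does not cover what happens afterwards. If the package that installed the cron job is updated, the file may be put back in `/etc/cron.daily`, which would leave the scan running on both schedules. Suggest naming the file, and adding a short note to recheck `/etc/cron.daily` after updates. It is also worth saying that the moved copy should stay owned by root and not writable by others, since the custom cron job will run it as root.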