CentOS / Redhat Apache mod_ssl Configuration

February 26th, 2010 apmellott No comments

The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. How do I install and configure mod_ssl under CentOS / Fedora / Redhat Enterprise Linux?

mod_ssl is the SSL/TLS module for the Apache HTTP server. You can use a self-signed certificate or a certificate issued by a third-party CA. This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server. It was contributed by Ralf S. Engelschall based on his mod_ssl project and originally derived from work by Ben Laurie. This module relies on OpenSSL to provide the cryptography engine.

Step #1: Install mod_ssl

Type the following command as the root user to install mod_ssl:
# yum install mod_ssl

Step #2: Create an SSL Certificate

Type the following commands:
# cd /etc/pki/tls/certs
# openssl genrsa -des3 -out apachekey.pem 2048

Sample outputs:

Generating RSA private key, 2048 bit long modulus
..................+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for apachekey.pem:
Verifying - Enter pass phrase for apachekey.pem:

Note: enter a strong passphrase to protect the Apache web server key pair.

Generate a Certificate Signing Request (CSR)
Type the following command:
# openssl req -new -key apachekey.pem -out apachekey.csr

Sample outputs:

Enter pass phrase for apachekey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:MH
Locality Name (eg, city) [Newbury]:Poona
Organization Name (eg, company) [My Company Ltd]:nixCraft LTD
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.nixcraft.com
Email Address []:vivek@nixcraft.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Fill in the information or hit the [Enter] key to accept the defaults, but the Common Name field is very important: it must match the fully qualified domain name of your server exactly (e.g. www.nixcraft.com) or the certificate will not work. There is no need to enter the challenge password.

Create the Web Server Certificate
You must sign the CSR to create the web server certificate (or send the CSR to your CA to have it signed). To sign apachekey.csr using your own CA, enter:
# openssl ca -in apachekey.csr -out apachecert.pem

Install SSL Certificate
Copy the server key and certificate files to /etc/pki/tls/http/, enter:
# cp apachecert.pem /etc/pki/tls/http/
# cp apachekey.pem /etc/pki/tls/http/

Edit /etc/httpd/conf.d/ssl.conf, enter:
# vi /etc/httpd/conf.d/ssl.conf

Listen on the HTTPS port, enter:
Listen 10.10.29.68:443

Update the random seed directives as follows:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

Update VirtualHost as follows:
SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
DocumentRoot "/var/www/html/ssl"
ServerName www.nixcraft.com:443

Save and close the file. Make sure /var/www/html/ssl exists, enter:
# mkdir -p /var/www/html/ssl

Edit /etc/httpd/conf/httpd.conf, enter:
# vi /etc/httpd/conf/httpd.conf

Make sure SSL is required for /var/www/html/ssl and set the other options for that directory. SSLRequireSSL and SSLRequire are only valid in a directory context, so wrap them in a Directory block, enter:
<Directory "/var/www/html/ssl">
    SSLRequireSSL
    SSLOptions +StrictRequire
    SSLRequire %{HTTP_HOST} eq "www.nixcraft.com"
    ErrorDocument 403 https://www.nixcraft.com/sslerror.html
</Directory>

Now you can upload SSL-specific PHP or HTML pages to the /var/www/html/ssl directory and access them by visiting the https://www.nixcraft.com/ URL. Do not forget to restart Apache:
# service httpd restart
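As an added example that is not part of the original post, here is a small Python linter for the mod_ssl VirtualHost directives written above. It evaluates the SSLProtocol expression the way mod_ssl does (All expands, + adds, - removes) and checks the OpenSSL cipher string; the VirtualHost from this post is embedded as a constructed sample.

```python
"""Lint the mod_ssl VirtualHost directives written in the procedure above."""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # what "All" expands to in mod_ssl 2.2 (CentOS 5)

# Constructed sample: the VirtualHost block from the procedure above.
SAMPLE_SSL_CONF = """\
<VirtualHost 10.10.29.68:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/http/apachecert.pem
SSLCertificateKeyFile /etc/pki/tls/http/apachekey.pem
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5
ServerName www.nixcraft.com:443
</VirtualHost>
"""

def parse_directives(text):
    """Return {directive: arguments} for the block; a repeated directive keeps its last value."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip comments and the <VirtualHost> container tags
        name, _, args = line.partition(" ")
        directives[name] = args.strip()
    return directives

def enabled_protocols(expr):
    """Evaluate an SSLProtocol expression: '+X' or a bare 'X' adds, '-X' removes,
    and 'All' stands for every protocol, so 'All -SSLv2' leaves SSLv3 and TLSv1 on."""
    enabled = set()
    for tok in expr.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def lint(text):
    """Return a list of findings for the SSL settings in the given config text."""
    d = parse_directives(text)
    findings = []
    if "SSLv3" in enabled_protocols(d.get("SSLProtocol", "All")):
        findings.append("SSLv3 enabled (offer TLS only: SSLProtocol All -SSLv2 -SSLv3)")
    ciphers = d.get("SSLCipherSuite", "")
    # In an OpenSSL cipher string '+' only reorders matching ciphers; '!' excludes them.
    if re.search(r"(?<!!)\bMD5\b", ciphers):
        findings.append("MD5-MAC ciphers still offered (+MD5 reorders; use !MD5 to exclude)")
    return findings
```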

Firewall Configuration

Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear before the final DROP lines:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart the firewall:
# service iptables restart

Categories: CentOS

Start Iptables under Linux

February 25th, 2010 apmellott No comments

Q. How do I start Iptables firewall under RHEL / Red Hat / CentOS / Fedora Linux from a shell prompt? How do I stop firewall?

A. First, you need to configure the firewall rules by editing the text file located at /etc/sysconfig/iptables. You can also use the setup command to configure the firewall. Just type the following as the root user:
# setup

Select Firewall configuration and follow the on-screen instructions.

Once the configuration is updated, type the following commands at a shell prompt to enable the firewall at boot and start it:
# chkconfig iptables on
# service iptables start

To stop the firewall, enter:
# service iptables stop

Categories: CentOS, linux

Samba: Linux Iptables Firewall Configuration

February 25th, 2010 apmellott No comments

How do I configure the iptables firewall under CentOS / Fedora / RHEL / Redhat Linux to allow access to the Samba server? How do I open TCP ports 137, 138, 139 and 445 under Linux so that all Microsoft Windows machines can access files and printers on a Linux host?

The Samba server can be configured to allow access from certain hosts. However, iptables prevents access over the Internet. You must allow only the systems on your own network as clients of the Samba Linux server.

Iptables Open Port 137, 138, 139 and 445
Edit the /etc/sysconfig/iptables file, enter:
# vi /etc/sysconfig/iptables

To allow access from the 192.168.1.0/24 network only, add the following before the final LOG & DROP statements:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Save and close the file.
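Both firewall edits on this page (the port 443 rule above and the Samba rules here) depend on the ACCEPT rules landing before the chain's final REJECT/DROP. The following Python check is an added example, not part of the original post; it parses a constructed /etc/sysconfig/iptables file in the CentOS 5 format and reports ACCEPT rules that an earlier unconditional REJECT or DROP in the same chain makes unreachable.

```python
"""Check a /etc/sysconfig/iptables file for ACCEPT rules placed after the chain's final REJECT/DROP."""
import re

# Constructed sample: a CentOS 5 style rules file where the Samba rule was appended
# after the catch-all REJECT, which is the mistake the instructions above warn about.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
COMMIT
"""

# -A <chain> <match criteria> -j <target>; the criteria may be empty.
RULE_RE = re.compile(r"^-A\s+(\S+)(.*?)\s+-j\s+(\S+)")

def parse_rules(text):
    """Return (chain, match_criteria, target) for every -A rule, in file order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, criteria, target = m.groups()
            rules.append((chain, criteria.strip(), target))
    return rules

def unreachable_accepts(text):
    """Return (chain, criteria) for ACCEPT rules that follow an unconditional REJECT or
    DROP in the same chain. iptables evaluates a chain top to bottom, and a REJECT/DROP
    with no match criteria terminates every packet, so nothing below it is ever consulted."""
    terminated = set()
    shadowed = []
    for chain, criteria, target in parse_rules(text):
        if chain in terminated and target == "ACCEPT":
            shadowed.append((chain, criteria))
        if target in ("REJECT", "DROP") and not criteria:
            terminated.add(chain)
    return shadowed
```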

Restart Firewall

Type the following command:
# service iptables restart

Categories: linux

CentOS / Redhat: Turn On SELinux Protection

February 24th, 2010 apmellott No comments

SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take. However, by default it is turned off under RHEL / CentOS 5.x servers. How do I turn it on?

SELinux is a kernel security extension which can be used to guard against misconfigured or compromised programs. It provides a Mandatory Access Control (MAC) system that improves on the traditional UNIX/Linux Discretionary Access Control (DAC) model.

How Do I Enable SELinux under Redhat / Fedora and CentOS Linux Systems?

Edit /etc/selinux/config file, run:
# vi /etc/selinux/config

Update the configuration file as follows:
SELINUX=enforcing
SELINUXTYPE=targeted

Understanding SELinux Configuration

  • SELINUX=enforcing : Enforcing is the default mode, which enables and enforces the SELinux security policy on the Linux system. It also denies unauthorized access and logs those denials to a log file.
  • SELINUXTYPE=targeted : Only targeted network daemons (such as DNS, Apache and others) are protected.

Save and close the file. Make sure SELinux is not disabled via the GRUB boot loader. Search the /boot/grub/grub.conf file using grep and make sure no matching line appears:
# egrep -i 'selinux=0|enforcing=0' /boot/grub/grub.conf

If you find lines containing selinux=0 or enforcing=0, remove them and save the changes.

Prepare File System For The Reboot

The chcon command can be used to change the SELinux security context of a single file. However, it is recommended that you relabel the complete filesystem.

Restore Default Security Contexts

Type the following command to preview the changes (the -n flag is a dry run: it reports what would be relabeled without changing anything), then run it again without -n to actually restore the default security contexts for /home:
# restorecon -Rv -n /home
# restorecon -Rv /home
You can run this on the root (/) file system too.

Relabel Complete Filesystem

Do not skip this step before rebooting the system. Type the following commands:
# touch /.autorelabel
# reboot

It will take some time to relabel the complete filesystem. If you get any errors, or common services such as mysqld or sshd fail to start, try the following solution (go to single-user mode):
# init 1
# genhomedircon
# touch /.autorelabel
# reboot

Make Sure SELinux is Properly Enabled

Type the following command:
# sestatus
Sample outputs:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

How Do I Print Full List Of Allowed Network Ports?

Type the following commands:
# semanage port -l
# semanage port -l | less
#### look for port 80 ####
# semanage port -l | grep -w 80

How Do I Allow Lighttpd / Apache / Nginx At Port 8181?

By default SELinux will block httpd from binding to many ports, including 8181. You need to allow port 8181 so that the web server can bind to it and listen for incoming requests on this non-privileged port. Use the semanage command as follows:
# semanage port -a -t http_port_t -p tcp 8181

How Do I Find Out Unprotected Services?

Type the following command:
# ps -eZ | egrep "initrc" | egrep -vw "ps|tr|egrep|awk|bash" | tr ':' ' ' | awk '{ print $NF }'
You should not see any output on a fully configured SELinux system.

How Do I See SELinux Labels?

Type the following command:
# ls -lZ /path/to/file
# ls -lZd /path/to/dir
# ls -lZd /etc
# ls -lZ /dev/ | grep deviceName
# ls -lZ /etc/resolv.conf

Sample outputs:
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf

Troubleshooting SELinux Policy Errors

SELinux is pretty complicated kernel software, and it takes time to fix errors. Use the following tools to find and debug SELinux policy problems (refer to your local man pages):

  • ps -Z -p PID
  • ls -Z fileName
  • ausearch
  • restorecon
  • semodule
  • audit2allow
  • Log files: /var/log/audit/audit.log and /var/log/setroubleshoot/setroubleshootd.log
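As an added example that is not from the original post, the following Python script parses AVC records from /var/log/audit/audit.log and summarises the denials by source domain, permission, target type and object class, which is the tuple that tells you whether the fix is a port label (semanage port, as for port 8181 above), a file label (restorecon) or a policy module (audit2allow/semodule). The log lines are constructed: httpd denied binding to port 8181 and reading two mislabelled files under a user home directory.

```python
"""Parse SELinux AVC denials from audit.log and summarise what was denied to which domain."""
import re
from collections import Counter

# Constructed sample audit.log lines: httpd denied binding to port 8181 (fixed with
# 'semanage port -a -t http_port_t -p tcp 8181') and reading files labelled user_home_t
# (fixed by relabelling them). Timestamps, pids and inode numbers are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1267000001.123:201): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8181 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1267000001.123:201): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1267000002.456:202): avc:  denied  { read } for  pid=2346 comm="httpd" name="index.html" dev=sda2 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1267000003.789:203): avc:  denied  { read } for  pid=2347 comm="httpd" name="style.css" dev=sda2 ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+(?P<action>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)")

def parse_avc(text):
    """Return one dict per AVC record: action, permissions, the key=value fields
    (pid, comm, scontext, tcontext, tclass, and name/src when present), plus the
    source and target *type* pulled out of the user:role:type[:level] contexts."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are not access decisions
        rec = {"action": m["action"], "perms": m["perms"].split()}
        for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
            rec[k] = v.strip('"')
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarise_denials(records):
    """Count denials by (source domain, permission, target type, object class)."""
    counts = Counter()
    for r in records:
        if r["action"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], perm, r["ttype"], r["tclass"])] += 1
    return counts
```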

Categories: CentOS

Turn on SELinux in Redhat or CentOS Linux Over Remote SSH Session

February 24th, 2010 apmellott No comments

My hosting company disabled SELinux protection. How do I turn on SELinux over a remote ssh session without disrupting existing networking services?

You can enable SELinux by typing the following commands:
# genhomedircon
# touch /.autorelabel
# reboot

After the reboot, turn it on:
# setenforce 1

You need to modify /etc/grub.conf or /etc/selinux/config to keep SELinux enabled after each reboot. Edit /etc/selinux/config, enter:
# vi /etc/selinux/config

Edit/add as follows:
SELINUX=enforcing
SELINUXTYPE=targeted

Categories: CentOS

Hello world!

February 24th, 2010 apmellott 1 comment

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

Categories: Uncategorized