instalasi web server di linux

Tutorial ini menggunakan sistem operasi linux fedora core 12 dan versi terbaru dari apache: httpd-2.2.15.tar.bz2, php: php-5.3.2.tar.bz2, modsecurity: modsecurity-apache_2.5.12.tar.gz, modsecurity core rules: modsecurity-crs_2.0.6.tar.gz . Jika akan melakukan instalasi di linux 64 bit tolong lihat sejenak disini.

instalasi apache:
hapus apache bawaan fedora core 12
$ rpm -qa |grep httpd

httpd-tools-2.2.13-4.fc12.i686
httpd-2.2.13-4.fc12.i686

$ rpm -e gnome-user-share httpd httpd-tools

download apache terbaru
$ wget http://apache.the.net.id/httpd/httpd-2.2.15.tar.bz2
$ tar xjfv httpd-2.2.15.tar.bz2
$ cd httpd-2.2.15

Untuk menyamarkan web server yang dipakai (security in obscurity):

$ cd httpd-2.2.15/include
$ vi ap_release.h

#define AP_SERVER_BASEVENDOR “Apache Software Foundation” -> #define AP_SERVER_BASEVENDOR “software inc.”
#define AP_SERVER_BASEPRODUCT “Apache” -> #define AP_SERVER_BASEPRODUCT “webserv”

save and exit vi dengan perintah :wq
$ cd ..

$ ./configure –-prefix=/usr/local/apache2 –enable-so –enable-ssl –with-ldap –enable-ldap –enable-auth-ldap –disable-info –disable-status –disable-autoindex –disable-imap –disable-include –disable-userdir –enable-rewrite –enable-unique-id

$ make
$ make install
$ cat /etc/passwd |grep apache

jika ditemukan apache:

$vi /usr/local/apache2/conf/httpd.conf

ganti User dan Group daemon menjadi:

User apache
Group apache

save and exit vi

instalasi modsecurity:
$ wget http://nchc.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.5.12/modsecurity-apache_2.5.12.tar.gz
$ tar xzfv modsecurity-apache_2.5.12.tar.gz
$ cd modsecurity-apache_2.5.12/apache2
$ ./configure –with-apxs=/usr/local/apache2/bin/apxs

terjadi error sebagai berikut :


configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/local/apache2/bin/apxs
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script… no
configure: *** pcre library not found.
configure: error: pcre library is required

$ wget ftp://fr2.rpmfind.net/linux/fedora/releases/12/Everything/i386/os/Packages/pcre-devel-7.8-3.fc12.i686.rpm
$ rpm -ivh pcre-devel-7.8-3.fc12.i686.rpm
$ ./configure –with-apxs=/usr/local/apache2/bin/apxs

terjadi error lagi sebagai berikut :


configure: using ‘-lpcre’ for pcre Library
checking for libapr config script… no
configure: *** apr library not found.
configure: error: apr library is required

$ ./configure –with-apxs=/usr/local/apache2/bin/apxs –with-apr=/usr/local/apache2/bin/apr-1-config –with-apu=/usr/local/apache2/bin/apu-1-config
$ make
$ make install

$ vi httpd.conf
tambahkan baris-baris berikut :

LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so

save and exit vi
instalasi modsecurity core rules :

$ cd /usr/local/apache2
$ wget http://nchc.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.0.6.tar.gz
$ tar xzfv modsecurity-crs_2.0.6.tar.gz
$ mv modsecurity-crs_2.0.6 modsecurity-crs
$ vi httpd.conf
tambahkan baris-baris berikut :

Include conf/modsecurity-crs/*.conf
Include conf/modsecurity-crs/base_rules/*.conf

save and exit vi

membuat startup script untuk apache :

$ vi /etc/rc.d/init.d/httpd2

tambahkan baris-baris berikut :

#!/bin/sh
#
# Startup script for the Apache Web Server
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server.  It is used to serve
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /usr/local/apache2/conf/access.conf
# config: /usr/local/apache2/conf/httpd.conf
# config: /usr/local/apache2/conf/srm.conf
# Source function library.
. /etc/rc.d/init.d/functions
case “$1” in
‘start’)
/usr/local/apache2/bin/apachectl start
;;
‘stop’)
/usr/local/apache2/bin/apachectl stop
;;
‘restart’)
/usr/local/apache2/bin/apachectl restart
;;
*)
echo “Usage: $0 {start|stop|restart}”
exit 1
esac
exit 0

save and exit vi

$ chkconfig –add httpd2
$ service httpd2 start

httpd: Syntax error on line 55 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/lib/liblua5.1.s into server: /usr/lib/liblua5.1.s: cannot open shared object file: No such file or directory

$ wget ftp://fr2.rpmfind.net/linux/fedora/releases/12/Everything/i386/os/Packages/lua-devel-5.1.4-4.fc12.i686.rpm
$ rpm -Uvh lua-devel-5.1.4-4.fc12.i686.rpm
$ service httpd2 start

instalasi PHP :
$ wget http://id.php.net/distributions/php-5.3.2.tar.bz2
$ tar xjfv php-5.3.2.tar.bz2
$ cd php-5.3.2
$ ./configure –with-apxs2=/usr/local/apache2/bin/apxs –enable-magic-quotes –with-openssl –with-zlib –with-bz2 –enable-ftp –with-gd –enable-mbstring –with-freetype-dir –with-jpeg-dir

terjadi error sebagai berikut :
….
checking for fabsf… yes
checking for floorf… yes
configure: error: libjpeg.(a|so) not found.

insert fedora DVD and mount
$ cd /mnt/Packages
$ ls *jpeg*
$ rpm -Uvh libjpeg-6b-46.fc12.i686.rpm libjpeg-devel-6b-46.fc12.i686.rpm

lakukan configure lagi

$ make
$ make test
$ make install
$ cp php.ini-development /usr/local/lib/php.ini
$ vi /usr/local/lib/php.ini
sesuaikan beberapa opsi sebagai berikut :

expose_php = Off
display_erros = Off
short_open_tag = On

date.timezone = Asia/Jakarta

save and exit vi

$ mkdir /var/log/httpd
$ vi /usr/local/apache2/conf/httpd.conf

tambahkan baris-baris berikut :

LoadModule php5_module modules/libphp5.so
<FilesMatch .php$>
SetHandler application/x-httpd-php
</FilesMatch>
ErrorLog “/var/log/httpd/error_log”
CustomLog “/var/log/httpd/access_log” combined
DirectoryIndex index.php index.html

save and exit vi

$ service apache2 restart
$ cd /usr/local/apache2/conf/modsecurity-crs/base_rules
$ vi modsecurity_crs_50_outbound.conf

untuk menampilkan nomor baris pada vi berikan perintah :set number lalu cari baris 85 seperti berikut:

SecRule RESPONSE_BODY “!@pmFromFile modsecurity_50_outbound.data”
“phase:4,rev:’2.0.6′,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK”

lalu edit menjadi :

SecRule RESPONSE_BODY “!@pmFromFile modsecurity_50_outbound.data”
“phase:4,rev:’2.0.6′,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skipAfter:END_OUTBOUND_CHECK”

save and exit vi

$ cd /usr/local/apache2/conf/modsecurity-crs/
$ vi modsecurity_crs_10_config.conf

SecDefaultAction “phase:2,deny”

SecRuleEngine On

SecAuditEngine RelevantOnly
SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/modsec_audit.log
SecAuditLogParts ABIFHZ
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir
SecDebugLogLevel 3

save and exit vi

$ mkdir /var/log/modsecurity
$ mkdir /var/log/modsecurity/SecTmpDir
$ mkdir /var/log/modsecurity/SecDataDir
$ mkdir /var/log/modsecurity/SecUploadDir
$ chown -R apache.apache /var/log/modsecurity
$ service apache2 restart

test instalasi dengan :

$ vi ls /usr/local/apache2/htdocs/test.php

<?php
echo “testing”;
?>

save and exit vi
dari browser panggil http://192.168.5.18/test.php. jika instalasi berhasil maka akan muncul testing

Jika muncul Permission Denied, kemungkinan besar disebabkan oleh false positive oleh rule modsecurity. Cara untuk disable / bypass sebuah rule modsecurity dapat dilakukan sebagai berikut :

1. lihat error.log apache untuk domain yang mengalami permission denied dan cari baris yang serupa berikut

[Fri Aug 30 08:07:28 2013] [error] [client 202.46.1.56] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file “/usr/local/apache2/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf”] [line “47”] [id “960015”]

catat id 960015

2. masuk ke direktori modsecurity-crs lalu

$ vi exception.conf

lalu ketik

<LocationMatch .*>
<IfModule mod_security2.c>
SecRuleRemoveById 960015
</IfModule>
</LocationMatch>

simpan dan keluar dari vi lalu restart apache. jika ada lebih dari satu id, tulis disebelahnya pisahkan dengan spasi.

Jika SELinux enforcing dan document root apache tidak standar, dapat timbul error. Untuk itu berikan perintah :

$ chcon -R system_u:object_r:httpd_sys_content_t:s0 /path/doc/root

juga untuk sshd dengan port tidak standar harus disesuaikan dengan :

$ /usr/sbin/semanage port -a -t ssh_port_t -p tcp 222

jika semanage belum ada, install dengan :

$ yum -y install policycoreutils-python

Latest posts by gregor (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *


*