All About Kloxo
This tutorial is entirely dedicated to Kloxo: its security, and tricks and tips.




By Bharat Vashist
https://www.shineservers.com
Update your CentOS

yum update -y


Install wget if not installed

yum install -y wget


Install nano editor (very handy)

yum install -y nano


Install Kloxo

wget http://download.lxcenter.org/download/kloxo/production/kloxo-install-master.sh
sh ./kloxo-install-master.sh

The installer is fetched over plain HTTP and there is no signature or checksum to verify it against, so read through the script before running it as root.




Log in to Kloxo at http://YOUR_SERVER_IP:7778, or better at https://YOUR_SERVER_IP:7777, the SSL port (over 7778 the password travels in cleartext). The default username and password are admin / admin, which you must
change right away.
Enter your DNS details and make resource plans.
Configure mod_ruid2 for security (quote from the Kloxo Development Forums)

"With this module, all httpd processes run under the user's access rights, not nobody or apache.
mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it
doesn't need to kill httpd children after one request. It "makes use of kernel capabilities and
after receiving a new request suids again."
- it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
- it has better performance than mod_suid2 because it doesn't need to kill httpd children
after one request. it makes use of kernel capabilities and after receiving a new request suids
again."

Create the repo file

/etc/yum.repos.d/atomic.repo




Add this to the file. The definition is pinned to CentOS / RHEL 5 (the mirrorlist paths say centos-5), so adjust it for another release, and keep gpgcheck = 1 so that only packages signed with the Atomic key get installed.

# Name: Atomic Rocket Turtle RPM Repository for CentOS / Red Hat Enterprise Linux 5
# URL: http://www.atomicrocketturtle.com/
[atomic]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic/centos-5-$basearch
#mirrorlist = http://www.atomicorp.com/channels/atomic/centos/5/mirrors-atomic
enabled = 1
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1
# only the mod_* packages are needed from this repo
includepkgs=mod_*

# Almost stable, release candidates for [atomic]
[atomic-testing]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Testing)
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic-testing/centos-5-$basearch
enabled = 0
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1

# Untested, unstable, known buggy, and incomplete packages.
#[atomic-bleeding]
#name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Bleeding)
#baseurl = http://www.atomicorp.com/channels/atomic-bleeding/centos/5/$basearch/
#enabled = 0
#gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
#gpgcheck = 1


Install mod_ruid2

yum install mod_ruid2


Edit web__apachelib.php

nano /usr/local/lxlabs/kloxo/httpdocs/lib/domain/web/driver/web__apachelib.php




Find the getSuexecString() function in that file and replace it with the version below (watch out for word wrap). The function uses $this->main, so it has to stay inside its class; do not replace the whole file.

function getSuexecString($username)
{
    $string = "\n";
    $string .= "<IfModule suexec.c>\n";
    $string .= "SuexecUserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "<IfModule mod_suphp.c>\n";

/* --- too much code and overlap with suphp.conf
(http://project.lxcenter.org/issues/563)

    $string .= "AddType application/x-httpd-php .php\n";
    $string .= "RemoveHandler .php\n";
    $string .= "<FilesMatch \"\.php$\" >\n";
    $string .= "SetHandler x-httpd-php\n";
    $string .= "</FilesMatch>\n";
    $string .= "<Location />\n";
    $string .= "suPHP_AddHandler x-httpd-php \n";
    $string .= "</Location>\n";
--- */
    $string .= "SuPhp_UserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "<IfModule !sapi_apache2.c>\n";
    $string .= "<IfModule !mod_php5.c>\n";
    $string .= "<Location />\n";
    $string .= "Options MultiViews Indexes Includes FollowSymLinks ExecCGI\n";
    $string .= "</Location>\n";
    $string .= "</IfModule>\n\n";
    $string .= "</IfModule>\n\n";

// begin - this portion for mod_ruid2
    $string .= "<IfModule mod_ruid2.c>\n";
    $string .= "RMode config\n";
    // run this vhost's httpd children as the domain owner
    $string .= "RUidGid {$this->main->username} {$this->main->username}\n";
    // lowest uid/gid httpd may switch to: the account itself, so never root
    $string .= "RMinUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RGroups {$this->main->username}\n";
    $string .= "</IfModule>\n\n";
// end

    return $string;
}


Log in to Kloxo and change suPHP to mod_php in 'Webserver Config', and choose 'Apache' instead of
Lighttpd in 'Switch Program'. Apache is the default, so if you have not changed it since the Kloxo install there
is nothing to do there.
If you already have domains added, regenerate their web configuration:

sh /script/fixweb


Restart apache

service httpd restart
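After the restart, confirm the change actually took effect: httpd -M should list ruid2_module, and every vhost that httpd -S reports should carry the RUidGid block generated above. The script below is an added example, not part of this tutorial or of Kloxo: it audits vhost configuration text for the mistakes that matter here (no mod_ruid2 block at all, RUidGid pointing at root/apache/nobody, RUidGid disagreeing with SuexecUserGroup from the same vhost, no RMinUidGid floor). The hostnames and account names in the embedded sample are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the tutorial or from Kloxo): audit the vhost
# configuration that getSuexecString() generates. For each <VirtualHost>:
#   - a <IfModule mod_ruid2.c> block must exist (site really runs as its owner)
#   - RUidGid must name the account, not root/apache/nobody
#   - RUidGid must agree with SuexecUserGroup in the same vhost
#   - RMinUidGid must be present (floor below which httpd will not switch)
# On a real server feed it the files that "httpd -S" lists, e.g.
#   cat /path/to/vhosts/*.conf | audit_ruid
# SAMPLE_VHOSTS is a constructed sample: one good vhost, one misconfigured,
# one still without a mod_ruid2 block.

SAMPLE_VHOSTS='<VirtualHost *:80>
    ServerName good.example.com
    DocumentRoot /home/good/good.example.com
    <IfModule suexec.c>
        SuexecUserGroup good good
    </IfModule>
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid good good
        RMinUidGid good good
        RGroups good
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName bad.example.com
    <IfModule suexec.c>
        SuexecUserGroup bad bad
    </IfModule>
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid apache apache
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName old.example.com
    <IfModule suexec.c>
        SuexecUserGroup old old
    </IfModule>
</VirtualHost>'

# Reads Apache configuration on stdin; prints one "FINDING ..." line per problem.
audit_ruid() {
    awk '
        function report() {
            if (name == "") { return }
            if (!have_ruid) {
                print "FINDING " name ": no <IfModule mod_ruid2.c> block, site still runs as the httpd user"
                return
            }
            if (ruid == "root" || ruid == "apache" || ruid == "nobody") {
                print "FINDING " name ": RUidGid is " ruid
            }
            if (suexec != "" && ruid != suexec) {
                print "FINDING " name ": RUidGid " ruid " disagrees with SuexecUserGroup " suexec
            }
            if (!have_min) {
                print "FINDING " name ": RMinUidGid missing, no floor on the uid httpd may switch to"
            }
        }
        /<VirtualHost/            { name = ""; suexec = ""; ruid = ""; have_ruid = 0; have_min = 0 }
        $1 == "ServerName"        { name = $2 }
        $1 == "SuexecUserGroup"   { suexec = $2 }
        /<IfModule mod_ruid2\.c>/ { have_ruid = 1 }
        $1 == "RUidGid"           { ruid = $2 }
        $1 == "RMinUidGid"        { have_min = 1 }
        /<\/VirtualHost>/         { report() }
    '
}

# Number of findings for the configuration on stdin.
ruid_finding_count() {
    audit_ruid | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_VHOSTS" | audit_ruid
```

The constructed sample yields four findings: three for bad.example.com (RUidGid is apache, it disagrees with SuexecUserGroup, and RMinUidGid is missing) and one for old.example.com, which is what a domain looks like when sh /script/fixweb has not been run after the edit. A clean run prints nothing.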



Stop iptables service:

/etc/init.d/iptables stop


Disable iptables service:

chkconfig iptables off


Copy this code to /etc/init.d/firewall (reminder: disable word wrap in your text editor, e.g. nano -w /etc/init.d/firewall)

#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall

case "$1" in
start)

# Clear rules
iptables -t filter -F
iptables -t filter -X
echo - Clear rules : [OK]

# SSH In (add -s YOUR_ADMIN_IP if you always connect from a fixed address)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
echo - SSH : [OK]

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - established connections : [OK]

# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo - Block all connections : [OK]

# SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
# Send every new SYN through the chain; without this jump the chain is
# defined but never consulted. The limit covers all new connections to the
# box, so raise it on a busy web server.
iptables -A INPUT -p tcp --syn -j syn-flood
echo - SYN-Flood Protection : [OK]



# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Loopback : [OK]

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - PING : [OK]

# DNS In/Out
iptables -t filter   -A   OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter   -A   OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter   -A   INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter   -A   INPUT -p udp --dport 53 -j ACCEPT
echo - DNS : [OK]

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - NTP : [OK]

# WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
echo - WHOIS : [OK]

# FTP Out
iptables -t filter   -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter   -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In
iptables -t filter   -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter   -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo - FTP : [OK]

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo - HTTP/HTTPS : [OK]

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo - SMTP : [OK]

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo - POP : [OK]

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo - IMAP : [OK]

# Kloxo
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT

echo - Kloxo : [OK]

echo - Firewall [OK]
exit 0
;;

stop)
echo "Stopping Firewall... "
# Reset all three policies set by start, then flush and drop the custom chain
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
echo "Firewall Stopped!"
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

*)
echo "Usage: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac




Make the script executable by root only:

chmod 700 /etc/init.d/firewall


Add firewall service:

chkconfig --add firewall


Auto start firewall:

chkconfig --level 2345 firewall on


Start firewall:

/etc/init.d/firewall start



If you have a slave server, add this on the master. Put the rules in the start) section of /etc/init.d/firewall rather than typing them once at the shell, or they will be lost the next time the script flushes the rules.


iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT


Note: replace SLAVE_IP with your Slave server IP.


Add this on the slave server (again inside the start) section of its firewall script)


iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT




Note: replace MASTER_IP with your Master server IP.
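Once the script is running, check the result rather than trusting the echo lines. The script below is an added example, not part of the tutorial: it lints the output of iptables-save -t filter for the three things a reviewer looks for after this section, namely DROP policies on INPUT and FORWARD, a user chain such as syn-flood that is defined but nothing jumps to, and the plaintext Kloxo port 7778 being open to every source instead of limited with -s the way the master/slave rules are. The two rulesets embedded in it are written by hand: SAMPLE_RULES mirrors what the script produces when the INPUT jump into syn-flood is missing, FIXED_RULES adds the jump and restricts the panel ports to one administrative address (203.0.113.5 is a documentation address, not a real one).

```sh
#!/bin/sh
# Added example (not from the tutorial): lint a saved iptables ruleset.
# On a real box:  iptables-save -t filter | ...  ; here two constructed
# rulesets stand in for that output.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP
COMMIT'

FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP
COMMIT'

# Default policy of built-in chain $1 in the iptables-save text on stdin.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# User-defined chains that no rule jumps to (dead chains).
unreferenced_chains() {
    awk '
        /^:/ && $2 == "-" { chains[substr($1, 2)] = 1 }
        /^-A/ { for (i = 1; i < NF; i++) if ($i == "-j") jumped[$(i + 1)] = 1 }
        END { for (c in chains) if (!(c in jumped)) print c }
    '
}

# Exit 0 when an INPUT ACCEPT rule with no -s restriction covers port $1;
# --dport ranges a:b are treated as inclusive.
port_open_to_world() {
    awk -v p="$1" '
        $1 != "-A" || $2 != "INPUT" { next }
        /-j ACCEPT/ && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (p + 0 >= lo && p + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Print one FINDING line per problem in the ruleset passed as $1.
lint_ruleset() {
    for chain in INPUT FORWARD; do
        pol=$(printf '%s\n' "$1" | chain_policy "$chain")
        [ "$pol" = "DROP" ] || echo "FINDING: $chain policy is '$pol', expected DROP"
    done
    for c in $(printf '%s\n' "$1" | unreferenced_chains); do
        echo "FINDING: chain '$c' is defined but nothing jumps to it"
    done
    if printf '%s\n' "$1" | port_open_to_world 7778; then
        echo "FINDING: Kloxo plaintext port 7778 is reachable from any source"
    fi
}

# Number of findings for ruleset $1.
lint_count() {
    lint_ruleset "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

lint_ruleset "$SAMPLE_RULES"
```

SAMPLE_RULES produces two findings (the dead syn-flood chain and the world-reachable 7778); FIXED_RULES produces none. The -s check is the same idea as the SLAVE_IP / MASTER_IP rules above: a port that only one host ever needs should only accept that host.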




Tweaking a web server is very necessary: the less it consumes, the more stable it will be
and the more websites it will be able to handle. Kloxo/lxadmin is a free control panel and has been
working quite well, but the problem with it is that it uses a lot of RAM, though the Kloxo documentation
claims that it only eats 33MB of RAM, which is completely wrong in my experience.

If you are running simple websites or blogs, then you do not need InnoDB. InnoDB is a
MySQL storage engine and is not required for simple websites, so disabling InnoDB in Kloxo
will save a lot of RAM. The same goes for BDB (Berkeley DB), another MySQL storage engine.
Before you disable InnoDB, check information_schema for tables that already use it: any application
with InnoDB tables breaks once the engine is gone. Two version caveats: BDB was removed in MySQL 5.1,
where skip-bdb is an unknown option and stops mysqld from starting, and from MySQL 5.5 InnoDB is the
default engine, so skip-innodb also needs default-storage-engine=MyISAM (and MySQL 5.7 no longer lets
you disable InnoDB at all).


 1. Log in to the server using SSH
 2. Open /etc/my.cnf
 3. Add the two lines below to the [mysqld] section to disable InnoDB and BDB
 4. Save and close the file
 5. Restart MySQL and you will see a large decrease in RAM usage

skip-bdb
skip-innodb


RAM usage before disabling innodb and bdb

[root@mailserver1 ~]# top
top - 07:16:22 up 2:50, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 29 total,    2 running, 27 sleeping,    0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem:   2097152k total,    269420k used, 1827732k free,      0k buffers
Swap:        0k total,         0k used,       0k free,      0k cached


Disabling innodb and bdb

[root@mailserver1 etc]# cp my.cnf my.cnf.backup
[root@mailserver1 etc]# nano my.cnf


Added



skip-bdb
skip-innodb


Restart mysql

[root@mailserver1 etc]# service mysqld restart
Stopping MySQL:                                      [   OK   ]
Starting MySQL:                                      [   OK   ]




RAM usage after

[root@mailserver1 etc]# top
top - 07:18:20 up 2:52, 1 user, load average: 0.06, 0.03, 0.01
Tasks: 29 total,    1 running, 28 sleeping,   0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem:   2097152k total,   163464k used, 1933688k free,      0k buffers
Swap:        0k total,        0k used,       0k free,      0k cached


You can clearly see that RAM usage dropped from 269420k (about 263MB) to 163464k (about 160MB) after
disabling InnoDB and BDB.
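Whether those two lines are safe depends on the MySQL version and on what the databases already contain. The script below is an added example, not part of the tutorial: given the server version and a listing of tables with their engines, it prints only the my.cnf lines that will not break anything and explains on stderr why the others were left out. It assumes the version facts stated above (BDB gone in 5.1, InnoDB the default from 5.5, not disableable from 5.7); the table listings embedded in it are constructed sample output standing in for the information_schema query shown in the comments.

```sh
#!/bin/sh
# Added example (not from the tutorial): pre-flight check before adding
# skip-innodb / skip-bdb to /etc/my.cnf. Assumed version facts: BDB engine
# removed in MySQL 5.1 (skip-bdb becomes an unknown option and mysqld will not
# start), InnoDB default from 5.5 (skip-innodb then also needs
# default-storage-engine=MyISAM), InnoDB cannot be disabled from 5.7.
# On a real server the inputs come from:
#   mysql -N -e "SELECT table_schema, table_name, engine FROM information_schema.tables
#                WHERE table_schema NOT IN ('information_schema','mysql')"
#   mysql -N -e "SELECT VERSION()"
# The listings below are constructed sample output standing in for the query.

SAMPLE_TABLES='blog wp_posts MyISAM
blog wp_options MyISAM
shop orders InnoDB
shop customers InnoDB'

MYISAM_ONLY='blog wp_posts MyISAM
blog wp_options MyISAM'

# Print schema.table for every table on stdin whose engine is $1.
tables_using() {
    awk -v e="$1" '$3 == e { print $1 "." $2 }'
}

# Exit 0 when version string $1 (e.g. 5.0.95-log) is at least version $2 (e.g. 5.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        for (i = 1; i <= 3; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# $1 = server version, stdin = table listing. Prints the my.cnf lines that are
# safe to add under [mysqld]; reasons for leaving one out go to stderr.
skip_options_for() {
    tables=$(cat)
    if version_ge "$1" 5.1; then
        echo "skip-bdb: BDB was removed in MySQL 5.1; the option would stop mysqld from starting" >&2
    else
        echo "skip-bdb"
    fi
    innodb=$(printf '%s\n' "$tables" | tables_using InnoDB)
    if [ -n "$innodb" ]; then
        echo "skip-innodb: InnoDB still in use by: $(printf '%s' "$innodb" | tr '\n' ' ')" >&2
    elif version_ge "$1" 5.7; then
        echo "skip-innodb: InnoDB cannot be disabled in MySQL 5.7 and later" >&2
    else
        echo "skip-innodb"
        if version_ge "$1" 5.5; then
            echo "default-storage-engine=MyISAM"
        fi
    fi
}

printf '%s\n' "$SAMPLE_TABLES" | skip_options_for 5.0.95-log
```

With the constructed sample (a shop database on InnoDB, MySQL 5.0.95) only skip-bdb is printed and the InnoDB tables are named on stderr; with MyISAM-only tables on 5.1.73 only skip-innodb is printed, and on 5.5.x it is followed by the default-storage-engine line.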



