Apache - SuExec and SuPhp
Using DirectAdmin custombuild to build one web server (not mail, I don't like Exim). I am using suExec and suPHP, not Suhosin.
Download:
cd /usr/local/directadmin/
wget files.directadmin.com/services/custombuild/..
tar xvzf custombuild.tar.gz
cd custombuild
./build
./build update_data
Preparing:
Edit hosts:
#vim /etc/hosts
192.168.232.100 server.hbn.local server
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
Install bind (already present):
yum install -y bind-chroot
Update_script:
cd /usr/local/updatescript/
wget tools.web4host.net/update.script
chmod 700 update.script
./update.script OPENSSL
Install Apache:
cd /usr/local/directadmin/
./build zlib
./build apache
Install MySQL (packages from mysql.com):
MySQL-client-5.1.41-0.glibc23.i386.rpm
MySQL-devel-5.1.41-0.glibc23.i386.rpm
MySQL-server-5.1.41-0.glibc23.i386.rpm
MySQL-shared-compat-5.1.41-0.glibc23.i386.rpm
yum install -y perl-DBI
rpm -Uvh MySQL-*
mysqladmin -u root password password
mysql -u root -p
Install PHP:
cd /usr/local/directadmin/custombuild
./build libtool
./build libjpeg
./build libpng
Edit options.conf:
php5_cli=no
php5_cgi=yes
./build php n
Check /etc/httpd/conf/extra/httpd-suphp.conf:
AddHandler x-httpd-php5 .inc .php .php3 .php4 .php5 .phtml
suPHP_Engine on
suPHP_ConfigPath /usr/local/etc/php5/cgi/
suPHP_AddHandler x-httpd-php5
cd /etc/httpd/conf/extra/
vim httpd-vhosts.conf
#Include /etc/httpd/conf/ips.conf
Insert:
LogFormat "%b \"%r\"" homedir
NameVirtualHost 192.168.232.100:80
NameVirtualHost 192.168.232.100:443

<VirtualHost 192.168.232.100:80>
ServerAdmin new@pdt.local
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /home/new/public_html
ServerName new.pdt.local
SuexecUserGroup new new
suPHP_Engine on
suPHP_UserGroup new new
suPHP_AddHandler x-httpd-php
ScriptAlias /cgi-bin/ /home/new/cgi-bin/
</VirtualHost>

<VirtualHost 192.168.232.100:80>
ServerAdmin www@pdt.local
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /home/www/public_html
ServerName pdt.local
ScriptAlias /cgi-bin/ /home/www/cgi-bin/
SuexecUserGroup www www
suPHP_Engine on
suPHP_UserGroup www www
suPHP_AddHandler x-httpd-php
SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/www/php/
</VirtualHost>
mkdir /var/log/httpd
restart httpd
Use another php.ini (one php.ini per user):
cd /usr/local/directadmin/data/users/www/php/
vim php.ini
open_basedir = /home/www/:/tmp/
Allow CGI
vim /etc/httpd/conf/httpd.conf
Include conf/extra/httpd-userdir.conf
vim /etc/httpd/conf/extra/httpd-userdir.conf
<Directory /home/*/public_html>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
Tree I use for each user:
/home/user/public_html
/home/user/cgi-bin
chmod directories: 755
files: 400
Run a shell to see the id :D
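To check that a user's tree actually follows the rules above (owned by the vhost's suPHP user, nothing group- or world-writable, PHP sources not readable by other accounts), here is an added audit script; it is not part of the original tutorial. It assumes the /home/<user>/public_html layout used here and takes the home base and the user name as arguments.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit one user's web tree for
# the ownership/permission rules suExec and suPHP depend on. suPHP, with its
# default allow_*_writeable=false settings, refuses scripts and docroot
# directories that are group- or world-writable; and because php-cgi runs as the
# file owner, PHP sources can be chmod 400 so other accounts cannot read them.
# Usage: audit_user_tree <home-base> <user>    e.g. audit_user_tree /home www

audit_user_tree() {
    base=$1
    user=$2
    root="$base/$user/public_html"

    if [ ! -d "$root" ]; then
        echo "MISSING: $root"
        return 0
    fi

    # 1. Everything under the tree should belong to the suPHP_UserGroup user.
    find "$root" ! -user "$user" 2>/dev/null | sed 's/^/OWNER: /'

    # 2. Nothing may be writable by others (suPHP refuses such files and dirs).
    find "$root" -perm -002 2>/dev/null | sed 's/^/WORLD-WRITABLE: /'

    # 3. Nothing may be writable by the group either (refused by default too).
    find "$root" -perm -020 2>/dev/null | sed 's/^/GROUP-WRITABLE: /'

    # 4. PHP sources (the extensions httpd-suphp.conf hands to suPHP) should not
    #    be readable by others: the convention here is chmod 400.
    find "$root" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \
        -o -name '*.php3' -o -name '*.php4' -o -name '*.php5' \) -perm -004 \
        2>/dev/null | sed 's/^/SOURCE-READABLE: /'
    return 0
}

# Number of findings for a user; 0 means the tree matches the rules above.
violation_count() {
    audit_user_tree "$1" "$2" | awk 'END { print NR }'
}

# Run the audit when invoked directly with <home-base> <user>.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    audit_user_tree "$1" "$2"
fi
```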
/// MySQL
Disable LOAD DATA LOCAL INFILE in MySQL:
vim /etc/my.cnf
local-infile=0
Note: for user privileges, use GRANT if you know how, or phpMyAdmin.
/// System
Disable ln, cat, perl, sh, dir, cd, wget, tar, ll, chmod, setfacl, getfacl (all commands I think are dangerous to your system): chmod 700 them.
If you understand your system, you can use ACLs to control permission to access /etc/passwd and /etc/shadow.
// DoS / DDoS
Use CSF (configserver.com/cp/csf.html) to mitigate DDoS.
// Optimize
Disable all unused services:
#!/bin/bash
# Stop and permanently disable (runlevels 3 and 5) services this web server does not need.
services="acpid anacron apmd autofs bluetooth cups firstboot gpm haldaemon messagebus mdmonitor hidd ip6tables kudzu lvm2-monitor netfs nfslock pcscd portmap rpcgssd rpcidmapd sendmail smartd yum-updatesd"
for service in $services; do
service $service stop
chkconfig --level 35 $service off
done
echo "Complete"
Note: PHP here is configured to run in CGI mode (php-cgi), not CLI, under the file owner's privileges, so files only need chmod 400. Apache runs prefork, which limits the damage somewhat if an attacker uses cgi-telnet, but it is best to disable it, since in Vietnam no customer uses it anyway. MySQL still needs further hardening.
I will write tut2 on security + optimizing the server :D
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- Windows and Cisco Lab
to be continued - I will update more.
Nam Habach