Where is the Apache configuration in CentOS?

Apache Main Configuration Files

On a CentOS server, the package manager used to install the Apache web server (such as rpm, yum, or dnf) will typically default to placing the main Apache configuration file in one of the following locations on the server:

/etc/apache2/httpd.conf
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/httpd/conf/httpd.conf

If you have access to the server via command line, you can confirm the exact location that Apache is loading its configuration file from by running the command

apachectl -V

or

httpd -V (if using an older version of Apache)

Either command displays Apache’s version and build parameters:

[root@host ~]# apachectl -V
Server version: Apache/2.4.39 (cPanel)
Server built: May 30 2019 20:13:52
Server's Module Magic Number: 20120211:84
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

The HTTPD_ROOT= line will display the root directory for Apache’s installation, and the SERVER_CONFIG_FILE= line will show you the Apache configuration file’s path relative to the root directory of Apache’s installation.

To illustrate this using the example output above, the HTTPD_ROOT= line shows us the root directory of Apache is the following:

/etc/apache2/

The Apache configuration file’s relative path, listed as SERVER_CONFIG_FILE="conf/httpd.conf", is within the Apache installation’s root directory, making the full path to the Apache configuration file:

/etc/apache2/conf/httpd.conf

Include Files

In addition to the main Apache configuration file discussed above, Apache settings can also be placed in the Apache Include files. The Include files are additional configuration files that Apache will read if instructed to in the main configuration file.

The following are examples of how these Include files are referenced in the main configuration file:

Include "/etc/apache2/conf.d/includes/post_virtualhost_global.conf"
Include "/etc/apache2/conf.d/*.conf"

The first line instructs Apache to read additional configurations from a specific file /etc/apache2/conf.d/includes/post_virtualhost_global.conf.

The second line instructs Apache to read additional configurations from any files within the folder /etc/apache2/conf.d/ that have .conf at the end of their filename, as the * is a wildcard character. For example, a file named ‘php.conf’ within the /etc/apache2/conf.d/ would be considered an Include file by Apache, and its configurations would be loaded.

You can get a full list of the configuration files Apache currently has loaded, including the main configuration file and any Include files, by running the following command:

apachectl -t -D DUMP_INCLUDES
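
The path resolution and the Include listing described above, as an added shell example that is not from the original article: it joins HTTPD_ROOT and SERVER_CONFIG_FILE from apachectl -V output, then flags any file in the DUMP_INCLUDES listing that is writable by group or others, since a wildcard Include loads whatever matching file is present. The function names and sample values are constructed, and the DUMP_INCLUDES line format (an Include line number or (*) in parentheses, followed by the path) is assumed from Apache 2.4.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Print the main configuration file path from `apachectl -V` output (stdin).
# A relative SERVER_CONFIG_FILE is joined to HTTPD_ROOT; an absolute one is
# printed unchanged. Returns non-zero if the values are not found.
apache_main_config() {
    awk -F'"' '
        /-D HTTPD_ROOT=/         { root = $2 }
        /-D SERVER_CONFIG_FILE=/ { conf = $2 }
        END {
            if (conf == "") exit 1
            if (conf ~ /^\//) { print conf; exit 0 }
            if (root == "") exit 1
            sub(/\/+$/, "", root)
            print root "/" conf
        }'
}

# Read `apachectl -t -D DUMP_INCLUDES` output (stdin) and report every loaded
# file that is missing or writable by group or others.
audit_includes() {
    # Strip the "(*)" or "(<line>)" prefix; the header line has none and is skipped.
    sed -n 's/^[[:space:]]*([0-9*]*)[[:space:]]*//p' | sort -u |
    while IFS= read -r file; do
        if [ ! -e "$file" ]; then
            printf 'MISSING %s\n' "$file"
            continue
        fi
        # -L follows symlinks so the target's mode is checked.
        perms=$(ls -ldL "$file" | cut -c1-10)
        case "$perms" in
            ?????w????|????????w?) printf 'WRITABLE %s %s\n' "$perms" "$file" ;;
        esac
    done
}

# Constructed sample: the two relevant lines of the `apachectl -V` output above.
SAMPLE_V=' -D HTTPD_ROOT="/etc/apache2"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'
printf '%s\n' "$SAMPLE_V" | apache_main_config

# On a live server:
#   apachectl -V | apache_main_config
#   apachectl -t -D DUMP_INCLUDES | audit_includes
```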

Accessing Apache Configurations in Control Panels

If the CentOS server has a control panel for server management installed, such as cPanel/WHM or Plesk, its interface will provide you with a graphical menu for editing this Apache configuration file. For more information on navigating each control panel, you can refer to our guides Getting Started With Plesk and Getting Started With cPanel/WHM.

How To Manually Set Up Clients in WHMCS

WHMCS is an amazingly capable software allowing you to manage your clients from initial purchase, continued support, and billing management. However, if you already have clients and you’re looking to get started with WHMCS, you will need to get those clients into the new system. While this process does require some manual work, it is absolutely possible and once they are set up, the automation can take over from there! In this guide, I will show you how to manually set up your existing clients into WHMCS.

Adding A Client Profile and Product in WHMCS

  1. Log in to your WHMCS Admin dashboard.
  2. Hover over Clients, then select Add New Client.
  3. Fill in the form with the required information.
    1. Client Profile Information
      1. First Name
      2. Last Name
      3. Company Name
      4. Email Address
      5. Password
      6. Address 1
      7. Address 2 (optional)
      8. City
      9. State/Region
      10. Postcode
      11. Country
      12. Phone Number
    2. Client Billing Information (where applicable)
      1. Payment Method
      2. Billing Contact
      3. Language
      4. Status
      5. Currency
      6. Client Group
      7. Credit Balance
    3. Account traits
      1. Late Fees
      2. Overdue Notices
      3. Tax Exempt
      4. Separate Invoices
      5. Disable CC Processing
      6. Marketing Emails Opt-out
      7. Status Update
      8. Allow Single Sign On
    4. Include any relevant Admin Notes
  4. Tick the box if you would like to send New Account Information to the client upon creation.
  5. Click Add Client. Once added, it will take you to the “Client Profile”.

Viewing the Client Profile

The Client Profile screen contains all of the information for a given client, separated into tabs. We’ll review the tabs and the information you can find under each tab.

  • Summary: this shows the “at-a-glance” summary of the client.
  • Profile: this tab contains the basic information you entered when you set up the client.
  • Contacts: Add and modify additional contact information for the client.
  • Products/Services: New clients will have no products/services. Use the Click Here link to place a new order.

  • From the new order page, you can confirm client details, select a default payment method, enter Promotion codes, set the order status, select a matching cPanel package, and additional details about the new client package. If this is a new client, the cPanel account will be created and mapped automatically. For an existing client, enter the cPanel username and password for the account, then use the cPanel/WHM Import Tool to connect the client with their cPanel account.

cPanel/WHM Import Tool

  1. Navigate to “Utilities > cPanel/WHM Import”, then select the Server from the drop down.
  2. Sort through the Domains and check ONLY the domains you are looking to import. This can be done as many times as needed, so feel free to do them in short batches if that’s easier.
  3. Once imported, it will most likely create a new client profile. It could potentially match the new information based on matching cPanel email addresses and the client email addresses you create. If WHMCS matches the new information correctly, you’re done. If not, continue with the steps below.
  4. If the system creates a new client and ties in the product, navigate to that client profile.
  5. From the Import Generated Client Profile, navigate to Products/Services, then click on Move Product/Service.
  6. Enter Client ID (if you don’t know it, you can find those under Clients > View/Search Clients and finding the ID column). Click Transfer and the client will now be matched to the correct product information.

With this guide you can add all of your existing clients and get them set up on billing plans to fully automate your existing clients as well as all of your new sign ups. This guide was specifically regarding your cPanel clients. However, Liquid Web also offers a WHMCS Plugin that integrates with our Cloud platform allowing you to do this with any existing VPS or Cloud Dedicated clients you have as well! You can use these links to learn about our WHMCS offering and see the Liquid Web WHMCS Plugin.

 

How to Install and Configure Puppet on CentOS, Fedora, Ubuntu or Opensuse

What is Puppet?

Puppet: A Closer Look At Who Holds The Strings

Puppet is an intuitive, task-controlling software which provides a straightforward method to manage Linux and Windows server functions from a central master server. It can perform administrative work across a wide array of systems that are primarily defined by a “manifest” file, for the group or type of server(s) being controlled.

How to Set Up A Firewall Using Iptables on Ubuntu 16.04

This guide will walk you through the steps for setting up a firewall using iptables in Ubuntu 16.04. We’ll show you some common commands for manipulating the firewall, and teach you how to create your own rules.

 

What are Iptables in Ubuntu?

The utility iptables is a Linux based firewall that comes pre-installed on many Linux distributions. It is a leading solution for software-based firewalls. It’s a critical tool for Linux system administrators to learn and understand. Any publicly facing server on the Internet should have some form of firewall enabled for security reasons. In a typical configuration, you would only open ports for the services that you wish to be accessible via the Internet. All other ports would remain closed and inaccessible via the Internet. For example, in a typical server, you may want to open ports for your web services, but you probably would not want to make your database accessible to the public!

 

Pre-flight

Working with iptables requires root privileges on your Linux box. The rest of this guide assumes you have logged in as root. Please exercise caution, as commands issued to iptables take effect immediately. You will be manipulating how your server is accessible to the outside world, so it’s possible to lock yourself out from your own server!

Note
If you’re a Liquid Web customer, check out our VPN + IPMI remote management solutions. These solutions can help you restore access to your server even if you’ve blocked out the outside world. We have a VPN configuration guide to get you started. Of course, our support staff is also standing by 24×7 in the event you get locked out.

 

How Do Iptables Work?

Iptables works by inspecting predefined firewall rules. Incoming server traffic is compared against these rules, and if iptables finds a match, it takes action. If iptables is unable to find a match, it will apply a default policy action. Typical usage is to set iptables to allow matched rules, and deny all others.

 

How Can I See Firewall Rules in Ubuntu?

Before making any changes to your firewall, it is best practice to view the existing rule set and understand what ports are already open or closed. To list all firewall rules, run the following command.

iptables -L

If this is a brand new Ubuntu 16.04 installation, you may see there are no rules defined! Here is an example “empty” output with no rules set:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you’re running Ubuntu 16.04 on a Liquid Web VPS, you’ll see we’ve already configured a basic firewall for you. There are usually three essential sections to look at in the iptables ruleset. When dealing with iptables rulesets, they are called “chains”, particularly “Chain INPUT”, “Chain FORWARD”, and “Chain OUTPUT”. The input chain handles traffic coming into your server while the output chain handles the traffic leaving your server. The forwarding chain handles server traffic that is not destined for local delivery. As you can surmise, the traffic is forwarded by our server to its intended destination.

 

Common Firewall Configurations

The default action is listed in “policy”. If traffic doesn’t match any of the chain rules, iptables will perform this default policy action. You can see that with an empty iptables configuration, the firewall is accepting all connections and not blocking anything! This is not ideal, so let’s change this. Here is an example firewall configuration allowing some common ports, and denying all other traffic.

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

iptables -A INPUT -s 192.168.0.200 -j DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

We will break down these rules one at a time.

iptables -A INPUT -i lo -j ACCEPT

This first command tells the INPUT chain to accept all traffic on your loopback interface. We specify the loopback interface with -i lo. The -j ACCEPT portion is telling iptables to take this action if traffic matches our rule.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Next, we’ll allow connections that are already established or related. This can be especially helpful for traffic like SSH, where you may initiate an outbound connection and wish to accept incoming traffic of the connection you intentionally established.


iptables -A INPUT -p icmp -j ACCEPT

This command tells your server not to block ICMP (ping) packets. This can be helpful for network troubleshooting and monitoring purposes. Note that the -p icmp portion is telling iptables the protocol for this rule is ICMP.


How Do I Allow a Port in Ubuntu?

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

TCP port 22 is commonly used for SSH. This command allows TCP connections on port 22. Change this if you are running SSH on a different port. Notice since SSH uses TCP, we’ve specified the protocol using -p tcp in this rule.


iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These two commands allow web traffic. Regular HTTP uses TCP port 80, and encrypted HTTPS traffic uses TCP port 443.


iptables -A INPUT -p udp --dport 1194 -j ACCEPT

This is a less commonly used port, but here is an example of how to open port 1194 utilizing the UDP protocol instead of TCP. Note that in this example we’ve specified UDP by using -p udp.


How Do I Allow an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

You can configure iptables to always accept connections from an IP address, regardless of what port the connections arrive on. This is commonly referred to as “whitelisting”, and can be helpful in certain circumstances. We’re whitelisting 192.168.0.100 in this example. Typically you would want to be very restrictive with this action and only allow trusted sources.


How Do I Block an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.200 -j DROP

You can also use iptables to block all connections from an IP address or IP range, regardless of what port they arrive on. This can be helpful if you need to block specific known malicious IPs. We’re using 192.168.0.200 as our IP to block in this example.


How Do I Block All Other Ports?

iptables -P INPUT DROP

Next, we tell iptables to block all other inputs. We’re only allowing a few specific ports in our example, but if you had other ports needed, be sure to insert them before issuing the DROP command.


How Do I Forward Traffic in Ubuntu?

iptables -P FORWARD DROP

Likewise, we’re going to drop forwarded packets. Iptables is very powerful, and you can use it to configure your server as a network router. Our example server isn’t acting as a router, so we won’t be using the FORWARD chain.


How Do I Allow All Outbound Traffic?

iptables -P OUTPUT ACCEPT

Finally, we want to allow all outgoing traffic originating from our server. We’re mostly worried about outside traffic hitting our server, and not blocking our own box from accessing the outside world.


How Do I Permanently Save IP Rules?

To make your firewall rules persist after a reboot, we need to save them. The following command will save the current ruleset:

/sbin/iptables-save
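
The same ruleset in iptables-restore format, as an added example that is not from the original article. Because iptables acts on the first rule that matches, the DROP for 192.168.0.200 is placed ahead of the port ACCEPT rules here; and because iptables-save only prints the ruleset to standard output, the script writes it to a file for loading at boot. The path /etc/iptables/rules.v4 assumes the iptables-persistent package is installed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Emit the article's ruleset in iptables-restore format. Source-based rules
# come first so the DROP for 192.168.0.200 is reached before any port ACCEPT.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.200 -j DROP
-A INPUT -s 192.168.0.100 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Print the line number of an exact rule within the ruleset (empty if absent).
rule_index() {
    build_ruleset | grep -nFx -e "$1" | cut -d: -f1
}

# Validate, load and persist the ruleset. Requires root.
apply_ruleset() {
    rules=$(mktemp) || return 1
    build_ruleset > "$rules"
    # --test parses the file without committing anything to the kernel.
    if ! iptables-restore --test < "$rules"; then
        rm -f "$rules"
        return 1
    fi
    # The whole table is swapped in one step, so there is no moment where
    # the DROP policy is active without the SSH rule.
    iptables-restore < "$rules" || { rm -f "$rules"; return 1; }
    # Assumption: iptables-persistent restores this file at boot.
    install -m 600 "$rules" /etc/iptables/rules.v4
    rm -f "$rules"
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run without arguments it only prints the ruleset; run as root with --apply it validates, loads and saves it.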


How Do I Reset My Iptable?

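To wipe out all existing firewall rules and return to a blank slate, you can issue the following command. Remember that an empty iptables configuration allows all traffic to your server, so you typically would not want to leave your server unprotected in this state for very long. Nevertheless, this can be very helpful when configuring new firewall rulesets and you need to revert to a blank slate. Keep in mind that flushing removes the rules but leaves each chain’s default policy as it is: if the INPUT policy is still set to DROP as in the example above, switch it back to ACCEPT before flushing, or you will cut off your own access.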

iptables -F

 

We’ve covered a lot of ground in this article! Configuring iptables can seem like a daunting process when first looking at an extensive firewall ruleset, but if you break down the rules one at a time, it becomes much easier to understand the process. When used correctly, iptables is an indispensable tool for hardening your server’s security. Liquid Web customers enjoy our highly trained support staff, standing by 24×7, if you have questions on iptables configurations. Have fun configuring your firewall!

How to Configure Multiple Sites with Apache

If you are hosting more than one site on a server, then you most likely use Apache’s virtual host files to state which domain should be served out. Name based virtual hosts are one of the methods used to resolve site requests. This means that when someone views your site the request will travel to the server, which in turn, will determine which site’s files to serve out based on the domain name. Using this method you’ll be able to host multiple sites on one server with the same IP. In this tutorial, we’ll show you how to set up your virtual host file for each of your domains on an Ubuntu 18.04 server.

How to Install Apache 2 on Ubuntu 18.04

Apache is the most popular web server software in use today. Its popularity is earned through its stability, speed, and security. Most likely if you are building out a website or any public facing app, you’ll be using Apache to display it. At the time of this writing, the most current offering of Apache is 2.4.39, and it is the version we will be using to install on our Ubuntu 18.04 LTS server. Let’s get started!

Install and Configure Mod_Security on Ubuntu 16.04 Server

Mod_security, also commonly called Modsec for short, is a powerful WAF (Web Application Firewall) that integrates directly into Apache’s module system. This direct integration allows the security module to intercept traffic at the earliest stages of a request. Early detection is crucial for blocking malicious requests before they are passed along to web applications hosted by Apache web sites. This provides an extra layer of protection against common threats a server faces. This article will explore the installation of mod_security along with the CRS (Core Rule Set) in a Ubuntu 16.04 LTS Server running Apache 2.4.

An Introduction to Firewalld

In some ways, firewalld on systemd systems is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize in order to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables afforded.

How to Install and Configure Fail2ban on Ubuntu Server 16.04

Have you ever logged into your server and seen a message such as this?

Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
There were 942 failed login attempts since the last successful login.
Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101

What happened here? This message is informing me that while I was logged out, there were 942 failed attempts to access my server via SSH! This type of message is a strong indicator that my server was probably under a “brute force” attack. In this type of scenario, an attacker will attempt to randomly guess passwords repeatedly until they get lucky with the correct password. This is one reason why using a secure password is so important! Fear not, Fail2ban can be a fantastic tool for dynamically thwarting these types of brute force attacks. This tutorial will walk you through installing and configuring Fail2ban to help protect sshd from brute force attacks. Let’s dig in!

Note:
The remainder of this tutorial requires you to have root privileges. Start by either logging in as root or prefix these commands with sudo.

 

Installing Fail2ban on Ubuntu Server 16.04 is simple. Run the following two commands to install the program:

apt-get update

apt-get install fail2ban -y

We will start the service, so it is running.

service fail2ban restart

Finally, we check to make sure Fail2ban is running after the restart:

service fail2ban status

The output should display active (running) which indicates the service is up and we’re ready to proceed to configuration.

 

Now that Fail2ban is installed and running, we can define custom rules for what services it protects, and how to handle violations.

First, create a configuration file for Fail2ban. This file doesn’t exist by default, but Fail2ban will look for this file and read the contents if it exists:

touch /etc/fail2ban/jail.local

Now we’ll open the configuration file for editing. We’re using vi as our text editor in this example, but feel free to use nano or whatever text editor you are most comfortable with. (Related: check out our helpful tutorial if you need to brush up on how to use vi.) Run the following command to open the file for editing:

vi /etc/fail2ban/jail.local

Paste in the following contents, and save the file:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Let’s review the options we just set. First, we are telling Fail2ban to ignore IP addresses 127.0.0.1 and ::1. These are the IPv4 and IPv6 addresses for localhost, respectively. For the remaining lines, it is important to understand Fail2ban reads time as seconds in the configuration file. These rules will ban IP addresses for one hour {bantime = 3600}, if they make 5 mistakes {maxretry = 5}, within 10 minutes {findtime = 600}. Finally, we enabled the jail for sshd. Feel free to adjust these numbers to your liking, but please consider the following:

Note:
Setting a ban time of -1 will result in a permanent ban on that IP address. You may need to contact Liquid Web support if you accidentally block yourself from your own server. Consider these options carefully!
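
How findtime and maxretry interact, as an added example that is not from the original article and is not Fail2ban’s own code: a simplified sliding-window count over constructed auth.log lines, showing that five failures spread over twenty minutes do not trigger a ban while five within one minute do. The function name would_ban and the sample log entries are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article or of Fail2ban itself.

# Print each source IP that reaches MAXRETRY failed SSH passwords within
# FINDTIME seconds. Usage: would_ban MAXRETRY FINDTIME < auth.log
# Simplification: the month is ignored, so the log must not span a month change.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Seconds since the start of the month, from "Mon DD HH:MM:SS".
            split($3, t, ":")
            now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            # The address follows the last "from" on the line.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            # Record this failure, then slide the window start forward past
            # any failure older than findtime.
            n = ++last[ip]; ts[ip, n] = now
            if (!(ip in first)) first[ip] = 1
            while (now - ts[ip, first[ip]] > findtime) first[ip]++
            if (n - first[ip] + 1 >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# Constructed sample log: 192.168.0.150 fails once every five minutes,
# 192.168.0.102 fails five times inside one minute.
SAMPLE_LOG='Dec 28 11:00:00 host sshd[1101]: Failed password for root from 192.168.0.150 port 40001 ssh2
Dec 28 11:05:00 host sshd[1102]: Failed password for root from 192.168.0.150 port 40002 ssh2
Dec 28 11:10:00 host sshd[1103]: Failed password for root from 192.168.0.150 port 40003 ssh2
Dec 28 11:15:00 host sshd[1104]: Failed password for root from 192.168.0.150 port 40004 ssh2
Dec 28 11:20:00 host sshd[1105]: Failed password for root from 192.168.0.150 port 40005 ssh2
Dec 28 11:36:10 host sshd[1201]: Failed password for root from 192.168.0.102 port 50122 ssh2
Dec 28 11:36:21 host sshd[1202]: Failed password for invalid user admin from 192.168.0.102 port 50123 ssh2
Dec 28 11:36:33 host sshd[1203]: Failed password for root from 192.168.0.102 port 50124 ssh2
Dec 28 11:36:48 host sshd[1204]: Failed password for root from 192.168.0.102 port 50125 ssh2
Dec 28 11:37:02 host sshd[1205]: Failed password for root from 192.168.0.102 port 50126 ssh2
Dec 28 11:40:00 host sshd[1300]: Accepted password for root from 192.168.0.101 port 51000 ssh2'

# With the article's settings (maxretry = 5, findtime = 600):
printf '%s\n' "$SAMPLE_LOG" | would_ban 5 600
```

Lowering maxretry to 3 with the same findtime would also catch the slower source, which is the trade-off to weigh when adjusting these numbers.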

Now that we have created a configuration to use, restart Fail2ban so that our new rules are read and utilized:

service fail2ban restart

We will also double check to make sure Fail2ban is running after the restart:

service fail2ban status

Note:
If Fail2ban does not start successfully after creating your configuration file, it is possible you have a typo in the configuration file /etc/fail2ban/jail.local. Check the file contents and try again!

 

At this point, you have successfully installed and configured Fail2ban, congratulations! For the remainder of this tutorial, we will show you how to use the program and how to manage IP blocks.

Run the following command to check the status of Fail2ban:

fail2ban-client status

Example output shows you the number of currently configured jails. Right now we have only created a jail for sshd:

Status
|- Number of jail:    1
`- Jail list:    sshd

You can also poll the detailed status of individual jails. This command will check the status of the sshd jail we just configured:

fail2ban-client status sshd

Example output shows no IPs blocked, looks good!

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    0
   |- Total banned:    0
   `- Banned IP list:

Now, for example, I’m going to fail five attempts to SSH to my server. After the fifth failed attempt, my IP should be automatically blocked! The following shows the output from my workstation when I try to SSH to the server after the fifth failed attempt:

ssh root@192.168.0.101
ssh: connect to host 192.168.0.101 port 22: Connection refused

The “connection refused” message indicates that the server’s firewall is now blocking us.

Back on the server, let’s again check the status of the SSH jail by running:

fail2ban-client status sshd

The output shows that my IP has indeed been blocked! Looking at the status, we can see my workstation’s IP address has been added to the “Banned IP list”.

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    1
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:    192.168.0.102

Finally, we will demonstrate how to remove a banned IP. This is helpful if you have clients that accidentally block themselves from incorrect password attempts. The syntax for this command is as follows:

fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS>

For example, this command will delist 192.168.0.102 from the sshd jail.

fail2ban-client  set sshd unbanip 192.168.0.102

Let’s double check our work and make sure my IP address has been successfully unblocked:

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    6
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    0
   |- Total banned:    1
   `- Banned IP list:

That wraps it up for this tutorial! We only discussed protecting sshd in this tutorial, but Fail2ban can be used to help protect all kinds of other services such as httpd. We encourage you to do some further reading and see what it is capable of! Just remember that while Fail2ban is awesome, it is not a replacement for a strong set of firewall rules. When properly configured, however, Fail2ban is a great tool to help further harden your server’s security. Have fun and happy IP blocking!