Thursday, 16 October 2014

CentOS7 Configuring virtual directory to user FTP home

The purpose of this setup is to allow a single user to manage the website over FTP.
It is achieved by
  1. Changing the Apache service account to the user
  2. Adding the user to the group "apache"
  3. Adding a virtual directory in httpd.conf to within the user's home, e.g. /home/user/www
Steps (assuming user is named demo)
  • sudo usermod -a -G apache demo
  • sudo vi /etc/httpd/conf/httpd.conf
Edit the file as follows:
#User apache    << comment out
User demo       << add as next line
Group apache

Alias /name "/home/demo/www"    << find a good place
<Directory "/home/demo/www">    << and add these 6 lines
    AllowOverride All
    Options None
    Require all granted
</Directory>
Note: in my setup, demo has sudoer rights.

Restart Apache
  • sudo systemctl restart httpd
Configure and enable SSL
  • sudo yum -y install mod_ssl
Create self-signed keys with 10 year validity. For the "Common Name", use your domain name or, lacking one, the IP address
  • sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
Now edit the Apache SSL configuration. Use the same domain name/ip address.
  • sudo vi /etc/httpd/conf.d/ssl.conf
Locate the relevant lines and reconfigure as shown below
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"    <<< uncomment
ServerName 176.31.122.82:443    <<< uncomment, and change server name
SSLCertificateFile /etc/httpd/ssl/apache.crt    <<< change
SSLCertificateKeyFile /etc/httpd/ssl/apache.key   <<< change
Restart Apache
  • sudo systemctl restart httpd
Create users and passwords to use with .htaccess (in the directory that needs to be secured)
  • sudo htpasswd -c ./.htpasswd someusername
  • sudo vi ./.htaccess

Put these lines into the .htaccess file
AuthType Basic
AuthName "Authentication required"
AuthBasicProvider file
AuthUserFile /full/path/to/.htpasswd
Require valid-user

Lock down specific directories (URL paths) (using "sudo vi /etc/httpd/conf/httpd.conf")
<Directory "/home/demo/www/protecteddir">
    RedirectPermanent /demo/protecteddir/ https://domain.name.com/demo/protecteddir/
</Directory>

Install PHPMiniAdmin - search Google for this PHP file and FTP it to your new FTP root folder.
Note: It would be a good idea to "hide" it, e.g. rename to 'myhiddenmysqltool.php'
Create a MySQL user with a password and a user-owned database

  • create user 'username'@'localhost' identified by 'password';
  • create database username;
  • grant all privileges on username.* to 'username'@'localhost';


CentOS 7 LAMP Installation from scratch

SSH Remotely (Go ahead and type yes, and then enter your root password.)
  • ssh root@123.45.67.890
Change root password
  • passwd
Create new root-level superuser
  • adduser demo
  • passwd demo
Allow this user to run everything that root can
  • visudo
Look for the first line below after comment, and add the 2nd line
# User privilege specification
root ALL=(ALL) ALL
demo ALL=(ALL) ALL 
Change SSH port, and disable remote root login
  • sudo vi /etc/ssh/sshd_config
Find the following sections and change the information where applicable (add the last line):
Port 12345
PermitRootLogin no
AllowUsers demo
Reload SSH
  • systemctl reload sshd.service
Edit "/etc/selinux/config" and change the SELINUX line to "SELINUX=disabled"

New syntax for remote SSH (test this works before disconnecting from root session and rebooting!)
  • ssh -p 12345 demo@123.45.67.890
Reboot server to completely turn off SELinux. It will take a while to relabel all files.

Install Apache, PHP, MySQL (MariaDB)
  • sudo yum install httpd mariadb-server mariadb php php-mysql
Start services and enable for auto-start
  • sudo systemctl start httpd
  • sudo systemctl enable httpd.service
  • sudo systemctl start mariadb
  • sudo systemctl enable mariadb.service
Root for Apache is /var/www/html, so you can test by creating a test file in there with this content
  • <?php phpinfo();
Secure MariaDB
  • sudo mysql_secure_installation
Add common PHP extensions, then restart Apache
  • sudo yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
  • sudo systemctl restart httpd.service
Install FTP server (VSFTPD)
  • sudo yum install vsftpd ftp -y
  • sudo vi /etc/vsftpd/vsftpd.conf
Find and change this line from YES to NO
  • anonymous_enable=NO
Enable auto-start and start 
  • sudo systemctl enable vsftpd
  • sudo systemctl start vsftpd
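A small audit script, added here and not part of the original post, that re-checks the edits made above (PermitRootLogin/Port/AllowUsers in sshd_config, anonymous_enable in vsftpd.conf, and the User/Group change in httpd.conf). The values 12345 and demo are the post's own examples; the sample config files it writes are constructed, not copied from any system.

```shell
#!/bin/sh
# Added audit helper, not part of the original post: re-checks the settings
# edited above (sshd_config, vsftpd.conf, the httpd.conf User/Group change).
# Values 12345 and demo are the post's own examples; adjust to your host.

# conf_check FILE KEY WANT: succeed only if KEY appears uncommented in FILE and
# every uncommented occurrence has value WANT. Handles both "Key value"
# (sshd_config) and "key=value" (vsftpd.conf) forms. Checking every occurrence
# avoids relying on whether the daemon honours the first or the last one.
conf_check() {
    awk -v key="$2" -v want="$3" '
        { sub(/#.*/, ""); gsub(/[[:space:]]*=[[:space:]]*/, " ") }
        $1 == key { seen++; if ($2 != want) bad++ }
        END { exit !(seen && !bad) }' "$1"
}

# audit_lamp SSHD_CONF VSFTPD_CONF HTTPD_CONF: one line per check; the return
# value is the number of failed checks, so 0 means all edits are in place.
audit_lamp() {
    fails=0
    for spec in "$1|Port|12345" "$1|PermitRootLogin|no" "$1|AllowUsers|demo" \
                "$2|anonymous_enable|NO" "$3|User|demo" "$3|Group|apache"; do
        file=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        if conf_check "$file" "$key" "$want"; then
            echo "ok    $key $want  ($file)"
        else
            echo "FAIL  $key should be $want  ($file)"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_samples DIR: constructed sample files (not copied from any system) so
# the audit can be tried offline; "before" still has the stock defaults.
write_samples() {
    mkdir -p "$1"
    printf '#Port 22\n#PermitRootLogin yes\nPermitRootLogin yes\n' \
        > "$1/sshd_config.before"
    printf '#Port 22\nPort 12345\n#PermitRootLogin yes\nPermitRootLogin no\nAllowUsers demo\n' \
        > "$1/sshd_config.after"
    printf '# Allow anonymous FTP?\nanonymous_enable=NO\n' > "$1/vsftpd.conf"
    printf '#User apache\nUser demo\nGroup apache\n' > "$1/httpd.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
audit_lamp "$dir/sshd_config.after" "$dir/vsftpd.conf" "$dir/httpd.conf" || echo "$? check(s) failed"
audit_lamp "$dir/sshd_config.before" "$dir/vsftpd.conf" "$dir/httpd.conf" || echo "$? check(s) failed"
rm -rf "$dir"
```

On a real host, point audit_lamp at /etc/ssh/sshd_config, /etc/vsftpd/vsftpd.conf and /etc/httpd/conf/httpd.conf after the edits and before rebooting.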
