
All About Kloxo

This tutorial is totally dedicated to Kloxo, its security, and tricks & tips.

By Bharat Vashist https://www.shineservers.com

Update your CentOS


yum update -y

Install wget if not installed


yum install -y wget

Install nano editor (very handy)


yum install -y nano

Install Kloxo
wget http://download.lxcenter.org/download/kloxo/production/kloxo-install-master.sh
sh ./kloxo-install-master.sh

Login to Kloxo at your server IP on port 7778, with username admin and password admin (which you must change). Enter your DNS details and create resource plans.

Configure mod_ruid2 for security. Quote from the Kloxo Development Forums:

"With this module, all httpd processes run under the user's access rights, not nobody or apache. mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it doesn't need to kill httpd children after one request. It makes use of kernel capabilities and after receiving a new request suids again.
- it runs only on Linux because afaik only Linux has implemented POSIX 1003.1e capabilities
- it has better performance than mod_suid2 because it doesn't need to kill httpd children after one request. It makes use of kernel capabilities and after receiving a new request suids again."

Create the repo file
/etc/yum.repos.d/atomic.repo


Add this to file


# Name: Atomic Rocket Turtle RPM Repository for CentOS / Red Hat Enterprise Linux 5
# URL: http://www.atomicrocketturtle.com/
[atomic]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic/centos-5-$basearch
#mirrorlist = http://www.atomicorp.com/channels/atomic/centos/5/mirrors-atomic
enabled = 1
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1
# only need mod_ packages
includepkgs=mod_*

# Almost Stable, release candidates for [atomic]
[atomic-testing]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com (Testing)
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic-testing/centos-5-$basearch
enabled = 0
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1

# Untested, Unstable, known buggy, and incomplete packages.
#[atomic-bleeding]
#name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com (Bleeding)
#baseurl = http://www.atomicorp.com/channels/atomic-bleeding/centos/5/$basearch/
#enabled = 0
#gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
#gpgcheck = 1

Install mod_ruid2
yum install mod_ruid2

Edit web__apachelib.php


nano /usr/local/lxlabs/kloxo/httpdocs/lib/domain/web/driver/web__apachelib.php


Delete all and enter this (be aware of word wrap)


function getSuexecString($username)
{
    $string = "\n";
    $string .= "<IfModule suexec.c>\n";
    $string .= "SuexecUserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "<IfModule mod_suphp.c>\n";
    /* --- too much code and overlap with suphp.conf (http://project.lxcenter.org/issues/563)
    $string .= "<IfModule !sapi_apache2.c>\n";
    $string .= "<IfModule !mod_php5.c>\n";
    $string .= "<Location />\n";
    $string .= "Options MultiViews Indexes Includes FollowSymLinks ExecCGI\n";
    $string .= "</Location>\n";
    $string .= "</IfModule>\n\n";
    $string .= "</IfModule>\n\n";
    --- */
    $string .= "SuPhp_UserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "AddType application/x-httpd-php .php\n";
    $string .= "RemoveHandler .php\n";
    $string .= "<FilesMatch \"\.php$\" >\n";
    $string .= "SetHandler x-httpd-php\n";
    $string .= "</FilesMatch>\n";
    $string .= "<Location />\n";
    $string .= "suPHP_AddHandler x-httpd-php \n";
    $string .= "</Location>\n";

    // begin - this portion for mod_ruid2: every request for this domain is
    // served under the account's own uid/gid instead of the shared httpd user
    $string .= "<IfModule mod_ruid2.c>\n";
    $string .= "RMode config\n";
    $string .= "RUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RMinUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RGroups {$this->main->username}\n";
    $string .= "</IfModule>\n\n";
    // end

    return $string;
}

Login to Kloxo and then change suphp to mod_php in 'Webserver Config'. Choose 'Apache' instead of Lighttpd in 'Switch Program'. This is the default setting, so if you did not change it since the Kloxo install there is nothing to do. If you have domains added, run this
sh /script/fixweb

Restart apache
service httpd restart
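After fixweb has regenerated the per-domain Apache config, it is worth checking that every VirtualHost actually carries the mod_ruid2 block from getSuexecString() above, since a domain without RUidGid silently keeps running as the shared httpd user. The script below is an added example (not Kloxo's own code); SAMPLE_CONF is a constructed config fragment, and the ruid_users / audit_ruid function names are this example's own.

```shell
#!/bin/sh
# Added example: audit per-domain Apache config for the mod_ruid2 block that
# getSuexecString() above emits. SAMPLE_CONF is constructed, not from a real Kloxo host.
SAMPLE_CONF='<VirtualHost *:80>
    ServerName alice.example
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid alice alice
        RMinUidGid alice alice
        RGroups alice
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
</VirtualHost>
<VirtualHost *:80>
    ServerName shared.example
    <IfModule mod_ruid2.c>
        RUidGid apache apache
    </IfModule>
</VirtualHost>'

# ruid_users CONF: prints "servername user" per VirtualHost; user is "-" when RUidGid is absent
ruid_users() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^<VirtualHost/   { name = "?"; user = "-" }
        $1 == "ServerName"     { name = $2 }
        $1 == "RUidGid"        { user = $2 }
        $1 == "</VirtualHost>" { print name, user }'
}

# audit_ruid CONF: one FAIL line per vhost that would not run under its own account user
# (no RUidGid at all, or RUidGid pointing at a shared or privileged identity)
audit_ruid() {
    ruid_users "$1" | awk '
        $2 == "-" { print "FAIL: " $1 " has no RUidGid, requests run as the shared httpd user"; next }
        $2 == "root" || $2 == "apache" || $2 == "nobody" { print "FAIL: " $1 " runs as " $2 }'
}

# audit_ruid_count CONF: number of failing vhosts
audit_ruid_count() {
    audit_ruid "$1" | wc -l | tr -d ' '
}

audit_ruid "$SAMPLE_CONF"
```

On a live host, feed it the generated config (for example the output of `cat /etc/httpd/conf/kloxo/*.conf`, path assumed) instead of SAMPLE_CONF.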


Stop iptables service:


/etc/init.d/iptables stop

Disable iptables service:


chkconfig iptables off

Copy this code to /etc/init.d/firewall (Reminder: Disable "word wrap" in your text editor. Ex.: nano -w /etc/init.d/firewall)
#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall

case "$1" in
start)
    # Clear rules
    iptables -t filter -F
    iptables -t filter -X
    echo - Clear rules : [OK]

    # SSH In
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    echo - SSH : [OK]

    # Don't break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo - established connections : [OK]

    # Block all connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
    echo - Block all connections : [OK]

    # SYN-Flood Protection
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
    iptables -A syn-flood -j DROP
    # Send new TCP connection attempts through the chain (added here: the original
    # script defined syn-flood but never jumped to it, so the chain was never used)
    iptables -A INPUT -p tcp --syn -j syn-flood
    echo - SYN-Flood Protection : [OK]

    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    echo - Loopback : [OK]

    # ICMP (Ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    echo - PING : [OK]

    # DNS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    echo - DNS : [OK]

    # NTP Out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
    echo - NTP : [OK]

    # WHOIS Out
    iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
    echo - WHOIS : [OK]

    # FTP Out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
    # FTP In (30000:50000 is the passive-mode data port range)
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo - FTP : [OK]

    # HTTP + HTTPS Out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # HTTP + HTTPS In
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    echo - HTTP/HTTPS : [OK]

    # Mail SMTP:25
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
    echo - SMTP : [OK]

    # Mail POP3:110
    iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
    echo - POP : [OK]

    # Mail IMAP:143
    iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
    echo - IMAP : [OK]

    # Kloxo
    iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
    echo - Kloxo : [OK]

    echo - Firewall [OK]
    exit 0
    ;;
stop)
    echo "Stopping Firewall... "
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t filter -F
    echo "Firewall Stopped!"
    exit 0
    ;;
restart)
    /etc/init.d/firewall stop
    /etc/init.d/firewall start
    ;;
*)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac

Make the script executable (root only):

chmod 700 /etc/init.d/firewall

Add firewall service:


chkconfig --add firewall

Auto start firewall:


chkconfig --level 2345 firewall on

Start firewall:
/etc/init.d/firewall start
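Once the firewall is running, verify the live ruleset rather than trusting the [OK] lines, because a chain that is defined but never jumped to, or a policy left at ACCEPT, prints no error. The script below is an added example (not part of the original tutorial) that audits an iptables-save style dump for what the firewall script above is meant to enforce; SAMPLE_DUMP is constructed, deliberately with two defects, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the policy /etc/init.d/firewall
# is meant to enforce. SAMPLE_DUMP is constructed (not captured from a real server) and
# contains two deliberate defects: OUTPUT policy ACCEPT and an unused syn-flood chain.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7777:7778 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j DROP
COMMIT'

# policy_is DUMP CHAIN POLICY: succeeds if CHAIN's default policy in DUMP is POLICY
policy_is() {
    printf '%s\n' "$1" | grep -q "^:$2 $3 "
}

# port_accepted DUMP CHAIN DPORT: succeeds if CHAIN has an ACCEPT rule for that --dport
port_accepted() {
    printf '%s\n' "$1" | grep -q "^-A $2 .*--dport $3 .*-j ACCEPT"
}

# chain_referenced DUMP CHAIN: succeeds if some rule jumps to CHAIN
# (a chain nothing jumps to filters nothing, however good its rules look)
chain_referenced() {
    printf '%s\n' "$1" | grep -q -- "-j $2\$"
}

# audit_firewall DUMP: prints one line per failed check, returns the number of failures
audit_firewall() {
    dump=$1; fails=0
    for chain in INPUT FORWARD OUTPUT; do
        policy_is "$dump" "$chain" DROP || { echo "FAIL: $chain policy is not DROP"; fails=$((fails+1)); }
    done
    for port in 22 7777:7778; do
        port_accepted "$dump" INPUT "$port" || { echo "FAIL: no INPUT ACCEPT for port $port"; fails=$((fails+1)); }
    done
    chain_referenced "$dump" syn-flood || { echo "FAIL: syn-flood chain is never jumped to"; fails=$((fails+1)); }
    return $fails
}

audit_firewall "$SAMPLE_DUMP" || echo "$? check(s) failed"
```

On the real server run `audit_firewall "$(iptables-save)"` instead of the sample; a zero return means every check passed.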

If you have a slave server, add this on the master


iptables -t filter -A INPUT -p tcp -s SLAVE_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d SLAVE_IP --dport 7779 -j ACCEPT

Note: replace SLAVE_IP with your Slave server IP.



Add this on the slave server


iptables -t filter -A INPUT -p tcp -s MASTER_IP --dport 7779 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d MASTER_IP --dport 7779 -j ACCEPT

Note: replace MASTER_IP with your Master server IP.

Tweaking a web server is very necessary: the fewer resources it consumes, the more stable it will be and the more websites it will be able to handle. Kloxo/lxadmin is a free control panel and has been working quite well, but the problem with it is that it uses a lot of RAM, although the Kloxo documentation claims that it only eats 33MB of RAM, which is completely wrong in my experience.

If you are running simple websites or blogs, then you do not need InnoDB. InnoDB is a MySQL storage engine and is not required for simple websites. Therefore disabling InnoDB in Kloxo will save a lot of RAM. The same goes for bdb, another storage backend.

1. Login to the server using SSH
2. Open /etc/my.cnf
3. Add the lines to disable innodb and bdb
4. Save and close the file
5. Restart MySQL, and you will see a huge decrease in RAM usage.

The lines to add:

skip-bdb
skip-innodb

RAM usage before disabling innodb and bdb:

[root@mailserver1 ~]# top
top - 07:16:22 up 2:50, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 29 total, 2 running, 27 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 269420k used, 1827732k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

Disabling innodb and bdb (back up my.cnf first):

[root@mailserver1 etc]# cp my.cnf my.cnf.backup
[root@mailserver1 etc]# nano my.cnf

Added:

skip-bdb
skip-innodb

Restart MySQL:

[root@mailserver1 etc]# service mysqld restart
Stopping MySQL:  [  OK  ]
Starting MySQL:  [  OK  ]

RAM usage after:

[root@mailserver1 etc]# top
top - 07:18:20 up 2:52, 1 user, load average: 0.06, 0.03, 0.01
Tasks: 29 total, 1 running, 28 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2097152k total, 163464k used, 1933688k free, 0k buffers
Swap: 0k total, 0k used, 0k free, 0k cached

You can clearly see that RAM usage decreased from 256MB to 164MB after disabling innodb and bdb.
