CentOS Server Security | Steps to Configuring SELinux
If you're operating a website or blog on a shared hosting server and need the flexibility to tweak the OS, or simply to install an additional daemon or piece of software, then it's about time you switched to a Virtual Private Server (VPS). In a shared hosting environment you are a tenant sharing everything from OS configuration to bandwidth. That's like sharing the air conditioning (one setting for everyone) and the front door (one shared entrance for all guests). You're right, it can work, but let's face it, it's a nuisance. This type of environment hardly fosters growth or offers realistic security. Think about an intrusion, for example: on a shared hosting server every customer would be at risk.
Virtual Private Servers provide fully configurable hosting environments that allow individuals to install their own services (without the bloatware), configure their own settings and acquire dedicated bandwidth. The flip side of this type of service is that it is now up to you to manage and monitor your web server.
Now, let's take a look at some of the steps you will need to take to ensure that you have a healthy, secure and well-oiled web server.
Configuring SELinux instead of turning it off (setenforce 0 is bad for security)
Firstly, to see whether SELinux is the culprit, you can temporarily switch it to permissive mode with setenforce 0 and re-test; if the problem goes away, SELinux policy is what needs configuring.
1. SELinux: Allowing Apache to connect to MySQL on CentOS
# Stop the httpd service
service httpd stop
# Allow scripts run by Apache to open outbound network connections.
# -P makes the boolean persist across reboots; without it the setting is lost
# on restart. httpd_can_network_connect_db alone is enough for a database
# connection, while httpd_can_network_connect lets Apache reach any host/port,
# so only enable the broader one if your application actually needs it.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
# Start the httpd service
service httpd start
2. SELinux: Allowing Apache to upload files
Configuring SELinux is important if you find that your upload directory has the correct permissions but you are still unable to upload files via your web application. The first thing to do is apply chmod -R 755 to the uploads directory and grant the Apache user access to the folder with chown -R apache:root. If uploads still fail after that, the SELinux file context is the usual cause:
# Set the SELinux context so Apache may write to the web tree
# (semanage comes from the policycoreutils-python package on CentOS).
# Narrow the regex to the upload directory if you can: httpd_sys_rw_content_t on
# the whole site lets a compromised web application rewrite every page it serves.
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"
# Apply the context to the directory
restorecon -Rv /var/www/html/ec5online/
# Apache user needs to have rights to create files in both directories
# (the path was truncated in the original; replace the placeholder with the
#  upload directory, never the filesystem root)
setfacl -R -m u:apache:rwX /PATH/TO/UPLOAD/DIRECTORY
Security via TCP Wrappers (hosts.allow and hosts.deny)
On CentOS web servers one can selectively block or allow services via the hosts.deny and hosts.allow files, both of which are located in the /etc directory. It is important to be careful when editing these files, as you could potentially lock yourself out permanently.
ONLY restrict the SSHD service if you are connecting from a static IP address.
ALWAYS update hosts.allow before hosts.deny (prevents lockout).
RESTART the SSHD service after updating the TCP wrappers files (service sshd restart).
Restricting Services to a Specific IP via hosts.allow
sshd: 192.168.1.55
sshd: 220.127.116.11
Blocking Services via hosts.deny
sshd: ALL
ssh: ALL
ftp: ALL
smtp: ALL
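As an added example (not part of the original post), the following Python simulates the allow-then-deny decision that tcpd makes from hosts.allow and hosts.deny, using constructed file contents that mirror the rules above, so the lockout warning can be checked before sshd is restarted. It assumes only a subset of the client patterns from hosts_access(5): ALL, exact IPv4 addresses, dotted prefixes, addr/mask netmasks and EXCEPT; hostname patterns are not handled.

```python
import ipaddress

def _list_matches(tokens, matcher):
    """Evaluate "list [EXCEPT list]" the way hosts_access(5) describes."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], matcher) and not _list_matches(tokens[i + 1:], matcher)
    return any(matcher(tok) for tok in tokens)

def _client_matches(pattern, client_ip):
    """Subset of client patterns: ALL, exact IPv4 address, dotted prefix, addr/mask."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.1." matches every host in that /24
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # "10.0.0.0/255.0.0.0" style netmask
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip

def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list [: command]' line in text matches."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].replace(",", " ").split(":")
        if len(fields) < 2:
            continue
        daemon_ok = _list_matches(fields[0].split(), lambda d: d.upper() == "ALL" or d == daemon)
        if daemon_ok and _list_matches(fields[1].split(), lambda c: _client_matches(c, client_ip)):
            return True
    return False

def wrappers_decision(daemon, client_ip, hosts_allow, hosts_deny):
    """Return "allow" or "deny": a hosts.allow match wins, then hosts.deny, else allow."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"

def lockout_check(admin_ip, hosts_allow, hosts_deny):
    """True if the administrator's own address can still reach sshd with these files."""
    return wrappers_decision("sshd", admin_ip, hosts_allow, hosts_deny) == "allow"

# Constructed sample files mirroring the rules in the article.
HOSTS_ALLOW = "sshd: 192.168.1.55\nsshd: 220.127.116.11\n"
HOSTS_DENY = "sshd: ALL\nftp: ALL\nsmtp: ALL\n"
```

On a real CentOS host the tcpdmatch utility from the tcp_wrappers package performs the same check against the live files, e.g. tcpdmatch sshd 192.168.1.55.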