Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:server_preparation_tmp [2020/03/24 08:15] urbanl |
tutorial:adm:server_preparation_tmp [2020/07/24 08:05] fiserp [Instalation and software configuration] |
||
---|---|---|---|
Line 1: | Line 1: | ||
<note important> | <note important> | ||
- | This tutorial is in development | + | **This tutorial is under development, DO NOT USE.** |
Author: Ludek Urban | Author: Ludek Urban | ||
Line 11: | Line 11: | ||
{{tag> | {{tag> | ||
- | This tutorial shows how to prepare the server for test or production | + | This tutorial shows how to prepare the server for test or production |
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | * 1 server (can be virtualized) for all: backend, frontend and database. | + | * 1 server (can be virtualized) for everything: backend, frontend and database. |
- | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | + | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation |
- | * It is possible to use Debian but you have to adjust | + | * It is possible to use Debian |
- | * PostgreSQL - installed from a new repository | + | * PostgreSQL |
- | * Java - distribution repository (OpenJDK 1.8) | + | * Java 11 - installed from OS packages. |
- | * Apache Tomcat - manually | + | * Apache Tomcat |
- | * Services | + | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. |
- | * Services run under dedicated | + | * All services |
+ | * Each service runs under dedicated non-privileged | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
Prerequisities - Basic installation of CentOS 8 | Prerequisities - Basic installation of CentOS 8 | ||
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
- | yum clean all | + | dnf clean all |
- | yum install | + | dnf -y install |
- | yum update -y | + | dnf update -y |
- | # check installed packages. It's recommanded to have them installed. | + | |
- | yum list installed | + | |
# other recommended packages installation | # other recommended packages installation | ||
- | yum install | + | dnf -y install |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
systemctl enable haveged.service | systemctl enable haveged.service | ||
- | # remove unnecessary software | + | |
- | yum remove -y postfix | + | |
- | systemctl stop avahi-daemon.socket avahi-daemon.service | + | |
- | systemctl disable avahi-daemon.socket avahi-daemon.service | + | |
- | yum remove -y avahi-autoipd avahi | + | |
# set the hostname | # set the hostname | ||
hostnamectl set-hostname FQDN_server_name | hostnamectl set-hostname FQDN_server_name | ||
Line 104: | Line 100: | ||
Change SELINUX labels: | Change SELINUX labels: | ||
< | < | ||
- | chcon -Rt postgresql_db_t pgsql/ | + | chcon -Rt postgresql_db_t |
chcon -Rt postgresql_log_t / | chcon -Rt postgresql_log_t / | ||
</ | </ | ||
Line 210: | Line 206: | ||
useradd -r -s / | useradd -r -s / | ||
getent passwd tomcat | getent passwd tomcat | ||
- | tomcat: | + | #tomcat: |
</ | </ | ||
Line 388: | Line 384: | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
* In the ''/ | * In the ''/ | ||
- | | + | |
+ | * Set the '' | ||
+ | * In the ''/ | ||
+ | |||
+ | | ||
< | < | ||
Line 567: | Line 567: | ||
* Audit log: ''/ | * Audit log: ''/ | ||
* Directory with activated rules: ''/ | * Directory with activated rules: ''/ | ||
- | * basic configuration file for mod\_security: | + | * basic configuration file for mod\_security: |
* The file for chosen rules deactivation: | * The file for chosen rules deactivation: | ||
Line 581: | Line 581: | ||
==== Disabling mod_security rules ==== | ==== Disabling mod_security rules ==== | ||
+ | |||
+ | These rules are disabled for modsec_crs 3.0. | ||
In the file ''/ | In the file ''/ | ||
+ | |||
<code xml> | <code xml> | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | | ||
+ | | ||
# Allow Czech signs | # Allow Czech signs | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
| | ||
# Too restrictive for login format | # Too restrictive for login format | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | |||
# Needed by Websockets | # Needed by Websockets | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
</ | </ | ||
| | ||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
- | # Modsec can throw false positives on some files due to multipart boundary check | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
# do not log request/ | # do not log request/ | ||
SecAuditLogParts ABFHZ | SecAuditLogParts ABFHZ | ||
Line 622: | Line 614: | ||
==== mod_security configuration - CentOS8 | ==== mod_security configuration - CentOS8 | ||
- | In the file / | + | In the file / |
- | Whole rules after the changes looks like this: | + | |
+ | * find the rule 900200 and add methods | ||
< | < | ||
Line 633: | Line 626: | ||
nolog,\ | nolog,\ | ||
setvar:' | setvar:' | ||
+ | </ | ||
+ | * find the rule 900220 and add support for content\_type=application/ | ||
+ | |||
+ | < | ||
# Default HTTP policy: allowed_request_content_type (rule 900220) | # Default HTTP policy: allowed_request_content_type (rule 900220) | ||
SecRule & | SecRule & |