Need help on which options to install with Apache/PHP compiled via Easy Apache

[tnedator]

I am on a VPS (Centos 4.6, 1152mb RAM) and basically just host a vBulletin forum (and associated emails) on the VPS. So, I am looking for the best balance of security and performance for the VPS (I have already made my.conf, httpd and other changes based on a server optimization request on the vBulletin forums). I am currently on vBulletin 3.6.8, but will soon be moving to 3.7.1.

I just updated WHM (release version), and was going to update Apache and PHP via Easy Apache 3.

Currently:
Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.5

eAccelerator Version 0.9.5.2


My plan was to leave all setttings alone, but to upgrade to PHP 5.2.6, but I had questions about whether or not to enable these options prior to the compile:

Mod SuPHP
Mod Bandwidth
Mod Security
Suhosin for PHP
Zend Optimizer for PHP

So, my main question is about those five options, which have not been included in previous compiles of Apache I have done, plus any other suggestions that I should include in my Apache compile. Again, with my goal being the best balance of security/performance for a vBulletin message board.

Thanks

[natong]

I enable only two modules.

Mod SuPHP
Mod Security

[cPanelDavidG]

I enable only two modules.

Mod SuPHP
Mod Security

Note, by default, enabling mod_security doesn't enable any mod_security rules (a preventative measure to ensure you don't inadvertently break any existing websites). You can get some mod_security rules from 403security.org.

[natong]

Oops! you are right.

I just check my config. I enable only Mod SuPHP
and zend optimize is required by some scripts.

[tnedator]

Oops! you are right.

I just check my config. I enable only Mod SuPHP
and zend optimize is required by some scripts.

Should I add zend optimize only if I receive errors stating I need it, or add it in case?

Is zend optimize and zend the same thing, as I thought eaccelerator was tied in with zend in some way.

As is probably pretty obvious, I am still fairly new to VPS/WHM, having come over from shared hosting 6 months or so ago, and my VPS host has done some of my configurations/setups and I have done some. so, I am learning on the fly.

[tnedator]

When I compiled with suPHP and then changed the PHP5 handler from DSO to suPHP, vBulletin stopped working. I received the following error when trying to pull up "New Posts" in vBulletin:

Fatal error: Out of memory (allocated 4456448) (tried to allocate 56407 bytes) in /home/useracct/public_html/forums/search.php(3443) : eval()'d code on line 115

[ChrisRHS]

Did you also enable Suhosin? If so, you'll need to make some adjustments for your vb forum to function correctly :

http://forums.cpanel.net/showthread.php?t=82513

[tnedator]

Also, for the mod security rules. I have the rules from 403security.org, but I am not sure how to install them.

I have looked at the instructions at:

http://www.gotroot.com/tiki-index.ph...f+mod_security

However, they don't seem to match my httpd.conf, since it now relies on all the include files.

Gotroot says that this "Include conf.d/*.conf" should be in httpd.conf, and therefore you would load as many the modsecurity.conf in conf.d, but that isn't matching with what I see.

So, three questions:

1. where should I put the modsecurity.conf file?
2. do I need to add an include in my httpd.conf?
3. should the rules be included in modsecurity.conf or seperate the settings and rules, as suggested on gotroot.com?

Thanks

[ChrisRHS]

To edit mod_security rules, log into whm, go to the bottom of the page, under 'Plugins', there is a link to Mod Security. Once clicked, the Edit config button is at the top, and you can just paste in your rules.

[natong]

As I remember, vBulletin doesn't require Zend Optimize.

[tnedator]

To edit mod_security rules, log into whm, go to the bottom of the page, under 'Plugins', there is a link to Mod Security. Once clicked, the Edit config button is at the top, and you can just paste in your rules.

It wasn't located there, as it was installed with easy apache 3, rather than with the plugin system. However, I did locate it in CSF:

When clicking edit, it shows:

Code:

LoadFile /opt/xml2/lib/libxml2.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On 
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log 
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

If I am reading this right, it looks like I should copy and paste the rules from http://403security.org/files/modsec_rules.txt into /usr/local/apache/conf/modsec2.user.conf

Is that correct? What about the configuration settings?

Code:

SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

and such. There are many more listed on 403security.org than in the CSF config. Do I just copy the whole file from 403security and put it in the conf, and it will override any dupes in the CSF configuration?

[tnedator]

Did you also enable Suhosin? If so, you'll need to make some adjustments for your vb forum to function correctly :

http://forums.cpanel.net/showthread.php?t=82513

No, I didn't install suhosin, only mod security and mod suphp.

[tnedator]

It wasn't located there, as it was installed with easy apache 3, rather than with the plugin system. However, I did locate it in CSF:

When clicking edit, it shows:

Code:

LoadFile /opt/xml2/lib/libxml2.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On 
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log 
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>

If I am reading this right, it looks like I should copy and paste the rules from http://403security.org/files/modsec_rules.txt into /usr/local/apache/conf/modsec2.user.conf

Is that correct? What about the configuration settings?

Code:

SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log

and such. There are many more listed on 403security.org than in the CSF config. Do I just copy the whole file from 403security and put it in the conf, and it will override any dupes in the CSF configuration?

Can anyone tell me if the above is correct. Should I just copy all mod_security rules from 403security.org and paste them in the modsec2.user.conf file via the edit function in CSF?

I noticed there are some duplicate entries between what is listed in modsec2.conf and what I would paste into modsec2.user.conf from 403security, such as:

Code:

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

and possibly a couple others.

Thanks

[revolver]

Can anyone tell me if the above is correct. Should I just copy all mod_security rules from 403security.org and paste them in the modsec2.user.conf file via the edit function in CSF?

Yes - that's correct.