Need help on which options to install with Apache/PHP compiled via Easy Apache

Discussion in 'EasyApache' started by tnedator, Jun 11, 2008.

  1. tnedator

    tnedator Member

    I am on a VPS (Centos 4.6, 1152mb RAM) and basically just host a vBulletin forum (and associated emails) on the VPS. So, I am looking for the best balance of security and performance for the VPS (I have already made my.conf, httpd and other changes based on a server optimization request on the vBulletin forums). I am currently on vBulletin 3.6.8, but will soon be moving to 3.7.1.

    I just updated WHM (release version), and was going to update Apache and PHP via Easy Apache 3.

    Currently:
    Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.5

    eAccelerator Version 0.9.5.2


    My plan was to leave all settings alone, but to upgrade to PHP 5.2.6, but I had questions about whether or not to enable these options prior to the compile:

    Mod SuPHP
    Mod Bandwidth
    Mod Security
    Suhosin for PHP
    Zend Optimizer for PHP

    So, my main question is about those five options, which have not been included in previous compiles of Apache I have done, plus any other suggestions that I should include in my Apache compile. Again, with my goal being the best balance of security/performance for a vBulletin message board.

    Thanks
     
  2. natong

    natong Well-Known Member

    I enable only two modules.

    Mod SuPHP
    Mod Security
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Note, by default, enabling mod_security doesn't enable any mod_security rules (a preventative measure to ensure you don't inadvertently break any existing websites). You can get some mod_security rules from 403security.org.
     
  4. natong

    natong Well-Known Member

    Oops! You are right.

    I just checked my config. I enable only Mod SuPHP,
    and zend optimize is required by some scripts.
     
  5. tnedator

    tnedator Member

    Should I add zend optimize only if I receive errors stating I need it, or add it in case?

    Is zend optimize and zend the same thing, as I thought eaccelerator was tied in with zend in some way?

    As is probably pretty obvious, I am still fairly new to VPS/WHM, having come over from shared hosting 6 months or so ago, and my VPS host has done some of my configurations/setups and I have done some. So, I am learning on the fly.
     
  6. tnedator

    tnedator Member

    When I compiled with suPHP and then changed the PHP5 handler from DSO to suPHP, vBulletin stopped working. I received the following error when trying to pull up "New Posts" in vBulletin:

    Fatal error: Out of memory (allocated 4456448) (tried to allocate 56407 bytes) in /home/useracct/public_html/forums/search.php(3443) : eval()'d code on line 115
     
  7. ChrisRHS

    ChrisRHS Well-Known Member

  8. tnedator

    tnedator Member

    Also, for the mod security rules. I have the rules from 403security.org, but I am not sure how to install them.

    I have looked at the instructions at:

    http://www.gotroot.com/tiki-index.php?page=Setup+of+mod_security

    However, they don't seem to match my httpd.conf, since it now relies on all the include files.

    Gotroot says that this "Include conf.d/*.conf" should be in httpd.conf, and therefore you would load as many the modsecurity.conf in conf.d, but that isn't matching with what I see.

    So, three questions:

    1. where should I put the modsecurity.conf file?
    2. do I need to add an include in my httpd.conf?
    3. should the rules be included in modsecurity.conf or separate the settings and rules, as suggested on gotroot.com?

    Thanks
     
  9. ChrisRHS

    ChrisRHS Well-Known Member

    To edit mod_security rules, log into whm, go to the bottom of the page, under 'Plugins', there is a link to Mod Security. Once clicked, the Edit config button is at the top, and you can just paste in your rules.
     
  10. natong

    natong Well-Known Member

    As I remember, vBulletin doesn't require Zend Optimize.
     
  11. tnedator

    tnedator Member

    It wasn't located there, as it was installed with easy apache 3, rather than with the plugin system. However, I did locate it in CSF:

    When clicking edit, it shows:

    Code:
    LoadFile /opt/xml2/lib/libxml2.so
    LoadModule security2_module  modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf 
    #  "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On 
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log 
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>

    If I am reading this right, it looks like I should copy and paste the rules from http://403security.org/files/modsec_rules.txt into /usr/local/apache/conf/modsec2.user.conf

    Is that correct? What about the configuration settings?

    Code:
    SecAuditLogType Serial
    SecAuditLog logs/modsec_audit.log

    and such. There are many more listed on 403security.org than in the CSF config. Do I just copy the whole file from 403security and put it in the conf, and it will override any dupes in the CSF configuration?
     
  12. tnedator

    tnedator Member

    No, I didn't install suhosin, only mod security and mod suphp.
     
  13. tnedator

    tnedator Member

    Can anyone tell me if the above is correct? Should I just copy all mod_security rules from 403security.org and paste them in the modsec2.user.conf file via the edit function in CSF?

    I noticed there are some duplicate entries between what is listed in modsec2.conf and what I would paste into modsec2.user.conf from 403security, such as:

    Code:
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    
    and possibly a couple others.
    Thanks
     
  14. revolver

    revolver Registered

    Yes - that's correct.
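
Added example (not part of the thread, and not cPanel or 403security.org code): a check for the duplicate-directive question above, listing which settings in a pasted modsec2.user.conf repeat ones in modsec2.conf and whether the value changes. It assumes the usual Apache behaviour that, for a single-valued setting, the later occurrence in the same context (here the Include at the end of the block) is the one in effect; USER_CONF is constructed sample input and the REPEATABLE set is this example's own choice.

```python
import shlex

# Excerpt of the main config as shown in the thread (modsec2.conf).
MAIN_CONF = '''
<IfModule mod_security2.c>
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
'''

# Constructed stand-in for a pasted ruleset (not the real 403security.org file).
USER_CONF = '''
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecAuditLogType Serial
SecDebugLogLevel 3
SecRule REQUEST_URI "@contains /constructed-example" "phase:2,deny"
'''

# Directives that legitimately repeat; any other Sec* directive is treated
# as a single-valued setting (an assumption of this example).
REPEATABLE = {"SecRule", "SecAction", "SecMarker", "SecRuleRemoveById"}

def settings(conf_text):
    """Return {directive: value}, keeping the last occurrence of each setting."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue  # blank line, comment, or container tag
        name = parts[0]
        if name.startswith("Sec") and name not in REPEATABLE:
            value = parts[1] if len(parts) > 1 else ""
            found[name] = " ".join(shlex.split(value))  # drop quoting
    return found

def overlaps(main_text, user_text):
    """List (directive, main value, user value, changed?) for shared settings."""
    main, user = settings(main_text), settings(user_text)
    return [(d, main[d], user[d], main[d] != user[d])
            for d in sorted(main.keys() & user.keys())]

if __name__ == "__main__":
    for name, old, new, changed in overlaps(MAIN_CONF, USER_CONF):
        print(f"{name}: {old!r} -> {new!r} ({'CHANGED' if changed else 'same'})")
```

Rows marked "same" are harmless duplicates; a "CHANGED" row is a setting the pasted file would alter and is worth reviewing before restarting Apache.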
     