From 668cced572ff229b6426db7381ea9fea1a9f225a Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Mon, 4 Jul 2016 16:50:30 +0200
Subject: [PATCH] Imported submitted tutorial from https://www.pozzo-balbi.com/help/Zerobin

---
 Installation-on-Red-Hat-with-SELinux.md | 235 ++++++++++++++++++++++++
 1 file changed, 235 insertions(+)
 create mode 100644 Installation-on-Red-Hat-with-SELinux.md

diff --git a/Installation-on-Red-Hat-with-SELinux.md b/Installation-on-Red-Hat-with-SELinux.md
new file mode 100644
index 0000000..c08a3e6
--- /dev/null
+++ b/Installation-on-Red-Hat-with-SELinux.md
@@ -0,0 +1,235 @@
+This tutorial on how to install httpd, php70 and ZeroBin on a minimal red hat or CentOS 7 installation was provided by [@pozzo-balbi](https://github.com/pozzo-balbi) and was originally published at [pozzo-balbi.com/help/Zerobin](https://www.pozzo-balbi.com/help/Zerobin).
+
+## Prerequisits
+
+Assuming you are running a VM with minimal installation, you will need to install the following. First php in the latest version and httpd.
+
+ rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
+ yum -y install php70w php70w-opcache php70w-gd php70w-intl php70w-mbstring php70w-mcrypt php70w-xml httpd httpd-tools
+
+Update php.ini:
+
+ sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
+ sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
+ sed -i 's/;date.timezone =/date.timezone = Europe\/Berlin/' /etc/php.ini
+ sed -i 's/;mail.log = syslog/mail.log = syslog/' /etc/php.ini
+ sed -i 's/;realpath_cache_size = 16k/realpath_cache_size = 256k/' /etc/php.ini
+ sed -i 's/;realpath_cache_ttl = 120/realpath_cache_ttl = 1200/' /etc/php.ini
+
+Now customize httpd. Remove unnecessary modules (for ZeroBin) from `/etc/httpd/conf.modules.d`. Uncomment as needed.
+
+00-base.conf:
+
+ LoadModule access_compat_module modules/mod_access_compat.so
+ #Group authorizations based on host (name or IP address)
+ #LoadModule actions_module modules/mod_actions.so #Execute CGI scripts based on media type or request method.
+ #LoadModule alias_module modules/mod_alias.so #Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
+ #LoadModule allowmethods_module modules/mod_allowmethods.so #Easily restrict what HTTP methods can be used on the server
+ #LoadModule auth_basic_module modules/mod_auth_basic.so #Basic HTTP authentication
+ #LoadModule auth_digest_module modules/mod_auth_digest.so #User authentication using MD5 Digest Authentication
+ #LoadModule authn_anon_module modules/mod_authn_anon.so #Allows "anonymous" user access to authenticated areas
+ #LoadModule authn_core_module modules/mod_authn_core.so #Core Authentication
+ #LoadModule authn_dbd_module modules/mod_authn_dbd.so #User authentication using an SQL database
+ #LoadModule authn_dbm_module modules/mod_authn_dbm.so #User authentication using DBM files
+ #LoadModule authn_file_module modules/mod_authn_file.so #User authentication using text files
+ #LoadModule authn_socache_module modules/mod_authn_socache.so #Manages a cache of authentication credentials to relieve the load on backends
+ LoadModule authz_core_module modules/mod_authz_core.so
+ #Core Authorization
+ #LoadModule authz_dbd_module modules/mod_authz_dbd.so #Group Authorization and Login using SQL
+ #LoadModule authz_dbm_module modules/mod_authz_dbm.so #Group authorization using DBM files
+ #LoadModule authz_groupfile_module modules/mod_authz_groupfile.so #Group authorization using plaintext files
+ #LoadModule authz_host_module modules/mod_authz_host.so #Group authorizations based on host (name or IP address)
+ #LoadModule authz_owner_module modules/mod_authz_owner.so #Authorization based on file ownership
+ #LoadModule authz_user_module modules/mod_authz_user.so #User Authorization
+ #LoadModule autoindex_module modules/mod_autoindex.so #Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
+ LoadModule cache_module modules/mod_cache.so
+ #RFC 2616 compliant HTTP caching filter.
+ LoadModule cache_disk_module modules/mod_cache_disk.so
+ #Disk based storage module for the HTTP caching filter.
+ LoadModule data_module modules/mod_data.so
+ #Convert response body into an RFC2397 data URL
+ #LoadModule dbd_module modules/mod_dbd.so #Manages SQL database connections
+ LoadModule deflate_module modules/mod_deflate.so
+ #Compress content before it is delivered to the client
+ LoadModule dir_module modules/mod_dir.so
+ #Provides for "trailing slash" redirects and serving directory index files
+ #LoadModule dumpio_module modules/mod_dumpio.so #Dumps all I/O to error log as desired.
+ #LoadModule echo_module modules/mod_echo.so #A simple echo server to illustrate protocol modules
+ #LoadModule env_module modules/mod_env.so #Modifies the environment which is passed to CGI scripts and SSI pages
+ LoadModule expires_module modules/mod_expires.so
+ #Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
+ #LoadModule ext_filter_module modules/mod_ext_filter.so #Pass the response body through an external program before delivery to the client
+ #LoadModule filter_module modules/mod_filter.so #Context-sensitive smart filter configuration module
+ LoadModule headers_module modules/mod_headers.so
+ #Customization of HTTP request and response headers
+ #LoadModule include_module modules/mod_include.so #Server-parsed html documents (Server Side Includes)
+ #LoadModule info_module modules/mod_info.so #Provides a comprehensive overview of the server configuration
+ LoadModule log_config_module modules/mod_log_config.so
+ #Logging of the requests made to the server
+ #LoadModule logio_module modules/mod_logio.so #Logging of input and output bytes per request
+ #LoadModule mime_magic_module modules/mod_mime_magic.so #Determines the MIME type of a file by looking at a few bytes of its contents
+ LoadModule mime_module modules/mod_mime.so
+ #Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
+ #LoadModule negotiation_module modules/mod_negotiation.so #Provides for content negotiation
+ LoadModule remoteip_module modules/mod_remoteip.so
+ #Replaces the original client IP address for the connection with the useragent IP address list presented by a proxies or a load balancer via the request headers.
+ #LoadModule reqtimeout_module modules/mod_reqtimeout.so #Set timeout and minimum data rate for receiving requests
+ LoadModule rewrite_module modules/mod_rewrite.so
+ #Provides a rule-based rewriting engine to rewrite requested URLs on the fly
+ #LoadModule setenvif_module modules/mod_setenvif.so #Allows the setting of environment variables based on characteristics of the request
+ #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #Slot-based shared memory provider.
+ #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #Slot-based shared memory provider.
+ #LoadModule socache_dbm_module modules/mod_socache_dbm.so #DBM based shared object cache provider.
+ #LoadModule socache_memcache_module modules/mod_socache_memcache.so #Memcache based shared object cache provider.
+ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+ #shmcb based shared object cache provider.
+ #LoadModule status_module modules/mod_status.so #Provides information on server activity and performance
+ #LoadModule substitute_module modules/mod_substitute.so #Perform search and replace operations on response bodies
+ #LoadModule suexec_module modules/mod_suexec.so #Allows CGI scripts to run as a specified user and Group
+ LoadModule unique_id_module modules/mod_unique_id.so
+ #Provides an environment variable with a unique identifier for each request
+ LoadModule unixd_module modules/mod_unixd.so
+ #Basic (required) security for Unix-family platforms.
+ #LoadModule userdir_module modules/mod_userdir.so #User-specific directories
+ #LoadModule version_module modules/mod_version.so #Version dependent configuration
+ #LoadModule vhost_alias_module modules/mod_vhost_alias.so #Provides for dynamically configured mass virtual hosting
+
+ #LoadModule buffer_module modules/mod_buffer.so #Support for request buffering
+ #LoadModule watchdog_module modules/mod_watchdog.so #provides infrastructure for other modules to periodically run tasks
+ #LoadModule heartbeat_module modules/mod_heartbeat.so #Sends messages with server status to frontend proxy
+ #LoadModule heartmonitor_module modules/mod_heartmonitor.so #Centralized monitor for mod_heartbeat origin servers
+ #LoadModule usertrack_module modules/mod_usertrack.so #Clickstream logging of user activity on a site
+ #LoadModule dialup_module modules/mod_dialup.so #Send static content at a bandwidth rate limit, defined by the various old modem standards
+ #LoadModule charset_lite_module modules/mod_charset_lite.so #Specify character set translation or recoding
+ #LoadModule log_debug_module modules/mod_log_debug.so #Additional configurable debug logging
+ #LoadModule ratelimit_module modules/mod_ratelimit.so #Bandwidth Rate Limiting for Clients
+ #LoadModule reflector_module modules/mod_reflector.so #Reflect a request body as a response via the output filter stack.
+ #LoadModule request_module modules/mod_request.so #Filters to handle and make available HTTP request bodies
+ #LoadModule sed_module modules/mod_sed.so #Filter Input (request) and Output (response) content using sed syntax
+ #LoadModule speling_module modules/mod_speling.so #Attempts to correct mistaken URLs by ignoring capitalization, or attempting to correct various minor misspellings.
+
+00-dav.conf:
+
+ #LoadModule dav_module modules/mod_dav.so
+ #LoadModule dav_fs_module modules/mod_dav_fs.so
+ #LoadModule dav_lock_module modules/mod_dav_lock.so
+
+00-lua.conf:
+
+ #LoadModule lua_module modules/mod_lua.so
+
+00-proxy.conf:
+
+ #LoadModule proxy_module modules/mod_proxy.so
+ #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
+ #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
+ #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
+ #LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
+ #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+ #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+ #LoadModule proxy_connect_module modules/mod_proxy_connect.so
+ #LoadModule proxy_express_module modules/mod_proxy_express.so
+ #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+ #LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+ #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+ #LoadModule proxy_http_module modules/mod_proxy_http.so
+ #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+
+01-cgi.conf:
+
+
+ # LoadModule cgid_module modules/mod_cgid.so
+
+
+ # LoadModule cgid_module modules/mod_cgid.so
+
+
+ # LoadModule cgi_module modules/mod_cgi.so
+
+
+Next adjust settings for modules in /etc/httpd/conf.d .
+
+ mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig
+ mv /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.orig
+ touch /etc/httpd/conf.d/autoindex.conf
+ touch /etc/httpd/conf.d/userdir.conf
+
+Last but not least configure Apache httpd itself.
+
+ cd /etc/httpd/conf
+ cp httpd.conf httpd.conf.orig
+ #sed -i 's/ServerAdmin root@localhost/ServerAdmin youremail@example.com/' /etc/httpd/conf/httpd.conf # change against your email if needed
+ sed -i 's/Listen 80/Listen 0.0.0.0:80/' /etc/httpd/conf/httpd.conf
+ sed -i 's/LogLevel warn/LogLevel error/' /etc/httpd/conf/httpd.conf
+ sed -i 's/#EnableMMAP off/EnableMMAP on/' /etc/httpd/conf/httpd.conf
+ #echo -e "ServerSignature off\nServerTokens Prod\nExtendedStatus Off\nStartServers 10\nMinSpareServers 1\nMaxSpareServers 2\nServerLimit 12\nMaxClients 12\nMaxRequestsPerChild 10000\nKeepAlive on\nKeepAliveTimeout 120" | cat - /etc/httpd/conf/httpd.conf > /etc/httpd/conf/temp && mv /etc/httpd/conf/temp /etc/httpd/conf/httpd.conf <<< y
+ cat >> /etc/httpd/conf.d/custom.conf << EOF
+ ServerSignature off
+ ServerTokens Prod
+ ExtendedStatus Off
+ StartServers 10
+ MinSpareServers 1
+ MaxSpareServers 2
+ ServerLimit 12
+ MaxClients 12
+ MaxRequestsPerChild 10000
+ KeepAlive on
+ KeepAliveTimeout 120
+
+ Require all denied
+
+
+ Require all denied
+
+
+ Require all denied
+
+
+ Require all denied
+
+ ExpiresActive On
+ ExpiresDefault A2592000 # (= one month)
+ Header set Cache-Control "max-age=2592000, public"
+
+ Header unset Cache-Control
+ Header unset Expires
+ Header unset Last-Modified
+ FileETag None
+ Header unset Pragma
+
+ EOF
+ setsebool -P httpd_execmem=1
+ setsebool -P httpd_builtin_scripting=1
+ systemctl enable httpd
+
+## Installation
+
+Download the [latest version of ZeroBin](https://github.com/elrido/ZeroBin/releases/latest) and extract it to `/var/www/html/paste`.
+
+Create directories needed by ZeroBin, update permissions and (re)start httpd:
+
+ cd /var/www/html/paste
+ mkdir data
+ mkdir tmp
+ chown apache:apache *
+ semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/tmp(/.*)?"
+ semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/data(/.*)?"
+ systemctl restart httpd
+
+Update selinux after some time with:
+
+ cd /var/log/audit
+ grep hugetlbfs audit.log | audit2allow -M hugetlbfs
+ semodule -i hugetlbfs.pp
+
+## Nginx/Naxsi
+
+If using nginx with naxsi on your reverse proxy, add these whitelist_rules:
+
+ BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
+ BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
+ BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
+ BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
+ BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
+ BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
+ BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";
\ No newline at end of file