HOWTO : Install XOOPS on Ubuntu 9.04 Server with security modules

What is XOOPS?
XOOPS is a Content Management System (CMS) written in PHP. The current version is 2.3.3 at the time of this writing. It comes with a module named Protector, which can protect your site from some kinds of attacks. XOOPS works with Apache, PHP and MySQL. It can be installed on Linux, Windows and Mac systems.

Installation of Ubuntu 9.04 Server
Install Ubuntu 9.04 Server edition on your server as usual. Near the end of the installation, select LAMP, Mail server and OpenSSH. This installs Apache, MySQL, PHP5, Postfix and OpenSSH automatically. Write down the MySQL password that you entered.

Make sure ports 22 and 80 are forwarded if your server is behind a firewall or NAT, and that they are not blocked by your firewall. Port 22 is for OpenSSH while port 80 is for Apache.

*** Step 1 to 8 are steps for installing XOOPS ***

Step 1 :

You can log in to the server remotely via OpenSSH or log in at the server itself. If you log in remotely, issue the following command at the terminal.

ssh "your server domain or IP address" -p "port number" -l "user name"

For example :

ssh samiux.com -p 22 -l samiux

You will then be prompted for the password after answering “yes”.

Step 2 :

sudo apt-get install php5-gd
sudo /etc/init.d/apache2 restart

Step 3 :

Download the current version 2.3.3 of XOOPS from http://sourceforge.net/projects/xoops/ to your working directory, such as /home/samiux.

wget http://nchc.dl.sourceforge.net/sourceforge/xoops/xoops-2.3.3.tar.gz

tar -xvzf xoops-2.3.3.tar.gz

Step 4 :

Go to /etc/apache2/sites-available and copy the “default” file to another file named after your domain, e.g. samiux.com.

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/samiux.com

sudo nano /etc/apache2/sites-available/samiux.com

Add “ServerName http://www.samiux.com” below “DocumentRoot /var/www”.

sudo a2ensite samiux.com

Step 4a :

Edit /etc/apache2/sites-available/samiux.com :

sudo nano /etc/apache2/sites-available/samiux.com

Then change the Options line in the /var/www section to the following :

Options -Indexes FollowSymLinks

Step 4b :

sudo a2enmod rewrite

sudo nano /etc/apache2/sites-available/samiux.com

Add the following lines within the <VirtualHost *:80>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

Restart your Apache server :

sudo /etc/init.d/apache2 restart

Step 5 :

sudo cp -Ra /home/samiux/xoops-2.3.3/htdocs/* /var/www/

sudo cp -a /home/samiux/xoops-2.3.3/extras/mainfile.dist.php.protector /var/www/mainfile.dist.php

sudo find /var/www -type f -exec chmod -x {} \;

Step 6 (Optional – for security consideration) :

sudo mkdir /var/xoops

sudo cp -Ra /var/www/xoops_data /var/xoops
sudo cp -Ra /var/www/xoops_lib /var/xoops
sudo rm -R /var/www/xoops_data
sudo rm -R /var/www/xoops_lib

* Write down the paths of these directories for the XOOPS installation

Step 7 :

Open your browser and type the URL of your domain, or “localhost” when you are in front of the server. The installation process will start. Follow the instructions on screen.

http://www.samiux.com
or
http://localhost

Install all the modules provided (only three at the time of this writing), especially the Protector module.

Step 8 :

After the installation, you will be advised to remove the “install” directory and make the file “mainfile.php” read-only.

sudo rm -R /var/www/install
sudo chmod 444 /var/www/mainfile.php
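
The state that Steps 5, 6 and 8 should leave behind can be verified with a short check, added here as an example that is not part of the original HOWTO. The function names and the sample tree are constructed for illustration; on the server, call check_xoops_docroot /var/www.

```shell
# Added example: verify the state that Steps 5, 6 and 8 should leave behind.
# Prints one finding per line and nothing when every check passes.
check_xoops_docroot() {
    root=$1

    # Step 8: the installer must be gone
    if [ -d "$root/install" ]; then
        echo "install directory still present"
    fi

    # Step 8: mainfile.php must have no write bit for anyone (mode 444)
    if [ -f "$root/mainfile.php" ]; then
        w=$(find "$root/mainfile.php" \( -perm -200 -o -perm -020 -o -perm -002 \))
        if [ -n "$w" ]; then
            echo "mainfile.php is writable"
        fi
    fi

    # Step 6 (optional): data and library directories moved out of the web root
    for d in xoops_data xoops_lib; do
        if [ -d "$root/$d" ]; then
            echo "$d is still inside the web root"
        fi
    done

    # Step 5: no regular file should carry an execute bit
    n=$(find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n file(s) with an execute bit set"
    fi
    return 0
}

# Constructed sample tree that fails all four checks; prints its path
make_sample_docroot() {
    t=$(mktemp -d)
    mkdir "$t/install" "$t/xoops_data" "$t/modules"
    echo '<?php' > "$t/mainfile.php";      chmod 644 "$t/mainfile.php"
    echo '<?php' > "$t/modules/index.php"; chmod 755 "$t/modules/index.php"
    echo "$t"
}

sample=$(make_sample_docroot)
check_xoops_docroot "$sample"
rm -rf "$sample"
```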

** Step 9 to 10 are for hardening your Apache server only **

Step 9 :

sudo apt-get install libapache2-mod-evasive

Step 10 : (To be replaced by Step 10a)

sudo apt-get -y install libapache-mod-security

Add the following lines to the /etc/apache2/conf.d/modsecurity2.conf :

sudo nano /etc/apache2/conf.d/modsecurity2.conf

<IfModule mod_security2.c>
Include conf.d/modsecurity/*.conf
</IfModule>

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs

Add the rules for the security module :

sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

sudo /etc/init.d/apache2 restart

Step 10a :

Since there is a bug in Ubuntu’s mod_security package, you can replace Step 10 with this step.

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb
wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb

sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

If Apache does not restart automatically, restart it :

sudo /etc/init.d/apache2 restart

** Step 9 to 10 are used for hardening your Apache server. Make sure you install XOOPS before carrying out Step 9 to 10; otherwise the installation process cannot be completed. **

Step 11 :

This step is for hardening PHP. Make sure all of the following settings are applied in “php.ini”.

sudo nano /etc/php5/apache2/php.ini

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo /etc/init.d/apache2 restart
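
To confirm that the file Apache loads really carries the settings above, the following check compares a php.ini with the Step 11 list. It is an added example, not part of the original HOWTO; the function names audit_php_ini and sample_php_ini and the sample file contents are constructed for illustration.

```shell
# Added example: compare a php.ini with the Step 11 list.
# Prints one line per deviation and nothing when the file matches.
audit_php_ini() {
    awk '
    function norm(v) {                     # php.ini boolean spellings
        v = tolower(v)
        if (v == "1" || v == "true" || v == "yes") return "on"
        if (v == "0" || v == "false" || v == "no" || v == "") return "off"
        return v
    }
    BEGIN {
        want["display_errors"] = "off";  want["log_errors"] = "on"
        want["allow_url_fopen"] = "off"; want["safe_mode"] = "on"
        want["expose_php"] = "off";      want["enable_dl"] = "off"
        nfn = split("system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd", fn, " ")
    }
    /^[ \t]*[;#]/ || !/=/ { next }         # comments, [sections], blank lines
    {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); sub(/;.*/, "", val)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        seen[key] = val                    # the last assignment wins
    }
    END {
        for (k in want) {
            if (!(k in seen)) print k ": not set, expected " want[k]
            else if (norm(seen[k]) != want[k]) print k ": " seen[k] ", expected " want[k]
        }
        n = split(seen["disable_functions"], got, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) have[tolower(got[i])] = 1
        for (i = 1; i <= nfn; i++)
            if (!(fn[i] in have)) print "disable_functions: missing " fn[i]
    }' "${1:--}" | sort
}

# Constructed sample file with three deviations from Step 11
sample_php_ini() {
    cat <<'EOF'
display_errors = Off
log_errors = On
; allow_url_fopen = Off
allow_url_fopen = On
safe_mode = 1
expose_php = On   ; constructed inline comment
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, escapeshellarg, escapeshellcmd
EOF
}
sample_php_ini | audit_php_ini
```

On the server, run audit_php_ini /etc/php5/apache2/php.ini; no output means the file matches the list.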

Step 12 :

This step is for hardening the SSH connection. Anyone who attempts to connect to the server via SSH has 6 tries; after that, he will be banned for a period of time.

sudo apt-get install fail2ban
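
What the ban acts on can be seen by counting failed logins per source address, as in this added example (not part of the original HOWTO, and not fail2ban's own code). The names ssh_offenders, sample_auth_log and MAXRETRY, the host name and the documentation-range addresses are assumptions, and unlike fail2ban the count has no time window.

```shell
# Added example: list source addresses with MAXRETRY or more failed SSH
# password logins in an auth.log. Counts over the whole input, no time window.
MAXRETRY=6

ssh_offenders() {
    # The address is read from the end of the line ("from ADDR port N ssh2")
    # because the user name earlier in the line is client-supplied text.
    awk -v max="$MAXRETRY" '
    /sshd\[[0-9]+\]: Failed password for / && NF >= 5 && $(NF - 4) == "from" {
        fails[$(NF - 3)]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= max) print ip, fails[ip]
    }' "${1:--}" | sort
}

# Constructed sample log: six failures from one address, two from another
sample_auth_log() {
    i=1
    while [ "$i" -le 6 ]; do
        echo "May  3 06:25:0$i web sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 5123$i ssh2"
        i=$((i + 1))
    done
    cat <<'EOF'
May  3 06:26:10 web sshd[2301]: Failed password for samiux from 198.51.100.7 port 40022 ssh2
May  3 06:26:15 web sshd[2301]: Failed password for samiux from 198.51.100.7 port 40022 ssh2
May  3 06:26:21 web sshd[2301]: Accepted password for samiux from 198.51.100.7 port 40022 ssh2
EOF
}

sample_auth_log | ssh_offenders    # prints: 203.0.113.5 6
```

On the server, run ssh_offenders /var/log/auth.log as a user who can read that file.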

Optional Steps

Step a : (If you applied Step 10a, this step is invalid)

If you want to change the “Preference” settings of some XOOPS modules while modsecurity (firewall) is enabled, you can disable it for a moment and reactivate it after the change.

sudo nano /etc/apache2/conf.d/modsecurity/modsecurity_crs_10_config.conf

Change “SecRuleEngine On” to “DetectionOnly” or “Off”.

SecRuleEngine Off

sudo /etc/init.d/apache2 restart

Step b :

If you do not want Apache to display its version and OS information, you can disable it.

sudo nano /etc/apache2/conf.d/security

Change “ServerTokens Full” to “Prod”.

ServerTokens Prod

sudo /etc/init.d/apache2 restart

Step c :
Back up the XOOPS database (samiux.com) daily and send the file to an email address automatically.

sudo nano backup.sh

#!/bin/bash
# backup file name with the current date
BACKUP=/home/samiux/xoops-backup_$(date +%F).sql.gz
# optimize the XOOPS database; credentials are read from debian.cnf,
# so no password appears on the command line or in the process list
mysqlcheck --defaults-extra-file=/etc/mysql/debian.cnf -Aao --databases xoops > /dev/null
# backup the XOOPS database
mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --databases xoops | gzip > "$BACKUP"
# send email with the backup file ("--" separates the attachment from the recipient)
echo | mutt -s "Daily backup" -a "$BACKUP" -- samiux@gmail.com

sudo chmod +x backup.sh

Backup at 06:00 every day :

sudo crontab -e

0 6 * * * /home/samiux/backup.sh

THE LAST STEP (It is more secure) :

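To make your XOOPS more secure, run the following commands (they assume XOOPS is in /var/www/xoops; adjust the path if you copied it directly to /var/www as in Step 5) :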

cd /var/www
sudo chmod -R 655 xoops
sudo find /var/www/xoops/*/ -type d -exec chmod 777 {} \;
sudo chmod 777 /var/www/xoops
sudo chown -R root:root xoops

That’s all!

Reference :
http://ubuntuforums.org/showthread.php?t=1142222


HOWTO : VIA S3 Unichrome Pro problems fixed on Ubuntu 9.04

I have a fanless PC that is equipped with a VIA CPU and a display card, namely S3 Unichrome Pro (cx700/vx700). Please check it by issuing the following command :

lspci | grep VGA

I upgraded the fanless PC from Ubuntu 8.10 to 9.04 and encountered the following problems, even after I fresh installed 9.04. The problems are that the mouse cursor is missing and the resolution is not detected correctly. It runs at 640×480.

However, I fixed those problems by editing the xorg.conf file.

sudo nano /etc/X11/xorg.conf

Add the following lines to the Section Device.

Option "PanelSize" "1024x768"
Option "sw_cursor"

The final look of the Section is :

Section "Device"
Identifier "Configured Video Device"
Option "PanelSize" "1024x768"
Option "sw_cursor"
EndSection

Thanks all!

Let’s surf the internet everywhere

The prices of 3G/3.5G modems and data plans are dropping. The minimum monthly service charge is $98-HK ($1-US = $7.8-HK) and the maximum charge is $188-HK for unlimited usage. The 3G modem is free of charge, surprise? However, you need to sign a contract of 18 to 24 months.

I bought a 3G wireless router, Edimax 3G-6200Wg, for sharing my 3.5G modem (Huawei E180). The turbo mode can increase the strength of the wireless signal a lot although it is an IEEE 802.11 b/g router.

I tested it with Lenovo ThinkPad X61 and X200 as well as some other wireless network interfaces. When the WMM function of the router is enabled, the X61 and X200 cannot associate with the router under Ubuntu 8.10 and 9.04. When it is disabled, all ThinkPads connected to the router flawlessly. I later learned that it is a bug in the Intel wireless card Linux driver/firmware. The bug has been reported to Intel.

In addition, you can use the Huawei 3G modem flawlessly in Ubuntu 9.04 with a little bit of setup in Network Manager.

By the way, I provide the APN of Hong Kong 3G data plan providers here for your quick reference.

3 HK : ipc.three.com.hk or mobile.three.com.hk (for some data card)
Smartone : internet
PCCW : pccw
CSL : HKCSL