HOWTO : Install XOOPS on Ubuntu 9.04 Server with security modules

What is XOOPS?
XOOPS is developed by PHP and it is a Content Management System (CMS). The current version is 2.3.3 by this writing. It comes with a module namely Protector which can protect your site from some kind of attacks. XOOPS works with Apache, PHP and MySQL. It can be installed to Linux, Windows and Mac systems.

Installation of Ubuntu 9.04 Server
Install Ubuntu 9.04 Server edition to your server as usual. By the end of the installation, you should select LAMP, Mail server and OpenSSH. It will install Apache, MySQL, PHP5, Postfix and OpenSSH automatically. Write down the password of MySQL that you are entered.

Make sure your ports 22 and 80 are forwarded when your server is behind a firewall or NAT. In addition, they are not blocked by your firewall. Port 22 is for OpenSSH while port 80 is for Apache.

*** Step 1 to 8 are steps for installing XOOPS ***

Step 1 :

You can remote login to the server by OpenSSH or login in front of the server. If you are remote login, you should issue the following command at the terminal.

ssh "your server domain or IP address" -p "port number" -l "user name"

For example :

ssh -p 22 -l samiux

You will be then prompted for the password after answering “yes”.

Step 2 :

sudo apt-get install php5-gd
sudo /etc/init.d/apache2 restart

Step 3

Download the current version 2.3.3 of XOOPS at at your working directory such as /home/samiux.


tar -xvzf xoops-2.3.3.tar.gz

Step 4 :

Go to /etc/apache2/sites-available and copy the “default” to another file that represent your domain name, e.g.

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/

sudo nano /etc/apache2/sites-available/

Add “ServerName” below “DocumentRoot /var/www

sudo a2ensite

Step 4a :

Edit /etc/apache2/sites-available/ :

sudo nano /etc/apache2/sites-available/

Then change the value as the following at /var/www section :

Options -Indexes FollowSymLinks

Step 4b :

sudo a2enmod rewrite

sudo nano /etc/apache2/sites-available/

Add the following lines within the <VirtualHost *:80>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [F]

Restart your Apache server :

sudo /etc/init.d/apache2 restart

Step 5 :

sudo cp -Ra /home/samiux/xoops-2.3.3/htdocs/* /var/www/

sudo cp -a /home/samiux/xoops-2.3.3/extras/mainfile.dist.php.protector /var/www/mainfile.dist.php

sudo find /var/www -type f -exec chmod -x {} \;

Step 6 (Optional – for security consideration) :

sudo mkdir /var/xoops

sudo cp -Ra /var/www/xoops_data /var/xoops
sudo cp -Ra /var/www/xoops_lib /var/xoops
sudo rm -R /var/www/xoops_data
sudo rm -R /var/www/xoops_lib

* write down the path of these files for the XOOPS installation

Step 7 :

Open your browser and type the url of your domain or “localhost” when you are in front of the server. The installation process will start. Follows the instructions on screen.

Install all the modules provided (three only at the time of this writing) especially for the module Protector.

Step 8 :

After the installation, you will be advised to remove the “install” directory and make the file “mainfile.php” to read only.

sudo rm -R /var/www/install
sudo chmod 444 mainfile.php

** Step 9 to 10 are for hardening your Apache server only **

Step 9 :

sudo apt-get install libapache2-mod-evasive

Step 10 : (To be replaced by Step 10a)

sudo apt-get -y install libapache-mod-security

Add the following lines to the /etc/apache2/conf.d/modsecurity2.conf :

sudo nano /etc/apache2/conf.d/modsecurity2.conf

<ifmodule mod_security2.c>
Include conf.d/modsecurity/*.conf

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs

Add the rules for the security module :

sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

sudo /etc/init.d/apache2 restart

Step 10a :

Since there is a bug in Ubuntu’s mod_security, you can replace the Step 10 with this step.


sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

If the Apache does not restart, do it :

sudo /etc/init.d/apache2 restart

** Step 9 to 10 are used for hardening your Apache server. Make sure you install XOOPS before conducting Step 9 to 10 as the installation process cannot be completed. **

Step 11 :

This step is for hardening the PHP. Make sure all the following setting to be completed at “php.ini“.

sudo nano /etc/php5/apache2/php.ini

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

sudo /etc/init.d/apache2 restart

Step 12 :

This step is for hardening the SSH connection. Anyone attempts to connect to the server via SSH has 6 tries; otherwise, he will be banned for a period of time.

sudo apt-get install fail2ban

Optional Steps

Step a : (If you applied Step 10a, this step is invalid)

If you want to edit or change the “Preference” setting of some modules of XOOPS and the modsecurity (firewall) is enabled, you can disable it for a moment and reactivate it after the change.

sudo nano /etc/apache2/conf.d/modsecurity/modsecurity_crs_10_config.conf

Change “SecRuleEngine On” to “DetectionOnly” or “Off“.

SecRuleEngine Off

sudo /etc/init.d/apache2 restart

Step b :

If you do not want to display the information of Apache and OS, you can disable it.

sudo nano /etc/apache2/conf.d/security

Change “ServerToken Full” to “Prod“.

ServerToken Prod

sudo /etc/init.d/apache2 restart

Step c :
Backup the database of XOOPS – daily and send the file to an email automatically.

sudo nano

# optimize the XOOPS database
mysqlcheck -Aao -u root -p doremefaso --databases xoops > /dev/null
# backup the XOOPS database with current date
mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --databases xoops | gzip > /home/samiux/xoops-backup_`date +%F`.sql.gz
# send email with the backup file
echo | mutt -a /home/samiux/xoops-backup_`date +%F`.sql.gz -s "Daily backup"

sudo chmod +x

Backup at 06:00 every day :

sudo crontab -e

0 6 * * * /home/samiux/

THE LAST STEP (It is more secure) :

To make your XOOPS more secure by the following commands:

cd /var/www
sudo chmod -R 655 xoops
sudo find /var/www/xoops/*/ -type d -exec chmod 777 {} \;
sudo chmod 777 /var/www/xoops
sudo chown -R root:root xoops

That’s all!

Reference :</

2 Responses

  1. Do you know is the tutorial will work with Ubuntu 10.04 and XOOPS 2.4.x ? If not would you mind creating one? Any help I can give let me know.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: