ServerBloke's questions

Server: CentOS 6, Apache 2.2 and OpenVPN installed.

The httpd.conf has:

#Listen 443
Listen 80

Websites work in https so I think OpenVPN might be listening on 443 and forwarding to Apache (port-share), but I can't find this config. Also, if this were the case, Apache should be listening on a second port to accept the forwarded requests, shouldn't it?

I have searched all config includes and there are no other Listen directives. I've also restarted Apache.

If I try to see what process listens on 443:

# lsof -i tcp:443

COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1635   root    6u  IPv6 352710      0t0  TCP *:https (LISTEN)
httpd   1259 apache    6u  IPv6 352710      0t0  TCP *:https (LISTEN)
httpd   2286 apache    6u  IPv6 352710      0t0  TCP *:https (LISTEN)

The last two lines are repeated about 20 times but with different PIDs.

Also tried:

# netstat -tulpn

tcp     0    0 :::443     :::*    LISTEN  1635/httpd

The above all seem to show that Apache is the one listening. I have verified that I'm working with the correct httpd.conf.

If I uncomment the #Listen 443 and restart Apache, I get an error that the port is already in use.

Also, I have tried commenting out one of the SSL vhosts to see if the site went down, and it did, so I know this is the correct Apache (rules out a separate Apache install I think).

The only thing I can find in OpenVPN's as.conf is this:

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

How can I find out what's listening on 443 so I can stop it and have Apache listen normally?

Ubuntu 11.10 server

I have a user bob who's home directory is /home/sites/bob. In that there are directories public_html and logs.

Apache runs under the www-data user. bob's primary group is www-data. Apache updates the access.log and error.log in the logs directory. The two log files are owned by root:root and have permission 644.

The bob user logs in to an FTP server which works. The problem is bob can delete or overwrite the two log files. I need Apache to be able to write to the logs, and for bob to only have read access - no overwriting or deleting the logs. How can this be done?

What I've tried:

cd /home/sites/bob
chown www-data:www-data logs
chmod 644 logs

I expected this to work because it should give Apache write access and the www-data group (i.e the bob user) just read access. What actually happens is in the FTP session bob can see logs in the directory list but he can't open it up, when he tries to change to logs, the error is:

Command: CWD logs
Response: 550 logs: No such file or directory
Error: Failed to retrieve directory listing

So my question is how can I give write access to Apache (www-data) to logs but only read access (and no delete) to bob?

Server: CentOS 6.2 64bit

How can I install Proftpd using yum? A search for the package doesn't find it:

yum list proftpd

Error: No matching Packages to list

Although my CentOS 6 VPS does find it, but this server doesn't. I have read I need to install an rpm of some kind. How would I do that and where is the reliable place to get it (64bit)?

I have done Proftpd installs by compiling the source in the past but would prefer to use yum this time.

I have a CentOS LAMP server. It has several vhosts configured. If I navigate to:

http://xxx.xxx.xxx.xxx/  (server IP)

Apache displays one of the sites. How can I configure Apache to show nothing or perhaps a 403 Forbidden? If it could show a forbidden before checking for malformed requests that would be even better.

I'm looking for a htaccess redirect (not rewrite) which will redirect this:

site.com/./everything

To

site.com/

So, everything can be anything, like /./script.php or /./path/to/script.php.

I only want to redirect if there is the /./ slash dot slash. How can I do this without using mod_rewrite?

I can't get a custom error document to work for 400 Bad Request. It's a CentOS LAMP server.

ErrorDocument 400 /badrdoc.html

I've tried using the above in:

1. Apache http.conf
2. Apache httpd-vhosts.conf (in each vhost)
3. .htaccess in the root htdocs of the site

None of them are working. Apache is serving its default 400 Bad Request page.

Can anyone shed any light on this?

Edit: forgot to mention, I have restarted Apache after changes.

On a CentOS LAMP box, a PCI compliance scan is failing on:

Apache Shiro URI Path Security Traversal Information Disclosure http/80

As far as I can tell the server doesn't have Shiro installed, unless it's built in to Apache. I can't find any trace of it from searching the server for shiro and shiro.ini.

What could cause the scanner to believe Shiro is intalled and potentially vulnerable? Nothing is exposed in the Server header or the ServerSignature.

A PCI compliance scan, on a CentOS LAMP server fails with this message. The server header and ServerSignature don't expose the Apache version.

Apache httpOnly Cookie Information Disclosure CVE-2012-0053

Can this be resolved by simply specifying a custom ErrorDocument for the 400 Bad Request response? How is the scanner determining this vulnerability, is it invoking a bad request then looking to see if it's the default Apache 400 response?

The server is a CentOS box with the default LAMP stack running. A PCI scan lists this as a fail:

 SSL Certificate Cannot Be Trusted https (443/tcp)
 Severity: Medium
 Notes: none

We don't actually have an SSL cert, nor do we attempt to use SSL on this box. Is it just a case of closing port 443? If so, what's the best way to go about that, Apache conf?

Update

I have commented out Listen 443 from /etc/httpd/conf.d/ssl.conf and 443 now appears to be closed. If anyone has any criticisms etc, please post...

I understand that RedHat backport CVE fixes to Apache and PHP for CentOS as updates where the version number doesn't necessarily increase, and that I can get these fixes with yum update php etc, so whilst looking at the version number it may appear to be vulnerable to CVE xyz but it could actually have the fixes. Please correct me if this is wrong.

How can I verify which CVE numbers are patched in my current PHP and Apache on a CentOS box?

For one reason or another at random times, my webhost reboots the sever that hosts my CentOS VPS, when this happens it often causes one of my MySQL tables to crash. The table handles the sites PHP sessions (a Joomla site powered by PHP).

The site gets a fair amount of traffic so when the VPS is rebooted, the session table is often being written to.

Is there anything I can do to stop this happening? Perhaps some sort of soft MySQL shutdown when the server gets the reboot command?

The only thing I am doing now is auto repairing the table when the server comes back up.

I have a CentOS VPS. The problem is my html files in /var/www/html seem to need to be owned by the apache user in order for some web applications to work (ie file uploads). If they are owned by the apache user, the web apps work but my ftp user no longer has access to the files. If they are owned by the ftp user, then the web apps stop working again.

What can I do to solve this? The only temp solution for the moment is keep them owned by the ftp user and give the directories 777 that need file uploads. I understand that this isn't secure though?

CentOS is setup with the default Apache config. FTP is proftpd and my user is in an ftpusers group.

I've created a user and assigned a password and group (new group). The problem is this user can only login to FTP (proftpd) if he has shell = /bin/bash

If I set the shell to /bin/false then Proftpd doesn't let him in and serves a 530 Login incorrect response.

I want the user to be able to login to FTP but no other access, so no access to login via SSH. The /etc/proftpd.conf is all defaults and it's version 1.3.3e, and it's CentOS 6.

I am a customer with a webhost and my account is on a shared server. The problem is, it looks like one of the other customers on the same server has gone and got the shared IP blacklisted as spam/virus. I can see the IP listed.

Because of this, my legitimate emails sent from my web application are not being sent. They either end up in the spam folder every time or are not delivered at all.

What options do I have for getting my mail sent out without problems?

Edit: I should have mentioned I'm only sending contact form submission emails and the like, no mass mailing, but the bulk mail advice supplied is good nevertheless - thanks.