Configuring Centos 8 and Apache

I'm down to hosting just 11 websites, three of which are my own. If all goes well I'll soon be down to 10. One day I'll be free!

Until I relaunched this site all my the sites were hosted on a single Digital Ocean VPS. I've decided to start moving some of the sites to a Hetzner VPS. I like the idea of using a European hosting company and migrating sites is an easy way to move from Centos 7 to Centos 8. Also, Hetzner's prices are quite competitive. As at June 2020 a basic VPS with 1 CPU, 2GB of RAM and 20GB of disk space costs €2.96 per month. A similarly specced Digital Ocean VPS is current $5 per month.

It's not all singing and dancing; Hetzner currently only has data centres in Germany and Finland and their documentation is shite. Still, if you're familiar with the likes of Digital Ocean then you'll have no issues with Hetzner. Creating a VPS works pretty much the same: you choose an operating system, location and hosting plan; add a public SSH key and you're off to the races. I'm not going to describe how to create a VPS, as there's nothing remarkable about it. I also don't want to cover things like enabling key-based authentication and disabling SSH access for root, as there are a million other people who have already done that. Instead, I want to document some of the things you might want to do after creating a VPS.

Am I blacklisted?

I always first check the server's IP address against blacklists. Cloud providers never mention this in their documentation, presumably because they don't want to draw attention to the fact that unmanaged servers are rather popular with spammers and scammers. It's very likely that your server's IP address is listed on major blacklists. If the IP of your brand new VPS is on loads of blacklists then it might be easiest to destroy the VPS and create another one - with a bit of luck you'll get a less tainted IP address. The same is true if your IP address is on extortion lists masquerading as blacklists (I'm thinking about Backscatter in particular).

My VPS was only listed on spamsources.fabel.dk and delisting the IP was easy enough. You do need to have a Google account to log in, so don't forget to log out of your Google account after signing in (unless you've already surrendered your soul to Google).

Put SELinux in enforcing mode

I found that SELinux was in permissive mode. As far as I'm aware it's in enforcing mode by default on Centos, so that appears to be a change made by Hetzner. For me, SELinux is one of the reasons why I like using Centos, so I had to enable that. So, set SELINUX= to enforcing in /etc/selinx/config and do a reboot to make sure everything is labelled properly.

Install and confire firewalld

firewalld was not installed by default. After installing and enabling the service I found that the cockpit service was enabled in the firewall, while http and https were not. That's easily fixed:

# firewall-cmd -zone=public --remove-service=cockpit --permanent
# firewall-cmd -zone=public --add-service=http --permanent
# firewall-cmd -zone=public --add-service=https --permanent
# firewall-cmd --reload
        

Set the timezone

As my VPS is in Germany I had to set change the system's timezone. It's one of those things you easily forget. I only realised the timezone was wrong after I noticed time stamps in logs were an hour ahead. Because systemd is lovely changing the timezone is a doddle:

# timedatectl set-timezone "Europe/London"
        

Set the hostname

I got a thing for hostnames and I like to use user@domain rather than user@ip to SSH to a server. To do so I changed the hostname (and added the relevant A record):

# hostnamectl set-hostname server.beepmode.co.uk
        

Install certbot

The only issue I ran into is that I couldn't install certbot from the Epel repository. This is a known bug which can be resolved by enabling the powertools repo. Instead of that I decided to user the generic install instructions. It works a little different than I'm used to but it's fine for now.

I haven't set up a cron job to auto-renew SSL certificates. That's mainly because I'm not quite familiar with certbot and because I've noticed some minor changes in how the utility works. For instance, I don't want certbot to add redirects to config files (as I already got them sorted). To make sure that cerbot doesn't fiddle with config files for websites you now have to use the --no-redirect option. Until I'm more familiar with the utility I'll manually manage the dozen or so certificates that need to be renewed every couple of monhts.

Install and configure fail2ban

I had no issues installing fail2ban from the Epel repo. My configuration is dead-simply; I got a minimal /etc/fail2ban/jail.local file that just aggressively blocks SSH logins.

Install comfort tools

There are always a few utilities that you don't really need but which provide comfort and consolation. For me, the main one is vim-enhanced, which replaces the basic Vim version with a full-featured one. I also want to give a shout-out to sar, which is a great tool for post-mortem examinations. It's part of the sysstat package:

# dnf install sysstat
         

My sar set-up is pretty standard; stats are collected every 10 minutes and a daily summary is produced just before midnight:

# cat /etc/cron.d/sysstat 
*/10 * * * * root /usr/lib64/sa/sa1 1 1
53 23 * * * root /usr/lib64/sa/sa2 -A
        

Get A+ ratings

And finally, I added a bunch of stuff to the Apache config file to make things a little more secure. This are mostly header tweaks recommended by Sucuri:

# Disable server banners
ServerSignature Off
ServerTokens Prod

<IfModule mod_headers.c>
  <Directory />
    Header always set X-XSS-Protection "1; mode=block"
    Header always set x-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
    Header always set Referrer-Policy "strict-origin"
    Header set Feature-Policy: "autoplay 'none'; battery 'none'; camera 'none'; encrypted-media 'none'; geolocation 'none'; microphone 'none'; payment 'none'"
  </Directory>
</IfModule>
        

The site now gets an A+ rating at securityheaders.com, and I think the changes also boosted the Let's Encrypt certificate's rating from A to A+ on ssllabs.com. As for the Let's Encrypt rating, I didn't have to disable any outdated TLS protocols or cipher suites, and I think the only other change I made was adding a CAA DNS record.

To automate, or to toil?

As we live in the age of Ansible et al I should probably learn how to automate this stuff. On the other hand, I do a VPS set-up only a couple of times a year and I always learn one or two new things. In other words, I'm still tweaking and testing, trying to find the perfect set-up. It's a bit like not using a cron job for certbot; doing stuff manually hasn't yet become tedious and a waste of time. There's something to be said for toiling in the proverbial server fields.