The Apache web server, one of the most widely used web servers globally, operates under specific user and group permissions. These permissions determine which files and directories the server …
The DocumentRoot is a directive in the Apache web server that specifies where the web files for a particular domain or virtual host reside. By default, many distributions like …
Caching, when properly configured, can instruct users' browsers to locally store and reuse previously fetched resources. This ensures faster page loads for returning users, as their browsers can retrieve …
It's always a good idea to test your newly updated Apache config file before restarting the service itself. This will help avoid downtime caused by Apache refusing to start because of a misconfiguration. You can use apachectl, httpd or equivalent binaries as in the examples below. Different platforms might use different binary names such as apache, apache2 or apache2ctl (on Debian/Ubuntu prefer apache2ctl over calling the apache2 binary directly, since the wrapper sets the environment variables the shipped config expects).
httpd
# httpd -t
AH00112: Warning: DocumentRoot [/var/www/mywebsite] does not exist
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
apachectl
# apachectl configtest
AH00112: Warning: DocumentRoot [/var/www/mywebsite] does not exist
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
What happens is that the program parses the configuration files and reports any problems without applying your changes to the running server. Once you get Syntax OK at the end of the output and are satisfied with the warnings (if any; the two above, a missing DocumentRoot and an unset ServerName, are worth fixing rather than suppressing), you can confidently restart or gracefully reload your Apache service. Keep in mind that Syntax OK only means the files parsed cleanly: problems that surface only at start-up, such as another process already listening on the configured port, are not caught by this test, so check the error log after the restart as well.
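The procedure above, as a small POSIX shell script (an added example, not code from the original article): locate whichever Apache control binary the platform provides, run the config test, and reload only if it passed. It assumes the binary names listed above are on PATH and that the reload is done with "-k graceful" (an option apachectl, apache2ctl and httpd all accept); the fallback reload command argument is there so the logic can be exercised without a live Apache.

```shell
#!/bin/sh
# Added example (not from the original article): gate an Apache reload on a
# successful config test. Assumes POSIX sh and an Apache whose control binary
# is one of the names below, looked up on PATH.

# Print the first Apache control binary found on PATH; fail if none exists.
# Wrappers come first: on Debian "apache2 -t" fails without the envvars file.
apache_ctl_bin() {
    for _b in apachectl apache2ctl httpd apache2; do
        if command -v "$_b" >/dev/null 2>&1; then
            printf '%s\n' "$_b"
            return 0
        fi
    done
    return 1
}

# Run "BIN -t" (what "apachectl configtest" does), echo its output so the
# AH00112/AH00558-style warnings can be reviewed, and succeed only when the
# exit status is 0 and the output contains "Syntax OK".
apache_configtest() {
    _out=$("$1" -t 2>&1)
    _status=$?
    printf '%s\n' "$_out"
    [ "$_status" -eq 0 ] && printf '%s\n' "$_out" | grep -q 'Syntax OK'
}

# Test first; reload only if the test passed. The optional second argument
# overrides the reload command (default: "BIN -k graceful", which re-reads
# the config without dropping in-flight requests). "Syntax OK" does not
# cover start-up-only failures such as a port already in use, so still
# watch the error log after reloading.
apache_safe_reload() {
    _bin="$1"
    _reload="${2:-$_bin -k graceful}"
    if apache_configtest "$_bin"; then
        $_reload
    else
        echo "config test failed for $_bin; not reloading" >&2
        return 1
    fi
}

# Typical use on a real host:
#   bin=$(apache_ctl_bin) && apache_safe_reload "$bin"
```

Source the script and call apache_safe_reload from your deployment step; because the reload is skipped whenever the test fails, a bad edit leaves the currently running (known-good) configuration in place.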
SSHd can be configured to perform a DNS lookup every time a client connects to the server: it resolves the client's IP address to a host name and checks that the name maps back to the same address. Older OpenSSH releases enabled this by default (the man page excerpt below is from such a release); since OpenSSH 6.8 the default is no, but a distribution's shipped sshd_config may still set it explicitly, and this is commonly seen on CentOS/Red Hat. When the reverse lookup is slow or the resolver is unreachable, the login can hang for many seconds before the password or key prompt appears.
UseDNS
Specifies whether sshd(8) should look up the remote host name
and check that the resolved host name for the remote IP address
maps back to the very same IP address. The default is “yes”.
To fix this you'll have to disable the UseDNS option on the server via the following steps:
Open the SSHd config file:
/etc/ssh/sshd_config
Find UseDNS (it may be present but commented out, e.g. #UseDNS yes) and set the value to no:
UseDNS no
Restart the SSHd service.
Note that with UseDNS no, only IP addresses, not host names, can be used in from= restrictions in authorized_keys and in Match Host blocks of sshd_config.
SSH servers on most systems allow public key login by default. You can disable it with these simple steps if you somehow need to:
Set PubkeyAuthentication to no in /etc/ssh/sshd_config:
PubkeyAuthentication no
Restart the SSHd service.
Before doing this, make sure another authentication method you can actually use is enabled (for example PasswordAuthentication yes) and verify it from a second session before closing the one you are working in, otherwise you will lock yourself out. Keep in mind that this weakens the server: the usual hardening direction is the opposite, keeping public key login on and disabling passwords.
SSH clients are sometimes disconnected from the server and show the message below after being idle or inactive for a while:
Read from remote host oseems.com: Connection reset by peer
Connection to oseems.com closed.
This can be due to the SSH server's configuration, if it has been set to drop idle sessions to avoid hanging sessions and free up resources, but just as often the cause is a stateful firewall or NAT device between client and server that discards the state of a TCP connection that has carried no traffic for a few minutes. A stock sshd does not drop idle sessions on its own (ClientAliveInterval defaults to 0, see the man page excerpt below). In either case the remedy is the same: have one side send periodic traffic over the connection.
If you have administrative access to the SSH server, you can configure it so that it will not easily disconnect idle sessions. This could be achieved by setting the parameters TCPKeepAlive, ClientAliveInterval and ClientAliveCountMax as follows:
TCPKeepAlive no
ClientAliveInterval 30
ClientAliveCountMax 240
The SSH server configuration file is normally /etc/ssh/sshd_config. Restart the SSHd service for the changes to take effect.
What this means is that the server will not rely on TCP keepalive packets to detect a dead client, but will instead send a client-alive request through the encrypted channel whenever it has received nothing from the client for 30 seconds. A working ssh client answers these requests automatically, so an idle but still connected session is never dropped, and the regular traffic also keeps any firewall or NAT state alive. Only a client that fails to answer 240 consecutive requests (30 s × 240 = 7200 s, i.e. 2 hours of being unreachable, not 2 hours of the user being idle) is disconnected.
The following is the full explanation of the options, from sshd_config(5):
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources. The default is "yes" (to send TCP keepalive messages), and the server will notice if the network goes down or the client host crashes. This avoids infinitely hanging sessions. To disable TCP keepalive messages, the value should be set to "no". This option was formerly called KeepAlive.
ClientAliveCountMax
Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.
If you don't have administrative access to the server, you can configure your SSH client to send the alive request to the server instead, which achieves the same result. The key here is the ServerAliveInterval option for the SSH client (ServerAliveCountMax, default 3, plays the same role on the client side as ClientAliveCountMax does on the server).
You can do this by updating /etc/ssh/ssh_config (applying the setting to every user on the system) or ~/.ssh/config (single user). Set the following option to have the client send the alive request to the server every 30 seconds:
ServerAliveInterval 30
The other alternative is to set ServerAliveInterval manually every time you connect to a server, using the -o ServerAliveInterval=<time-in-seconds> option as in the following example (replace user@oseems.com with your own login and host):
$ ssh -o ServerAliveInterval=30 user@oseems.com
You can make your SSH server listen on a port other than the default 22 by specifying the desired port number in your SSH server configuration file.
Set the Port option in /etc/ssh/sshd_config to your desired port, as in the following example (2222 is just an example value):
Port 2222
You can use any number between 1 and 65535 as long as it is not used by another program; check with ss -tlnp (or netstat -tlnp) before choosing. Two things commonly bite here. On CentOS/Red Hat with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so you also need semanage port -a -t ssh_port_t -p tcp 2222 for the new port. And the host firewall (firewalld, ufw or iptables) must allow the new port before you restart, or you will not be able to reach the server.
Be sure to restart your SSH server (the sshd service, not the whole machine) afterwards, and test a login on the new port from a second terminal before closing the session you are working in. Finally, a non-standard port cuts down scanner noise in the logs but is not a security control in itself; it is no substitute for key-based login and a firewall.
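The edits described in the UseDNS, PubkeyAuthentication, idle-timeout and Port sections above are all the same operation: set a keyword in /etc/ssh/sshd_config, check the file, restart sshd. The following POSIX shell functions are an added example (not code from the original article or from OpenSSH) that does this safely. They assume an OpenSSH sshd and awk; sshd_get_option, sshd_set_option and sshd_unresponsive_timeout work on any file, while sshd_apply runs the real sshd -t -f check and systemctl restart and is meant for a live host. The helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): edit sshd_config safely.
# Assumes POSIX sh + awk and an OpenSSH sshd. Keyword names are matched
# case-insensitively, as sshd does.

# Print the effective top-level value of KEY in FILE, or DEFAULT if unset.
# sshd uses the *first* value it reads for a keyword, and values inside a
# "Match" block apply only to that block, so stop at the first Match line.
sshd_get_option() {
    _file="$1"; _key="$2"; _default="$3"
    _v=$(awk -v key="$_key" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$_file")
    printf '%s\n' "${_v:-$_default}"
}

# Set KEY to VALUE in FILE, idempotently: replace the first top-level line
# for KEY (active, or commented out like "#UseDNS yes"); if there is none,
# insert before the first Match block (a line appended after "Match" would
# belong to that block), or append when the file has no Match block.
# Writing through "cat >" keeps the file's owner and mode.
sshd_set_option() {
    _file="$1"; _key="$2"; _value="$3"
    _tmp="$_file.tmp.$$"
    awk -v key="$_key" -v value="$_value" '
        BEGIN { done = 0; in_match = 0 }
        /^[ \t]*Match([ \t]|$)/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && !done && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t=]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file" && rm -f "$_tmp"
}

# Seconds of silence from an *unreachable* client before sshd drops it:
# ClientAliveInterval * ClientAliveCountMax (OpenSSH defaults: 0 and 3, so
# 0 = never probe). A reachable idle client keeps answering the probes, so
# this is not an inactivity timeout.
sshd_unresponsive_timeout() {
    _i=$(sshd_get_option "$1" ClientAliveInterval 0)
    _c=$(sshd_get_option "$1" ClientAliveCountMax 3)
    echo $((_i * _c))
}

# Back up FILE, apply KEY VALUE pairs, validate with sshd, then restart.
# Usage: sshd_apply /etc/ssh/sshd_config UseDNS no ClientAliveInterval 30 \
#            ClientAliveCountMax 240 TCPKeepAlive no
# Keep your current session open and test a fresh login afterwards.
sshd_apply() {
    _f="$1"; shift
    cp -p "$_f" "$_f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    while [ $# -ge 2 ]; do
        sshd_set_option "$_f" "$1" "$2" || return 1
        shift 2
    done
    if ! sshd -t -f "$_f"; then
        echo "sshd rejected $_f; restore the backup before restarting" >&2
        return 1
    fi
    # Debian/Ubuntu name the unit "ssh"; RHEL/CentOS name it "sshd".
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
}
```

The Match-block handling is the part most ad-hoc sed one-liners get wrong: appending "PasswordAuthentication no" to the end of a file that has a Match block silently scopes it to that block, and the global setting never changes. The getter mirrors sshd's first-value-wins rule, so it reports what the daemon will actually use rather than the last line in the file.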
Apache normally runs as an unprivileged user without shell access on most platforms (www-data on Debian/Ubuntu, apache on Red Hat derivatives). This is for security reasons: if a poorly written script or configuration is exploited, the attacker only gets that user's privileges and cannot read or modify files beyond what the web server user can already access.
If you're running a development environment and know exactly what you're doing, you can change the user and group that the Apache process runs as with these simple steps:
Set the User and Group directives in the Apache configuration to the account you want the Apache process to run as. The following example is to run it as root:
User root
Group root
This is a big security risk, especially running it as root: every request handler and every CGI or PHP script would then execute with full system privileges. A stock Apache httpd will in fact refuse to do this; unless it was compiled with -DBIG_SECURITY_HOLE it exits at start-up with an error explaining that it has not been designed to serve pages while running as root.
Make sure the user and group have appropriate permissions on DocumentRoot and related files and folders.
Restart Apache and verify which user the processes run as:
$ ps aux | grep apache2
root 1188 0.0 0.1 162184 6664 ? Ss Mar29 0:02 /usr/sbin/apache2 -k start
root 1197 0.0 0.1 162184 5668 ? S Mar29 0:00 /usr/sbin/apache2 -k start
root 1198 0.0 0.1 162184 5916 ? S Mar29 0:00 /usr/sbin/apache2 -k start
root 1200 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start
root 1201 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start
root 1202 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start
In some distributions the Apache binary could be named httpd instead of apache2.
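Reading the ps output by eye is fine for one host; the check below is an added example (not code from the original article) that does it mechanically, so it can run from a cron job or a configuration audit. It reads "ps -eo user,pid,ppid,comm" output from stdin and flags any Apache worker running as root. The parent (control) process is expected to be root, because it has to bind ports 80/443 before dropping privileges for the workers; the rule is that a process whose parent is itself an apache2/httpd process must not be root. The function name and the sample ps lines in the test are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit the user of Apache
# worker processes. Assumes POSIX sh + awk and the "ps -eo user,pid,ppid,comm"
# column layout (procps and BSD ps both support these -o keywords).
# Prints one line per offending worker; exit status 1 if any were found.
apache_root_workers() {
    awk '
        NR == 1 { next }                          # skip the ps header line
        $4 == "apache2" || $4 == "httpd" {
            user[$2] = $1; parent[$2] = $3; order[++n] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = order[i]
                # A worker is an Apache process whose parent is also one of
                # the Apache processes we saw; the top-level parent may be root.
                if ((parent[p] in user) && user[p] == "root") {
                    print "worker pid " p " runs as root (parent " parent[p] ")"
                    bad++
                }
            }
            exit (bad > 0)
        }'
}

# Live usage:  ps -eo user,pid,ppid,comm | apache_root_workers
```

With the User root / Group root configuration shown above every worker is reported; with the distribution defaults only the control process is root and the function stays silent and returns 0.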
OTP (one-time password) with a soft token is one of the most widely used 2FA (two-factor authentication) or MFA (multi-factor authentication) methods.
OpenSSH server supports two-factor …