Jun 082016
 

Here is how you can compile and install xtables-addons on CentOS 7.
first, Install Dependencies:

# yum install gcc gcc-c++ make automake unzip zip xz kernel-devel-`uname -r` wget unzip iptables-devel perl-Text-CSV_XS

download xtables-addons

# wget http://ufpr.dl.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-2.10.tar.xz

extract, compile and install

# tar -xJf xtables-addons-2.10.tar.xz
# cd xtables-addons-2.10
# configure
# make && make install

done!

and now for example we want to use geoip module, first of all install geoip database for xtables-addons.
still from xtables-addons-2.10 directory.

# cd geoip
# ./xt_geoip_dl
# ./xt_geoip_build GeoIPCountryWhois.csv
# mkdir -p /usr/share/xt_geoip
# cp -r {BE,LE} /usr/share/xt_geoip
# modprobe xt_geoip

if you want only allow ssh connection from certain country(ie. ID) and drop the rest here’s how to do it.

# iptables -I INPUT -p tcp --dport 22 -m geoip ! --src-cc ID -j DROP
Jun 042016
 

Starting from version 2.4 apache offers 3 MPM we can choose, it’s depend in what you needs.

  • prefork MPM uses multiple child processes without threading. Each process handles one connection at a time without creating separate threads for each.
  • worker MPM uses several threads per child processes, where each thread handles one connection at a time.
  • event MPM It is similar to the worker MPM in that it also creates multiple threads per child process but with an advantage: it causes KeepAlive or idle connections (while they remain in that state) to be handled by a single thread, thus freeing up memory that can be allocated to other threads. This MPM is not suitable for non-thread-safe modules like mod_php, to use event MPM, PHP-FPM must be used instead.

check the MPM used by your Apache:

# httpd -V
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 202.74.43.187. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

To change this, edit /etc/httpd/conf.modules.d/00-mpm.conf
and uncomment the line that loads mpm_event_module

LoadModule mpm_event_module modules/mod_mpm_event.so

install php-fpm, fcgi,mod_fcgid

# yum -y install php-fpm mod_fcgid fcgi

change php handler in order to use php-fpm in /etc/httpd/conf.d/php.conf

<FilesMatch \.php$>
#   SetHandler application/x-httpd-php
    SetHandler "proxy:fcgi://127.0.0.1:9000" 
</FilesMatch>

restart/start all services

# systemctl start php-fpm.service 
# systemctl enable php-fpm.service
# systemctl restart httpd.service

recheck the MPM used by your Apache:

# httpd -V
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 202.74.43.187. Set the 'ServerName' directive globally to suppress this message
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

create phpinfo if php handler using fpm/fastCGI now

$ echo '<?php phpinfo(); ?>' > /var/www/html/info.php

have fun 🙂