Archive for July, 2010
Hardening guide for WordPress 2.9.2
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount - Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 2.9.2 from:
http://wordpress.org/download - Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
- Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
- Create using VI the file /www/config.php with the following content:
<?php
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Blog Title
- Click on “Install WordPress” button, and close the web browser.
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use m6gf42s;
Note 1: Replace “m6gf42s” with your own WordPress database name.
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters). - Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
- Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Note 1: Replace 1.1.1.0 with the internal network IP address.
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Installation and configuration phase
- Login to the server using Root account.
- Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
- Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/ - Download PHP 5.3.2 source files from:
http://php.net/downloads.php - Copy the MySQL development RPM using PSCP (or SCP) into /tmp
- Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
- Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
- Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz
- Move to the PHP source folder:
cd /tmp/php-5.3.2
- Run the commands bellow to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib
make
make install
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Make sure the following string exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.html
To:
DirectoryIndex index.php index.html index.htm
- Copy the PHP.ini file
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
- Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
- Edit using VI, the file /etc/php.ini and replace the following values:
From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306
From:
allow_url_fopen = On
To:
allow_url_fopen = Off
From:
expose_php = On
To:
expose_php = Off
From:
memory_limit = 128M
To:
memory_limit = 8M
From:
;open_basedir =
To:
open_basedir = "/www"
From:
post_max_size = 8M
To:
post_max_size = 2M
From:
upload_max_filesize = 2M
To:
upload_max_filesize = 1M
From:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid
From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"
From:
display_errors = On
To:
display_errors = Off
From:
display_startup_errors = On
To:
display_startup_errors = Off
- Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
- Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
- Uninstall the following RPM:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
- Download MySQL server and client RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/ - Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Delete the MySQL source files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Run the commands bellow to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
- Run the command bellow to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
- Run the commands bellow to remove default folder:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
- Run the command bellow to set ownership and permissions for my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
- Edit using VI, the file /etc/my.cnf
Add the strings bellow under the [mysqld] section
pid-file = /var/lib/mysql/mysqld.pid
Add the section bellow:
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
- Run the command bellow to restart the target server:
reboot
- Login to the server using Root account.
- Run the commands bellow to set password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
Note 1: Specify complex password (at least 14 characters) and document it.
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 2: Replace “hostname” with the server FQDN (DNS name) - Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
- Run the command bellow to stop the MySQL service:
/etc/init.d/mysql stop
- Run the command bellow to start the MySQL service:
/etc/init.d/mysql start
How to implement SSL on Apache 2.2.15
Pre-installation notes
The guide bellow is based on the previous guide
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl - Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it) - Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- Restart the Apache services:
/usr/local/apache2/bin/apachectl restart
- Backup the file /usr/local/apache2/ssl/server.key
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
- Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
- Before compiling the Apache environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
- Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
- Move to the Apache source folder:
cd httpd-2.2.15
- Run the commands bellow to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl
make
make install
- Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15rm -f /tmp/httpd-2.2.15.tar.gz
- Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
- Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs - Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"
From:
Listen 80
To:
Listen Server_FQDN:80
From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com
From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN
From:
LogLevel warn
To:
LogLevel notice
From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
From:
<Directory />
To:
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>
From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500 - Remove the sections bellow from the file httpd.conf
<Directory "/usr/local/apache2/cgi-bin">
- Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
- To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/apache2/bin/apachectl start
- Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
Previous guides:
Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform
OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command bellow:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command bellow:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command bellow:
sconfig.cmd
- In-case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
Web server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- For minimal installation of IIS7.5 features, run the command bellow from command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
- For full installation of IIS7.5 (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
- For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
- Create a new folder for the WWW content, in a different partition then the operating system, for example:
md D:\WWW
- Copy the content of the web site to the newly created folder.
- Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
- Run the command bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
- Create a new folder for the LogFiles content, in a different partition then the operating system, for example:
md D:\LogFiles
- Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
- Run the commands bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles" - Run the command bellow to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
How to implement SSL on Apache 2.0
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform
SSL implementation phase
- Login to the server using Root account.
- Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command bellow to install OpenSSL packages:
pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
- Create folder for the SSL certificate files:
mkdir -p /etc/apache2/ssl.crt
- Create folder for the SSL private key:
mkdir -p /etc/apache2/ssl.key
- Run the command bellow to generate a key pair:
/usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
Specify a complex pass phrase for the private key (and document it) - Change the permissions on the private key file:
chmod 600 /etc/apache2/ssl.key/server.key
- Run the command bellow to generate the CSR:
/usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
- Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
From:
SSLSessionCache dbm:/var/run/apache2/ssl_scache
To:
SSLSessionCache dbm:/var/ apache2/ssl_scache
From:
SSLMutex file:/var/run/apache2/ssl_mutex
To:
SSLMutex file:/var/apache2/ssl_mutex
From:
ServerName 127.0.0.1:443
To:
ServerName Server_FQDN:443
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
To:
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
From:
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
To:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- Remove the section bellow:
<Directory "/var/apache2/cgi-bin">
- Stopping Apache from command line:
/usr/apache2/bin/apachectl stop
- Starting Apache from command line:
/usr/apache2/bin/apachectl startssl
Hardening guide for Apache 2.0 on Solaris 10 platform
- Login to the server using Root account.
- Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
- Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command bellow to install Apache2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
- Remove Default Content
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
- Updating Ownership and Permissions on Apache2 folders:
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www - Copy the configuration file in-order to edit it:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
- Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock
From:
User webservd
To:
User apache
From:
Group webservd
To:
Group apache
From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off
From:
# ServerTokens
To:
ServerTokens Prod
From:
ServerAdmin [email protected]
To:
ServerAdmin webmaster@yourcompany.com
From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN
From:
Timeout 300
To:
Timeout 60
From:
LogLevel warn
To:
LogLevel notice
From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort
From:
ReadmeName README.html
To:
# ReadmeName README.html
From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html
From:
AddIcon
To:
# AddIcon
From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif
From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"
From:
AliasMatch
To:
# AliasMatch
From:
ScriptAlias
To:
# ScriptAlias
From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
From
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so
From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so
From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so
From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so
From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so
From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so
From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so
From:
<Directory />
To:
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>
From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<Limitexcept GET POST>
deny from all
</Limitexcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
- Remove the sections bellow from the file httpd.conf
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin"> - Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Starting Apache from command line:
/usr/apache2/bin/apachectl start
- Run the command bellow to start the Apache service at server start-up:
svcadm enable apache2
How to implement SSL on Tomcat 5.5
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
- Create folder for the SSL private key:
mkdir -p /var/apache/tomcat55/conf/ssl.key
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
- Run the command bellow to generate a key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
- Run the command bellow to generate a CSR (certificate request):
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
- Send the file /tmp/tomcat.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Run the command bellow to import the trusted root CA public certificate:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
- Run the command bellow to import the signed public key into the key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
- Stop the Tomcat service:
/etc/init.d/tomcat stop
- Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" /> - Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
- Start the Tomcat service:
/etc/init.d/tomcat start -security
Hardening guide for Tomcat 5.5 on Solaris 10 platform
Pre-installation notes
This guide instruct how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.
Installation phase
- Login to the server using Root account.
- Make sure the folder /usr/jdk exists:
ls /ad /usr/jdk
- If the folder /usr/jdk doesn’t exists, manually create it:
mkdir /usr/jdk
- Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
- Move to /usr/jdk folder
cd /usr/jdk
- Change the permissions on the JDK 1.6 (32bit) script:
chmod +x jdk-6u15-solaris-i586.sh
- Run the command bellow to install JDK 1.6 (32bit):
./jdk-6u15-solaris-i586.sh
- Change the permissions on the JDK 1.6 (x64) script:
chmod +x jdk-6u15-solaris-x64.sh
- Run the command bellow to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
- Delete the file /usr/jdk/jdk-6u15-solaris-i586.sh and samples:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
- Remove the link for the Java
rm /usr/bin/java
- Create new link for the Java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
- Reload the links into memory:
rehash
- Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command bellow to install Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
- Remove the following default folders:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
- Copy the server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command should be written as one line. - Edit using VI, the file /var/apache/tomcat55/conf/server.xml
Uncomment the section bellow:
org.apache.catalina.valves.AccessLogValve
Replace the non-SSL HTTP/1.1 Connector:
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
To:
<connector port="8080" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" />
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<connector port="8080" debug="off" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" tcpnodelay="true" /> - Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManger and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</ROLE-NAME>
</auth-constraint>
</security-constraint> - Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines:
<role rolename="admin">
Note: Specify complex password for the admin account (and document it).
<role rolename="manager">
<user roles="admin,manager" password="adminpass" username="admin"> - Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
Uncomment the section bellow:
org.apache.catalina.valves.RemoteAddrValve
Replace the data of the value bellow:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: You may replace “172.16.*.*” with internal network segment.
Example: allow=”128.117.140.62, 128.117.140.63, 128.117.140.99″ - Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
Inside the “Context” section, add the following line:
<valve allow="172.16.*.*" classname="org.apache.catalina.valves.RemoteAddrValve">
Note: You may replace “172.16.*.*” with internal network segment.
Example: allow=”128.117.140.62, 128.117.140.63, 128.117.140.99″ - Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.propertiesReplace the string bellow from:
server.infoerver.info=Apache Tomcat/5.5.26
To:
server.infoerver.info=Secure Web server
Replace the string bellow from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
- Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the folder bellow:
rm -r /usr/apache/tomcat55/server/lib/org
- Create a user account for the Tomcat service:
mkdir /home/tomcatgroupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/
passwd tomcat
passwd -l tomcat - Create using VI, the file /etc/init.d/tomcat with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
case "$1" in
start)
echo -n "Starting Tomcat"
JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/startup.sh -security
;;
stop)
echo -n "Stopping Tomcat"
JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/shutdown.sh
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {startstoprestart}"
exit 1
esac - Change the permissions on the file /etc/init.d/tomcat
chmod u+x /etc/init.d/tomcat
- Create soft link/symoblic links for system level startup
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat - Reload the links into memory:
rehash
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*