web analytics

Archive for July, 2010

Hardening guide for WordPress 2.9.2


Pre-installation notes
The guide bellow is based on the previous guides:

Installation and configuration phase

  1. Login to the server using Root account.
  2. Create a new account for uploading files using SSH:
    groupadd sshaccount
    useradd -g sshaccount -d /home/sshaccount -m sshaccount
  3. Run the commands bellow to switch to the SSH account:
    su sshaccount
  4. Run the command bellow to generate SSH keys:
    ssh-keygen
    Note: Leave deafult values for the ssh-keygen.
  5. Copy the SSH keys:
    cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
  6. Change permissions for the SSH keys:
    chmod 755 /home/sshaccount/.ssh
    chmod 644 /home/sshaccount/.ssh/*
  7. Exit the SSH account shell and return to the Root account:
    exit
  8. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  9. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
    SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE m6gf42s;
    GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit

    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “m6gf42s” with your own WordPress database name.
  10. Download WordPress 2.9.2 from:
    http://wordpress.org/download
  11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
  12. Move to /www
    cd /www
  13. Extract the wordpress-2.9.2.tar.gz file:
    tar -zxvf wordpress-2.9.2.tar.gz
  14. Remove WordPress source file:
    rm -f /www/wordpress-2.9.2.tar.gz
  15. Create using VI the file /www/config.php with the following content:
    <?php
    define('DB_NAME', 'm6gf42s');
    define('DB_USER', 'blgusr');
    define('DB_PASSWORD', 'password2');
    define('DB_HOST', '127.0.0.1');
    $table_prefix = 'm6gf42s_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('FS_METHOD', 'direct');
    define('FS_CHMOD_DIR', 0777);
    define('FS_CHMOD_FILE', 0777);
    define('FTP_BASE', '/www/wordpress/');
    define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
    define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
    define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
    define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
    define('FTP_USER', 'sshaccount');
    define('FTP_HOST', '127.0.0.1:22');
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
  16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
  17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
    define('DB_USER', 'usernamehere');
    define('DB_PASSWORD', 'yourpasswordhere');
    define('DB_HOST', 'localhost');
    $table_prefix = 'wp_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
  18. Remove default content:
    rm -f /www/wordpress/license.txt
    rm -f /www/wordpress/readme.html
    rm -f /www/wordpress/wp-config-sample.php
    rm -f /www/wordpress/wp-content/plugins/hello.php
  19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"
    To:
    DocumentRoot "/www/wordpress"
    Replace the value of the string, from:
    LimitRequestBody 10000
    To:
    LimitRequestBody 200000
  20. Restart the Apache service.
  21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
  22. Specify the following information:
    • Blog Title
    • E-Mail
  23. Click on “Install WordPress” button, and close the web browser.
  24. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  25. Run the following commands from the MySQL prompt:
    use m6gf42s;
    UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
    UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
    FLUSH PRIVILEGES;
    quit
    Note 1: Replace “m6gf42s” with your own WordPress database name.
    Note 1: Replace “johnd” with your own new WordPress admin.
    Note 2: Replace “password3” with complex password (at least 14 characters).
  26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
    'timeout' => apply_filters( 'http_request_timeout', 5),
    To:
    'timeout' => apply_filters( 'http_request_timeout', 30),
  27. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
    <Files wp-login.php>
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    </Files>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
  28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName “Access Control”
    AuthType Basic
    <LIMIT GET POST>
    order deny,allow
    deny from all
    Allow from 1.1.1.0
    </LIMIT>
    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>
    Note: Replace 1.1.1.0 with the internal network IP address.
  29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    Note: Replace 1.1.1.0 with the internal network IP address.
  30. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
    mkdir -p /www/wordpress/wp-content/uploads
    mkdir -p /www/wordpress/wp-content/upgrade
  31. Change the file permissions:
    chown -R root:root /www/wordpress
    chown daemon:root /www/wordpress/wp-content/plugins
    chmod 644 /www/config.php
    chmod 644 /www/wordpress/wp-config.php
    chmod 644 /www/wordpress/.htaccess
    chmod 644 /www/wordpress/wp-admin/.htaccess
    chmod 644 /www/wordpress/wp-content/plugins/.htaccess
    chmod -R 777 /www/wordpress/wp-content/cache
    chmod -R 777 /www/wordpress/wp-content/uploads
    chmod -R 777 /www/wordpress/wp-content/upgrade
  32. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
  33. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  34. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
  35. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
  36. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
  37. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
  38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
  39. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
  40. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
  41. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
  42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
  43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
  44. Click on “Save changes”.
  45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
  46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /wp-login.php
    Disallow: /wp-register.php
  47. Click “Submit”.
  48. From the upper pane, click on “Log Out”.
  49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Pre-installation notes
The guide bellow is based on the previous guides:

Installation and configuration phase

  1. Login to the server using Root account.
  2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
  3. Download MySQL development RPM from:
    http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
  4. Download PHP 5.3.2 source files from:
    http://php.net/downloads.php
  5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
  6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Install the MySQL development RPM:
    rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
  9. Remove MySQL development RPM:
    rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
  10. Extract the php-5.3.2.tar.gz file:
    tar -zxvf php-5.3.2.tar.gz
  11. Move to the PHP source folder:
    cd /tmp/php-5.3.2
  12. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

    make

    make install

  13. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Make sure the following string exists at the end of the LoadModule section:
    LoadModule php5_module modules/libphp5.so
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.htmlTo:
    DirectoryIndex index.php index.html index.htm
  14. Copy the PHP.ini file
    cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
  15. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
  16. Edit using VI, the file /etc/php.ini and replace the following values:
    From:
    mysql.default_host =To:
    mysql.default_host = 127.0.0.1:3306

    From:
    allow_url_fopen = OnTo:
    allow_url_fopen = Off

    From:
    expose_php = OnTo:
    expose_php = Off

    From:
    memory_limit = 128MTo:
    memory_limit = 8M

    From:
    ;open_basedir =To:
    open_basedir = "/www"

    From:
    post_max_size = 8MTo:
    post_max_size = 2M

    From:
    upload_max_filesize = 2MTo:
    upload_max_filesize = 1M

    From:
    disable_functions =To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    From:
    ;include_path = ".:/php/includes"To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    From:
    display_errors = OnTo:
    display_errors = Off

    From:
    display_startup_errors = OnTo:
    display_startup_errors = Off

  17. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop
    /usr/local/apache2/bin/apachectl start
  18. Remove the PHP source and test files:
    rm -rf /tmp/php-5.3.2
    rm -f /tmp/php-5.3.2.tar.gz
    rm -rf /usr/local/apache2/lib/php/test
    rm -rf /usr/local/lib/php/test
  19. Uninstall the following RPM:
    rpm -e libxml2-devel-2.6.26-2.1.2.8
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5

Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd mysql
    useradd -d /dev/null -g mysql -s /bin/false mysql
  3. Download MySQL server and client RPM from:
    http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
  4. Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
  5. Move to /tmp
    cd /tmp
  6. Install the MySQL packages:
    rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
    rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  7. Delete the MySQL source files:
    rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
    rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
  8. Run the commands bellow to set ownership and permissions:
    chown -R root /usr/bin/mysql*
    chown -R mysql:root /var/lib/mysql
    chmod -R go-rwx /var/lib/mysql
    mkdir -p /var/log/mysql
    chown -R mysql:root /var/log/mysql
  9. Run the command bellow to copy the main configuration file:
    cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
  10. Run the commands bellow to remove default folder:
    rm -rf /var/lib/mysql/test
    rm -f /usr/share/mysql/*.cnf
  11. Run the command bellow to set ownership and permissions for my.cnf file:
    chown root /etc/my.cnf
    chmod 644 /etc/my.cnf
  12. Edit using VI, the file /etc/my.cnf
    Add the strings bellow under the [mysqld] section
    pid-file = /var/lib/mysql/mysqld.pid
    log = /var/log/mysql/mysql.log
    bind-address = 127.0.0.1
    Add the section bellow:
    [safe_mysqld]
    err-log = /var/log/mysql/mysql.err
  13. Run the command bellow to restart the target server:
    reboot
  14. Login to the server using Root account.
  15. Run the commands bellow to set password for the MySQL root user:
    /usr/bin/mysqladmin -u root password 'new-password'
    /usr/bin/mysqladmin -u root -h hostname password 'new-password'
    Note 1: Specify complex password (at least 14 characters) and document it.
    Note 2: Replace “hostname” with the server FQDN (DNS name)
  16. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  17. Run the following commands from the MySQL prompt:
    use mysql;
    DELETE FROM mysql.user WHERE user = '';
    DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
    DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
    DROP DATABASE test;
    DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
    FLUSH PRIVILEGES;
    quit
  18. Run the command bellow to stop the MySQL service:
    /etc/init.d/mysql stop
  19. Run the command bellow to start the MySQL service:
    /etc/init.d/mysql start

How to implement SSL on Apache 2.2.15

Pre-installation notes
The guide bellow is based on the previous guide

SSL implementation phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /usr/local/apache2/ssl
    chmod 600 /usr/local/apache2/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/apache.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
  10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
    Listen Server_FQDN:443
    SSLEngine on
    SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
    SSLCertificateFile /usr/local/apache2/ssl/server.crt
    SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
  11. Restart the Apache services:
    /usr/local/apache2/bin/apachectl restart
  12. Backup the file /usr/local/apache2/ssl/server.key

Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Apache environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
  6. Move to /tmp
    cd /tmp
  7. Extract the httpd-2.2.15.tar.gz file:
    tar -zxvf httpd-2.2.15.tar.gz
  8. Move to the Apache source folder:
    cd httpd-2.2.15
  9. Run the commands bellow to compile the Apache environment:
    ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl

    make

    make install

  10. Remove the Apache source files:
    rm -rf /tmp/httpd-2.2.15rm -f /tmp/httpd-2.2.15.tar.gz
  11. Remove Default Content
    rm -rf /usr/local/apache2/cgi-bin
    rm -rf /usr/local/apache2/htdocs
    rm -rf /usr/local/apache2/icons
    rm -rf /usr/local/apache2/man
    rm -rf /usr/local/apache2/manual
    rm -rf /usr/local/apache2/conf/extra
    rm -rf /usr/local/apache2/conf/original
  12. Updating Ownership and Permissions on Apache2 folders:
    chown root:root /usr/local/apache2/bin/apachectl
    chown root:root /usr/local/apache2/bin/httpd*
    chmod 770 /usr/local/apache2/bin/apachectl
    chmod 770 /usr/local/apache2/bin/httpd*
    chown -R root:root /usr/local/apache2
    chmod -R go-r /usr/local/apache2
    chown -R root:root /usr/local/apache2/logs
    chmod -R 700 /usr/local/apache2/logs
  13. Create folder for the web content:
    mkdir -p /www
  14. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
    From:
    DocumentRoot "/var/www/html"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80

    From:
    ServerAdmin root@localhost To:
    ServerAdmin webmaster@mycompany.com

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN

    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/usr/local/apache2/htdocs">To:
    <Directory "/www">
    <LimitExcept GET POST>
    deny from all
    </limitexcept>

    From:
    Options Indexes FollowSymLinksTo:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  16. Add the following sections to the end of the httpd.conf file:
    ServerSignature Off
    ServerTokens Prod
    Timeout 60
    # Maximum size of the request body.
    LimitRequestBody 10000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4094
    # Maximum size of the request line.
    LimitRequestLine 500
  17. Remove the sections bellow from the file httpd.conf
    <Directory "/usr/local/apache2/cgi-bin">
  18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  19. Starting Apache from command line:
    /usr/local/apache2/bin/apachectl start
  20. To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/apache2/bin/apachectl start
  21. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5

Previous guides:

Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To login to the server for the first time, press CTRL+ALT+DELETE
  8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
  9. From the command prompt window, run the command bellow:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
  11. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command bellow:
    sconfig.cmd
  13. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  14. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
  15. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  16. From the command prompt window, run the command bellow:
    sconfig.cmd
  17. In-case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
  18. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  19. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
  20. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Web server installation phase

  1. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. For minimal installation of IIS7.5 features, run the command bellow from command prompt:
    start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
  3. For full installation of IIS7.5 (not recommended on production environments), run the command bellow from command prompt:
    start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
  4. For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command bellow from command prompt:
    start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
  5. Create a new folder for the WWW content, in a different partition then the operating system, for example:
    md D:\WWW
  6. Copy the content of the web site to the newly created folder.
  7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
  8. Run the command bellow to configure IIS metadata to use the new folder:
    %windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
  9. Create a new folder for the LogFiles content, in a different partition then the operating system, for example:
    md D:\LogFiles
  10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
  11. Run the commands bellow to configure IIS metadata to use the new folder:
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
  12. Run the command bellow to configure the newly created WWW folder for service packs and other installers:
    reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW

How to implement SSL on Apache 2.0

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform

SSL implementation phase

  1. Login to the server using Root account.
  2. Mount Solaris 10 DVD, and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  3. Run the command bellow to install OpenSSL packages:
    pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
  4. Create folder for the SSL certificate files:
    mkdir -p /etc/apache2/ssl.crt
  5. Create folder for the SSL private key:
    mkdir -p /etc/apache2/ssl.key
  6. Run the command bellow to generate a key pair:
    /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
    Specify a complex pass phrase for the private key (and document it)
  7. Change the permissions on the private key file:
    chmod 600 /etc/apache2/ssl.key/server.key
  8. Run the command bellow to generate the CSR:
    /usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  9. Send the file /tmp/apache.csr to a Certificate Authority server.
  10. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  11. Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
  12. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  13. Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
  14. Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
    From:
    SSLSessionCache dbm:/var/run/apache2/ssl_scacheTo:
    SSLSessionCache dbm:/var/ apache2/ssl_scache

    From:
    SSLMutex file:/var/run/apache2/ssl_mutexTo:
    SSLMutex file:/var/apache2/ssl_mutex

    From:
    ServerName 127.0.0.1:443To:
    ServerName Server_FQDN:443

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crtTo:
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    From:
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLTo:
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

  15. Remove the section bellow:
    <Directory "/var/apache2/cgi-bin">
  16. Stopping Apache from command line:
    /usr/apache2/bin/apachectl stop
  17. Starting Apache from command line:
    /usr/apache2/bin/apachectl startssl

Hardening guide for Apache 2.0 on Solaris 10 platform

  1. Login to the server using Root account.
  2. Create a new account:

    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
    passwd apache
    passwd -l apache
  3. Mount Solaris 10 DVD, and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  4. Run the command bellow to install Apache2 packages:
    pkgadd -d . SUNWapch2r SUNWapch2u
  5. Remove Default Content
    rm -r /var/apache2/htdocs/
    rm -r /var/apache2/cgi-bin/
    rm -r /var/apache2/icons/
  6. Updating Ownership and Permissions on Apache2 folders:
    chown -R root:root /usr/apache2
    chmod -R 770 /usr/apache2/bin
    chown -R root:root /etc/apache2
    chmod -R go-r /etc/apache2
    chmod -R 770 /etc/apache2
    chown -R root:root /var/apache2/logs
    chmod -R 700 /var/apache2/logs
  7. Create folder for the web content:
    mkdir -p /www
  8. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  9. Copy the configuration file in-order to edit it:
    cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
  10. Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
    From:
    # LockFile /var/apache2/logs/accept.lockTo:
    LockFile /var/apache2/logs/accept.lock

    From:
    User webservdTo:
    User apache
    From:
    Group webservdTo:
    Group apache

    From:
    PidFile /var/run/apache2/httpd.pidTo:
    PidFile /var/apache2/logs/httpd.pid

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    ServerSignature OnTo:
    ServerSignature Off
    HostnameLookups Off

    From:
    # ServerTokensTo:
    ServerTokens Prod

    From:
    ServerAdmin [email protected]To:
    ServerAdmin webmaster@yourcompany.com

    From:
    ServerName 127.0.0.1To:
    ServerName Server_FQDN

    From:
    Timeout 300To:
    Timeout 60

    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    IndexOptions FancyIndexing VersionSortTo:
    # IndexOptions FancyIndexing VersionSort

    From:
    ReadmeName README.htmlTo:
    # ReadmeName README.html

    From:
    HeaderName HEADER.htmlTo:
    # HeaderName HEADER.html

    From:
    AddIconTo:
    # AddIcon

    From:
    DefaultIcon /icons/unknown.gifTo:
    # DefaultIcon /icons/unknown.gif

    From:
    Alias /icons/ "/var/apache2/icons/"To:
    # Alias /icons/ "/var/apache2/icons/"

    From:
    AliasMatchTo:
    # AliasMatch

    From:
    ScriptAliasTo:
    # ScriptAlias

    From:
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.soTo:
    # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

    From
    LoadModule imap_module libexec/mod_imap.soTo:
    # LoadModule imap_module libexec/mod_imap.so

    From:
    LoadModule cgi_module libexec/mod_cgi.soTo:
    # LoadModule cgi_module libexec/mod_cgi.so

    From:
    LoadModule suexec_module libexec/mod_suexec.soTo:
    # LoadModule suexec_module libexec/mod_suexec.so

    From:
    LoadModule autoindex_module libexec/mod_autoindex.soTo:
    # LoadModule autoindex_module libexec/mod_autoindex.so

    From:
    LoadModule info_module libexec/mod_info.soTo:
    # LoadModule info_module libexec/mod_info.so

    From:
    LoadModule status_module libexec/mod_status.soTo:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule status_module libexec/mod_status.soTo:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule userdir_module libexec/mod_userdir.soTo:
    # LoadModule userdir_module libexec/mod_userdir.so

    From:
    LoadModule cern_meta_module modules/mod_cern_meta.soTo:
    # LoadModule cern_meta_module modules/mod_cern_meta.so

    From:
    LoadModule dav_module modules/mod_dav.soTo:
    # LoadModule dav_module modules/mod_dav.so

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/var/apache2/htdocs">To:
    <Directory "/www">
    <Limitexcept GET POST>
    deny from all
    </Limitexcept>

    From:
    Options Indexes FollowSymLinksTo:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  11. Add the following sections to the end of the httpd.conf file:
    LimitRequestBody 10000
    LimitRequestFields 40
    LimitRequestFieldSize 100
    LimitRequestLine 500
  12. Remove the sections bellow from the file httpd.conf
    <Directory "/usr/apache2/manual">
    <Directory "/var/apache2/cgi-bin">
  13. Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"
    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
  14. Starting Apache from command line:
    /usr/apache2/bin/apachectl start
  15. Run the command bellow to start the Apache service at server start-up:
    svcadm enable apache2

How to implement SSL on Tomcat 5.5

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform

SSL implementation phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /var/apache/tomcat55/conf/ssl.crt
  3. Create folder for the SSL private key:
    mkdir -p /var/apache/tomcat55/conf/ssl.key
  4. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
  5. Run the command bellow to generate a key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
  6. Run the command bellow to generate a CSR (certificate request):
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
  7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  12. Run the command bellow to import the trusted root CA public certificate:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

  13. Run the command bellow to import the signed public key into the key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

  14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
  15. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
    <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="SSLv3"
    keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
    keystorePass="ComplexPassword"
    truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
    truststorePass="changeit"
    ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
    tcpNoDelay="true" />
  16. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  17. Start the Tomcat service:
    /etc/init.d/tomcat start -security

Hardening guide for Tomcat 5.5 on Solaris 10 platform

Pre-installation notes
This guide instruct how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.

Installation phase

  1. Login to the server using Root account.
  2. Make sure the folder /usr/jdk exists:
    ls /ad /usr/jdk
  3. If the folder /usr/jdk doesn’t exists, manually create it:
    mkdir /usr/jdk
  4. Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
  5. Move to /usr/jdk folder
    cd /usr/jdk
  6. Change the permissions on the JDK 1.6 (32bit) script:
    chmod +x jdk-6u15-solaris-i586.sh
  7. Run the command bellow to install JDK 1.6 (32bit):
    ./jdk-6u15-solaris-i586.sh
  8. Change the permissions on the JDK 1.6 (x64) script:
    chmod +x jdk-6u15-solaris-x64.sh
  9. Run the command bellow to install JDK 1.6 (x64):
    ./jdk-6u15-solaris-x64.sh
  10. Delete the file /usr/jdk/jdk-6u15-solaris-i586.sh and samples:
    rm /usr/jdk/jdk-6u15-solaris-i586.sh
    rm /usr/jdk/jdk-6u15-solaris-x64.sh
    rm /usr/jdk/jdk1.6.0_15/src.zip
    rm -r /usr/jdk/jdk1.6.0_15/demo
    rm -r /usr/jdk/jdk1.6.0_15/sample
  11. Remove the link for the Java
    rm /usr/bin/java
  12. Create new link for the Java (for x64 servers):
    ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
  13. Reload the links into memory:
    rehash
  14. Mount Solaris 10 DVD, and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  15. Run the command bellow to install Tomcat packages:
    pkgadd -d . SUNWtcatr SUNWtcatu
  16. Remove the following default folders:
    rm -r /usr/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/tomcat-docs
    rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
    rm -r /var/apache/tomcat55/webapps/jsp-examples
    rm -r /var/apache/tomcat55/webapps/servlets-examples
    rm -r /var/apache/tomcat55/webapps/webdav
    rm -r /var/apache/tomcat55/webapps/balancer
  17. Copy the server.xml configuration file:
    cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xmlNote: The above command should be written as one line.
  18. Edit using VI, the file /var/apache/tomcat55/conf/server.xml
    Uncomment the section bellow:
    org.apache.catalina.valves.AccessLogValveReplace the non-SSL HTTP/1.1 Connector:
    From:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <connector port="8080" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" />
    To:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <connector port="8080" debug="off" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" tcpnodelay="true" />
  19. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</ROLE-NAME>
    </auth-constraint>
    </security-constraint>
  20. Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines:
    <role rolename="admin">
    <role rolename="manager">
    <user roles="admin,manager" password="adminpass" username="admin">
    Note: Specify complex password for the admin account (and document it).
  21. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
    Uncomment the section bellow:
    org.apache.catalina.valves.RemoteAddrValveReplace the data of the value bellow:
    From:
    allow="127.0.0.1"To:
    allow="172.16.*.*"Note: You may replace “172.16.*.*” with internal network segment.
    Example: allow=”128.117.140.62, 128.117.140.63, 128.117.140.99″
  22. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
    Inside the “Context” section, add the following line:
    <valve allow="172.16.*.*" classname="org.apache.catalina.valves.RemoteAddrValve">Note: You may replace “172.16.*.*” with internal network segment.
    Example: allow=”128.117.140.62, 128.117.140.63, 128.117.140.99″
  23. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  24. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  25. Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.propertiesReplace the string bellow from:
    server.infoerver.info=Apache Tomcat/5.5.26To:
    server.infoerver.info=Secure Web serverReplace the string bellow from:
    server.number=5.5.26.0To:
    server.number=1.0.0.0
  26. Move to the folder /usr/apache/tomcat55/server/lib
    cd /usr/apache/tomcat55/server/lib
  27. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  28. Remove the folder bellow:
    rm -r /usr/apache/tomcat55/server/lib/org
  29. Create a user account for the Tomcat service:
    mkdir /home/tomcatgroupadd tomcat
    useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
    chown tomcat:tomcat /home/tomcat/
    passwd tomcat
    passwd -l tomcat
  30. Create using VI, the file /etc/init.d/tomcat with the following content:
    #!/bin/sh
    #
    # Startup script for Tomcat
    #
    case "$1" in
    start)
    echo -n "Starting Tomcat"
    JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/startup.sh -security
    ;;
    stop)
    echo -n "Stopping Tomcat"
    JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/shutdown.sh
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    *)
    echo "Usage: $0 {startstoprestart}"
    exit 1
    esac
  31. Change the permissions on the file /etc/init.d/tomcat
    chmod u+x /etc/init.d/tomcat
  32. Create soft link/symoblic links for system level startup
    ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
    ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
  33. Reload the links into memory:
    rehash
  34. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/*
    chown -R tomcat:tomcat /usr/apache/tomcat55/*