Archive for August, 2010
Hardening guide for Cisco Firewall (PIX, ASA, FWSM)
Important note
The guide bellow instructs how to secure Cisco Firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL
Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
Configure Local Password (ASA, FWSM, PIX):
passwd
Configure ASDM Access Control (ASA, FWSM, PIX):
http
Configuring SSH (ASA, FWSM, PIX):
hostname
domain-name
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0
ssh
ssh version 2
Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10
Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username
Configure Enable Password (ASA, FWSM, PIX):
enable password
Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host
Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all
Configure Clock Time Zone (ASA, PIX):
clock timezone GMT
Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable
Disable HTTP Service (ASA, FWSM, PIX) – in-case not in use:
no http server enable
Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical
Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp
Configure AAA Flood Guard (FWSM, PIX):
floodguard enable
Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1
Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp
fixup protocol http
fixup protocol smtp
Configure Protocol Inspection (ASA):
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]
Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface
ip verify reverse-path interface
exit
Save the changes:
wr
Hardening guide for Cisco Routers and Switches
Important note
The guide bellow instructs how to secure Cisco router/switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA service:
aaa new-model
Configure AAA Authentication for Login:
aaa authentication login default local-case
Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable
Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit
Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit
Set and secure passwords:
service password-encryption
enable secret 0
Configure Local User and Encrypted Password:
username
Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T:
username
Configure SSH:
hostname
domain-name
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3
Configure VTY Transport SSH:
line console 0
transport input ssh
exit
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit
Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit
Disable SNMP server (in-case not in use):
no snmp-server
Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public
Configure Clock Timezone – GMT:
clock timezone GMT
Disable Router Name and DNS Name Resolution (in-case not in use):
no ip domain-lookup
Disable CDP Run Globally:
no cdp run
Disable PAD service (in-case not in use):
no service pad
Disable Finger Service:
no service finger
Disable Maintenance Operations Protocol (MOP):
interface
no mop enabled
exit
Disable DHCP server (in-case not in use):
no service dhcp
Disable IP BOOTP server (in-case not in use):
no ip bootp server
Disable Identification Service:
no identd
Disable IP HTTP Server (in-case not in use):
no ip http server
Disable Remote Startup Configuration:
no boot network
no service config
Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out
Disable small-servers:
no service tcp-small-servers
no service udp-small-servers
Disable TFTP Server:
no tftp-server
Configure Logging:
logging on
logging buffered 16000
logging console critical
Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
Disable IP source-route:
no ip source-route
Disable Directed Broadcast:
interface
no ip directed-broadcast
exit
Configure Unicast Reverse-Path Forwarding:
interface
ip verify unicast reverse-path
exit
Disable IP Proxy ARP:
interface
no ip proxy-arp
exit
Disable Gratuitous-Arps:
no ip gratuitous-arps
Configure switch port-security:
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky
Save the changes:
wr
How to implement SSL on Nginx 0.7.65
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl
- Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
- Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
- Send the file /tmp/nginx.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
- Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
- Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
- Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
# HTTPS server
To:
#
#server {
# listen 443;
# server_name localhost;# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
# ssl_prefer_server_ciphers on;# location / {
# root html;
# index index.html index.htm;
# }
#}
server {
listen 443;
server_name Server_FQDN;
ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /www;
index index.html index.htm;
}
}
- Restart the Nginx service:
/etc/init.d/nginx restart
Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx
- Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
- Before compiling the Nginx environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
- Download Nginx 0.7.65 from:
http://wiki.nginx.org/NginxInstall - Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the nginx-0.7.65.tar.gz file:
tar -zxvf nginx-0.7.65.tar.gz
- Move to the Nginx source folder:
cd /tmp/nginx-0.7.65
- Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
To:
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
- Run the commands bellow to compile the Nginx environment:
./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
make
make install
- Remove the Nginx source files:
rm -rf /tmp/nginx-0.7.65
rm -f /tmp/nginx-0.7.65.tar.gz
- Remove Default Content
rm -rf /usr/local/nginx/html
- Updating Ownership and Permissions on Nginx folders:
chown -R root:root /usr/local/nginx
chmod 750 /usr/local/nginx/sbin/nginx
chmod -R 640 /usr/local/nginx/conf
chmod -R 770 /usr/local/nginx/logs
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www - Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
From:
#user nobody;
To:
user nginx nginx;
From:
#error_log logs/error.log notice;
To:
error_log logs/error.log notice;
From:
server_name localhost;
To:
server_name Server_FQDN;
From:
root html;
To:
root /www;
- Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
server_tokens off;
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;
- Create using VI, the file /etc/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid# Source function library.
. /etc/rc.d/init.d/functions# Source networking configuration.
. /etc/sysconfig/network# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
lockfile=/var/lock/subsys/nginx
start() {
[ -x $nginx ] exit 5
[ -f $NGINX_CONF_FILE ] exit 6
echo -n $"Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}restart() {
configtest return $?
stop
sleep 1
start
}reload() {
configtest return $?
echo -n $"Reloading $prog: "
killproc $nginx -HUP
RETVAL=$?
echo
}force_reload() {
restart
}configtest() {
$nginx -t -c $NGINX_CONF_FILE
}rh_status() {
status $prog
}rh_status_q() {
rh_status >/dev/null 2>&1
}case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q exit 0
$1
;;
restartconfigtest)
$1
;;
reload)
rh_status_q exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestarttry-restart)
rh_status_q exit 0
;;
*)
echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}"
exit 2
esac
- Change the permissions of the file /etc/init.d/nginx
chmod +x /etc/init.d/nginx
- To start Nginx service at server start-up, run the command:
chkconfig nginx on
- To manually start the Nginx service, use the command:
/etc/init.d/nginx start
- Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
How to implement SSL on Lighttpd 1.4.26
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl
- Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
- Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
- Send the file /tmp/lighttpd.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
- Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
Note: The command above should be written as one line. - Remove the original server.crt file:
rm -f /etc/lighttpd/ssl/server.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
- Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
$SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
} - Restart the Lighttpd service.
Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd lighttpd
useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
- Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
- Before compiling the Lighttpd environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-49.x86_64.rpm
rpm -ivh glibc-devel-2.5-49.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
- Download Lighttpd 1.4.26 from:
http://www.lighttpd.net/download/ - Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the lighttpd-1.4.26.tar.gz file:
tar -zxvf lighttpd-1.4.26.tar.gz
- Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
- Move to the Lighttpd source folder:
cd /tmp/lighttpd-1.4.26
- Run the commands bellow to compile the Lighttpd environment:
./configure --with-openssl --without-bzip2
make
make install
- Create the following folders:
mkdir -p /etc/lighttpd
mkdir -p /var/log/lighttpd
mkdir -p /var/cache/lighttpd/compress
- Copy the lighttpd.conf file:
cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
- Updating Ownership and Permissions on Lighttpd folders:
chown lighttpd:lighttpd /var/log/lighttpd
chown lighttpd:root /etc/lighttpd/lighttpd.conf
chown lighttpd:lighttpd /var/cache/lighttpd/compress
chmod o-r /etc/lighttpd/lighttpd.conf
chmod -R o-r /var/log/lighttpd
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
From:
server.document-root = "/srv/www/htdocs/"
To:
server.document-root = "/www"
From:
#server.bind = "127.0.0.1"
To:
server.bind = "Server_FQDN"
From:
# server.tag = "lighttpd"
To:
server.tag = "Secure Web Server"
From:
#server.username = "wwwrun"
To:
server.username = "lighttpd"
From:
#server.groupname = "wwwrun"
To:
server.groupname = "lighttpd"
From:
#dir-listing.activate = "enable"
To:
dir-listing.activate = "disable"
- Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
- To manually start Lighttpd use the command:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
- To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
- Remove the Lighttpd source files:
rm -rf /tmp/lighttpd-1.4.26
rm -f /tmp/lighttpd-1.4.26.tar.gz
- Uninstall the following RPM:
rpm -e gcc-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5