Archive for the ‘Apache’ Category
Hardening guide for Apache 2.0 on Solaris 10 platform
- Login to the server using Root account.
- Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
- Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command bellow to install Apache2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
- Remove Default Content
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
- Updating Ownership and Permissions on Apache2 folders:
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www - Copy the configuration file in-order to edit it:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
- Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock
From:
User webservd
To:
User apache
From:
Group webservd
To:
Group apache
From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off
From:
# ServerTokens
To:
ServerTokens Prod
From:
ServerAdmin [email protected]
To:
ServerAdmin webmaster@yourcompany.com
From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN
From:
Timeout 300
To:
Timeout 60
From:
LogLevel warn
To:
LogLevel notice
From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort
From:
ReadmeName README.html
To:
# ReadmeName README.html
From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html
From:
AddIcon
To:
# AddIcon
From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif
From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"
From:
AliasMatch
To:
# AliasMatch
From:
ScriptAlias
To:
# ScriptAlias
From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
From
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so
From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so
From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so
From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so
From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so
From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so
From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so
From:
<Directory />
To:
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>
From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<Limitexcept GET POST>
deny from all
</Limitexcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
- Remove the sections bellow from the file httpd.conf
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin"> - Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Starting Apache from command line:
/usr/apache2/bin/apachectl start
- Run the command bellow to start the Apache service at server start-up:
svcadm enable apache2
How to implement SSL on Tomcat 5.5
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
- Create folder for the SSL private key:
mkdir -p /var/apache/tomcat55/conf/ssl.key
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
- Run the command bellow to generate a key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
- Run the command bellow to generate a CSR (certificate request):
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
- Send the file /tmp/tomcat.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Run the command bellow to import the trusted root CA public certificate:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
- Run the command bellow to import the signed public key into the key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
- Stop the Tomcat service:
/etc/init.d/tomcat stop
- Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" /> - Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
- Start the Tomcat service:
/etc/init.d/tomcat start -security