Security 24/7

Archive for the ‘CentOS’ Category

Hardening guide for Drupal 7.7

September 3rd, 2011 |

Author: eyalestrin

Pre-installation notes
The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

PHP installation phase

Login to the server using Root account.
Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm rpm -ivh glibc-headers-2.5-49.i386.rpm rpm -ivh glibc-devel-2.5-49.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm rpm -ivh libgomp-4.4.0-6.el5.i386.rpm rpm -ivh gcc-4.1.2-48.el5.i386.rpm rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm rpm -ivh zlib-devel-1.2.3-3.i386.rpm rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm rpm -ivh pkgconfig-0.21-2.el5.i386.rpm rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm rpm -ivh libjpeg-devel-6b-37.i386.rpm
Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
Download PHP 5.3.8 source files from:
http://php.net/downloads.php
Download the latest libxml2 for PHP from:
http://xmlsoft.org/sources/
Copy the MySQL development RPM using PSCP (or SCP) into /tmp
Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
Move to /tmp
cd /tmp
Install the MySQL development RPM:
rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
Remove MySQL development RPM:
rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
Extract the php-5.3.8.tar.gz file:
tar -zxvf php-5.3.8.tar.gz
Extract the libxml2 source file:
tar -zxvf libxml2-2.7.7.tar.gz
Move the libxml2-2.7.7 folder:
cd /tmp/libxml2-2.7.7
Run the commands bellow to compile the libxml2:
./configuremakemake install
Move to the PHP source folder:
cd /tmp/php-5.3.8
Run the commands bellow to compile the PHP environment:
./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftpmakemake install
Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.htmlTo:
DirectoryIndex index.php index.html index.htm
Replace the value of the string, from:
LimitRequestBody 10000To:
LimitRequestBody 600000
Copy the PHP.ini file
cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
Edit using VI, the file /etc/php.ini
Replace the value of the string, from:
mysql.default_host =To:
mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
pdo_mysql.default_socket=To:
pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
allow_url_fopen = OnTo:
allow_url_fopen = OffReplace the value of the string, from:
expose_php = OnTo:
expose_php = OffReplace the value of the string, from:
memory_limit = 128MTo:
memory_limit = 64MReplace the value of the string, from:
;open_basedir =To:
open_basedir = "/www"Replace the value of the string, from:
post_max_size = 8MTo:
post_max_size = 2MReplace the value of the string, from:
disable_functions =To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
;include_path = ".:/php/includes"To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
display_errors = OnTo:
display_errors = OffReplace the value of the string, from:
display_startup_errors = OnTo:
display_startup_errors = Off

Replace the value of the string, from:
;gd.jpeg_ignore_warning = 0To:
gd.jpeg_ignore_warning = 1
Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
Remove the PHP source and test files:
rm -f /tmp/php-5.3.8.tar.gz rm -f /tmp/libxml2-2.7.7.tar.gz rm -rf /tmp/php-5.3.8 rm -rf /tmp/libxml2-2.7.7 rm -rf /tmp/pear rm -rf /usr/local/apache2/lib/php/test rm -rf /usr/local/lib/php/test

Drupal installation phase

Login to the server using Root account.
Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE Z5J6Dw1; GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2"; FLUSH PRIVILEGES; quitNote 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
Download Drupal 7.7 from:
http://drupal.org/project/drupal
Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
Move to /www
cd /www
Extract the file bellow:
tar -zxvf drupal-7.7.tar.gz
Remove Drupal source file:
rm -f /www/drupal-7.7.tar.gz
Rename the Drupal folder:
mv /www/drupal-7.7 /www/drupal
Remove default content:
rm -f /www/drupal/CHANGELOG.txt rm -f /www/drupal/COPYRIGHT.txt rm -f /www/drupal/INSTALL.pgsql.txt rm -f /www/drupal/LICENSE.txt rm -f /www/drupal/UPGRADE.txt rm -f /www/drupal/INSTALL.mysql.txt rm -f /www/drupal/INSTALL.sqlite.txt rm -f /www/drupal/INSTALL.txt rm -f /www/drupal/MAINTAINERS.txt rm -f /www/drupal/sites/example.sites.php
Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Replace the line from:
DocumentRoot "/www"To:
DocumentRoot "/www/drupal"
Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
Create the following folders:
mkdir /www/drupal/sites/default/filesmkdir /www/private
Copy the settings.php file:
cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
Change permissions on the settings.php file:
chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private
Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/install.php
Select “Standard” installation and click “Save and continue”.
Choose the default “English” and click “Save and continue”.
Specify the following details:
- Database type: MySQL
- Database name: Z5J6Dw1
- Database username: blgusr
- Database password: password2
- Click on Advanced Options
- Database host: 127.0.0.1
- Table prefix: Z5J6Dw1_
Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Click “Save and Continue”.
Specify the following information:
- Site name
- Site e-mail address (for automated e-mails, such as registration information)
- Username (for the default administrator account)
- E-mail address
- Password
Select “Default country” and “Default time zone”.
Unselect the “Update Notifications” checkboxes.
Click “Save and Continue”.
Close the web browser.
Create using VI the file /www/config.php with the following content:
<?php $databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), ); ?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
Edit using VI, the file /www/drupal/sites/default/settings.php
Add the following line:
include('/www/config.php');Remove the following section:
$databases = array ( 'default' => array ( 'default' => array ( 'driver' => 'mysql', 'database' => 'Z5J6Dw1', 'username' => 'blgusr', 'password' => 'password2', 'host' => '127.0.0.1', 'port' => '', 'prefix' => 'Z5J6Dw1_', ), ), );Replace the string from:
ini_set('session.cookie_lifetime', 2000000);To:
ini_set('session.cookie_lifetime', 0);
Change permissions on the settings.php file:
chmod a-w /www/drupal/sites/default/settings.php
Add the following lines to the /www/drupal/.htaccess file:
# Block any file that starts with "." <FilesMatch "^\..*$"> Order allow,deny </FilesMatch> <FilesMatch "^.*\..*$"> Order allow,deny </FilesMatch> # Allow "." files with safe content types <FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$"> Order deny,allow </FilesMatch>
Run the command bellow to change permissions on the /www/drupal/.htaccess file:
chmod 444 /www/drupal/.htaccess
Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
- Drupal Firewall – http://drupal.org/project/dfw
- SpamSpan filter – http://drupal.org/project/spamspan
- Content Security Policy – http://drupal.org/project/content_security_policy
- GoAway – http://drupal.org/project/goaway
- IP anonymize – http://drupal.org/project/ip_anon
- Flood control – http://drupal.org/project/flood_control
- Password policy – http://drupal.org/project/password_policy
- Persistent Login – http://drupal.org/project/persistent_login
- Secure Permissions – http://drupal.org/project/secure_permissions
- Security Review – http://drupal.org/project/security_review
- System Permissions – http://drupal.org/project/system_perm
- Block anonymous links – http://drupal.org/project/blockanonymouslinks
From SSH session, move to the folder /www/drupal/sites/all/modules.
Extract the downloaded above modules:
tar zxvf dfw-7.x-1.1.tar.gztar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gztar zxvf security_review-7.x-1.x-dev.tar.gztar zxvf system_perm-7.x-1.x-dev.tar.gztar zxvf blockanonymouslinks-7.x-1.1.tar.gz
Remove the modules source files:
rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gzrm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz
Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/?q=user/login
From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
From the upper menu, click on Modules -> from the main page, select the following modules:
- Drupal firewall
- SpamSpan
- Content Security Policy
- Content Security Policy Reporting
- GoAway
- IP anonymize
- Flood control
- Password change tab
- Password policy
- Persistent Login
- Secure Permissions
- Security Review
- System Perms
- BlockAnonymousLinks
Click on Save configuration.

Drupal SSL configuration phase

Add the following line to the /www/drupal/sites/default/settings.php file:
$conf['https'] = TRUE;
Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
- Secure Pages – http://drupal.org/project/securepages
- Secure Login – http://drupal.org/project/securelogin
From SSH session, move to the folder /www/drupal/sites/all/modules.
Extract the downloaded above modules:
tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz
Remove the modules source files:
rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
Open a web browser from a client machine, and enter the URL bellow:
https://Server_FQDN/?q=user/login
From the upper menu, click on Modules -> from the main page, select the following modules:
- Secure Login
- Secure Pages
Click on Save configuration.
From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

Print

PDF

Posted in Apache, CentOS, Drupal, MySQL, PHP, SSL |

4 Comments »

Kickstart installation guide for CentOS 5.5

October 29th, 2010 |

Author: eyalestrin

This guide explain how to install and configure kickstart server for network based deployments of CentOS, from an NFS share.
The instructions should work the same on RedHat and Fedora.

Pre-requirement

CentOS 5.5 DVD
Static IP address for the Kickstart/DHCP server
/data partition
In case using CISCO switches, “Spanning tree port fast” must be enabled.

Installation phase

Login to the CentOS server using Root account.
Mount the CentOS DVD:
mount /dev/cdrom /media
Move to the CentOS RPM folder inside the DVD:
cd /media/CentOS
Run the command bellow to install the TFTP-Server:
rpm -ivh xinetd-2.3.14-10.el5.i386.rpm rpm -ivh tftp-server-0.49-2.el5.centos.i386.rpm
Run the command bellow to install the DHCP server:
rpm -ivh dhcp-3.0.5-23.el5.i386.rpm
Create new folder for the Kickstart server:
mkdir -p /data/kickstart
Edit using VI, the file /etc/xinetd.d/tftp and change the following settings:
From:
disable = yesTo:
disable = noFrom:
server_args = -s /tftpbootTo:
server_args = -s /data/kickstart
Run the command bellow to start the TFTP server:
/sbin/service xinetd start
Run the command bellow to start the TFTP server run at startup:
chkconfig xinetd on
Edit using VI, the file /etc/dhcpd.conf and add the following lines:
ddns-update-style none; allow bootp; allow booting; subnet 10.1.1.0 netmask 255.255.255.0 { option routers 10.1.1.254; option domain-name-servers 10.1.1.2; next-server 10.1.1.1; filename "pxelinux.0"; range dynamic-bootp 10.1.1.200 10.1.1.210; }Note 1: Replace 10.1.1.0 with the correct network ID.
Note 2: Replace 255.255.255.0 with the correct subnet mask.
Note 3: Replace 10.1.1.254 with the correct default gateway.
Note 4: Replace 10.1.1.1 with the Kickstart server IP address.
Note 5: Replace 10.1.1.200 with the first IP of the DHCP pool.
Note 6: Replace 10.1.1.210 with the last IP of the DHCP pool.
Note 7: Replace 10.1.1.2 with the correct DNS server.
Start the DHCP server
service dhcpd start
Run the command bellow to start the DHCP server run at startup:
chkconfig dhcpd on
Copy Boot Files
cp /usr/lib/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /data/kickstart
Create a folder for the PXE menu files:
mkdir -p /data/kickstart/pxelinux.cfg
Move to the CentOS DVD root folder:
cd /media
Copy vmlinuz and initrd.img from the DVD to the images directory:
cp /media/images/pxeboot/{vmlinuz,initrd.img} /data/kickstart/images
Create the CentOS DVD structure:
cp -r CentOS /data/kickstart/ cp -r isolinux /data/kickstart/ cp -r repodata /data/kickstart/ cp -r images /data/kickstart/
Create using VI, the file /data/kickstart/pxelinux.cfg/default with the following content:
default menu.c32 prompt 0 MENU TITLE PXE Menu LABEL CentOS MENU LABEL CentOS KERNEL images/vmlinuz append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg textNote: Replace 10.1.1.1 with the Kickstart server IP address.
Create an unattended installation script /data/kickstart/ks.cfg
Note: Make sure the file starts with the following lines:
install nfs --server=10.1.1.1 --dir=/data/kickstartNote 1: Replace 10.1.1.1 with the Kickstart server IP address.
Note 2: Make sure the lines beginning with “cdrom” and “url” does not exist on the file.
Note 3: To review ks.cfg file options, see the link:
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/s1-kickstart2-options.html
Edit using VI, the file /etc/exports and add the following line:
/data/kickstart *(ro,no_root_squash)
Start the NFS service:
service portmap start service nfs start chkconfig nfs on

Print

PDF

Posted in CentOS, Kickstart |

3 Comments »