Archive for the ‘PHP’ Category
Hardening guide for Drupal 7.7
September 3rd, 2011 | 
Author: Pre-installation notes
The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
PHP installation phase
- Login to the server using Root account.
- Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm
- Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.5/ - Download PHP 5.3.8 source files from:
http://php.net/downloads.php - Download the latest libxml2 for PHP from:
http://xmlsoft.org/sources/ - Copy the MySQL development RPM using PSCP (or SCP) into /tmp
- Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp - Install the MySQL development RPM:
rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm - Remove MySQL development RPM:
rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm - Extract the php-5.3.8.tar.gz file:
tar -zxvf php-5.3.8.tar.gz - Extract the libxml2 source file:
tar -zxvf libxml2-2.7.7.tar.gz - Move the libxml2-2.7.7 folder:
cd /tmp/libxml2-2.7.7 - Run the commands bellow to compile the libxml2:
./configuremakemake install - Move to the PHP source folder:
cd /tmp/php-5.3.8 - Run the commands bellow to compile the PHP environment:
./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp - Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.htmlTo:
DirectoryIndex index.php index.html index.htm
Replace the value of the string, from:
LimitRequestBody 10000To:
LimitRequestBody 600000 - Copy the PHP.ini file
cp /tmp/php-5.3.8/php.ini-development /etc/php.ini - Change the permissions on the php.ini file:
chmod 640 /etc/php.ini - Edit using VI, the file /etc/php.ini
Replace the value of the string, from:
mysql.default_host =To:
mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
pdo_mysql.default_socket=To:
pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
allow_url_fopen = OnTo:
allow_url_fopen = OffReplace the value of the string, from:
expose_php = OnTo:
expose_php = OffReplace the value of the string, from:
memory_limit = 128MTo:
memory_limit = 64MReplace the value of the string, from:
;open_basedir =To:
open_basedir = "/www"Replace the value of the string, from:
post_max_size = 8MTo:
post_max_size = 2MReplace the value of the string, from:
disable_functions =To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
;include_path = ".:/php/includes"To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
display_errors = OnTo:
display_errors = OffReplace the value of the string, from:
display_startup_errors = OnTo:
display_startup_errors = OffReplace the value of the string, from:
;gd.jpeg_ignore_warning = 0To:
gd.jpeg_ignore_warning = 1 - Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop - Remove the PHP source and test files:
rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
Drupal installation phase
- Login to the server using Root account.
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account. - Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';Note 1: Replace “blgusr” with your own MySQL account to access the database.
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE Z5J6Dw1;
GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “Z5J6Dw1” with your own Drupal database name. - Download Drupal 7.7 from:
http://drupal.org/project/drupal - Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
- Move to /www
cd /www - Extract the file bellow:
tar -zxvf drupal-7.7.tar.gz - Remove Drupal source file:
rm -f /www/drupal-7.7.tar.gz - Rename the Drupal folder:
mv /www/drupal-7.7 /www/drupal - Remove default content:
rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Replace the line from:
DocumentRoot "/www"To:
DocumentRoot "/www/drupal" - Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop - Create the following folders:
mkdir /www/drupal/sites/default/filesmkdir /www/private - Copy the settings.php file:
cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php - Change permissions on the settings.php file:
chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private - Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/install.php - Select “Standard” installation and click “Save and continue”.
- Choose the default “English” and click “Save and continue”.
- Specify the following details:
- Database type: MySQL
- Database name: Z5J6Dw1
- Database username: blgusr
- Database password: password2
- Click on Advanced Options
- Database host: 127.0.0.1
- Table prefix: Z5J6Dw1_
Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters). - Click “Save and Continue”.
- Specify the following information:
- Site name
- Site e-mail address (for automated e-mails, such as registration information)
- Username (for the default administrator account)
- E-mail address
- Password
- Select “Default country” and “Default time zone”.
- Unselect the “Update Notifications” checkboxes.
- Click “Save and Continue”.
- Close the web browser.
- Create using VI the file /www/config.php with the following content:
<?phpNote 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
$databases = array (
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);
?>
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “Z5J6Dw1” with your own Drupal database name. - Edit using VI, the file /www/drupal/sites/default/settings.php
Add the following line:
include('/www/config.php');Remove the following section:
$databases = array (Replace the string from:
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);
ini_set('session.cookie_lifetime', 2000000);To:
ini_set('session.cookie_lifetime', 0); - Change permissions on the settings.php file:
chmod a-w /www/drupal/sites/default/settings.php - Add the following lines to the /www/drupal/.htaccess file:
# Block any file that starts with "."
<FilesMatch "^\..*$">
Order allow,deny
</FilesMatch>
<FilesMatch "^.*\..*$">
Order allow,deny
</FilesMatch>
# Allow "." files with safe content types
<FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
Order deny,allow
</FilesMatch> - Run the command bellow to change permissions on the /www/drupal/.htaccess file:
chmod 444 /www/drupal/.htaccess - Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
- Drupal Firewall – http://drupal.org/project/dfw
- SpamSpan filter – http://drupal.org/project/spamspan
- Content Security Policy – http://drupal.org/project/content_security_policy
- GoAway – http://drupal.org/project/goaway
- IP anonymize – http://drupal.org/project/ip_anon
- Flood control – http://drupal.org/project/flood_control
- Password policy – http://drupal.org/project/password_policy
- Persistent Login – http://drupal.org/project/persistent_login
- Secure Permissions – http://drupal.org/project/secure_permissions
- Security Review – http://drupal.org/project/security_review
- System Permissions – http://drupal.org/project/system_perm
- Block anonymous links – http://drupal.org/project/blockanonymouslinks
- From SSH session, move to the folder /www/drupal/sites/all/modules.
- Extract the downloaded above modules:
tar zxvf dfw-7.x-1.1.tar.gz - Remove the modules source files:
rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/?q=user/login - From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
- From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
- From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
- From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
- From the upper menu, click on Modules -> from the main page, select the following modules:
- Drupal firewall
- SpamSpan
- Content Security Policy
- Content Security Policy Reporting
- GoAway
- IP anonymize
- Flood control
- Password change tab
- Password policy
- Persistent Login
- Secure Permissions
- Security Review
- System Perms
- BlockAnonymousLinks
- Click on Save configuration.
Drupal SSL configuration phase
- Add the following line to the /www/drupal/sites/default/settings.php file:
$conf['https'] = TRUE; - Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
- Secure Pages – http://drupal.org/project/securepages
- Secure Login – http://drupal.org/project/securelogin
- From SSH session, move to the folder /www/drupal/sites/all/modules.
- Extract the downloaded above modules:
tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz - Remove the modules source files:
rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz - Open a web browser from a client machine, and enter the URL bellow:
https://Server_FQDN/?q=user/login - From the upper menu, click on Modules -> from the main page, select the following modules:
- Secure Login
- Secure Pages
- Click on Save configuration.
- From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.
Print 
PDF
Posted in 
Hardening guide for WordPress 3.0
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
- Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygenNote: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';Note 1: Replace “blgusr” with your own MySQL account to access the database.
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 3.0 from:
http://wordpress.org/download - Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
- Move to /www
cd /www - Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip - Remove WordPress source file:
rm -f /www/wordpress-3.0.zip - Create using VI the file /www/config.php with the following content:
< ?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
< ?php‘ tag or after a closing ‘?> ‘ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php - Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"To:
DocumentRoot "/www/wordpress"Replace the value of the string, from:
LimitRequestBody 10000To:
LimitRequestBody 200000 - Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php - Specify the following information:
- Site Title
- Username – replace the default “admin“
- Password
- Click on “Install WordPress” button, and close the web browser.
- Create using VI the file /www/wordpress/.htaccess with the following content:
< files wp-config.php>
Order deny,allow
deny from all
< /files>
< Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
< /Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/nullNote: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
< LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
< /LIMIT>
< IfModule mod_security.c>
SecFilterInheritance Off
< /IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/nullNote: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/ - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602 - Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602 - Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php - From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
wp-content/uploads - Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- Delete the file /wp-admin/install.php
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for WordPress 2.9.2
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount - Run the commands bellow to switch to the SSH account:
su sshaccount - Run the command bellow to generate SSH keys:
ssh-keygenNote: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys - Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit - Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 2.9.2 from:
http://wordpress.org/download - Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
- Move to /www
cd /www - Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz - Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz - Create using VI the file /www/config.php with the following content:
<?phpNote 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php - Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"To:
DocumentRoot "/www/wordpress"Replace the value of the string, from:
LimitRequestBody 10000To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php - Specify the following information:
- Blog Title
- Click on “Install WordPress” button, and close the web browser.
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use m6gf42s;Note 1: Replace “m6gf42s” with your own WordPress database name.
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters). - Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),To:
'timeout' => apply_filters( 'http_request_timeout', 30), - Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>Note 1: Replace 1.1.1.0 with the internal network IP address.
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/nullNote: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/nullNote: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Installation and configuration phase
- Login to the server using Root account.
- Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
- Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/ - Download PHP 5.3.2 source files from:
http://php.net/downloads.php - Copy the MySQL development RPM using PSCP (or SCP) into /tmp
- Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp - Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm - Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm - Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz - Move to the PHP source folder:
cd /tmp/php-5.3.2 - Run the commands bellow to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlibmake
make install
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Make sure the following string exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.htmlTo:
DirectoryIndex index.php index.html index.htm - Copy the PHP.ini file
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini - Change the permissions on the php.ini file:
chmod 640 /etc/php.ini - Edit using VI, the file /etc/php.ini and replace the following values:
From:
mysql.default_host =To:
mysql.default_host = 127.0.0.1:3306From:
allow_url_fopen = OnTo:
allow_url_fopen = OffFrom:
expose_php = OnTo:
expose_php = OffFrom:
memory_limit = 128MTo:
memory_limit = 8MFrom:
;open_basedir =To:
open_basedir = "/www"From:
post_max_size = 8MTo:
post_max_size = 2MFrom:
upload_max_filesize = 2MTo:
upload_max_filesize = 1MFrom:
disable_functions =To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidFrom:
;include_path = ".:/php/includes"To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"From:
display_errors = OnTo:
display_errors = OffFrom:
display_startup_errors = OnTo:
display_startup_errors = Off - Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
- Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
- Uninstall the following RPM:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
