Security 24/7

Archive for the ‘RedHat’ Category

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

1. Install OpenSSL.
2. Run the command bellow to generate a new key store called “server.key”
   openssl genrsa -des3 -out /tmp/server.key 1024
3. Run the commands bellow to request a new SSL certificate:
   openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

   openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

4. Run the command bellow to backup the key store file that has a password:
   cp /tmp/server.key /tmp/server.key.bak
5. Run the command bellow to generate a new key store without a password:
   openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
   cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
   openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

• server.key – Key store file
• server.crt – Server SSL public key file
• no.pwd.server.key – Key store file (without a password)
• no.pwd.server.pem – Key store file + server SSL public key file (without a password)
• server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

Print PDF

Pre-requirements:

• JDK 1.6 source file
• Resin Professional 4.0.8 source file

Installation phase

1. Login to the server using Root account.
2. Create a new account:
   groupadd resin
useradd -g resin -d /home/resin -s /bin/bash resin

3. Create folder for the web content:
   mkdir -p /www
4. Updating Ownership and Permissions on the web content folder:
   chown -R root /www
chmod -R 775 /www

5. Copy JDK 1.6 into /tmp
6. Change the permissions on the JDK 1.6:
   chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
7. Run the command bellow to install JDK 1.6:
   /tmp/jdk-6u20-linux-i586-rpm.bin
8. Remove the JDK 1.6 source files:
   rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
rm -f /usr/java/jdk1.6.0_20/src.zip
rm -rf /usr/java/jdk1.6.0_20/demo
rm -rf /usr/java/jdk1.6.0_20/sample
rm -rf /opt/sun/javadb/demo
rm -rf /opt/sun/javadb/docs

9. Before compiling the Resin environment, install the following RPM from the RHEL DVD:
   rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
rpm -ivh glibc-headers-2.5-42.i386.rpm
rpm -ivh glibc-devel-2.5-42.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-46.el5.i386.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
11. Move to /tmp
    cd /tmp
12. Extract the resin-pro-4.0.8.tar.gz file:
    tar -zxvf resin-pro-4.0.8.tar.gz
13. Move to the Resin 4.0.8 source folder:
    cd /tmp/resin-pro-4.0.8
14. Run the commands bellow to compile the Resin 4.0.8 environment:
    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
Note: The command above should be written as one line.

    make
make install

15. Edit using VI, the file /usr/local/resin/conf/resin.xml and change the string bellow:
    From:
    <resin:if test="${resin.userName == 'root'}">To:
    <resin:if test="${resin.userName == 'resin'}">

    From:
    <user-name>www-data</user-name>To:
    <user-name>resin</user-name>

    From:
    <group-name>www-data</group-name>To:
    <group-name>resin</group-name>

    From:
    <server id="" address="127.0.0.1" port="6800">To:
    <server id="" address="Server_DNS_Name" port="6800">

    From:
    <http address="*" port="8080"/>To:
    <http address="Server_DNS_Name" port="8080"/>

    From:
    <dependency-check-interval>2s</dependency-check-interval>To:
    <dependency-check-interval>600s</dependency-check-interval>

    From:
    <host id="" root-directory=".">To:
    <host id="Server_DNS_Name" root-directory="/www">

    From:
    <root-directory>.</root-directory>To:
    <root-directory>/www</root-directory>

    From:
    <resin:set var="resin_admin_external" value="false"/>To:
    <resin:set var="resin_admin_external" value="true"/>

16. Change the ownership on the folder bellow:
    chown resin:root -R /www/*
17. Manually start the Resin service:
    /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
18. Manually stop the Resin service:
    /usr/local/resin/bin/resin.sh stop
19. Copy the Resin license file into
    /usr/local/resin/licenses
20. Change the ownership and permissions on the folders bellow:
    chmod 664 -R /www/watchdog-data/
chmod 777 /www/watchdog-data/default/
chown resin:root -R /www/watchdog-data/*

21. Remove the Resin 4.0.8 source folder:
    rm -rf /tmp/resin-pro-4.0.8
22. Remove default documents:
    rm -rf /www/doc/resin-doc
23. To start Resin service at server start-up, run the commands bellow:
    chkconfig --add resin
chkconfig resin on
/etc/init.d/resin start

24. From a client machine, open an internet browser and login to the address:
    http://Server_DNS_Name:8080/resin-admin/
25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin“.
26. Rename the admin-users.xml file:
    mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.

Print PDF

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Print PDF

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount

3. Run the commands bellow to switch to the SSH account:
   su sshaccount

4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys

6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit

8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 3.0 from:
    http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-3.0.zip file:
    unzip wordpress-3.0.zip
14. Remove WordPress source file:
    rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/wordpress"

    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Site Title
    • Username – replace the default “admin“
    • Password
    • E-mail
23. Click on “Install WordPress” button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address.
27. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

28. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
29. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
30. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
31. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
33. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
38. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
39. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
42. Click on “Save changes”.
43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

45. Click “Submit”.
46. From the upper pane, click on “Log Out”.
47. Delete the file /wp-admin/install.php
48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Print PDF

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

1. Login to the server using Root account.
2. Install from the RHEL 5.4 DVD the following RPM:
   rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
3. Create a group for FTP users:
   groupadd ftp-users
4. Create folder for the FTP:
   mkdir -p /ftp
5. Change ownership and permissions on the FTP folder:
   chown root:ftp-users /ftp
chmod 777 -R /ftp
6. Example of user creation:
   useradd -g ftp-users -d /ftp user1
passwd user1

7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
   Change from:
   anonymous_enable=YESTo:
   anonymous_enable=NO

   Change from:
   xferlog_std_format=YESTo:
   xferlog_std_format=NO

   Change from:
   #tftpd_banner=Welcome to blah FTP service.To:
   tftpd_banner=Secure FTP server

   Add the lines bellow:
   local_root=/ftp
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem


8. Run the command bellow to create VSFTP SSL key:
   openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Note: The command above should written as one line.
9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
10. Run the command bellow to manually start the VSFTP service:
    /etc/init.d/vsftpd start
11. Run the command bellow to configure the VSFTP to start at server startup:
    chkconfig vsftpd on

Print PDF

1. Login to the server using Root account.
2. Create a new account:
   groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx

3. Mount RHEL 5.4 DVD, and move to the RPM folder:
   mount /dev/hdc /media
cd /media/Server

4. Before compiling the Nginx environment, install the following RPM:
   rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm

5. Download Nginx 0.7.65 from:
   http://wiki.nginx.org/NginxInstall
6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
   cd /tmp

8. Extract the nginx-0.7.65.tar.gz file:
   tar -zxvf nginx-0.7.65.tar.gz

9. Move to the Nginx source folder:
   cd /tmp/nginx-0.7.65

10. Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;

11. Run the commands bellow to compile the Nginx environment:
    ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

    make

    make install


12. Remove the Nginx source files:
    rm -rf /tmp/nginx-0.7.65
rm -f /tmp/nginx-0.7.65.tar.gz

13. Remove Default Content
    rm -rf /usr/local/nginx/html

14. Updating Ownership and Permissions on Nginx folders:
    chown -R root:root /usr/local/nginx
chmod 750 /usr/local/nginx/sbin/nginx
chmod -R 640 /usr/local/nginx/conf
chmod -R 770 /usr/local/nginx/logs

15. Create folder for the web content:
    mkdir -p /www
16. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
chmod -R 775 /www
17. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;To:
    user nginx nginx;

    From:
    #error_log logs/error.log notice;To:
    error_log logs/error.log notice;

    From:
    server_name localhost;To:
    server_name Server_FQDN;

    From:
    root html;To:
    root /www;

18. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
    server_tokens off;
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;

19. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /etc/nginx/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] exit 5
    [ -f $NGINX_CONF_FILE ] exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q exit 0
$1
;;
restartconfigtest)
$1
;;
reload)
rh_status_q exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestarttry-restart)
rh_status_q exit 0
;;
*)
echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}"
exit 2
esac


20. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
21. To start Nginx service at server start-up, run the command:
    chkconfig nginx on

22. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start

23. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Print PDF

1. Login to the server using Root account.
2. Create a new account:
   groupadd lighttpd
useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd

3. Mount RHEL 5.4 DVD, and move to the RPM folder:
   mount /dev/hdc /media
cd /media/Server

4. Before compiling the Lighttpd environment, install the following RPM:
   rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-49.x86_64.rpm
rpm -ivh glibc-devel-2.5-49.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm

5. Download Lighttpd 1.4.26 from:
   http://www.lighttpd.net/download/
6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
   cd /tmp
8. Extract the lighttpd-1.4.26.tar.gz file:
   tar -zxvf lighttpd-1.4.26.tar.gz
9. Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
   
10. Move to the Lighttpd source folder:
    cd /tmp/lighttpd-1.4.26
11. Run the commands bellow to compile the Lighttpd environment:
    ./configure --with-openssl --without-bzip2

    make

    make install


12. Create the following folders:
    mkdir -p /etc/lighttpd
mkdir -p /var/log/lighttpd
mkdir -p /var/cache/lighttpd/compress

13. Copy the lighttpd.conf file:
    cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
14. Updating Ownership and Permissions on Lighttpd folders:
    chown lighttpd:lighttpd /var/log/lighttpd
chown lighttpd:root /etc/lighttpd/lighttpd.conf
chown lighttpd:lighttpd /var/cache/lighttpd/compress
chmod o-r /etc/lighttpd/lighttpd.conf
chmod -R o-r /var/log/lighttpd

15. Create folder for the web content:
    mkdir -p /www

16. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
chmod -R 775 /www

17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
    From:
    server.document-root = "/srv/www/htdocs/"To:
    server.document-root = "/www"

    From:
    #server.bind = "127.0.0.1"To:
    server.bind = "Server_FQDN"

    From:
    # server.tag = "lighttpd"To:
    server.tag = "Secure Web Server"

    From:
    #server.username = "wwwrun"To:
    server.username = "lighttpd"

    From:
    #server.groupname = "wwwrun"To:
    server.groupname = "lighttpd"

    From:
    #dir-listing.activate = "enable"To:
    dir-listing.activate = "disable"

18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
    LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
19. To manually start Lighttpd use the command:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
20. To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
21. Remove the Lighttpd source files:
    rm -rf /tmp/lighttpd-1.4.26
rm -f /tmp/lighttpd-1.4.26.tar.gz

22. Uninstall the following RPM:
    rpm -e gcc-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5

Print PDF

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
   su sshaccount
4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit
8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
   Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
    http://wordpress.org/download
11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
    tar -zxvf wordpress-2.9.2.tar.gz
14. Remove WordPress source file:
    rm -f /www/wordpress-2.9.2.tar.gz
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"
To:
    DocumentRoot "/www/wordpress"
Replace the value of the string, from:
    LimitRequestBody 10000
To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Blog Title
    • E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
25. Run the following commands from the MySQL prompt:
    use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
    Note 1: Replace “johnd” with your own new WordPress admin.
    Note 2: Replace “password3” with complex password (at least 14 characters).
26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
    'timeout' => apply_filters( 'http_request_timeout', 5),
To:
    'timeout' => apply_filters( 'http_request_timeout', 30),
27. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

31. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
32. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
33. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
35. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602

40. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602

41. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php

42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
    wp-content/uploads

44. Click on “Save changes”.
45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

47. Click “Submit”.
48. From the upper pane, click on “Log Out”.
49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Print PDF

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Installation and configuration phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
   rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm

3. Download MySQL development RPM from:
   http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Download PHP 5.3.2 source files from:
   http://php.net/downloads.php
5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
   cd /tmp
8. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
9. Remove MySQL development RPM:
   rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
10. Extract the php-5.3.2.tar.gz file:
    tar -zxvf php-5.3.2.tar.gz
11. Move to the PHP source folder:
    cd /tmp/php-5.3.2
12. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

    make

    make install

13. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Make sure the following string exists at the end of the LoadModule section:
    LoadModule php5_module modules/libphp5.so
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.htmlTo:
    DirectoryIndex index.php index.html index.htm
14. Copy the PHP.ini file
    cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
15. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
16. Edit using VI, the file /etc/php.ini and replace the following values:
    From:
    mysql.default_host =To:
    mysql.default_host = 127.0.0.1:3306

    From:
    allow_url_fopen = OnTo:
    allow_url_fopen = Off

    From:
    expose_php = OnTo:
    expose_php = Off

    From:
    memory_limit = 128MTo:
    memory_limit = 8M

    From:
    ;open_basedir =To:
    open_basedir = "/www"

    From:
    post_max_size = 8MTo:
    post_max_size = 2M

    From:
    upload_max_filesize = 2MTo:
    upload_max_filesize = 1M

    From:
    disable_functions =To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    From:
    ;include_path = ".:/php/includes"To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    From:
    display_errors = OnTo:
    display_errors = Off

    From:
    display_startup_errors = OnTo:
    display_startup_errors = Off

17. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start

18. Remove the PHP source and test files:
    rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test

19. Uninstall the following RPM:
    rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Print PDF

1. Login to the server using Root account.
2. Create a new account:
   groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql

3. Download MySQL server and client RPM from:
   http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
5. Move to /tmp
   cd /tmp
6. Install the MySQL packages:
   rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm

7. Delete the MySQL source files:
   rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm

8. Run the commands bellow to set ownership and permissions:
   chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql

9. Run the command bellow to copy the main configuration file:
   cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
10. Run the commands bellow to remove default folder:
    rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf

11. Run the command bellow to set ownership and permissions for my.cnf file:
    chown root /etc/my.cnf
chmod 644 /etc/my.cnf

12. Edit using VI, the file /etc/my.cnf
    Add the strings bellow under the [mysqld] section
    pid-file = /var/lib/mysql/mysqld.pid
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
Add the section bellow:
    [safe_mysqld]
err-log = /var/log/mysql/mysql.err

13. Run the command bellow to restart the target server:
    reboot
14. Login to the server using Root account.
15. Run the commands bellow to set password for the MySQL root user:
    /usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 1: Specify complex password (at least 14 characters) and document it.
    Note 2: Replace “hostname” with the server FQDN (DNS name)
16. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
17. Run the following commands from the MySQL prompt:
    use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit

18. Run the command bellow to stop the MySQL service:
    /etc/init.d/mysql stop
19. Run the command bellow to start the MySQL service:
    /etc/init.d/mysql start

Print PDF