Archive for the ‘RedHat’ Category

How to implement SSL on Apache 2.2.15

Pre-installation notes
The guide below is based on the previous guide: it assumes Apache 2.2.15 was compiled into /usr/local/apache2 with --enable-ssl (mod_ssl built in), as described in the hardening guide.

SSL implementation phase

  1. Log in to the server using the root account.
  2. Create a folder for the SSL certificate files, accessible to root only (a directory needs the execute bit to be entered, so 700 rather than 600):
    mkdir -p /usr/local/apache2/ssl
    chmod 700 /usr/local/apache2/ssl
  3. Run the command below to generate a 2048-bit RSA private key (1024-bit keys are no longer accepted by public CAs), then restrict server.key to root (mode 0600):
    /usr/bin/openssl genrsa -out /usr/local/apache2/ssl/server.key 2048
    Note: Adding -des3 encrypts the key under a pass phrase, but httpd then prompts for that pass phrase on every start, which breaks the unattended start from /etc/rc.local used in the hardening guide. If you do encrypt it, use a complex pass phrase and document it.
  4. Run the command below to generate the CSR from that key; enter the server FQDN as the Common Name:
    /usr/bin/openssl req -new -key /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
    Note: Use -key, not "-newkey rsa:... -nodes -keyout": the latter generates a second key and silently overwrites the server.key created in step 3.
  5. Send the file /tmp/apache.csr to a Certificate Authority (CA).
  6. As soon as you receive the signed certificate from the CA via email, copy all lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (including those two lines) into a text editor and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
  8. Follow the link in the email from the CA to download the CA chain (intermediate and root certificates), and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
  10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines (mod_ssl is compiled in statically by --enable-ssl, so no LoadModule is needed):
    Listen Server_FQDN:443
    <VirtualHost Server_FQDN:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!SSLv2
    SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
    SSLCertificateFile /usr/local/apache2/ssl/server.crt
    SSLCertificateChainFile /usr/local/apache2/ssl/ca-bundle.crt
    </VirtualHost>
    Note: Replace Server_FQDN with the server DNS name (as written on the certificate). SSLEngine on must sit inside the :443 virtual host: at the top level of httpd.conf it applies to every listener, including port 80 from the hardening guide, and plain HTTP requests then fail. SSLCertificateChainFile is the directive that sends the CA bundle to browsers; SSLCACertificateFile is the trust store used to verify client certificates, which is not what is needed here. SSLv2 and SSLv3 are both broken and are disabled at the protocol level rather than only through the cipher list. In OpenSSL cipher strings "!" removes a cipher permanently, "-" removes it only until a later keyword adds it back, and "+" reorders rather than adds, so the "!" form is used.
  11. Check the configuration, then restart the Apache service (a typo in the SSL directives otherwise takes the server down):
    /usr/local/apache2/bin/apachectl configtest
    /usr/local/apache2/bin/apachectl restart
  12. Back up the file /usr/local/apache2/ssl/server.key. The key is unencrypted, so keep the backup offline or encrypted and readable by root only.
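The procedure above as an added example, not code from the original guide: shell functions for the key and CSR steps, plus the checks a practitioner runs before restarting httpd (does the CA's certificate carry the modulus of server.key, does it chain to ca-bundle.crt, are the file modes right). Paths follow the guide's /usr/local/apache2/ssl; the FQDN, the placement of apache.csr in that directory instead of /tmp, and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example (not from the original guide): key/CSR generation for Apache 2.2
# mod_ssl and the consistency checks to run before "apachectl restart".

# Steps 2-4 as one unit. The CSR is built with -key from the key made here;
# "openssl req -newkey ... -keyout server.key" would overwrite that key instead.
make_key_and_csr() {
    local dir="$1" fqdn="$2"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=$fqdn" \
        -out "$dir/apache.csr" 2>/dev/null
}

# The CSR (kind=req) or the certificate the CA returned (kind=x509) must carry
# the modulus of server.key; a mismatch means the CA signed some other key and
# mod_ssl will refuse to start with this pair.
key_matches() {
    local key="$1" other="$2" kind="$3" km om
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    om=$(openssl "$kind" -noout -modulus -in "$other" 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$om" ]
}

# server.crt must verify against ca-bundle.crt (steps 6-9); if it does not,
# browsers will show the site as untrusted even though httpd starts.
chain_ok() {
    local bundle="$1" cert="$2"
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Private material readable by root only, and the certificate in PEM form.
check_install() {
    local dir="$1" rc=0
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "$dir is not mode 0700"; rc=1; }
    [ "$(stat -c '%a' "$dir/server.key")" = "600" ] || { echo "server.key is not mode 0600"; rc=1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/server.crt" 2>/dev/null \
        || { echo "server.crt is not a PEM certificate"; rc=1; }
    return "$rc"
}

# Usage on the server (assumed FQDN), once the CA's server.crt and ca-bundle.crt
# have been copied into the directory:
#   SSL_DIR=/usr/local/apache2/ssl
#   make_key_and_csr "$SSL_DIR" www.example.com      # then send apache.csr to the CA
#   key_matches "$SSL_DIR/server.key" "$SSL_DIR/server.crt" x509 \
#     && chain_ok "$SSL_DIR/ca-bundle.crt" "$SSL_DIR/server.crt" \
#     && check_install "$SSL_DIR" \
#     && /usr/local/apache2/bin/apachectl configtest \
#     && /usr/local/apache2/bin/apachectl restart
```

key_matches is the check to run the moment the CA's email arrives: comparing the modulus catches a certificate issued for an older or regenerated CSR before it is ever copied into the SSL directory.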

Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

  1. Log in to the server using the root account.
  2. Create a dedicated, non-login account for the httpd worker processes (step 15 puts it into httpd.conf):
    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Apache environment, install the following RPMs (build dependencies only; the compiler is removed again in step 21):
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
  6. Move to /tmp
    cd /tmp
  7. Extract the httpd-2.2.15.tar.gz file:
    tar -zxvf httpd-2.2.15.tar.gz
  8. Move to the Apache source folder:
    cd httpd-2.2.15
  9. Run the commands below to compile the Apache environment (--enable-ssl builds mod_ssl in statically, so the SSL guide needs no LoadModule line):
    ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl
    make
    make install

  10. Remove the Apache source files (only after the ap_release.h change of step 18, which has to be made in this source tree before compiling):
    rm -rf /tmp/httpd-2.2.15
    rm -f /tmp/httpd-2.2.15.tar.gz
  11. Remove Default Content
    rm -rf /usr/local/apache2/cgi-bin
    rm -rf /usr/local/apache2/htdocs
    rm -rf /usr/local/apache2/icons
    rm -rf /usr/local/apache2/man
    rm -rf /usr/local/apache2/manual
    rm -rf /usr/local/apache2/conf/extra
    rm -rf /usr/local/apache2/conf/original
  12. Update ownership and permissions on the Apache2 folders:
    chown root:root /usr/local/apache2/bin/apachectl
    chown root:root /usr/local/apache2/bin/httpd*
    chmod 770 /usr/local/apache2/bin/apachectl
    chmod 770 /usr/local/apache2/bin/httpd*
    chown -R root:root /usr/local/apache2
    chmod -R go-r /usr/local/apache2
    chown -R root:root /usr/local/apache2/logs
    chmod -R 700 /usr/local/apache2/logs
  13. Create folder for the web content:
    mkdir -p /www
  14. Update ownership and permissions on the web content folder (the apache account reads it through the world r-x bits and must have no write access to it):
    chown -R root /www
    chmod -R 775 /www
  15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
    From:
    DocumentRoot "/usr/local/apache2/htdocs"
    To:
    DocumentRoot "/www"

    From:
    Listen 80
    To:
    Listen Server_FQDN:80

    From:
    User daemon
    Group daemon
    To:
    User apache
    Group apache
    Note: Without this change the worker processes keep running as the build default "daemon", and the account created in step 2 is never used.

    From:
    ServerAdmin you@example.com
    To:
    ServerAdmin webmaster@mycompany.com

    From:
    #ServerName www.example.com:80
    To:
    ServerName Server_FQDN

    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
    To:
    # ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    </Directory>

    From:
    <Directory "/usr/local/apache2/htdocs">
    To:
    <Directory "/www">
    <LimitExcept GET POST>
    Deny from all
    </LimitExcept>
    Note: The rest of the original block (AllowOverride None, Order allow,deny, Allow from all, closing </Directory>) stays as it is. Under Order allow,deny a matching Deny wins, so every method other than GET, POST and HEAD (HEAD is covered by GET in Limit sections) is refused on the content tree.

    From:
    Options Indexes FollowSymLinks
    To:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  16. Add the following lines to the end of the httpd.conf file. Tune LimitRequestBody to the largest request body the application legitimately sends; 10000 bytes rejects any POST or upload above roughly 10 KB. ServerTokens Prod reduces the Server header to the bare product name and ServerSignature Off removes the footer from server-generated pages:
    ServerSignature Off
    ServerTokens Prod
    Timeout 60
    # Maximum size of the request body (bytes).
    LimitRequestBody 10000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of a request header line (bytes).
    LimitRequestFieldSize 4094
    # Maximum size of the request line (method, URL and protocol, in bytes).
    LimitRequestLine 500
  17. Remove the section below (the whole block up to and including its closing </Directory>) from the file httpd.conf; the cgi-bin directory itself was deleted in step 11:
    <Directory "/usr/local/apache2/cgi-bin">
  18. Change the product banner that is compiled into httpd. This edit must be made in the source tree, in /tmp/httpd-2.2.15/include/ap_release.h, before running ./configure and make in step 9: the copy installed under /usr/local/apache2/include/ap_release.h is only used when building modules later, and editing it after the build changes nothing in the running binary. Edit the file using VI and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
    Note: With ServerTokens Prod (step 16) the Server header then reads "Secure Web Server" instead of "Apache". This hides the product name from casual scanners only; fingerprinting on response behaviour still works, so it complements the other steps rather than replacing them.

  19. Start Apache from the command line:
    /usr/local/apache2/bin/apachectl start
  20. To start the Apache service at server start-up, edit using VI the file /etc/rc.local and add the line below:
    /usr/local/apache2/bin/apachectl start
  21. Uninstall the build tools installed in step 4, so that no compiler remains on the server:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5
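An added example, not part of the original guide, that audits an httpd.conf against the settings steps 15 and 16 put in place (address-bound Listen, ServerName, a non-root User, no Indexes/Includes, no ScriptAlias, a method limit, a closed filesystem root, ServerTokens Prod and request-size limits). The directive names are Apache 2.2's; the rule list, the FINDING output format and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original guide): check an httpd.conf for the
# hardening settings above. Prints one FINDING line per weak or missing
# setting and returns the number of findings (0 = everything in place).

# Drop comments, blank lines and indentation so only live directives remain.
conf_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

CONF_LINES=""
FINDINGS=0
finding() { echo "FINDING: $1"; FINDINGS=$((FINDINGS + 1)); }
# Case-insensitive ERE match against the live directives of the file under audit.
has() { printf '%s\n' "$CONF_LINES" | grep -Eqi -- "$1"; }

audit_httpd_conf() {
    CONF_LINES=$(conf_lines "$1")
    FINDINGS=0

    # Step 15: bind to the server's own address and set ServerName explicitly.
    has '^Listen[[:space:]]+[0-9]+$' && finding "Listen binds a bare port on every interface"
    has '^ServerName[[:space:]]' || finding "ServerName is not set"

    # Step 2 creates a dedicated account; the workers must not run as root.
    has '^User[[:space:]]' || finding "no User directive (workers run as the build default)"
    has '^User[[:space:]]+root$' && finding "User root: worker processes run as root"

    # Step 15: no directory listings, server-side includes or Options All; no CGI
    # mapping; methods other than GET/POST refused. "-Indexes" does not match
    # because the option must follow a space (optionally with a leading "+").
    has '^Options([[:space:]]|.*[[:space:]])\+?(Indexes|Includes|All)([[:space:]]|$)' \
        && finding "Options enables Indexes, Includes or All"
    has '^ScriptAlias[[:space:]]' && finding "ScriptAlias still maps a CGI directory"
    has '^<LimitExcept[[:space:]]' || finding "no <LimitExcept> restricting HTTP methods"

    # Step 15: the filesystem root must stay closed (multi-line block, so awk).
    printf '%s\n' "$CONF_LINES" | awk '
        tolower($0) ~ /^<directory \/>/          { inroot = 1 }
        inroot && tolower($0) ~ /^deny from all/ { ok = 1 }
        tolower($0) ~ /^<\/directory>/           { inroot = 0 }
        END { exit (ok ? 0 : 1) }' || finding "<Directory /> does not deny all access"

    # Step 16: banner and request-size limits. ServerSignature defaults to Off,
    # so only an explicit On/EMail is a finding; ServerTokens defaults to Full.
    has '^ServerTokens[[:space:]]+Prod$' || finding "ServerTokens is not Prod"
    has '^ServerSignature[[:space:]]+(On|EMail)$' && finding "ServerSignature adds a footer to error pages"
    has '^LimitRequestBody[[:space:]]+[0-9]+$' || finding "LimitRequestBody is not set"
    has '^LimitRequestLine[[:space:]]+[0-9]+$' || finding "LimitRequestLine is not set"

    return "$FINDINGS"
}

# Usage: audit_httpd_conf /usr/local/apache2/conf/httpd.conf; echo "findings: $?"
```

Run it against the stock httpd.conf that make install writes and against the edited one: the stock file trips the Listen, ServerName, Options Indexes, ScriptAlias, LimitExcept, ServerTokens and both LimitRequest checks, while a file edited as in steps 15 and 16 returns 0.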
