• Visitor Count
    RSS Security Google Group
    RSS Security Patch Management

    Archive for the ‘SSL’ Category

    « Older Entries

    Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

    PostDateIcon February 9th, 2013 | PostAuthorIcon Author: roycoren

    thought that SSL + TLS are the magic words??
    think again!

    http://www.isg.rhul.ac.uk/tls/

    Roy Coren
    Security Specialist
    Roy Coren AT gmail

    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in SSL | PostCommentsIcon No Comments »

    Hardening guide for Drupal 7.7

    PostDateIcon September 3rd, 2011 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

    The guide bellow is based on the previous guides:

    PHP installation phase

    1. Login to the server using Root account.
    2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
      rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
      rpm -ivh glibc-headers-2.5-49.i386.rpm
      rpm -ivh glibc-devel-2.5-49.i386.rpm
      rpm -ivh gmp-4.1.4-10.el5.i386.rpm
      rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
      rpm -ivh gcc-4.1.2-48.el5.i386.rpm
      rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh zlib-devel-1.2.3-3.i386.rpm
      rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
      rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
      rpm -ivh libjpeg-devel-6b-37.i386.rpm
    3. Download MySQL development RPM from:
      http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
    4. Download PHP 5.3.8 source files from:
      http://php.net/downloads.php
    5. Download the latest libxml2 for PHP from:
      http://xmlsoft.org/sources/
    6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
    7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
    8. Move to /tmp
      cd /tmp
    9. Install the MySQL development RPM:
      rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
    10. Remove MySQL development RPM:
      rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
    11. Extract the php-5.3.8.tar.gz file:
      tar -zxvf php-5.3.8.tar.gz
    12. Extract the libxml2 source file:
      tar -zxvf libxml2-2.7.7.tar.gz
    13. Move the libxml2-2.7.7 folder:
      cd /tmp/libxml2-2.7.7
    14. Run the commands bellow to compile the libxml2:
      ./configuremakemake install
    15. Move to the PHP source folder:
      cd /tmp/php-5.3.8
    16. Run the commands bellow to compile the PHP environment:
      ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftpmakemake install
    17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Add the following string, to the end of the AddType section:
      AddType application/x-httpd-php .php
      Replace the line from:
      DirectoryIndex index.htmlTo:
      DirectoryIndex index.php index.html index.htm
      Replace the value of the string, from:
      LimitRequestBody 10000To:
      LimitRequestBody 600000
    18. Copy the PHP.ini file
      cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
    19. Change the permissions on the php.ini file:
      chmod 640 /etc/php.ini
    20. Edit using VI, the file /etc/php.ini
      Replace the value of the string, from:
      mysql.default_host =To:
      mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
      pdo_mysql.default_socket=To:
      pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
      allow_url_fopen = OnTo:
      allow_url_fopen = OffReplace the value of the string, from:
      expose_php = OnTo:
      expose_php = OffReplace the value of the string, from:
      memory_limit = 128MTo:
      memory_limit = 64MReplace the value of the string, from:
      ;open_basedir =To:
      open_basedir = "/www"Replace the value of the string, from:
      post_max_size = 8MTo:
      post_max_size = 2MReplace the value of the string, from:
      disable_functions =To:
      disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
      ;include_path = ".:/php/includes"To:
      include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
      display_errors = OnTo:
      display_errors = OffReplace the value of the string, from:
      display_startup_errors = OnTo:
      display_startup_errors = Off

      Replace the value of the string, from:
      ;gd.jpeg_ignore_warning = 0To:
      gd.jpeg_ignore_warning = 1

    21. Run the commands bellow to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
    22. Remove the PHP source and test files:
      rm -f /tmp/php-5.3.8.tar.gz
      rm -f /tmp/libxml2-2.7.7.tar.gz
      rm -rf /tmp/php-5.3.8
      rm -rf /tmp/libxml2-2.7.7
      rm -rf /tmp/pear
      rm -rf /usr/local/apache2/lib/php/test
      rm -rf /usr/local/lib/php/test

    Drupal installation phase

    1. Login to the server using Root account.
    2. Run the command bellow to login to the MySQL:
      /usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
    3. Run the following commands from the MySQL prompt:
      CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
      SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
      CREATE DATABASE Z5J6Dw1;
      GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
      FLUSH PRIVILEGES;
      quit      Note 1: Replace “blgusr” with your own MySQL account to access the database.
      Note 2: Replace “password2” with complex password (at least 14 characters).
      Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
    4. Download Drupal 7.7 from:
      http://drupal.org/project/drupal
    5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
    6. Move to /www
      cd /www
    7. Extract the file bellow:
      tar -zxvf drupal-7.7.tar.gz
    8. Remove Drupal source file:
      rm -f /www/drupal-7.7.tar.gz
    9. Rename the Drupal folder:
      mv /www/drupal-7.7 /www/drupal
    10. Remove default content:
      rm -f /www/drupal/CHANGELOG.txt
      rm -f /www/drupal/COPYRIGHT.txt
      rm -f /www/drupal/INSTALL.pgsql.txt
      rm -f /www/drupal/LICENSE.txt
      rm -f /www/drupal/UPGRADE.txt
      rm -f /www/drupal/INSTALL.mysql.txt
      rm -f /www/drupal/INSTALL.sqlite.txt
      rm -f /www/drupal/INSTALL.txt
      rm -f /www/drupal/MAINTAINERS.txt
      rm -f /www/drupal/sites/example.sites.php
    11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Replace the line from:
      DocumentRoot "/www"To:
      DocumentRoot "/www/drupal"
    12. Run the commands bellow to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
    13. Create the following folders:
      mkdir /www/drupal/sites/default/filesmkdir /www/private
    14. Copy the settings.php file:
      cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
    15. Change permissions on the settings.php file:
      chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private
    16. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/install.php
    17. Select “Standard” installation and click “Save and continue”.
    18. Choose the default “English” and click “Save and continue”.
    19. Specify the following details:
      • Database type: MySQL
      • Database name: Z5J6Dw1
      • Database username: blgusr
      • Database password: password2
      • Click on Advanced Options
      • Database host: 127.0.0.1
      • Table prefix: Z5J6Dw1_

      Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).

    20. Click “Save and Continue”.
    21. Specify the following information:
      • Site name
      • Site e-mail address (for automated e-mails, such as registration information)
      • Username (for the default administrator account)
      • E-mail address
      • Password
    22. Select “Default country” and “Default time zone”.
    23. Unselect the “Update Notifications” checkboxes.
    24. Click “Save and Continue”.
    25. Close the web browser.
    26. Create using VI the file /www/config.php with the following content:
      <?php
      $databases = array (
      'default' =>
      array (
      'default' =>
      array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
      ),
      ),
      );
      ?>      Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).
      Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
    27. Edit using VI, the file /www/drupal/sites/default/settings.php
      Add the following line:
      include('/www/config.php');Remove the following section:
      $databases = array (
      'default' =>
      array (
      'default' =>
      array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
      ),
      ),
      );      Replace the string from:
      ini_set('session.cookie_lifetime', 2000000);To:
      ini_set('session.cookie_lifetime', 0);
    28. Change permissions on the settings.php file:
      chmod a-w /www/drupal/sites/default/settings.php
    29. Add the following lines to the /www/drupal/.htaccess file:
      # Block any file that starts with "."
      <FilesMatch "^\..*$">
      Order allow,deny
      </FilesMatch>
      <FilesMatch "^.*\..*$">
      Order allow,deny
      </FilesMatch>
      # Allow "." files with safe content types
      <FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
      Order deny,allow
      </FilesMatch>
    30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
      chmod 444 /www/drupal/.htaccess
    31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    32. From SSH session, move to the folder /www/drupal/sites/all/modules.
    33. Extract the downloaded above modules:
      tar zxvf dfw-7.x-1.1.tar.gztar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gztar zxvf security_review-7.x-1.x-dev.tar.gztar zxvf system_perm-7.x-1.x-dev.tar.gztar zxvf blockanonymouslinks-7.x-1.1.tar.gz
    34. Remove the modules source files:
      rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gzrm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

      rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

    35. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/?q=user/login
    36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
    37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
    38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
    39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
    40. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Drupal firewall
      • SpamSpan
      • Content Security Policy
      • Content Security Policy Reporting
      • GoAway
      • IP anonymize
      • Flood control
      • Password change tab
      • Password policy
      • Persistent Login
      • Secure Permissions
      • Security Review
      • System Perms
      • BlockAnonymousLinks
    41. Click on Save configuration.

    Drupal SSL configuration phase

    1. Add the following line to the /www/drupal/sites/default/settings.php file:
      $conf['https'] = TRUE;
    2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    3. From SSH session, move to the folder /www/drupal/sites/all/modules.
    4. Extract the downloaded above modules:
      tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz
    5. Remove the modules source files:
      rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
    6. Open a web browser from a client machine, and enter the URL bellow:
      https://Server_FQDN/?q=user/login
    7. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Secure Login
      • Secure Pages
    8. Click on Save configuration.
    9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, CentOS, Drupal, MySQL, PHP, SSL | PostCommentsIcon 4 Comments »

    Generating self-signed SSL certificate using OpenSSL

    PostDateIcon August 13th, 2010 | PostAuthorIcon Author: eyalestrin

    OpenSSL allows you to request, sign, generate, export and convert digital certificates.
    OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
    The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
    The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

    Download link for Windows binaries:
    http://www.slproweb.com/products/Win32OpenSSL.html
    Download link for Linux source files (pre-compiled):
    http://www.openssl.org/source/

    1. Install OpenSSL.
    2. Run the command bellow to generate a new key store called “server.key
      openssl genrsa -des3 -out /tmp/server.key 1024
    3. Run the commands bellow to request a new SSL certificate:
      openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

      openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

    4. Run the command bellow to backup the key store file that has a password:
      cp /tmp/server.key /tmp/server.key.bak
    5. Run the command bellow to generate a new key store without a password:
      openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
    6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
      cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
    7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
      openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

    Appendix:

    • server.key – Key store file
    • server.crt – Server SSL public key file
    • no.pwd.server.key – Key store file (without a password)
    • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
    • server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, IIS 7.5, Lighttpd, Nginx, RedHat, Resin, Solaris, SSL | PostCommentsIcon 6 Comments »

    How to implement SSL on Resin 4.0.8

    PostDateIcon August 10th, 2010 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

    1. Login to the server using Root account.
    2. Change permissions on the keys folder:
      chmod 640 /usr/local/resin/keys
    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csrNote: The command above should be written as one line.
    5. Send the file /tmp/resin.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
    7. Copy the file “server.crt” using SCP into /usr/local/resin/keys/
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
    10. Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section bellow from:
      <!-- SSL port configuration: -->
      <http address="*" port="8443">
      <jsse-ssl self-signed-certificate-name="resin@localhost"/>
      </http>
      To:
      <http address="Server_DNS_Name" port="443">
      <openssl>
      <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
      <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
      <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
      <password>my-password</password>
      </openssl>
      </http>
      Note: Replace “my-password” with the password for the “server.key” file.
    11. Restart the Resin services:
      /etc/init.d/resin restart
    12. Backup the file
      /usr/local/resin/keys/server.key
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Certificate Authority, Resin, SSL | PostCommentsIcon No Comments »

    Hardening guide for WordPress 3.0 for hosted web sites

    PostDateIcon August 9th, 2010 | PostAuthorIcon Author: eyalestrin

    Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

    1. Request from your hosting provider access through SSH.
    2. Login to the hosted server using SSH.
    3. Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
      • DB_NAME
      • DB_USER
      • DB_PASSWORD
    4. Create using VI the file ~/config.php with the following content:
      <?php
      define('DB_NAME', 'm6gf42s');
      define('DB_USER', 'blgusr');
      define('DB_PASSWORD', 'password2');
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');
      ?>      Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
      Note 2: Replace “blgusr” with the MySQL account to access the database.
      Note 3: Replace “password2” with the MySQL account password.
      Note 4: Replace “m6gf42s” with the WordPress database name.
      Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
      http://api.wordpress.org/secret-key/1.1/
    5. Edit using VI, the file ~/html/wp-config.php
      Add the following line:
      include('/path/config.php');Note: Replace /path/ with the full path to the config.php file.

      Remove the following sections:
      define('DB_NAME', 'putyourdbnamehere');
      define('DB_USER', 'usernamehere');
      define('DB_PASSWORD', 'yourpasswordhere');
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');

    6. Remove default content:
      rm -f ~/html/license.txt
      rm -f ~/html/readme.html
      rm -f ~/html/wp-config-sample.php
      rm -f ~/html/wp-content/plugins/hello.php
    7. Create using VI the file ~/html/.htaccess with the following content:
      <files wp-config.php>
      Order deny,allow
      deny from all
      </files>
      <Files wp-login.php>
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      </Files>
    8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
    9. Create the following folders:
      mkdir -p ~/html/wp-content/cache
      mkdir -p ~/html/wp-content/uploads
      mkdir -p ~/html/wp-content/upgrade
    10. Change the file permissions:
      chmod -R 777 ~/html/wp-content/cache
      chmod -R 777 ~/html/wp-content/uploads
      chmod -R 777 ~/html/wp-content/upgrade
    11. Download “Login Lockdown” plugin from:
      http://www.bad-neighborhood.com/login-lockdown.html
    12. Download “Limit Login” plugin from:
      http://wordpress.org/extend/plugins/limit-login-attempts/
    13. Download “WP-Secure Remove WordPress Version” plugin from:
      http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
    14. Download “WP Security Scan” plugin from:
      http://wordpress.org/extend/plugins/wp-security-scan/
    15. Download “KB Robots.txt” plugin from:
      http://wordpress.org/extend/plugins/kb-robotstxt/
    16. Download “WordPress Firewall” plugin from:
      http://www.seoegghead.com/software/wordpress-firewall.seo
    17. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
    18. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/wp-login.php
    19. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
    20. Click on “Save changes”.
    21. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
      Note: Install and activate all the above downloaded plugins.
    22. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
      Disallow: /wp-*
      Disallow: /wp-admin
      Disallow: /wp-includes
      Disallow: /wp-content/plugins
      Disallow: /wp-content/cache
      Disallow: /wp-content/themes
      Disallow: /wp-login.php
      Disallow: /wp-register.php
    23. Click “Submit”.
    24. From the upper pane, click on “Log Out”.
    25. Delete the file /wp-admin/install.php
    26. In-case the server was configured with SSL certificate, add the following line to the config.php file:
      define('FORCE_SSL_LOGIN', true);
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in MySQL, SSL, WordPress | PostCommentsIcon 2 Comments »

    Hardening guide for WordPress 3.0

    PostDateIcon August 9th, 2010 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on the previous guides:

    Installation and configuration phase

    1. Login to the server using Root account.
    2. Create a new account for uploading files using SSH:
      groupadd sshaccount
      useradd -g sshaccount -d /home/sshaccount -m sshaccount
    3. Run the commands bellow to switch to the SSH account:
      su sshaccount
    4. Run the command bellow to generate SSH keys:
      ssh-keygen
      Note: Leave deafult values for the ssh-keygen.
    5. Copy the SSH keys:
      cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
    6. Change permissions for the SSH keys:
      chmod 755 /home/sshaccount/.ssh
      chmod 644 /home/sshaccount/.ssh/*
    7. Exit the SSH account shell and return to the Root account:
      exit
    8. Run the command bellow to login to the MySQL:
      /usr/bin/mysql -uroot -pnew-password
      Note: Replace the string “new-password” with the actual password for the root account.
    9. Run the following commands from the MySQL prompt:
      CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
      SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
      CREATE DATABASE m6gf42s;
      GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
      FLUSH PRIVILEGES;
      quit
      Note 1: Replace “blgusr” with your own MySQL account to access the database.
      Note 2: Replace “password2” with complex password (at least 14 characters).
      Note 3: Replace “m6gf42s” with your own WordPress database name.
    10. Download WordPress 3.0 from:
      http://wordpress.org/download
    11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
    12. Move to /www
      cd /www
    13. Extract the wordpress-3.0.zip file:
      unzip wordpress-3.0.zip
    14. Remove WordPress source file:
      rm -f /www/wordpress-3.0.zip
    15. Create using VI the file /www/config.php with the following content:
      <?php
      define('DB_NAME', 'm6gf42s');
      define('DB_USER', 'blgusr');
      define('DB_PASSWORD', 'password2');
      define('DB_HOST', '127.0.0.1');
      $table_prefix = 'm6gf42s_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');
      define('FS_METHOD', 'direct');
      define('FS_CHMOD_DIR', 0777);
      define('FS_CHMOD_FILE', 0777);
      define('FTP_BASE', '/www/wordpress/');
      define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
      define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
      define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
      define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
      define('FTP_USER', 'sshaccount');
      define('FTP_HOST', '127.0.0.1:22');
      ?>
      Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).
      Note 4: Replace “m6gf42s” with your own WordPress database name.
      Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
      http://api.wordpress.org/secret-key/1.1/
    16. Copy the wp-config.php file:
      cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
    17. Edit using VI, the file /www/wordpress/wp-config.php
      Add the following line:
      include('/www/config.php');

      Remove the following sections:
      define('DB_NAME', 'putyourdbnamehere');
      define('DB_USER', 'usernamehere');
      define('DB_PASSWORD', 'yourpasswordhere');
      define('DB_HOST', 'localhost');
      $table_prefix = 'wp_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('AUTH_SALT', 'put your unique phrase here');
      define('SECURE_AUTH_SALT', 'put your unique phrase here');
      define('LOGGED_IN_SALT', 'put your unique phrase here');
      define('NONCE_SALT', 'put your unique phrase here');

    18. Remove default content:
      rm -f /www/wordpress/license.txt
      rm -f /www/wordpress/readme.html
      rm -f /www/wordpress/wp-config-sample.php
      rm -f /www/wordpress/wp-content/plugins/hello.php
    19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
      Replace the value of the string, from:
      DocumentRoot "/www"To:
      DocumentRoot "/www/wordpress"

      Replace the value of the string, from:
      LimitRequestBody 10000To:
      LimitRequestBody 200000

    20. Restart the Apache service.
    21. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/wp-admin/install.php
    22. Specify the following information:
      • Site Title
      • Username – replace the default “admin
      • Password
      • E-mail
    23. Click on “Install WordPress” button, and close the web browser.
    24. Create using VI the file /www/wordpress/.htaccess with the following content:
      <files wp-config.php>
      Order deny,allow
      deny from all
      </files>
      <Files wp-login.php>
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from All
      Allow from 1.1.1.0
      </Files>
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
      RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]      Note 1: Replace 1.1.1.0 with the internal network IP address.
      Note 2: Replace Server_FQDN with the server FQDN (DNS name).
    25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName “Access Control”
      AuthType Basic
      <LIMIT GET POST>
      order deny,allow
      deny from all
      Allow from 1.1.1.0
      </LIMIT>
      <IfModule mod_security.c>
      SecFilterInheritance Off
      </IfModule>       Note: Replace 1.1.1.0 with the internal network IP address.
    26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from All
      Allow from 1.1.1.0       Note: Replace 1.1.1.0 with the internal network IP address.
    27. Create the following folders:
      mkdir -p /www/wordpress/wp-content/cache
      mkdir -p /www/wordpress/wp-content/uploads
      mkdir -p /www/wordpress/wp-content/upgrade
    28. Change the file permissions:
      chown -R root:root /www/wordpress
      chown daemon:root /www/wordpress/wp-content/plugins
      chmod 644 /www/config.php
      chmod 644 /www/wordpress/wp-config.php
      chmod 644 /www/wordpress/.htaccess
      chmod 644 /www/wordpress/wp-admin/.htaccess
      chmod 644 /www/wordpress/wp-content/plugins/.htaccess
      chmod -R 777 /www/wordpress/wp-content/cache
      chmod -R 777 /www/wordpress/wp-content/uploads
      chmod -R 777 /www/wordpress/wp-content/upgrade
    29. Download “Login Lockdown” plugin from:
      http://www.bad-neighborhood.com/login-lockdown.html
    30. Download “Limit Login” plugin from:
      http://wordpress.org/extend/plugins/limit-login-attempts/
    31. Download “WP-Secure Remove WordPress Version” plugin from:
      http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
    32. Download “WP Security Scan” plugin from:
      http://wordpress.org/extend/plugins/wp-security-scan/
    33. Download “KB Robots.txt” plugin from:
      http://wordpress.org/extend/plugins/kb-robotstxt/
    34. Download “WordPress Database Backup” plugin from:
      http://austinmatzko.com/wordpress-plugins/wp-db-backup/
    35. Download “WordPress Firewall” plugin from:
      http://www.seoegghead.com/software/wordpress-firewall.seo
    36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
    37. Create a folder for the “WordPress Database Backup” plugin:
      mkdir -p /www/wordpress/wp-content/backup-ed602
    38. Set permissions for the “WordPress Database Backup” plugin:
      chmod 777 /www/wordpress/wp-content/backup-ed602
    39. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/wp-login.php
    40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
    41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
      wp-content/uploads
    42. Click on “Save changes”.
    43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
      Note: Install and activate all the above downloaded plugins.
    44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
      Disallow: /wp-*
      Disallow: /wp-admin
      Disallow: /wp-includes
      Disallow: /wp-content/plugins
      Disallow: /wp-content/cache
      Disallow: /wp-content/themes
      Disallow: /wp-login.php
      Disallow: /wp-register.php
    45. Click “Submit”.
    46. From the upper pane, click on “Log Out”.
    47. Delete the file /wp-admin/install.php
    48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
      define('FORCE_SSL_LOGIN', true);
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, MySQL, PHP, RedHat, SSL, WordPress | PostCommentsIcon No Comments »

    Hardening guide for VSFTPD on RHEL 5.4

    PostDateIcon August 9th, 2010 | PostAuthorIcon Author: eyalestrin

    The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

    Installation phase

    1. Login to the server using Root account.
    2. Install from the RHEL 5.4 DVD the following RPM:
      rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
    3. Create a group for FTP users:
      groupadd ftp-users
    4. Create folder for the FTP:
      mkdir -p /ftp
    5. Change ownership and permissions on the FTP folder:
      chown root:ftp-users /ftp
      chmod 777 -R /ftp
    6. Example of user creation:
      useradd -g ftp-users -d /ftp user1
      passwd user1
    7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
      Change from:
      anonymous_enable=YESTo:
      anonymous_enable=NO

      Change from:
      xferlog_std_format=YESTo:
      xferlog_std_format=NO

      Change from:
      #tftpd_banner=Welcome to blah FTP service.To:
      tftpd_banner=Secure FTP server

      Add the lines bellow:
      local_root=/ftp
      userlist_file=/etc/vsftpd/user_list
      userlist_deny=NO
      vsftpd_log_file=/var/log/vsftpd.log
      ssl_enable=YES
      allow_anon_ssl=NO
      force_local_data_ssl=YES
      force_local_logins_ssl=YES
      ssl_tlsv1=YES
      ssl_sslv2=NO
      ssl_sslv3=NO
      ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
      rsa_cert_file=/etc/vsftpd/vsftpd.pem

    8. Run the command bellow to create VSFTP SSL key:
      openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
      Note: The command above should written as one line.
    9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
    10. Run the command bellow to manually start the VSFTP service:
      /etc/init.d/vsftpd start
    11. Run the command bellow to configure the VSFTP to start at server startup:
      chkconfig vsftpd on
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in FTP, RedHat, SFTP, SSL, VSFTP | PostCommentsIcon No Comments »

    How to implement SSL on Nginx 0.7.65

    PostDateIcon August 8th, 2010 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

    SSL implementation phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /usr/local/nginx/ssl
      chmod 600 /usr/local/nginx/ssl
    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
      Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/nginx.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
    7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
    10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
      cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
      Note: The command above should be written as one line.
    11. Remove the original server.crt and ca-bundle.crt files:
      rm -f /usr/local/nginx/ssl/server.crt
      rm -f /usr/local/nginx/ssl/ca-bundle.crt
    12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
      # HTTPS server
      #
      #server {
      # listen 443;
      # server_name localhost;

      # ssl on;
      # ssl_certificate cert.pem;
      # ssl_certificate_key cert.key;

      # ssl_session_timeout 5m;

      # ssl_protocols SSLv2 SSLv3 TLSv1;
      # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
      # ssl_prefer_server_ciphers on;

      # location / {
      # root html;
      # index index.html index.htm;
      # }
      #}
      To:
      server {
      listen 443;
      server_name Server_FQDN;
      ssl on;
      ssl_certificate /usr/local/nginx/ssl/server.pem;
      ssl_certificate_key /usr/local/nginx/ssl/server.key;
      ssl_session_timeout 5m;
      ssl_protocols SSLv3;
      ssl_ciphers HIGH:!ADH:!MD5;
      ssl_prefer_server_ciphers on;
      location / {
      root /www;
      index index.html index.htm;
      }
      }

    13. Restart the Nginx service:
      /etc/init.d/nginx restart
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Certificate Authority, Nginx, SSL | PostCommentsIcon No Comments »

    How to implement SSL on Lighttpd 1.4.26

    PostDateIcon August 8th, 2010 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

    SSL implementation phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /etc/lighttpd/ssl
      chmod 600 /etc/lighttpd/ssl
    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
      Note: Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
    7. Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
    8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
      cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pemNote: The command above should be written as one line.
    9. Remove the original server.crt file:
      rm -f /etc/lighttpd/ssl/server.crt
    10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    11. Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
    12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
      $SERVER["socket"] == "Server_FQDN:443" {
      ssl.engine = "enable"
      ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
      ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
      server.name = "Server_FQDN"
      server.document-root = "/www"
      server.errorlog = "/var/log/lighttpd/serror.log"
      accesslog.filename = "/var/log/lighttpd/saccess.log"
      ssl.use-sslv2 = "disable"
      ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
      }
    13. Restart the Lighttpd service.
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Certificate Authority, Lighttpd, SSL | PostCommentsIcon No Comments »

    Hardening guide for WordPress 2.9.2

    PostDateIcon July 22nd, 2010 | PostAuthorIcon Author: eyalestrin


    Pre-installation notes
    The guide bellow is based on the previous guides:

    Installation and configuration phase

    1. Login to the server using Root account.
    2. Create a new account for uploading files using SSH:
      groupadd sshaccount
      useradd -g sshaccount -d /home/sshaccount -m sshaccount
    3. Run the commands bellow to switch to the SSH account:
      su sshaccount
    4. Run the command bellow to generate SSH keys:
      ssh-keygen
      Note: Leave deafult values for the ssh-keygen.
    5. Copy the SSH keys:
      cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
    6. Change permissions for the SSH keys:
      chmod 755 /home/sshaccount/.ssh
      chmod 644 /home/sshaccount/.ssh/*
    7. Exit the SSH account shell and return to the Root account:
      exit
    8. Run the command bellow to login to the MySQL:
      /usr/bin/mysql -uroot -pnew-password
      Note: Replace the string “new-password” with the actual password for the root account.
    9. Run the following commands from the MySQL prompt:
      CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
      SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
      CREATE DATABASE m6gf42s;
      GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
      FLUSH PRIVILEGES;
      quit
      Note 1: Replace “blgusr” with your own MySQL account to access the database.
      Note 2: Replace “password2” with complex password (at least 14 characters).
      Note 3: Replace “m6gf42s” with your own WordPress database name.
    10. Download WordPress 2.9.2 from:
      http://wordpress.org/download
    11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
    12. Move to /www
      cd /www
    13. Extract the wordpress-2.9.2.tar.gz file:
      tar -zxvf wordpress-2.9.2.tar.gz
    14. Remove WordPress source file:
      rm -f /www/wordpress-2.9.2.tar.gz
    15. Create using VI the file /www/config.php with the following content:
      <?php
      define('DB_NAME', 'm6gf42s');
      define('DB_USER', 'blgusr');
      define('DB_PASSWORD', 'password2');
      define('DB_HOST', '127.0.0.1');
      $table_prefix = 'm6gf42s_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
      define('FS_METHOD', 'direct');
      define('FS_CHMOD_DIR', 0777);
      define('FS_CHMOD_FILE', 0777);
      define('FTP_BASE', '/www/wordpress/');
      define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
      define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
      define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
      define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
      define('FTP_USER', 'sshaccount');
      define('FTP_HOST', '127.0.0.1:22');
      ?>
      Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).
      Note 4: Replace “m6gf42s” with your own WordPress database name.
      Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
      http://api.wordpress.org/secret-key/1.1/
    16. Copy the wp-config.php file:
      cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
    17. Edit using VI, the file /www/wordpress/wp-config.php
      Add the following line:
      include('/www/config.php');Remove the following sections:
      define('DB_NAME', 'putyourdbnamehere');
      define('DB_USER', 'usernamehere');
      define('DB_PASSWORD', 'yourpasswordhere');
      define('DB_HOST', 'localhost');
      $table_prefix = 'wp_';
      define('AUTH_KEY', 'put your unique phrase here');
      define('SECURE_AUTH_KEY', 'put your unique phrase here');
      define('LOGGED_IN_KEY', 'put your unique phrase here');
      define('NONCE_KEY', 'put your unique phrase here');
    18. Remove default content:
      rm -f /www/wordpress/license.txt
      rm -f /www/wordpress/readme.html
      rm -f /www/wordpress/wp-config-sample.php
      rm -f /www/wordpress/wp-content/plugins/hello.php
    19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
      Replace the value of the string, from:
      DocumentRoot "/www"
      To:
      DocumentRoot "/www/wordpress"
      Replace the value of the string, from:
      LimitRequestBody 10000
      To:
      LimitRequestBody 200000
    20. Restart the Apache service.
    21. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/wp-admin/install.php
    22. Specify the following information:
      • Blog Title
      • E-Mail
    23. Click on “Install WordPress” button, and close the web browser.
    24. Run the command bellow to login to the MySQL:
      /usr/bin/mysql -uroot -pnew-password
      Note: Replace the string “new-password” with the actual password for the root account.
    25. Run the following commands from the MySQL prompt:
      use m6gf42s;
      UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
      UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
      FLUSH PRIVILEGES;
      quit
      Note 1: Replace “m6gf42s” with your own WordPress database name.
      Note 1: Replace “johnd” with your own new WordPress admin.
      Note 2: Replace “password3” with complex password (at least 14 characters).
    26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
      'timeout' => apply_filters( 'http_request_timeout', 5),
      To:
      'timeout' => apply_filters( 'http_request_timeout', 30),
    27. Create using VI the file /www/wordpress/.htaccess with the following content:
      <files wp-config.php>
      Order deny,allow
      deny from all
      </files>
      <Files wp-login.php>
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from All
      Allow from 1.1.1.0
      </Files>
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
      RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]      Note 1: Replace 1.1.1.0 with the internal network IP address.
      Note 2: Replace Server_FQDN with the server FQDN (DNS name).
    28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName “Access Control”
      AuthType Basic
      <LIMIT GET POST>
      order deny,allow
      deny from all
      Allow from 1.1.1.0
      </LIMIT>
      <IfModule mod_security.c>
      SecFilterInheritance Off
      </IfModule>       Note: Replace 1.1.1.0 with the internal network IP address.
    29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      Order deny,allow
      Deny from All
      Allow from 1.1.1.0      Note: Replace 1.1.1.0 with the internal network IP address.
    30. Create the following folders:
      mkdir -p /www/wordpress/wp-content/cache
      mkdir -p /www/wordpress/wp-content/uploads
      mkdir -p /www/wordpress/wp-content/upgrade
    31. Change the file permissions:
      chown -R root:root /www/wordpress
      chown daemon:root /www/wordpress/wp-content/plugins
      chmod 644 /www/config.php
      chmod 644 /www/wordpress/wp-config.php
      chmod 644 /www/wordpress/.htaccess
      chmod 644 /www/wordpress/wp-admin/.htaccess
      chmod 644 /www/wordpress/wp-content/plugins/.htaccess
      chmod -R 777 /www/wordpress/wp-content/cache
      chmod -R 777 /www/wordpress/wp-content/uploads
      chmod -R 777 /www/wordpress/wp-content/upgrade
    32. Download “Login Lockdown” plugin from:
      http://www.bad-neighborhood.com/login-lockdown.html
    33. Download “WP-Secure Remove WordPress Version” plugin from:
      http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
    34. Download “WP Security Scan” plugin from:
      http://wordpress.org/extend/plugins/wp-security-scan/
    35. Download “KB Robots.txt” plugin from:
      http://wordpress.org/extend/plugins/kb-robotstxt/
    36. Download “WordPress Database Backup” plugin from:
      http://austinmatzko.com/wordpress-plugins/wp-db-backup/
    37. Download “WordPress Firewall” plugin from:
      http://www.seoegghead.com/software/wordpress-firewall.seo
    38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
    39. Create a folder for the “WordPress Database Backup” plugin:
      mkdir -p /www/wordpress/wp-content/backup-ed602
    40. Set permissions for the “WordPress Database Backup” plugin:
      chmod 777 /www/wordpress/wp-content/backup-ed602
    41. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/wp-login.php
    42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
    43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
      wp-content/uploads
    44. Click on “Save changes”.
    45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
      Note: Install and activate all the above downloaded plugins.
    46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
      Disallow: /wp-*
      Disallow: /wp-admin
      Disallow: /wp-includes
      Disallow: /wp-content/plugins
      Disallow: /wp-content/cache
      Disallow: /wp-content/themes
      Disallow: /wp-login.php
      Disallow: /wp-register.php
    47. Click “Submit”.
    48. From the upper pane, click on “Log Out”.
    49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
      define('FORCE_SSL_LOGIN', true);
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, MySQL, PHP, RedHat, SSL, WordPress | PostCommentsIcon No Comments »
    « Older Entries
    Search This Blog
    Blog Archive
    Labels
    NetworkedBlogs

    Log in
    Copyright © 2013 Security 24/7. All Rights Reserved.

    Powered by Wordpress.org, WP Theme Design Powered by playstation wordpress templates and free provided by nixcheckcashing.com.