Archive for the ‘SSL’ Category

9 Essential System Security Interview Questions

  1. What is a pentest?

“Pentest” is short for “penetration test”, and involves having a trusted security expert attack a system for the purpose of discovering, and repairing, security vulnerabilities before malicious attackers can exploit them. This is a critical procedure for securing a system, as the alternative method for discovering vulnerabilities is to wait for unknown agents to exploit them. By this time it is, of course, too late to do anything about them.

In order to keep a system secure, it is advisable to conduct a pentest on a regular basis, especially when new technology is added to the stack, or vulnerabilities are exposed in your current stack.

 

2. What is social engineering?

“Social engineering” refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. In some cases, highly secure systems that cannot be penetrated by computer or cryptographic means, can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional.

Common social engineering techniques include phishing, clickjacking, and baiting, although several other tricks are at an attacker’s disposal. Baiting with foreign USB drives was famously used to introduce the Stuxnet worm into Iran’s uranium enrichment facilities, damaging the nation’s ability to produce nuclear material.

For more information, a good read is Christopher Hadnagy’s book Social Engineering: The Art of Human Hacking.

3. You find PHP queries overtly in the URL, such as /index.php=?page=userID. What would you then be looking to test? 

This is an ideal situation for injection and querying. If we know that the server is using a database such as SQL with a PHP controller, it becomes quite easy. We would be looking to test how the server reacts to multiple different types of requests, and what it throws back, looking for anomalies and errors.

One example could be code injection. If the server is not using authentication and evaluating each user, one could simply try /index.php?arg=1;system(‘id’) and see if the host returns unintended data.

4. You find yourself in an airport in the depths of of a foreign superpower. You’re out of mobile broadband and don’t trust the WI-FI. What do you do? Further, what are the potential threats from open WI-FIs?

Ideally you want all of your data to pass through an encrypted connection. This would usually entail tunneling via SSH into whatever outside service you need, over a virtual private network (VPN). Otherwise, you’re vulnerable to all manner of attacks, from man-in-the-middle, to captive portals exploitation, and so on.

5. What does it mean for a machine to have an “air gap”? Why are air gapped machines important?

An air gapped machine is simply one that cannot connect to any outside agents. From the highest level being the internet, to the lowest being an intranet or even bluetooth.

Air gapped machines are isolated from other computers, and are important for storing sensitive data or carrying out critical tasks that should be immune from outside interference. For example, a nuclear power plant should be operated from computers that are behind a full air gap. For the most part, real world air gapped computers are usually connected to some form of intranet in order to make data transfer and process execution easier. However, every connection increases the risk that outside actors will be able to penetrate the system.

 

6. You’re tasked with setting up an email encryption system for certain employees of a company. What’s the first thing you should be doing to set them up? How would you distribute the keys?

The first task is to do a full clean and make sure that the employees’ machines aren’t compromised in any way. This would usually involve something along the lines of a selective backup. One would take only the very necessary files from one computer and copy them to a clean replica of the new host. We give the replica an internet connection and watch for any suspicious outgoing or incoming activity. Then one would perform a full secure erase on the employee’s original machine, to delete everything right down to the last data tick, before finally restoring the backed up files.

The keys should then be given out by transferring them over wire through a machine or device with no other connections, importing any necessary .p7s email certificate files into a trusted email client, then securely deleting any trace of the certificate on the originating computer.

The first step, cleaning the computers, may seem long and laborious. Theoretically, if you are 100% certain that the machine is in no way affected by any malicious scripts, then of course there is no need for such a process. However in most cases, you’ll never know this for sure, and if any machine has been backdoored in any kind of way, this will usually mean that setting up secure email will be done in vain.

7. You manage to capture email packets from a sender that are encrypted through Pretty Good Privacy (PGP). What are the most viable options to circumvent this?

First, one should be considering whether to even attempt circumventing the encryption directly. Decryption is nearly impossible here unless you already happen to have the private key. Without this, your computer will be spending multiple lifetimes trying to decrypt a 2048-bit key. It’s likely far easier to simply compromise an end node (i.e. the sender or receiver). This could involve phishing, exploiting the sending host to try and uncover the private key, or compromising the receiver to be able to view the emails as plain text.

8. What makes a script fully undetectable (FUD) to antivirus software? How would you go about writing a FUD script? 

A script is FUD to an antivirus when it can infect a target machine and operate without being noticed on that machine by that AV. This usually entails a script that is simple, small, and precise

To know how to write a FUD script, one must understand what the targeted antivirus is actually looking for. If the script contains events such as Hook_Keyboard(), File_Delete(), or File_Copy(), it’s very likely it wil be picked up by antivirus scanners, so these events are not used. Further, FUD scripts will often mask function names with common names used in the industry, rather than naming them things like fToPwn1337(). A talented attacker might even break up his or her files into smaller chunks, and then hex edit each individual file, thereby making it even more unlikely to be detected.

As antivirus software becomes more and more sophisticated, attackers become more sophisticated in response. Antivirus software such as McAfee is much harder to fool now than it was 10 years ago. However, there are talented hackers everywhere who are more than capable of writing fully undetectable scripts, and who will continue to do so. Virus protection is very much a cat and mouse game.

9. What is a “Man-in-the-Middle” attack?

A man-in-the-middle attack is one in which the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker, who even has the ability to modify the content of each message. Often abbreviated to MITM, MitM, or MITMA, and sometimes referred to as a session hijacking attack, it has a strong chance of success if the attacker can impersonate each party to the satisfaction of the other. MITM attacks pose a serious threat to online security because they give the attacker the ability to capture and manipulate sensitive information in real-time while posing as a trusted party during transactions, conversations, and the transfer of data. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted WiFi access point, can insert himself as a man-in-the-middle.

This article is from Toptal.

Fixing the “Heartbleed” OpenSSL Bug: A Tutorial for Sys Admins

The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.

So what exactly is the bug anyway?

Here’s a very quick rundown:

A potentially critical problem has surfaced in the widely used OpenSSL cryptographic library. It is nicknamed “Heartbleed” because the vulnerability exists in the “heartbeat extension” (RFC6520) to the Transport Layer Security (TLS)  and it is a memory leak (“bleed”) issue.  User passwords and other important data may have been compromised on any site affected by the vulnerability.

The vulnerability is particularly dangerous for two reasons:

  1. Potentially critical data is leaked.
  2. The attack leaves no trace.

The affected OpenSSL versions are 1.0.1 through 1.0.1f, 1.0.2-beta, and 1.0.2-beta1.

Who is affected by the problem?

Short answer:  Anyone and everyone who uses these versions of OpenSSL.

And that’s a LOT of companies and a LOT of people.

Before we get into our Heartbleed tutorial, here’s just a brief sampling of major companies and websites that are known to have been affected and that needed to patch their sites:  GmailYahoo MailIntuit TurboTaxUSAA, Dropbox, Flickr, Instagram, PinterestSoundCloud, Tumblr, GitHubGoDaddyBoingo Wireless, and many more.

If you're wondering how to protect against openssl Heartbleed, start by using the Heartbleed test.

Many, many corporate websites, of companies of all sizes, have been (or still need to be!) patched to fix the Heartbleed vulnerability.

The vulnerability has existed since December 31, 2011, with OpenSSL being used by about 66% of Internet hosts.

As a user, chances are that sites you frequent regularly are affected and that your data may have been compromised. As a developer or sys admin, sites or servers you’re responsible for are likely to have been affected as well.

So what do I need to do to protect myself if I use any of the affected sites?

The main thing you should do immediately is to change your passwords for any of the affected sites for which you have a login account.

And what do I need to do to fix and protect against Heartbleed if I’m the sys admin for a site that uses OpenSSL?

If you’re using OpenSSL 1.0.1, do one of the following immediately:

  • Upgrade to OpenSSL 1.0.1g, or
  • Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

If you’re using OpenSSL 1.0.2, the vulnerability will be fixed in 1.0.2-beta2 but you can’t wait for that.  In the interim, do one of the following immediately:

  • Revert to OpenSSL 1.0.1g, or
  • Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Most distributions (e.g., Ubuntu, Fedora, Debian, Arch Linux) have upgraded their packages already.  In cases like Gentoo, you can upgrade to a patched ebuild.

Once you’ve upgraded (or recompiled) and have established a secure version on your server:

  • Be sure to restart all potentially affected processes.  Major daemons affected by the bug include Apache, Nginx, OpenVPN, and sshd; basically anything and everything linked against libssl. (Note that a restart of these daemons should be sufficient.  There should be no need to rebuild these binaries since they are dynamically linked with the openssl libraries.)
  • Verify that you are no longer vulnerable using tools like this online test or this tool on GitHub or this tool on Pastebin.

If your infrastructure was vulnerable, there are Heartbleed tutorial steps that you can and should take.  A useful list of such mitigations is available here.

More gory Heartbleed details, for those who are interested…

As explained in the GitHub commit for the fix, a missing bounds check in the handling of the TLS heartbeat extension could be exploited to reveal up to 64k of memory to a connected client or server.

While the exposed memory could potentially just be garbage, it could just as easily turn out to be extremely valuable to a malicious attacker.

Here’s how the Heartbleed vulnerability works:  An attacker provides the payload as well as the payload length.  However, no validation is done to confirm that the payload length was actually provided by the attacker.  If the payload length was not provided, an out-of-bounds read occurs, which in turn leaks process memory from the heap.

Leaking previous request headers can be a very serious security problem. Specifically, a prior user’s login post data might still be available with their username, password, and cookies, all of which can then be exposed and exploited. Moreover, although private key leakage through Heartbleed was initially deemed to be unlikely, it has been verified that private SSL keys can be stolen by exploiting this vulnerability.

Fixing Heartbleed is critical as it has been confirmed that private SSL keys can be stolen this way.

The vulnerability is also made possible due to OpenSSL’s silly use of a malloc() cache.  By wrapping away libc functions and not actually freeing memory, the exploitation countermeasures in libc are never given the chance to kick in and render the bug useless.

Additional details on these ways to fix Heartbleed are available here and here.

And, for what it’s worth, here’s a more amusing perspective.

Kudos to the discoverer, Neel Mehta of Google Security, as well as Adam Langley and Bodo Moeller who promptly provided the patch and helped sys admins determine how to fix Heartbleed. I also encourage you to educate yourself on some of the other common web security vulnerabilities to avoid issues in the future.

Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)

This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from
BEAST attack and CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:

  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation phase

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd tomcat
    useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
  3. Download the lastest JDK8 for Linux from:
    http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
  4. Upgrade to the latest build of Oracle JDK:
    rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
  5. Delete the JDK8 source files:
    rm -rf /tmp/jdk-8u45-linux-x64.rpm
    rm -rf /usr/java/jdk1.8.0_45/src.zip
  6. Download the latest Tomcat 8 source files:
    cd /opt
    wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
  7. Extract Tomcat source files:
    tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
  8. Rename the Tomcat folder:
    mv /opt/apache-tomcat-8.0.21 /opt/tomcat
  9. Remove default content:
    rm -rf /opt/apache-tomcat-8.0.21.tar.gz
    rm -rf /opt/tomcat/webapps/docs
    rm -rf /opt/tomcat/webapps/examples
    rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
    rm -rf /opt/tomcat/webapps/host-manager
    rm -rf /opt/tomcat/webapps/manager
    rm -rf /opt/tomcat/work/Catalina/localhost/docs
    rm -rf /opt/tomcat/work/Catalina/localhost/examples
    rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
    rm -rf /opt/tomcat/work/Catalina/localhost/manager
  10. Change folder ownership and permissions:
    chown -R tomcat.tomcat /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat/conf
    chmod o-rwx /opt/tomcat/logs
    chmod o-rwx /opt/tomcat/temp
    chmod g-w,o-rwx /opt/tomcat/bin
    chmod g-w,o-rwx /opt/tomcat/webapps
    chmod 770 /opt/tomcat/conf/catalina.policy
    chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
    chmod g-w,o-rwx /opt/tomcat/conf/context.xml
    chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
    chmod g-w,o-rwx /opt/tomcat/conf/server.xml
    chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
    chmod g-w,o-rwx /opt/tomcat/conf/web.xml
  11. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  12. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  13. Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
    Replace the string below from:
    server.infoerver.info=Apache Tomcat/8.0.21
    To:
    server.infoerver.info=Secure Web serverReplace the string below from:
    server.number=8.0.21.0
    To:
    server.number=1.0.0.0Replace the string below from:
    server.built=Mar 23 2015 14:11:21 UTC
    To:
    server.built=Jan 01 2000 00:00:00 UTC
  14. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  15. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  16. Remove the folder below:
    rm -rf /opt/tomcat/lib/org
  17. Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
    Replace the:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />

    To:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    xpoweredBy="false"
    allowTrace="false"
    redirectPort="8443" />
    Replace the:
    <Server port="8005" shutdown="SHUTDOWN">
    To:
    <Server port="-1" shutdown="SHUTDOWN">Replace the:
    autoDeploy="true"
    To:
    autoDeploy="false"
  18. Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
    <html>
    <head>
    <title>404-Page Not Found</title>
    </head>
    <body> The requested URL was not found on this server. </body>
    </html>
  19. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <error-page>
    <error-code>400</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>401</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>410</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>411</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>412</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>413</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>408</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>500</error-code>
    <location>/error.jsp </error-page><!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Create using VI, the file /etc/init.d/tomcat, with the following content:
    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80
    JAVA_HOME=/usr/java/jdk1.8.0_45
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH
    CATALINA_HOME=/opt/tomcat/bin
    case $1 in
    start)
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    stop)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    ;;
    restart)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    esac
    exit 0
    Note: Update the “JAVA_HOME” path according to the install JDK build.
  21. Change the permission on the tomcat script:
    chmod 755 /etc/init.d/tomcat
  22. To start Tomcat service at server start-up, run the command:
    chkconfig tomcat on
  23. To manually start the Tomcat service, use the command:
    service tomcat start
  24. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  25. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  26. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  27. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/tomcat/ssl
    chown -R tomcat:tomcat /opt/tomcat/ssl
    chmod -R 755 /opt/tomcat/ssl
  3. Run the command below to generate a key store:
    /usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  4. Run the command below to generate a CSR (certificate request):
    /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  5. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /opt/tomcat/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
  10. Run the command below to import the trusted root CA public certificate:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  11. Run the command below to import the signed public key into the key store:
    /usr/java/jdk1.8.0_45/bin/keytool -import -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
  12. Stop the Tomcat service:
    service tomcat stop
  13. Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
    <Connector port="8443"
    protocol="HTTP/1.1"
    maxThreads="150"
    xpoweredBy="false"
    allowTrace="false"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/opt/tomcat/ssl/server.key"
    keystorePass="ComplexPassword"
    keyAlias="FQDN_Name"
    clientAuth="false"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    Note 1: Replace ComplexPassword with your own complex password.
    Note 2: Replace “FQDN_Name” with the server DNS name.
  14. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  15. Edit using VI, the file /opt/tomcat/conf/context.xml and add the following parameter inside the context tag:
    usehttponly="true"
  16. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  17. Save the IPTables settings:
    service iptables save
  18. To manually start the Tomcat service, use the command:
    service tomcat start

Data and Web Security in Business

Not all businesses are aware of just how much of their data is potentially at risk within their own systems and even their website; there simply isn’t the education in place to identify the flaws in one’s system before it’s too late in most cases, which results in compromised data, stolen data, loss of trust from customers and potentially a loss of funds or profits for the business in question; usually because of issues that could have easily been avoided.

First of all you need to secure the internal workings of your business; which means users and data storage. One of the biggest threats to your computer and data security systems is actually the people that you give access to those systems; the human element is less predictable so be sure to take the necessary precautions that will prevent or limit damages should an employee choose to act maliciously. Start by ensuring logins are required and are unique to each user, this allows you to control exactly what each person has access to, and means that it is easier to trace who is responsible if damage is caused. You should also be very careful about providing permissions to these users; consider what they absolutely must have access to, and why, and consider whether or not they really need access to everything they can access. Limitations are the first step towards protection.

Once you have this much protected you can start to think about how to avoid unauthorised access; password protecting everything is a good start, and encrypting sensitive information can be a fantastic way to avoid giving away data that is particularly valuable to your company. These are generally very easy systems to implement, and most security organisations you may choose to work with will help you to set up systems for encryption, data recovery, remote destruction (allowing you to delete data on a stolen device), as well as other aspects of data protections that can be very important to your business. These are important if your business handles a great deal of sensitive information, and of course if that is the case and security is of particularly importance you will want to get a security firm to help you protect it, however in a lot of cases your own IT department can set up the encryption, passwords, firewalls and defences needed to protect basic levels of data against reasonably tough attacks.

Of course your online systems can require something a little different in order to keep them safe, and this is true of your website as well as any online content management, project management or other systems you might be using in the day to day running of your business. Again it is important that everything is password protected to keep things safe and secure as far as your users and their access levels are concerned, but you should also ensure that the development of the websites and tools are done with a certain level of security in mind. There are some rules to this, but in general it isn’t too difficult if you can already develop a website.

No WordPress. If you want a secure website to handle lots of valuable data then WordPress isn’t for you, no matter how easy you think it makes your life. The problem with WordPress is that literally anyone can get it, and they all get the same version. Within a short time the vulnerabilities of that version will have been discovered and likely shared among hackers and other such people, meaning that you can either update or remain vulnerable – your only hope is that WordPress and you update often enough to stay one step ahead of the hackers. This is an issue that exists with a variety of similar platforms and would be difficult to keep yourself secure using these platforms – the best option is to use a secure platform and your own web development team or company.

The variations in the programming that come from using your own team help to create diversity online, which means that it is much harder for hackers and malicious users to find the ways into your system; thus keeping you protected for longer. Of course even with your own website you are likely to be working with systems like Magento for database integration and content management, which will need to be updated every so often but are considerably more secure than systems like WordPress, and you will have to keep certificates up to date, particularly your SSL certificates.

 

Kate Critchlow is a freelance writer with a passionate interest for technology covering everything from web development to IT security services.

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installation, configuration and hardening of NGINX server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack
 
Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    1. Installation Phase

    2. Login to the server using Root account
    3. Install pre-requirement packages:
      yum install policycoreutils-python-* -y
      yum install setools-libs-* -y
      yum install libcgroup-* -y
      yum install audit-libs-python-* -y
      yum install libsemanage-python-* -y
      yum install setools-libs-python-* -y
      yum install gcc* -y
    4. Create a new account:
      groupadd nginx

      useradd -g nginx -d /dev/null -s /sbin/nologin nginx

    5. Upgrade the Openssl build:
      rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

      yum --enablerepo=axivo update openssl -y

    6. Download Openssl source files:
      cd /opt

      wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz

    7. Extract Openssl source files:
      tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
    8. Remove Openssl source file:
      rm -rf /opt/openssl-1.0.1e.tar.gz
    9. Download PCRE source file into /tmp, from:
      http://sourceforge.net/projects/pcre/files/pcre/
    10. Compile PCRE from source file:
      tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp

      mv /tmp/pcre-8.34 /usr/local/pcre

      cd /usr/local/pcre

      ./configure --prefix=/usr/local/pcre

      make

      make install

    11. Remove PCRE package:
      rm -rf /tmp/pcre-8.34.tar.gz
    12. Download Nginx 1.5.8:
      cd /tmp

      wget http://nginx.org/download/nginx-1.5.8.tar.gz

    13. Extract the nginx-1.5.8.tar.gz file:
      tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
    14. Move to the Nginx source folder:
      cd /tmp/nginx-1.5.8
    15. Edit using VI, the file
      /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
      static char ngx_http_server_string[] = "Server: nginx" CRLF;

      static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;To:
      static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
      static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;

    16. Run the commands bellow to compile the Nginx environment:
      ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcreNote: The command above should be written as one line.
      make

      make install

    17. Remove the Nginx source files:
      cd /

      rm -rf /tmp/nginx-1.5.8

      rm -f /tmp/nginx-1.5.8.tar.gz

    18. Remove Default Content
      rm -rf /usr/local/nginx/html
    19. Updating Ownership and Permissions on Nginx folders:
      chown -R root:root /usr/local/nginx

      chmod 750 /usr/local/nginx/sbin/nginx

      chmod -R 640 /usr/local/nginx/conf

      chmod -R 770 /usr/local/nginx/logs

    20. Create folder for the web content:
      mkdir -p /www
    21. Updating Ownership and Permissions on the web content folder:
      chown -R root /www

      chmod -R 775 /www

    22. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
      From:
      #user nobody;To:
      user nginx nginx;

      From:
      #error_log logs/error.log notice;To:
      error_log logs/error.log notice;

      From:
      server_name localhost;To:
      server_name Server_FQDN;Note: Replace Server_FQDN with the actual server DNS name.

      From:
      root html;To:
      root /www;

    23. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
      ## turn off nginx version number ##
      server_tokens off;
      ## Size Limits & Buffer Overflows ##
      client_body_buffer_size 1K;
      client_header_buffer_size 1k;
      client_max_body_size 1k;
      large_client_header_buffers 2 2k;
      ## Timeouts ##
      client_body_timeout 10;
      client_header_timeout 10;
      send_timeout 10;
    24. Create using VI, the file /etc/init.d/nginx with the following content:
      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig: - 85 15
      # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
      # proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config: /usr/local/nginx/conf/nginx.conf
      # config: /etc/sysconfig/nginx
      # pidfile: /var/run/nginx.pid

      # Source function library.
      . /etc/rc.d/init.d/functions

      # Source networking configuration.
      . /etc/sysconfig/network

      # Check that networking is up.
      [ "$NETWORKING" = "no" ] && exit 0

      nginx="/usr/local/nginx/sbin/nginx"
      prog=$(basename $nginx)

      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

      [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

      lockfile=/var/lock/subsys/nginx

      start() {
      [ -x $nginx ] || exit 5
      [ -f $NGINX_CONF_FILE ] || exit 6
      echo -n $"Starting $prog: "
      daemon $nginx -c $NGINX_CONF_FILE
      retval=$?
      echo
      [ $retval -eq 0 ] && touch $lockfile
      return $retval
      }

      stop() {
      echo -n $"Stopping $prog: "
      killproc $prog -QUIT
      retval=$?
      echo
      [ $retval -eq 0 ] && rm -f $lockfile
      return $retval
      }

      restart() {
      configtest || return $?
      stop
      sleep 1
      start
      }

      reload() {
      configtest || return $?
      echo -n $"Reloading $prog: "
      killproc $nginx -HUP
      RETVAL=$?
      echo
      }

      force_reload() {
      restart
      }

      configtest() {
      $nginx -t -c $NGINX_CONF_FILE
      }

      rh_status() {
      status $prog
      }

      rh_status_q() {
      rh_status >/dev/null 2>&1
      }

      case "$1" in
      start)
      rh_status_q && exit 0
      $1
      ;;
      stop)
      rh_status_q || exit 0
      $1
      ;;
      restart|configtest)
      $1
      ;;
      reload)
      rh_status_q || exit 7
      $1
      ;;
      force-reload)
      force_reload
      ;;
      status)
      rh_status
      ;;
      condrestart|try-restart)
      rh_status_q || exit 0
      ;;
      *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
      exit 2
      esac

    25. Change the permissions of the file /etc/init.d/nginx
      chmod +x /etc/init.d/nginx
    26. To start Nginx service at server start-up, run the command:
      chkconfig nginx on
    27. To manually start the Nginx service, use the command:
      /etc/init.d/nginx start
    28. Configure IPTables:
      service iptables stop

      iptables -P INPUT DROP

      iptables -A INPUT -i lo -j ACCEPT

      iptables -A OUTPUT -o lo -j ACCEPT

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    29. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
      iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
    30. Allow HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
    31. Save the IPTables settings:
      service iptables save
      SSL Configuration Phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /usr/local/nginx/ssl

      chmod 600 /usr/local/nginx/ssl

    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048Note: Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csrNote: The command above should be written as one line.
    5. Send the file /tmp/server.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt”
    7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
    10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
      cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pemNote: The command above should be written as one line.
    11. Remove the key store passphrase:
      /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.keyNote: The command above should be written as one line.
    12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
      rm -f /tmp/server.csr

      rm -f /usr/local/nginx/ssl/server.crt

      rm -f /usr/local/nginx/ssl/ca-bundle.crt

    13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
      # HTTPS server
      #
      #server {
      # listen 443 ssl;
      # server_name localhost;
      # ssl_certificate cert.pem;
      # ssl_certificate_key cert.key;
      # ssl_session_cache shared:SSL:1m;
      # ssl_session_timeout 5m;
      # ssl_ciphers HIGH:!aNULL:!MD5;
      # ssl_prefer_server_ciphers on;
      # location / {
      # root html;
      # index index.html index.htm;
      # }
      #}
      To:
      # HTTPS server
      #
      server {
      listen 443;
      server_name Server_FQDN;
      ssl on;
      ssl_certificate /usr/local/nginx/ssl/server.pem;
      ssl_certificate_key /usr/local/nginx/ssl/server.key;
      ssl_session_timeout 5m;
      ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
      ssl_prefer_server_ciphers on;
      # HTTP Strict Transport Security #
      add_header Strict-Transport-Security max-age=63072000;
      # X-Frame-Options header #
      add_header X-Frame-Options SAMEORIGIN;
      location / {
      root /www;
      index index.html index.htm;
      }
      }
      Note: Replace Server_FQDN with the actual server DNS name.
    14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
    15. Remove HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
    16. Save the IPTables settings:
      service iptables save
    17. Restart the nginx:
      service nginx restart

    Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

        This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
        Some of the features explained in this document are supported by only some of the Internet browsers:

      • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
      • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
      Pre-Requirements

      • policycoreutils-python-* package installed
      • setools-libs-* package installed
      • libcgroup-* package installed
      • audit-libs-python-* package installed
      • libsemanage-python-* package installed
      • setools-libs-python-* package installed
      • gcc* package installed
      • gcc-c++* package installed
      • autoconf* package installed
      • automake* package installed
      Installation Phase

    1. Login to the server using Root account
    2. Upgrade the Openssl build:
      rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

      yum --enablerepo=axivo update openssl -y

    3. Download Apache source file into /tmp, from:
      http://httpd.apache.org/download.cgi
    4. Download APR and APR-Util source files into /tmp, from:
      https://apr.apache.org/download.cgi
    5. Download PCRE source file into /tmp, from:
      http://sourceforge.net/projects/pcre/files/pcre/
    6. Compile PCRE from source file:

      tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

      mv /tmp/pcre-8.33 /usr/local/pcre

      cd /usr/local/pcre

      ./configure --prefix=/usr/local/pcre

      make

      make install

    7. Extract Apache source files:
      cd /tmp

      tar zxvf httpd-2.4.6.tar.gz

      cd httpd-2.4.6/srclib/

      tar zxvf ../../apr-1.4.8.tar.gz

      ln -s apr-1.4.8/ apr

      tar zxvf ../../apr-util-1.5.2.tar.gz

      ln -s apr-util-1.5.2/ apr-util

    8. Compile the Apache from source files:
      cd /tmp/httpd-2.4.6

      ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

      make

      make install

    9. Remove the source files:
      rm -rf /tmp/apr-1.4.8.tar.gz

      rm -rf /tmp/apr-util-1.5.2.tar.gz

      rm -rf /tmp/httpd-2.4.6.tar.gz

      rm -rf /tmp/httpd-2.4.6

      rm -rf /tmp/pcre-8.33.tar.gz

    10. Remove Default Content:
      rm -rf /opt/httpd/cgi-bin

      rm -rf /opt/httpd/htdocs

      rm -rf /opt/httpd/icons

      rm -rf /opt/httpd/man

      rm -rf /opt/httpd/manual

      rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

      rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-dav.conf

      rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-default.conf

      rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-info.conf

      rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-languages.conf

      rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-manual.conf

      rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

      rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

      rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

      rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

      rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

      rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

      rm -rf /opt/httpd/conf/extra/proxy-html.conf

      rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

      rm -rf /opt/httpd/conf/original

    11. Updating Ownership and Permissions on Apache folders:
      chown root:root /opt/httpd/bin/apachectl

      chown root:root /opt/httpd/bin/httpd

      chmod 770 /opt/httpd/bin/apachectl

      chmod 770 /opt/httpd/bin/httpd

      chown -R root:root /opt/httpd

      chmod -R go-r /opt/httpd

      chown -R root:root /opt/httpd/logs

      chmod -R 700 /opt/httpd/logs

    12. Create folder for the web content:
      mkdir -p /www
    13. Updating Ownership and Permissions on the web content folder:
      chown -R root /www

      chmod -R 775 /www

    14. Fix the SELinux security context on the new web folder:
      semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

      restorecon -F -R -v /www

    15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
      From:
      LogLevel warnTo:
      LogLevel notice

      From:
      DocumentRoot "/opt/httpd/htdocs"To:
      DocumentRoot "/www"

      From:
      Listen 80To:
      Listen Server_FQDN:80
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ServerAdmin [email protected]To:
      ServerAdmin webmaster@mycompany.com
      Note: Replace mycompany.com with the actual Company DNS name.

      From:
      #ServerName www.example.com:80To:
      ServerName Server_FQDN
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"To:
      # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

      From:
      <Directory />
      Options FollowSymLinks
      AllowOverride None
      </Directory>
      To:
      <Directory />
      Options None
      AllowOverride None
      Require all denied
      Order deny,allow
      deny from all
      <LimitExcept GET POST>
      deny from all
      </limitexcept>
      </Directory>

      From:
      <Directory "/opt/httpd/htdocs">
      Options Indexes FollowSymLinks
      AllowOverride None
      </Directory>
      To:
      <Directory "/www">
      Options None
      AllowOverride None
      Require all granted
      Order allow,deny
      Allow from all
      <LimitExcept GET POST>
      deny from all
      </limitexcept>
      </Directory>

    16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file, begining with:
      ScriptAlias

      IndexOptions

      AddIconByEncoding

      AddIconByType

      AddIcon

      DefaultIcon

      ReadmeName

      HeaderName

      IndexIgnore

      LanguagePriority

      ForceLanguagePriority

    17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
      LoadModule cgi_module modules/mod_cgi.so

      LoadModule status_module modules/mod_status.so

      LoadModule info_module modules/mod_info.so

      LoadModule autoindex_module modules/mod_autoindex.so

      LoadModule include_module modules/mod_include.so

      LoadModule userdir_module modules/mod_userdir.so

      LoadModule env_module modules/mod_env.so

      LoadModule negotiation_module modules/mod_negotiation.so

      LoadModule actions_module modules/mod_actions.so

    18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
    19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
      # Configure custom error message:
      ErrorDocument 400 "The requested URL was not found on this server."
      ErrorDocument 401 "The requested URL was not found on this server."
      ErrorDocument 403 "The requested URL was not found on this server."
      ErrorDocument 404 "The requested URL was not found on this server."
      ErrorDocument 405 "The requested URL was not found on this server."
      ErrorDocument 408 "The requested URL was not found on this server."
      ErrorDocument 410 "The requested URL was not found on this server."
      ErrorDocument 411 "The requested URL was not found on this server."
      ErrorDocument 412 "The requested URL was not found on this server."
      ErrorDocument 413 "The requested URL was not found on this server."
      ErrorDocument 414 "The requested URL was not found on this server."
      ErrorDocument 415 "The requested URL was not found on this server."
      ErrorDocument 500 "The requested URL was not found on this server."
      # Configure Server Tokens
      ServerTokens Prod
      # Disable Server Signature
      ServerSignature Off
      # Disable Tracing
      TraceEnable Off
      # Maximum size of the request body.
      LimitRequestBody 25000
      # Maximum number of request headers in a request.
      LimitRequestFields 40
      # Maximum size of request header lines.
      LimitRequestFieldSize 4000
      # Maximum size of the request line.
      LimitRequestLine 4000
      MaxRequestsPerChild 10000
      # Configure clickjacking protection
      Header always append X-Frame-Options SAMEORIGIN
    20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
      From:
      #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
      #define AP_SERVER_BASEVENDOR "Restricted server"

      From:
      #define AP_SERVER_BASEPROJECT "Apache HTTP Server"To:
      #define AP_SERVER_BASEPROJECT "Secure Web Server"

      From:
      #define AP_SERVER_BASEPRODUCT "Apache"To:
      #define AP_SERVER_BASEPRODUCT "Secure Web Server"

    21. Download the Apache boot script into /tmp from:
      http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
    22. Extract and install the Apache boot script:
      cd /tmp/

      tar xvjf blfs-bootscripts-20131023.tar.bz2

      cd /tmp/blfs-bootscripts-20131023

      make install-httpd

    23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
      From:
      /usr/sbin/apachectlTo:
      /opt/httpd/bin/apachectl

      From:
      log_info_msgTo:
      echo

      From:
      evaluate_retvalTo:
      #evaluate_retval

    24. Configure the Apache to start automatically:
      chkconfig httpd on
    25. Configure IPTables:
      service iptables stop

      iptables -P INPUT DROP

      iptables -A INPUT -i lo -j ACCEPT

      iptables -A OUTPUT -o lo -j ACCEPT

      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
      iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
      Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
    27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    28. Save the IPTables settings:
      service iptables save
    29. Start the Apache daemon:
      service httpd start
      SSL Configuration Phase

    1. Login to the server using Root account.
    2. Create folder for the SSL certificate files:
      mkdir -p /opt/httpd/conf/ssl

      chmod 600 /opt/httpd/conf/ssl

    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
      Note: Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
      Note: The command above should be written as one line.
    5. Send the file /tmp/apache.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
    7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
    8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
      From:
      Listen Server_FQDN:80To:
      Listen Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      ServerName Server_FQDNTo:
      ServerName Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      #Include conf/extra/httpd-ssl.confTo:
      Include conf/extra/httpd-ssl.conf

      From:
      #LoadModule socache_shmcb_module modules/mod_socache_shmcb.soTo:
      LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

    9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
      From:
      SSLCertificateFile "/opt/httpd/conf/server.crt"To:
      SSLCertificateFile /opt/httpd/conf/ssl/server.crt

      From:
      SSLCertificateKeyFile "/opt/httpd/conf/server.key"To:
      SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

      From:
      #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"To:
      SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

      From:
      SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5To:
      SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

      From:
      #SSLHonorCipherOrder onTo:
      SSLHonorCipherOrder On

      From:
      Listen @@SSLPort@@To:
      Listen Server_FQDN:443
      Note: Replace Server_FQDN with the actual DNS name.

      From:
      DocumentRoot "/opt/httpd/htdocs"To:
      DocumentRoot "/www"

      From:
      ServerName www.example.com:@@SSLPort@@To:
      #ServerName www.example.com:@@SSLPort@@

      From:
      ServerAdmin [email protected]To:
      ServerAdmin webmaster@mycompany.com
      Note: Replace mycompany.com with the actual Company DNS name.

      From:
      <VirtualHost _default_:@@SSLPort@@>To:
      <VirtualHost _default_:443>

    10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
      # Disable SSLv2
      SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
      # Disable SSL Compression
      SSLCompression Off
    11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
    12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
      iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
      iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
      Note: Replace eth0 with the public interface name
    14. Save the IPTables settings:
      service iptables save
    15. Restart the Apache service:
      service httpd restart

    Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

    thought that SSL + TLS are the magic words??
    think again!
    http://www.isg.rhul.ac.uk/tls/

    Roy Coren
    Security Specialist
    Roy Coren AT gmail

    Hardening guide for Drupal 7.7

    Pre-installation notes
    The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

    The guide bellow is based on the previous guides:

    PHP installation phase

    1. Login to the server using Root account.
    2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
      rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
      rpm -ivh glibc-headers-2.5-49.i386.rpm
      rpm -ivh glibc-devel-2.5-49.i386.rpm
      rpm -ivh gmp-4.1.4-10.el5.i386.rpm
      rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
      rpm -ivh gcc-4.1.2-48.el5.i386.rpm
      rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh zlib-devel-1.2.3-3.i386.rpm
      rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
      rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
      rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
      rpm -ivh libjpeg-devel-6b-37.i386.rpm
    3. Download MySQL development RPM from:
      http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
    4. Download PHP 5.3.8 source files from:
      http://php.net/downloads.php
    5. Download the latest libxml2 for PHP from:
      http://xmlsoft.org/sources/
    6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
    7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
    8. Move to /tmp
      cd /tmp
    9. Install the MySQL development RPM:
      rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
    10. Remove MySQL development RPM:
      rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
    11. Extract the php-5.3.8.tar.gz file:
      tar -zxvf php-5.3.8.tar.gz
    12. Extract the libxml2 source file:
      tar -zxvf libxml2-2.7.7.tar.gz
    13. Move the libxml2-2.7.7 folder:
      cd /tmp/libxml2-2.7.7
    14. Run the commands bellow to compile the libxml2:
      ./configuremakemake install
    15. Move to the PHP source folder:
      cd /tmp/php-5.3.8
    16. Run the commands bellow to compile the PHP environment:
      ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftpmakemake install
    17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Add the following string, to the end of the AddType section:
      AddType application/x-httpd-php .php
      Replace the line from:
      DirectoryIndex index.htmlTo:
      DirectoryIndex index.php index.html index.htm
      Replace the value of the string, from:
      LimitRequestBody 10000To:
      LimitRequestBody 600000
    18. Copy the PHP.ini file
      cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
    19. Change the permissions on the php.ini file:
      chmod 640 /etc/php.ini
    20. Edit using VI, the file /etc/php.ini
      Replace the value of the string, from:
      mysql.default_host =To:
      mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
      pdo_mysql.default_socket=To:
      pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
      allow_url_fopen = OnTo:
      allow_url_fopen = OffReplace the value of the string, from:
      expose_php = OnTo:
      expose_php = OffReplace the value of the string, from:
      memory_limit = 128MTo:
      memory_limit = 64MReplace the value of the string, from:
      ;open_basedir =To:
      open_basedir = "/www"Replace the value of the string, from:
      post_max_size = 8MTo:
      post_max_size = 2MReplace the value of the string, from:
      disable_functions =To:
      disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
      ;include_path = ".:/php/includes"To:
      include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
      display_errors = OnTo:
      display_errors = OffReplace the value of the string, from:
      display_startup_errors = OnTo:
      display_startup_errors = Off

      Replace the value of the string, from:
      ;gd.jpeg_ignore_warning = 0To:
      gd.jpeg_ignore_warning = 1

    21. Run the commands bellow to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
    22. Remove the PHP source and test files:
      rm -f /tmp/php-5.3.8.tar.gz
      rm -f /tmp/libxml2-2.7.7.tar.gz
      rm -rf /tmp/php-5.3.8
      rm -rf /tmp/libxml2-2.7.7
      rm -rf /tmp/pear
      rm -rf /usr/local/apache2/lib/php/test
      rm -rf /usr/local/lib/php/test

    Drupal installation phase

    1. Login to the server using Root account.
    2. Run the command bellow to login to the MySQL:
      /usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
    3. Run the following commands from the MySQL prompt:
      CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
      SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
      CREATE DATABASE Z5J6Dw1;
      GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
      FLUSH PRIVILEGES;
      quit
      Note 1: Replace “blgusr” with your own MySQL account to access the database.
      Note 2: Replace “password2” with complex password (at least 14 characters).
      Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
    4. Download Drupal 7.7 from:
      http://drupal.org/project/drupal
    5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
    6. Move to /www
      cd /www
    7. Extract the file bellow:
      tar -zxvf drupal-7.7.tar.gz
    8. Remove Drupal source file:
      rm -f /www/drupal-7.7.tar.gz
    9. Rename the Drupal folder:
      mv /www/drupal-7.7 /www/drupal
    10. Remove default content:
      rm -f /www/drupal/CHANGELOG.txt
      rm -f /www/drupal/COPYRIGHT.txt
      rm -f /www/drupal/INSTALL.pgsql.txt
      rm -f /www/drupal/LICENSE.txt
      rm -f /www/drupal/UPGRADE.txt
      rm -f /www/drupal/INSTALL.mysql.txt
      rm -f /www/drupal/INSTALL.sqlite.txt
      rm -f /www/drupal/INSTALL.txt
      rm -f /www/drupal/MAINTAINERS.txt
      rm -f /www/drupal/sites/example.sites.php
    11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Replace the line from:
      DocumentRoot "/www"To:
      DocumentRoot "/www/drupal"
    12. Run the commands bellow to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
    13. Create the following folders:
      mkdir /www/drupal/sites/default/filesmkdir /www/private
    14. Copy the settings.php file:
      cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
    15. Change permissions on the settings.php file:
      chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private
    16. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/install.php
    17. Select “Standard” installation and click “Save and continue”.
    18. Choose the default “English” and click “Save and continue”.
    19. Specify the following details:
      • Database type: MySQL
      • Database name: Z5J6Dw1
      • Database username: blgusr
      • Database password: password2
      • Click on Advanced Options
      • Database host: 127.0.0.1
      • Table prefix: Z5J6Dw1_

      Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).

    20. Click “Save and Continue”.
    21. Specify the following information:
      • Site name
      • Site e-mail address (for automated e-mails, such as registration information)
      • Username (for the default administrator account)
      • E-mail address
      • Password
    22. Select “Default country” and “Default time zone”.
    23. Unselect the “Update Notifications” checkboxes.
    24. Click “Save and Continue”.
    25. Close the web browser.
    26. Create using VI the file /www/config.php with the following content:
      <?php
      $databases = array (
      'default' =>
      array (
      'default' =>
      array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
      ),
      ),
      );
      ?>
      Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
      Note 2: Replace “blgusr” with your own MySQL account to access the database.
      Note 3: Replace “password2” with complex password (at least 14 characters).
      Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
    27. Edit using VI, the file /www/drupal/sites/default/settings.php
      Add the following line:
      include('/www/config.php');Remove the following section:
      $databases = array (
      'default' =>
      array (
      'default' =>
      array (
      'driver' => 'mysql',
      'database' => 'Z5J6Dw1',
      'username' => 'blgusr',
      'password' => 'password2',
      'host' => '127.0.0.1',
      'port' => '',
      'prefix' => 'Z5J6Dw1_',
      ),
      ),
      );
      Replace the string from:
      ini_set('session.cookie_lifetime', 2000000);To:
      ini_set('session.cookie_lifetime', 0);
    28. Change permissions on the settings.php file:
      chmod a-w /www/drupal/sites/default/settings.php
    29. Add the following lines to the /www/drupal/.htaccess file:
      # Block any file that starts with "."
      <FilesMatch "^\..*$">
      Order allow,deny
      </FilesMatch>
      <FilesMatch "^.*\..*$">
      Order allow,deny
      </FilesMatch>
      # Allow "." files with safe content types
      <FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
      Order deny,allow
      </FilesMatch>
    30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
      chmod 444 /www/drupal/.htaccess
    31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    32. From SSH session, move to the folder /www/drupal/sites/all/modules.
    33. Extract the downloaded above modules:
      tar zxvf dfw-7.x-1.1.tar.gztar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gztar zxvf security_review-7.x-1.x-dev.tar.gztar zxvf system_perm-7.x-1.x-dev.tar.gztar zxvf blockanonymouslinks-7.x-1.1.tar.gz
    34. Remove the modules source files:
      rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gzrm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

      rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

    35. Open a web browser from a client machine, and enter the URL bellow:
      http://Server_FQDN/?q=user/login
    36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
    37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
    38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
    39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
    40. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Drupal firewall
      • SpamSpan
      • Content Security Policy
      • Content Security Policy Reporting
      • GoAway
      • IP anonymize
      • Flood control
      • Password change tab
      • Password policy
      • Persistent Login
      • Secure Permissions
      • Security Review
      • System Perms
      • BlockAnonymousLinks
    41. Click on Save configuration.

    Drupal SSL configuration phase

    1. Add the following line to the /www/drupal/sites/default/settings.php file:
      $conf['https'] = TRUE;
    2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    3. From SSH session, move to the folder /www/drupal/sites/all/modules.
    4. Extract the downloaded above modules:
      tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz
    5. Remove the modules source files:
      rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
    6. Open a web browser from a client machine, and enter the URL bellow:
      https://Server_FQDN/?q=user/login
    7. From the upper menu, click on Modules -> from the main page, select the following modules:
      • Secure Login
      • Secure Pages
    8. Click on Save configuration.
    9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

    Generating self-signed SSL certificate using OpenSSL

    OpenSSL allows you to request, sign, generate, export and convert digital certificates.
    OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
    The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
    The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

    Download link for Windows binaries:
    http://www.slproweb.com/products/Win32OpenSSL.html
    Download link for Linux source files (pre-compiled):
    http://www.openssl.org/source/

    1. Install OpenSSL.
    2. Run the command bellow to generate a new key store called “server.key
      openssl genrsa -des3 -out /tmp/server.key 1024
    3. Run the commands bellow to request a new SSL certificate:
      openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

      openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

    4. Run the command bellow to backup the key store file that has a password:
      cp /tmp/server.key /tmp/server.key.bak
    5. Run the command bellow to generate a new key store without a password:
      openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
    6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
      cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
    7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
      openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

    Appendix:

    • server.key – Key store file
    • server.crt – Server SSL public key file
    • no.pwd.server.key – Key store file (without a password)
    • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
    • server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

    How to implement SSL on Resin 4.0.8

    Pre-installation notes
    The guide bellow is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

    1. Login to the server using Root account.
    2. Change permissions on the keys folder:
      chmod 640 /usr/local/resin/keys
    3. Run the command bellow to generate a key pair:
      /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024Specify a complex pass phrase for the private key (and document it)
    4. Run the command bellow to generate the CSR:
      /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csrNote: The command above should be written as one line.
    5. Send the file /tmp/resin.csr to a Certificate Authority server.
    6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
    7. Copy the file “server.crt” using SCP into /usr/local/resin/keys/
    8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
    9. Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
    10. Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section bellow from:
      <!-- SSL port configuration: -->
      <http address="*" port="8443">
      <jsse-ssl self-signed-certificate-name="[email protected]"/>
      </http>
      To:
      <http address="Server_DNS_Name" port="443">
      <openssl>
      <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
      <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
      <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
      <password>my-password</password>
      </openssl>
      </http>
      Note: Replace “my-password” with the password for the “server.key” file.
    11. Restart the Resin services:
      /etc/init.d/resin restart
    12. Backup the file
      /usr/local/resin/keys/server.key
    Search This Blog
    NetworkedBlogs