Security and Cloud 24/7

Archive for the ‘SSL’ Category

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

1. Request from your hosting provider access through SSH.
2. Login to the hosted server using SSH.
3. Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
   • DB_NAME
   • DB_USER
   • DB_PASSWORD
4. Create using VI the file ~/config.php with the following content:
   <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
   Note 2: Replace “blgusr” with the MySQL account to access the database.
   Note 3: Replace “password2” with the MySQL account password.
   Note 4: Replace “m6gf42s” with the WordPress database name.
   Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
   http://api.wordpress.org/secret-key/1.1/
5. Edit using VI, the file ~/html/wp-config.php
   Add the following line:
   include('/path/config.php');Note: Replace /path/ with the full path to the config.php file.

   Remove the following sections:
   define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

6. Remove default content:
   rm -f ~/html/license.txt
rm -f ~/html/readme.html
rm -f ~/html/wp-config-sample.php
rm -f ~/html/wp-content/plugins/hello.php
7. Create using VI the file ~/html/.htaccess with the following content:
   <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
</Files>
8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
   AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
9. Create the following folders:
   mkdir -p ~/html/wp-content/cache
mkdir -p ~/html/wp-content/uploads
mkdir -p ~/html/wp-content/upgrade

10. Change the file permissions:
    chmod -R 777 ~/html/wp-content/cache
chmod -R 777 ~/html/wp-content/uploads
chmod -R 777 ~/html/wp-content/upgrade
11. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
12. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
13. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
14. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
15. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
16. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
17. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
18. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
19. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
20. Click on “Save changes”.
21. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
22. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
23. Click “Submit”.
24. From the upper pane, click on “Log Out”.
25. Delete the file /wp-admin/install.php
26. In-case the server was configured with SSL certificate, add the following line to the config.php file:
    define('FORCE_SSL_LOGIN', true);

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount

3. Run the commands bellow to switch to the SSH account:
   su sshaccount

4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys

6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit

8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 3.0 from:
    http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-3.0.zip file:
    unzip wordpress-3.0.zip
14. Remove WordPress source file:
    rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/wordpress"

    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Site Title
    • Username – replace the default “admin“
    • Password
    • E-mail
23. Click on “Install WordPress” button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address.
27. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

28. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
29. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
30. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
31. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
33. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
38. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
39. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
42. Click on “Save changes”.
43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

45. Click “Submit”.
46. From the upper pane, click on “Log Out”.
47. Delete the file /wp-admin/install.php
48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

1. Login to the server using Root account.
2. Install from the RHEL 5.4 DVD the following RPM:
   rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
3. Create a group for FTP users:
   groupadd ftp-users
4. Create folder for the FTP:
   mkdir -p /ftp
5. Change ownership and permissions on the FTP folder:
   chown root:ftp-users /ftp
chmod 777 -R /ftp
6. Example of user creation:
   useradd -g ftp-users -d /ftp user1
passwd user1

7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
   Change from:
   anonymous_enable=YESTo:
   anonymous_enable=NO

   Change from:
   xferlog_std_format=YESTo:
   xferlog_std_format=NO

   Change from:
   #tftpd_banner=Welcome to blah FTP service.To:
   tftpd_banner=Secure FTP server

   Add the lines bellow:
   local_root=/ftp
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem


8. Run the command bellow to create VSFTP SSL key:
   openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Note: The command above should written as one line.
9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
10. Run the command bellow to manually start the VSFTP service:
    /etc/init.d/vsftpd start
11. Run the command bellow to configure the VSFTP to start at server startup:
    chkconfig vsftpd on

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl

3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
5. Send the file /tmp/nginx.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
11. Remove the original server.crt and ca-bundle.crt files:
    rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt

12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443;
    # server_name localhost;

    # ssl on;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;

    # ssl_session_timeout 5m;

    # ssl_protocols SSLv2 SSLv3 TLSv1;
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # ssl_prefer_server_ciphers on;

    # location / {
# root html;
# index index.html index.htm;
# }
#}
To:
    server {
listen 443;
server_name Server_FQDN;
ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /www;
index index.html index.htm;
}
}


13. Restart the Nginx service:
    /etc/init.d/nginx restart

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl

3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
   cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pemNote: The command above should be written as one line.
9. Remove the original server.crt file:
   rm -f /etc/lighttpd/ssl/server.crt

10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
    $SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
}
13. Restart the Lighttpd service.

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
   su sshaccount
4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit
8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
   Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
    http://wordpress.org/download
11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
    tar -zxvf wordpress-2.9.2.tar.gz
14. Remove WordPress source file:
    rm -f /www/wordpress-2.9.2.tar.gz
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"
To:
    DocumentRoot "/www/wordpress"
Replace the value of the string, from:
    LimitRequestBody 10000
To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Blog Title
    • E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
25. Run the following commands from the MySQL prompt:
    use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
    Note 1: Replace “johnd” with your own new WordPress admin.
    Note 2: Replace “password3” with complex password (at least 14 characters).
26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
    'timeout' => apply_filters( 'http_request_timeout', 5),
To:
    'timeout' => apply_filters( 'http_request_timeout', 30),
27. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

31. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
32. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
33. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
35. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602

40. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602

41. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php

42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
    wp-content/uploads

44. Click on “Save changes”.
45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

47. Click “Submit”.
48. From the upper pane, click on “Log Out”.
49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Pre-installation notes
The guide bellow is based on the previous guide

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl
3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
5. Send the file /tmp/apache.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
    Listen Server_FQDN:443
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
11. Restart the Apache services:
    /usr/local/apache2/bin/apachectl restart
12. Backup the file /usr/local/apache2/ssl/server.key

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Mount Solaris 10 DVD, and move to the packages folder:
   cd /cdrom/sol_10_1008_x86/Solaris_10/Product
3. Run the command bellow to install OpenSSL packages:
   pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
4. Create folder for the SSL certificate files:
   mkdir -p /etc/apache2/ssl.crt
5. Create folder for the SSL private key:
   mkdir -p /etc/apache2/ssl.key
6. Run the command bellow to generate a key pair:
   /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
   Specify a complex pass phrase for the private key (and document it)
7. Change the permissions on the private key file:
   chmod 600 /etc/apache2/ssl.key/server.key
8. Run the command bellow to generate the CSR:
   /usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
9. Send the file /tmp/apache.csr to a Certificate Authority server.
10. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
11. Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
12. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
13. Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
14. Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
    From:
    SSLSessionCache dbm:/var/run/apache2/ssl_scacheTo:
    SSLSessionCache dbm:/var/ apache2/ssl_scache

    From:
    SSLMutex file:/var/run/apache2/ssl_mutexTo:
    SSLMutex file:/var/apache2/ssl_mutex

    From:
    ServerName 127.0.0.1:443To:
    ServerName Server_FQDN:443

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crtTo:
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    From:
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLTo:
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

15. Remove the section bellow:
    <Directory "/var/apache2/cgi-bin">
16. Stopping Apache from command line:
    /usr/apache2/bin/apachectl stop
17. Starting Apache from command line:
    /usr/apache2/bin/apachectl startssl

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /var/apache/tomcat55/conf/ssl.crt
3. Create folder for the SSL private key:
   mkdir -p /var/apache/tomcat55/conf/ssl.key
4. Change ownership of all server files to the tomcat user:
   chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
5. Run the command bellow to generate a key store:
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
6. Run the command bellow to generate a CSR (certificate request):
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
12. Run the command bellow to import the trusted root CA public certificate:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

13. Run the command bellow to import the signed public key into the key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
15. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
    <Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" />
16. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
    <user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

17. Start the Tomcat service:
    /etc/init.d/tomcat start -security