web analytics

Archive for the ‘TLS’ Category

Integrate security aspects in a DevOps process

A diagram of a common DevOps lifecycle:

The DevOps world meant to provide complementary solution for both quick development (such as Agile) and a solution for cloud environments, where IT personnel become integral part of the development process. In the DevOps world, managing large number of development environments manually is practically infeasible. Monitoring mixed environments become a complex solution and deploying large number of different builds is becoming extremely fast and sensitive to changes.

The idea behind any DevOps solution is to provide a solution for deploying an entire CI/CD process, which means supporting constant changes and immediate deployment of builds/versions.
For the security department, this kind of process is at first look a nightmare – dozen builds, partial tests, no human control for any change, etc.

For this reason, it is crucial for the security department to embrace DevOps attitude, which means, embedding security in any part of the development lifecycle, software deployment or environment change.

It is important to understand that there are no constant stages as we used to have in waterfall development lifecycle, and most of the stages are parallel – in the CI/CD world everything changes quickly, components can be part of different stages, and for this reason it is important to confer the processes, methods and tools in all developments and DevOps teams.

In-order to better understand how to embed security into the DevOps lifecycle, we need to review the different stages in the development lifecycle:

Planning phase

This stage in the development process is about gathering business requirements.

At this stage, it is important to embed the following aspects:

  • Gather information security requirements (such as authentication, authorization, auditing, encryptions, etc.)
  • Conduct threat modeling in-order to detect possible code weaknesses
  • Training / awareness programs for developers and DevOps personnel about secure coding

 

Creation / Code writing phase

This stage in the development process is about the code writing itself.

At this stage, it is important to embed the following aspects:

  • Connect the development environments (IDE) to a static code analysis products
  • Review the solution architecture by a security expert or a security champion on his behalf
  • Review open source components embedded inside the code

 

Verification / Testing phase

This stage in the development process is about testing, conducted mostly by QA personnel.

At this stage, it is important to embed the following aspects:

  • Run SAST (Static application security tools) on the code itself (pre-compiled stage)
  • Run DAST (Dynamic application security tools) on the binary code (post-compile stage)
  • Run IAST (Interactive application security tools) against the application itself
  • Run SCA (Software composition analysis) tools in-order to detect known vulnerabilities in open source components or 3rd party components

 

Software packaging and pre-production phase

This stage in the development process is about software packaging of the developed code before deployment/distribution phase.

At this stage, it is important to embed the following aspects:

  • Run IAST (Interactive application security tools) against the application itself
  • Run fuzzing tools in-order to detect buffer overflow vulnerabilities – this can be done automatically as part of the build environment by embedding security tests for functional testing / negative testing
  • Perform code signing to detect future changes (such as malwares)

 

Software packaging release phase

This stage is between the packaging and deployment stages.

At this stage, it is important to embed the following aspects:

  • Compare code signature with the original signature from the software packaging stage
  • Conduct integrity checks to the software package
  • Deploy the software package to a development environment and conduct automate or stress tests
  • Deploy the software package in a green/blue methodology for software quality and further security quality tests

 

Software deployment phase

At this stage, the software package (such as mobile application code, docker container, etc.) is moving to the deployment stage.

At this stage, it is important to embed the following aspects:

  • Review permissions on destination folder (in case of code deployment for web servers)
  • Review permissions for Docker registry
  • Review permissions for further services in a cloud environment (such as storage, database, application, etc.) and fine-tune the service role for running the code

 

Configure / operate / Tune phase

At this stage, the development is in the production phase and passes modifications (according to business requirements) and on-going maintenance.

At this stage, it is important to embed the following aspects:

  • Patch management processes or configuration management processes using tools such as Chef, Ansible, etc.
  • Scanning process for detecting vulnerabilities using vulnerability assessment tools
  • Deleting and re-deployment of vulnerable environments with an up-to-date environments (if possible)

 

On-going monitoring phase

At this stage, constant application monitoring is being conducted by the infrastructure or monitoring teams.

At this stage, it is important to embed the following aspects:

  • Run RASP (Runtime application self-production) tools
  • Implement defense at the application layer using WAF (Web application firewall) products
  • Implement products for defending the application from Botnet attacks
  • Implement products for defending the application from DoS / DDoS attacks
  • Conduct penetration testing
  • Implement monitoring solution using automated rules such as automated recovery of sensitive changes (tools such as GuardRails)

 

Security recommendations for developments based on CI/CD / DevOps process

  • It is highly recommended to perform on-going training for the development and DevOps teams on security aspects and secure development
  • It is highly recommended to nominate a security champion among the development and DevOps teams in-order to allow them to conduct threat modeling at early stages of the development lifecycle and in-order to embed security aspects as soon as possible in the development lifecycle
  • Use automated tools for deploying environments in a simple and standard form.
    Tools such as Puppet require root privileges for folders it has access to. In-order to lower the risk, it is recommended to enable folder access auditing.
  • Avoid storing passwords and access keys, hard-coded inside scripts and code.
  • It is highly recommended to store credentials (SSH keys, privileged credentials, API keys, etc.) in a vault (Solutions such as HashiCorp vault or CyberArk).
  • It is highly recommended to limit privilege access based on role (Role based access control) using least privileged.
  • It is recommended to perform network separation between production environment and Dev/Test environments.
  • Restrict all developer teams’ access to production environments, and allow only DevOps team’s access to production environments.
  • Enable auditing and access control for all development environments and identify access attempts anomalies (such as developers access attempt to a production environment)
  • Make sure sensitive data (such as customer data, credentials, etc.) doesn’t pass in clear text at transit. In-case there is a business requirement for passing sensitive data at transit, make sure the data is passed over encrypted protocols (such as SSH v2, TLS 1.2, etc.), while using strong cipher suites.
  • It is recommended to follow OWASP organization recommendations (such as OWASP Top10, OWASP ASVS, etc.)
  • When using Containers, it is recommended to use well-known and signed repositories.
  • When using Containers, it is recommended not to rely on open source libraries inside the containers, and to conduct scanning to detect vulnerable versions (including dependencies) during the build creation process.
  • When using Containers, it is recommended to perform hardening using guidelines such as CIS Docker Benchmark or CIS Kubernetes Benchmark.
  • It is recommended to deploy automated tools for on-going tasks, starting from build deployments, code review for detecting vulnerabilities in the code and open source code, and patch management processes that will be embedded inside the development and build process.
  • It is recommended to perform scanning to detect security weaknesses, using vulnerability management tools during the entire system lifetime.
  • It is recommended to deploy configuration management tools, in-order to detect and automatically remediate configuration anomalies from the original configuration.

 

Additional reading sources:

 

 

This article was written by Eyal Estrin, cloud security architect and Vitaly Unic, application security architect.

Fixing the “Heartbleed” OpenSSL Bug: A Tutorial for Sys Admins

The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.

So what exactly is the bug anyway?

Here’s a very quick rundown:

A potentially critical problem has surfaced in the widely used OpenSSL cryptographic library. It is nicknamed “Heartbleed” because the vulnerability exists in the “heartbeat extension” (RFC6520) to the Transport Layer Security (TLS)  and it is a memory leak (“bleed”) issue.  User passwords and other important data may have been compromised on any site affected by the vulnerability.

The vulnerability is particularly dangerous for two reasons:

  1. Potentially critical data is leaked.
  2. The attack leaves no trace.

The affected OpenSSL versions are 1.0.1 through 1.0.1f, 1.0.2-beta, and 1.0.2-beta1.

Who is affected by the problem?

Short answer:  Anyone and everyone who uses these versions of OpenSSL.

And that’s a LOT of companies and a LOT of people.

Before we get into our Heartbleed tutorial, here’s just a brief sampling of major companies and websites that are known to have been affected and that needed to patch their sites:  GmailYahoo MailIntuit TurboTaxUSAA, Dropbox, Flickr, Instagram, PinterestSoundCloud, Tumblr, GitHubGoDaddyBoingo Wireless, and many more.

If you're wondering how to protect against openssl Heartbleed, start by using the Heartbleed test.

Many, many corporate websites, of companies of all sizes, have been (or still need to be!) patched to fix the Heartbleed vulnerability.

The vulnerability has existed since December 31, 2011, with OpenSSL being used by about 66% of Internet hosts.

As a user, chances are that sites you frequent regularly are affected and that your data may have been compromised. As a developer or sys admin, sites or servers you’re responsible for are likely to have been affected as well.

So what do I need to do to protect myself if I use any of the affected sites?

The main thing you should do immediately is to change your passwords for any of the affected sites for which you have a login account.

And what do I need to do to fix and protect against Heartbleed if I’m the sys admin for a site that uses OpenSSL?

If you’re using OpenSSL 1.0.1, do one of the following immediately:

  • Upgrade to OpenSSL 1.0.1g, or
  • Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

If you’re using OpenSSL 1.0.2, the vulnerability will be fixed in 1.0.2-beta2 but you can’t wait for that.  In the interim, do one of the following immediately:

  • Revert to OpenSSL 1.0.1g, or
  • Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

Most distributions (e.g., Ubuntu, Fedora, Debian, Arch Linux) have upgraded their packages already.  In cases like Gentoo, you can upgrade to a patched ebuild.

Once you’ve upgraded (or recompiled) and have established a secure version on your server:

  • Be sure to restart all potentially affected processes.  Major daemons affected by the bug include Apache, Nginx, OpenVPN, and sshd; basically anything and everything linked against libssl. (Note that a restart of these daemons should be sufficient.  There should be no need to rebuild these binaries since they are dynamically linked with the openssl libraries.)
  • Verify that you are no longer vulnerable using tools like this online test or this tool on GitHub or this tool on Pastebin.

If your infrastructure was vulnerable, there are Heartbleed tutorial steps that you can and should take.  A useful list of such mitigations is available here.

More gory Heartbleed details, for those who are interested…

As explained in the GitHub commit for the fix, a missing bounds check in the handling of the TLS heartbeat extension could be exploited to reveal up to 64k of memory to a connected client or server.

While the exposed memory could potentially just be garbage, it could just as easily turn out to be extremely valuable to a malicious attacker.

Here’s how the Heartbleed vulnerability works:  An attacker provides the payload as well as the payload length.  However, no validation is done to confirm that the payload length was actually provided by the attacker.  If the payload length was not provided, an out-of-bounds read occurs, which in turn leaks process memory from the heap.

Leaking previous request headers can be a very serious security problem. Specifically, a prior user’s login post data might still be available with their username, password, and cookies, all of which can then be exposed and exploited. Moreover, although private key leakage through Heartbleed was initially deemed to be unlikely, it has been verified that private SSL keys can be stolen by exploiting this vulnerability.

Fixing Heartbleed is critical as it has been confirmed that private SSL keys can be stolen this way.

The vulnerability is also made possible due to OpenSSL’s silly use of a malloc() cache.  By wrapping away libc functions and not actually freeing memory, the exploitation countermeasures in libc are never given the chance to kick in and render the bug useless.

Additional details on these ways to fix Heartbleed are available here and here.

And, for what it’s worth, here’s a more amusing perspective.

Kudos to the discoverer, Neel Mehta of Google Security, as well as Adam Langley and Bodo Moeller who promptly provided the patch and helped sys admins determine how to fix Heartbleed. I also encourage you to educate yourself on some of the other common web security vulnerabilities to avoid issues in the future.

Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)

This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from
BEAST attack and CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:

  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation phase

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd tomcat
    useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
  3. Download the lastest JDK8 for Linux from:
    http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
  4. Upgrade to the latest build of Oracle JDK:
    rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
  5. Delete the JDK8 source files:
    rm -rf /tmp/jdk-8u45-linux-x64.rpm
    rm -rf /usr/java/jdk1.8.0_45/src.zip
  6. Download the latest Tomcat 8 source files:
    cd /opt
    wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
  7. Extract Tomcat source files:
    tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
  8. Rename the Tomcat folder:
    mv /opt/apache-tomcat-8.0.21 /opt/tomcat
  9. Remove default content:
    rm -rf /opt/apache-tomcat-8.0.21.tar.gz
    rm -rf /opt/tomcat/webapps/docs
    rm -rf /opt/tomcat/webapps/examples
    rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
    rm -rf /opt/tomcat/webapps/host-manager
    rm -rf /opt/tomcat/webapps/manager
    rm -rf /opt/tomcat/work/Catalina/localhost/docs
    rm -rf /opt/tomcat/work/Catalina/localhost/examples
    rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
    rm -rf /opt/tomcat/work/Catalina/localhost/manager
  10. Change folder ownership and permissions:
    chown -R tomcat.tomcat /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat/conf
    chmod o-rwx /opt/tomcat/logs
    chmod o-rwx /opt/tomcat/temp
    chmod g-w,o-rwx /opt/tomcat/bin
    chmod g-w,o-rwx /opt/tomcat/webapps
    chmod 770 /opt/tomcat/conf/catalina.policy
    chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
    chmod g-w,o-rwx /opt/tomcat/conf/context.xml
    chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
    chmod g-w,o-rwx /opt/tomcat/conf/server.xml
    chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
    chmod g-w,o-rwx /opt/tomcat/conf/web.xml
  11. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  12. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  13. Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
    Replace the string below from:
    server.infoerver.info=Apache Tomcat/8.0.21
    To:
    server.infoerver.info=Secure Web serverReplace the string below from:
    server.number=8.0.21.0
    To:
    server.number=1.0.0.0Replace the string below from:
    server.built=Mar 23 2015 14:11:21 UTC
    To:
    server.built=Jan 01 2000 00:00:00 UTC
  14. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  15. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  16. Remove the folder below:
    rm -rf /opt/tomcat/lib/org
  17. Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
    Replace the:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />

    To:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    xpoweredBy="false"
    allowTrace="false"
    redirectPort="8443" />
    Replace the:
    <Server port="8005" shutdown="SHUTDOWN">
    To:
    <Server port="-1" shutdown="SHUTDOWN">Replace the:
    autoDeploy="true"
    To:
    autoDeploy="false"
  18. Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
    <html>
    <head>
    <title>404-Page Not Found</title>
    </head>
    <body> The requested URL was not found on this server. </body>
    </html>
  19. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <error-page>
    <error-code>400</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>401</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>410</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>411</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>412</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>413</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>408</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>500</error-code>
    <location>/error.jsp </error-page><!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Create using VI, the file /etc/init.d/tomcat, with the following content:
    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80
    JAVA_HOME=/usr/java/jdk1.8.0_45
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH
    CATALINA_HOME=/opt/tomcat/bin
    case $1 in
    start)
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    stop)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    ;;
    restart)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    esac
    exit 0
    Note: Update the “JAVA_HOME” path according to the install JDK build.
  21. Change the permission on the tomcat script:
    chmod 755 /etc/init.d/tomcat
  22. To start Tomcat service at server start-up, run the command:
    chkconfig tomcat on
  23. To manually start the Tomcat service, use the command:
    service tomcat start
  24. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  25. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  26. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  27. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/tomcat/ssl
    chown -R tomcat:tomcat /opt/tomcat/ssl
    chmod -R 755 /opt/tomcat/ssl
  3. Run the command below to generate a key store:
    /usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  4. Run the command below to generate a CSR (certificate request):
    /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  5. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /opt/tomcat/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
  10. Run the command below to import the trusted root CA public certificate:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  11. Run the command below to import the signed public key into the key store:
    /usr/java/jdk1.8.0_45/bin/keytool -import -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
  12. Stop the Tomcat service:
    service tomcat stop
  13. Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
    <Connector port="8443"
    protocol="HTTP/1.1"
    maxThreads="150"
    xpoweredBy="false"
    allowTrace="false"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/opt/tomcat/ssl/server.key"
    keystorePass="ComplexPassword"
    keyAlias="FQDN_Name"
    clientAuth="false"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    Note 1: Replace ComplexPassword with your own complex password.
    Note 2: Replace “FQDN_Name” with the server DNS name.
  14. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  15. Edit using VI, the file /opt/tomcat/conf/context.xml and add the following parameter inside the context tag:
    usehttponly="true"
  16. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  17. Save the IPTables settings:
    service iptables save
  18. To manually start the Tomcat service, use the command:
    service tomcat start

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installation, configuration and hardening of NGINX server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation Phase

  1. Login to the server using Root account
  2. Install pre-requirement packages:
    yum install policycoreutils-python-* -y
    yum install setools-libs-* -y
    yum install libcgroup-* -y
    yum install audit-libs-python-* -y
    yum install libsemanage-python-* -y
    yum install setools-libs-python-* -y
    yum install gcc* -y
  3. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  4. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl -y
  5. Download Openssl source files:
    cd /opt
    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
  6. Extract Openssl source files:
    tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
  7. Remove Openssl source file:
    rm -rf /opt/openssl-1.0.1e.tar.gz
  8. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  9. Compile PCRE from source file:
    tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp
    mv /tmp/pcre-8.34 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install
  10. Remove PCRE package:
    rm -rf /tmp/pcre-8.34.tar.gz
  11. Download Nginx 1.5.8:
    cd /tmp
    wget http://nginx.org/download/nginx-1.5.8.tar.gz
  12. Extract the nginx-1.5.8.tar.gz file:
    tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
  13. Move to the Nginx source folder:
    cd /tmp/nginx-1.5.8
  14. Edit using VI, the file
    /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;
  15. Run the commands bellow to compile the Nginx environment:
    ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcreNote: The command above should be written as one line.
    make
    make install
  16. Remove the Nginx source files:
    cd /
    rm -rf /tmp/nginx-1.5.8
    rm -f /tmp/nginx-1.5.8.tar.gz
  17. Remove Default Content
    rm -rf /usr/local/nginx/html
  18. Updating Ownership and Permissions on Nginx folders:
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs
  19. Create folder for the web content:
    mkdir -p /www
  20. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  21. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;To:
    user nginx nginx;From:
    #error_log logs/error.log notice;To:
    error_log logs/error.log notice;From:
    server_name localhost;To:
    server_name Server_FQDN;Note: Replace Server_FQDN with the actual server DNS name.

    From:
    root html;To:
    root /www;

  22. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
    ## turn off nginx version number ##
    server_tokens off;
    ## Size Limits & Buffer Overflows ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 2k;
    ## Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  23. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid
    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest || return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q || exit 0
    $1
    ;;
    restart|configtest)
    $1
    ;;
    reload)
    rh_status_q || exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestart|try-restart)
    rh_status_q || exit 0
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
    esac

  24. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  25. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  26. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  27. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  28. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  29. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  30. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /usr/local/nginx/ssl
    chmod 600 /usr/local/nginx/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csrNote: The command above should be written as one line.
  5. Send the file /tmp/server.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt”
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pemNote: The command above should be written as one line.
  11. Remove the key store passphrase:
    /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.keyNote: The command above should be written as one line.
  12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
    rm -f /tmp/server.csr
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    # HTTPS server
    #
    server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    # HTTP Strict Transport Security #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # X-Frame-Options header #
    add_header X-Frame-Options SAMEORIGIN;
    location / {
    root /www;
    index index.html index.htm;
    }
    }
    Note: Replace Server_FQDN with the actual server DNS name.
  14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  15. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  16. Save the IPTables settings:
    service iptables save
  17. Restart the nginx:
    service nginx restart

Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

      This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
      Some of the features explained in this document are supported by only some of the Internet browsers:

    • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
    • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Pre-Requirements

    • policycoreutils-python-* package installed
    • setools-libs-* package installed
    • libcgroup-* package installed
    • audit-libs-python-* package installed
    • libsemanage-python-* package installed
    • setools-libs-python-* package installed
    • gcc* package installed
    • gcc-c++* package installed
    • autoconf* package installed
    • automake* package installed
    Installation Phase

  1. Login to the server using Root account
  2. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

    yum --enablerepo=axivo update openssl -y

  3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
  4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
  5. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  6. Compile PCRE from source file:

    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

    mv /tmp/pcre-8.33 /usr/local/pcre

    cd /usr/local/pcre

    ./configure --prefix=/usr/local/pcre

    make

    make install

  7. Extract Apache source files:
    cd /tmp

    tar zxvf httpd-2.4.6.tar.gz

    cd httpd-2.4.6/srclib/

    tar zxvf ../../apr-1.4.8.tar.gz

    ln -s apr-1.4.8/ apr

    tar zxvf ../../apr-util-1.5.2.tar.gz

    ln -s apr-util-1.5.2/ apr-util

  8. Compile the Apache from source files:
    cd /tmp/httpd-2.4.6

    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

    make

    make install

  9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz

    rm -rf /tmp/apr-util-1.5.2.tar.gz

    rm -rf /tmp/httpd-2.4.6.tar.gz

    rm -rf /tmp/httpd-2.4.6

    rm -rf /tmp/pcre-8.33.tar.gz

  10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin

    rm -rf /opt/httpd/htdocs

    rm -rf /opt/httpd/icons

    rm -rf /opt/httpd/man

    rm -rf /opt/httpd/manual

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-default.conf

    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-info.conf

    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

    rm -rf /opt/httpd/conf/extra/proxy-html.conf

    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

    rm -rf /opt/httpd/conf/original

  11. Updating Ownership and Permissions on Apache folders:
    chown root:root /opt/httpd/bin/apachectl

    chown root:root /opt/httpd/bin/httpd

    chmod 770 /opt/httpd/bin/apachectl

    chmod 770 /opt/httpd/bin/httpd

    chown -R root:root /opt/httpd

    chmod -R go-r /opt/httpd

    chown -R root:root /opt/httpd/logs

    chmod -R 700 /opt/httpd/logs

  12. Create folder for the web content:
    mkdir -p /www
  13. Updating Ownership and Permissions on the web content folder:
    chown -R root /www

    chmod -R 775 /www

  14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    restorecon -F -R -v /www

  15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin root@localhostTo:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

    From:
    <Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

  16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file, begining with:
    ScriptAlias

    IndexOptions

    AddIconByEncoding

    AddIconByType

    AddIcon

    DefaultIcon

    ReadmeName

    HeaderName

    IndexIgnore

    LanguagePriority

    ForceLanguagePriority

  17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so

    LoadModule status_module modules/mod_status.so

    LoadModule info_module modules/mod_info.so

    LoadModule autoindex_module modules/mod_autoindex.so

    LoadModule include_module modules/mod_include.so

    LoadModule userdir_module modules/mod_userdir.so

    LoadModule env_module modules/mod_env.so

    LoadModule negotiation_module modules/mod_negotiation.so

    LoadModule actions_module modules/mod_actions.so

  18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
  19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
  20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
  22. Extract and install the Apache boot script:
    cd /tmp/

    tar xvjf blfs-bootscripts-20131023.tar.bz2

    cd /tmp/blfs-bootscripts-20131023

    make install-httpd

  23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
    From:
    /usr/sbin/apachectlTo:
    /opt/httpd/bin/apachectl

    From:
    log_info_msgTo:
    echo

    From:
    evaluate_retvalTo:
    #evaluate_retval

  24. Configure the Apache to start automatically:
    chkconfig httpd on
  25. Configure IPTables:
    service iptables stop

    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
  27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  28. Save the IPTables settings:
    service iptables save
  29. Start the Apache daemon:
    service httpd start
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/httpd/conf/ssl

    chmod 600 /opt/httpd/conf/ssl

  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
    Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/apache.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
  7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
  8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    Listen Server_FQDN:80To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerName Server_FQDNTo:
    ServerName Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    #Include conf/extra/httpd-ssl.confTo:
    Include conf/extra/httpd-ssl.conf

    From:
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.soTo:
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
    From:
    SSLCertificateFile "/opt/httpd/conf/server.crt"To:
    SSLCertificateFile /opt/httpd/conf/ssl/server.crt

    From:
    SSLCertificateKeyFile "/opt/httpd/conf/server.key"To:
    SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

    From:
    #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"To:
    SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

    From:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5To:
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    From:
    #SSLHonorCipherOrder onTo:
    SSLHonorCipherOrder On

    From:
    Listen @@SSLPort@@To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    ServerName www.example.com:@@SSLPort@@To:
    #ServerName www.example.com:@@SSLPort@@

    From:
    ServerAdmin [email protected]To:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    <VirtualHost _default_:@@SSLPort@@>To:
    <VirtualHost _default_:443>

  10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2
    SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
    # Disable SSL Compression
    SSLCompression Off
  11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
  12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  14. Save the IPTables settings:
    service iptables save
  15. Restart the Apache service:
    service httpd restart