http://www.isg.rhul.ac.uk/tls/

Roy Coren
Security Specialist
Roy Coren AT gmail

http://mtc.sri.com/live_data/binaries/

HAPPY NEW YEAR!
Roy Coren
Security Specialist
Roycoren AT gmail.com

1) Hostile Downloaded from “some” website or using exposed browser holes to get into a computer.
BTW – the hostile file can be an innocent legitimate skype.exe file that has been downloaded NOT from skype website…

2) If section 1 succeeded and no AV engine has stopped it , the hostile file is trying to “sniff” it’s way inside your organization , trying to elevate privileges and get as much as information as he can before going into phase II.

3) After getting some idea of how your organization “works” – the hostile file trying to get out and connect to the operator site , this phase usually known as domain fluxing and expressed by multiple burst random DNS searches to sites like [aabbccdd.your company domain extension ] or any other random sequence.
At this step – if you have implemented the right products, the hostile activity should be block at your gateway via IDS\IPS \FW \proxy\url filtering\DLP or any other PREVENTION product.
If it doesn’t and you need to look at step 4 – chances are you are in deep trouble…

4) Also known as Phase II, in which the hostile file –using it’s operator, are evolving into one unit that is fully aware of your organization methods and can exploit almost any aspect on your INTERNAL network.
This includes admin users, passwords, emails, internal ip’s ,DC’s, DNS ,AD and even firewall changing data.
This allows the attacker or shell we say “your commander” , to do whatever he likes in your data. 1-0 to the bad guys….
The first question you might ask is: if my AV vendor is not discovering the bad guys , what can I do?
Well – a good one…this brings me back to my friend original request once again. And the answer is:
No AV vendor is “the one” , enough to look at sites like Virus total or URL Query to see that even 10 AV engines together can miss…therefore you need special tools for this special jobs.
Or worst , if you trust your AV vendor as your sole solution for security – change your job…
It has got to be a BEST OF BREAD solutions that will answer your dynamic organization’s requests and whims..
They MUST be able to do the following in order to crossfire any hostile file in your environment.

Also make sure you IRT team are Using them and their results on a daily bases, in fact – base your security protocols and procedures on their output.

1) Security Event Management (SIEM): [ Such As Arcsight ,Symantec,RSA ]
Connect every available and relevant device to your SIEM and write basic rules .
Improve those rules as you go and remember, those devices can archive almost everything that happened on your network fairly easily, it is the correlation between those events that makes your life easier.

2) A cross stream line analyzer: [ Such As Damballa FailSafe , Fire Eye , websense Full Suite, advanced Proxy\URL filtering ]
This device sole purpose is to analyze the data from the endpoint to the DNS server \ Proxy \ FW and correlate them to one valid event.
As I explained in the C&C life cycle , it is essential to expose the hostile before phase II , meaning if you can catch one machine [or Asset] trying to contact hostile URL or doing a Domain fluxing –than phase II won’t be an issue for you.
Hell , you can even make these connections terminate automatically or have an event based action to your remediate device.

3) Investigating tool: [ Such As : Sillicium ECAT , HBGARY responder or even GMER or Comodo CCE ]
MUST HAVE The “cross platform approach” , meaning running in your whole enterprise as a natural endpoint agent , collecting ALL your computers\servers files into one place ,analyzing them and give you suspected or convicted files.
The methods should be as follow :

a) Compare your files through several MD5 signatures databases such as BIT9, NIST, MSDN, or any other Cloud based comparison engine(HITMAN\CCE)
This will bring UP all the files that has no valid or Root CA or No Company embedded in them -so only sealed authentic files can reside on your machines.
Any other result such as unknown files or broken CA – can imply that the file has been compromised by another hostile that may take additional steps, such as injecting DLL’s into other processes\Services and loading a rootkit, or connecting to additional C&C sites.

b) Use Several AV engines or upload your suspicious files from section A to sites like VirusTotal and similar. You can even upload the MD5 string to the web , you can consult with other findings on your specific hash.

c) Analyze Floating codes and memory Hash in live mode.

d) Create your OWN white list of files that has been created by your organization software developers – and direct them to work as methodically as they can.

e) Check your current network connection from the process and up.
Meaning if you can see EXCEL.exe reaching out to the internet – it is NOT looking to be updated from microsoft…
Even Simple NETSTAT –NAB can give you desired results.

f) Use a good URL filtering engine\Anti Bot – this actually should be the first DOT in the line of crossfire since you will most probably have an alert from your URL filtering device saying on machine tried to reach a hostile website. You can advise many other Online URL Checking tools.
a good tool in this section has to be one that updates as quickly as he can – since automated cleaning processes are happening on those websites almost whithin the hour – so before you block an access to it from your domain – make sure the danger hasn’t passed already…

From there you can start your query using all the tools and methods I have mentioned the more conclusive results on an evil residing on a machine you’ll get – the better.

this approach is the NOT bullet proof – but it will defiantly filter out above 95+% of your hostile files..therefore keep up with the technology and bring the human resource to the game.

GOOD LUCK!

Roy Coren

Security Specialist

Roycoren@gmail.com

One of the reasons is that you can’t keep your sensitive enviroment clean enough without damaging the users freedom and productivity. Especially VP’s.

Most of the time CISO and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that’s the police code for Kidnapping) , in that case you have a legal and usually a very big Go! From the CTO\CEO to do everything you can to stop it from happening again.

Those are the good time for software vendors \integrators who can celebrate a 100% sell rate on those companies.

But – as you guessed, those time pressed CISO’s  are not always aware on which products to implement and most important which technology will give them the best results per dime for the longest time…having that said without the right consultant the will take Pain and turn it to Gain, they usually invest in the wrong methods.

Getting back to the original “bug free” request, on those special cases I would recommend a full revision in the company approach to data security, starting from bottom up.

Implementing a good solid, management backed, data security policy is not something that happened in a day, but it is worth putting a lot of effort and starts something good and harvest those applause later

Issues to consider:

-          Have every user to sign that the computer\software he gets from the company are NOT his own.

-          Publish a list of allowed software in your organization-saying that anything besides that list will cause issues with the HR department…

-          Start by classifying  and identifying your:

1)      Sensitive data – “Show me your data and I’ll tell you how to protect it”

In most cases you will find that they DO NO know the location and the amount of it…this step alone take several months to complete

2)      Weakest points in the LAN \WAN\DMZ

3)      Everyday use data flow – this is the stream that all problems are starting from.

4)      Gather and estimate your human resources, see if the team needs additional knowledge and if he can handle 911 calls and everyday tasks.

In most cases you will find 1 or 2 persons doing 5 persons jobs – this is not the kind of situation you would want to be when implementing a large DLP or SIEM project and realize your team can’t decrypt the results or lack of time to do it.

-          Harden security policies on Mobile users – have smartphones and laptops use hard rules and policies without losing the dynamic of work productivity.

-          Offer well known , dumb proof, productive solutions for the issues above, you can start by drilling down your AD GPO and dead users, continue with AV kill rate to start ,along with your main firewalls rules and block ratio.

-          Keep your software up to date – probably the best tip I can give , no holes ,no foxes…

-          Assign virtual “Data owners” – have them to take responsibility on their data in terms of backup and unwanted access.

-          Pick less tools and solutions as possible for all the scenarios you can imagine – if the 911 call will arrive , the first thing you need is to act as fast as possible and you would want the best results \outcomes\ logs\ products refined and stilled to your desktop.

Now you can start thinking on wide projects like DLP, Endpoint security, SIEM, virtual security, IDS\IPS and most important – a descent monitoring system Or any other solutions that your organization needs – just make sure it fits your gold rules above.

With the outcomes of those  products , you can assign an incident response team to be the task force for all kinds of alarms and events.

And since you will get tens of millions events per day, if this team can handle 10 REAL security events per day , you have scored it! Ace!

See you on part 3..

Roy Coren

Security Specialist

Roycoren@gmail.com

N-Joy
Roy Coren,
Security Specialist
roycoren@gmail.com

Purpose of this article
Organizations are interested to protect their sensitive data, and DLP provides them with the framework to do that. So far no news… However, the DLP world is a bit more complicated than that and the purpose of this article is to highlight few basic domains and areas that are worth thinking about when considering DLP solutions.

Common Data Locations and States

• Data in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet
• Data at rest – Data that resides in files systems, databases and other storage methods
• Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices)

Examples of sensitive data:

• Confidential and/or proprietary data, for example: processes, methodologies, development code and etc.
• Customer and employee data
• Financial data
• Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA

Common Data Leakage Channels:
Technical side:

• Email Traffic – SMTP from mail servers
• Web mail (Gmail, Yahoo, etc)
• Uploading files to internet destinations (HTTP, HTTPS, FTP)
• Posting on internet sites (blogs, social media, forums)
• Instant messaging (gTalk, MSN, Yahoo, Skype)
• P2P networks
• Wi-Fi networks
• Key loggers, Trojan horses
• Multiple platform (Windows, Linux, MAC, etc)
• Application permissions (ERP, database, SaaS platforms, SharePoint)

Physical:

• Mobile devices
• Non-encrypted hard drives
• USB drives (Disk on key, external hard drives)
• Portable media (CD/DVD, floppy drive, backup tapes)
• Physical security (hard copy of documents)

Human factor:

• Lack of employee awareness to security risks
• Partners, suppliers, temporary employees and visitors
• Working from home, remote locations, internet cafe

Company’s needs to protect themselves from scenarios as mentioned below:

• Inadvertent forwarding of email containing product development or business plans to another email recipient
• An employee extracts data from a secure system and conducts the analysis on a less secure system
• Sending unreleased pricing information to the wrong email address
• Customer or competitive information sent by an employee to a third-party for financial gain
• A disgruntled employee with privileged access to sensitive information acts maliciously and steals information
• Proprietary information sent to a distributor, who might then forward it on to competitors
• Backup tapes are stored in a non-secure environment and curious intruder removes the tape to examine the content
• Incorrect settings of permissions of file and directory structure could allow anyone access the information

DLP solutions prevent confidential data loss by:

• Monitoring communications going outside of the organization
• Encrypting email containing confidential content
• Enabling compliance with global privacy and data security mandates
• Securing outsourcing and partner communications
• Protecting intellectual property
• Preventing malware-related data harvesting
• Enforcing acceptable use policies
• Providing a deterrent for malicious users (by creating the possibility of being caught)

How to implement DLP solution:

1. Perform risk assessment to find out:
• What type of data exists in the organization?
• Where is the data located/saved?
• How valuable is the data to the organization?
• What type of loss is the organization willing to accept?
• What are the regulatory and privacy gaps for the organization?
2. Classify the organization data:
• Top secret
• Secret
• Confidential
• Restricted
• Unclassified
3. Decide what information does the organization would like to search and protect:
• Pattern, keyword matching and dictionaries
• Document fingerprinting
• Database fingerprinting
4. Prepare data loss prevention plan:
• How to limit the damage to the organization
• How to avoid similar incidents from happening in the future
• How to report to the management, stock holders and media on the current data loss incident
5. Prepare policies, standards and procedures for handling data loss incidents:
• Scan HTTPS traffic on the gateway
• Block data from leaving the organization
• Encrypt sensitive information inside database
• Full disk encryption
• Encrypt data before sending to partners/suppliers
• Prevent use of portable media
• Employee awareness training
6. Deploy the DLP solution:
• Install a product on the gateway
• Configure SSL termination – recommended
• Configure encryption gateway for SMTP traffic – recommended
• Deploy agents on the end-points – highly recommended
7. Ongoing monitoring:
• Review incidents on regular basis (daily/weekly)
• Fine-tune the product to raise alerts on important incidents and collect all other incidents.
• Create reports on regular basis to locate top senders/targets
• Perform data discovery on regular basis (daily/weekly/month) on network shares, servers, end-points, etc.

1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
4. Accept the license agreement -> click Next.
5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the command prompt window, run the command bellow:
   sconfig.cmd
10. Press “2″ to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
12. From the command prompt window, run the command bellow:
    sconfig.cmd
13. Press “1” to join the server to the domain -> press “D” to join to domain -> specify the domain name -> click “Yes” to restart the server.
14. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
15. From the command prompt window, run the command bellow:
    sconfig.cmd
16. Press “5″ to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
17. Press “6″ to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
18. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
19. From the command prompt window, run the command bellow:
    sconfig.cmd
20. In-case you need to use RDP to access and manage the server, press “7″ to enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or “2″ according to your client settings -> Press OK.
21. Press “8″ to configure “Network settings” -> select the network adapter by its Index number -> press “1″ to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2″ to configure the DNS servers -> click OK -> press “4″ to return to the main menu.
22. Press “9″ to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
23. Press “11″ to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
24. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
25. To install the Hyper-V role, run the command bellow:
    start /w ocsetup Microsoft-Hyper-V
26. Click “Yes” to allow the server to restart.
27. To login to the server, press CTRL+ALT+DELETE -> supply credentials of Domain admin account.
28. To check that the installation completed, run the command:
    oclist | find /i "Microsoft-Hyper-V"
29. Run the commands bellow to enable remote management of the Hyper-V:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

30. In case you install antivirus for Server Core, add the following to the antivirus exclusions:
    • Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
    • Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
    • Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
    • Vmms.exe
    • Vmwp.exe

Manage Hyper-V VMs from Windows 7

1. Login to a Windows 7 client using administrative account.
2. Download and install the Remove Server Administration (RSAT) tools for Windows 7 from:
   http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
3. Open Control Panel and click Programs.
4. Click Turn Window features on or off.
5. Under Remote Server Administration Tools Role -> Administration Tools check Hyper-V Tools.
6. Launch to tools by either typing Hyper-V Manager at the Start menu or go to Start ->Administrative Tools ->Hyper-V Manager.

Virtual Machine Servicing Tool 3.0

Virtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches.
Download link:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23300

Using Authorization Manager for Hyper-V Security

Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.
Link for more information:
http://technet.microsoft.com/en-us/library/cc726036.aspx

The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

PHP installation phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
   rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm

3. Download MySQL development RPM from:
   http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
4. Download PHP 5.3.8 source files from:
   http://php.net/downloads.php
5. Download the latest libxml2 for PHP from:
   http://xmlsoft.org/sources/
6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
8. Move to /tmp
   cd /tmp
9. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
11. Extract the php-5.3.8.tar.gz file:
    tar -zxvf php-5.3.8.tar.gz
12. Extract the libxml2 source file:
    tar -zxvf libxml2-2.7.7.tar.gz
13. Move the libxml2-2.7.7 folder:
    cd /tmp/libxml2-2.7.7
14. Run the commands bellow to compile the libxml2:
    ./configuremakemake install
15. Move to the PHP source folder:
    cd /tmp/php-5.3.8
16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftpmakemake install
17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.htmlTo:
    DirectoryIndex index.php index.html index.htm
    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 600000
18. Copy the PHP.ini file
    cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
19. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
20. Edit using VI, the file /etc/php.ini
    Replace the value of the string, from:
    mysql.default_host =To:
    mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
    pdo_mysql.default_socket=To:
    pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
    allow_url_fopen = OnTo:
    allow_url_fopen = OffReplace the value of the string, from:
    expose_php = OnTo:
    expose_php = OffReplace the value of the string, from:
    memory_limit = 128MTo:
    memory_limit = 64MReplace the value of the string, from:
    ;open_basedir =To:
    open_basedir = "/www"Replace the value of the string, from:
    post_max_size = 8MTo:
    post_max_size = 2MReplace the value of the string, from:
    disable_functions =To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
    ;include_path = ".:/php/includes"To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
    display_errors = OnTo:
    display_errors = OffReplace the value of the string, from:
    display_startup_errors = OnTo:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0To:
    gd.jpeg_ignore_warning = 1

21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test


Drupal installation phase

1. Login to the server using Root account.
2. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
3. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE Z5J6Dw1;
GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quitNote 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
4. Download Drupal 7.7 from:
   http://drupal.org/project/drupal
5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
6. Move to /www
   cd /www
7. Extract the file bellow:
   tar -zxvf drupal-7.7.tar.gz
8. Remove Drupal source file:
   rm -f /www/drupal-7.7.tar.gz
9. Rename the Drupal folder:
   mv /www/drupal-7.7 /www/drupal
10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php

11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/drupal"
12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
13. Create the following folders:
    mkdir /www/drupal/sites/default/filesmkdir /www/private
14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private
16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
17. Select “Standard” installation and click “Save and continue”.
18. Choose the default “English” and click “Save and continue”.
19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

20. Click “Save and Continue”.
21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
22. Select “Default country” and “Default time zone”.
23. Unselect the “Update Notifications” checkboxes.
24. Click “Save and Continue”.
25. Close the web browser.
26. Create using VI the file /www/config.php with the following content:
    <?php
$databases = array (
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);
?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
27. Edit using VI, the file /www/drupal/sites/default/settings.php
    Add the following line:
    include('/www/config.php');Remove the following section:
    $databases = array (
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);Replace the string from:
    ini_set('session.cookie_lifetime', 2000000);To:
    ini_set('session.cookie_lifetime', 0);
28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with "."
<FilesMatch "^\..*$">
Order allow,deny
</FilesMatch>
<FilesMatch "^.*\..*$">
Order allow,deny
</FilesMatch>
# Allow "." files with safe content types
<FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
Order deny,allow
</FilesMatch>
30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    • Drupal Firewall – http://drupal.org/project/dfw
    • SpamSpan filter – http://drupal.org/project/spamspan
    • Content Security Policy – http://drupal.org/project/content_security_policy
    • GoAway – http://drupal.org/project/goaway
    • IP anonymize – http://drupal.org/project/ip_anon
    • Flood control – http://drupal.org/project/flood_control
    • Password policy – http://drupal.org/project/password_policy
    • Persistent Login – http://drupal.org/project/persistent_login
    • Secure Permissions – http://drupal.org/project/secure_permissions
    • Security Review – http://drupal.org/project/security_review
    • System Permissions – http://drupal.org/project/system_perm
    • Block anonymous links – http://drupal.org/project/blockanonymouslinks
32. From SSH session, move to the folder /www/drupal/sites/all/modules.
33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gztar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gztar zxvf security_review-7.x-1.x-dev.tar.gztar zxvf system_perm-7.x-1.x-dev.tar.gztar zxvf blockanonymouslinks-7.x-1.1.tar.gz
34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gzrm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
41. Click on Save configuration.

Drupal SSL configuration phase

1. Add the following line to the /www/drupal/sites/default/settings.php file:
   $conf['https'] = TRUE;
2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
   • Secure Pages – http://drupal.org/project/securepages
   • Secure Login – http://drupal.org/project/securelogin
3. From SSH session, move to the folder /www/drupal/sites/all/modules.
4. Extract the downloaded above modules:
   tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz
5. Remove the modules source files:
   rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
6. Open a web browser from a client machine, and enter the URL bellow:
   https://Server_FQDN/?q=user/login
7. From the upper menu, click on Modules -> from the main page, select the following modules:
   • Secure Login
   • Secure Pages
8. Click on Save configuration.
9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

Pre-requirement

• CentOS 5.5 DVD
• Static IP address for the Kickstart/DHCP server
• /data partition
• In case using CISCO switches, “Spanning tree port fast” must be enabled.

Installation phase

1. Login to the CentOS server using Root account.
2. Mount the CentOS DVD:
   mount /dev/cdrom /media
3. Move to the CentOS RPM folder inside the DVD:
   cd /media/CentOS
4. Run the command bellow to install the TFTP-Server:
   
rpm -ivh xinetd-2.3.14-10.el5.i386.rpm
rpm -ivh tftp-server-0.49-2.el5.centos.i386.rpm
5. Run the command bellow to install the DHCP server:
   rpm -ivh dhcp-3.0.5-23.el5.i386.rpm
6. Create new folder for the Kickstart server:
   mkdir -p /data/kickstart
7. Edit using VI, the file /etc/xinetd.d/tftp and change the following settings:
   From:
   disable = yesTo:
   disable = noFrom:
   server_args = -s /tftpbootTo:
   server_args = -s /data/kickstart
8. Run the command bellow to start the TFTP server:
   /sbin/service xinetd start
9. Run the command bellow to start the TFTP server run at startup:
   chkconfig xinetd on
10. Edit using VI, the file /etc/dhcpd.conf and add the following lines:
    ddns-update-style none;
allow bootp;
allow booting;
subnet 10.1.1.0 netmask 255.255.255.0 {
option routers 10.1.1.254;
option domain-name-servers 10.1.1.2;
next-server 10.1.1.1;
filename "pxelinux.0";
range dynamic-bootp 10.1.1.200 10.1.1.210;
}Note 1: Replace 10.1.1.0 with the correct network ID.
    Note 2: Replace 255.255.255.0 with the correct subnet mask.
    Note 3: Replace 10.1.1.254 with the correct default gateway.
    Note 4: Replace 10.1.1.1 with the Kickstart server IP address.
    Note 5: Replace 10.1.1.200 with the first IP of the DHCP pool.
    Note 6: Replace 10.1.1.210 with the last IP of the DHCP pool.
    Note 7: Replace 10.1.1.2 with the correct DNS server.
11. Start the DHCP server
    service dhcpd start
12. Run the command bellow to start the DHCP server run at startup:
    chkconfig dhcpd on
13. Copy Boot Files
    cp /usr/lib/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /data/kickstart
14. Create a folder for the PXE menu files:
    mkdir -p /data/kickstart/pxelinux.cfg
15. Move to the CentOS DVD root folder:
    cd /media
16. Copy vmlinuz and initrd.img from the DVD to the images directory:
    cp /media/images/pxeboot/{vmlinuz,initrd.img} /data/kickstart/images
17. Create the CentOS DVD structure:
    cp -r CentOS /data/kickstart/
cp -r isolinux /data/kickstart/
cp -r repodata /data/kickstart/
cp -r images /data/kickstart/
18. Create using VI, the file /data/kickstart/pxelinux.cfg/default with the following content:
    default menu.c32
prompt 0
MENU TITLE PXE Menu
LABEL CentOS
MENU LABEL CentOS
KERNEL images/vmlinuz
append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg textNote: Replace 10.1.1.1 with the Kickstart server IP address.
19. Create an unattended installation script /data/kickstart/ks.cfg
    Note: Make sure the file starts with the following lines:
    install
nfs --server=10.1.1.1 --dir=/data/kickstartNote 1: Replace 10.1.1.1 with the Kickstart server IP address.
    Note 2: Make sure the lines beginning with “cdrom” and “url” does not exist on the file.
    Note 3: To review ks.cfg file options, see the link:
    http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/s1-kickstart2-options.html
20. Edit using VI, the file /etc/exports and add the following line:
    /data/kickstart *(ro,no_root_squash)
21. Start the NFS service:
    service portmap start
service nfs start
chkconfig nfs on