• Visitor Count
    RSS Security Google Group
    RSS Security Patch Management

    Hardening guide for Apache 2.0 on Solaris 10 platform

    PostDateIcon July 22nd, 2010 | PostAuthorIcon Author: eyalestrin
    1. Login to the server using Root account.
    2. Create a new account:

      groupadd apache
      useradd -g apache -d /dev/null -s /bin/false apache
      passwd apache
      passwd -l apache
    3. Mount Solaris 10 DVD, and move to the packages folder:
      cd /cdrom/sol_10_1008_x86/Solaris_10/Product
    4. Run the command bellow to install Apache2 packages:
      pkgadd -d . SUNWapch2r SUNWapch2u
    5. Remove Default Content
      rm -r /var/apache2/htdocs/
      rm -r /var/apache2/cgi-bin/
      rm -r /var/apache2/icons/
    6. Updating Ownership and Permissions on Apache2 folders:
      chown -R root:root /usr/apache2
      chmod -R 770 /usr/apache2/bin
      chown -R root:root /etc/apache2
      chmod -R go-r /etc/apache2
      chmod -R 770 /etc/apache2
      chown -R root:root /var/apache2/logs
      chmod -R 700 /var/apache2/logs
    7. Create folder for the web content:
      mkdir -p /www
    8. Updating Ownership and Permissions on the web content folder:
      chown -R root /www
      chmod -R 775 /www
    9. Copy the configuration file in-order to edit it:
      cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
    10. Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
      From:
      # LockFile /var/apache2/logs/accept.lockTo:
      LockFile /var/apache2/logs/accept.lock

      From:
      User webservdTo:
      User apache
      From:
      Group webservdTo:
      Group apache

      From:
      PidFile /var/run/apache2/httpd.pidTo:
      PidFile /var/apache2/logs/httpd.pid

      From:
      DocumentRoot "/var/apache2/htdocs"To:
      DocumentRoot "/www"

      From:
      ServerSignature OnTo:
      ServerSignature Off
      HostnameLookups Off

      From:
      # ServerTokensTo:
      ServerTokens Prod

      From:
      ServerAdmin you@yourhost.comTo:
      ServerAdmin webmaster@yourcompany.com

      From:
      ServerName 127.0.0.1To:
      ServerName Server_FQDN

      From:
      Timeout 300To:
      Timeout 60

      From:
      LogLevel warnTo:
      LogLevel notice

      From:
      IndexOptions FancyIndexing VersionSortTo:
      # IndexOptions FancyIndexing VersionSort

      From:
      ReadmeName README.htmlTo:
      # ReadmeName README.html

      From:
      HeaderName HEADER.htmlTo:
      # HeaderName HEADER.html

      From:
      AddIconTo:
      # AddIcon

      From:
      DefaultIcon /icons/unknown.gifTo:
      # DefaultIcon /icons/unknown.gif

      From:
      Alias /icons/ "/var/apache2/icons/"To:
      # Alias /icons/ "/var/apache2/icons/"

      From:
      AliasMatchTo:
      # AliasMatch

      From:
      ScriptAliasTo:
      # ScriptAlias

      From:
      LoadModule proxy_ftp_module libexec/mod_proxy_ftp.soTo:
      # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

      From
      LoadModule imap_module libexec/mod_imap.soTo:
      # LoadModule imap_module libexec/mod_imap.so

      From:
      LoadModule cgi_module libexec/mod_cgi.soTo:
      # LoadModule cgi_module libexec/mod_cgi.so

      From:
      LoadModule suexec_module libexec/mod_suexec.soTo:
      # LoadModule suexec_module libexec/mod_suexec.so

      From:
      LoadModule autoindex_module libexec/mod_autoindex.soTo:
      # LoadModule autoindex_module libexec/mod_autoindex.so

      From:
      LoadModule info_module libexec/mod_info.soTo:
      # LoadModule info_module libexec/mod_info.so

      From:
      LoadModule status_module libexec/mod_status.soTo:
      # LoadModule status_module libexec/mod_status.so

      From:
      LoadModule status_module libexec/mod_status.soTo:
      # LoadModule status_module libexec/mod_status.so

      From:
      LoadModule userdir_module libexec/mod_userdir.soTo:
      # LoadModule userdir_module libexec/mod_userdir.so

      From:
      LoadModule cern_meta_module modules/mod_cern_meta.soTo:
      # LoadModule cern_meta_module modules/mod_cern_meta.so

      From:
      LoadModule dav_module modules/mod_dav.soTo:
      # LoadModule dav_module modules/mod_dav.so

      From:
      <Directory />
      Options FollowSymLinks
      AllowOverride None
      </Directory>
      To:
      <Directory />
      Options None
      AllowOverride None
      Order deny,allow
      deny from all
      </Directory>

      From:
      <Directory "/var/apache2/htdocs">To:
      <Directory "/www">
      <Limitexcept GET POST>
      deny from all
      </Limitexcept>

      From:
      Options Indexes FollowSymLinksTo:
      Options -FollowSymLinks -Includes -Indexes -MultiViews

    11. Add the following sections to the end of the httpd.conf file:
      LimitRequestBody 10000
      LimitRequestFields 40
      LimitRequestFieldSize 100
      LimitRequestLine 500
    12. Remove the sections bellow from the file httpd.conf
      <Directory "/usr/apache2/manual">
      <Directory "/var/apache2/cgi-bin">
    13. Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
      From:
      #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
      #define AP_SERVER_BASEVENDOR "Restricted server"
      From:
      #define AP_SERVER_BASEPRODUCT "Apache"To:
      #define AP_SERVER_BASEPRODUCT "Secure Web Server"
    14. Starting Apache from command line:
      /usr/apache2/bin/apachectl start
    15. Run the command bellow to start the Apache service at server start-up:
      svcadm enable apache2
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, Solaris

    One Response to “Hardening guide for Apache 2.0 on Solaris 10 platform”

    Leave a Reply

    Search This Blog
    Blog Archive
    Labels
    NetworkedBlogs

    Log in
    Copyright © 2013 Security 24/7. All Rights Reserved.

    Powered by Wordpress.org, WP Theme Design Powered by playstation wordpress templates and free provided by nixcheckcashing.com.