Security 24/7

Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

August 9th, 2010 |

Author: eyalestrin

Pre-requirements:

JDK 1.6 source file
Resin Professional 4.0.8 source file

Installation phase

Login to the server using Root account.
Create a new account:
groupadd resin useradd -g resin -d /home/resin -s /bin/bash resin
Create folder for the web content:
mkdir -p /www
Updating Ownership and Permissions on the web content folder:
chown -R root /www chmod -R 775 /www
Copy JDK 1.6 into /tmp
Change the permissions on the JDK 1.6:
chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
Run the command bellow to install JDK 1.6:
/tmp/jdk-6u20-linux-i586-rpm.bin
Remove the JDK 1.6 source files:
rm -f /tmp/jdk-6u20-linux-i586-rpm.bin rm -f /usr/java/jdk1.6.0_20/src.zip rm -rf /usr/java/jdk1.6.0_20/demo rm -rf /usr/java/jdk1.6.0_20/sample rm -rf /opt/sun/javadb/demo rm -rf /opt/sun/javadb/docs
Before compiling the Resin environment, install the following RPM from the RHEL DVD:
rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm rpm -ivh glibc-headers-2.5-42.i386.rpm rpm -ivh glibc-devel-2.5-42.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm rpm -ivh libgomp-4.4.0-6.el5.i386.rpm rpm -ivh gcc-4.1.2-46.el5.i386.rpm rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm rpm -ivh zlib-devel-1.2.3-3.i386.rpm rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
Move to /tmp
cd /tmp
Extract the resin-pro-4.0.8.tar.gz file:
tar -zxvf resin-pro-4.0.8.tar.gz
Move to the Resin 4.0.8 source folder:
cd /tmp/resin-pro-4.0.8
Run the commands bellow to compile the Resin 4.0.8 environment:
./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20Note: The command above should be written as one line.

make make install
Edit using VI, the file /usr/local/resin/conf/resin.xml and change the string bellow:
From:
<resin:if test="${resin.userName == 'root'}">To:
<resin:if test="${resin.userName == 'resin'}">

From:
<user-name>www-data</user-name>To:
<user-name>resin</user-name>

From:
<group-name>www-data</group-name>To:
<group-name>resin</group-name>

From:
<server id="" address="127.0.0.1" port="6800">To:
<server id="" address="Server_DNS_Name" port="6800">

From:
<http address="*" port="8080"/>To:
<http address="Server_DNS_Name" port="8080"/>

From:
<dependency-check-interval>2s</dependency-check-interval>To:
<dependency-check-interval>600s</dependency-check-interval>

From:
<host id="" root-directory=".">To:
<host id="Server_DNS_Name" root-directory="/www">

From:
<root-directory>.</root-directory>To:
<root-directory>/www</root-directory>

From:
<resin:set var="resin_admin_external" value="false"/>To:
<resin:set var="resin_admin_external" value="true"/>
Change the ownership on the folder bellow:
chown resin:root -R /www/*
Manually start the Resin service:
/usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
Manually stop the Resin service:
/usr/local/resin/bin/resin.sh stop
Copy the Resin license file into
/usr/local/resin/licenses
Change the ownership and permissions on the folders bellow:
chmod 664 -R /www/watchdog-data/ chmod 777 /www/watchdog-data/default/ chown resin:root -R /www/watchdog-data/*
Remove the Resin 4.0.8 source folder:
rm -rf /tmp/resin-pro-4.0.8
Remove default documents:
rm -rf /www/doc/resin-doc
To start Resin service at server start-up, run the commands bellow:
chkconfig --add resin chkconfig resin on /etc/init.d/resin start
From a client machine, open an internet browser and login to the address:
http://Server_DNS_Name:8080/resin-admin/
Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin“.
Rename the admin-users.xml file:
mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.

Print

PDF

Posted in RedHat, Resin |

2 Comments »

IPv6 – Problem and some solutions

August 9th, 2010 |

Author: eyalestrin

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Print

PDF

Posted in Apache, Cisco, IPv6, Nginx, RedHat, Solaris, Windows 2008 |

No Comments »

Windows 2008 R2 Certification Authority installation guide

August 9th, 2010 |

Author: eyalestrin

This step-by-step guide explains how to install and configure public key infrastructure, based on:

Windows 2008 R2 Server core – offline Root CA
Windows 2008 R2 domain controller
Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

Boot the server using Windows 2008 R2 bootable DVD.
Specify the product ID -> click Next.
From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
Accept the license agreement -> click Next.
Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
Allow the installation phase to continue and restart the server automatically.
To login to the server for the first time, press CTRL+ALT+DELETE
Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
From the command prompt window, run the command bellow:
sconfig.cmd
Press “2″ to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
From the command prompt window, run the command bellow:
sconfig.cmd
Press “5″ to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
Press “6″ to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
From the command prompt window, run the command bellow:
sconfig.cmd
In-case you need to use RDP to access and manage the server, press “7″ to enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or “2″ according to your client settings -> Press OK.
Press “8″ to configure “Network settings” -> select the network adapter by its Index number -> press “1″ to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2″ to configure the DNS servers -> click OK -> press “4″ to return to the main menu.
Press “9″ to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
Press “11″ to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
Install Certificate services:
start /w ocsetup.exe CertificateServices /norestart /quiet
To check that the installation completed, run the command:
oclist find /i "CertificateServices"
Download the file “setupca.vbs” from:
http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
To:
C:\Windows\system32
Run the command bellow to configure the Root CA:
Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
In-order to verify that the installation completed successfully, open using Notepad, the file “_SetupCA.log” located in the current running directory, and make sure the last line is:
Install complete! Passed
Run the command bellow to enable remote management of the Root CA:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
Run the command bellow to stop the CertSvc service:
Net stop CertSvc
Run the command bellow to change new certificate validity period time:
reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /fNote: The command above should be written in one line.
Run the command bellow to start the CertSvc service:
Net start CertSvc

Enterprise Subordinate CA – OS installation phase
Pre-requirements:

Active Directory (Forest functional level – Windows 2008 R2)
Add “A” record for the Root CA to the Active Directory DNS.

Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
Specify the product ID -> click Next.
From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
Accept the license agreement -> click Next.
Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
Allow the installation phase to continue and restart the server automatically.
To login to the server for the first time, press CTRL+ALT+DELETE
Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
From the “Initial Configuration Tasks” window, configure the following settings:
- Set time zone
- Configure networking – specify static IP address, netmask, gateway, DNS
- Provide computer name and domain – add the server to the domain
- Enable Remote Desktop
In-order to be able to remotely manage the Root CA, run the command bellow:
cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:

DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.

To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
Start -> Administrative Tools -> Server Manager.
From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
- Web Server
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- .NET Extensibility
- ASP
- ISAPI Extensions
- Health and Diagnostics
- HTTP Logging
- Logging Tools
- Tracing
- Request Monitor
- Security
- Windows Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- Request Filtering
- Performance
- Static Content Compression
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
Click Next -> click Install -> click Close.
From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
- Certification Authority
- Certification Authority Web Enrollment
- Certificate Enrollment Policy Web Service
Click Next.
Configure the following settings:
- Specify Setup Type: Enterprise
- CA Type: Subordinate CA
- Private Key: Create a new private key
- Cryptography:
  Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
  Key length: 2048
  Hash algorithm SHA256
- CA Name:
  Common name: specify here the subordinate server NetBIOS name
  Distinguished name suffix: leave the default domain settings
- Certificate Request: Save a certificate to file and manually send it later
- Certificate Database: leave the default settings
- Authentication Type: Windows Integrated Authentication
- Server Authentication Certificate: Choose and assign a certificate for SSL later
Click Next twice -> click Install -> click Close.
Close the Server Manager.
Start -> Administrative Tools -> Certification Authority
From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Uncheck “Publish Delta CRLs to this location”.
- Mark the line begins with “LDAP”, and click remove.
- Mark the line begins with “HTTP”, and click remove.
- Mark the line begins with “file”, and click remove.
- Click on Add -> on the location, put:
  http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
- Click on the line begins with “HTTP”, and make sure the only option checked is: “Include in CDP extension of issued certificates”.
- Click on the line begins with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”
Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line begins with “LDAP”, and click remove.
- Mark the line begins with “HTTP”, and click remove.
- Mark the line begins with “file”, and click remove.
- Click on Add -> on the location, put:
  http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
Click OK and allow the CA server to restart its services.
From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
- CRL publication interval: 180 days
- Make sure “Publish Delta CRLs” is not checked
- Click OK
Right click on the CA name -> All tasks -> Stop service
Right click on the CA name -> All tasks -> Start service
Run the commands bellow from command line, to configure the Offline Root CA to publish in the active-directory:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com" certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"Note: Replace “DC=mycompany,DC=com” according to your domain name.
From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
Close the “Certification Authority” snap-in and logoff the subordinate CA server.
Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
Copy the file bellow from the Offline Root CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
Start -> Administrative Tools -> Group Policy Management.
From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
Logoff the domain controller.
Return to the subordinate enterprise CA server.
Start -> Administrative Tools -> Certification Authority.
From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name – <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
Run the command bellow from command line to avoid offline CRL errors:
Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
From the left pane, right click on “Certificate Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
Right click on the subordinate CA server name -> All Tasks -> Start Service.
Right click on the subordinate CA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Mark the line begins with “HTTP” -> click Remove -> click Yes.
- Mark the line begins with “file” -> click Remove -> click Yes.
- Click on Add -> on the location, put:
  http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
- Click on the line begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP”.
Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line begins with “HTTP” -> click Remove -> click Yes.
- Mark the line begins with “file” -> click Remove -> click Yes.
- Click on Add -> on the location, put:
  http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crt
- Click on the line begins with “HTTP”, and make sure the following option is checked: “Include in the AIA”.
Click OK and allow the CA server to restart its services.
From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
Close the “Certification Authority” snap-in
Copy the files bellow from the Root CA to the subordinate CA (same location):
C:\Windows\System32\CertSrv\CertEnroll\*.crl C:\Windows\System32\CertSrv\CertEnroll\*.crt
Logoff the subordinate CA server.
Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
Copy the file bellow from the subordinate CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt – copy the newest file
Start -> Administrative Tools -> Group Policy Management.
From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
Logoff the domain controller.

Print

PDF

Posted in Certificate Authority, IIS 7.5, Server Core, Windows 2008 |

17 Comments »

Hardening guide for WordPress 3.0 for hosted web sites

August 9th, 2010 |

Author: eyalestrin

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

Request from your hosting provider access through SSH.
Login to the hosted server using SSH.
Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
- DB_NAME
- DB_USER
- DB_PASSWORD
Create using VI the file ~/config.php with the following content:
<?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); ?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
Note 2: Replace “blgusr” with the MySQL account to access the database.
Note 3: Replace “password2” with the MySQL account password.
Note 4: Replace “m6gf42s” with the WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
Edit using VI, the file ~/html/wp-config.php
Add the following line:
include('/path/config.php');Note: Replace /path/ with the full path to the config.php file.

Remove the following sections:
define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
Remove default content:
rm -f ~/html/license.txt rm -f ~/html/readme.html rm -f ~/html/wp-config-sample.php rm -f ~/html/wp-content/plugins/hello.php
Create using VI the file ~/html/.htaccess with the following content:
<files wp-config.php> Order deny,allow deny from all </files> <Files wp-login.php> AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic </Files>
Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic
Create the following folders:
mkdir -p ~/html/wp-content/cache mkdir -p ~/html/wp-content/uploads mkdir -p ~/html/wp-content/upgrade
Change the file permissions:
chmod -R 777 ~/html/wp-content/cache chmod -R 777 ~/html/wp-content/uploads chmod -R 777 ~/html/wp-content/upgrade
Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
Click on “Save changes”.
From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins.
From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php
Click “Submit”.
From the upper pane, click on “Log Out”.
Delete the file /wp-admin/install.php
In-case the server was configured with SSL certificate, add the following line to the config.php file:
define('FORCE_SSL_LOGIN', true);

Print

PDF

Posted in MySQL, SSL, WordPress |

2 Comments »

Hardening guide for WordPress 3.0

August 9th, 2010 |

Author: eyalestrin

Pre-installation notes
The guide bellow is based on the previous guides:

Installation and configuration phase

Login to the server using Root account.
Create a new account for uploading files using SSH:
groupadd sshaccount useradd -g sshaccount -d /home/sshaccount -m sshaccount
Run the commands bellow to switch to the SSH account:
su sshaccount
Run the command bellow to generate SSH keys:
ssh-keygenNote: Leave deafult values for the ssh-keygen.
Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh chmod 644 /home/sshaccount/.ssh/*
Exit the SSH account shell and return to the Root account:
exit
Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE m6gf42s; GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2"; FLUSH PRIVILEGES; quitNote 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
Download WordPress 3.0 from:
http://wordpress.org/download
Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
Move to /www
cd /www
Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
Create using VI the file /www/config.php with the following content:
<?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('DB_HOST', '127.0.0.1'); $table_prefix = 'm6gf42s_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); define('FS_METHOD', 'direct'); define('FS_CHMOD_DIR', 0777); define('FS_CHMOD_FILE', 0777); define('FTP_BASE', '/www/wordpress/'); define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/'); define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/'); define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub'); define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa'); define('FTP_USER', 'sshaccount'); define('FTP_HOST', '127.0.0.1:22'); ?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');

Remove the following sections:
define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
Remove default content:
rm -f /www/wordpress/license.txt rm -f /www/wordpress/readme.html rm -f /www/wordpress/wp-config-sample.php rm -f /www/wordpress/wp-content/plugins/hello.php
Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"To:
DocumentRoot "/www/wordpress"

Replace the value of the string, from:
LimitRequestBody 10000To:
LimitRequestBody 200000
Restart the Apache service.
Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
Specify the following information:
- Site Title
- Username – replace the default “admin“
- Password
- E-mail
Click on “Install WordPress” button, and close the web browser.
Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php> Order deny,allow deny from all </files> <Files wp-login.php> AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 </Files> RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\.php* RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName “Access Control” AuthType Basic <LIMIT GET POST> order deny,allow deny from all Allow from 1.1.1.0 </LIMIT> <IfModule mod_security.c> SecFilterInheritance Off </IfModule>Note: Replace 1.1.1.0 with the internal network IP address.
Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0Note: Replace 1.1.1.0 with the internal network IP address.
Create the following folders:
mkdir -p /www/wordpress/wp-content/cache mkdir -p /www/wordpress/wp-content/uploads mkdir -p /www/wordpress/wp-content/upgrade
Change the file permissions:
chown -R root:root /www/wordpress chown daemon:root /www/wordpress/wp-content/plugins chmod 644 /www/config.php chmod 644 /www/wordpress/wp-config.php chmod 644 /www/wordpress/.htaccess chmod 644 /www/wordpress/wp-admin/.htaccess chmod 644 /www/wordpress/wp-content/plugins/.htaccess chmod -R 777 /www/wordpress/wp-content/cache chmod -R 777 /www/wordpress/wp-content/uploads chmod -R 777 /www/wordpress/wp-content/upgrade
Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
wp-content/uploads
Click on “Save changes”.
From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins.
From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php
Click “Submit”.
From the upper pane, click on “Log Out”.
Delete the file /wp-admin/install.php
In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);

Print

PDF

Posted in Apache, MySQL, PHP, RedHat, SSL, WordPress |

No Comments »

Hardening guide for VSFTPD on RHEL 5.4

August 9th, 2010 |

Author: eyalestrin

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

Login to the server using Root account.
Install from the RHEL 5.4 DVD the following RPM:
rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
Create a group for FTP users:
groupadd ftp-users
Create folder for the FTP:
mkdir -p /ftp
Change ownership and permissions on the FTP folder:
chown root:ftp-users /ftp chmod 777 -R /ftp
Example of user creation:
useradd -g ftp-users -d /ftp user1 passwd user1
Edit using VI, the file /etc/vsftpd/vsftpd.conf
Change from:
anonymous_enable=YESTo:
anonymous_enable=NO

Change from:
xferlog_std_format=YESTo:
xferlog_std_format=NO

Change from:
#tftpd_banner=Welcome to blah FTP service.To:
tftpd_banner=Secure FTP server

Add the lines bellow:
local_root=/ftp userlist_file=/etc/vsftpd/user_list userlist_deny=NO vsftpd_log_file=/var/log/vsftpd.log ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP rsa_cert_file=/etc/vsftpd/vsftpd.pem
Run the command bellow to create VSFTP SSL key:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pemNote: The command above should written as one line.
Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
Run the command bellow to manually start the VSFTP service:
/etc/init.d/vsftpd start
Run the command bellow to configure the VSFTP to start at server startup:
chkconfig vsftpd on

Print

PDF

Posted in FTP, RedHat, SFTP, SSL, VSFTP |

No Comments »

Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

August 9th, 2010 |

Author: eyalestrin

Important note
The guide bellow instructs how to secure Cisco Firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL

Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL

Configure Local Password (ASA, FWSM, PIX):
passwd <login_password> encrypted

Configure ASDM Access Control (ASA, FWSM, PIX):
http <remote_ip_address> <remote_subnet_mask> <interface_name>

Configuring SSH (ASA, FWSM, PIX):
hostname <device_hostname> domain-name <domain-name> crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0 <interface_name> ssh <remote_ip_address> <remote_subnet_mask> <interface_name> ssh version 2

Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10 ssh timeout 10

Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username <local_username> password <local_password> encrypted

Configure Enable Password (ASA, FWSM, PIX):
enable password <enable_password> encrypted

Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server no snmp-server host <interface_name> <remote_ip_address>

Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all

Configure Clock Time Zone (ASA, PIX):
clock timezone GMT <hours offset>

Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd no dhcpd enable <interface_name>

Disable HTTP Service (ASA, FWSM, PIX) – in-case not in use:
no http server enable <port>

Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical

Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp

Configure AAA Flood Guard (FWSM, PIX):
floodguard enable

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1 <interface_name>

Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp <port> fixup protocol http <port> fixup protocol smtp <port>

Configure Protocol Inspection (ASA):
inspect ftp [map_name] inspect http [map_name] inspect esmtp [map_name]

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface <interface_id> ip verify reverse-path interface <interface_name> exit

Save the changes:
wr

Print PDF

Posted in ASA, Cisco, Firewall, FWSM, PIX | 3 Comments »

Hardening guide for Cisco Routers and Switches

August 8th, 2010 |

Author: eyalestrin

Important note
The guide bellow instructs how to secure Cisco router/switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA service:
aaa new-model

Configure AAA Authentication for Login:
aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
line console 0 login authentication default exit

Configure AAA Authentication for VTY Lines:
line vty 0 4 login authentication default exit line vty 5 15 login authentication default exit

Set and secure passwords:
service password-encryption enable secret 0 <password>

Configure Local User and Encrypted Password:
username <username> password <password>Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T:
username <username> secret <password>

Configure SSH:
hostname <device_hostname> domain-name <domain-name> crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access:
ip ssh timeout 60 ip ssh authentication-retries 3

Configure VTY Transport SSH:
line console 0 transport input ssh exit line vty 0 4 transport input ssh exit line vty 5 15 transport input ssh exit

Configure Timeout for Login Sessions:
line vty 0 4 exec-timeout 5 0 exit line vty 5 15 exec-timeout 5 0 exit

Disable Auxiliary Port:
line aux 0 no exec exec-timeout 0 10 transport input none exit

Disable SNMP server (in-case not in use):
no snmp-server

Disable SNMP Community Strings private and public:
no snmp-server community private no snmp-server community public

Configure Clock Timezone – GMT:
clock timezone GMT <hours>

Disable Router Name and DNS Name Resolution (in-case not in use):
no ip domain-lookup

Disable CDP Run Globally:
no cdp run

Disable PAD service (in-case not in use):
no service pad

Disable Finger Service:
no service finger

Disable Maintenance Operations Protocol (MOP):
interface <interface-id> no mop enabled exit

Disable DHCP server (in-case not in use):
no service dhcp

Disable IP BOOTP server (in-case not in use):
no ip bootp server

Disable Identification Service:
no identd

Disable IP HTTP Server (in-case not in use):
no ip http server

Disable Remote Startup Configuration:
no boot network no service config

Configure TCP keepalives Services:
service tcp-keepalives-in service tcp-keepalives-out

Disable small-servers:
no service tcp-small-servers no service udp-small-servers

Disable TFTP Server:
no tftp-server

Configure Logging:
logging on logging buffered 16000 logging console critical

Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
no ip source-route

Disable Directed Broadcast:
interface <interface-id> no ip directed-broadcast exit

Configure Unicast Reverse-Path Forwarding:
interface <interface-id> ip verify unicast reverse-path exit

Disable IP Proxy ARP:
interface <interface-id> no ip proxy-arp exit

Disable Gratuitous-Arps:
no ip gratuitous-arps

Configure switch port-security:
switchport port-security switchport port-security violation shutdown switchport port-security maximum 1 switchport port-security mac-address sticky

Save the changes:
wr

Print

PDF

Posted in Cisco, Router, Switch |

No Comments »

How to implement SSL on Nginx 0.7.65

August 8th, 2010 |

Author: eyalestrin

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase

Login to the server using Root account.
Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl chmod 600 /usr/local/nginx/ssl
Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024Specify a complex pass phrase for the private key (and document it)
Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csrNote: The command above should be written as one line.
Send the file /tmp/nginx.csr to a Certificate Authority server.
As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pemNote: The command above should be written as one line.
Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt rm -f /usr/local/nginx/ssl/ca-bundle.crt
Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
# HTTPS server # #server { # listen 443; # server_name localhost; # ssl on; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_timeout 5m; # ssl_protocols SSLv2 SSLv3 TLSv1; # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; # ssl_prefer_server_ciphers on;
# location / { # root html; # index index.html index.htm; # } #}To:
server { listen 443; server_name Server_FQDN; ssl on; ssl_certificate /usr/local/nginx/ssl/server.pem; ssl_certificate_key /usr/local/nginx/ssl/server.key; ssl_session_timeout 5m; ssl_protocols SSLv3; ssl_ciphers HIGH:!ADH:!MD5; ssl_prefer_server_ciphers on; location / { root /www; index index.html index.htm; } }
Restart the Nginx service:
/etc/init.d/nginx restart

Print

PDF

Posted in Certificate Authority, Nginx, SSL |

No Comments »

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

August 8th, 2010 |

Author: eyalestrin

Login to the server using Root account.
Create a new account:
groupadd nginx useradd -g nginx -d /dev/null -s /sbin/nologin nginx
Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media cd /media/Server
Before compiling the Nginx environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm rpm -ivh glibc-headers-2.5-42.x86_64.rpm rpm -ivh glibc-devel-2.5-42.x86_64.rpm rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
Download Nginx 0.7.65 from:
http://wiki.nginx.org/NginxInstall
Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
Move to /tmp
cd /tmp
Extract the nginx-0.7.65.tar.gz file:
tar -zxvf nginx-0.7.65.tar.gz
Move to the Nginx source folder:
cd /tmp/nginx-0.7.65
Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
static char ngx_http_server_string[] = "Server: nginx" CRLF; static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;To:
static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF; static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
Run the commands bellow to compile the Nginx environment:
./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module make
make install
Remove the Nginx source files:
rm -rf /tmp/nginx-0.7.65 rm -f /tmp/nginx-0.7.65.tar.gz
Remove Default Content
rm -rf /usr/local/nginx/html
Updating Ownership and Permissions on Nginx folders:
chown -R root:root /usr/local/nginx chmod 750 /usr/local/nginx/sbin/nginx chmod -R 640 /usr/local/nginx/conf chmod -R 770 /usr/local/nginx/logs
Create folder for the web content:
mkdir -p /www
Updating Ownership and Permissions on the web content folder:
chown -R root /www chmod -R 775 /www
Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
From:
#user nobody;To:
user nginx nginx;

From:
#error_log logs/error.log notice;To:
error_log logs/error.log notice;

From:
server_name localhost;To:
server_name Server_FQDN;

From:
root html;To:
root /www;
Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
server_tokens off; client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k; client_body_timeout 10; client_header_timeout 10; send_timeout 10;
Create using VI, the file /etc/init.d/nginx with the following content:
#!/bin/sh # # nginx - this script starts and stops the nginx daemon # # chkconfig: - 85 15 # description: Nginx is an HTTP(S) server, HTTP(S) reverse \ # proxy and IMAP/POP3 proxy server # processname: nginx # config: /etc/nginx/nginx.conf # config: /etc/sysconfig/nginx # pidfile: /var/run/nginx.pid # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ "$NETWORKING" = "no" ] && exit 0 nginx="/usr/local/nginx/sbin/nginx" prog=$(basename $nginx) NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf" [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx lockfile=/var/lock/subsys/nginx start() { [ -x $nginx ] exit 5 [ -f $NGINX_CONF_FILE ] exit 6 echo -n $"Starting $prog: " daemon $nginx -c $NGINX_CONF_FILE retval=$? echo [ $retval -eq 0 ] && touch $lockfile return $retval } stop() { echo -n $"Stopping $prog: " killproc $prog -QUIT retval=$? echo [ $retval -eq 0 ] && rm -f $lockfile return $retval } restart() { configtest return $? stop sleep 1 start } reload() { configtest return $? echo -n $"Reloading $prog: " killproc $nginx -HUP RETVAL=$? echo } force_reload() { restart } configtest() { $nginx -t -c $NGINX_CONF_FILE } rh_status() { status $prog } rh_status_q() { rh_status >/dev/null 2>&1 }
case "$1" in start) rh_status_q && exit 0 $1 ;; stop) rh_status_q exit 0 $1 ;; restartconfigtest) $1 ;; reload) rh_status_q exit 7 $1 ;; force-reload) force_reload ;; status) rh_status ;; condrestarttry-restart) rh_status_q exit 0 ;; *) echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}" exit 2 esac
Change the permissions of the file /etc/init.d/nginx
chmod +x /etc/init.d/nginx
To start Nginx service at server start-up, run the command:
chkconfig nginx on
To manually start the Nginx service, use the command:
/etc/init.d/nginx start
Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-42 rpm -e glibc-headers-2.5-42 rpm -e kernel-headers-2.6.18-164.el5

Print

PDF

Posted in Nginx, RedHat |

2 Comments »