Archive for August, 2010

Cloud computing vision

Cloud computing is the latest buzz on the Internet these days.
What does it mean to us, and where is the future of Cloud computing heading?

Some background
In the mid 90’s, we had Citrix, with its vision for server-based computing.
It works similarly to the Mainframe idea that came a couple of decades earlier: you put all your resources on one server, and thin clients connect to consume them.
A couple of years later, we had a new buzzword, ASP (Application Service Provider), which according to Wikipedia is a business that provides computer-based services to customers over a network.
A few years later, ASP changed its name to SaaS (Software as a Service), which is also referred to as software on demand.
In between, we had VMware, who presented server virtualization to the world (at least the most famous implementation of it).

What is Cloud Computing?
According to Wikipedia, Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
The idea of Cloud computing enables customers to avoid investing money in hardware and network equipment, and instead rent usage from a third-party provider.

Cloud computing has the following key features:

  • Agility improves with users’ ability to rapidly and inexpensively re-provision technological infrastructure resources.
  • Cost is claimed to be greatly reduced.
  • Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile).
  • Multi-tenancy enables sharing of resources and costs across a large pool of users.
  • Reliability is improved if multiple redundant sites are used, which makes well designed cloud computing suitable for business continuity and disaster recovery.
  • Scalability via dynamic (“on-demand”) provisioning of resources on a fine-grained, self-service basis near real-time, without users having to engineer for peak loads.
  • Maintenance of cloud computing applications is easier, since they don’t have to be installed on each user’s computer.
  • Metering: cloud computing resource usage should be measurable and should be metered per client and application on a daily, weekly, monthly, and annual basis.

The confusion point and vision
People tend to confuse companies moving their data centers and applications toward the cloud with actual Cloud computing providers.
A real Cloud computing provider is built from large-scale data centers around the world.
Each rack is built from cheap (to manufacture) hot-swappable hardware – it’s time to say goodbye to 1U-4U servers from all major vendors (HP, IBM, DELL, SUN, etc).
Each blade has many-core CPUs (4-core, 6-core and above), with a lot of memory (as much as the hardware supports).
Each blade is connected to a large-scale storage grid.
Everything must be redundant – you must be able to add new racks on demand, without affecting any customer.
Servers, network equipment and storage devices must be configured in active-active clusters.
Data should be replicated on the fly between data centers across the world, in order to provide 24/7 availability.
Guest operating systems must be able to move between physical servers transparently, as VMware introduced in its VMotion technology.
Server maintenance should be performed on a scheduled basis – since everything is transparent to the customer, firmware upgrades, patch management and software/application upgrades will not affect any customer.
The hardware/network/storage layer should be separated from the application layer, so that current SaaS companies will be able to integrate their existing applications into the cloud era, and work transparently with Cloud computing infrastructure.

Cloud computing’s Achilles heel
The thing that drives most people away from the cloud is security.
Customers can’t physically protect their hardware, since they don’t own it.
Customers have trouble protecting their data, since everything is built on virtual machines connected to shared virtual storage.
I hope that in the near future information security professionals will be able to close this gap, and offer customers transparent, cheap and secure solutions.

Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by default on Unix platforms as an RPM or package file (RedHat, Solaris, etc).
The guide below explains how to generate a key store for digital certificates, generate a private key and a self-signed SSL certificate for web servers, and export/convert the key store to a PFX file (for importing to the Windows platform).
The guide below was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin); however, the same syntax should work on the Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command below to generate a new key store called “server.key”:
    openssl genrsa -des3 -out /tmp/server.key 1024
  3. Run the commands below to generate a new self-signed SSL certificate and record its fingerprint and details:
    openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command below to back up the key store file that has a password:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command below to generate a new key store without a password:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command below only if you need to generate a PEM file that contains both the key store and the public key in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command below only if you need to export a key store (without a password) to a PFX file (for importing to the Windows platform):
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

  • server.key – Key store file
  • server.crt – Server SSL public key file
  • no.pwd.server.key – Key store file (without a password)
  • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
  • server.pfx – Private key + public key, exportable to the Windows platform (e.g. an IIS server)
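As an added example (not from the original post), the steps above run as a non-interactive script, followed by the checks worth doing before the key store is used anywhere: the private key matches the certificate, the PEM bundle holds exactly one key and one certificate, and the PFX carries the same certificate. It assumes the openssl command-line tool is on PATH; the paths, subject name and PFX password are constructed, and it uses 2048-bit RSA with SHA-256 rather than the 1024-bit key and SHA-1 shown above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl is on PATH.
# Paths, CN and the PFX password below are constructed for this example.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/no.pwd.server.key"     # step 5: key store without a password
CRT="$WORK/server.crt"            # step 3: self-signed certificate
PEM="$WORK/no.pwd.server.pem"     # step 6: key + certificate in one file
PFX="$WORK/server.pfx"            # step 7: PKCS#12 bundle for Windows
PFX_PASS="example-pfx-password"   # constructed; IIS asks for it on import

# Steps 2 and 5 in one go: generate the key directly in the passwordless form
# (2048-bit instead of the 1024-bit key in the post).
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 3 without prompts: -subj supplies the subject fields that openssl req
# would otherwise ask for interactively; SHA-256 instead of SHA-1.
gen_selfsigned() {
    openssl req -new -x509 -sha256 -days 1095 -key "$KEY" \
        -subj "/CN=www.example.test/O=Example" -out "$CRT"
}

# Step 6: private key first, then the certificate.
gen_pem() {
    cat "$KEY" "$CRT" > "$PEM"
}

# Step 7: a self-signed certificate has no chain, so -certfile is not needed.
gen_pfx() {
    openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -out "$PFX" \
        -passout "pass:$PFX_PASS"
}

# Check 1: the private key and the certificate's public key share one RSA
# modulus. A mismatch means the web server fails its TLS handshake at start-up.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# Check 2: count PEM blocks with a given label ("CERTIFICATE", "PRIVATE KEY").
# The bundle from step 6 must hold exactly one of each. The pattern also
# accepts the "RSA PRIVATE KEY" label that older OpenSSL releases write.
count_blocks() {
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# Check 3: SHA-256 fingerprint of a certificate, the value to compare out of
# band before a client is told to trust a self-signed certificate.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Check 4: the certificate inside the PFX is the one generated above.
pfx_cert_fingerprint() {
    openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

gen_key
gen_selfsigned
gen_pem
gen_pfx
```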

Security Vulnerability Assessment Process and Policy

Overview:
In order to maintain high security standards, identify potential vulnerabilities, and evaluate the effectiveness of the security controls implemented within the infrastructure, it is crucial to perform periodic security assessments.

Goal:
This procedure defines the controls and steps required for identifying security vulnerabilities and ensuring a reasonable level of security at the infrastructure and application levels.

Process:

External Facing:

  1. Perform automated external application-level scans on a daily basis for the website and application (e.g. McAfee Secure, Acunetix).
  2. Perform automated external network-level scans on a weekly basis (e.g. McAfee Secure).
  3. Perform in-house, semi-automated scans with a vulnerability assessment tool (e.g. Qualys).
  4. Execute a dedicated application-level and network penetration test by a professional third party.
    This should be executed twice a year or on every major application release.

Internal:

  1. Discovery: run an NMAP scan on all VLANs to identify all the devices and create an asset inventory that outlines devices and services. [weekly / monthly]
  2. Network and Infra vulnerabilities: run a weekly scan with NESSUS or a similar tool to identify infrastructure gaps and non-hardened devices.
  3. Purchase and run a vulnerability scanner (such as Qualys or NetIQ) – every week.
  4. Patch Management:
    • Install a Microsoft WSUS server to maintain security patches for the Windows infrastructure.
    • Install a Linux YUM server to maintain security patches for the RedHat infrastructure.
    • Generate reports on a weekly basis to find vulnerable systems.
  5. Penetration test: run an annual internal pen-test to identify internal gaps, with an orientation to threats from within the organization.

Implement a Production Change Management policy that includes a hardening and implementation clearance process for new devices (e.g. the addition of a new network device, operating system, web server, DB server, etc).

How to implement SSL on Resin 4.0.8

Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

  1. Login to the server using the Root account.
  2. Change permissions on the keys folder:
    chmod 640 /usr/local/resin/keys
  3. Run the command below to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024
    Specify a complex pass phrase for the private key (and document it).
  4. Run the command below to generate the CSR from the key created in step 3 (enter the key’s pass phrase when prompted):
    /usr/bin/openssl req -new -key /usr/local/resin/keys/server.key -out /tmp/resin.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/resin.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”.
  7. Copy the file “server.crt” using SCP into /usr/local/resin/keys/
  8. Follow the link in the email from the CA server to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
  10. Edit using VI the file /usr/local/resin/conf/resin.xml and replace the section below from:
    <!-- SSL port configuration: -->
    <http address="*" port="8443">
    <jsse-ssl self-signed-certificate-name="[email protected]"/>
    </http>
    To:
    <http address="Server_DNS_Name" port="443">
    <openssl>
    <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
    <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
    <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
    <password>my-password</password>
    </openssl>
    </http>
    Note: Replace “my-password” with the pass phrase for the “server.key” file.
  11. Restart the Resin service:
    /etc/init.d/resin restart
  12. Back up the file
    /usr/local/resin/keys/server.key

Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

Pre-requirements:

  • JDK 1.6 source file
  • Resin Professional 4.0.8 source file

Installation phase

  1. Login to the server using the Root account.
  2. Create a new account:
    groupadd resin
    useradd -g resin -d /home/resin -s /bin/bash resin
  3. Create folder for the web content:
    mkdir -p /www
  4. Update the ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  5. Copy JDK 1.6 into /tmp
  6. Change the permissions on the JDK 1.6:
    chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
  7. Run the command below to install JDK 1.6:
    /tmp/jdk-6u20-linux-i586-rpm.bin
  8. Remove the JDK 1.6 source files:
    rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
    rm -f /usr/java/jdk1.6.0_20/src.zip
    rm -rf /usr/java/jdk1.6.0_20/demo
    rm -rf /usr/java/jdk1.6.0_20/sample
    rm -rf /opt/sun/javadb/demo
    rm -rf /opt/sun/javadb/docs
  9. Before compiling the Resin environment, install the following RPM from the RHEL DVD:
    rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-42.i386.rpm
    rpm -ivh glibc-devel-2.5-42.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-46.el5.i386.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
  10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
  11. Move to /tmp
    cd /tmp
  12. Extract the resin-pro-4.0.8.tar.gz file:
    tar -zxvf resin-pro-4.0.8.tar.gz
  13. Move to the Resin 4.0.8 source folder:
    cd /tmp/resin-pro-4.0.8
  14. Run the commands below to compile the Resin 4.0.8 environment:
    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
    Note: The command above should be written as one line.

    make
    make install

  15. Edit using VI the file /usr/local/resin/conf/resin.xml and change the strings below:
    From:
    <resin:if test="${resin.userName == 'root'}">
    To:
    <resin:if test="${resin.userName == 'resin'}">

    From:
    <user-name>www-data</user-name>
    To:
    <user-name>resin</user-name>

    From:
    <group-name>www-data</group-name>
    To:
    <group-name>resin</group-name>

    From:
    <server id="" address="127.0.0.1" port="6800">
    To:
    <server id="" address="Server_DNS_Name" port="6800">

    From:
    <http address="*" port="8080"/>
    To:
    <http address="Server_DNS_Name" port="8080"/>

    From:
    <dependency-check-interval>2s</dependency-check-interval>
    To:
    <dependency-check-interval>600s</dependency-check-interval>

    From:
    <host id="" root-directory=".">
    To:
    <host id="Server_DNS_Name" root-directory="/www">

    From:
    <root-directory>.</root-directory>
    To:
    <root-directory>/www</root-directory>

    From:
    <resin:set var="resin_admin_external" value="false"/>
    To:
    <resin:set var="resin_admin_external" value="true"/>

  16. Change the ownership on the folder below:
    chown resin:root -R /www/*
  17. Manually start the Resin service:
    /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
  18. Manually stop the Resin service:
    /usr/local/resin/bin/resin.sh stop
  19. Copy the Resin license file into
    /usr/local/resin/licenses
  20. Change the ownership and permissions on the folders below:
    chmod 664 -R /www/watchdog-data/
    chmod 777 /www/watchdog-data/default/
    chown resin:root -R /www/watchdog-data/*
  21. Remove the Resin 4.0.8 source folder:
    rm -rf /tmp/resin-pro-4.0.8
  22. Remove default documents:
    rm -rf /www/doc/resin-doc
  23. To start the Resin service at server start-up, run the commands below:
    chkconfig --add resin
    chkconfig resin on
    /etc/init.d/resin start
  24. From a client machine, open a web browser and log in at the address:
    http://Server_DNS_Name:8080/resin-admin/
  25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin”.
  26. Rename the admin-users.xml file:
    mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
  27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.

IPv6 – Problem and some solutions

The Internet is about to face one of the most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is the slow adoption of a new system intended to vastly increase the available pool, which further complicates matters.
Currently, the web uses IPv4 (Internet Protocol version 4). Addresses are 32-bit numbers, meaning about 4 billion addresses are available, and about 94 percent of them have already been allocated. There is a new system, however, called IPv6, which uses 128-bit numbers, so the number of available addresses skyrockets.
It is time to start the migration from IPv4 to IPv6.

Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Windows 2008 R2 Certification Authority installation guide

This step-by-step guide explains how to install and configure public key infrastructure, based on:

  • Windows 2008 R2 Server core – offline Root CA
  • Windows 2008 R2 domain controller
  • Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To login to the server for the first time, press CTRL+ALT+DELETE
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
  11. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  14. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
  15. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  16. From the command prompt window, run the command below:
    sconfig.cmd
  17. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  18. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  19. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
  20. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

  1. To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. Install Certificate services:
    start /w ocsetup.exe CertificateServices /norestart /quiet
  3. To check that the installation completed, run the command:
    oclist | find /i "CertificateServices"
  4. Download the file “setupca.vbs” from:
    http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
    To:
    C:\Windows\system32
  5. Run the command below to configure the Root CA:
    Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
  6. In order to verify that the installation completed successfully, open the file “_SetupCA.log” (located in the current working directory) in Notepad, and make sure the last line is:
    Install complete! Passed
  7. Run the command below to enable remote management of the Root CA:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
  8. Run the command below to stop the CertSvc service:
    Net stop CertSvc
  9. Run the command below to change the validity period of new certificates:
    reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
    Note: The command above should be written in one line.
  10. Run the command below to start the CertSvc service:
    Net start CertSvc

Enterprise Subordinate CA – OS installation phase
Pre-requirements:

  • Active Directory (Forest functional level – Windows 2008 R2)
  • Add an “A” record for the Root CA to the Active Directory DNS.

  1. Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To login to the server for the first time, press CTRL+ALT+DELETE
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the “Initial Configuration Tasks” window, configure the following settings:
    • Set time zone
    • Configure networking – specify static IP address, netmask, gateway, DNS
    • Provide computer name and domain – add the server to the domain
    • Enable Remote Desktop
  10. In order to be able to remotely manage the Root CA, run the command below:
    cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:

  • DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.

  1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
  2. Start -> Administrative Tools -> Server Manager.
  3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
    • Web Server
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • .NET Extensibility
    • ASP
    • ISAPI Extensions
    • Health and Diagnostics
    • HTTP Logging
    • Logging Tools
    • Tracing
    • Request Monitor
    • Security
    • Windows Authentication
    • Client Certificate Mapping Authentication
    • IIS Client Certificate Mapping Authentication
    • Request Filtering
    • Performance
    • Static Content Compression
    • Management Tools
    • IIS Management Console
    • IIS Management Scripts and Tools
    • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility
  4. Click Next -> click Install -> click Close.
  5. From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
  6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
    • Certification Authority
    • Certification Authority Web Enrollment
    • Certificate Enrollment Policy Web Service
  7. Click Next.
  8. Configure the following settings:
    • Specify Setup Type: Enterprise
    • CA Type: Subordinate CA
    • Private Key: Create a new private key
    • Cryptography:
      Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
      Key length: 2048
      Hash algorithm SHA256
    • CA Name:
      Common name: specify here the subordinate server NetBIOS name
      Distinguished name suffix: leave the default domain settings
    • Certificate Request: Save a certificate to file and manually send it later
    • Certificate Database: leave the default settings
    • Authentication Type: Windows Integrated Authentication
    • Server Authentication Certificate: Choose and assign a certificate for SSL later
  9. Click Next twice -> click Install -> click Close.
  10. Close the Server Manager.
  11. Start -> Administrative Tools -> Certification Authority
  12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
  13. Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Uncheck “Publish Delta CRLs to this location”.
    • Mark the line that begins with “LDAP”, and click Remove.
    • Mark the line that begins with “HTTP”, and click Remove.
    • Mark the line that begins with “file”, and click Remove.
    • Click on Add -> in the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the only option checked is: “Include in CDP extension of issued certificates”.
    • Click on the line that begins with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”.
  14. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line that begins with “LDAP”, and click Remove.
    • Mark the line that begins with “HTTP”, and click Remove.
    • Mark the line that begins with “file”, and click Remove.
    • Click on Add -> in the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
  15. Click OK and allow the CA server to restart its services.
  16. From the “Certification Authority” left pane, right click on “Revoked certificates” -> Properties:
    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
  17. Right click on the CA name -> All tasks -> Stop service
  18. Right click on the CA name -> All tasks -> Start service
  19. Run the commands below from the command line, to configure the Offline Root CA to publish in Active Directory:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: Replace “DC=mycompany,DC=com” according to your domain name.
  20. From the “Certification Authority” left pane, right click on “Revoked certificates” -> All tasks -> Publish -> click OK.
  21. Close the “Certification Authority” snap-in and log off the subordinate CA server.
  22. Login to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
  23. Copy the file below from the Offline Root CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  24. Start -> Administrative Tools -> Group Policy Management.
  25. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  26. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
  27. Log off the domain controller.
  28. Return to the subordinate enterprise CA server.
  29. Start -> Administrative Tools -> Certification Authority.
  30. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
  31. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
  32. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
  33. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name – <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
  34. Run the command below from the command line to avoid offline CRL errors:
    Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  35. From the left pane, right click on “Certificate Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
  36. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
  37. Right click on the subordinate CA server name -> All Tasks -> Start Service.
  38. Right click on the subordinate CA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Select the line that begins with “HTTP” -> click Remove -> click Yes.
    • Select the line that begins with “file” -> click Remove -> click Yes.
    • Click Add -> in the location field, enter:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP”.
  39. Extensions tab -> extension type: Authority Information Access (AIA):
    • Select the line that begins with “HTTP” -> click Remove -> click Yes.
    • Select the line that begins with “file” -> click Remove -> click Yes.
    • Click Add -> in the location field, enter:
      http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crt
      Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
    • Click on the line that begins with “HTTP”, and make sure the following option is checked: “Include in the AIA”.
  40. Click OK and allow the CA server to restart its services.
  41. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
  42. Close the “Certification Authority” snap-in.
  43. Copy the files below from the Root CA to the subordinate CA (same location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  44. Log off the subordinate CA server.
  45. Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
  46. Copy the file below from the subordinate CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt – copy the newest file
  47. Start -> Administrative Tools -> Group Policy Management.
  48. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  49. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
  50. Log off the domain controller.

Hardening guide for WordPress 3.0 for hosted web sites

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

  1. Request SSH access from your hosting provider.
  2. Log in to the hosted server using SSH.
  3. Edit using VI the file ~/html/wp-config.php and write down the values of the following settings:
    • DB_NAME
    • DB_USER
    • DB_PASSWORD
  4. Create using VI the file ~/config.php with the following content:
    <?php
    define('DB_NAME', 'm6gf42s');
    define('DB_USER', 'blgusr');
    define('DB_PASSWORD', 'password2');
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before the opening ‘<?php’ tag or after the closing ‘?>’ tag.
    Note 2: Replace “blgusr” with the MySQL account to access the database.
    Note 3: Replace “password2” with the MySQL account password.
    Note 4: Replace “m6gf42s” with the WordPress database name.
    Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below:
    http://api.wordpress.org/secret-key/1.1/
  5. Edit using VI, the file ~/html/wp-config.php
    Add the following line:
    include('/path/config.php');
    Note: Replace /path/ with the full path to the config.php file.

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
    define('DB_USER', 'usernamehere');
    define('DB_PASSWORD', 'yourpasswordhere');
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');

  6. Remove default content:
    rm -f ~/html/license.txt
    rm -f ~/html/readme.html
    rm -f ~/html/wp-config-sample.php
    rm -f ~/html/wp-content/plugins/hello.php
  7. Create using VI the file ~/html/.htaccess with the following content:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
    <Files wp-login.php>
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    </Files>
  8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
  9. Create the following folders:
    mkdir -p ~/html/wp-content/cache
    mkdir -p ~/html/wp-content/uploads
    mkdir -p ~/html/wp-content/upgrade
  10. Change the file permissions:
    chmod -R 777 ~/html/wp-content/cache
    chmod -R 777 ~/html/wp-content/uploads
    chmod -R 777 ~/html/wp-content/upgrade
  11. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
  12. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
  13. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  14. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
  15. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
  16. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
  17. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
  18. Open a web browser from a client machine, and enter the URL below:
    http://Server_FQDN/wp-login.php
  19. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
  20. Click on “Save changes”.
  21. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
  22. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /wp-login.php
    Disallow: /wp-register.php
  23. Click “Submit”.
  24. From the upper pane, click on “Log Out”.
  25. Delete the file /wp-admin/install.php
  26. If the server was configured with an SSL certificate, add the following line to the config.php file:
    define('FORCE_SSL_LOGIN', true);

Hardening guide for WordPress 3.0

Pre-installation notes
The guide below is based on the previous guides:

Installation and configuration phase

  1. Log in to the server using the Root account.
  2. Create a new account for uploading files using SSH:
    groupadd sshaccount
    useradd -g sshaccount -d /home/sshaccount -m sshaccount
  3. Run the command below to switch to the SSH account:
    su sshaccount
  4. Run the command below to generate SSH keys:
    ssh-keygen
    Note: Leave the default values for ssh-keygen.
  5. Copy the SSH keys:
    cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
  6. Change permissions for the SSH keys:
    chmod 755 /home/sshaccount/.ssh
    chmod 644 /home/sshaccount/.ssh/*
  7. Exit the SSH account shell and return to the Root account:
    exit
  8. Run the command below to log in to MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  9. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
    SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE m6gf42s;
    GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit
    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “m6gf42s” with your own WordPress database name.
  10. Download WordPress 3.0 from:
    http://wordpress.org/download
  11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
  12. Move to /www
    cd /www
  13. Extract the wordpress-3.0.zip file:
    unzip wordpress-3.0.zip
  14. Remove WordPress source file:
    rm -f /www/wordpress-3.0.zip
  15. Create using VI the file /www/config.php with the following content:
    <?php
    define('DB_NAME', 'm6gf42s');
    define('DB_USER', 'blgusr');
    define('DB_PASSWORD', 'password2');
    define('DB_HOST', '127.0.0.1');
    $table_prefix = 'm6gf42s_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    define('FS_METHOD', 'direct');
    define('FS_CHMOD_DIR', 0777);
    define('FS_CHMOD_FILE', 0777);
    define('FTP_BASE', '/www/wordpress/');
    define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
    define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/');
    define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
    define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
    define('FTP_USER', 'sshaccount');
    define('FTP_HOST', '127.0.0.1:22');
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before the opening ‘<?php’ tag or after the closing ‘?>’ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below:
    http://api.wordpress.org/secret-key/1.1/
  16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
  17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
    define('DB_USER', 'usernamehere');
    define('DB_PASSWORD', 'yourpasswordhere');
    define('DB_HOST', 'localhost');
    $table_prefix = 'wp_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');

  18. Remove default content:
    rm -f /www/wordpress/license.txt
    rm -f /www/wordpress/readme.html
    rm -f /www/wordpress/wp-config-sample.php
    rm -f /www/wordpress/wp-content/plugins/hello.php
  19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"
    To:
    DocumentRoot "/www/wordpress"

    Replace the value of the string, from:
    LimitRequestBody 10000
    To:
    LimitRequestBody 200000

  20. Restart the Apache service.
  21. Open a web browser from a client machine, and enter the URL below:
    http://Server_FQDN/wp-admin/install.php
  22. Specify the following information:
    • Site Title
    • Username – replace the default “admin”
    • Password
    • E-mail
  23. Click on “Install WordPress” button, and close the web browser.
  24. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
    <Files wp-login.php>
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    </Files>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
  25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    <LIMIT GET POST>
    order deny,allow
    deny from all
    Allow from 1.1.1.0
    </LIMIT>
    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>
    Note: Replace 1.1.1.0 with the internal network IP address.
  26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    Note: Replace 1.1.1.0 with the internal network IP address.
  27. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
    mkdir -p /www/wordpress/wp-content/uploads
    mkdir -p /www/wordpress/wp-content/upgrade
  28. Change the file permissions:
    chown -R root:root /www/wordpress
    chown daemon:root /www/wordpress/wp-content/plugins
    chmod 644 /www/config.php
    chmod 644 /www/wordpress/wp-config.php
    chmod 644 /www/wordpress/.htaccess
    chmod 644 /www/wordpress/wp-admin/.htaccess
    chmod 644 /www/wordpress/wp-content/plugins/.htaccess
    chmod -R 777 /www/wordpress/wp-content/cache
    chmod -R 777 /www/wordpress/wp-content/uploads
    chmod -R 777 /www/wordpress/wp-content/upgrade
  29. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
  30. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
  31. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  32. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
  33. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
  34. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
  35. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
  36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
  37. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
  38. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
  39. Open a web browser from a client machine, and enter the URL below:
    http://Server_FQDN/wp-login.php
  40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
  41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
  42. Click on “Save changes”.
  43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
  44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /wp-login.php
    Disallow: /wp-register.php
  45. Click “Submit”.
  46. From the upper pane, click on “Log Out”.
  47. Delete the file /wp-admin/install.php
  48. If the server was configured with an SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);
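
Steps 15 to 17 above (and steps 3 to 5 of the hosted-site guide) move the database credentials and the eight secret keys out of wp-config.php into a config.php kept outside the document root, and Note 1 warns about stray bytes around the PHP tags. The script below is an added example, not part of the original guide: it generates the keys locally from /dev/urandom (the guide's http://api.wordpress.org/secret-key/1.1/ service returns equivalent lines, but that URL is plain HTTP), writes config.php in the hosted-site layout (the three DB_* settings and the eight keys; the DB_HOST, $table_prefix and FTP_* lines of step 15 are appended by hand as the guide shows), and then checks the finished file for the conditions the notes describe, including keys left at the “put your unique phrase here” placeholder. The function names and the 64-character key length are my choices; the values m6gf42s, blgusr and password2 are the guide's own placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Generates the WordPress secret
# keys locally and writes config.php in the layout the guide uses, then checks
# the result. Function names and the 64-character key length are assumptions.

# One define() line with a 64-character random value. The character set
# deliberately excludes the single quote and the backslash so the PHP string
# literal stays valid.
wp_salt_line() {
  name=$1
  val=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64)
  printf "define('%s', '%s');\n" "$name" "$val"
}

# Write config.php: opening tag first (no BOM, no leading whitespace), the three
# database settings, the eight keys, closing tag last. Usage:
#   wp_write_config /www/config.php m6gf42s blgusr password2
wp_write_config() {
  out=$1 dbname=$2 dbuser=$3 dbpass=$4
  {
    printf '<?php\n'
    printf "define('DB_NAME', '%s');\n" "$dbname"
    printf "define('DB_USER', '%s');\n" "$dbuser"
    printf "define('DB_PASSWORD', '%s');\n" "$dbpass"
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
      wp_salt_line "$k"
    done
    printf '?>\n'
  } > "$out"
}

# Check what Note 1 and Note 5 ask for: the file starts with "<?php", its last
# line is exactly "?>", and all eight keys are present and no longer carry the
# "put your unique phrase here" placeholder. Returns 0 when every check passes.
wp_check_config() {
  f=$1 ok=0
  [ "$(head -c 5 "$f")" = '<?php' ] || { echo "$f: bytes before <?php" >&2; ok=1; }
  [ "$(sed -n '$p' "$f")" = '?>' ] || { echo "$f: content after ?>" >&2; ok=1; }
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    if ! grep -q "define('$k', '" "$f"; then
      echo "$f: $k missing" >&2; ok=1
    elif grep -q "define('$k', 'put your unique phrase here')" "$f"; then
      echo "$f: $k still has the placeholder value" >&2; ok=1
    fi
  done
  return $ok
}
```

Run wp_write_config once, then wp_check_config after every later edit of the file; the check is what catches an editor that silently adds a byte order mark or a trailing blank line, which WordPress reports as “headers already sent”.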
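
Steps 24 to 26 above (and steps 7 and 8 of the hosted-site guide) rely on .htaccess for three things: denying web access to wp-config.php, restricting wp-login.php and wp-admin to an internal address, and the Auth* lines. Two caveats a reviewer would raise. First, Apache only enforces Basic authentication when a Require directive is present, so the AuthUserFile /dev/null lines by themselves enforce nothing; the Order/Deny/Allow lines are what actually restrict access, which is also why the hosted-site snippet, whose wp-login.php block has neither Require nor Deny, leaves wp-login.php reachable from anywhere. Second, Allow from 1.1.1.0 is a full four-octet address, which Apache treats as a single host, so allowing a whole internal network needs a partial address (1.1.1) or a CIDR range (1.1.1.0/24). The audit function below is an added example, not part of the guide: it reads a site-root .htaccess with awk and reports those two cases plus a missing wp-config.php deny block. The function name and message wording are mine.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits a site-root .htaccess for
# the points the guide's snippets depend on. Findings go to stderr, the number
# of findings to stdout. Function name and messages are assumptions.
htaccess_audit() {
  awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    # wp-config.php must sit in a <Files> block that contains "deny from all"
    line ~ /^<files wp-config\.php>/ { in_cfg = 1; next }
    line ~ /^<\/files>/              { in_cfg = 0; next }
    in_cfg && line ~ /^deny from all/ { cfg_denied = 1 }
    # Basic authentication is only enforced by a Require directive
    line ~ /^authtype/ { auth = 1 }
    line ~ /^require/  { req = 1 }
    # a full dotted quad after Allow from is one host, not a network
    line ~ /^allow from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]*$/ {
      print "FINDING: \"" $0 "\" allows a single host; a network needs a prefix (1.1.1) or CIDR (1.1.1.0/24)"
      n++
    }
    END {
      if (!cfg_denied) {
        print "FINDING: no <Files wp-config.php> block with \"deny from all\""; n++
      }
      if (auth && !req) {
        print "FINDING: AuthType set without Require: the Auth* lines enforce nothing, only Order/Deny/Allow apply"; n++
      }
      print "COUNT " n + 0
    }
  ' "$1" | {
    n=0
    while IFS= read -r l; do
      case "$l" in
        COUNT\ *) n=${l#COUNT } ;;
        *) echo "$l" >&2 ;;
      esac
    done
    echo "$n"
  }
}
```

Run it as htaccess_audit /www/wordpress/.htaccess; on the step 24 file exactly as printed it reports two findings (the Require point and the single-host Allow), and zero once the Auth* lines are dropped and the Allow line carries a network.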
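
Step 28 above (and step 10 of the hosted-site guide) makes wp-content/cache, uploads and upgrade world-writable so that WordPress can write to them; everything else is meant to stay root-owned and read-only for the web server. The function below is an added example, not part of the guide: it walks a WordPress tree and reports any world-writable path outside those three directories, and any .php file that has appeared inside them, since a directory the web server can write to should hold static content only. The function names are mine; the directory layout is the guide's.

```shell
#!/bin/sh
# Added example, not from the original guide. Reports world-writable paths in a
# WordPress tree other than the three directories the guide opens on purpose, and
# PHP files that have turned up inside those directories. Findings go to stderr,
# the number of findings to stdout. Function names are assumptions.

# The only directories the guide makes world-writable (chmod -R 777).
wp_allowed_writable() {
  case "$1" in
    "$2"/wp-content/cache|"$2"/wp-content/cache/*)     return 0 ;;
    "$2"/wp-content/uploads|"$2"/wp-content/uploads/*) return 0 ;;
    "$2"/wp-content/upgrade|"$2"/wp-content/upgrade/*) return 0 ;;
  esac
  return 1
}

# Usage: wp_audit_perms /www/wordpress
wp_audit_perms() {
  root=${1%/}
  n=0
  # Anything else with the world-write bit set contradicts step 28.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if ! wp_allowed_writable "$p" "$root"; then
      echo "world-writable outside cache/uploads/upgrade: $p" >&2
      n=$((n + 1))
    fi
  done <<EOF
$(find "$root" -perm -0002 2>/dev/null)
EOF
  # A directory the web server can write to should hold static content only;
  # a .php file in it is either a misplaced plugin or something to investigate.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    echo "PHP file inside a writable directory: $p" >&2
    n=$((n + 1))
  done <<EOF
$(find "$root/wp-content/cache" "$root/wp-content/uploads" "$root/wp-content/upgrade" \
       -type f -name '*.php' 2>/dev/null)
EOF
  echo "$n"
}
```

Run it once right after step 28 to confirm a clean baseline of 0, and again from cron after plugin updates; step 37 adds a fourth world-writable directory (wp-content/backup-ed602), which you would add to wp_allowed_writable if you install that plugin.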

Hardening guide for VSFTPD on RHEL 5.4

The guide below explains how to install, configure and secure the FTP server VSFTP on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

  1. Log in to the server using the Root account.
  2. Install from the RHEL 5.4 DVD the following RPM:
    rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
  3. Create a group for FTP users:
    groupadd ftp-users
  4. Create folder for the FTP:
    mkdir -p /ftp
  5. Change ownership and permissions on the FTP folder:
    chown root:ftp-users /ftp
    chmod 777 -R /ftp
  6. Example of user creation:
    useradd -g ftp-users -d /ftp user1
    passwd user1
  7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
    Change from:
    anonymous_enable=YES
    To:
    anonymous_enable=NO

    Change from:
    xferlog_std_format=YES
    To:
    xferlog_std_format=NO

    Change from:
    #ftpd_banner=Welcome to blah FTP service.
    To:
    ftpd_banner=Secure FTP server

    Add the lines below:
    local_root=/ftp
    userlist_file=/etc/vsftpd/user_list
    userlist_deny=NO
    vsftpd_log_file=/var/log/vsftpd.log
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    rsa_cert_file=/etc/vsftpd/vsftpd.pem

  8. Run the command below to create the VSFTP self-signed certificate and private key:
    openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
    Note: The command above should be written as one line.
  9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
  10. Run the command below to manually start the VSFTP service:
    /etc/init.d/vsftpd start
  11. Run the command below to configure the VSFTP service to start at server startup:
    chkconfig vsftpd on
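
The vsftpd.conf changes in step 7 turn off anonymous logins, restrict logins to the accounts in user_list, and (through force_local_logins_ssl and force_local_data_ssl) make vsftpd accept local logins and data transfers only over SSL/TLS, with SSLv2 and SSLv3 disabled; step 8's openssl command, because of -nodes, stores the unencrypted private key in /etc/vsftpd/vsftpd.pem, so that file must not be readable by anyone but root. The function below is an added example, not part of the guide: it checks a vsftpd.conf against those settings (judging the last assignment of each key, so a later override is what gets reported) and checks that the PEM file is not readable by group or others. The function name is mine; the directive names and values are the ones the guide sets.

```shell
#!/bin/sh
# Added example, not from the original guide. Checks a vsftpd.conf against the
# settings step 7 asks for, and checks that the PEM file from step 8 (which
# holds the unencrypted private key, because of -nodes) is not readable by group
# or others. Findings go to stderr, the number of findings to stdout.
# Usage: vsftpd_audit /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.pem
vsftpd_audit() {
  conf=$1 pem=$2 n=0
  for want in anonymous_enable=NO userlist_deny=NO ssl_enable=YES \
              allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
              ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
    key=${want%%=*}
    # take the last uncommented assignment of the key, so a later override is what gets judged
    have=$(grep "^$key=" "$conf" | tail -n 1)
    if [ "$have" != "$want" ]; then
      echo "$conf: want '$want', have '${have:-<unset>}'" >&2
      n=$((n + 1))
    fi
  done
  # -0040: group-readable, -0004: world-readable
  if [ ! -f "$pem" ]; then
    echo "$pem: missing" >&2
    n=$((n + 1))
  elif [ -n "$(find "$pem" \( -perm -0040 -o -perm -0004 \) 2>/dev/null)" ]; then
    echo "$pem: readable by group or others; it contains the private key, use chmod 600" >&2
    n=$((n + 1))
  fi
  echo "$n"
}
```

A clean result is 0; the PEM check is the one most often missed, because openssl creates the file with the current umask rather than with owner-only permissions.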