Archive for August, 2010

Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

Important note
The guide below describes how to harden a Cisco firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every software version.
It is highly recommended to test each setting in a lab before implementing changes on production systems.

Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL

Configure AAA Authentication for Serial Console, SSH and ASDM/HTTP Access (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

Configure Local Password (ASA, FWSM, PIX):
passwd <login_password>
Note: Add the trailing keyword "encrypted" only when pasting a value that is already hashed (as it appears in a saved configuration). When typing a new clear-text password, omit it; the firewall hashes the value before storing it.

Configure ASDM Access Control (ASA, FWSM, PIX):
http <remote_ip_address> <remote_subnet_mask> <interface_name>

Configure SSH Host Key (ASA, FWSM, PIX):
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0 <interface_name>
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2

Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10

Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username <local_username> password <local_password>
Note: As with passwd, the "encrypted" keyword is only for pasting an already hashed value; omit it when typing a clear-text password.

Configure Enable Password (ASA, FWSM, PIX):
enable password <enable_password>
Note: Omit the "encrypted" keyword when typing a clear-text password; it is only used when pasting an already hashed value from a saved configuration.

Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host <interface_name> <remote_ip_address>
Note: clear configure snmp-server removes the whole SNMP configuration (communities, hosts and traps). If SNMP monitoring is required, keep it, replace the default community string and allow read-only access only from the management station.

Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all

Configure Clock Time Zone (ASA, PIX):
clock timezone GMT <hours offset>

Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable <interface_name>

Disable HTTP Service (ASA, FWSM, PIX) – in case not in use:
no http server enable <port>

Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical

Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp

Configure AAA Flood Guard (FWSM, PIX):
floodguard enable

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1 <interface_name>
Note: A chain limit of 1 drops every fragmented IP packet on that interface. Verify first that no legitimate traffic through the firewall relies on fragmentation (NFS over UDP, large DNS/EDNS replies and some IPsec traffic are typical examples), or raise the limit instead.

Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp <port>
fixup protocol http <port>
fixup protocol smtp <port>

Configure Protocol Inspection (ASA):
policy-map global_policy
 class inspection_default
  inspect ftp [map_name]
  inspect http [map_name]
  inspect esmtp [map_name]
Note: On the ASA the inspect commands are entered inside a class of a policy map, not at the global prompt; global_policy and inspection_default are the names of the default policy map and class that are applied to all interfaces.

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
ip verify reverse-path interface <interface_name>
Note: On the firewall this is a global configuration command that names the interface; it is not entered in interface configuration mode. Repeat it for each interface, and enable it only on interfaces with symmetric routing (replies return over the same interface), otherwise legitimate traffic is dropped.

Save the changes:
wr

Hardening guide for Cisco Routers and Switches

Important note
The guide below describes how to harden a Cisco router or switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a lab before implementing changes on production systems.

Hardening phase
Configure AAA service:
aaa new-model

Configure AAA Authentication for Login:
aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit

Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit

Set and secure passwords:
service password-encryption
enable secret 0 <password>

Configure Local User and Encrypted Password:
username <username> password <password>
Note: Use the following syntax for versions after 12.0(18)S, 12.1(8a)E, 12.2(8)T. The secret form stores an MD5 hash, whereas password stores only the reversible type 7 encoding even when service password-encryption is enabled:
username <username> secret <password>

Configure SSH:
hostname <device_hostname>
ip domain-name <domain-name>
crypto key generate rsa modulus 2048
Note: On IOS the domain name is set with ip domain-name (not domain-name as on the firewalls); both a hostname and a domain name must be set before the RSA key can be generated. On images that support it, also restrict the server to SSH version 2 with ip ssh version 2.

Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3

Configure VTY Transport SSH:
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
Note: transport input applies to the VTY (and AUX) lines only; the console line has no network transport, so there is nothing to restrict there.

Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit

Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit

Disable SNMP server (in case not in use):
no snmp-server

Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public

Configure Clock Timezone – GMT:
clock timezone GMT <hours>

Disable Router Name and DNS Name Resolution (in case not in use):
no ip domain-lookup

Disable CDP Run Globally:
no cdp run
Note: CDP is also used by Cisco IP phones (voice VLAN discovery) and by some management tools. Where it is needed on specific access ports, keep it running globally and disable it per interface (no cdp enable) on the interfaces facing untrusted networks instead.

Disable PAD service (in case not in use):
no service pad

Disable Finger Service:
no service finger

Disable Maintenance Operations Protocol (MOP):
interface <interface-id>
no mop enabled
exit

Disable DHCP server (in case not in use):
no service dhcp

Disable IP BOOTP server (in case not in use):
no ip bootp server

Disable Identification Service:
no ip identd

Disable IP HTTP Server (in case not in use):
no ip http server

Disable Remote Startup Configuration:
no boot network
no service config

Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out

Disable small-servers:
no service tcp-small-servers
no service udp-small-servers

Disable TFTP Server:
no tftp-server

Configure Logging:
logging on
logging buffered 16000
logging console critical

Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
no ip source-route

Disable Directed Broadcast:
interface <interface-id>
no ip directed-broadcast
exit

Configure Unicast Reverse-Path Forwarding:
interface <interface-id>
ip verify unicast reverse-path
exit
Note: This is strict-mode uRPF and requires CEF to be enabled. Apply it only on interfaces where routing is symmetric (typically the edge interface facing the Internet or a single-homed network); on interfaces with asymmetric routing it drops legitimate packets.

Disable IP Proxy ARP:
interface <interface-id>
no ip proxy-arp
exit

Disable Gratuitous-Arps:
no ip gratuitous-arps

Configure switch port-security:
interface <interface-id>
switchport mode access
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky
exit
Note: Port security is an interface command and is accepted only on static access ports (switchport mode access), not on trunks or dynamic (DTP) ports. With violation shutdown the port goes err-disabled as soon as a second MAC address appears and must be re-enabled manually (or by errdisable recovery); do not apply this with maximum 1 to ports with IP phones or hubs behind them.

Save the changes:
wr
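
To check that a device actually ends up with the settings above, the script below (an added example by the editor, not part of the original guide) audits a saved IOS running-config against a list of required and forbidden lines. The pattern lists, the constructed sample configuration and the hostname rtr1 are assumptions; the same function serves the firewall checklist earlier on the page once the lists are replaced with the ASA/PIX commands.

```shell
#!/bin/sh
# Added example (editor's, not part of the original guide): audit a saved IOS
# running-config against the hardening items above. The "required" and
# "forbidden" lists, the sample config and the hostname rtr1 are assumptions;
# extend the lists (or swap in ASA commands) for your own baseline.
set -u

# Prints one line per finding and returns the number of findings (0 = clean).
audit_config() {
    cfg="$1"
    findings=0
    # Lines that must appear (anchored regexes; leading blanks allow for
    # indented line-mode commands such as "transport input ssh").
    required='^service password-encryption$
^aaa new-model$
^enable secret 
^no ip source-route$
^no cdp run$
^no ip http server$
^no service tcp-small-servers$
^no service udp-small-servers$
^logging buffered 
^ +transport input ssh$'
    # Patterns that must NOT appear anywhere in the config.
    forbidden='^snmp-server community (public|private)
^ +transport input (telnet|all)
^enable password 
^ip http server$'
    old_ifs=$IFS
    IFS='
'
    set -f                      # no pathname expansion while looping over patterns
    for pat in $required; do
        grep -qE -- "$pat" "$cfg" || { echo "MISSING  : $pat"; findings=$((findings + 1)); }
    done
    for pat in $forbidden; do
        if grep -qE -- "$pat" "$cfg"; then
            echo "FORBIDDEN: $(grep -E -- "$pat" "$cfg" | head -n 1)"
            findings=$((findings + 1))
        fi
    done
    set +f
    IFS=$old_ifs
    return $findings
}

# Constructed sample config: two required items missing (no cdp run, SSH-only
# VTY transport) and two forbidden lines present (public community, telnet).
write_sample_config() {
    cat > "$1" <<'EOF'
hostname rtr1
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip bootp server
no ip http server
aaa new-model
aaa authentication login default local-case
enable secret 5 $1$xyz$constructedhashvalue
username admin secret 5 $1$xyz$constructedhashvalue
snmp-server community public RO
logging buffered 16000
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 5 0
 transport input telnet ssh
end
EOF
}

# Demo: audit the sample; in real use pass a file holding "show running-config".
sample=$(mktemp)
write_sample_config "$sample"
audit_config "$sample"
echo "findings: $?"
rm -f "$sample"
```

Run it against the output of show running-config saved to a file; a non-zero exit status means at least one item is missing or a forbidden line is present, which makes it usable as a gate before a configuration is pushed or after a change window.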

How to implement SSL on Nginx 0.7.65

Pre-installation notes
The guide below is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition).

SSL implementation phase

  1. Log in to the server as root.
  2. Create a folder for the SSL certificate files (700 rather than 600, since a directory needs the execute bit to be entered):
    mkdir -p /usr/local/nginx/ssl
    chmod 700 /usr/local/nginx/ssl
  3. Run the commands below to generate a 2048-bit RSA private key and restrict access to it (1024-bit RSA keys are too short to rely on):
    /usr/bin/openssl genrsa -out /usr/local/nginx/ssl/server.key 2048
    chmod 600 /usr/local/nginx/ssl/server.key
    Note: The key is generated without a passphrase because nginx would otherwise prompt for it on every start or restart; the root-only permissions above are what protects it. If you prefer a passphrase-protected key (genrsa -des3), document the passphrase and expect to type it whenever the service starts.
  4. Run the command below to generate the CSR from the key created in step 3:
    /usr/bin/openssl req -new -key /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
    Note: The command above should be written as one line. Use -key (sign the request with the existing key), not -newkey, which would generate and silently overwrite server.key with a second key.
  5. Send the file /tmp/nginx.csr to a Certificate Authority.
  6. As soon as you receive the signed certificate from the CA via email, copy all lines starting with "-----BEGIN" and ending with "-----END" (including those two lines) into a text editor, and save the file as "server.crt".
  7. Copy the file "server.crt" using SCP into /usr/local/nginx/ssl
  8. Follow the link in the email from the CA to obtain the intermediate/root CA chain, and save it as "ca-bundle.crt" (Note: The file must be PEM (base64) encoded).
  9. Copy the file "ca-bundle.crt" using SCP into /usr/local/nginx/ssl
  10. Combine the server certificate (server.crt) and the CA chain (ca-bundle.crt) into one file. The order matters: nginx expects the server certificate first, followed by the chain:
    cat /usr/local/nginx/ssl/server.crt /usr/local/nginx/ssl/ca-bundle.crt > /usr/local/nginx/ssl/server.pem
    Note: The command above should be written as one line.
  11. Remove the original server.crt and ca-bundle.crt files:
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section below from:
    # HTTPS server
    #
    #server {
    #    listen       443;
    #    server_name  localhost;

    #    ssl                  on;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_timeout  5m;

    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
    #    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #    ssl_prefer_server_ciphers   on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
    To:
    server {
        listen 443;
        server_name Server_FQDN;
        ssl on;
        ssl_certificate /usr/local/nginx/ssl/server.pem;
        ssl_certificate_key /usr/local/nginx/ssl/server.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1;
        ssl_ciphers HIGH:!ADH:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /www;
            index index.html index.htm;
        }
    }
    Note: ssl_protocols TLSv1 leaves out both SSLv2 and SSLv3; with the OpenSSL 0.9.8e shipped in RHEL 5, TLS 1.0 is the only TLS version this build can offer. The shipped default (SSLv2 SSLv3 TLSv1) must not be kept, since SSLv2 is broken, and the default cipher string explicitly re-enables LOW and EXP (export) ciphers.

  13. Restart the Nginx service:
    /etc/init.d/nginx restart

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

  1. Log in to the server as root.
  2. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Nginx environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Download Nginx 0.7.65 from:
    http://wiki.nginx.org/NginxInstall
  6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the nginx-0.7.65.tar.gz file:
    tar -zxvf nginx-0.7.65.tar.gz
  9. Move to the Nginx source folder:
    cd /tmp/nginx-0.7.65
  10. Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
  11. Run the commands below to compile the Nginx environment:
    ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

    make

    make install

  12. Remove the Nginx source files:
    rm -rf /tmp/nginx-0.7.65
    rm -f /tmp/nginx-0.7.65.tar.gz
  13. Remove Default Content
    rm -rf /usr/local/nginx/html
  14. Updating Ownership and Permissions on Nginx folders (only the master process, which runs as root, reads the configuration and opens the log files; the nginx user needs no access to either):
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod 750 /usr/local/nginx/conf
    chmod 640 /usr/local/nginx/conf/*
    chmod -R 770 /usr/local/nginx/logs
  15. Create folder for the web content:
    mkdir -p /www
  16. Updating Ownership and Permissions on the web content folder (read-only for everyone but root, so a compromised worker process cannot modify the content):
    chown -R root:root /www
    chmod -R 755 /www
  17. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;
    To:
    user nginx nginx;

    From:
    #error_log logs/error.log notice;
    To:
    error_log logs/error.log notice;

    From:
    server_name localhost;
    To:
    server_name Server_FQDN;

    From:
    root html;
    To:
    root /www;

  18. Add the following directives inside the http { } block of /usr/local/nginx/conf/nginx.conf (they are http-level directives and nginx refuses to start if they are placed after the closing brace at the end of the file). Note that client_max_body_size 1k rejects any request body larger than 1 KB with HTTP 413, so raise it if the site accepts form posts or uploads:
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  19. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /usr/local/nginx/logs/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    # Refuse to start without the binary or the configuration file.
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    # QUIT asks the master for a graceful shutdown (workers finish requests).
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    # Never take the service down if the new configuration does not parse.
    configtest || return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    # HUP re-reads the configuration and starts new workers without downtime.
    killproc $nginx -HUP
    retval=$?
    echo
    return $retval
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q || exit 0
    $1
    ;;
    restart|configtest)
    $1
    ;;
    reload)
    rh_status_q || exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestart|try-restart)
    rh_status_q || exit 0
    restart
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
    esac

  20. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  21. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  22. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  23. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5

How to implement SSL on Lighttpd 1.4.26

Pre-installation notes
The guide below is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition).

SSL implementation phase

  1. Log in to the server as root.
  2. Create a folder for the SSL certificate files (700 rather than 600, since a directory needs the execute bit to be entered):
    mkdir -p /etc/lighttpd/ssl
    chmod 700 /etc/lighttpd/ssl
  3. Run the commands below to generate a 2048-bit RSA private key and restrict access to it (1024-bit RSA keys are too short to rely on):
    /usr/bin/openssl genrsa -out /etc/lighttpd/ssl/server.key 2048
    chmod 600 /etc/lighttpd/ssl/server.key
    Note: The key must not be passphrase-protected: Lighttpd is started from rc.local at boot with nobody there to type the passphrase. The root-only file permissions are what protects the key.
  4. Run the command below to generate the CSR from the key created in step 3:
    /usr/bin/openssl req -new -key /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
    Note: The command above should be written as one line. Use -key (sign the request with the existing key), not -newkey, which would generate and silently overwrite server.key with a second key.
  5. Send the file /tmp/lighttpd.csr to a Certificate Authority.
  6. As soon as you receive the signed certificate from the CA via email, copy all lines starting with "-----BEGIN" and ending with "-----END" (including those two lines) into a text editor, and save the file as "server.crt".
  7. Copy the file "server.crt" using SCP into /etc/lighttpd/ssl/
  8. Combine the private key (server.key) and the server certificate (server.crt) into one file; Lighttpd's ssl.pemfile expects both in a single file, which therefore needs the same root-only permissions as the key:
    cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
    chmod 600 /etc/lighttpd/ssl/server.pem
    Note: The cat command above should be written as one line.
  9. Remove the original server.crt file:
    rm -f /etc/lighttpd/ssl/server.crt
  10. Follow the link in the email from the CA to obtain the intermediate/root CA chain, and save it as "ca-bundle.crt" (Note: The file must be PEM (base64) encoded).
  11. Copy the file "ca-bundle.crt" using SCP into /etc/lighttpd/ssl
  12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following block:
    $SERVER["socket"] == "Server_FQDN:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
        ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
        server.name = "Server_FQDN"
        server.document-root = "/www"
        server.errorlog = "/var/log/lighttpd/serror.log"
        accesslog.filename = "/var/log/lighttpd/saccess.log"
        ssl.use-sslv2 = "disable"
        ssl.cipher-list = "HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
    }
    Note: ssl.ca-file is what sends the intermediate chain to clients; without it, browsers that do not already hold the intermediate certificate show a trust error even though the server certificate itself is valid.
  13. Restart Lighttpd. There is no init script in this setup: stop the running lighttpd process (kill its PID; if server.pid-file is set in lighttpd.conf the PID is in that file), then start it again with:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
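
The SSL steps for nginx and Lighttpd share the same pitfalls: the CSR must be built from the key that stays on the server, the private key must match the certificate that comes back, and the combined file must be assembled in the order each server expects. The script below is an added example by the editor, not part of either guide. It creates a throwaway CA locally so that it runs offline (standing in for the commercial CA in the guides), issues a certificate for the assumed name www.example.test, builds both the nginx-style bundle (certificate, then chain) and the Lighttpd-style bundle (key, then certificate), and verifies each with openssl before anything is deployed. All paths and names in it are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the nginx or Lighttpd guides): build and
# verify the certificate files those guides expect. The local test CA, the
# CN "www.example.test" and the working directory are assumptions.
set -u

# Create a throwaway CA, a 2048-bit server key, a CSR and a signed certificate
# in directory $1, using the file names from the guides.
make_test_pki() {
    d="$1"
    # Throwaway CA: stands in for the commercial CA that signs the CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca-bundle.crt" 2>/dev/null || return 1
    # Server key: generated once, no passphrase, protected by permissions only.
    (umask 077 && openssl genrsa -out "$d/server.key" 2048 2>/dev/null) || return 1
    # CSR from the EXISTING key (-key): -newkey would silently replace server.key.
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null || return 1
    # The CA signs the CSR; this is the "server.crt" that comes back by email.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca-bundle.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/server.crt" 2>/dev/null || return 1
    return 0
}

# nginx ssl_certificate: server certificate FIRST, then the CA chain.
build_nginx_pem() {
    cat "$1/server.crt" "$1/ca-bundle.crt" > "$1/server.pem"
}

# Lighttpd ssl.pemfile: private key plus server certificate in one root-only
# file; the chain is referenced separately through ssl.ca-file.
build_lighttpd_pem() {
    (umask 077 && cat "$1/server.key" "$1/server.crt" > "$1/server.pem")
}

# Check 1: the private key ($1) and the certificate ($2) share one RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate ($1) chains to the CA bundle ($2).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: which certificate comes first in a bundle. For the nginx bundle this
# must be the server's CN; if it prints the CA name, the cat order was reversed.
first_cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Demo when run directly.
work=$(mktemp -d)
if make_test_pki "$work"; then
    build_nginx_pem "$work"
    key_matches_cert "$work/server.key" "$work/server.crt" && echo "key/cert: match"
    chain_verifies "$work/server.crt" "$work/ca-bundle.crt" && echo "chain: OK"
    echo "first cert in server.pem: $(first_cert_cn "$work/server.pem")"
fi
rm -rf "$work"
```

On a real server, run key_matches_cert and chain_verifies against the files you received from the CA before restarting the service: a mismatch here means the CSR was not built from the key on disk (typically a second -newkey run), and a failed chain verification means ca-bundle.crt is incomplete or not PEM-encoded.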

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

  1. Log in to the server as root.
  2. Create a new account:
    groupadd lighttpd
    useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
  3. Mount the RHEL 5.5 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Lighttpd environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-49.x86_64.rpm
    rpm -ivh glibc-devel-2.5-49.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
  5. Download Lighttpd 1.4.26 from:
    http://www.lighttpd.net/download/
  6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the lighttpd-1.4.26.tar.gz file:
    tar -zxvf lighttpd-1.4.26.tar.gz
  9. Download into the folder /tmp/lighttpd-1.4.26/src (replacing the network.c shipped in the tarball) the file below: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
  10. Move to the Lighttpd source folder:
    cd /tmp/lighttpd-1.4.26
  11. Run the commands below to compile the Lighttpd environment:
    ./configure --with-openssl --without-bzip2

    make

    make install

  12. Create the following folders:
    mkdir -p /etc/lighttpd
    mkdir -p /var/log/lighttpd
    mkdir -p /var/cache/lighttpd/compress
  13. Copy the lighttpd.conf file:
    cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
  14. Updating Ownership and Permissions on Lighttpd folders:
    chown lighttpd:lighttpd /var/log/lighttpd
    chown lighttpd:root /etc/lighttpd/lighttpd.conf
    chown lighttpd:lighttpd /var/cache/lighttpd/compress
    chmod o-r /etc/lighttpd/lighttpd.conf
    chmod -R o-r /var/log/lighttpd
  15. Create folder for the web content:
    mkdir -p /www
  16. Updating Ownership and Permissions on the web content folder (read-only for everyone but root, so a compromised server process cannot modify the content):
    chown -R root:root /www
    chmod -R 755 /www
  17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following settings:
    From:
    server.document-root = "/srv/www/htdocs/"
    To:
    server.document-root = "/www"

    From:
    #server.bind = "127.0.0.1"
    To:
    server.bind = "Server_FQDN"

    From:
    # server.tag = "lighttpd"
    To:
    server.tag = "Secure Web Server"

    From:
    #server.username = "wwwrun"
    To:
    server.username = "lighttpd"

    From:
    #server.groupname = "wwwrun"
    To:
    server.groupname = "lighttpd"

    From:
    #dir-listing.activate = "enable"
    To:
    dir-listing.activate = "disable"

  18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
    LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
  19. To manually start Lighttpd use the command:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  20. To start Lighttpd at server start-up, edit using VI the file /etc/rc.local and add the line below:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  21. Remove the Lighttpd source files:
    rm -rf /tmp/lighttpd-1.4.26
    rm -f /tmp/lighttpd-1.4.26.tar.gz
  22. Uninstall the following RPM:
    rpm -e gcc-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5