Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd lighttpd
    useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
  3. Mount the RHEL 5.4 DVD and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Lighttpd environment, install the following RPMs:
    rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-49.x86_64.rpm
    rpm -ivh glibc-devel-2.5-49.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
  5. Download Lighttpd 1.4.26 from:
    http://www.lighttpd.net/download/
  6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp:
    cd /tmp
  8. Extract the lighttpd-1.4.26.tar.gz file:
    tar -zxvf lighttpd-1.4.26.tar.gz
  9. Download the file below into the folder /tmp/lighttpd-1.4.26/src:
    http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
  10. Move to the Lighttpd source folder:
    cd /tmp/lighttpd-1.4.26
  11. Run the commands below to compile the Lighttpd environment:
    ./configure --with-openssl --without-bzip2
    make
    make install
  12. Create the following folders:
    mkdir -p /etc/lighttpd
    mkdir -p /var/log/lighttpd
    mkdir -p /var/cache/lighttpd/compress
  13. Copy the lighttpd.conf file:
    cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
  14. Update ownership and permissions on the Lighttpd folders:
    chown lighttpd:lighttpd /var/log/lighttpd
    chown lighttpd:root /etc/lighttpd/lighttpd.conf
    chown lighttpd:lighttpd /var/cache/lighttpd/compress
    chmod o-r /etc/lighttpd/lighttpd.conf
    chmod -R o-r /var/log/lighttpd
  15. Create folder for the web content:
    mkdir -p /www
  16. Update ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  17. Using vi, edit the file /etc/lighttpd/lighttpd.conf and change the following strings:
    From:
    server.document-root = "/srv/www/htdocs/"
    To:
    server.document-root = "/www"

    From:
    #server.bind = "127.0.0.1"
    To:
    server.bind = "Server_FQDN"

    From:
    # server.tag = "lighttpd"
    To:
    server.tag = "Secure Web Server"

    From:
    #server.username = "wwwrun"
    To:
    server.username = "lighttpd"

    From:
    #server.groupname = "wwwrun"
    To:
    server.groupname = "lighttpd"

    From:
    #dir-listing.activate = "enable"
    To:
    dir-listing.activate = "disable"

  18. Using vi, create a file called /etc/sysconfig/lighttpd with the following content:
    LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
  19. To start Lighttpd manually, use the command:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  20. To start the Lighttpd service at server start-up, use vi to edit the file /etc/rc.local and add the line below:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  21. Remove the Lighttpd source files:
    rm -rf /tmp/lighttpd-1.4.26
    rm -f /tmp/lighttpd-1.4.26.tar.gz
  22. Uninstall the following RPMs:
    rpm -e gcc-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5
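
The script below is an added example, not part of the original guide: it audits a lighttpd.conf against the values set in step 17 and the world-read permission removed in step 14. The function names get_directive and audit_lighttpd_conf and the sample configuration are constructed for illustration; on a real server, pass /etc/lighttpd/lighttpd.conf to audit_lighttpd_conf.

```bash
# Added example (not from the original guide); helper names are hypothetical.
# Print the value of the last uncommented key = "value" line in a config file.
get_directive() {   # $1 = config file, $2 = directive name
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) != 1 { next }      # also skips "#key = ..." defaults
        { rest = substr(line, length(key) + 1) }
        rest !~ /^[ \t]*=/ { next }         # a longer directive sharing the prefix
        { sub(/^[ \t]*=[ \t]*"?/, "", rest); sub(/".*$/, "", rest); val = rest }
        END { print val }' "$1"
}

# Print one FAIL line per deviation; return 0 only when nothing deviates.
audit_lighttpd_conf() {   # $1 = path to lighttpd.conf
    conf=$1; fails=0
    while IFS='|' read -r key want; do
        got=$(get_directive "$conf" "$key")
        [ "$got" = "$want" ] && continue
        echo "FAIL $key: expected \"$want\", found \"${got:-<unset>}\""; fails=$((fails + 1))
    done <<'EOF'
server.document-root|/www
server.tag|Secure Web Server
server.username|lighttpd
server.groupname|lighttpd
dir-listing.activate|disable
EOF
    # server.bind is site-specific: it must be set, and not to the guide's placeholder.
    case $(get_directive "$conf" server.bind) in
        ''|Server_FQDN) echo "FAIL server.bind: set it to the server FQDN"; fails=$((fails + 1)) ;;
    esac
    # Step 14 removes world-read from the config file (chmod o-r).
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FAIL $conf is world-readable"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: step 17 applied, except server.tag was left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server.document-root = "/www"
server.bind = "www.example.com"
# server.tag = "lighttpd"
server.username = "lighttpd"
server.groupname = "lighttpd"
dir-listing.activate = "disable"
EOF
audit_lighttpd_conf "$sample" || echo "lighttpd.conf deviates from the guide"
rm -f "$sample"
```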
