Security and Cloud 24/7

Archive for the ‘Apache’ Category

This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:
• X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
• TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0

Pre-Requirements
• policycoreutils-python-* package installed
• setools-libs-* package installed
• libcgroup-* package installed
• audit-libs-python-* package installed
• libsemanage-python-* package installed
• setools-libs-python-* package installed
• gcc* package installed
• gcc-c++* package installed
• autoconf* package installed
• automake* package installed

Installation Phase
1. Login to the server using Root account
2. Upgrade the Openssl build:
   rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

   yum --enablerepo=axivo update openssl -y

3. Download Apache source file into /tmp, from:
   http://httpd.apache.org/download.cgi
4. Download APR and APR-Util source files into /tmp, from:
   https://apr.apache.org/download.cgi
5. Download PCRE source file into /tmp, from:
   http://sourceforge.net/projects/pcre/files/pcre/
6. Compile PCRE from source file:
   
   tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

   mv /tmp/pcre-8.33 /usr/local/pcre

   cd /usr/local/pcre

   ./configure --prefix=/usr/local/pcre

   make

   make install

7. Extract Apache source files:
   cd /tmp

   tar zxvf httpd-2.4.6.tar.gz

   cd httpd-2.4.6/srclib/

   tar zxvf ../../apr-1.4.8.tar.gz

   ln -s apr-1.4.8/ apr

   tar zxvf ../../apr-util-1.5.2.tar.gz

   ln -s apr-util-1.5.2/ apr-util

8. Compile the Apache from source files:
   cd /tmp/httpd-2.4.6

   ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

   make

   make install

9. Remove the source files:
   rm -rf /tmp/apr-1.4.8.tar.gz

   rm -rf /tmp/apr-util-1.5.2.tar.gz

   rm -rf /tmp/httpd-2.4.6.tar.gz

   rm -rf /tmp/httpd-2.4.6

   rm -rf /tmp/pcre-8.33.tar.gz

10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin

    rm -rf /opt/httpd/htdocs

    rm -rf /opt/httpd/icons

    rm -rf /opt/httpd/man

    rm -rf /opt/httpd/manual

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-default.conf

    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-info.conf

    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

    rm -rf /opt/httpd/conf/extra/proxy-html.conf

    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

    rm -rf /opt/httpd/conf/original

11. Updating Ownership and Permissions on Apache folders:
    chown root:root /opt/httpd/bin/apachectl

    chown root:root /opt/httpd/bin/httpd

    chmod 770 /opt/httpd/bin/apachectl

    chmod 770 /opt/httpd/bin/httpd

    chown -R root:root /opt/httpd

    chmod -R go-r /opt/httpd

    chown -R root:root /opt/httpd/logs

    chmod -R 700 /opt/httpd/logs

12. Create folder for the web content:
    mkdir -p /www
13. Updating Ownership and Permissions on the web content folder:
    chown -R root /www

    chmod -R 775 /www

14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    restorecon -F -R -v /www

15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin root@localhostTo:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
Options FollowSymLinks
AllowOverride None
</Directory>To:
    <Directory />
Options None
AllowOverride None
Require all denied
Order deny,allow
deny from all
<LimitExcept GET POST>
deny from all
</limitexcept>
</Directory>

    From:
    <Directory "/opt/httpd/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
</Directory>To:
    <Directory "/www">
Options None
AllowOverride None
Require all granted
Order allow,deny
Allow from all
<LimitExcept GET POST>
deny from all
</limitexcept>
</Directory>

16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file, begining with:
    ScriptAlias

    IndexOptions

    AddIconByEncoding

    AddIconByType

    AddIcon

    DefaultIcon

    ReadmeName

    HeaderName

    IndexIgnore

    LanguagePriority

    ForceLanguagePriority

17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so

    LoadModule status_module modules/mod_status.so

    LoadModule info_module modules/mod_info.so

    LoadModule autoindex_module modules/mod_autoindex.so

    LoadModule include_module modules/mod_include.so

    LoadModule userdir_module modules/mod_userdir.so

    LoadModule env_module modules/mod_env.so

    LoadModule negotiation_module modules/mod_negotiation.so

    LoadModule actions_module modules/mod_actions.so

18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
ErrorDocument 400 "The requested URL was not found on this server."
ErrorDocument 401 "The requested URL was not found on this server."
ErrorDocument 403 "The requested URL was not found on this server."
ErrorDocument 404 "The requested URL was not found on this server."
ErrorDocument 405 "The requested URL was not found on this server."
ErrorDocument 408 "The requested URL was not found on this server."
ErrorDocument 410 "The requested URL was not found on this server."
ErrorDocument 411 "The requested URL was not found on this server."
ErrorDocument 412 "The requested URL was not found on this server."
ErrorDocument 413 "The requested URL was not found on this server."
ErrorDocument 414 "The requested URL was not found on this server."
ErrorDocument 415 "The requested URL was not found on this server."
ErrorDocument 500 "The requested URL was not found on this server."
# Configure Server Tokens
ServerTokens Prod
# Disable Server Signature
ServerSignature Off
# Disable Tracing
TraceEnable Off
# Maximum size of the request body.
LimitRequestBody 25000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4000
# Maximum size of the request line.
LimitRequestLine 4000
MaxRequestsPerChild 10000
# Configure clickjacking protection
Header always append X-Frame-Options SAMEORIGIN
20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
22. Extract and install the Apache boot script:
    cd /tmp/

    tar xvjf blfs-bootscripts-20131023.tar.bz2

    cd /tmp/blfs-bootscripts-20131023

    make install-httpd

23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
    From:
    /usr/sbin/apachectlTo:
    /opt/httpd/bin/apachectl

    From:
    log_info_msgTo:
    echo

    From:
    evaluate_retvalTo:
    #evaluate_retval

24. Configure the Apache to start automatically:
    chkconfig httpd on
25. Configure IPTables:
    service iptables stop

    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
28. Save the IPTables settings:
    service iptables save
29. Start the Apache daemon:
    service httpd start

SSL Configuration Phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /opt/httpd/conf/ssl

   chmod 600 /opt/httpd/conf/ssl

3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
   Note: Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
   Note: The command above should be written as one line.
5. Send the file /tmp/apache.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
   From:
   Listen Server_FQDN:80To:
   Listen Server_FQDN:443
   Note: Replace Server_FQDN with the actual DNS name.

   From:
   ServerName Server_FQDNTo:
   ServerName Server_FQDN:443
   Note: Replace Server_FQDN with the actual DNS name.

   From:
   #Include conf/extra/httpd-ssl.confTo:
   Include conf/extra/httpd-ssl.conf

   From:
   #LoadModule socache_shmcb_module modules/mod_socache_shmcb.soTo:
   LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
   From:
   SSLCertificateFile "/opt/httpd/conf/server.crt"To:
   SSLCertificateFile /opt/httpd/conf/ssl/server.crt

   From:
   SSLCertificateKeyFile "/opt/httpd/conf/server.key"To:
   SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

   From:
   #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"To:
   SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

   From:
   SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5To:
   SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

   From:
   #SSLHonorCipherOrder onTo:
   SSLHonorCipherOrder On

   From:
   Listen @@SSLPort@@To:
   Listen Server_FQDN:443
   Note: Replace Server_FQDN with the actual DNS name.

   From:
   DocumentRoot "/opt/httpd/htdocs"To:
   DocumentRoot "/www"

   From:
   ServerName www.example.com:@@SSLPort@@To:
   #ServerName www.example.com:@@SSLPort@@

   From:
   ServerAdmin [email protected]To:
   ServerAdmin webmaster@mycompany.com
   Note: Replace mycompany.com with the actual Company DNS name.

   From:
   <VirtualHost _default_:@@SSLPort@@>To:
   <VirtualHost _default_:443>

10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2
SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
# Disable SSL Compression
SSLCompression Off
11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
14. Save the IPTables settings:
    service iptables save
15. Restart the Apache service:
    service httpd restart

Pre-installation notes
The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

PHP installation phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder:
   rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
rpm -ivh libjpeg-devel-6b-37.i386.rpm

3. Download MySQL development RPM from:
   http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
4. Download PHP 5.3.8 source files from:
   http://php.net/downloads.php
5. Download the latest libxml2 for PHP from:
   http://xmlsoft.org/sources/
6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
8. Move to /tmp
   cd /tmp
9. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
11. Extract the php-5.3.8.tar.gz file:
    tar -zxvf php-5.3.8.tar.gz
12. Extract the libxml2 source file:
    tar -zxvf libxml2-2.7.7.tar.gz
13. Move the libxml2-2.7.7 folder:
    cd /tmp/libxml2-2.7.7
14. Run the commands bellow to compile the libxml2:
    ./configuremakemake install
15. Move to the PHP source folder:
    cd /tmp/php-5.3.8
16. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftpmakemake install
17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.htmlTo:
    DirectoryIndex index.php index.html index.htm
    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 600000
18. Copy the PHP.ini file
    cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
19. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
20. Edit using VI, the file /etc/php.ini
    Replace the value of the string, from:
    mysql.default_host =To:
    mysql.default_host = 127.0.0.1:3306Replace the value of the string, from:
    pdo_mysql.default_socket=To:
    pdo_mysql.default_socket=127.0.0.1Replace the value of the string, from:
    allow_url_fopen = OnTo:
    allow_url_fopen = OffReplace the value of the string, from:
    expose_php = OnTo:
    expose_php = OffReplace the value of the string, from:
    memory_limit = 128MTo:
    memory_limit = 64MReplace the value of the string, from:
    ;open_basedir =To:
    open_basedir = "/www"Replace the value of the string, from:
    post_max_size = 8MTo:
    post_max_size = 2MReplace the value of the string, from:
    disable_functions =To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuidReplace the value of the string, from:
    ;include_path = ".:/php/includes"To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"Replace the value of the string, from:
    display_errors = OnTo:
    display_errors = OffReplace the value of the string, from:
    display_startup_errors = OnTo:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0To:
    gd.jpeg_ignore_warning = 1

21. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
rm -f /tmp/libxml2-2.7.7.tar.gz
rm -rf /tmp/php-5.3.8
rm -rf /tmp/libxml2-2.7.7
rm -rf /tmp/pear
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test


Drupal installation phase

1. Login to the server using Root account.
2. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-passwordNote: Replace the string “new-password” with the actual password for the root account.
3. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE Z5J6Dw1;
GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quitNote 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
4. Download Drupal 7.7 from:
   http://drupal.org/project/drupal
5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
6. Move to /www
   cd /www
7. Extract the file bellow:
   tar -zxvf drupal-7.7.tar.gz
8. Remove Drupal source file:
   rm -f /www/drupal-7.7.tar.gz
9. Rename the Drupal folder:
   mv /www/drupal-7.7 /www/drupal
10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
rm -f /www/drupal/COPYRIGHT.txt
rm -f /www/drupal/INSTALL.pgsql.txt
rm -f /www/drupal/LICENSE.txt
rm -f /www/drupal/UPGRADE.txt
rm -f /www/drupal/INSTALL.mysql.txt
rm -f /www/drupal/INSTALL.sqlite.txt
rm -f /www/drupal/INSTALL.txt
rm -f /www/drupal/MAINTAINERS.txt
rm -f /www/drupal/sites/example.sites.php

11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/drupal"
12. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop/usr/local/apache2/bin/apachectl start
13. Create the following folders:
    mkdir /www/drupal/sites/default/filesmkdir /www/private
14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.phpchmod -R 777 /www/drupal/sites/default/fileschmod -R 777 /www/private
16. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/install.php
17. Select “Standard” installation and click “Save and continue”.
18. Choose the default “English” and click “Save and continue”.
19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

20. Click “Save and Continue”.
21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
22. Select “Default country” and “Default time zone”.
23. Unselect the “Update Notifications” checkboxes.
24. Click “Save and Continue”.
25. Close the web browser.
26. Create using VI the file /www/config.php with the following content:
    <?php
$databases = array (
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);
?>Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php’ tag or after a closing ‘?>’ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
27. Edit using VI, the file /www/drupal/sites/default/settings.php
    Add the following line:
    include('/www/config.php');Remove the following section:
    $databases = array (
'default' =>
array (
'default' =>
array (
'driver' => 'mysql',
'database' => 'Z5J6Dw1',
'username' => 'blgusr',
'password' => 'password2',
'host' => '127.0.0.1',
'port' => '',
'prefix' => 'Z5J6Dw1_',
),
),
);Replace the string from:
    ini_set('session.cookie_lifetime', 2000000);To:
    ini_set('session.cookie_lifetime', 0);
28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with "."
<FilesMatch "^\..*$">
Order allow,deny
</FilesMatch>
<FilesMatch "^.*\..*$">
Order allow,deny
</FilesMatch>
# Allow "." files with safe content types
<FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
Order deny,allow
</FilesMatch>
30. Run the command bellow to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
31. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
    • Drupal Firewall – http://drupal.org/project/dfw
    • SpamSpan filter – http://drupal.org/project/spamspan
    • Content Security Policy – http://drupal.org/project/content_security_policy
    • GoAway – http://drupal.org/project/goaway
    • IP anonymize – http://drupal.org/project/ip_anon
    • Flood control – http://drupal.org/project/flood_control
    • Password policy – http://drupal.org/project/password_policy
    • Persistent Login – http://drupal.org/project/persistent_login
    • Secure Permissions – http://drupal.org/project/secure_permissions
    • Security Review – http://drupal.org/project/security_review
    • System Permissions – http://drupal.org/project/system_perm
    • Block anonymous links – http://drupal.org/project/blockanonymouslinks
32. From SSH session, move to the folder /www/drupal/sites/all/modules.
33. Extract the downloaded above modules:
    tar zxvf dfw-7.x-1.1.tar.gztar zxvf spamspan-7.x-1.1-beta1.tar.gztar zxvf content_security_policy-7.x-1.x-dev.tar.gztar zxvf goaway-7.x-1.2.tar.gztar zxvf ip_anon-7.x-1.0.tar.gztar zxvf flood_control-7.x-1.0.tar.gztar zxvf password_policy-7.x-1.0-beta1.tar.gztar zxvf persistent_login-7.x-1.x-dev.tar.gztar zxvf secure_permissions-7.x-1.5.tar.gztar zxvf security_review-7.x-1.x-dev.tar.gztar zxvf system_perm-7.x-1.x-dev.tar.gztar zxvf blockanonymouslinks-7.x-1.1.tar.gz
34. Remove the modules source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gzrm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gzrm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gzrm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gzrm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gzrm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gzrm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

35. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/?q=user/login
36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
41. Click on Save configuration.

Drupal SSL configuration phase

1. Add the following line to the /www/drupal/sites/default/settings.php file:
   $conf['https'] = TRUE;
2. Download into /www/drupal/sites/all/modulesthe latest build of the modules bellow:
   • Secure Pages – http://drupal.org/project/securepages
   • Secure Login – http://drupal.org/project/securelogin
3. From SSH session, move to the folder /www/drupal/sites/all/modules.
4. Extract the downloaded above modules:
   tar zxvf securepages-7.x-1.x-dev.tar.gztar zxvf securelogin-7.x-1.2.tar.gz
5. Remove the modules source files:
   rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gzrm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
6. Open a web browser from a client machine, and enter the URL bellow:
   https://Server_FQDN/?q=user/login
7. From the upper menu, click on Modules -> from the main page, select the following modules:
   • Secure Login
   • Secure Pages
8. Click on Save configuration.
9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

1. Install OpenSSL.
2. Run the command bellow to generate a new key store called “server.key”
   openssl genrsa -des3 -out /tmp/server.key 1024
3. Run the commands bellow to request a new SSL certificate:
   openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

   openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

4. Run the command bellow to backup the key store file that has a password:
   cp /tmp/server.key /tmp/server.key.bak
5. Run the command bellow to generate a new key store without a password:
   openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
   cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
   openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

• server.key – Key store file
• server.crt – Server SSL public key file
• no.pwd.server.key – Key store file (without a password)
• no.pwd.server.pem – Key store file + server SSL public key file (without a password)
• server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount

3. Run the commands bellow to switch to the SSH account:
   su sshaccount

4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys

6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit

8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 3.0 from:
    http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-3.0.zip file:
    unzip wordpress-3.0.zip
14. Remove WordPress source file:
    rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/wordpress"

    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Site Title
    • Username – replace the default “admin“
    • Password
    • E-mail
23. Click on “Install WordPress” button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address.
27. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

28. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
29. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
30. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
31. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
33. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
38. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
39. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
42. Click on “Save changes”.
43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

45. Click “Submit”.
46. From the upper pane, click on “Log Out”.
47. Delete the file /wp-admin/install.php
48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
• Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase

1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
   groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
   su sshaccount
4. Run the command bellow to generate SSH keys:
   ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
   cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
   chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*

7. Exit the SSH account shell and return to the Root account:
   exit
8. Run the command bellow to login to the MySQL:
   /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
   CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
   Note 1: Replace “blgusr” with your own MySQL account to access the database.
   Note 2: Replace “password2” with complex password (at least 14 characters).
   Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
    http://wordpress.org/download
11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
12. Move to /www
    cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
    tar -zxvf wordpress-2.9.2.tar.gz
14. Remove WordPress source file:
    rm -f /www/wordpress-2.9.2.tar.gz
15. Create using VI the file /www/config.php with the following content:
    <?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
18. Remove default content:
    rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php

19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"
To:
    DocumentRoot "/www/wordpress"
Replace the value of the string, from:
    LimitRequestBody 10000
To:
    LimitRequestBody 200000

20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
    • Blog Title
    • E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
25. Run the following commands from the MySQL prompt:
    use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
    Note 1: Replace “johnd” with your own new WordPress admin.
    Note 2: Replace “password3” with complex password (at least 14 characters).
26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
    'timeout' => apply_filters( 'http_request_timeout', 5),
To:
    'timeout' => apply_filters( 'http_request_timeout', 30),
27. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> Note: Replace 1.1.1.0 with the internal network IP address.
29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade

31. Change the file permissions:
    chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
32. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
33. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
35. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602

40. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602

41. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php

42. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
43. From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
    wp-content/uploads

44. Click on “Save changes”.
45. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
46. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php

47. Click “Submit”.
48. From the upper pane, click on “Log Out”.
49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Pre-installation notes
The guide bellow is based on the previous guides:

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
• Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Installation and configuration phase

1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
   rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm

3. Download MySQL development RPM from:
   http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Download PHP 5.3.2 source files from:
   http://php.net/downloads.php
5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
   cd /tmp
8. Install the MySQL development RPM:
   rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
9. Remove MySQL development RPM:
   rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
10. Extract the php-5.3.2.tar.gz file:
    tar -zxvf php-5.3.2.tar.gz
11. Move to the PHP source folder:
    cd /tmp/php-5.3.2
12. Run the commands bellow to compile the PHP environment:
    ./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

    make

    make install

13. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Make sure the following string exists at the end of the LoadModule section:
    LoadModule php5_module modules/libphp5.so
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.htmlTo:
    DirectoryIndex index.php index.html index.htm
14. Copy the PHP.ini file
    cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
15. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
16. Edit using VI, the file /etc/php.ini and replace the following values:
    From:
    mysql.default_host =To:
    mysql.default_host = 127.0.0.1:3306

    From:
    allow_url_fopen = OnTo:
    allow_url_fopen = Off

    From:
    expose_php = OnTo:
    expose_php = Off

    From:
    memory_limit = 128MTo:
    memory_limit = 8M

    From:
    ;open_basedir =To:
    open_basedir = "/www"

    From:
    post_max_size = 8MTo:
    post_max_size = 2M

    From:
    upload_max_filesize = 2MTo:
    upload_max_filesize = 1M

    From:
    disable_functions =To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

    From:
    ;include_path = ".:/php/includes"To:
    include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

    From:
    display_errors = OnTo:
    display_errors = Off

    From:
    display_startup_errors = OnTo:
    display_startup_errors = Off

17. Run the commands bellow to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start

18. Remove the PHP source and test files:
    rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test

19. Uninstall the following RPM:
    rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Pre-installation notes
The guide bellow is based on the previous guide

• Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl
3. Run the command bellow to generate a key pair:
   /usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
   /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
5. Send the file /tmp/apache.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
7. Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
    Listen Server_FQDN:443
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
11. Restart the Apache services:
    /usr/local/apache2/bin/apachectl restart
12. Backup the file /usr/local/apache2/ssl/server.key

1. Login to the server using Root account.
2. Create a new account:
   groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache

3. Mount RHEL 5.4 DVD, and move to the RPM folder:
   mount /dev/hdc /media
cd /media/Server

4. Before compiling the Apache environment, install the following RPM:
   rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm

5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
6. Move to /tmp
   cd /tmp
7. Extract the httpd-2.2.15.tar.gz file:
   tar -zxvf httpd-2.2.15.tar.gz
8. Move to the Apache source folder:
   cd httpd-2.2.15
9. Run the commands bellow to compile the Apache environment:
   ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl

   make

   make install


10. Remove the Apache source files:
    rm -rf /tmp/httpd-2.2.15rm -f /tmp/httpd-2.2.15.tar.gz
11. Remove Default Content
    rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original

12. Updating Ownership and Permissions on Apache2 folders:
    chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs
13. Create folder for the web content:
    mkdir -p /www
14. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
chmod -R 775 /www

15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
    From:
    DocumentRoot "/var/www/html"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80

    From:
    ServerAdmin root@localhost To:
    ServerAdmin webmaster@mycompany.com

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN

    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

    From:
    <Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>To:
    <Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>


    From:
    <Directory "/usr/local/apache2/htdocs">To:
    <Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>


    From:
    Options Indexes FollowSymLinksTo:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

16. Add the following sections to the end of the httpd.conf file:
    ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500
17. Remove the sections bellow from the file httpd.conf
    <Directory "/usr/local/apache2/cgi-bin">
18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

19. Starting Apache from command line:
    /usr/local/apache2/bin/apachectl start
20. To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/apache2/bin/apachectl start
21. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Previous guides:

• Hardening guide for Apache 2.0 on Solaris 10 platform
• How to implement SSL on Apache 2.0

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Mount Solaris 10 DVD, and move to the packages folder:
   cd /cdrom/sol_10_1008_x86/Solaris_10/Product
3. Run the command bellow to install OpenSSL packages:
   pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
4. Create folder for the SSL certificate files:
   mkdir -p /etc/apache2/ssl.crt
5. Create folder for the SSL private key:
   mkdir -p /etc/apache2/ssl.key
6. Run the command bellow to generate a key pair:
   /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
   Specify a complex pass phrase for the private key (and document it)
7. Change the permissions on the private key file:
   chmod 600 /etc/apache2/ssl.key/server.key
8. Run the command bellow to generate the CSR:
   /usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
9. Send the file /tmp/apache.csr to a Certificate Authority server.
10. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
11. Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
12. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
13. Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
14. Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
    From:
    SSLSessionCache dbm:/var/run/apache2/ssl_scacheTo:
    SSLSessionCache dbm:/var/ apache2/ssl_scache

    From:
    SSLMutex file:/var/run/apache2/ssl_mutexTo:
    SSLMutex file:/var/apache2/ssl_mutex

    From:
    ServerName 127.0.0.1:443To:
    ServerName Server_FQDN:443

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crtTo:
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    From:
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLTo:
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

15. Remove the section bellow:
    <Directory "/var/apache2/cgi-bin">
16. Stopping Apache from command line:
    /usr/apache2/bin/apachectl stop
17. Starting Apache from command line:
    /usr/apache2/bin/apachectl startssl