
Archive for the ‘Apache’ Category

Hardening guide for Apache 2.0 on Solaris 10 platform

  1. Log in to the server using the root account.
  2. Create a new account:

    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
    passwd apache
    passwd -l apache
  3. Mount the Solaris 10 DVD and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  4. Run the command below to install the Apache2 packages:
    pkgadd -d . SUNWapch2r SUNWapch2u
  5. Remove the default content:
    rm -r /var/apache2/htdocs/
    rm -r /var/apache2/cgi-bin/
    rm -r /var/apache2/icons/
  6. Update ownership and permissions on the Apache2 folders:
    chown -R root:root /usr/apache2
    chmod -R 770 /usr/apache2/bin
    chown -R root:root /etc/apache2
    chmod -R go-r /etc/apache2
    chmod -R 770 /etc/apache2
    chown -R root:root /var/apache2/logs
    chmod -R 700 /var/apache2/logs
  7. Create a folder for the web content:
    mkdir -p /www
  8. Update ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  9. Copy the example configuration file in order to edit it:
    cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
  10. Edit the file /etc/apache2/httpd.conf using vi and change the following strings:
    From:
    # LockFile /var/apache2/logs/accept.lock
    To:
    LockFile /var/apache2/logs/accept.lock

    From:
    User webservd
    To:
    User apache

    From:
    Group webservd
    To:
    Group apache

    From:
    PidFile /var/run/apache2/httpd.pid
    To:
    PidFile /var/apache2/logs/httpd.pid

    From:
    DocumentRoot "/var/apache2/htdocs"
    To:
    DocumentRoot "/www"

    From:
    ServerSignature On
    To:
    ServerSignature Off
    HostnameLookups Off

    From:
    # ServerTokens
    To:
    ServerTokens Prod

    From:
    ServerAdmin [email protected]
    To:
    ServerAdmin [email protected]yourcompany.com

    From:
    ServerName 127.0.0.1
    To:
    ServerName Server_FQDN

    From:
    Timeout 300
    To:
    Timeout 60

    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    IndexOptions FancyIndexing VersionSort
    To:
    # IndexOptions FancyIndexing VersionSort

    From:
    ReadmeName README.html
    To:
    # ReadmeName README.html

    From:
    HeaderName HEADER.html
    To:
    # HeaderName HEADER.html

    From:
    AddIcon
    To:
    # AddIcon

    From:
    DefaultIcon /icons/unknown.gif
    To:
    # DefaultIcon /icons/unknown.gif

    From:
    Alias /icons/ "/var/apache2/icons/"
    To:
    # Alias /icons/ "/var/apache2/icons/"

    From:
    AliasMatch
    To:
    # AliasMatch

    From:
    ScriptAlias
    To:
    # ScriptAlias

    From:
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
    To:
    # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

    From:
    LoadModule imap_module libexec/mod_imap.so
    To:
    # LoadModule imap_module libexec/mod_imap.so

    From:
    LoadModule cgi_module libexec/mod_cgi.so
    To:
    # LoadModule cgi_module libexec/mod_cgi.so

    From:
    LoadModule suexec_module libexec/mod_suexec.so
    To:
    # LoadModule suexec_module libexec/mod_suexec.so

    From:
    LoadModule autoindex_module libexec/mod_autoindex.so
    To:
    # LoadModule autoindex_module libexec/mod_autoindex.so

    From:
    LoadModule info_module libexec/mod_info.so
    To:
    # LoadModule info_module libexec/mod_info.so

    From:
    LoadModule status_module libexec/mod_status.so
    To:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule userdir_module libexec/mod_userdir.so
    To:
    # LoadModule userdir_module libexec/mod_userdir.so

    From:
    LoadModule cern_meta_module modules/mod_cern_meta.so
    To:
    # LoadModule cern_meta_module modules/mod_cern_meta.so

    From:
    LoadModule dav_module modules/mod_dav.so
    To:
    # LoadModule dav_module modules/mod_dav.so

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/var/apache2/htdocs">
    To:
    <Directory "/www">
    <LimitExcept GET POST>
    deny from all
    </LimitExcept>

    From:
    Options Indexes FollowSymLinks
    To:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  11. Add the following directives to the end of the httpd.conf file:
    LimitRequestBody 10000
    LimitRequestFields 40
    LimitRequestFieldSize 100
    LimitRequestLine 500
  12. Remove the sections below from the file httpd.conf:
    <Directory "/usr/apache2/manual">
    <Directory "/var/apache2/cgi-bin">
  13. Edit the file /usr/apache2/include/ap_release.h using vi and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
  14. Start Apache from the command line:
    /usr/apache2/bin/apachectl start
  15. Run the command below to start the Apache service at server start-up:
    svcadm enable apache2
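As an added check that is not part of the original guide, the script below audits a copy of httpd.conf for the settings that steps 10 and 11 require (the active values of the hardened directives and the modules that must no longer be loaded). It assumes only POSIX sh with awk and mktemp; the sample configuration it writes is constructed for the demonstration.

```shell
# Added example, not part of the original guide: audit an httpd.conf for the
# settings steps 10-11 above require. Assumes POSIX sh with awk and mktemp.

# Directives that must be active (uncommented) with exactly this value.
REQUIRED='ServerTokens Prod
ServerSignature Off
HostnameLookups Off
Timeout 60
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500'

# Modules the guide comments out; an active LoadModule for any of them is a finding.
FORBIDDEN_MODULES='proxy_ftp_module imap_module cgi_module suexec_module autoindex_module
info_module status_module userdir_module cern_meta_module dav_module'

# Print one line per required directive that is missing or set to another value.
# Commented-out lines never match because their first field begins with '#'.
missing_required() {
    printf '%s\n' "$REQUIRED" | while read -r directive value; do
        actual=$(awk -v d="$directive" '$1 == d { v = $2 } END { print v }' "$1")
        [ "$actual" = "$value" ] ||
            echo "$directive: expected '$value', found '${actual:-<missing>}'"
    done
}

# Print one line per forbidden module that an active LoadModule line still loads.
loaded_forbidden_modules() {
    for m in $FORBIDDEN_MODULES; do
        if awk -v m="$m" '$1 == "LoadModule" && $2 == m { f = 1 } END { exit !f }' "$1"; then
            echo "$m: still loaded"
        fi
    done
}

# audit_httpd_conf FILE: returns 0 when clean; otherwise prints the findings and returns 1.
audit_httpd_conf() {
    findings=$(missing_required "$1"; loaded_forbidden_modules "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample showing the stock defaults the guide replaces (demonstration only).
SAMPLE=$(mktemp)
printf 'LoadModule status_module libexec/mod_status.so\nServerSignature On\n# ServerTokens\nTimeout 300\n' > "$SAMPLE"
if audit_httpd_conf "$SAMPLE"; then echo "hardened"; else echo "not hardened"; fi
rm -f "$SAMPLE"
```

Run it against /etc/apache2/httpd.conf after step 11; a clean run prints nothing and exits 0, so it can sit in a cron job or a post-build check.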

How to implement SSL on Tomcat 5.5

Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Tomcat 5.5 on Solaris 10 platform.

SSL implementation phase

  1. Log in to the server using the root account.
  2. Create a folder for the SSL certificate files:
    mkdir -p /var/apache/tomcat55/conf/ssl.crt
  3. Create a folder for the SSL private key:
    mkdir -p /var/apache/tomcat55/conf/ssl.key
  4. Change ownership of all server files to the tomcat user:
    chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
  5. Run the command below to generate a key store:
    For a 32-bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
    For an x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
    Note: The command above should be written as one line.
  6. Run the command below to generate a CSR (certificate signing request):
    For a 32-bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
    For an x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
    Note: The command above should be written as one line.
  7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (including those two lines) into notepad, and save the file as “server.crt”.
  9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
  12. Run the command below to import the trusted root CA public certificate:
    For a 32-bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

    For an x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
    Note: The command above should be written as one line.

  13. Run the command below to import the signed public key into the key store:
    For a 32-bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

    For an x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
    Note: The command above should be written as one line.

  14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
  15. Edit the file /var/apache/tomcat55/conf/server.xml using vi and add the section below:
    <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="SSLv3"
    keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
    keystorePass="ComplexPassword"
    truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
    truststorePass="changeit"
    ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
    tcpNoDelay="true" />
  16. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section inside the <security-constraint> tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  17. Start the Tomcat service:
    /etc/init.d/tomcat start -security
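As an added helper that is not part of the original guide, the script below does steps 8 and 10 mechanically: it carves the BEGIN/END blocks out of the CA's reply and checks that server.crt and ca-bundle.crt contain nothing but well-formed PEM (base64) blocks before keytool imports them. It assumes POSIX sh with awk and grep; the mail body and base64 content it uses are constructed placeholders, not a real certificate.

```shell
# Added example, not part of the original guide. Assumes POSIX sh with awk, grep and mktemp.

# extract_pem_blocks FILE: print only the "-----BEGIN ...-----" .. "-----END ...-----"
# blocks found in FILE, dropping the surrounding mail text (the copy made in step 8).
extract_pem_blocks() {
    awk '/^-----BEGIN [A-Z ]*-----$/ { inside = 1 }
         inside { print }
         /^-----END [A-Z ]*-----$/ { inside = 0 }' "$1"
}

# validate_pem FILE: 0 when FILE holds at least one properly closed block whose body
# lines are all base64 text (A-Z a-z 0-9 + / =) of at most 64 chars, and nothing else.
validate_pem() {
    awk '/^-----BEGIN / { if (inside) bad = 1; inside = 1; blocks++; next }
         /^-----END /   { if (!inside) bad = 1; inside = 0; next }
         inside && ($0 !~ /^[A-Za-z0-9+\/=]+$/ || length($0) > 64) { bad = 1 }
         !inside && NF { bad = 1 }
         END { exit (bad || inside || blocks == 0) ? 1 : 0 }' "$1"
}

# count_pem_certs FILE: number of CERTIFICATE blocks, i.e. the chain length of ca-bundle.crt.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true   # grep exits 1 on a count of 0
}

# Constructed CA reply for demonstration; the base64 body is a placeholder, not a real cert.
MAIL=$(mktemp); CRT=$(mktemp)
cat > "$MAIL" <<'EOF'
Dear customer, your certificate is below.
-----BEGIN CERTIFICATE-----
MIIBplaceholderConstructedSampleNotARealCertificate00000000AAAA
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
Regards, the CA
EOF
extract_pem_blocks "$MAIL" > "$CRT"
if validate_pem "$CRT"; then echo "server.crt OK: $(count_pem_certs "$CRT") certificate(s)"; else echo "malformed"; fi
rm -f "$MAIL" "$CRT"
```

The same validate_pem check applied to ca-bundle.crt catches a chain that was saved in DER or with mail-client line wrapping, which keytool would otherwise reject at step 12.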