Security and Cloud 24/7

Archive for the ‘Apache’ Category

1. Login to the server using Root account.
2. Create a new account:
   
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache

3. Mount Solaris 10 DVD, and move to the packages folder:
   cd /cdrom/sol_10_1008_x86/Solaris_10/Product

4. Run the command bellow to install Apache2 packages:
   pkgadd -d . SUNWapch2r SUNWapch2u
5. Remove Default Content
   rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/

6. Updating Ownership and Permissions on Apache2 folders:
   chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs

7. Create folder for the web content:
   mkdir -p /www
8. Updating Ownership and Permissions on the web content folder:
   chown -R root /www
chmod -R 775 /www
9. Copy the configuration file in-order to edit it:
   cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
10. Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
    From:
    # LockFile /var/apache2/logs/accept.lockTo:
    LockFile /var/apache2/logs/accept.lock

    From:
    User webservdTo:
    User apache
    From:
    Group webservdTo:
    Group apache

    From:
    PidFile /var/run/apache2/httpd.pidTo:
    PidFile /var/apache2/logs/httpd.pid

    From:
    DocumentRoot "/var/apache2/htdocs"To:
    DocumentRoot "/www"

    From:
    ServerSignature OnTo:
    ServerSignature Off
HostnameLookups Off


    From:
    # ServerTokensTo:
    ServerTokens Prod

    From:
    ServerAdmin [email protected]To:
    ServerAdmin webmaster@yourcompany.com

    From:
    ServerName 127.0.0.1To:
    ServerName Server_FQDN

    From:
    Timeout 300To:
    Timeout 60

    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    IndexOptions FancyIndexing VersionSortTo:
    # IndexOptions FancyIndexing VersionSort

    From:
    ReadmeName README.htmlTo:
    # ReadmeName README.html

    From:
    HeaderName HEADER.htmlTo:
    # HeaderName HEADER.html

    From:
    AddIconTo:
    # AddIcon

    From:
    DefaultIcon /icons/unknown.gifTo:
    # DefaultIcon /icons/unknown.gif

    From:
    Alias /icons/ "/var/apache2/icons/"To:
    # Alias /icons/ "/var/apache2/icons/"

    From:
    AliasMatchTo:
    # AliasMatch

    From:
    ScriptAliasTo:
    # ScriptAlias

    From:
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.soTo:
    # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

    From
    LoadModule imap_module libexec/mod_imap.soTo:
    # LoadModule imap_module libexec/mod_imap.so

    From:
    LoadModule cgi_module libexec/mod_cgi.soTo:
    # LoadModule cgi_module libexec/mod_cgi.so

    From:
    LoadModule suexec_module libexec/mod_suexec.soTo:
    # LoadModule suexec_module libexec/mod_suexec.so

    From:
    LoadModule autoindex_module libexec/mod_autoindex.soTo:
    # LoadModule autoindex_module libexec/mod_autoindex.so

    From:
    LoadModule info_module libexec/mod_info.soTo:
    # LoadModule info_module libexec/mod_info.so

    From:
    LoadModule status_module libexec/mod_status.soTo:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule status_module libexec/mod_status.soTo:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule userdir_module libexec/mod_userdir.soTo:
    # LoadModule userdir_module libexec/mod_userdir.so

    From:
    LoadModule cern_meta_module modules/mod_cern_meta.soTo:
    # LoadModule cern_meta_module modules/mod_cern_meta.so

    From:
    LoadModule dav_module modules/mod_dav.soTo:
    # LoadModule dav_module modules/mod_dav.so

    From:
    <Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
    <Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>


    From:
    <Directory "/var/apache2/htdocs">To:
    <Directory "/www">
<Limitexcept GET POST>
deny from all
</Limitexcept>


    From:
    Options Indexes FollowSymLinksTo:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

11. Add the following sections to the end of the httpd.conf file:
    LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500

12. Remove the sections bellow from the file httpd.conf
    <Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin">
13. Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"
    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
14. Starting Apache from command line:
    /usr/apache2/bin/apachectl start
15. Run the command bellow to start the Apache service at server start-up:
    svcadm enable apache2

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform

SSL implementation phase

1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
   mkdir -p /var/apache/tomcat55/conf/ssl.crt
3. Create folder for the SSL private key:
   mkdir -p /var/apache/tomcat55/conf/ssl.key
4. Change ownership of all server files to the tomcat user:
   chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
5. Run the command bellow to generate a key store:
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
6. Run the command bellow to generate a CSR (certificate request):
   For 32bit operating system:
   /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
   For x64 operating system:
   /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
7. Send the file /tmp/tomcat.csr to a Certificate Authority server.
8. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
9. Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
12. Run the command bellow to import the trusted root CA public certificate:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

13. Run the command bellow to import the signed public key into the key store:
    For 32bit operating system:
    /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

    For x64 operating system:
    /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

14. Stop the Tomcat service:
    /etc/init.d/tomcat stop
15. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
    <Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" />
16. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
    <user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

17. Start the Tomcat service:
    /etc/init.d/tomcat start -security