Archive for the ‘CentOS’ Category

Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

      This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
      Some of the features explained in this document are supported only by certain browsers:

    • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
    • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (not enabled by default), Firefox 24.0 (not enabled by default), Chrome 30, Opera 17, Safari 5.0

Pre-Requirements

    • policycoreutils-python-* package installed
    • setools-libs-* package installed
    • libcgroup-* package installed
    • audit-libs-python-* package installed
    • libsemanage-python-* package installed
    • setools-libs-python-* package installed
    • gcc* package installed
    • gcc-c++* package installed
    • autoconf* package installed
    • automake* package installed

Installation Phase

  1. Log in to the server using the root account.
  2. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

    yum --enablerepo=axivo update openssl -y

  3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
  4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
  5. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  6. Compile PCRE from source file:

    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

    mv /tmp/pcre-8.33 /usr/local/pcre

    cd /usr/local/pcre

    ./configure --prefix=/usr/local/pcre

    make

    make install

  7. Extract Apache source files:
    cd /tmp

    tar zxvf httpd-2.4.6.tar.gz

    cd httpd-2.4.6/srclib/

    tar zxvf ../../apr-1.4.8.tar.gz

    ln -s apr-1.4.8/ apr

    tar zxvf ../../apr-util-1.5.2.tar.gz

    ln -s apr-util-1.5.2/ apr-util

  8. Compile the Apache from source files:
    cd /tmp/httpd-2.4.6

    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

    make

    make install

  9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz

    rm -rf /tmp/apr-util-1.5.2.tar.gz

    rm -rf /tmp/httpd-2.4.6.tar.gz

    rm -rf /tmp/httpd-2.4.6

    rm -rf /tmp/pcre-8.33.tar.gz

  10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin

    rm -rf /opt/httpd/htdocs

    rm -rf /opt/httpd/icons

    rm -rf /opt/httpd/man

    rm -rf /opt/httpd/manual

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-default.conf

    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-info.conf

    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

    rm -rf /opt/httpd/conf/extra/proxy-html.conf

    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

    rm -rf /opt/httpd/conf/original

  11. Update ownership and permissions on the Apache folders:
    chown root:root /opt/httpd/bin/apachectl

    chown root:root /opt/httpd/bin/httpd

    chmod 770 /opt/httpd/bin/apachectl

    chmod 770 /opt/httpd/bin/httpd

    chown -R root:root /opt/httpd

    chmod -R go-r /opt/httpd

    chown -R root:root /opt/httpd/logs

    chmod -R 700 /opt/httpd/logs

  12. Create a folder for the web content:
    mkdir -p /www
  13. Update ownership and permissions on the web content folder:
    chown -R root /www

    chmod -R 775 /www

  14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    restorecon -F -R -v /www

  15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"
    To:
    DocumentRoot "/www"

    From:
    Listen 80
    To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin [email protected]
    To:
    ServerAdmin [email protected]mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80
    To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
    To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    <LimitExcept GET POST>
    deny from all
    </LimitExcept>
    </Directory>

    From:
    <Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
    deny from all
    </LimitExcept>
    </Directory>

  16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
    ScriptAlias

    IndexOptions

    AddIconByEncoding

    AddIconByType

    AddIcon

    DefaultIcon

    ReadmeName

    HeaderName

    IndexIgnore

    LanguagePriority

    ForceLanguagePriority

  17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so

    LoadModule status_module modules/mod_status.so

    LoadModule info_module modules/mod_info.so

    LoadModule autoindex_module modules/mod_autoindex.so

    LoadModule include_module modules/mod_include.so

    LoadModule userdir_module modules/mod_userdir.so

    LoadModule env_module modules/mod_env.so

    LoadModule negotiation_module modules/mod_negotiation.so

    LoadModule actions_module modules/mod_actions.so

  18. Comment out the entire <Directory "/opt/httpd/cgi-bin"> section inside /opt/httpd/conf/httpd.conf
  19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
  20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"
    To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
  22. Extract and install the Apache boot script:
    cd /tmp/

    tar xvjf blfs-bootscripts-20131023.tar.bz2

    cd /tmp/blfs-bootscripts-20131023

    make install-httpd

  23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
    From:
    /usr/sbin/apachectl
    To:
    /opt/httpd/bin/apachectl

    From:
    log_info_msg
    To:
    echo

    From:
    evaluate_retval
    To:
    #evaluate_retval

  24. Configure the Apache to start automatically:
    chkconfig httpd on
  25. Configure IPTables:
    service iptables stop

    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  26. Allow SSH access from the internal segment (e.g. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
  27. Allow HTTP access from the Internet on the public interface (e.g. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  28. Save the IPTables settings:
    service iptables save
  29. Start the Apache daemon:
    service httpd start

SSL Configuration Phase

  1. Log in to the server using the root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/httpd/conf/ssl

    chmod 600 /opt/httpd/conf/ssl

  3. Run the command below to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
    Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command below to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/apache.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with "Begin" and ending with "End" (including those two lines) into Notepad, and save the file as /opt/httpd/conf/ssl/server.crt
  7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
  8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    Listen Server_FQDN:80
    To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerName Server_FQDN
    To:
    ServerName Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    #Include conf/extra/httpd-ssl.conf
    To:
    Include conf/extra/httpd-ssl.conf

    From:
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    To:
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
    From:
    SSLCertificateFile "/opt/httpd/conf/server.crt"
    To:
    SSLCertificateFile /opt/httpd/conf/ssl/server.crt

    From:
    SSLCertificateKeyFile "/opt/httpd/conf/server.key"
    To:
    SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

    From:
    #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"
    To:
    SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

    From:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    To:
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    From:
    #SSLHonorCipherOrder on
    To:
    SSLHonorCipherOrder On

    From:
    Listen @@[email protected]@
    To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    DocumentRoot "/opt/httpd/htdocs"
    To:
    DocumentRoot "/www"

    From:
    ServerName www.example.com:@@[email protected]@
    To:
    #ServerName www.example.com:@@[email protected]@

    From:
    ServerAdmin [email protected]
    To:
    ServerAdmin [email protected]mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    <VirtualHost _default_:@@[email protected]@>
    To:
    <VirtualHost _default_:443>

  10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2
    SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
    # Disable SSL Compression
    SSLCompression Off
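    The script below is an added example and not part of the original guide. It audits an httpd.conf for the directives set in installation steps 17 and 19 (ServerTokens, ServerSignature, TraceEnable, the X-Frame-Options header, and the default modules that are supposed to be commented out) and an httpd-ssl.conf for the settings of SSL steps 9 and 10 (SSLProtocol, SSLCompression, SSLHonorCipherOrder and the exclusions in the cipher string). The sample files it writes into a temporary directory are constructed for the demonstration, one hardened and one weak variant of each; it also prints a warning, not counted as a failure, when SSLProtocol still allows SSLv3.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an httpd.conf and an
# httpd-ssl.conf for the hardening directives the guide sets. The file names
# and the sample contents written below are constructed for the demonstration.

# Effective value of a directive: the last uncommented occurrence wins and the
# name is matched case-insensitively, as httpd does. Prints nothing if unset.
directive_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == want {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)    # drop the directive name
            sub(/[ \t]+$/, "", line)
            value = line
        }
        END { if (value != "") print value }' "$1"
}

# Report a finding unless the directive has the expected value.
expect_directive() {
    actual=$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ] && return 0
    echo "FAIL: $2 is '${actual:-unset}', expected '$3'"; return 1
}

# Module names from uncommented LoadModule lines.
loaded_modules() {
    awk '/^[ \t]*#/ { next } NF >= 2 && tolower($1) == "loadmodule" { print $2 }' "$1"
}

# httpd.conf: server banner, TRACE, clickjacking header, default modules.
audit_httpd_conf() {
    fails=0
    expect_directive "$1" ServerTokens Prod   || fails=$((fails + 1))
    expect_directive "$1" ServerSignature Off || fails=$((fails + 1))
    expect_directive "$1" TraceEnable Off     || fails=$((fails + 1))
    if ! grep -Eiq '^[[:space:]]*Header[[:space:]].*X-Frame-Options' "$1"; then
        echo "FAIL: no Header directive sets X-Frame-Options"; fails=$((fails + 1))
    fi
    for m in cgi_module status_module info_module autoindex_module include_module userdir_module; do
        if loaded_modules "$1" | grep -qx "$m"; then
            echo "FAIL: $m is still loaded"; fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# httpd-ssl.conf: protocol versions, compression (CRIME), server-side cipher
# preference (what the BEAST mitigation depends on) and cipher exclusions.
audit_ssl_conf() {
    fails=0
    proto=$(directive_value "$1" SSLProtocol | tr 'A-Z' 'a-z')
    case " $proto " in *" sslv2 "*|*" +sslv2 "*) echo "FAIL: SSLProtocol enables SSLv2"; fails=$((fails + 1)) ;; esac
    case " $proto " in *" -sslv3 "*|*" -all "*) ;; *) echo "WARN: SSLProtocol still allows SSLv3" ;; esac
    expect_directive "$1" SSLCompression Off     || fails=$((fails + 1))
    expect_directive "$1" SSLHonorCipherOrder On || fails=$((fails + 1))
    ciphers=$(directive_value "$1" SSLCipherSuite)
    for excl in '!aNULL' '!eNULL' '!MD5'; do
        case ":$ciphers:" in *":$excl:"*) ;; *) echo "FAIL: SSLCipherSuite does not exclude $excl"; fails=$((fails + 1)) ;; esac
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample files: a hardened and a weak variant of each config.
write_sample_configs() {
    cat > "$1/httpd-hardened.conf" <<'EOF'
LoadModule headers_module modules/mod_headers.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule status_module modules/mod_status.so
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN
EOF
    cat > "$1/httpd-weak.conf" <<'EOF'
LoadModule cgi_module modules/mod_cgi.so
LoadModule status_module modules/mod_status.so
ServerTokens Full
TraceEnable On
EOF
    cat > "$1/ssl-hardened.conf" <<'EOF'
SSLCipherSuite EECDH+AESGCM:EECDH+aRSA+SHA256:!ADH:!MD5:!aNULL:!eNULL:!LOW:!3DES:!EXP
SSLHonorCipherOrder On
SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
EOF
    cat > "$1/ssl-weak.conf" <<'EOF'
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
SSLProtocol +SSLv2 +SSLv3 +TLSv1
EOF
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in httpd-hardened httpd-weak; do audit_httpd_conf "$demo_dir/$f.conf" && echo "$f.conf: OK"; done
for f in ssl-hardened ssl-weak; do audit_ssl_conf "$demo_dir/$f.conf" && echo "$f.conf: OK"; done
rm -rf "$demo_dir"
```

    To check the server built by this guide, call audit_httpd_conf /opt/httpd/conf/httpd.conf and audit_ssl_conf /opt/httpd/conf/extra/httpd-ssl.conf in place of the sample files; each function prints one FAIL line per finding and returns non-zero if anything failed.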
  11. Comment out the entire <Directory "/opt/httpd/cgi-bin"> section inside /opt/httpd/conf/extra/httpd-ssl.conf
  12. Configure IPTables – allow HTTPS access from the Internet on the public interface (e.g. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  13. Remove HTTP access from the Internet on the public interface (e.g. eth0):
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  14. Save the IPTables settings:
    service iptables save
  15. Restart the Apache service:
    service httpd restart

Hardening guide for Drupal 7.7

Pre-installation notes
The guide below is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15

The guide below is based on the previous guides:

PHP installation phase

  1. Log in to the server using the root account.
  2. Before compiling the PHP environment, install the following RPMs from the CentOS 5.5 DVD source folder:
    rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-49.i386.rpm
    rpm -ivh glibc-devel-2.5-49.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-48.el5.i386.rpm
    rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm
    rpm -ivh pkgconfig-0.21-2.el5.i386.rpm
    rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm
    rpm -ivh libjpeg-devel-6b-37.i386.rpm
  3. Download MySQL development RPM from:
    http://download.softagency.net/MySQL/Downloads/MySQL-5.5/
  4. Download PHP 5.3.8 source files from:
    http://php.net/downloads.php
  5. Download the latest libxml2 for PHP from:
    http://xmlsoft.org/sources/
  6. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
  7. Copy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp
  8. Move to /tmp
    cd /tmp
  9. Install the MySQL development RPM:
    rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm
  10. Remove MySQL development RPM:
    rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm
  11. Extract the php-5.3.8.tar.gz file:
    tar -zxvf php-5.3.8.tar.gz
  12. Extract the libxml2 source file:
    tar -zxvf libxml2-2.7.7.tar.gz
  13. Move to the libxml2-2.7.7 folder:
    cd /tmp/libxml2-2.7.7
  14. Run the commands below to compile libxml2:
    ./configure
    make
    make install
  15. Move to the PHP source folder:
    cd /tmp/php-5.3.8
  16. Run the commands below to compile the PHP environment:
    ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp
    make
    make install
  17. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Add the following string, to the end of the AddType section:
    AddType application/x-httpd-php .php
    Replace the line from:
    DirectoryIndex index.html
    To:
    DirectoryIndex index.php index.html index.htm
    Replace the value of the string, from:
    LimitRequestBody 10000
    To:
    LimitRequestBody 600000
  18. Copy the PHP.ini file
    cp /tmp/php-5.3.8/php.ini-development /etc/php.ini
  19. Change the permissions on the php.ini file:
    chmod 640 /etc/php.ini
  20. Edit using VI, the file /etc/php.ini
    Replace the value of the string, from:
    mysql.default_host =
    To:
    mysql.default_host = 127.0.0.1:3306

    Replace the value of the string, from:
    pdo_mysql.default_socket=
    To:
    pdo_mysql.default_socket=127.0.0.1

    Replace the value of the string, from:
    allow_url_fopen = On
    To:
    allow_url_fopen = Off

    Replace the value of the string, from:
    expose_php = On
    To:
    expose_php = Off

    Replace the value of the string, from:
    memory_limit = 128M
    To:
    memory_limit = 64M

    Replace the value of the string, from:
    ;open_basedir =
    To:
    open_basedir = "/www"

    Replace the value of the string, from:
    post_max_size = 8M
    To:
    post_max_size = 2M

    Replace the value of the string, from:
    disable_functions =
    To:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups
    Note: The value must be written as one line.

    Replace the value of the string, from:
    ;include_path = ".:/php/includes"
    To:
    include_path = "/usr/local/lib/php:/usr/local/apache2/include/php"
    Note: On Linux the include_path separator is a colon, not a semicolon.

    Replace the value of the string, from:
    display_errors = On
    To:
    display_errors = Off

    Replace the value of the string, from:
    display_startup_errors = On
    To:
    display_startup_errors = Off

    Replace the value of the string, from:
    ;gd.jpeg_ignore_warning = 0
    To:
    gd.jpeg_ignore_warning = 1
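    As an added example that is not part of the original guide, the script below checks a php.ini for the values step 20 sets: the four boolean switches (expose_php, allow_url_fopen, display_errors, display_startup_errors), that open_basedir is set and covers the web root, and that disable_functions still contains a baseline of command-execution functions (exec, system, passthru, shell_exec, popen, proc_open; the baseline is chosen here, and all of them appear in the guide's list). The sample ini files are constructed in a temporary directory; point audit_php_ini at /etc/php.ini and the DocumentRoot to check the real file.

```sh
#!/bin/sh
# Added example, not part of the original guide: check a php.ini against the
# hardening values set in step 20. The sample files and the baseline list of
# functions that must be disabled are constructed here for the demonstration.

# Last uncommented value of an ini key, with surrounding double quotes removed.
ini_value() {
    awk -v want="$2" '
        /^[ \t]*;/ || /^[ \t]*\[/ { next }          # comments and [sections]
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != want) next
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            n = length(val)
            if (n >= 2 && substr(val, 1, 1) == "\"" && substr(val, n, 1) == "\"") val = substr(val, 2, n - 2)
            value = val                                 # last occurrence wins
        }
        END { print value }' "$1"
}

# True when a php.ini boolean is off (PHP accepts several spellings); an
# unset key is deliberately not treated as off, since built-in defaults differ.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each baseline function that disable_functions does not list.
missing_disabled_functions() {
    disabled=$(ini_value "$1" disable_functions | tr -d ' ' | tr ',' '\n')
    for fn in exec system passthru shell_exec popen proc_open; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || echo "$fn"
    done
}

# $1 = php.ini, $2 = the web root that open_basedir has to cover.
audit_php_ini() {
    fails=0
    for key in expose_php allow_url_fopen display_errors display_startup_errors; do
        got=$(ini_value "$1" "$key")
        is_off "$got" || { echo "FAIL: $key is '${got:-unset}', expected Off"; fails=$((fails + 1)); }
    done
    basedir=$(ini_value "$1" open_basedir)
    if [ -z "$basedir" ]; then
        echo "FAIL: open_basedir is not set"; fails=$((fails + 1))
    else
        covered=1; rest="$basedir:"
        while [ -n "$rest" ]; do                       # open_basedir is colon-separated
            dir=${rest%%:*}; rest=${rest#*:}
            case "$2/" in "${dir%/}/"*) covered=0 ;; esac
        done
        [ "$covered" -eq 0 ] || { echo "FAIL: $2 is outside open_basedir ($basedir)"; fails=$((fails + 1)); }
    fi
    missing=$(missing_disabled_functions "$1")
    [ -z "$missing" ] || { echo "FAIL: disable_functions lacks:$(printf ' %s' $missing)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed samples: one file with the guide's values, one with the defaults.
write_sample_php_ini() {
    cat > "$1/php-hardened.ini" <<'EOF'
[PHP]
expose_php = Off
allow_url_fopen = Off
display_errors = Off
display_startup_errors = Off
open_basedir = "/www"
disable_functions = shell_exec, exec,system,passthru,popen,pclose,proc_open
EOF
    cat > "$1/php-weak.ini" <<'EOF'
[PHP]
expose_php = On
allow_url_fopen = On
display_errors = On
display_startup_errors = Off
;open_basedir =
disable_functions =
EOF
}

demo=$(mktemp -d)
write_sample_php_ini "$demo"
audit_php_ini "$demo/php-hardened.ini" /www/drupal && echo "php-hardened.ini: OK"
audit_php_ini "$demo/php-weak.ini" /www/drupal || echo "php-weak.ini: see findings above"
rm -rf "$demo"
```

    The open_basedir check walks every colon-separated entry, so a value such as "/www:/tmp" still passes for a web root under /www, while a web root outside all entries is reported.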

  21. Run the commands below to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop
    /usr/local/apache2/bin/apachectl start
  22. Remove the PHP source and test files:
    rm -f /tmp/php-5.3.8.tar.gz
    rm -f /tmp/libxml2-2.7.7.tar.gz
    rm -rf /tmp/php-5.3.8
    rm -rf /tmp/libxml2-2.7.7
    rm -rf /tmp/pear
    rm -rf /usr/local/apache2/lib/php/test
    rm -rf /usr/local/lib/php/test

Drupal installation phase

  1. Log in to the server using the root account.
  2. Run the command below to log in to MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  3. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
    SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE Z5J6Dw1;
    GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit
    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “Z5J6Dw1” with your own Drupal database name.
  4. Download Drupal 7.7 from:
    http://drupal.org/project/drupal
  5. Copy the Drupal 7.7 source files using PSCP (or SCP) into /www
  6. Move to /www
    cd /www
  7. Extract the file below:
    tar -zxvf drupal-7.7.tar.gz
  8. Remove Drupal source file:
    rm -f /www/drupal-7.7.tar.gz
  9. Rename the Drupal folder:
    mv /www/drupal-7.7 /www/drupal
  10. Remove default content:
    rm -f /www/drupal/CHANGELOG.txt
    rm -f /www/drupal/COPYRIGHT.txt
    rm -f /www/drupal/INSTALL.pgsql.txt
    rm -f /www/drupal/LICENSE.txt
    rm -f /www/drupal/UPGRADE.txt
    rm -f /www/drupal/INSTALL.mysql.txt
    rm -f /www/drupal/INSTALL.sqlite.txt
    rm -f /www/drupal/INSTALL.txt
    rm -f /www/drupal/MAINTAINERS.txt
    rm -f /www/drupal/sites/example.sites.php
  11. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
    Replace the line from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/drupal"
  12. Run the commands below to restart the Apache service:
    /usr/local/apache2/bin/apachectl stop
    /usr/local/apache2/bin/apachectl start
  13. Create the following folders:
    mkdir /www/drupal/sites/default/files
    mkdir /www/private
  14. Copy the settings.php file:
    cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php
  15. Change permissions on the settings.php file:
    chmod a+w /www/drupal/sites/default/settings.php
    chmod -R 777 /www/drupal/sites/default/files
    chmod -R 777 /www/private
  16. Open a web browser from a client machine, and enter the URL below:
    http://Server_FQDN/install.php
  17. Select “Standard” installation and click “Save and continue”.
  18. Choose the default “English” and click “Save and continue”.
  19. Specify the following details:
    • Database type: MySQL
    • Database name: Z5J6Dw1
    • Database username: blgusr
    • Database password: password2
    • Click on Advanced Options
    • Database host: 127.0.0.1
    • Table prefix: Z5J6Dw1_

    Note 1: Replace “Z5J6Dw1” with your own Drupal database name.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).

  20. Click “Save and Continue”.
  21. Specify the following information:
    • Site name
    • Site e-mail address (for automated e-mails, such as registration information)
    • Username (for the default administrator account)
    • E-mail address
    • Password
  22. Select “Default country” and “Default time zone”.
  23. Unselect the “Update Notifications” checkboxes.
  24. Click “Save and Continue”.
  25. Close the web browser.
  26. Create using VI the file /www/config.php with the following content:
    <?php
    $databases = array (
    'default' =>
    array (
    'default' =>
    array (
    'driver' => 'mysql',
    'database' => 'Z5J6Dw1',
    'username' => 'blgusr',
    'password' => 'password2',
    'host' => '127.0.0.1',
    'port' => '',
    'prefix' => 'Z5J6Dw1_',
    ),
    ),
    );
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before the opening '<?php' tag or after the closing '?>' tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “Z5J6Dw1” with your own Drupal database name.
  27. Edit using VI, the file /www/drupal/sites/default/settings.php
    Add the following line:
    include('/www/config.php');
    Remove the following section:
    $databases = array (
    'default' =>
    array (
    'default' =>
    array (
    'driver' => 'mysql',
    'database' => 'Z5J6Dw1',
    'username' => 'blgusr',
    'password' => 'password2',
    'host' => '127.0.0.1',
    'port' => '',
    'prefix' => 'Z5J6Dw1_',
    ),
    ),
    );
    Replace the string from:
    ini_set('session.cookie_lifetime', 2000000);To:
    ini_set('session.cookie_lifetime', 0);
  28. Change permissions on the settings.php file:
    chmod a-w /www/drupal/sites/default/settings.php
  29. Add the following lines to the /www/drupal/.htaccess file:
    # Block any file that starts with "."
    <FilesMatch "^\..*$">
    Order allow,deny
    </FilesMatch>
    <FilesMatch "^.*\..*$">
    Order allow,deny
    </FilesMatch>
    # Allow "." files with safe content types
    <FilesMatch "^.*\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$">
    Order deny,allow
    </FilesMatch>
  30. Run the command below to change permissions on the /www/drupal/.htaccess file:
    chmod 444 /www/drupal/.htaccess
  31. Download into /www/drupal/sites/all/modules the latest build of the modules below:
  32. From an SSH session, move to the folder /www/drupal/sites/all/modules.
  33. Extract the modules downloaded above:
    tar zxvf dfw-7.x-1.1.tar.gz
    tar zxvf spamspan-7.x-1.1-beta1.tar.gz
    tar zxvf content_security_policy-7.x-1.x-dev.tar.gz
    tar zxvf goaway-7.x-1.2.tar.gz
    tar zxvf ip_anon-7.x-1.0.tar.gz
    tar zxvf flood_control-7.x-1.0.tar.gz
    tar zxvf password_policy-7.x-1.0-beta1.tar.gz
    tar zxvf persistent_login-7.x-1.x-dev.tar.gz
    tar zxvf secure_permissions-7.x-1.5.tar.gz
    tar zxvf security_review-7.x-1.x-dev.tar.gz
    tar zxvf system_perm-7.x-1.x-dev.tar.gz
    tar zxvf blockanonymouslinks-7.x-1.1.tar.gz
  34. Remove the module source files:
    rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz
    rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz
    rm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz
    rm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz
    rm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz
    rm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz
    rm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz
    rm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz
    rm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz
    rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz
    rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz

    rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz

  35. Open a web browser from a client machine, and enter the URL below:
    http://Server_FQDN/?q=user/login
  36. From the upper menu, click on Configuration -> People -> Account Settings -> “Who can register accounts”: select Administrators only -> click on “Save configuration”.
  37. From the upper menu, click on Configuration -> Media -> File system -> “Private file system path”: specify /www/private -> click on “Save configuration”.
  38. From the upper menu, click on Configuration -> Development -> Logging and errors -> “Error messages to display”: select None -> click on “Save configuration”.
  39. From the upper menu, click on Modules -> from the list of modules, select “Update manager” -> click on “Save configuration”.
  40. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Drupal firewall
    • SpamSpan
    • Content Security Policy
    • Content Security Policy Reporting
    • GoAway
    • IP anonymize
    • Flood control
    • Password change tab
    • Password policy
    • Persistent Login
    • Secure Permissions
    • Security Review
    • System Perms
    • BlockAnonymousLinks
  41. Click on Save configuration.

Drupal SSL configuration phase

  1. Add the following line to the /www/drupal/sites/default/settings.php file:
    $conf['https'] = TRUE;
  2. Download into /www/drupal/sites/all/modules the latest build of the modules below:
  3. From an SSH session, move to the folder /www/drupal/sites/all/modules.
  4. Extract the modules downloaded above:
    tar zxvf securepages-7.x-1.x-dev.tar.gz
    tar zxvf securelogin-7.x-1.2.tar.gz
  5. Remove the module source files:
    rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz
    rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz
  6. Open a web browser from a client machine, and enter the URL below:
    https://Server_FQDN/?q=user/login
  7. From the upper menu, click on Modules -> from the main page, select the following modules:
    • Secure Login
    • Secure Pages
  8. Click on Save configuration.
  9. From the upper menu, click on Configuration -> from the main page, click on the link Secure Pages -> under Enable Secure Pages -> choose Enabled -> click on Save configuration.

Kickstart installation guide for CentOS 5.5

This guide explains how to install and configure a kickstart server for network-based deployments of CentOS from an NFS share.
The instructions should work the same on RedHat and Fedora.

Pre-requirements

  • CentOS 5.5 DVD
  • Static IP address for the Kickstart/DHCP server
  • /data partition
  • In case using CISCO switches, “Spanning tree port fast” must be enabled.

Installation phase

  1. Log in to the CentOS server using the root account.
  2. Mount the CentOS DVD:
    mount /dev/cdrom /media
  3. Move to the CentOS RPM folder inside the DVD:
    cd /media/CentOS
  4. Run the commands below to install the TFTP server:

    rpm -ivh xinetd-2.3.14-10.el5.i386.rpm
    rpm -ivh tftp-server-0.49-2.el5.centos.i386.rpm
  5. Run the command below to install the DHCP server:
    rpm -ivh dhcp-3.0.5-23.el5.i386.rpm
  6. Create a new folder for the Kickstart server:
    mkdir -p /data/kickstart
  7. Edit using VI, the file /etc/xinetd.d/tftp and change the following settings:
    From:
    disable = yes
    To:
    disable = no

    From:
    server_args = -s /tftpboot
    To:
    server_args = -s /data/kickstart
  8. Run the command below to start the TFTP server:
    /sbin/service xinetd start
  9. Run the command below to make the TFTP server start at boot:
    chkconfig xinetd on
  10. Edit using VI, the file /etc/dhcpd.conf and add the following lines:
    ddns-update-style none;
    allow bootp;
    allow booting;
    subnet 10.1.1.0 netmask 255.255.255.0 {
    option routers 10.1.1.254;
    option domain-name-servers 10.1.1.2;
    next-server 10.1.1.1;
    filename "pxelinux.0";
    range dynamic-bootp 10.1.1.200 10.1.1.210;
    }
    Note 1: Replace 10.1.1.0 with the correct network ID.
    Note 2: Replace 255.255.255.0 with the correct subnet mask.
    Note 3: Replace 10.1.1.254 with the correct default gateway.
    Note 4: Replace 10.1.1.1 with the Kickstart server IP address.
    Note 5: Replace 10.1.1.200 with the first IP of the DHCP pool.
    Note 6: Replace 10.1.1.210 with the last IP of the DHCP pool.
    Note 7: Replace 10.1.1.2 with the correct DNS server.
  11. Start the DHCP server
    service dhcpd start
  12. Run the command below to make the DHCP server start at boot:
    chkconfig dhcpd on
  13. Copy Boot Files
    cp /usr/lib/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /data/kickstart
  14. Create a folder for the PXE menu files:
    mkdir -p /data/kickstart/pxelinux.cfg
  15. Move to the CentOS DVD root folder:
    cd /media
  16. Copy vmlinuz and initrd.img from the DVD to the images directory (the directory must exist before the copy):
    mkdir -p /data/kickstart/images
    cp /media/images/pxeboot/{vmlinuz,initrd.img} /data/kickstart/images
  17. Create the CentOS DVD structure:
    cp -r CentOS /data/kickstart/
    cp -r isolinux /data/kickstart/
    cp -r repodata /data/kickstart/
    cp -r images /data/kickstart/
  18. Create using VI, the file /data/kickstart/pxelinux.cfg/default with the following content:
    default menu.c32
    prompt 0
    MENU TITLE PXE Menu
    LABEL CentOS
    MENU LABEL CentOS
    KERNEL images/vmlinuz
    append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg text
    Note: Replace 10.1.1.1 with the Kickstart server IP address.
  19. Create an unattended installation script /data/kickstart/ks.cfg
    Note: Make sure the file starts with the following lines:
    install
    nfs --server=10.1.1.1 --dir=/data/kickstart
    Note 1: Replace 10.1.1.1 with the Kickstart server IP address.
    Note 2: Make sure that no lines beginning with “cdrom” or “url” exist in the file.
    Note 3: To review ks.cfg file options, see the link:
    http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/s1-kickstart2-options.html
  20. Edit using VI, the file /etc/exports and add the following line:
    /data/kickstart *(ro,no_root_squash)
  21. Start the NFS service:
    service portmap start
    service nfs start
    chkconfig nfs on
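    Added example, not part of the original guide: a consistency check across the four files configured in steps 10, 18, 19 and 20. The PXE menu's ks= argument, the nfs line of ks.cfg and dhcpd's next-server must name the same server and the same exported directory, /etc/exports must export that directory read-only (as the guide's ro option does), ks.cfg must start with an install line, and no cdrom or url source may remain (note 2 of step 19). The sample files written below are constructed with the guide's example addresses, together with a deliberately inconsistent second set; pass the real paths (/etc/dhcpd.conf, /data/kickstart/pxelinux.cfg/default, /data/kickstart/ks.cfg, /etc/exports) to check the server.

```sh
#!/bin/sh
# Added example, not part of the original guide: cross-check dhcpd.conf,
# pxelinux.cfg/default, ks.cfg and /etc/exports so the PXE boot chain points
# at one server and one read-only exported tree. Sample files are constructed.

# Value of a dhcpd.conf statement such as "next-server 10.1.1.1;".
dhcpd_value() {
    awk -v want="$2" '/^[ \t]*#/ { next }
        $1 == want { v = $2; sub(/;$/, "", v); print v; exit }' "$1"
}

# "server path" taken from the ks=nfs:server:path kernel argument.
pxe_ks_source() {
    sed -n 's/.*ks=nfs:\([^:]*\):\([^ ]*\).*/\1 \2/p' "$1" | head -n 1
}

# "server dir" taken from the nfs --server=... --dir=... line of ks.cfg.
ks_nfs_source() {
    awk '$1 == "nfs" {
        s = d = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^--server=/) s = substr($i, 10)
            if ($i ~ /^--dir=/)    d = substr($i, 7)
        }
        print s, d; exit }' "$1"
}

# Option list of the first client entry exporting a directory, e.g. "ro,no_root_squash".
export_options() {
    awk -v dir="$2" '/^[ \t]*#/ { next }
        $1 == dir { o = $2; sub(/^[^(]*\(/, "", o); sub(/\)$/, "", o); print o; exit }' "$1"
}

# $1 dhcpd.conf, $2 pxelinux.cfg/default, $3 ks.cfg, $4 exports
check_kickstart() {
    fails=0
    next_server=$(dhcpd_value "$1" next-server)
    pxe=$(pxe_ks_source "$2"); pxe_server=${pxe%% *}; pxe_path=${pxe#* }
    ks=$(ks_nfs_source "$3");  ks_server=${ks%% *};  ks_dir=${ks#* }
    [ -n "$next_server" ] || { echo "FAIL: dhcpd.conf sets no next-server"; fails=$((fails + 1)); }
    [ "$pxe_server" = "$next_server" ] || { echo "FAIL: PXE ks= server '$pxe_server' differs from next-server '$next_server'"; fails=$((fails + 1)); }
    [ "$ks_server" = "$next_server" ] || { echo "FAIL: ks.cfg nfs --server '$ks_server' differs from next-server '$next_server'"; fails=$((fails + 1)); }
    case "$pxe_path" in "${ks_dir:-/none}"/*) ;; *) echo "FAIL: ks.cfg path '$pxe_path' is outside nfs --dir '$ks_dir'"; fails=$((fails + 1)) ;; esac
    grep -Eq '^[[:space:]]*install([[:space:]]|$)' "$3" || { echo "FAIL: ks.cfg lacks the install line"; fails=$((fails + 1)); }
    if grep -Eq '^[[:space:]]*(cdrom|url)([[:space:]]|$)' "$3"; then
        echo "FAIL: ks.cfg still has a cdrom/url source line"; fails=$((fails + 1))
    fi
    opts=$(export_options "$4" "$ks_dir")
    if [ -z "$opts" ]; then
        echo "FAIL: '$ks_dir' is not exported"; fails=$((fails + 1))
    else
        case ",$opts," in *,ro,*) ;; *) echo "FAIL: export of '$ks_dir' is not read-only ($opts)"; fails=$((fails + 1)) ;; esac
    fi
    [ "$fails" -eq 0 ]
}

# Constructed samples: a consistent set, plus a ks.cfg with the wrong server
# and a leftover cdrom line and an exports file that exports read-write.
write_sample_kickstart() {
    cat > "$1/dhcpd.conf" <<'EOF'
ddns-update-style none;
subnet 10.1.1.0 netmask 255.255.255.0 {
  option routers 10.1.1.254;
  next-server 10.1.1.1;
  filename "pxelinux.0";
  range dynamic-bootp 10.1.1.200 10.1.1.210;
}
EOF
    cat > "$1/default" <<'EOF'
default menu.c32
LABEL CentOS
KERNEL images/vmlinuz
append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg text
EOF
    printf 'install\nnfs --server=10.1.1.1 --dir=/data/kickstart\n' > "$1/ks.cfg"
    printf '/data/kickstart *(ro,no_root_squash)\n' > "$1/exports"
    printf 'install\ncdrom\nnfs --server=10.1.1.9 --dir=/data/kickstart\n' > "$1/ks-bad.cfg"
    printf '/data/kickstart *(rw,no_root_squash)\n' > "$1/exports-bad"
}

demo=$(mktemp -d)
write_sample_kickstart "$demo"
check_kickstart "$demo/dhcpd.conf" "$demo/default" "$demo/ks.cfg" "$demo/exports" && echo "consistent set: OK"
check_kickstart "$demo/dhcpd.conf" "$demo/default" "$demo/ks-bad.cfg" "$demo/exports-bad" || echo "bad set: see findings above"
rm -rf "$demo"
```

    Each parser returns just the field it is responsible for, so the same functions can be reused in a boot-time sanity check on the kickstart server after any of the four files is edited.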