web analytics

Archive for the ‘encryption’ Category

Data and Web Security in Business

Not all businesses are aware of just how much of their data is potentially at risk within their own systems and even their website; there simply isn’t the education in place to identify the flaws in one’s system before it’s too late in most cases, which results in compromised data, stolen data, loss of trust from customers and potentially a loss of funds or profits for the business in question; usually because of issues that could have easily been avoided.

First of all you need to secure the internal workings of your business; which means users and data storage. One of the biggest threats to your computer and data security systems is actually the people that you give access to those systems; the human element is less predictable so be sure to take the necessary precautions that will prevent or limit damages should an employee choose to act maliciously. Start by ensuring logins are required and are unique to each user, this allows you to control exactly what each person has access to, and means that it is easier to trace who is responsible if damage is caused. You should also be very careful about providing permissions to these users; consider what they absolutely must have access to, and why, and consider whether or not they really need access to everything they can access. Limitations are the first step towards protection.

Once you have this much protected you can start to think about how to avoid unauthorised access; password protecting everything is a good start, and encrypting sensitive information can be a fantastic way to avoid giving away data that is particularly valuable to your company. These are generally very easy systems to implement, and most security organisations you may choose to work with will help you to set up systems for encryption, data recovery, remote destruction (allowing you to delete data on a stolen device), as well as other aspects of data protections that can be very important to your business. These are important if your business handles a great deal of sensitive information, and of course if that is the case and security is of particularly importance you will want to get a security firm to help you protect it, however in a lot of cases your own IT department can set up the encryption, passwords, firewalls and defences needed to protect basic levels of data against reasonably tough attacks.

Of course your online systems can require something a little different in order to keep them safe, and this is true of your website as well as any online content management, project management or other systems you might be using in the day to day running of your business. Again it is important that everything is password protected to keep things safe and secure as far as your users and their access levels are concerned, but you should also ensure that the development of the websites and tools are done with a certain level of security in mind. There are some rules to this, but in general it isn’t too difficult if you can already develop a website.

No WordPress. If you want a secure website to handle lots of valuable data then WordPress isn’t for you, no matter how easy you think it makes your life. The problem with WordPress is that literally anyone can get it, and they all get the same version. Within a short time the vulnerabilities of that version will have been discovered and likely shared among hackers and other such people, meaning that you can either update or remain vulnerable – your only hope is that WordPress and you update often enough to stay one step ahead of the hackers. This is an issue that exists with a variety of similar platforms and would be difficult to keep yourself secure using these platforms – the best option is to use a secure platform and your own web development team or company.

The variations in the programming that come from using your own team help to create diversity online, which means that it is much harder for hackers and malicious users to find the ways into your system; thus keeping you protected for longer. Of course even with your own website you are likely to be working with systems like Magento for database integration and content management, which will need to be updated every so often but are considerably more secure than systems like WordPress, and you will have to keep certificates up to date, particularly your SSL certificates.

 

Kate Critchlow is a freelance writer with a passionate interest for technology covering everything from web development to IT security services.

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installation, configuration and hardening of NGINX server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation Phase

  1. Login to the server using Root account
  2. Install pre-requirement packages:
    yum install policycoreutils-python-* -y
    yum install setools-libs-* -y
    yum install libcgroup-* -y
    yum install audit-libs-python-* -y
    yum install libsemanage-python-* -y
    yum install setools-libs-python-* -y
    yum install gcc* -y
  3. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  4. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl -y
  5. Download Openssl source files:
    cd /opt
    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
  6. Extract Openssl source files:
    tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
  7. Remove Openssl source file:
    rm -rf /opt/openssl-1.0.1e.tar.gz
  8. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  9. Compile PCRE from source file:
    tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp
    mv /tmp/pcre-8.34 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install
  10. Remove PCRE package:
    rm -rf /tmp/pcre-8.34.tar.gz
  11. Download Nginx 1.5.8:
    cd /tmp
    wget http://nginx.org/download/nginx-1.5.8.tar.gz
  12. Extract the nginx-1.5.8.tar.gz file:
    tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
  13. Move to the Nginx source folder:
    cd /tmp/nginx-1.5.8
  14. Edit using VI, the file
    /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;
  15. Run the commands bellow to compile the Nginx environment:
    ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcreNote: The command above should be written as one line.
    make
    make install
  16. Remove the Nginx source files:
    cd /
    rm -rf /tmp/nginx-1.5.8
    rm -f /tmp/nginx-1.5.8.tar.gz
  17. Remove Default Content
    rm -rf /usr/local/nginx/html
  18. Updating Ownership and Permissions on Nginx folders:
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs
  19. Create folder for the web content:
    mkdir -p /www
  20. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  21. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;To:
    user nginx nginx;From:
    #error_log logs/error.log notice;To:
    error_log logs/error.log notice;From:
    server_name localhost;To:
    server_name Server_FQDN;Note: Replace Server_FQDN with the actual server DNS name.

    From:
    root html;To:
    root /www;

  22. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
    ## turn off nginx version number ##
    server_tokens off;
    ## Size Limits & Buffer Overflows ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 2k;
    ## Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  23. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid
    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest || return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q || exit 0
    $1
    ;;
    restart|configtest)
    $1
    ;;
    reload)
    rh_status_q || exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestart|try-restart)
    rh_status_q || exit 0
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
    esac

  24. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  25. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  26. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  27. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  28. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  29. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  30. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /usr/local/nginx/ssl
    chmod 600 /usr/local/nginx/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csrNote: The command above should be written as one line.
  5. Send the file /tmp/server.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt”
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pemNote: The command above should be written as one line.
  11. Remove the key store passphrase:
    /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.keyNote: The command above should be written as one line.
  12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
    rm -f /tmp/server.csr
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    # HTTPS server
    #
    server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    # HTTP Strict Transport Security #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # X-Frame-Options header #
    add_header X-Frame-Options SAMEORIGIN;
    location / {
    root /www;
    index index.html index.htm;
    }
    }
    Note: Replace Server_FQDN with the actual server DNS name.
  14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  15. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  16. Save the IPTables settings:
    service iptables save
  17. Restart the nginx:
    service nginx restart

Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

      This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
      Some of the features explained in this document are supported by only some of the Internet browsers:

    • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
    • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Pre-Requirements

    • policycoreutils-python-* package installed
    • setools-libs-* package installed
    • libcgroup-* package installed
    • audit-libs-python-* package installed
    • libsemanage-python-* package installed
    • setools-libs-python-* package installed
    • gcc* package installed
    • gcc-c++* package installed
    • autoconf* package installed
    • automake* package installed
    Installation Phase

  1. Login to the server using Root account
  2. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

    yum --enablerepo=axivo update openssl -y

  3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
  4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
  5. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  6. Compile PCRE from source file:

    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

    mv /tmp/pcre-8.33 /usr/local/pcre

    cd /usr/local/pcre

    ./configure --prefix=/usr/local/pcre

    make

    make install

  7. Extract Apache source files:
    cd /tmp

    tar zxvf httpd-2.4.6.tar.gz

    cd httpd-2.4.6/srclib/

    tar zxvf ../../apr-1.4.8.tar.gz

    ln -s apr-1.4.8/ apr

    tar zxvf ../../apr-util-1.5.2.tar.gz

    ln -s apr-util-1.5.2/ apr-util

  8. Compile the Apache from source files:
    cd /tmp/httpd-2.4.6

    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

    make

    make install

  9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz

    rm -rf /tmp/apr-util-1.5.2.tar.gz

    rm -rf /tmp/httpd-2.4.6.tar.gz

    rm -rf /tmp/httpd-2.4.6

    rm -rf /tmp/pcre-8.33.tar.gz

  10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin

    rm -rf /opt/httpd/htdocs

    rm -rf /opt/httpd/icons

    rm -rf /opt/httpd/man

    rm -rf /opt/httpd/manual

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-default.conf

    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-info.conf

    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

    rm -rf /opt/httpd/conf/extra/proxy-html.conf

    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

    rm -rf /opt/httpd/conf/original

  11. Updating Ownership and Permissions on Apache folders:
    chown root:root /opt/httpd/bin/apachectl

    chown root:root /opt/httpd/bin/httpd

    chmod 770 /opt/httpd/bin/apachectl

    chmod 770 /opt/httpd/bin/httpd

    chown -R root:root /opt/httpd

    chmod -R go-r /opt/httpd

    chown -R root:root /opt/httpd/logs

    chmod -R 700 /opt/httpd/logs

  12. Create folder for the web content:
    mkdir -p /www
  13. Updating Ownership and Permissions on the web content folder:
    chown -R root /www

    chmod -R 775 /www

  14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    restorecon -F -R -v /www

  15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin [email protected]To:
    ServerAdmin [email protected]mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

    From:
    <Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

  16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file, begining with:
    ScriptAlias

    IndexOptions

    AddIconByEncoding

    AddIconByType

    AddIcon

    DefaultIcon

    ReadmeName

    HeaderName

    IndexIgnore

    LanguagePriority

    ForceLanguagePriority

  17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so

    LoadModule status_module modules/mod_status.so

    LoadModule info_module modules/mod_info.so

    LoadModule autoindex_module modules/mod_autoindex.so

    LoadModule include_module modules/mod_include.so

    LoadModule userdir_module modules/mod_userdir.so

    LoadModule env_module modules/mod_env.so

    LoadModule negotiation_module modules/mod_negotiation.so

    LoadModule actions_module modules/mod_actions.so

  18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
  19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
  20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
  22. Extract and install the Apache boot script:
    cd /tmp/

    tar xvjf blfs-bootscripts-20131023.tar.bz2

    cd /tmp/blfs-bootscripts-20131023

    make install-httpd

  23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
    From:
    /usr/sbin/apachectlTo:
    /opt/httpd/bin/apachectl

    From:
    log_info_msgTo:
    echo

    From:
    evaluate_retvalTo:
    #evaluate_retval

  24. Configure the Apache to start automatically:
    chkconfig httpd on
  25. Configure IPTables:
    service iptables stop

    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
  27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  28. Save the IPTables settings:
    service iptables save
  29. Start the Apache daemon:
    service httpd start
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/httpd/conf/ssl

    chmod 600 /opt/httpd/conf/ssl

  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
    Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/apache.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
  7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
  8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    Listen Server_FQDN:80To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerName Server_FQDNTo:
    ServerName Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    #Include conf/extra/httpd-ssl.confTo:
    Include conf/extra/httpd-ssl.conf

    From:
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.soTo:
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
    From:
    SSLCertificateFile "/opt/httpd/conf/server.crt"To:
    SSLCertificateFile /opt/httpd/conf/ssl/server.crt

    From:
    SSLCertificateKeyFile "/opt/httpd/conf/server.key"To:
    SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

    From:
    #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"To:
    SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

    From:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5To:
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    From:
    #SSLHonorCipherOrder onTo:
    SSLHonorCipherOrder On

    From:
    Listen @@[email protected]@To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    ServerName www.example.com:@@[email protected]@To:
    #ServerName www.example.com:@@[email protected]@

    From:
    ServerAdmin [email protected]To:
    ServerAdmin [email protected]mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    <VirtualHost _default_:@@[email protected]@>To:
    <VirtualHost _default_:443>

  10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2
    SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
    # Disable SSL Compression
    SSLCompression Off
  11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
  12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  14. Save the IPTables settings:
    service iptables save
  15. Restart the Apache service:
    service httpd restart

Protecting your backup

One of the things many companies fail to put enough attention is proper protection to their backups.
I recently read an article about large American bank that sent a notification to its customers of losing a backup-tape, with customer’s personal information.
I guess the only reason the bank reveal the information about the security breach is because he had to do so, under a federal law – just think about how many companies keep this sort of information to themselves in-order to avoid lawsuits.

Almost every company perform backup of its data. It can be using commercial software, file copy to a remote site, backup to tape, and now it is becoming more and more common to perform backup to disk, into a large storage device.

Usually, when performing backup to tape, most companies use to move the tapes into offsite storage, such as remote site.
While moving the backup to remote site might be considered as a good security practice against site disaster, there are 2 important things to think about.
The first thing is physical protection during the move, and while storing them on a safe at the remote site.
In this case I strongly recommend document the process – document the labels and dates of the tapes, and maybe even have the person transporting the tapes sign a form, so you’ll have more confidence that the tapes were actually being transported to their destination.

Another thing you should consider is encryption to the data itself.
You don’t want to be in a situation where somebody steals a suitcase full of backup tapes, where all your data is in clear text.
I guess most commercial products allow you to encrypt your backups, but it raises a question about maintaining the encryption.
If you encrypt your backups using the same password or passphrase year after year, and some ex-employee knows the password, it can harm the whole idea behind encryption.
On the other hand, if you change the password from time to time, you need to manage a list of old passwords against list of dates of backup-tape labels, which might become a headache since it is another thing to maintain.

Today more and more companies are moving to backup-to-disk, because the cost of hard disks is very low, and it’s a fast media.
While performing backup to a remote site, you need to consider moving the data over secure or encrypted VPN lines in-order to avoid someone intercepting the data and stealing sensitive files.
Another good practice is to store the data on an encrypted file system. This way you don’t need to worry about some will be able to review your files, but you will have the overhead of maintaining the encryption key, and the copy to the encrypted file system might become a little bit slower on slow machines or slow storage devices.

Remember, keeping your backup safe and secure, enables you to overcome site disaster while protecting from data breach and law suites.