web analytics

Archive for the ‘RedHat’ Category

Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)

This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from
BEAST attack and CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:

  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation phase

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd tomcat
    useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat
  3. Download the lastest JDK8 for Linux from:
    http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
  4. Upgrade to the latest build of Oracle JDK:
    rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm
  5. Delete the JDK8 source files:
    rm -rf /tmp/jdk-8u45-linux-x64.rpm
    rm -rf /usr/java/jdk1.8.0_45/src.zip
  6. Download the latest Tomcat 8 source files:
    cd /opt
    wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz
  7. Extract Tomcat source files:
    tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt
  8. Rename the Tomcat folder:
    mv /opt/apache-tomcat-8.0.21 /opt/tomcat
  9. Remove default content:
    rm -rf /opt/apache-tomcat-8.0.21.tar.gz
    rm -rf /opt/tomcat/webapps/docs
    rm -rf /opt/tomcat/webapps/examples
    rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt
    rm -rf /opt/tomcat/webapps/host-manager
    rm -rf /opt/tomcat/webapps/manager
    rm -rf /opt/tomcat/work/Catalina/localhost/docs
    rm -rf /opt/tomcat/work/Catalina/localhost/examples
    rm -rf /opt/tomcat/work/Catalina/localhost/host-manager
    rm -rf /opt/tomcat/work/Catalina/localhost/manager
  10. Change folder ownership and permissions:
    chown -R tomcat.tomcat /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat
    chmod g-w,o-rwx /opt/tomcat/conf
    chmod o-rwx /opt/tomcat/logs
    chmod o-rwx /opt/tomcat/temp
    chmod g-w,o-rwx /opt/tomcat/bin
    chmod g-w,o-rwx /opt/tomcat/webapps
    chmod 770 /opt/tomcat/conf/catalina.policy
    chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties
    chmod g-w,o-rwx /opt/tomcat/conf/context.xml
    chmod g-w,o-rwx /opt/tomcat/conf/logging.properties
    chmod g-w,o-rwx /opt/tomcat/conf/server.xml
    chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml
    chmod g-w,o-rwx /opt/tomcat/conf/web.xml
  11. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  12. Extract the file catalina.jar
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
  13. Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
    Replace the string below from:
    server.infoerver.info=Apache Tomcat/8.0.21
    To:
    server.infoerver.info=Secure Web serverReplace the string below from:
    server.number=8.0.21.0
    To:
    server.number=1.0.0.0Replace the string below from:
    server.built=Mar 23 2015 14:11:21 UTC
    To:
    server.built=Jan 01 2000 00:00:00 UTC
  14. Move to the folder /opt/tomcat/lib
    cd /opt/tomcat/lib
  15. Repackage the file catalina.jar
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
  16. Remove the folder below:
    rm -rf /opt/tomcat/lib/org
  17. Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes:
    Replace the:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443" />

    To:
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    xpoweredBy="false"
    allowTrace="false"
    redirectPort="8443" />
    Replace the:
    <Server port="8005" shutdown="SHUTDOWN">
    To:
    <Server port="-1" shutdown="SHUTDOWN">Replace the:
    autoDeploy="true"
    To:
    autoDeploy="false"
  18. Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content:
    <html>
    <head>
    <title>404-Page Not Found</title>
    </head>
    <body> The requested URL was not found on this server. </body>
    </html>
  19. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <error-page>
    <error-code>400</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>401</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>405</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>410</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>411</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>412</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>413</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>408</error-code>
    <location>/error.jsp</location>
    </error-page>
    <error-page>
    <error-code>500</error-code>
    <location>/error.jsp </error-page><!-- Define a Security Constraint on this Application -->
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/list</url-pattern>
    <url-pattern>/sessions</url-pattern>
    <url-pattern>/start</url-pattern>
    <url-pattern>/stop</url-pattern>
    <url-pattern>/install</url-pattern>
    <url-pattern>/remove</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/save</url-pattern>
    <url-pattern>/serverinfo</url-pattern>
    <url-pattern>/status/*</url-pattern>
    <url-pattern>/roles</url-pattern>
    <url-pattern>/resources</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
  20. Create using VI, the file /etc/init.d/tomcat, with the following content:
    #!/bin/bash
    # description: Tomcat Start Stop Restart
    # processname: tomcat
    # chkconfig: 234 20 80
    JAVA_HOME=/usr/java/jdk1.8.0_45
    export JAVA_HOME
    PATH=$JAVA_HOME/bin:$PATH
    export PATH
    CATALINA_HOME=/opt/tomcat/bin
    case $1 in
    start)
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    stop)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    ;;
    restart)
    /bin/su tomcat $CATALINA_HOME/shutdown.sh
    /bin/su tomcat $CATALINA_HOME/startup.sh
    ;;
    esac
    exit 0
    Note: Update the “JAVA_HOME” path according to the install JDK build.
  21. Change the permission on the tomcat script:
    chmod 755 /etc/init.d/tomcat
  22. To start Tomcat service at server start-up, run the command:
    chkconfig tomcat on
  23. To manually start the Tomcat service, use the command:
    service tomcat start
  24. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  25. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  26. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  27. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/tomcat/ssl
    chown -R tomcat:tomcat /opt/tomcat/ssl
    chmod -R 755 /opt/tomcat/ssl
  3. Run the command below to generate a key store:
    /usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  4. Run the command below to generate a CSR (certificate request):
    /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias "FQDN_Name"Note 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  5. Send the file /tmp/tomcat.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt
  7. Copy the file “server.crt” using SCP into /opt/tomcat/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /opt/tomcat/ssl
  10. Run the command below to import the trusted root CA public certificate:
    /usr/java/jdk1.8.0_45/bin/keytool -import -alias "FQDN_Name" -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
    Note 3: Replace “FQDN_Name” with the server DNS name.
  11. Run the command below to import the signed public key into the key store:
    /usr/java/jdk1.8.0_45/bin/keytool -import -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crtNote 1: The command above should be written as one line.
    Note 2: Replace ComplexPassword with your own complex password.
  12. Stop the Tomcat service:
    service tomcat stop
  13. Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below:
    <Connector port="8443"
    protocol="HTTP/1.1"
    maxThreads="150"
    xpoweredBy="false"
    allowTrace="false"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/opt/tomcat/ssl/server.key"
    keystorePass="ComplexPassword"
    keyAlias="FQDN_Name"
    clientAuth="false"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    Note 1: Replace ComplexPassword with your own complex password.
    Note 2: Replace “FQDN_Name” with the server DNS name.
  14. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the “web-app” tag:
    <user-data-constraint>
    <description>
    Constrain the user data transport for the whole application
    </description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  15. Edit using VI, the file /opt/tomcat/conf/context.xml and add the following parameter inside the context tag:
    usehttponly="true"
  16. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  17. Save the IPTables settings:
    service iptables save
  18. To manually start the Tomcat service, use the command:
    service tomcat start

Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)

This document explains the process of installation, configuration and hardening of NGINX server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack

Some of the features explained in this document are supported by only some of the Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Installation Phase

  1. Login to the server using Root account
  2. Install pre-requirement packages:
    yum install policycoreutils-python-* -y
    yum install setools-libs-* -y
    yum install libcgroup-* -y
    yum install audit-libs-python-* -y
    yum install libsemanage-python-* -y
    yum install setools-libs-python-* -y
    yum install gcc* -y
  3. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  4. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
    yum --enablerepo=axivo update openssl -y
  5. Download Openssl source files:
    cd /opt
    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
  6. Extract Openssl source files:
    tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt
  7. Remove Openssl source file:
    rm -rf /opt/openssl-1.0.1e.tar.gz
  8. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  9. Compile PCRE from source file:
    tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp
    mv /tmp/pcre-8.34 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install
  10. Remove PCRE package:
    rm -rf /tmp/pcre-8.34.tar.gz
  11. Download Nginx 1.5.8:
    cd /tmp
    wget http://nginx.org/download/nginx-1.5.8.tar.gz
  12. Extract the nginx-1.5.8.tar.gz file:
    tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp
  13. Move to the Nginx source folder:
    cd /tmp/nginx-1.5.8
  14. Edit using VI, the file
    /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" NGINX_VER CRLF;
  15. Run the commands bellow to compile the Nginx environment:
    ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcreNote: The command above should be written as one line.
    make
    make install
  16. Remove the Nginx source files:
    cd /
    rm -rf /tmp/nginx-1.5.8
    rm -f /tmp/nginx-1.5.8.tar.gz
  17. Remove Default Content
    rm -rf /usr/local/nginx/html
  18. Updating Ownership and Permissions on Nginx folders:
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs
  19. Create folder for the web content:
    mkdir -p /www
  20. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  21. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;To:
    user nginx nginx;From:
    #error_log logs/error.log notice;To:
    error_log logs/error.log notice;From:
    server_name localhost;To:
    server_name Server_FQDN;Note: Replace Server_FQDN with the actual server DNS name.

    From:
    root html;To:
    root /www;

  22. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last “}” character):
    ## turn off nginx version number ##
    server_tokens off;
    ## Size Limits & Buffer Overflows ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 2k;
    ## Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  23. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /usr/local/nginx/conf/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid
    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest || return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q || exit 0
    $1
    ;;
    restart|configtest)
    $1
    ;;
    reload)
    rh_status_q || exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestart|try-restart)
    rh_status_q || exit 0
    ;;
    *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
    exit 2
    esac

  24. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  25. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  26. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  27. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  28. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask.
  29. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name.
  30. Save the IPTables settings:
    service iptables save
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /usr/local/nginx/ssl
    chmod 600 /usr/local/nginx/ssl
  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csrNote: The command above should be written as one line.
  5. Send the file /tmp/server.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt”
  7. Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
  8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
  9. Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
  10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
    cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pemNote: The command above should be written as one line.
  11. Remove the key store passphrase:
    /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.keyNote: The command above should be written as one line.
  12. Remove the original “server.crt”, “server.csr” and “ca-bundle.crt” files:
    rm -f /tmp/server.csr
    rm -f /usr/local/nginx/ssl/server.crt
    rm -f /usr/local/nginx/ssl/ca-bundle.crt
  13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
    # HTTPS server
    #
    #server {
    # listen 443 ssl;
    # server_name localhost;
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    # root html;
    # index index.html index.htm;
    # }
    #}
    To:
    # HTTPS server
    #
    server {
    listen 443;
    server_name Server_FQDN;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.pem;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    ssl_prefer_server_ciphers on;
    # HTTP Strict Transport Security #
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # X-Frame-Options header #
    add_header X-Frame-Options SAMEORIGIN;
    location / {
    root /www;
    index index.html index.htm;
    }
    }
    Note: Replace Server_FQDN with the actual server DNS name.
  14. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  15. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name
  16. Save the IPTables settings:
    service iptables save
  17. Restart the nginx:
    service nginx restart

Hardening guide for Postfix 2.x

  1. Make sure the Postfix is running with non-root account:
    ps aux | grep postfix | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chmod 755 /etc/postfix
    chmod 644 /etc/postfix/*.cf
    chmod 755 /etc/postfix/postfix-script*
    chmod 755 /var/spool/postfix
    chown root:root /var/log/mail*
    chmod 600 /var/log/mail*
  3. Edit using VI, the file /etc/postfix/main.cf and add make the following changes:
    • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
      myhostname = myserver.example.com
    • Configure network interface addresses that the Postfix service should listen on, for example:
      inet_interfaces = 192.168.1.1
    • Configure Trusted Networks, for example:
      mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
    • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
      myorigin = example.com

    • Configure the SMTP domain destination, for example:
      mydomain = example.com
    • Configure to which SMTP domains to relay messages to, for example:
      relay_domains = example.com
    • Configure SMTP Greeting Banner:
      smtpd_banner = $myhostname
    • Limit Denial of Service Attacks:
      default_process_limit = 100
      smtpd_client_connection_count_limit = 10
      smtpd_client_connection_rate_limit = 30
      queue_minfree = 20971520
      header_size_limit = 51200
      message_size_limit = 10485760
      smtpd_recipient_limit = 100
  4. Restart the Postfix daemon:
    service postfix restart

Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

  1. Install OpenSSL.
  2. Run the command bellow to generate a new key store called “server.key
    openssl genrsa -des3 -out /tmp/server.key 1024
  3. Run the commands bellow to request a new SSL certificate:
    openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

    openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info

  4. Run the command bellow to backup the key store file that has a password:
    cp /tmp/server.key /tmp/server.key.bak
  5. Run the command bellow to generate a new key store without a password:
    openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
  6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
    cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
  7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
    openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:

  • server.key – Key store file
  • server.crt – Server SSL public key file
  • no.pwd.server.key – Key store file (without a password)
  • no.pwd.server.pem – Key store file + server SSL public key file (without a password)
  • server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

Pre-requirements:

  • JDK 1.6 source file
  • Resin Professional 4.0.8 source file

Installation phase

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd resin
    useradd -g resin -d /home/resin -s /bin/bash resin
  3. Create folder for the web content:
    mkdir -p /www
  4. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  5. Copy JDK 1.6 into /tmp
  6. Change the permissions on the JDK 1.6:
    chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
  7. Run the command bellow to install JDK 1.6:
    /tmp/jdk-6u20-linux-i586-rpm.bin
  8. Remove the JDK 1.6 source files:
    rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
    rm -f /usr/java/jdk1.6.0_20/src.zip
    rm -rf /usr/java/jdk1.6.0_20/demo
    rm -rf /usr/java/jdk1.6.0_20/sample
    rm -rf /opt/sun/javadb/demo
    rm -rf /opt/sun/javadb/docs
  9. Before compiling the Resin environment, install the following RPM from the RHEL DVD:
    rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-42.i386.rpm
    rpm -ivh glibc-devel-2.5-42.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-46.el5.i386.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
  10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
  11. Move to /tmp
    cd /tmp
  12. Extract the resin-pro-4.0.8.tar.gz file:
    tar -zxvf resin-pro-4.0.8.tar.gz
  13. Move to the Resin 4.0.8 source folder:
    cd /tmp/resin-pro-4.0.8
  14. Run the commands bellow to compile the Resin 4.0.8 environment:
    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
    Note: The command above should be written as one line.

    make
    make install

  15. Edit using VI, the file /usr/local/resin/conf/resin.xml and change the string bellow:
    From:
    <resin:if test="${resin.userName == 'root'}">To:
    <resin:if test="${resin.userName == 'resin'}">

    From:
    <user-name>www-data</user-name>To:
    <user-name>resin</user-name>

    From:
    <group-name>www-data</group-name>To:
    <group-name>resin</group-name>

    From:
    <server id="" address="127.0.0.1" port="6800">To:
    <server id="" address="Server_DNS_Name" port="6800">

    From:
    <http address="*" port="8080"/>To:
    <http address="Server_DNS_Name" port="8080"/>

    From:
    <dependency-check-interval>2s</dependency-check-interval>To:
    <dependency-check-interval>600s</dependency-check-interval>

    From:
    <host id="" root-directory=".">To:
    <host id="Server_DNS_Name" root-directory="/www">

    From:
    <root-directory>.</root-directory>To:
    <root-directory>/www</root-directory>

    From:
    <resin:set var="resin_admin_external" value="false"/>To:
    <resin:set var="resin_admin_external" value="true"/>

  16. Change the ownership on the folder bellow:
    chown resin:root -R /www/*
  17. Manually start the Resin service:
    /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
  18. Manually stop the Resin service:
    /usr/local/resin/bin/resin.sh stop
  19. Copy the Resin license file into
    /usr/local/resin/licenses
  20. Change the ownership and permissions on the folders bellow:
    chmod 664 -R /www/watchdog-data/
    chmod 777 /www/watchdog-data/default/
    chown resin:root -R /www/watchdog-data/*
  21. Remove the Resin 4.0.8 source folder:
    rm -rf /tmp/resin-pro-4.0.8
  22. Remove default documents:
    rm -rf /www/doc/resin-doc
  23. To start Resin service at server start-up, run the commands bellow:
    chkconfig --add resin
    chkconfig resin on
    /etc/init.d/resin start
  24. From a client machine, open an internet browser and login to the address:
    http://Server_DNS_Name:8080/resin-admin/
  25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin“.
  26. Rename the admin-users.xml file:
    mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
  27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.

IPv6 – Problem and some solutions

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Hardening guide for WordPress 3.0

Pre-installation notes
The guide bellow is based on the previous guides:

Installation and configuration phase

  1. Login to the server using Root account.
  2. Create a new account for uploading files using SSH:
    groupadd sshaccount
    useradd -g sshaccount -d /home/sshaccount -m sshaccount
  3. Run the commands bellow to switch to the SSH account:
    su sshaccount
  4. Run the command bellow to generate SSH keys:
    ssh-keygen
    Note: Leave deafult values for the ssh-keygen.
  5. Copy the SSH keys:
    cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
  6. Change permissions for the SSH keys:
    chmod 755 /home/sshaccount/.ssh
    chmod 644 /home/sshaccount/.ssh/*
  7. Exit the SSH account shell and return to the Root account:
    exit
  8. Run the command bellow to login to the MySQL:
    /usr/bin/mysql -uroot -pnew-password
    Note: Replace the string “new-password” with the actual password for the root account.
  9. Run the following commands from the MySQL prompt:
    CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
    SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
    CREATE DATABASE m6gf42s;
    GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
    FLUSH PRIVILEGES;
    quit
    Note 1: Replace “blgusr” with your own MySQL account to access the database.
    Note 2: Replace “password2” with complex password (at least 14 characters).
    Note 3: Replace “m6gf42s” with your own WordPress database name.
  10. Download WordPress 3.0 from:
    http://wordpress.org/download
  11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
  12. Move to /www
    cd /www
  13. Extract the wordpress-3.0.zip file:
    unzip wordpress-3.0.zip
  14. Remove WordPress source file:
    rm -f /www/wordpress-3.0.zip
  15. Create using VI the file /www/config.php with the following content:
    <?php
    define('DB_NAME', 'm6gf42s');
    define('DB_USER', 'blgusr');
    define('DB_PASSWORD', 'password2');
    define('DB_HOST', '127.0.0.1');
    $table_prefix = 'm6gf42s_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    define('FS_METHOD', 'direct');
    define('FS_CHMOD_DIR', 0777);
    define('FS_CHMOD_FILE', 0777);
    define('FTP_BASE', '/www/wordpress/');
    define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
    define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
    define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
    define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
    define('FTP_USER', 'sshaccount');
    define('FTP_HOST', '127.0.0.1:22');
    ?>
    Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
    Note 2: Replace “blgusr” with your own MySQL account to access the database.
    Note 3: Replace “password2” with complex password (at least 14 characters).
    Note 4: Replace “m6gf42s” with your own WordPress database name.
    Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
    http://api.wordpress.org/secret-key/1.1/
  16. Copy the wp-config.php file:
    cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
  17. Edit using VI, the file /www/wordpress/wp-config.php
    Add the following line:
    include('/www/config.php');

    Remove the following sections:
    define('DB_NAME', 'putyourdbnamehere');
    define('DB_USER', 'usernamehere');
    define('DB_PASSWORD', 'yourpasswordhere');
    define('DB_HOST', 'localhost');
    $table_prefix = 'wp_';
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');

  18. Remove default content:
    rm -f /www/wordpress/license.txt
    rm -f /www/wordpress/readme.html
    rm -f /www/wordpress/wp-config-sample.php
    rm -f /www/wordpress/wp-content/plugins/hello.php
  19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
    Replace the value of the string, from:
    DocumentRoot "/www"To:
    DocumentRoot "/www/wordpress"

    Replace the value of the string, from:
    LimitRequestBody 10000To:
    LimitRequestBody 200000

  20. Restart the Apache service.
  21. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-admin/install.php
  22. Specify the following information:
    • Site Title
    • Username – replace the default “admin
    • Password
    • E-mail
  23. Click on “Install WordPress” button, and close the web browser.
  24. Create using VI the file /www/wordpress/.htaccess with the following content:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
    <Files wp-login.php>
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    </Files>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
    Note 1: Replace 1.1.1.0 with the internal network IP address.
    Note 2: Replace Server_FQDN with the server FQDN (DNS name).
  25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName “Access Control”
    AuthType Basic
    <LIMIT GET POST>
    order deny,allow
    deny from all
    Allow from 1.1.1.0
    </LIMIT>
    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>
    Note: Replace 1.1.1.0 with the internal network IP address.
  26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    Order deny,allow
    Deny from All
    Allow from 1.1.1.0
    Note: Replace 1.1.1.0 with the internal network IP address.
  27. Create the following folders:
    mkdir -p /www/wordpress/wp-content/cache
    mkdir -p /www/wordpress/wp-content/uploads
    mkdir -p /www/wordpress/wp-content/upgrade
  28. Change the file permissions:
    chown -R root:root /www/wordpress
    chown daemon:root /www/wordpress/wp-content/plugins
    chmod 644 /www/config.php
    chmod 644 /www/wordpress/wp-config.php
    chmod 644 /www/wordpress/.htaccess
    chmod 644 /www/wordpress/wp-admin/.htaccess
    chmod 644 /www/wordpress/wp-content/plugins/.htaccess
    chmod -R 777 /www/wordpress/wp-content/cache
    chmod -R 777 /www/wordpress/wp-content/uploads
    chmod -R 777 /www/wordpress/wp-content/upgrade
  29. Download “Login Lockdown” plugin from:
    http://www.bad-neighborhood.com/login-lockdown.html
  30. Download “Limit Login” plugin from:
    http://wordpress.org/extend/plugins/limit-login-attempts/
  31. Download “WP-Secure Remove WordPress Version” plugin from:
    http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
  32. Download “WP Security Scan” plugin from:
    http://wordpress.org/extend/plugins/wp-security-scan/
  33. Download “KB Robots.txt” plugin from:
    http://wordpress.org/extend/plugins/kb-robotstxt/
  34. Download “WordPress Database Backup” plugin from:
    http://austinmatzko.com/wordpress-plugins/wp-db-backup/
  35. Download “WordPress Firewall” plugin from:
    http://www.seoegghead.com/software/wordpress-firewall.seo
  36. Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
  37. Create a folder for the “WordPress Database Backup” plugin:
    mkdir -p /www/wordpress/wp-content/backup-ed602
  38. Set permissions for the “WordPress Database Backup” plugin:
    chmod 777 /www/wordpress/wp-content/backup-ed602
  39. Open a web browser from a client machine, and enter the URL bellow:
    http://Server_FQDN/wp-login.php
  40. From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
  41. From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
    wp-content/uploads
  42. Click on “Save changes”.
  43. From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
    Note: Install and activate all the above downloaded plugins.
  44. From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
    Disallow: /wp-*
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes
    Disallow: /wp-login.php
    Disallow: /wp-register.php
  45. Click “Submit”.
  46. From the upper pane, click on “Log Out”.
  47. Delete the file /wp-admin/install.php
  48. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
    define('FORCE_SSL_LOGIN', true);

Hardening guide for VSFTPD on RHEL 5.4

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

  1. Login to the server using Root account.
  2. Install from the RHEL 5.4 DVD the following RPM:
    rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
  3. Create a group for FTP users:
    groupadd ftp-users
  4. Create folder for the FTP:
    mkdir -p /ftp
  5. Change ownership and permissions on the FTP folder:
    chown root:ftp-users /ftp
    chmod 777 -R /ftp
  6. Example of user creation:
    useradd -g ftp-users -d /ftp user1
    passwd user1
  7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
    Change from:
    anonymous_enable=YESTo:
    anonymous_enable=NO

    Change from:
    xferlog_std_format=YESTo:
    xferlog_std_format=NO

    Change from:
    #tftpd_banner=Welcome to blah FTP service.To:
    tftpd_banner=Secure FTP server

    Add the lines bellow:
    local_root=/ftp
    userlist_file=/etc/vsftpd/user_list
    userlist_deny=NO
    vsftpd_log_file=/var/log/vsftpd.log
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    rsa_cert_file=/etc/vsftpd/vsftpd.pem

  8. Run the command bellow to create VSFTP SSL key:
    openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
    Note: The command above should written as one line.
  9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
  10. Run the command bellow to manually start the VSFTP service:
    /etc/init.d/vsftpd start
  11. Run the command bellow to configure the VSFTP to start at server startup:
    chkconfig vsftpd on

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd nginx
    useradd -g nginx -d /dev/null -s /sbin/nologin nginx
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Nginx environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Download Nginx 0.7.65 from:
    http://wiki.nginx.org/NginxInstall
  6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the nginx-0.7.65.tar.gz file:
    tar -zxvf nginx-0.7.65.tar.gz
  9. Move to the Nginx source folder:
    cd /tmp/nginx-0.7.65
  10. Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
    To:
    static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
    static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
  11. Run the commands bellow to compile the Nginx environment:
    ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

    make

    make install

  12. Remove the Nginx source files:
    rm -rf /tmp/nginx-0.7.65
    rm -f /tmp/nginx-0.7.65.tar.gz
  13. Remove Default Content
    rm -rf /usr/local/nginx/html
  14. Updating Ownership and Permissions on Nginx folders:
    chown -R root:root /usr/local/nginx
    chmod 750 /usr/local/nginx/sbin/nginx
    chmod -R 640 /usr/local/nginx/conf
    chmod -R 770 /usr/local/nginx/logs
  15. Create folder for the web content:
    mkdir -p /www
  16. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  17. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
    From:
    #user nobody;To:
    user nginx nginx;

    From:
    #error_log logs/error.log notice;To:
    error_log logs/error.log notice;

    From:
    server_name localhost;To:
    server_name Server_FQDN;

    From:
    root html;To:
    root /www;

  18. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
    server_tokens off;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
  19. Create using VI, the file /etc/init.d/nginx with the following content:
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig: - 85 15
    # description: Nginx is an HTTP(S) server, HTTP(S) reverse \
    # proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config: /etc/nginx/nginx.conf
    # config: /etc/sysconfig/nginx
    # pidfile: /var/run/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/sbin/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    start() {
    [ -x $nginx ] exit 5
    [ -f $NGINX_CONF_FILE ] exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
    }

    stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
    }

    restart() {
    configtest return $?
    stop
    sleep 1
    start
    }

    reload() {
    configtest return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
    }

    force_reload() {
    restart
    }

    configtest() {
    $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
    status $prog
    }

    rh_status_q() {
    rh_status >/dev/null 2>&1
    }

    case "$1" in
    start)
    rh_status_q && exit 0
    $1
    ;;
    stop)
    rh_status_q exit 0
    $1
    ;;
    restartconfigtest)
    $1
    ;;
    reload)
    rh_status_q exit 7
    $1
    ;;
    force-reload)
    force_reload
    ;;
    status)
    rh_status
    ;;
    condrestarttry-restart)
    rh_status_q exit 0
    ;;
    *)
    echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}"
    exit 2
    esac

  20. Change the permissions of the file /etc/init.d/nginx
    chmod +x /etc/init.d/nginx
  21. To start Nginx service at server start-up, run the command:
    chkconfig nginx on
  22. To manually start the Nginx service, use the command:
    /etc/init.d/nginx start
  23. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd lighttpd
    useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Lighttpd environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-49.x86_64.rpm
    rpm -ivh glibc-devel-2.5-49.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
  5. Download Lighttpd 1.4.26 from:
    http://www.lighttpd.net/download/
  6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
  7. Move to /tmp
    cd /tmp
  8. Extract the lighttpd-1.4.26.tar.gz file:
    tar -zxvf lighttpd-1.4.26.tar.gz
  9. Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
  10. Move to the Lighttpd source folder:
    cd /tmp/lighttpd-1.4.26
  11. Run the commands bellow to compile the Lighttpd environment:
    ./configure --with-openssl --without-bzip2

    make

    make install

  12. Create the following folders:
    mkdir -p /etc/lighttpd
    mkdir -p /var/log/lighttpd
    mkdir -p /var/cache/lighttpd/compress
  13. Copy the lighttpd.conf file:
    cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
  14. Updating Ownership and Permissions on Lighttpd folders:
    chown lighttpd:lighttpd /var/log/lighttpd
    chown lighttpd:root /etc/lighttpd/lighttpd.conf
    chown lighttpd:lighttpd /var/cache/lighttpd/compress
    chmod o-r /etc/lighttpd/lighttpd.conf
    chmod -R o-r /var/log/lighttpd
  15. Create folder for the web content:
    mkdir -p /www
  16. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
    From:
    server.document-root = "/srv/www/htdocs/"To:
    server.document-root = "/www"

    From:
    #server.bind = "127.0.0.1"To:
    server.bind = "Server_FQDN"

    From:
    # server.tag = "lighttpd"To:
    server.tag = "Secure Web Server"

    From:
    #server.username = "wwwrun"To:
    server.username = "lighttpd"

    From:
    #server.groupname = "wwwrun"To:
    server.groupname = "lighttpd"

    From:
    #dir-listing.activate = "enable"To:
    dir-listing.activate = "disable"

  18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
    LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
  19. To manually start Lighttpd use the command:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  20. To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
  21. Remove the Lighttpd source files:
    rm -rf /tmp/lighttpd-1.4.26
    rm -f /tmp/lighttpd-1.4.26.tar.gz
  22. Uninstall the following RPM:
    rpm -e gcc-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5