Archive for the ‘RedHat’ Category
Hardening guide for WordPress 2.9.2
Pre-installation notes
The guide below is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
- Run the command below to switch to the SSH account:
su sshaccount
- Run the command below to generate SSH keys:
ssh-keygen
Note: Leave the default values for ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with a complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
- Download WordPress 2.9.2 from:
http://wordpress.org/download
- Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
- Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
- Create using VI the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '<?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with a complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below:
http://api.wordpress.org/secret-key/1.1/
- Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
- Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Blog Title
- Click on “Install WordPress” button, and close the web browser.
- Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
Note 2: Replace “johnd” with your own new WordPress admin.
Note 3: Replace “password3” with a complex password (at least 14 characters).
- Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
- Create using VI the file /www/wordpress/.htaccess with the following content:
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
- Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>
Note: Replace 1.1.1.0 with the internal network IP address.
- Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
Note: Replace 1.1.1.0 with the internal network IP address.
- Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
- Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
- Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
- Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
- Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
- Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
- Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
- Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL below:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins.
- From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- In case the server was configured with an SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
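The permissions set in the steps above can be re-checked later with a short audit. This is an added example, not part of the original guide: it lists world-writable paths outside the four directories the guide sets to 777, and flags the files the guide sets to 644 if they are missing or writable by group or others. The function names and the demo tree are constructed for illustration.

```sh
# Directories the guide makes world-writable (chmod 777), relative to the root.
WP_EXPECTED_WRITABLE="wp-content/cache wp-content/uploads wp-content/upgrade wp-content/backup-ed602"
# Files the guide sets to 644; none should be writable by group or others.
WP_PROTECTED_FILES="wp-config.php .htaccess wp-admin/.htaccess wp-content/plugins/.htaccess"

# Print every world-writable path under ROOT that is outside the expected directories.
wp_unexpected_writable() {
    root=${1%/}
    find "$root" ! -type l -perm -0002 | while IFS= read -r path; do
        rel=${path#"$root"/}
        [ "$path" = "$root" ] && rel=.
        ok=0
        for dir in $WP_EXPECTED_WRITABLE; do
            case "$rel" in "$dir"|"$dir"/*) ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$rel"
    done
}

# Print each protected file that is missing or writable by group/others.
wp_weak_protected_files() {
    root=${1%/}
    for f in $WP_PROTECTED_FILES; do
        if [ ! -f "$root/$f" ]; then
            printf 'missing %s\n' "$f"
        elif [ -n "$(find "$root/$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            printf 'writable %s\n' "$f"
        fi
    done
}

# Build a small constructed tree (not a real install) with two deliberate drifts.
wp_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-admin" "$t/wp-content/plugins" "$t/wp-content/themes" \
             "$t/wp-content/uploads/2010"
    chmod -R 755 "$t"
    chmod -R 777 "$t/wp-content/uploads"      # expected by the guide
    chmod 777 "$t/wp-content/themes"          # drift: not in the guide
    for f in $WP_PROTECTED_FILES; do : > "$t/$f"; chmod 644 "$t/$f"; done
    chmod 666 "$t/wp-config.php"              # drift: the guide sets 644
    printf '%s\n' "$t"
}

# With a path argument audit that tree; without one, audit the demo tree.
target=${1:-$(wp_demo_tree)}
wp_unexpected_writable "$target"
wp_weak_protected_files "$target"
```

Run it as root with /www/wordpress as the argument; no output means the tree matches the guide.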
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Pre-installation notes
The guide below is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Installation and configuration phase
- Login to the server using Root account.
- Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
- Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
- Download PHP 5.3.2 source files from:
http://php.net/downloads.php
- Copy the MySQL development RPM using PSCP (or SCP) into /tmp
- Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
- Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
- Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz
- Move to the PHP source folder:
cd /tmp/php-5.3.2
- Run the commands below to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib
make
make install
- Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Make sure the following string exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.html
To:
DirectoryIndex index.php index.html index.htm
- Copy the PHP.ini file
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
- Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
- Edit using VI, the file /etc/php.ini and replace the following values:
From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306
From:
allow_url_fopen = On
To:
allow_url_fopen = Off
From:
expose_php = On
To:
expose_php = Off
From:
memory_limit = 128M
To:
memory_limit = 8M
From:
;open_basedir =
To:
open_basedir = "/www"
From:
post_max_size = 8M
To:
post_max_size = 2M
From:
upload_max_filesize = 2M
To:
upload_max_filesize = 1M
From:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsid,posix_setuid
From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php:/usr/local/apache2/include/php"
From:
display_errors = On
To:
display_errors = Off
From:
display_startup_errors = On
To:
display_startup_errors = Off
- Run the commands below to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
- Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
- Uninstall the following RPM:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
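The php.ini values set in the steps above can be verified after the fact. This is an added example, not part of the original guide: it reads the effective value of each directive the guide changes and checks that six command-execution functions from the guide's disable_functions list are present as separate entries. The function names and the sample file are constructed for illustration.

```sh
# directive=expected pairs from the guide's php.ini step (compared lower-cased).
PHP_EXPECTED="allow_url_fopen=off expose_php=off display_errors=off
display_startup_errors=off memory_limit=8m post_max_size=2m
upload_max_filesize=1m open_basedir=/www mysql.default_host=127.0.0.1:3306"
# Command-execution functions that appear in the guide's disable_functions list.
PHP_MUST_DISABLE="exec system passthru shell_exec popen proc_open"

# Print KEY's last uncommented value in FILE, lower-cased, without surrounding
# blanks or double quotes. Inline comments are not handled.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { print val }' "$1"
}

# Map PHP boolean spellings onto on/off; report a missing or empty value as unset.
ini_norm() {
    case "$1" in
        1|on|yes|true) echo on ;;
        0|off|no|false|none) echo off ;;
        "") echo unset ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one line for every directive that differs from the guide.
php_ini_deviations() {
    for pair in $PHP_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ini_norm "$(ini_get "$1" "$key")")
        [ "$have" = "$want" ] || printf '%s: expected %s, found %s\n' "$key" "$want" "$have"
    done
}

# Print each required function that is not a separate entry in disable_functions;
# a name fused to its neighbour (a lost comma) does not count as disabled.
php_ini_not_disabled() {
    list=$(ini_get "$1" disable_functions | tr ', ' '\n\n')
    for fn in $PHP_MUST_DISABLE; do
        printf '%s\n' "$list" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Constructed sample with deliberate drift (not a real server's file).
php_ini_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
; allow_url_fopen = Off
allow_url_fopen = On
expose_php = Off
display_errors = 0
display_startup_errors = Off
memory_limit = 8M
post_max_size = 2M
upload_max_filesize = 1M
open_basedir = "/www"
mysql.default_host = 127.0.0.1:3306
disable_functions = exec,system, passthru,shell_execpopen,proc_open
EOF
    printf '%s\n' "$f"
}

ini=${1:-$(php_ini_sample)}   # file to check; default: the constructed sample
php_ini_deviations "$ini"; php_ini_not_disabled "$ini"
```

Run it with /etc/php.ini as the argument; no output means the file matches the values above.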
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
- Download MySQL server and client RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
- Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Delete the MySQL source files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
- Run the commands below to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
- Run the command below to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
- Run the commands below to remove default folder:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
- Run the command below to set ownership and permissions for my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
- Edit using VI, the file /etc/my.cnf
Add the strings below under the [mysqld] section
pid-file = /var/lib/mysql/mysqld.pid
Add the section below:
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
- Run the command below to restart the target server:
reboot
- Login to the server using Root account.
- Run the commands below to set password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 1: Specify a complex password (at least 14 characters) and document it.
Note 2: Replace “hostname” with the server FQDN (DNS name).
- Run the command below to log in to MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
- Run the command below to stop the MySQL service:
/etc/init.d/mysql stop
- Run the command below to start the MySQL service:
/etc/init.d/mysql start
How to implement SSL on Apache 2.2.15
Pre-installation notes
The guide below is based on the previous guide
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
- Run the command below to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (including those two lines) into Notepad, and save the file as “server.crt”
- Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
Listen Server_FQDN:443
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
- Restart the Apache services:
/usr/local/apache2/bin/apachectl restart
- Backup the file /usr/local/apache2/ssl/server.key
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
- Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
- Before compiling the Apache environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
- Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
- Move to the Apache source folder:
cd httpd-2.2.15
- Run the commands below to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl
make
make install
- Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15
rm -f /tmp/httpd-2.2.15.tar.gz
- Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
- Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"
From:
Listen 80
To:
Listen Server_FQDN:80
From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com
From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN
From:
LogLevel warn
To:
LogLevel notice
From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
From:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>
From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500
- Remove the sections below from the file httpd.conf
<Directory "/usr/local/apache2/cgi-bin">
- Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
- To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line below:
/usr/local/apache2/bin/apachectl start
- Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5