Archive for the ‘SSL’ Category
Hardening guide for WordPress 3.0 for hosted web sites
Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.
- Request from your hosting provider access through SSH.
- Login to the hosted server using SSH.
- Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
- DB_NAME
- DB_USER
- DB_PASSWORD
- Create using VI the file ~/config.php with the following content:
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.< ?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
?>
Note 2: Replace “blgusr” with the MySQL account to access the database.
Note 3: Replace “password2” with the MySQL account password.
Note 4: Replace “m6gf42s” with the WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Edit using VI, the file ~/html/wp-config.php
Add the following line:
include('/path/config.php');
Note: Replace /path/ with the full path to the config.php file.Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here'); - Remove default content:
rm -f ~/html/license.txt
rm -f ~/html/readme.html
rm -f ~/html/wp-config-sample.php
rm -f ~/html/wp-content/plugins/hello.php - Create using VI the file ~/html/.htaccess with the following content:
< files wp-config.php>
Order deny,allow
deny from all
< /files>
< Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
< /Files> - Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic - Create the following folders:
mkdir -p ~/html/wp-content/cache
mkdir -p ~/html/wp-content/uploads
mkdir -p ~/html/wp-content/upgrade
- Change the file permissions:
chmod -R 777 ~/html/wp-content/cache
chmod -R 777 ~/html/wp-content/uploads
chmod -R 777 ~/html/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/ - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /html/wp-content/plugins
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php - From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php - Click “Submit”.
- From the upper pane, click on “Log Out”.
- Delete the file /wp-admin/install.php
- In-case the server was configured with SSL certificate, add the following line to the config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for WordPress 3.0
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
- Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
Note 1: Replace “blgusr” with your own MySQL account to access the database.
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 3.0 from:
http://wordpress.org/download - Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
- Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
- Create using VI the file /www/config.php with the following content:
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
< ?php‘ tag or after a closing ‘?> ‘ tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Site Title
- Username – replace the default “admin“
- Password
- Click on “Install WordPress” button, and close the web browser.
- Create using VI the file /www/wordpress/.htaccess with the following content:
Note 1: Replace 1.1.1.0 with the internal network IP address.< files wp-config.php>
Order deny,allow
deny from all
< /files>
< Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
< /Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
< LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
< /LIMIT>
< IfModule mod_security.c>
SecFilterInheritance Off
< /IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “Limit Login” plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/ - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> put a new value inside the “Tagline” field -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Media” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- Delete the file /wp-admin/install.php
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
Hardening guide for VSFTPD on RHEL 5.4
The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.
Installation phase
- Login to the server using Root account.
- Install from the RHEL 5.4 DVD the following RPM:
rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
- Create a group for FTP users:
groupadd ftp-users
- Create folder for the FTP:
mkdir -p /ftp
- Change ownership and permissions on the FTP folder:
chown root:ftp-users /ftp
chmod 777 -R /ftp - Example of user creation:
useradd -g ftp-users -d /ftp user1
passwd user1
- Edit using VI, the file /etc/vsftpd/vsftpd.conf
Change from:
anonymous_enable=YES
To:
anonymous_enable=NO
Change from:
xferlog_std_format=YES
To:
xferlog_std_format=NO
Change from:
#tftpd_banner=Welcome to blah FTP service.
To:
tftpd_banner=Secure FTP server
Add the lines bellow:
local_root=/ftp
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem
- Run the command bellow to create VSFTP SSL key:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Note: The command above should written as one line.
- Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
- Run the command bellow to manually start the VSFTP service:
/etc/init.d/vsftpd start
- Run the command bellow to configure the VSFTP to start at server startup:
chkconfig vsftpd on
How to implement SSL on Nginx 0.7.65
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl
- Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
- Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
- Send the file /tmp/nginx.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /usr/local/nginx/ssl
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/nginx/ssl
- Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
- Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
- Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
# HTTPS server
To:
#
#server {
# listen 443;
# server_name localhost;# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
# ssl_prefer_server_ciphers on;# location / {
# root html;
# index index.html index.htm;
# }
#}
server {
listen 443;
server_name Server_FQDN;
ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /www;
index index.html index.htm;
}
}
- Restart the Nginx service:
/etc/init.d/nginx restart
How to implement SSL on Lighttpd 1.4.26
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl
- Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
- Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
- Send the file /tmp/lighttpd.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /etc/lighttpd/ssl/
- Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
Note: The command above should be written as one line. - Remove the original server.crt file:
rm -f /etc/lighttpd/ssl/server.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /etc/lighttpd/ssl
- Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
$SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
} - Restart the Lighttpd service.
Hardening guide for WordPress 2.9.2
Pre-installation notes
The guide bellow is based on the previous guides:
- Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
- Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)
Installation and configuration phase
- Login to the server using Root account.
- Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount - Run the commands bellow to switch to the SSH account:
su sshaccount
- Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
- Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
- Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
- Exit the SSH account shell and return to the Root account:
exit
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name. - Download WordPress 2.9.2 from:
http://wordpress.org/download - Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
- Move to /www
cd /www
- Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
- Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
- Create using VI the file /www/config.php with the following content:
<?php
Note 1: Make sure there are no spaces, newlines, or other strings before an opening ‘< ?php‘ tag or after a closing ‘?>‘ tag.
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/ - Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
- Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here'); - Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
- Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
- Restart the Apache service.
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
- Specify the following information:
- Blog Title
- Click on “Install WordPress” button, and close the web browser.
- Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
- Run the following commands from the MySQL prompt:
use m6gf42s;
Note 1: Replace “m6gf42s” with your own WordPress database name.
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters). - Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
- Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Note 1: Replace 1.1.1.0 with the internal network IP address.
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 2: Replace Server_FQDN with the server FQDN (DNS name). - Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule> - Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
Note: Replace 1.1.1.0 with the internal network IP address.
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0 - Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
- Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade - Download “Login Lockdown” plugin from:
http://www.bad-neighborhood.com/login-lockdown.html - Download “WP-Secure Remove WordPress Version” plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ - Download “WP Security Scan” plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/ - Download “KB Robots.txt” plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/ - Download “WordPress Database Backup” plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/ - Download “WordPress Firewall” plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo - Copy the “WordPress Firewall” plugin file “wordpress-firewall.php” using PSCP (or SCP) into /www/wordpress/wp-content/plugins
- Create a folder for the “WordPress Database Backup” plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
- Set permissions for the “WordPress Database Backup” plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
- Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
- From WordPress dashboard, click on “settings” -> make sure that “Anyone can register” is left unchecked -> click on “Save changes”.
- From WordPress dashboard, click on “settings” -> click on “Miscellaneous” -> “Store uploads in this folder” -> specify:
wp-content/uploads
- Click on “Save changes”.
- From WordPress dashboard, click on “Plugins” -> Add New -> choose “Upload” -> click Browse to locate the plugin -> click “Install Now” -> click “Proceed” -> click on “Activate Plugin”.
Note: Install and activate all the above downloaded plugins. - From WordPress dashboard, click on “settings” -> click on “KB Robots.txt” -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
- Click “Submit”.
- From the upper pane, click on “Log Out”.
- In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);
How to implement SSL on Apache 2.2.15
Pre-installation notes
The guide bellow is based on the previous guide
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl - Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it) - Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /usr/local/apache2/ssl/
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/apache2/ssl/
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- Restart the Apache services:
/usr/local/apache2/bin/apachectl restart
- Backup the file /usr/local/apache2/ssl/server.key
How to implement SSL on Apache 2.0
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform
SSL implementation phase
- Login to the server using Root account.
- Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command bellow to install OpenSSL packages:
pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
- Create folder for the SSL certificate files:
mkdir -p /etc/apache2/ssl.crt
- Create folder for the SSL private key:
mkdir -p /etc/apache2/ssl.key
- Run the command bellow to generate a key pair:
/usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
Specify a complex pass phrase for the private key (and document it) - Change the permissions on the private key file:
chmod 600 /etc/apache2/ssl.key/server.key
- Run the command bellow to generate the CSR:
/usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /etc/apache2/ssl.crt/
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /etc/apache2/ssl.crt/
- Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
From:
SSLSessionCache dbm:/var/run/apache2/ssl_scache
To:
SSLSessionCache dbm:/var/ apache2/ssl_scache
From:
SSLMutex file:/var/run/apache2/ssl_mutex
To:
SSLMutex file:/var/apache2/ssl_mutex
From:
ServerName 127.0.0.1:443
To:
ServerName Server_FQDN:443
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
To:
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
From:
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
To:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- Remove the section bellow:
<Directory "/var/apache2/cgi-bin">
- Stopping Apache from command line:
/usr/apache2/bin/apachectl stop
- Starting Apache from command line:
/usr/apache2/bin/apachectl startssl
How to implement SSL on Tomcat 5.5
Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform
SSL implementation phase
- Login to the server using Root account.
- Create folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
- Create folder for the SSL private key:
mkdir -p /var/apache/tomcat55/conf/ssl.key
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
- Run the command bellow to generate a key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
- Run the command bellow to generate a CSR (certificate request):
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
- Send the file /tmp/tomcat.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as “server.crt“
- Copy the file “server.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /var/apache/tomcat55/conf/ssl.crt
- Run the command bellow to import the trusted root CA public certificate:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.
- Run the command bellow to import the signed public key into the key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.
- Stop the Tomcat service:
/etc/init.d/tomcat stop
- Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" /> - Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
- Start the Tomcat service:
/etc/init.d/tomcat start -security