Hardening guide for Apache 2.0 on Solaris 10 platform

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
    passwd apache
    passwd -l apache
  3. Mount Solaris 10 DVD, and move to the packages folder:
    cd /cdrom/sol_10_1008_x86/Solaris_10/Product
  4. Run the command below to install the Apache2 packages:
    pkgadd -d . SUNWapch2r SUNWapch2u
  5. Remove the default content:
    rm -r /var/apache2/htdocs/
    rm -r /var/apache2/cgi-bin/
    rm -r /var/apache2/icons/
  6. Update ownership and permissions on the Apache2 folders:
    chown -R root:root /usr/apache2
    chmod -R 770 /usr/apache2/bin
    chown -R root:root /etc/apache2
    chmod -R go-r /etc/apache2
    chmod -R 770 /etc/apache2
    chown -R root:root /var/apache2/logs
    chmod -R 700 /var/apache2/logs
  7. Create a folder for the web content:
    mkdir -p /www
  8. Update ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  9. Copy the example configuration file in order to edit it:
    cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
  10. Using vi, edit the file /etc/apache2/httpd.conf and change the following strings:
    From:
    # LockFile /var/apache2/logs/accept.lock
    To:
    LockFile /var/apache2/logs/accept.lock

    From:
    User webservd
    To:
    User apache

    From:
    Group webservd
    To:
    Group apache

    From:
    PidFile /var/run/apache2/httpd.pid
    To:
    PidFile /var/apache2/logs/httpd.pid

    From:
    DocumentRoot "/var/apache2/htdocs"
    To:
    DocumentRoot "/www"

    From:
    ServerSignature On
    To:
    ServerSignature Off
    HostnameLookups Off

    From:
    # ServerTokens
    To:
    ServerTokens Prod

    From:
    ServerAdmin [email protected]
    To:
    ServerAdmin [email protected]yourcompany.com

    From:
    ServerName 127.0.0.1
    To:
    ServerName Server_FQDN

    From:
    Timeout 300
    To:
    Timeout 60

    From:
    LogLevel warn
    To:
    LogLevel notice

    From:
    IndexOptions FancyIndexing VersionSort
    To:
    # IndexOptions FancyIndexing VersionSort

    From:
    ReadmeName README.html
    To:
    # ReadmeName README.html

    From:
    HeaderName HEADER.html
    To:
    # HeaderName HEADER.html

    From:
    AddIcon
    To:
    # AddIcon

    From:
    DefaultIcon /icons/unknown.gif
    To:
    # DefaultIcon /icons/unknown.gif

    From:
    Alias /icons/ "/var/apache2/icons/"
    To:
    # Alias /icons/ "/var/apache2/icons/"

    From:
    AliasMatch
    To:
    # AliasMatch

    From:
    ScriptAlias
    To:
    # ScriptAlias

    From:
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
    To:
    # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

    From:
    LoadModule imap_module libexec/mod_imap.so
    To:
    # LoadModule imap_module libexec/mod_imap.so

    From:
    LoadModule cgi_module libexec/mod_cgi.so
    To:
    # LoadModule cgi_module libexec/mod_cgi.so

    From:
    LoadModule suexec_module libexec/mod_suexec.so
    To:
    # LoadModule suexec_module libexec/mod_suexec.so

    From:
    LoadModule autoindex_module libexec/mod_autoindex.so
    To:
    # LoadModule autoindex_module libexec/mod_autoindex.so

    From:
    LoadModule info_module libexec/mod_info.so
    To:
    # LoadModule info_module libexec/mod_info.so

    From:
    LoadModule status_module libexec/mod_status.so
    To:
    # LoadModule status_module libexec/mod_status.so

    From:
    LoadModule userdir_module libexec/mod_userdir.so
    To:
    # LoadModule userdir_module libexec/mod_userdir.so

    From:
    LoadModule cern_meta_module modules/mod_cern_meta.so
    To:
    # LoadModule cern_meta_module modules/mod_cern_meta.so

    From:
    LoadModule dav_module modules/mod_dav.so
    To:
    # LoadModule dav_module modules/mod_dav.so

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/var/apache2/htdocs">
    To:
    <Directory "/www">
    <Limitexcept GET POST>
    deny from all
    </Limitexcept>

    From:
    Options Indexes FollowSymLinks
    To:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  11. Add the following sections to the end of the httpd.conf file:
    LimitRequestBody 10000
    LimitRequestFields 40
    LimitRequestFieldSize 100
    LimitRequestLine 500
  12. Remove the sections below from the file httpd.conf:
    <Directory "/usr/apache2/manual">
    <Directory "/var/apache2/cgi-bin">
  13. Using vi, edit the file /usr/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"
    To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
  14. Start Apache from the command line:
    /usr/apache2/bin/apachectl start
  15. Run the command below to start the Apache service at server start-up:
    svcadm enable apache2
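
One way to check the result of steps 10 and 11, as an added example that is not part of the original guide: the script audits an httpd.conf for the directive values and disabled modules listed above and reports what is still at its default. The function names, the sample configuration and the selection of checks are assumptions of this example; it expects a POSIX shell, `mktemp` and `grep -E`.

```shell
#!/bin/sh
# Added example (not from the original guide): audit httpd.conf against steps 10-11.
# Assumes POSIX sh and grep -E (on Solaris 10, put /usr/xpg4/bin first in PATH).

# need FILE NAME VALUE: an uncommented "NAME VALUE" line must be present
need() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*\$" "$1" && return 0
    echo "FAIL: expected '$2 $3'"; return 1
}

# forbid FILE REGEX LABEL: no uncommented line may start with REGEX
forbid() {
    grep -Eiq "^[[:space:]]*$2" "$1" || return 0
    echo "FAIL: still active: $3"; return 1
}

# audit_httpd_conf FILE: prints findings; exit status is the number of failures
audit_httpd_conf() {
    conf=$1; fails=0
    for d in "User apache" "Group apache" "ServerSignature Off" "ServerTokens Prod" \
             "HostnameLookups Off" "Timeout 60" "LimitRequestBody 10000" \
             "LimitRequestFields 40" "LimitRequestFieldSize 100" "LimitRequestLine 500"; do
        need "$conf" "${d% *}" "${d#* }" || fails=$((fails + 1))
    done
    for mod in proxy_ftp imap cgi suexec autoindex info status userdir cern_meta dav; do
        forbid "$conf" "LoadModule[[:space:]]+${mod}_module" "mod_$mod" || fails=$((fails + 1))
    done
    forbid "$conf" "ScriptAlias" "ScriptAlias" || fails=$((fails + 1))
    forbid "$conf" "Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(Indexes|FollowSymLinks)" \
        "Options enabling Indexes or FollowSymLinks" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample (not from the page): four settings left unhardened
sample_conf() {
    printf '%s\n' 'User apache' 'Group apache' 'ServerSignature On' '# ServerTokens' \
        'HostnameLookups Off' 'Timeout 60' '# LoadModule cgi_module libexec/mod_cgi.so' \
        'LoadModule status_module libexec/mod_status.so' '<Directory "/www">' \
        '    Options Indexes FollowSymLinks' '</Directory>' 'LimitRequestBody 10000' \
        'LimitRequestFields 40' 'LimitRequestFieldSize 100' 'LimitRequestLine 500'
}

# Audit the file given as $1, or the constructed sample when no path is given
target=${1:-}
[ -n "$target" ] || { target=$(mktemp); sample_conf > "$target"; }
audit_httpd_conf "$target" || echo "$? check(s) failed"
```

Run it as root with /etc/apache2/httpd.conf as the argument, since step 6 removes read access for other accounts.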
