Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd apache
    useradd -g apache -d /dev/null -s /bin/false apache
  3. Mount RHEL 5.4 DVD, and move to the RPM folder:
    mount /dev/hdc /media
    cd /media/Server
  4. Before compiling the Apache environment, install the following RPM:
    rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
    rpm -ivh glibc-headers-2.5-42.x86_64.rpm
    rpm -ivh glibc-devel-2.5-42.x86_64.rpm
    rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
    rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
    rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
    rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
  5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
  6. Move to /tmp
    cd /tmp
  7. Extract the httpd-2.2.15.tar.gz file:
    tar -zxvf httpd-2.2.15.tar.gz
  8. Move to the Apache source folder:
    cd httpd-2.2.15
  9. Run the commands bellow to compile the Apache environment:
    ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl

    make

    make install

  10. Remove the Apache source files:
    rm -rf /tmp/httpd-2.2.15rm -f /tmp/httpd-2.2.15.tar.gz
  11. Remove Default Content
    rm -rf /usr/local/apache2/cgi-bin
    rm -rf /usr/local/apache2/htdocs
    rm -rf /usr/local/apache2/icons
    rm -rf /usr/local/apache2/man
    rm -rf /usr/local/apache2/manual
    rm -rf /usr/local/apache2/conf/extra
    rm -rf /usr/local/apache2/conf/original
  12. Updating Ownership and Permissions on Apache2 folders:
    chown root:root /usr/local/apache2/bin/apachectl
    chown root:root /usr/local/apache2/bin/httpd*
    chmod 770 /usr/local/apache2/bin/apachectl
    chmod 770 /usr/local/apache2/bin/httpd*
    chown -R root:root /usr/local/apache2
    chmod -R go-r /usr/local/apache2
    chown -R root:root /usr/local/apache2/logs
    chmod -R 700 /usr/local/apache2/logs
  13. Create folder for the web content:
    mkdir -p /www
  14. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
    From:
    DocumentRoot "/var/www/html"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80

    From:
    ServerAdmin [email protected] To:
    ServerAdmin [email protected]mycompany.com

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN

    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
    </Directory>

    From:
    <Directory "/usr/local/apache2/htdocs">To:
    <Directory "/www">
    <LimitExcept GET POST>
    deny from all
    </limitexcept>

    From:
    Options Indexes FollowSymLinksTo:
    Options -FollowSymLinks -Includes -Indexes -MultiViews

  16. Add the following sections to the end of the httpd.conf file:
    ServerSignature Off
    ServerTokens Prod
    Timeout 60
    # Maximum size of the request body.
    LimitRequestBody 10000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4094
    # Maximum size of the request line.
    LimitRequestLine 500
  17. Remove the sections bellow from the file httpd.conf
    <Directory "/usr/local/apache2/cgi-bin">
  18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  19. Starting Apache from command line:
    /usr/local/apache2/bin/apachectl start
  20. To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
    /usr/local/apache2/bin/apachectl start
  21. Uninstall the following RPM:
    rpm -e gcc-4.1.2-46.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-42
    rpm -e glibc-headers-2.5-42
    rpm -e kernel-headers-2.6.18-164.el5

Previous guides:

3 Responses to “Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)”

Leave a Reply