Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
- Login to the server using Root account.
- Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
- Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
- Before compiling the Apache environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
- Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
- Move to the Apache source folder:
cd httpd-2.2.15
- Run the commands bellow to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl
make
make install
- Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15rm -f /tmp/httpd-2.2.15.tar.gz
- Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
- Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs - Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"
From:
Listen 80
To:
Listen Server_FQDN:80
From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com
From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN
From:
LogLevel warn
To:
LogLevel notice
From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
From:
<Directory />
To:
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>
From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>
From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews
- Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500 - Remove the sections bellow from the file httpd.conf
<Directory "/usr/local/apache2/cgi-bin">
- Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
- Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
- To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/apache2/bin/apachectl start
- Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
Previous guides: