Hardening guide for Resin Professional 4.0.8 on RHEL 5.4
Prerequisites:
- JDK 1.6 source file
- Resin Professional 4.0.8 source file
Installation phase
- Log in to the server using the root account.
- Create a new account:
groupadd resin
useradd -g resin -d /home/resin -s /bin/bash resin
- Create a folder for the web content:
mkdir -p /www
- Update the ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Copy JDK 1.6 into /tmp
- Make the JDK 1.6 installer executable:
chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
- Run the command below to install JDK 1.6:
/tmp/jdk-6u20-linux-i586-rpm.bin
- Remove the JDK 1.6 source files:
rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
rm -f /usr/java/jdk1.6.0_20/src.zip
rm -rf /usr/java/jdk1.6.0_20/demo
rm -rf /usr/java/jdk1.6.0_20/sample
rm -rf /opt/sun/javadb/demo
rm -rf /opt/sun/javadb/docs
- Before compiling the Resin environment, install the following RPMs from the RHEL DVD:
rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
rpm -ivh glibc-headers-2.5-42.i386.rpm
rpm -ivh glibc-devel-2.5-42.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-46.el5.i386.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
- Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
- Move to /tmp
cd /tmp
- Extract the resin-pro-4.0.8.tar.gz file:
tar -zxvf resin-pro-4.0.8.tar.gz
- Move to the Resin 4.0.8 source folder:
cd /tmp/resin-pro-4.0.8
- Run the commands below to compile the Resin 4.0.8 environment:
./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
Note: The command above should be written as one line.
make
make install
- Edit the file /usr/local/resin/conf/resin.xml with vi and change the strings below:
From:
<resin:if test="${resin.userName == 'root'}">
To:
<resin:if test="${resin.userName == 'resin'}">
From:
<user-name>www-data</user-name>
To:
<user-name>resin</user-name>
From:
<group-name>www-data</group-name>
To:
<group-name>resin</group-name>
From:
<server id="" address="127.0.0.1" port="6800">
To:
<server id="" address="Server_DNS_Name" port="6800">
From:
<http address="*" port="8080"/>
To:
<http address="Server_DNS_Name" port="8080"/>
From:
<dependency-check-interval>2s</dependency-check-interval>
To:
<dependency-check-interval>600s</dependency-check-interval>
From:
<host id="" root-directory=".">
To:
<host id="Server_DNS_Name" root-directory="/www">
From:
<root-directory>.</root-directory>
To:
<root-directory>/www</root-directory>
From:
<resin:set var="resin_admin_external" value="false"/>
To:
<resin:set var="resin_admin_external" value="true"/>
- Change the ownership on the folder below:
chown resin:root -R /www/*
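Before the service is started, the resin.xml edits above can be checked mechanically. The script below is an added example for this guide, not part of the original post or of Resin's own tooling; it assumes the hardened values listed above, and the sample file written by write_sample is constructed only so the audit can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit resin.xml for the
# pre-hardening values the edit step above replaces. The sample file that
# write_sample produces is constructed for offline testing of the audit.

# finding FILE PATTERN DESCRIPTION: print DESCRIPTION and return 1 when the
# grep basic regex PATTERN still occurs in FILE; return 0 otherwise.
finding() {
    if grep -q -e "$2" "$1"; then
        echo "FINDING: $3 [$1]"
        return 1
    fi
    return 0
}

# Run the checks for the edit step; the return value is the number of
# settings still at their pre-hardening value (0 means fully edited).
audit_resin_conf() {
    conf="$1"; n=0
    finding "$conf" "resin.userName == 'root'" "resin:if tests for user root (expected resin)" || n=$((n+1))
    finding "$conf" '<user-name>[[:space:]]*www-data' "user-name is www-data (expected resin)" || n=$((n+1))
    finding "$conf" '<group-name>[[:space:]]*www-data' "group-name is www-data (expected resin)" || n=$((n+1))
    finding "$conf" 'address="127\.0\.0\.1"' "server address is 127.0.0.1 (expected Server_DNS_Name)" || n=$((n+1))
    finding "$conf" 'address="\*"' "http address is * (expected Server_DNS_Name)" || n=$((n+1))
    finding "$conf" '<dependency-check-interval>[[:space:]]*2s' "dependency-check-interval is 2s (expected 600s)" || n=$((n+1))
    finding "$conf" 'root-directory="\."' "host root-directory is . (expected /www)" || n=$((n+1))
    finding "$conf" '<root-directory>[[:space:]]*\.[[:space:]]*<' "root-directory is . (expected /www)" || n=$((n+1))
    return $n
}

# Write a minimal, constructed resin.xml fragment with the given values so the
# audit can be exercised offline (a real resin.xml has many more elements).
# Usage: write_sample FILE IF_USER RUN_USER SERVER_ADDR HTTP_ADDR INTERVAL ROOT
write_sample() {
    cat > "$1" <<EOF
<resin>
  <resin:if test="\${resin.userName == '$2'}">
    <user-name>$3</user-name>
    <group-name>$3</group-name>
  </resin:if>
  <server id="" address="$4" port="6800">
    <http address="$5" port="8080"/>
  </server>
  <dependency-check-interval>$6</dependency-check-interval>
  <host id="" root-directory="$7">
    <root-directory>$7</root-directory>
  </host>
</resin>
EOF
}
```

Source the file and run audit_resin_conf /usr/local/resin/conf/resin.xml; the exit status is the number of settings still at their pre-hardening value, and each one is printed as a FINDING line.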
- Manually start the Resin service:
/usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
- Manually stop the Resin service:
/usr/local/resin/bin/resin.sh stop
- Copy the Resin license file into /usr/local/resin/licenses
- Change the ownership and permissions on the folders below:
chmod 664 -R /www/watchdog-data/
chmod 777 /www/watchdog-data/default/
chown resin:root -R /www/watchdog-data/*
- Remove the Resin 4.0.8 source folder:
rm -rf /tmp/resin-pro-4.0.8
- Remove default documents:
rm -rf /www/doc/resin-doc
- To start the Resin service at server start-up, run the commands below:
chkconfig --add resin
chkconfig resin on
/etc/init.d/resin start
- From a client machine, open a web browser and go to the address:
http://Server_DNS_Name:8080/resin-admin/
- Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin”.
- Rename the admin-users.xml file:
mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
- Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.
This Hardening guide for Resin Professional info is much more useful for us. Thank you so much for sharing your blog.