Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

Prerequisites:

  • JDK 1.6 source file
  • Resin Professional 4.0.8 source file

Installation phase

  1. Log in to the server using the root account.
  2. Create a new account:
    groupadd resin
    useradd -g resin -d /home/resin -s /bin/bash resin
  3. Create folder for the web content:
    mkdir -p /www
  4. Update the ownership and permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
  5. Copy JDK 1.6 into /tmp
  6. Change the permissions on the JDK 1.6:
    chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
  7. Run the command below to install JDK 1.6:
    /tmp/jdk-6u20-linux-i586-rpm.bin
  8. Remove the JDK 1.6 source files:
    rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
    rm -f /usr/java/jdk1.6.0_20/src.zip
    rm -rf /usr/java/jdk1.6.0_20/demo
    rm -rf /usr/java/jdk1.6.0_20/sample
    rm -rf /opt/sun/javadb/demo
    rm -rf /opt/sun/javadb/docs
  9. Before compiling the Resin environment, install the following RPMs from the RHEL DVD:
    rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-42.i386.rpm
    rpm -ivh glibc-devel-2.5-42.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-46.el5.i386.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
  10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
  11. Move to /tmp
    cd /tmp
  12. Extract the resin-pro-4.0.8.tar.gz file:
    tar -zxvf resin-pro-4.0.8.tar.gz
  13. Move to the Resin 4.0.8 source folder:
    cd /tmp/resin-pro-4.0.8
  14. Run the commands below to compile the Resin 4.0.8 environment:
    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
    Note: The command above should be written as one line.

    make
    make install

  15. Using vi, edit the file /usr/local/resin/conf/resin.xml and change the strings below:
    From:
    <resin:if test="${resin.userName == 'root'}">
    To:
    <resin:if test="${resin.userName == 'resin'}">

    From:
    <user-name>www-data</user-name>
    To:
    <user-name>resin</user-name>

    From:
    <group-name>www-data</group-name>
    To:
    <group-name>resin</group-name>

    From:
    <server id="" address="127.0.0.1" port="6800">
    To:
    <server id="" address="Server_DNS_Name" port="6800">

    From:
    <http address="*" port="8080"/>
    To:
    <http address="Server_DNS_Name" port="8080"/>

    From:
    <dependency-check-interval>2s</dependency-check-interval>
    To:
    <dependency-check-interval>600s</dependency-check-interval>

    From:
    <host id="" root-directory=".">
    To:
    <host id="Server_DNS_Name" root-directory="/www">

    From:
    <root-directory>.</root-directory>
    To:
    <root-directory>/www</root-directory>

    From:
    <resin:set var="resin_admin_external" value="false"/>
    To:
    <resin:set var="resin_admin_external" value="true"/>

  16. Change the ownership on the folder below:
    chown resin:root -R /www/*
  17. Manually start the Resin service:
    /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
  18. Manually stop the Resin service:
    /usr/local/resin/bin/resin.sh stop
  19. Copy the Resin license file into
    /usr/local/resin/licenses
  20. Change the ownership and permissions on the folders below:
    chmod 664 -R /www/watchdog-data/
    chmod 777 /www/watchdog-data/default/
    chown resin:root -R /www/watchdog-data/*
  21. Remove the Resin 4.0.8 source folder:
    rm -rf /tmp/resin-pro-4.0.8
  22. Remove default documents:
    rm -rf /www/doc/resin-doc
  23. To start the Resin service at server start-up, run the commands below:
    chkconfig --add resin
    chkconfig resin on
    /etc/init.d/resin start
  24. From a client machine, open a web browser and browse to the address:
    http://Server_DNS_Name:8080/resin-admin/
  25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin”.
  26. Rename the admin-users.xml file:
    mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
  27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.
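
The manual edits in step 15 are easy to miss one at a time, so the following added example (not part of the original guide or of Resin itself) checks a resin.xml for the shipped defaults listed in the "From:" lines of step 15. The function name audit_resin_xml and the sample file are assumptions made for illustration; the matched strings are copied from step 15.

```shell
#!/bin/sh
# Added example (not from the guide or from Caucho): report which of the
# shipped defaults listed in step 15 are still present in a resin.xml.
# Returns the number of defaults found, so 0 means every checked edit was made.
audit_resin_xml() {
    conf=$1
    findings=0
    # Each row: fixed string copied from a "From:" line | what it means
    while IFS='|' read -r pattern why; do
        if grep -Fq -- "$pattern" "$conf"; then
            echo "DEFAULT: $why"
            findings=$((findings + 1))
        fi
    done <<'EOF'
resin.userName == 'root'|resin:if test still compares resin.userName to root
<user-name>www-data</user-name>|user-name is still www-data
<group-name>www-data</group-name>|group-name is still www-data
address="127.0.0.1" port="6800"|server address is still 127.0.0.1
<http address="*"|HTTP listener is still bound to *
<dependency-check-interval>2s<|dependency-check-interval is still 2s
<host id="" root-directory=".">|default host still has root-directory "."
<root-directory>.</root-directory>|root-directory is still .
EOF
    return "$findings"
}

# Constructed sample for illustration, not a complete resin.xml:
# two of the step 15 edits are missing (group-name and the http address).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<resin>
  <user-name>resin</user-name>
  <group-name>www-data</group-name>
  <http address="*" port="8080"/>
  <dependency-check-interval>600s</dependency-check-interval>
</resin>
EOF

# Audit the file given as $1, or the constructed sample when none is given.
audit_resin_xml "${1:-$sample}" || echo "$? setting(s) still at default"
rm -f "$sample"
```

The match is a fixed-string search, so a default that survives only inside an XML comment is also reported; confirm each hit in the file itself.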
