Hardening guide for Apache 2.0 on Solaris 10 platform
1. Log in to the server as root.
2. Create a dedicated unprivileged account for httpd's worker processes, with no home directory and no login shell, and lock it:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
3. Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
4. Run the command below to install the Apache2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
5. Remove the default content (sample pages, CGI scripts and icons):
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
6. Update ownership and permissions on the Apache2 folders. The parent httpd process runs as root and reads the configuration and opens the log files before handing requests to children running as apache, so the apache account needs no access to any of these paths (the chmod 770 sets absolute modes, so no separate go-r step is needed):
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
7. Create folder for the web content:
mkdir -p /www
8. Update ownership and permissions on the web content folder (content is deployed as root; the apache user only needs read access):
chown -R root /www
chmod -R 775 /www
9. Copy the sample configuration file so it can be edited:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
10. Edit the file /etc/apache2/httpd.conf (with vi, for example) and change the following directives:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock
From:
User webservd
To:
User apache
From:
Group webservd
To:
Group apache
From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid
From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"
From:
ServerSignature On
To:
ServerSignature Off
Verify that hostname lookups are also off (this is the default in the sample file):
HostnameLookups Off
From:
# ServerTokens
To:
ServerTokens Prod
From:
ServerAdmin you@yourhost.com
To:
ServerAdmin webmaster@yourcompany.com
From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN
From:
Timeout 300
To:
Timeout 60
From:
LogLevel warn
To:
LogLevel notice
From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort
From:
ReadmeName README.html
To:
# ReadmeName README.html
From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html
From:
AddIcon (every line starting with AddIcon, including AddIconByEncoding and AddIconByType)
To:
# AddIcon
From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif
From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"
From:
AliasMatch
To:
# AliasMatch
From:
ScriptAlias
To:
# ScriptAlias
From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
From:
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so
From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so
From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so
From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so
From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so
From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so
From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so
From:
LoadModule cern_meta_module libexec/mod_cern_meta.so
To:
# LoadModule cern_meta_module libexec/mod_cern_meta.so
From:
LoadModule dav_module libexec/mod_dav.so
To:
# LoadModule dav_module libexec/mod_dav.so
From:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
To:
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    deny from all
</Directory>
From:
To:
deny from all
From:
<Directory "/var/apache2/htdocs">
    Options Indexes FollowSymLinks
To:
<Directory "/www">
    Options -FollowSymLinks -Includes -Indexes -MultiViews
The path of this block must match the new DocumentRoot, and its Order allow,deny and Allow from all lines must stay in place: with <Directory /> now denying everything, requests for /www are served only because this block grants access again. Then run /usr/apache2/bin/apachectl configtest: any directive that belongs to one of the modules disabled above and is not wrapped in <IfModule> (the mod_autoindex directives, for example) makes httpd refuse to start.
11. Add the following directives to the end of httpd.conf, sized for the application: LimitRequestBody 10000 rejects any request body over 10000 bytes with a 413 error (so no file uploads or large form posts), and LimitRequestFieldSize 100 rejects any request carrying a single header longer than 100 bytes, which the Cookie and User-Agent headers of ordinary browsers commonly exceed (the Apache default is 8190). LimitRequestLine 500 bounds the request line (method, URL and protocol) and LimitRequestFields 40 bounds the number of headers. Test with real clients before going live.
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
12. Remove the sections below from the file httpd.conf:
13. Renaming the vendor and product strings in /usr/apache2/include/ap_release.h only takes effect when httpd is compiled against that header: it does not change the banner of the already-built httpd shipped in SUNWapch2u, and with ServerTokens Prod from step 10 the installed server already reports only "Server: Apache". If you rebuild Apache from source, change the following strings in ap_release.h first:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
14. Start Apache from the command line to confirm that the configuration loads (apachectl configtest checks the syntax without starting the server):
/usr/apache2/bin/apachectl start
15. Enable the SMF service so that Apache is started at boot. svcadm enable also starts the service immediately, so stop the instance started by hand in step 14 first (apachectl stop); otherwise the running httpd is outside SMF's control. Check the result with svcs -l apache2.
svcadm enable apache2
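After the service is up, confirm what it actually reveals to clients. The script below is an added example, not part of the guide: given a raw HTTP error response (captured for instance with printf 'GET /no-such-page HTTP/1.0\r\n\r\n' | nc www.example.com 80 > resp.txt, where the host name is a placeholder and nc must be installed), it checks that the Server header is the bare "Apache" that ServerTokens Prod produces and that the error page carries no ServerSignature footer. This is also the check that shows the ap_release.h edit of step 13 has no visible effect on an installed server. The two responses embedded in it are constructed samples, not captures from a real host; it assumes a POSIX shell and a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 10).

```shell
# Added example (not from the guide): check what the hardened server tells clients.
# Needs a POSIX shell and a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 10).

# server_header_is_minimal < response: exit 0 if the Server header is exactly
# "Apache", which is all that ServerTokens Prod emits.
server_header_is_minimal() {
    hdr=$(tr -d '\r' | awk 'NR > 1 && /^$/ { exit }
        NR > 1 && tolower($1) == "server:" { $1 = ""; sub(/^ +/, ""); print; exit }')
    [ "$hdr" = "Apache" ]
}

# no_signature_footer < response: exit 0 if the body has no ServerSignature footer
# ("<address>... Server at HOST Port N</address>").
no_signature_footer() {
    ! tr -d '\r' | awk 'body { print } /^$/ { body = 1 }' | grep -q 'Server at .* Port'
}

# check_response RESPONSE_TEXT: print findings, return their count (0 = clean).
check_response() {
    n=0
    printf '%s\n' "$1" | server_header_is_minimal ||
        { echo "Server header reveals more than 'Apache' (ServerTokens is not Prod)"; n=$((n + 1)); }
    printf '%s\n' "$1" | no_signature_footer ||
        { echo "error page carries a ServerSignature footer (ServerSignature is not Off)"; n=$((n + 1)); }
    return $n
}

# Two constructed 404 responses (not captured from a real host): stock and hardened.
STOCK_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2001 00:00:00 GMT
Server: Apache/2.0.63 (Unix) DAV/2
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /no-such-page was not found on this server.</p>
<hr /><address>Apache/2.0.63 (Unix) DAV/2 Server at www.example.com Port 80</address>
</body></html>'

HARDENED_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2001 00:00:00 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /no-such-page was not found on this server.</p>
</body></html>'

# Usage: sh check_banner.sh resp.txt   (checks a captured response); with no
# argument it checks the two constructed samples.
if [ -n "${1:-}" ]; then
    check_response "$(cat "$1")" && echo "clean"
else
    for name in STOCK_RESPONSE HARDENED_RESPONSE; do
        echo "== $name"
        eval "r=\$$name"
        check_response "$r" && echo "-- clean" || echo "-- $? finding(s)"
    done
fi
```

A GET for a nonexistent path is used rather than HEAD because only a full error page shows whether the ServerSignature footer is present; the stock sample produces two findings and the hardened one none.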