Tuesday, December 29, 2009

Hardening guide for Apache 2.0 on Solaris 10 platform


1. Log in to the server as root.
2. Create a new account for Apache:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
3. Mount the Solaris 10 DVD and change to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
4. Run the command below to install the Apache 2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
5. Remove the default content:
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
6. Update ownership and permissions on the Apache 2 folders:
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
7. Create a folder for the web content:
mkdir -p /www
8. Update ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www

9. Copy the example configuration file so it can be edited:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
10. Edit /etc/apache2/httpd.conf using vi and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock

From:
User webservd
To:
User apache

From:
Group webservd
To:
Group apache

From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid

From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"

From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off

From:
# ServerTokens
To:
ServerTokens Prod

From:
ServerAdmin you@yourhost.com
To:
ServerAdmin webmaster@yourcompany.com

From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN

From:
Timeout 300
To:
Timeout 60

From:
LogLevel warn
To:
LogLevel notice

From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort

From:
ReadmeName README.html
To:
# ReadmeName README.html

From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html

From:
AddIcon
To:
# AddIcon

From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif

From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"

From:
AliasMatch
To:
# AliasMatch

From:
ScriptAlias
To:
# ScriptAlias

From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

From:
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so

From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so

From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so

From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so

From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so

From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so

From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so

From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so

From:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</LimitExcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

11. Add the following directives to the end of httpd.conf:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
12. Remove the sections below from httpd.conf:
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin">

13. Edit /usr/apache2/include/ap_release.h using vi and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
14. Start Apache from the command line:
/usr/apache2/bin/apachectl start
15. Run the command below to start the Apache service at boot:
svcadm enable apache2
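As an added example (not part of the original post), the POSIX sh script below audits an httpd.conf against the edits of steps 10 to 12 and lists every deviation, so the hardening can be re-checked after a patch or a config restore. The directive values it expects are exactly those the guide sets; the two sample httpd.conf fragments it writes ("default" and "hardened") are constructed for the demonstration and are not the Solaris files. Point audit_httpd_conf at /etc/apache2/httpd.conf to check a real server. The script checks ServerTokens Prod rather than the ap_release.h strings of step 13, because the directive is what trims the Server response header of the installed binary at runtime, while the header file only affects a httpd compiled from it.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an httpd.conf against the
# hardening changes of steps 10-12 and print one line per deviation.
# The sample configurations written by write_sample are constructed for this demo.

# Directives that must be active (uncommented) with exactly this value.
REQUIRED_DIRECTIVES='ServerTokens Prod
ServerSignature Off
HostnameLookups Off
User apache
Group apache
DocumentRoot "/www"
Timeout 60
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500'

# Modules the guide comments out; an active LoadModule for any of them is a finding.
FORBIDDEN_MODULES='proxy_ftp_module imap_module cgi_module suexec_module
autoindex_module info_module status_module userdir_module cern_meta_module dav_module'

# Directory-listing, icon and alias directives the guide comments out entirely.
FORBIDDEN_DIRECTIVES='IndexOptions ReadmeName HeaderName AddIcon DefaultIcon AliasMatch ScriptAlias'

# audit_httpd_conf FILE: print one finding per line; no output means FILE matches
# the guide. Comment lines and leading whitespace are ignored.
audit_httpd_conf() {
    active=$(mktemp) || return 2
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" > "$active"

    # Each required directive must appear verbatim as a whole active line.
    printf '%s\n' "$REQUIRED_DIRECTIVES" | while IFS= read -r directive; do
        grep -Fxq "$directive" "$active" || echo "missing or changed: $directive"
    done

    # Any uncommented LoadModule for a forbidden module is a finding.
    for mod in $FORBIDDEN_MODULES; do
        grep -Eq "^LoadModule[[:space:]]+$mod([[:space:]]|$)" "$active" \
            && echo "module still loaded: $mod"
    done

    # Directives that should have been commented out.
    for d in $FORBIDDEN_DIRECTIVES; do
        grep -Eq "^$d([[:space:]]|$)" "$active" && echo "should be commented out: $d"
    done

    rm -f "$active"
}

# count_findings FILE: print the number of findings for FILE (0 means it passes).
count_findings() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

# write_sample default|hardened: write a constructed httpd.conf fragment to a
# temp file and print its path. "default" mimics the shipped example settings,
# "hardened" reflects the guide's edits.
write_sample() {
    f=$(mktemp) || return 2
    case $1 in
    default) cat > "$f" <<'EOF'
ServerTokens Full
ServerSignature On
User webservd
Group webservd
DocumentRoot "/var/apache2/htdocs"
Timeout 300
LoadModule status_module libexec/mod_status.so
LoadModule cgi_module libexec/mod_cgi.so
IndexOptions FancyIndexing VersionSort
ScriptAlias /cgi-bin/ "/var/apache2/cgi-bin/"
EOF
    ;;
    hardened) cat > "$f" <<'EOF'
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
User apache
Group apache
DocumentRoot "/www"
Timeout 60
# LoadModule status_module libexec/mod_status.so
# LoadModule cgi_module libexec/mod_cgi.so
# IndexOptions FancyIndexing VersionSort
# ScriptAlias /cgi-bin/ "/var/apache2/cgi-bin/"
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
EOF
    ;;
    esac
    echo "$f"
}

# Stand-alone usage: show the findings for the constructed default sample and
# confirm the hardened sample is clean (prints 0).
default_conf=$(write_sample default)
hardened_conf=$(write_sample hardened)
echo "findings in default sample:"
audit_httpd_conf "$default_conf"
echo "findings in hardened sample: $(count_findings "$hardened_conf")"
rm -f "$default_conf" "$hardened_conf"
```

The audit is deliberately strict: a directive with a different value (for example Timeout 300 instead of Timeout 60) is reported as "missing or changed", and a LoadModule line that was only re-indented rather than commented out is still caught because leading whitespace is stripped before matching.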
