Tuesday, December 29, 2009

Hardening guide for Apache 2.0 on Solaris 10 platform

1. Log in to the server using the root account.
2. Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
3. Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
4. Run the command below to install the Apache 2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
5. Remove the default content:
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
6. Update ownership and permissions on the Apache 2 folders:
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
7. Create a folder for the web content:
mkdir -p /www
8. Update ownership and permissions on the web content folder:
chown -R root /www
chmod -R 775 /www

9. Copy the example configuration file in order to edit it:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
10. Edit the file /etc/apache2/httpd.conf using vi and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock

From:
User webservd
To:
User apache

From:
Group webservd
To:
Group apache

From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid

From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"

From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off

From:
# ServerTokens
To:
ServerTokens Prod

From:
ServerAdmin you@yourhost.com
To:
ServerAdmin webmaster@yourcompany.com

From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN

From:
Timeout 300
To:
Timeout 60

From:
LogLevel warn
To:
LogLevel notice

From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort

From:
ReadmeName README.html
To:
# ReadmeName README.html

From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html

From:
AddIcon
To:
# AddIcon

From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif

From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"

From:
AliasMatch
To:
# AliasMatch

From:
ScriptAlias
To:
# ScriptAlias

From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

From:
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so

From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so

From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so

From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so

From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so

From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so

From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so

From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so

From:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</LimitExcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

11. Add the following directives to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
12. Remove the sections below from the file httpd.conf:
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin">
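To confirm that the edits in steps 10 to 12 actually took effect in a given httpd.conf, here is an added audit script; it is not part of the original post. It assumes the directive and module names listed in the steps above and uses only POSIX sh and grep; the two sample configurations it can write are constructed for testing, not copied from a real server.

```shell
#!/bin/sh
# audit_httpd_conf.sh: check an Apache 2.0 httpd.conf against the hardening
# settings from steps 10-12 (added example, not part of the original post).

# directive_set CONF NAME VALUE: succeed if an uncommented "NAME VALUE" line exists
directive_set() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1"
}

# module_loaded CONF MODULE: succeed if an uncommented LoadModule line loads MODULE
module_loaded() {
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2[[:space:]]" "$1"
}

# audit_httpd_conf CONF: print PASS/FAIL per check; return the number of failures
audit_httpd_conf() {
    conf=$1
    fails=0
    for pair in "ServerTokens Prod" "ServerSignature Off" "HostnameLookups Off" \
                "User apache" "Group apache" "Timeout 60"; do
        set -- $pair                       # $1 = directive, $2 = expected value
        if directive_set "$conf" "$1" "$2"; then
            echo "PASS $1 $2"
        else
            echo "FAIL $1 should be $2"
            fails=$((fails + 1))
        fi
    done
    # modules the guide comments out; any of them still loaded is a failure
    for mod in autoindex_module cgi_module info_module status_module userdir_module \
               dav_module proxy_ftp_module imap_module suexec_module; do
        if module_loaded "$conf" "$mod"; then
            echo "FAIL $mod is still loaded"
            fails=$((fails + 1))
        else
            echo "PASS $mod disabled"
        fi
    done
    # request-size limits from step 11 must be present with a numeric value
    for lim in LimitRequestBody LimitRequestFields LimitRequestFieldSize LimitRequestLine; do
        if grep -Eq "^[[:space:]]*$lim[[:space:]]+[0-9]+" "$conf"; then
            echo "PASS $lim set"
        else
            echo "FAIL $lim missing"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_sample FILE hardened|default: constructed httpd.conf fragments for testing
write_sample() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
User apache
Group apache
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
Timeout 60
# LoadModule autoindex_module libexec/mod_autoindex.so
# LoadModule status_module libexec/mod_status.so
LoadModule mime_module libexec/mod_mime.so
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
EOF
    else
        cat > "$1" <<'EOF'
User webservd
Group webservd
ServerSignature On
Timeout 300
LoadModule autoindex_module libexec/mod_autoindex.so
LoadModule status_module libexec/mod_status.so
LoadModule cgi_module libexec/mod_cgi.so
EOF
    fi
}

# Usage: sh audit_httpd_conf.sh /etc/apache2/httpd.conf
if [ $# -eq 1 ]; then
    audit_httpd_conf "$1"
    echo "failures: $?"
fi
```

The exit status is the failure count, so the script can be chained into a post-install check; a commented-out LoadModule line counts as disabled because the pattern only matches lines that begin with the directive.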


13. Edit the file /usr/apache2/include/ap_release.h using vi and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
14. Start Apache from the command line:
/usr/apache2/bin/apachectl start
15. Run the command below to start the Apache service at server start-up:
svcadm enable apache2


Friday, December 25, 2009

How to implement SSL on Tomcat 5.5


Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Tomcat 5.5 on Solaris 10 platform.

SSL implementation phase
1. Log in to the server using the root account.
2. Create a folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
3. Create a folder for the SSL private key:
mkdir -p /var/apache/tomcat55/conf/ssl.key
4. Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
5. Run the command below to generate a key store:
For a 32-bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
For an x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
7. Run the command below to generate a CSR (certificate signing request):
For a 32-bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
For an x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
8. Send the file /tmp/tomcat.csr to a Certificate Authority.
9. As soon as you receive the signed certificate from the Certificate Authority (usually via email), copy all lines from the one starting with "-----BEGIN" to the one ending with "-----END" (including those two lines) into a text editor such as Notepad, and save the file as "server.crt".
10. Copy the file "server.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
11. Follow the link in the email from the CA to obtain the root CA chain, and save it as "ca-bundle.crt" (Note: the file must be PEM (base64) encoded).
12. Copy the file "ca-bundle.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
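Steps 9 to 12 depend on getting a clean PEM file out of the CA's email before anything is handed to keytool. The helper below is an added example, not part of the original post: it extracts the certificate block from a saved message and checks that a certificate or bundle really is PEM (base64) encoded. The mail it writes is constructed, with a dummy certificate body, purely to exercise the functions; it uses only POSIX sh, tr, sed and grep.

```shell
#!/bin/sh
# pem_tools.sh: extract the certificate block from a CA reply (step 9) and check
# that a certificate or bundle is PEM encoded (step 11). Added example, not from
# the original post.

# extract_pem IN OUT: copy the lines from -----BEGIN CERTIFICATE----- to
# -----END CERTIFICATE----- (inclusive) into OUT, dropping mail headers and
# signature text; CR characters left by mail clients are stripped first
extract_pem() {
    tr -d '\r' < "$1" | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$2"
}

# pem_cert_count FILE: print the number of certificates (0 for a DER/binary file)
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# pem_well_formed FILE: succeed when BEGIN/END markers pair up and every other
# line is base64 text, i.e. the file is ready for "keytool -import"
pem_well_formed() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    # a single non-marker line that is not base64 makes the file invalid
    ! grep -v -- '^-----' "$1" | grep -Evq '^[A-Za-z0-9+/]+=*$'
}

# write_sample_mail FILE: a constructed CA reply with a dummy certificate body
write_sample_mail() {
    cat > "$1" <<'EOF'
From: ca@example.invalid
Subject: Your certificate

Your signed certificate is below. Keep this message for your records.

-----BEGIN CERTIFICATE-----
MIIBdummydummydummydummydummydummydummydummydummydummydummydummy
dummydummydummydummydummydummydummydummydummydummydummydummyAB==
-----END CERTIFICATE-----

--
Example CA support
EOF
}

# Usage: sh pem_tools.sh saved-mail.txt server.crt
if [ $# -eq 2 ]; then
    extract_pem "$1" "$2"
    if pem_well_formed "$2"; then
        echo "$2: $(pem_cert_count "$2") certificate(s), PEM encoded"
    else
        echo "$2: not a well-formed PEM file" >&2
        exit 1
    fi
fi
```

The same pem_well_formed check applies to ca-bundle.crt: a bundle that was saved in DER form, or pasted with mail text around it, fails the check before keytool reports a less obvious parse error.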
13. Run the command below to import the trusted root CA certificate:
For a 32-bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

For an x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

14. Run the command below to import the signed certificate into the key store:
For a 32-bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

For an x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

15. Stop the Tomcat service:
/etc/init.d/tomcat stop
16. Edit the file /var/apache/tomcat55/conf/server.xml using vi and add the section below:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" />

17. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following section inside the <security-constraint> tag:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
18. Start the Tomcat service:
/etc/init.d/tomcat start -security


Thursday, December 24, 2009

Hardening guide for Tomcat 5.5 on Solaris 10 platform


Pre-installation notes
This guide describes how to install Sun JDK 1.6 (6u15) and Tomcat 5.5 on Sun Solaris 10.

Installation phase
1. Log in to the server using the root account.
2. Make sure the folder /usr/jdk exists:
ls -ad /usr/jdk
3. If the folder /usr/jdk doesn't exist, create it manually:
mkdir /usr/jdk
4. Copy the JDK 1.6 installer scripts (32-bit and x64) into /usr/jdk
5. Move to the /usr/jdk folder:
cd /usr/jdk
6. Make the JDK 1.6 (32-bit) installer script executable:
chmod +x jdk-6u15-solaris-i586.sh
7. Run the command below to install JDK 1.6 (32-bit):
./jdk-6u15-solaris-i586.sh
8. Make the JDK 1.6 (x64) installer script executable:
chmod +x jdk-6u15-solaris-x64.sh
9. Run the command below to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
10. Delete the installer scripts, the source archive and the samples:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
11. Remove the existing Java link:
rm /usr/bin/java
12. Create a new Java link (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
13. Reload the links into memory:
rehash
14. Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
15. Run the command below to install the Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
16. Remove the following default folders and files:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
17. Copy the server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command should be written as one line.
18. Edit the file /var/apache/tomcat55/conf/server.xml using vi
• Uncomment the section below:
org.apache.catalina.valves.AccessLogValve
• Replace the non-SSL HTTP/1.1 Connector:
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />

To:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />

19. Edit the file /var/apache/tomcat55/conf/web.xml using vi and add the following sections before the closing "web-app" tag:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManager and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>

<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>

20. Edit the file /var/apache/tomcat55/conf/tomcat-users.xml using vi and add the following lines:
<role rolename="admin"/>
<role rolename="manager"/>
<user roles="admin,manager" password="adminpass" username="admin"/>

Note: Specify a complex password for the admin account (and document it).
21. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml using vi
• Uncomment the section below:
org.apache.catalina.valves.RemoteAddrValve
• Replace the value below:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: You may replace "172.16.*.*" with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
22. Edit the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml using vi
• Inside the "Context" section, add the following line:
<Valve allow="172.16.*.*" className="org.apache.catalina.valves.RemoteAddrValve"/>
Note: You may replace "172.16.*.*" with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
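The allow attribute in steps 21 and 22 is a comma-separated list of regular expressions, which is why "172.16.*.*" works as written. The script below is an added example, not from the original post: it applies an allow list to candidate client addresses with grep -E so the effect of a pattern can be previewed before it goes into admin.xml or manager.xml. It assumes whole-address matching (grep -x); the constructed addresses show that an unescaped dot also matches addresses such as 172.160.5.9, and that escaping the dots removes that over-match.

```shell
#!/bin/sh
# remoteaddr_allow_check.sh: preview which client addresses a RemoteAddrValve
# "allow" list accepts. Added example, not part of the original post. Tomcat 5.5
# treats each comma-separated entry as a regular expression; here the same entries
# are applied with grep -E. ASSUMPTION: each pattern must match the whole address.
set -f   # never glob-expand the '*' in patterns

# allowed ALLOW_LIST ADDRESS: succeed if ADDRESS matches any pattern in the list
allowed() {
    list=$1; addr=$2
    oldifs=$IFS; IFS=','
    for pat in $list; do
        pat=$(printf '%s' "$pat" | sed 's/^ *//; s/ *$//')   # trim around commas
        if printf '%s\n' "$addr" | grep -Exq "$pat"; then
            IFS=$oldifs
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# report ALLOW_LIST ADDRESS...: print one ALLOW/DENY line per address
report() {
    list=$1; shift
    echo "allow=\"$list\""
    for a in "$@"; do
        if allowed "$list" "$a"; then echo "  ALLOW $a"; else echo "  DENY  $a"; fi
    done
}

# Demonstration on constructed addresses (run: sh remoteaddr_allow_check.sh)
if [ $# -eq 0 ]; then
    report '172.16.*.*' 172.16.5.9 172.160.5.9 10.0.0.1              # unescaped dots over-match
    report '172\.16\.[0-9]+\.[0-9]+' 172.16.5.9 172.160.5.9 10.0.0.1 # escaped: only 172.16.x.x
    report '127\.0\.0\.1, 172\.16\.[0-9]+\.[0-9]+' 127.0.0.1 172.16.0.7 10.0.0.1
fi
```

The practical consequence for the valve configuration is that a list of literal addresses, as in the example above, should have its dots escaped (127\.0\.0\.1) so that each entry matches exactly one address.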
23. Move to the folder /usr/apache/tomcat55/server/lib:
cd /usr/apache/tomcat55/server/lib
24. Extract the file ServerInfo.properties from catalina.jar:
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
25. Edit the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties using vi
• Replace the string below from:
server.info=Apache Tomcat/5.5.26
To:
server.info=Secure Web server
• Replace the string below from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
26. Move to the folder /usr/apache/tomcat55/server/lib:
cd /usr/apache/tomcat55/server/lib
27. Repackage the file catalina.jar with the edited file:
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
28. Remove the folder below:
rm -r /usr/apache/tomcat55/server/lib/org
29. Create a user account for the Tomcat service:
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/

passwd tomcat
passwd -l tomcat

30. Create the file /etc/init.d/tomcat using vi with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
JAVA_HOME="/usr/jdk/jdk1.6.0_15"
export JAVA_HOME
TOMCAT_BIN="/usr/apache/tomcat55/bin"

case "$1" in
start)
        echo "Starting Tomcat"
        # run as the unprivileged tomcat user; "su -" starts a login shell, so
        # JAVA_HOME is set inside the command rather than inherited, and the
        # -security flag is kept inside the quoted command so it reaches startup.sh
        su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/startup.sh -security"
        ;;
stop)
        echo "Stopping Tomcat"
        su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/shutdown.sh"
        ;;
restart)
        $0 stop
        $0 start
        ;;
*)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0
31. Change the permissions on the file /etc/init.d/tomcat:
chmod u+x /etc/init.d/tomcat
32. Create symbolic links for system-level startup:
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat

33. Reload the links into memory:
rehash
34. Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*


Sunday, December 6, 2009

Protecting your backup


One of the things many companies fail to pay enough attention to is proper protection of their backups.
I recently read an article about a large American bank that sent a notification to its customers about losing a backup tape containing customers' personal information.
I guess the only reason the bank revealed the security breach is that it had to under federal law; just think about how many companies keep this sort of information to themselves in order to avoid lawsuits.

Almost every company performs backups of its data. This can be done with commercial software, by copying files to a remote site, or by backing up to tape, and it is now becoming more and more common to back up to disk, onto a large storage device.

Usually, when backing up to tape, most companies move the tapes into offsite storage, such as a remote site.
While moving the backups to a remote site might be considered good security practice against a site disaster, there are two important things to think about.
The first is physical protection during the move, and while the tapes are stored in a safe at the remote site.
In this case I strongly recommend documenting the process: record the labels and dates of the tapes, and perhaps even have the person transporting the tapes sign a form, so you have more confidence that the tapes were actually transported to their destination.

The second thing you should consider is encryption of the data itself.
You don't want to be in a situation where somebody steals a suitcase full of backup tapes on which all your data is in clear text.
I guess most commercial products allow you to encrypt your backups, but this raises the question of maintaining the encryption.
If you encrypt your backups using the same password or passphrase year after year, and some ex-employee knows the password, it defeats the whole idea behind encryption.
On the other hand, if you change the password from time to time, you need to manage a list of old passwords against a list of backup-tape dates and labels, which can become a headache since it is one more thing to maintain.

Today more and more companies are moving to backup-to-disk, because the cost of hard disks is very low and it is a fast medium.
When backing up to a remote site, you need to consider moving the data over secure or encrypted VPN links in order to avoid someone intercepting the data and stealing sensitive files.
Another good practice is to store the data on an encrypted file system. This way you don't need to worry about someone being able to read your files, but you will have the overhead of maintaining the encryption key, and the copy to the encrypted file system might become a little slower on slow machines or slow storage devices.

Remember, keeping your backups safe and secure enables you to recover from a site disaster while protecting yourself from data breaches and lawsuits.
