Friday, June 18, 2010

Hardening guide for WordPress 3.0

Blog Has Moved

Link to the same post in the new blog: Hardening guide for WordPress 3.0

Pre-installation notes
The guide below builds on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Log in to the server as root.
2. Create a new account for uploading files over SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Switch to the SSH account:
su - sshaccount
4. Generate an SSH key pair:
ssh-keygen
Note: Accept the ssh-keygen defaults (the key is written to /home/sshaccount/.ssh/id_rsa). Give the key a passphrase only if a person will type it; a key that WordPress uses unattended cannot have one.
5. Authorize the key for logins to the same account:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Set permissions on the SSH directory and keys (sshd ignores an authorized_keys file whose directory is group- or world-writable, and the ssh client refuses a private key that other users can read):
chmod 700 /home/sshaccount/.ssh
chmod 600 /home/sshaccount/.ssh/id_rsa
chmod 644 /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
7. Exit the SSH account shell and return to the root account:
exit
8. Log in to MySQL as root. Use -p on its own so the password is typed at the prompt instead of being passed on the command line, where it is visible in the process list and the shell history:
/usr/bin/mysql -uroot -p
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO 'blgusr'@'localhost';
FLUSH PRIVILEGES;
quit
Note 1: Replace "blgusr" with your own MySQL account for accessing the database.
Note 2: Replace "password2" with a complex password (at least 14 characters).
Note 3: Replace "m6gf42s" with your own WordPress database name.
Note 4: Do not follow CREATE USER with SET PASSWORD ... = OLD_PASSWORD(...). That replaces the 41-character hash set by CREATE USER with the pre-MySQL 4.1 16-character hash, which is weak and defeats the point of a hardening guide. Any MySQL 4.1 or later client library, including the one PHP 5.3 links against, authenticates against the new hash without it.
10. Download WordPress 3.0 from:
http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
cd /www
13. Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
14. Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php (outside the document root, so Apache never serves it) with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0755);
define('FS_CHMOD_FILE', 0644);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other characters before the opening '<?php' tag or after the closing '?>' tag.
Note 2: Replace "blgusr" with your own MySQL account for accessing the database.
Note 3: Replace "password2" with a complex password (at least 14 characters).
Note 4: Replace "m6gf42s" with your own WordPress database name.
Note 5: Replace every 'put your unique phrase here' value with a random string. The page below returns fresh random values for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY on every request; the salt variant of the same service (http://api.wordpress.org/secret-key/1.1/salt/) returns all eight, salts included:
http://api.wordpress.org/secret-key/1.1/
Note 6: FS_CHMOD_DIR and FS_CHMOD_FILE are the modes WordPress gives to directories and files it creates during upgrades and plugin installs. 0755/0644 is sufficient because the web server user owns the directories WordPress writes to (step 28); 0777/0666 would make everything WordPress writes world-writable.
Note 7: With FS_METHOD set to 'direct', WordPress writes files as the web server user and the FTP_* constants are ignored. They take effect only with FS_METHOD 'ssh2' (which needs PHP's ssh2 extension); in that case the web server user must be able to read /home/sshaccount/.ssh/id_rsa, which should be granted through group ownership (group daemon, mode 640) rather than by making the private key world-readable.
16. Copy the sample configuration file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI the file /www/wordpress/wp-config.php
Remove the following lines:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
In their place (anywhere above the require_once of wp-settings.php at the end of the file) add the following line:
require('/www/config.php');
Note: Use require rather than include, so that a missing or unreadable /www/config.php stops the page with an error instead of letting WordPress continue with the database constants undefined.

18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
Change the document root, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Change the request body limit, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
Note 1: LimitRequestBody caps every request body, including media uploads and plugin archives uploaded through the dashboard; 200000 bytes is about 200 KB, so raise it if larger uploads are expected.
Note 2: The <Directory> block for /www/wordpress must carry AllowOverride All (or at least AuthConfig, FileInfo and Limit), otherwise the .htaccess files created in steps 24 to 26 are silently ignored.
20. Restart the Apache service.
21. Open a web browser on a client machine, and enter the URL below:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Site Title
• Username - replace the default "admin"
• Password
• E-mail
23. Click the "Install WordPress" button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !Server_FQDN [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

Note 1: Replace 192.168.1.0/24 with the internal network from which administrators log in, in CIDR notation or as network and mask (Allow from 192.168.1.0 255.255.255.0). A bare four-octet value such as 1.1.1.0 matches that single address only.
Note 2: Replace Server_FQDN with the server FQDN (DNS name). It is used as a regular expression, so escape the dots (www\.example\.com).
Note 3: The rewrite block handles comment spam: a POST to wp-comments-post.php that carries no referer from this site, or an empty user agent, is redirected back to the sender's own address instead of being processed. It needs mod_rewrite loaded and AllowOverride FileInfo; the Files blocks need AllowOverride Limit.
Note 4: Basic-auth directives with AuthUserFile /dev/null add nothing here: without a Require directive Apache never asks for credentials, so the IP restriction is what protects wp-login.php.
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>

Note 1: Replace 192.168.1.0/24 with the internal network (see step 24 for the address format).
Note 2: Do not wrap the Deny/Allow lines in <Limit GET POST>: that applies the restriction only to GET, HEAD and POST and leaves every other method (PUT, DELETE, OPTIONS, arbitrary verbs) unrestricted. Unwrapped, the restriction applies to all methods. Basic-auth directives with AuthUserFile /dev/null are not needed either; without Require they never trigger authentication.
Note 3: Front-end features that call wp-admin/admin-ajax.php (some themes and plugins) stop working for visitors outside the allowed network; allow that single file with a <Files admin-ajax.php> block if they are required.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

Note 1: Replace 192.168.1.0/24 with the internal network (see step 24 for the address format).
Note 2: This blocks every direct request into the plugins tree, including the stylesheets, scripts and images some plugins serve to visitors; if a plugin's front-end features break for external users, allow those file types with a <FilesMatch> block that sets Allow from all.
Note 3: The web server owns this directory (step 28) so that WordPress can install plugins, which also means a compromised WordPress process could replace this .htaccess; treat it as a second line of defence behind the restrictions on wp-admin and wp-login.php.
27. Create the folders WordPress writes to:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
28. Change ownership and permissions. Apache from the earlier guide runs as the "daemon" user, so the directories WordPress must write to are given to that user instead of being made world-writable (a 777 tree lets any local account plant a PHP file that Apache then executes):
chown -R root:root /www/wordpress
chown -R daemon:root /www/wordpress/wp-content/plugins
chown -R daemon:root /www/wordpress/wp-content/cache
chown -R daemon:root /www/wordpress/wp-content/uploads
chown -R daemon:root /www/wordpress/wp-content/upgrade
chmod -R u=rwX,g=rX,o=rX /www/wordpress/wp-content/cache /www/wordpress/wp-content/uploads /www/wordpress/wp-content/upgrade
chmod 755 /www/wordpress/wp-content/plugins
chown root:daemon /www/config.php /www/wordpress/wp-config.php
chmod 640 /www/config.php /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
Note 1: The two configuration files hold the database password; 640 with group daemon lets the web server read them while keeping them from other local users (644 would expose the password to every account on the host).
Note 2: Step 41 points media uploads at wp-content/uploads, and Apache executes a PHP file placed there like any other. Add a /www/wordpress/wp-content/uploads/.htaccess containing "php_flag engine off" (mod_php; requires AllowOverride Options) so that files in the upload area are served but never run.

29. Download the "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
30. Download the "Limit Login Attempts" plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
Note: Both plugins throttle failed logins on wp-login.php; running both gains nothing, so pick one.
31. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
33. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the "WordPress Database Backup" plugin, owned by the web server user rather than world-writable:
mkdir -p /www/wordpress/wp-content/backup-ed602
chown daemon:root /www/wordpress/wp-content/backup-ed602
chmod 750 /www/wordpress/wp-content/backup-ed602
38. The folder sits under the document root, so a database dump in it could be downloaded by anyone who guesses the file name. Create /www/wordpress/wp-content/backup-ed602/.htaccess with the following content, or configure the plugin to send backups by email instead of keeping them on the server:
Order deny,allow
Deny from all
39. Open a web browser on a client machine, and enter the URL below:
http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> put a new value inside the "Tagline" field -> click on "Save changes".
41. From WordPress dashboard, click on "settings" -> click on "Media" -> "Store uploads in this folder" -> specify:
wp-content/uploads
42. Click on "Save changes".
43. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
44. From the WordPress dashboard, click on "Settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
Note: robots.txt only asks well-behaved crawlers to stay away. It is public and lists exactly the paths worth attacking, so the real access control comes from the .htaccess files in steps 24 to 26, not from this list.
45. Click "Submit".
46. From the upper pane, click on "Log Out".
47. In case the server was configured with an SSL certificate (see the Apache SSL guide further down this page), add the following line to /www/config.php:
define('FORCE_SSL_ADMIN', true);
Note: FORCE_SSL_ADMIN forces HTTPS for the login page and for the whole dashboard, so the authentication cookies are never sent in clear. FORCE_SSL_LOGIN protects only the password submitted to wp-login.php and leaves the logged-in session cookie exposed on the plain HTTP dashboard.
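
The helpers below are added here as an example and are not part of the original guide. They back up steps 15 and 28: wp_salts produces the eight key and salt definitions for /www/config.php locally, so the secrets never pass through a third-party web service, and wp_world_writable and wp_php_in_uploads audit the installed tree for world-writable entries and for PHP files in the upload directory, the two findings that most often turn an unhardened WordPress host into a web shell. The path /www/wordpress is the guide's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the WordPress
# keys/salts offline and audit the installed tree after step 28.

# One key/salt: 64 characters drawn from /dev/urandom, restricted to
# characters that are safe inside a single-quoted PHP string (no quote,
# backslash or dollar sign). 1 KiB of random input leaves ~300 usable
# characters, far more than the 64 taken.
wp_secret() {
    dd if=/dev/urandom bs=1024 count=1 2>/dev/null \
        | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_=+:,.?~' \
        | head -c 64
}

# The eight define() lines, each with its own independent value. Paste
# the output into /www/config.php in place of the
# 'put your unique phrase here' placeholders.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(wp_secret)"
    done
}

# List world-writable files and directories under a WordPress tree
# (argument: the tree root, e.g. /www/wordpress). Empty output is a
# pass. A world-writable directory lets any local account drop a PHP
# file that Apache will then execute.
wp_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# List PHP files under wp-content/uploads. Nothing legitimate is ever
# stored there as .php, so a hit is either a misconfiguration or a
# dropped web shell.
wp_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php*' -print 2>/dev/null
}

# Usage:
#   wp_salts
#   wp_world_writable /www/wordpress
#   wp_php_in_uploads /www/wordpress
```

Run the two audit functions from cron as well as once after installation: a plugin upgrade or a careless chmod can reopen a world-writable directory long after the initial hardening.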

Wednesday, June 16, 2010

Hardening guide for VSFTPD on RHEL 5.4

The guide below explains how to install, configure and secure the vsftpd FTP server on RHEL 5.4 so that it accepts only FTP over TLS (explicit FTPS) sessions. This is not SFTP: SFTP is the file-transfer subsystem of SSH, is served by sshd rather than vsftpd, and uses port 22.

Installation phase
1. Log in to the server as root.
2. Install the following RPM from the RHEL 5.4 DVD:
rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
3. Create a group for FTP users:
groupadd ftp-users
4. Create the FTP folder:
mkdir -p /ftp
5. Change ownership and permissions on the FTP folder. Give write access to the ftp-users group only, with the sticky bit so that users cannot delete each other's files; do not make it world-writable:
chown root:ftp-users /ftp
chmod 1770 /ftp

6. Example of user creation. The users share /ftp as their home directory and get no interactive shell (/sbin/nologin is listed in /etc/shells on RHEL, so vsftpd's PAM shell check still passes):
useradd -g ftp-users -d /ftp -s /sbin/nologin user1
passwd user1
7. Edit using VI the file /etc/vsftpd/vsftpd.conf
Change from:
anonymous_enable=YES
To:
anonymous_enable=NO

Change from:
xferlog_std_format=YES
To:
xferlog_std_format=NO

Change from:
#ftpd_banner=Welcome to blah FTP service.
To:
ftpd_banner=Secure FTP server

Add the lines below:
local_root=/ftp
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Note 1: The directive is ftpd_banner; vsftpd refuses to start on an unrecognised directive ("500 OOPS: unrecognised variable in config file"), so spelling matters.
Note 2: chroot_local_user=YES confines each user to local_root. Without it a logged-in user can change directory to any part of the file system that the Unix permissions allow. userlist_enable=YES is what makes userlist_file and userlist_deny=NO take effect (only the listed accounts may log in); the stock RHEL vsftpd.conf already sets it, so adding it here only makes the intent explicit.
Note 3: force_local_logins_ssl and force_local_data_ssl make both the control and the data connection refuse cleartext, so clients must support explicit FTPS (AUTH TLS).

8. Create the vsftpd certificate and private key (self-signed, 2048-bit RSA, valid for one year; without -days the default validity of req -x509 is 30 days, after which every client fails the TLS handshake):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
chmod 600 /etc/vsftpd/vsftpd.pem
Note: The openssl command above should be written as one line. The file holds the private key, hence mode 600. Clients will warn about a self-signed certificate; for a server used outside the organisation, request a CA-signed certificate instead.
9. Edit using VI the file /etc/vsftpd/user_list, remove the default entries and add the members of the ftp-users group who should be allowed to log in (with userlist_deny=NO this file is an allow list).
10. Start the vsftpd service:
/etc/init.d/vsftpd start
11. Configure vsftpd to start at boot:
chkconfig vsftpd on
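
Added as an example, not from the original guide: a check over the finished vsftpd.conf that prints every directive that is missing or does not carry the value the guide requires. It reads the file the way vsftpd does (the last uncommented occurrence of a directive wins), so a stray duplicate line lower in the file is caught. The directive names and values are the guide's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: verify /etc/vsftpd/vsftpd.conf
# after editing it, and again after any package update, since a replaced
# config silently re-enables anonymous and cleartext logins.

# Effective value of directive KEY in FILE. vsftpd takes the last
# occurrence, and "#" lines are comments, so return the last uncommented
# one; empty if the directive is absent.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Required key=value pairs taken from the guide, one per line.
VSFTPD_REQUIRED='
anonymous_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
userlist_deny=NO
'

# Print one line per deviation; return 1 if there is any.
vsftpd_conf_check() {
    conf=$1
    rc=0
    for item in $VSFTPD_REQUIRED; do
        key=${item%%=*}
        want=${item#*=}
        have=$(vsftpd_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s=%s, found "%s"\n' "$conf" "$key" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Usage: vsftpd_conf_check /etc/vsftpd/vsftpd.conf && echo "vsftpd.conf OK"
```

An empty "found" value means the directive is absent altogether, in which case vsftpd applies its built-in default (anonymous_enable, for example, defaults to YES), which is why absence is reported as a failure rather than ignored.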

Sunday, June 6, 2010

Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

Important note
The guide below instructs how to secure a Cisco firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every software version; the tags (ASA, FWSM, PIX) after each heading mark the platforms the command applies to.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL

Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

Configure Local Password (ASA, FWSM, PIX):
passwd <login_password>
Note: Omit the "encrypted" keyword when typing a cleartext password. It tells the device that the value is an already-encrypted hash (as it appears in a saved configuration); a cleartext password entered with it is stored as-is and will not match at login. The same applies to the username and enable password commands below; the device encrypts the stored value in every case.

Configure ASDM Access Control (ASA, FWSM, PIX):
http <remote_ip_address> <remote_subnet_mask> <interface_name>

Configuring SSH (ASA, FWSM, PIX):
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0 <interface_name>
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2

Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10

Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username <local_username> password <local_password>

Configure Enable Password (ASA, FWSM, PIX):
enable password <enable_password>

Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host <interface_name> <remote_ip_address>


Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all

Configure Clock Time Zone (ASA, PIX):
clock timezone GMT <hours offset>

Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable <interface_name>


Disable HTTP Service (ASA, FWSM, PIX) - in case ASDM, which runs over it, is not in use:
no http server enable

Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical

Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp

Configure AAA Flood Guard (FWSM, PIX):
floodguard enable

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1 <interface_name>

Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp <port>
fixup protocol http <port>
fixup protocol smtp <port>

Configure Protocol Inspection (ASA):
policy-map global_policy
class inspection_default
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]
exit
exit
Note: On the ASA the inspect commands are valid only inside a class of a policy map. global_policy and inspection_default are the names used by the default configuration, which already inspects ftp and esmtp; http is not inspected by default.

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
ip verify reverse-path interface <interface_name>
Note: This is a global configuration command, not an interface sub-command; repeat it once per interface.


Save the changes:
wr

Thursday, June 3, 2010

Hardening guide for Cisco Routers and Switches

Important note
The guide below instructs how to secure a Cisco router or switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA service:
aaa new-model

Configure AAA Authentication for Login:
aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit

Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit

Set and secure passwords:
service password-encryption
enable secret 0 <password>


Configure Local User and Encrypted Password:
username <username> secret <password>
Note: "secret" stores an MD5 hash. The older form "username <username> password <password>" is stored as a type 7 string that service password-encryption only obfuscates (it is trivially reversible); use it only on images older than 12.0(18)S, 12.1(8a)E or 12.2(8)T, which do not support "secret".

Configure SSH:
hostname <device_hostname>
ip domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access:
ip ssh version 2
ip ssh timeout 60
ip ssh authentication-retries 3
Note: On IOS the domain is set with ip domain-name ("domain-name" on its own is the ASA/PIX form). "ip ssh version 2" is not in the original list; it refuses SSHv1 clients on images that support it.

Configure VTY Transport SSH:
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
Note: transport input applies to the VTY (and AUX) lines only; the console line has no inbound transport to restrict.

Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit

Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit

Disable SNMP server (in-case not in use):
no snmp-server

Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public

Configure Clock Timezone - GMT:
clock timezone GMT <hours>

Disable DNS name resolution on the device (in case not in use):
no ip domain-lookup

Disable CDP Run Globally:
no cdp run

Disable PAD service (in-case not in use):
no service pad

Disable Finger Service:
no service finger

Disable Maintenance Operations Protocol (MOP):
interface <interface-id>
no mop enabled
exit

Disable DHCP server (in-case not in use):
no service dhcp

Disable IP BOOTP server (in-case not in use):
no ip bootp server

Disable Identification Service:
no ip identd

Disable IP HTTP Server (in-case not in use):
no ip http server

Disable Remote Startup Configuration:
no boot network
no service config

Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out

Disable small-servers:
no service tcp-small-servers
no service udp-small-servers

Disable TFTP Server:
no tftp-server <file>
Note: IOS requires the file name; repeat the command for every tftp-server line shown in the running configuration.

Configure Logging:
logging on
logging buffered 16000
logging console critical

Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
no ip source-route

Disable Directed Broadcast:
interface <interface-id>
no ip directed-broadcast
exit

Configure Unicast Reverse-Path Forwarding:
interface <interface-id>
ip verify unicast reverse-path
exit

Disable IP Proxy ARP:
interface <interface-id>
no ip proxy-arp
exit

Disable Gratuitous-Arps:
no ip gratuitous-arps

Configure switch port-security (on each access port):
interface <interface-id>
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
exit
Note: Port security is accepted only on a static access (or trunk) port, hence switchport mode access first. With violation shutdown the port goes err-disabled when a second MAC address appears and must be re-enabled by hand (shutdown / no shutdown) or by errdisable recovery.


Save the changes:
wr
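
A configuration audit, added here as an example and not taken from either Cisco guide on this page (it serves the firewall guide above as well as this one): it takes a saved copy of show running-config and reports which hardening lines are missing and which insecure lines (telnet, the default SNMP communities, the HTTP server) are still present. The required and forbidden lists are a subset of the two guides; the one addition is ip ssh version 2, which the router guide does not set. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from either Cisco guide: audit a saved
# "show running-config" against the hardening lines above. Pure text
# processing, so it runs offline in a change review. Caveat: IOS and
# ASA only show non-default settings, so a "no ..." line appears in the
# running config only when the feature is on by default (for example
# "no ip source-route" and "no cdp run" do appear; "no service finger"
# on an image where finger is already off does not).

# Strip leading whitespace (indented lines under interface/line
# sections) and trailing whitespace or CR from a saved config.
cfg_norm() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Print every required line (exact match after normalization) that is
# absent from the config. Returns 1 if anything is missing.
cfg_require() {
    conf=$1; shift
    rc=0
    for want in "$@"; do
        if ! cfg_norm "$conf" | grep -qxF -- "$want"; then
            printf 'MISSING: %s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Print every config line matching a forbidden extended-regex pattern.
# Returns 1 if anything matched.
cfg_forbid() {
    conf=$1; shift
    rc=0
    for pat in "$@"; do
        hits=$(cfg_norm "$conf" | grep -E -- "$pat") || continue
        printf '%s\n' "$hits" | sed 's/^/FORBIDDEN: /'
        rc=1
    done
    return $rc
}

# IOS router/switch checks from the router guide. "ip ssh version 2" is
# not in the guide; it is added so that SSHv1 is refused.
ios_audit() {
    r=0
    cfg_require "$1" \
        'aaa new-model' \
        'service password-encryption' \
        'ip ssh version 2' \
        'no ip source-route' \
        'no cdp run' \
        'no ip http server' \
        'no ip domain-lookup' \
        'service tcp-keepalives-in' \
        'service tcp-keepalives-out' \
        'transport input ssh' || r=1
    cfg_forbid "$1" \
        '^snmp-server community (public|private)( |$)' \
        '^transport input (telnet|all)' \
        '^ip http server$' || r=1
    return $r
}

# ASA/PIX/FWSM checks from the firewall guide.
asa_audit() {
    r=0
    cfg_require "$1" \
        'ssh version 2' \
        'aaa authentication ssh console LOCAL' \
        'aaa authentication enable console LOCAL' \
        'logging timestamp' \
        'console timeout 10' \
        'ssh timeout 10' || r=1
    cfg_forbid "$1" \
        '^telnet [0-9]' \
        '^snmp-server host ' || r=1
    return $r
}

# Usage: ios_audit router.cfg ; asa_audit firewall.cfg
```

Because cfg_require matches whole lines, a line such as "transport input ssh telnet" does not satisfy the requirement, which is the intended behaviour: it still permits telnet.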

Tuesday, June 1, 2010

How to implement SSL on Apache 2.2.15

Pre-installation notes
The guide below builds on the previous guide Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

SSL implementation phase
1. Log in to the server as root.
2. Create a folder for the SSL certificate files (mode 700 rather than 600: a directory needs the execute bit to be entered):
mkdir -p /usr/local/apache2/ssl
chmod 700 /usr/local/apache2/ssl
3. Generate a 2048-bit RSA private key (1024-bit keys are considered weak and most CAs no longer sign them):
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 2048
chmod 600 /usr/local/apache2/ssl/server.key
Specify a complex pass phrase for the private key (and document it).
Note: A pass phrase means Apache asks for it at every start (SSLPassPhraseDialog builtin), so unattended restarts fail. If that is not acceptable, generate the key without -des3 and rely on root ownership and mode 600 to protect it.
4. Generate the CSR from the key created in step 3 (passing -newkey here would discard that key and write a new, unencrypted one to server.key):
/usr/bin/openssl req -new -key /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line. Enter the server's FQDN as the Common Name.
5. Send the file /tmp/apache.csr to a Certificate Authority (the CSR contains only the public key, so it is safe to send by email).
6. When the signed certificate arrives from the CA, copy everything from the "-----BEGIN CERTIFICATE-----" line to the "-----END CERTIFICATE-----" line (both lines included) into a text editor and save it as "server.crt".
7. Copy the file "server.crt" using SCP into /usr/local/apache2/ssl/
8. Follow the link in the CA's email to download the intermediate CA chain, and save it as "ca-bundle.crt" (the file must be PEM (base64) encoded). The intermediates are what browsers need from the server; the root itself is already in their trust store.
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/apache2/ssl/
10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines (mod_ssl must be available: either the build from the Apache guide was configured with --enable-ssl, or a LoadModule ssl_module line for it is present):
Listen Server_FQDN:443
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCertificateChainFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note 1: Replace Server_FQDN with the server DNS name (as written on the certificate).
Note 2: SSLCertificateChainFile is the directive that sends the CA's intermediate certificates to browsers; SSLCACertificateFile is for verifying client certificates and is not needed here.
Note 3: SSLProtocol disables the SSLv2 and SSLv3 protocols outright; the -SSLv2 entry in the cipher list only removes SSLv2 cipher suites.
11. Restart the Apache service and check the error log; a key that does not match the certificate, or a bad chain file, stops the server from starting:
/usr/local/apache2/bin/apachectl restart
12. Back up the file /usr/local/apache2/ssl/server.key to a protected location; anyone holding it can impersonate the server.
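
Added as an example, not part of the original post: a pre-restart check for the three files in /usr/local/apache2/ssl. It confirms that the private key belongs to the certificate (same RSA modulus), that the certificate verifies against ca-bundle.crt, and that the key is at least 2048 bits. Only the openssl binary already used in steps 3 and 4 is needed; the function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify key, certificate and
# CA bundle before restarting Apache, so a mismatch shows up here rather
# than as a failed restart or a browser warning.

# 0 if the RSA private key and the certificate share the same modulus,
# i.e. the certificate was issued for this key. A passphrase-protected
# key makes openssl prompt on the terminal.
ssl_key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# 0 if the certificate verifies against the bundle the CA supplied.
ssl_cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# RSA key size of a certificate in bits, so that a weak key is caught
# before it goes live. Prints nothing if the file cannot be parsed.
ssl_cert_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Run all three checks on a directory laid out as in step 10
# (server.key, server.crt, ca-bundle.crt). Prints each failure and
# returns 1 if any check fails, 0 if the directory is ready to use.
ssl_check_dir() {
    d=${1:-/usr/local/apache2/ssl}
    rc=0
    ssl_key_matches_cert "$d/server.key" "$d/server.crt" \
        || { echo "server.key does not match server.crt"; rc=1; }
    ssl_cert_chains_to "$d/server.crt" "$d/ca-bundle.crt" \
        || { echo "server.crt does not chain to ca-bundle.crt"; rc=1; }
    bits=$(ssl_cert_bits "$d/server.crt")
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "server.crt key is ${bits:-unknown} bits; use 2048 or more"; rc=1; }
    return $rc
}

# Usage: ssl_check_dir && /usr/local/apache2/bin/apachectl restart
```

The modulus comparison is the same check mod_ssl performs at startup; doing it beforehand keeps a typo in the certificate paste from taking the site down during the restart window.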
