Hardening guide for Resin Professional 4.0.8 on RHEL 5.4
Blog Has Moved
Link to the same post in the new blog: Hardening guide for Resin Professional 4.0.8 on RHEL 5.4
Pre-requirements:
• JDK 1.6 source file
• Resin Professional 4.0.8 source file
Installation phase
1. Login to the server using Root account.
2. Create a new account:
groupadd resin
useradd -g resin -d /home/resin -s /bin/bash resin
3. Create folder for the web content:
mkdir -p /www
4. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
5. Copy JDK 1.6 into /tmp
6. Change the permissions on the JDK 1.6:
chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
7. Run the command bellow to install JDK 1.6:
/tmp/jdk-6u20-linux-i586-rpm.bin
8. Remove the JDK 1.6 source files:
rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
rm -f /usr/java/jdk1.6.0_20/src.zip
rm -rf /usr/java/jdk1.6.0_20/demo
rm -rf /usr/java/jdk1.6.0_20/sample
rm -rf /opt/sun/javadb/demo
rm -rf /opt/sun/javadb/docs
9. Before compiling the Resin environment, install the following RPM from the RHEL DVD:
rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
rpm -ivh glibc-headers-2.5-42.i386.rpm
rpm -ivh glibc-devel-2.5-42.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-46.el5.i386.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
11. Move to /tmp
cd /tmp
12. Extract the resin-pro-4.0.8.tar.gz file:
tar -zxvf resin-pro-4.0.8.tar.gz
13. Move to the Resin 4.0.8 source folder:
cd /tmp/resin-pro-4.0.8
14. Run the commands bellow to compile the Resin 4.0.8 environment:
./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
Note: The command above should be written as one line.
make
make install
15. Edit using VI, the file /usr/local/resin/conf/resin.xml and change the string bellow:
From:
To:
From:
To:
From:
To:
From:
To:
From:
To:
From:
From:
To:
From:
To:
From:
To:
16. Change the ownership on the folder bellow:
chown resin:root -R /www/*
17. Manually start the Resin service:
/usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
18. Manually stop the Resin service:
/usr/local/resin/bin/resin.sh stop
19. Copy the Resin license file into /usr/local/resin/licenses
20. Change the ownership and permissions on the folders bellow:
chmod 664 -R /www/watchdog-data/
chmod 777 /www/watchdog-data/default/
chown resin:root -R /www/watchdog-data/*
21. Remove the Resin 4.0.8 source folder:
rm -rf /tmp/resin-pro-4.0.8
22. Remove default documents:
rm -rf /www/doc/resin-doc
23. To start Resin service at server start-up, run the commands bellow:
chkconfig --add resin
chkconfig resin on
/etc/init.d/resin start
24. From a client machine, open an internet browser and login to the address:
http://Server_DNS_Name:8080/resin-admin/
25. Enter a username and password in the lower half of the page, then click "Create Configuration File". The recommended username is "admin".
26. Rename the admin-users.xml file:
mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.
posted by Eyal Estrin @ 9:43 PM
0 Comments
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home