How to implement SSL on Nginx 0.7.65

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
5. Send the file /tmp/nginx.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /usr/local/nginx/ssl
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/nginx/ssl
10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
11. Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;

# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_timeout 5m;

# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}
To:
server {
listen 443;
server_name Server_FQDN;

ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;

location / {
root /www;
index index.html index.htm;
}
}
13. Restart the Nginx service:
/etc/init.d/nginx restart

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

1. Login to the server using Root account.
2. Create a new account:
groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Nginx environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
5. Download Nginx 0.7.65 from:
http://wiki.nginx.org/NginxInstall
6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Extract the nginx-0.7.65.tar.gz file:
tar -zxvf nginx-0.7.65.tar.gz
9. Move to the Nginx source folder:
cd /tmp/nginx-0.7.65
10. Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
To:
static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
11. Run the commands bellow to compile the Nginx environment:
./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

make

make install
12. Remove the Nginx source files:
rm -rf /tmp/nginx-0.7.65
rm -f /tmp/nginx-0.7.65.tar.gz
13. Remove Default Content
rm -rf /usr/local/nginx/html
14. Updating Ownership and Permissions on Nginx folders:
chown -R root:root /usr/local/nginx
chmod 750 /usr/local/nginx/sbin/nginx
chmod -R 640 /usr/local/nginx/conf
chmod -R 770 /usr/local/nginx/logs
15. Create folder for the web content:
mkdir -p /www
16. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
17. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
From:
#user nobody;
To:
user nginx nginx;

From:
#error_log logs/error.log notice;
To:
error_log logs/error.log notice;

From:
server_name localhost;
To:
server_name Server_FQDN;

From:
root html;
To:
root /www;

18. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
server_tokens off;
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;
19. Create using VI, the file /etc/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

start() {
[ -x $nginx ] exit 5
[ -f $NGINX_CONF_FILE ] exit 6
echo -n $"Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}

stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}

restart() {
configtest return $?
stop
sleep 1
start
}

reload() {
configtest return $?
echo -n $"Reloading $prog: "
killproc $nginx -HUP
RETVAL=$?
echo
}

force_reload() {
restart
}

configtest() {
$nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
status $prog
}

rh_status_q() {
rh_status >/dev/null 2>&1
}

case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q exit 0
$1
;;
restartconfigtest)
$1
;;
reload)
rh_status_q exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestarttry-restart)
rh_status_q exit 0
;;
*)
echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}"
exit 2
esac
20. Change the permissions of the file /etc/init.d/nginx
chmod +x /etc/init.d/nginx
21. To start Nginx service at server start-up, run the command:
chkconfig nginx on
22. To manually start the Nginx service, use the command:
/etc/init.d/nginx start
23. Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

How to implement SSL on Lighttpd 1.4.26

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /etc/lighttpd/ssl/
8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
Note: The command above should be written as one line.
9. Remove the original server.crt file:
rm -f /etc/lighttpd/ssl/server.crt
10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file "ca-bundle.crt" using SCP into /etc/lighttpd/ssl
12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
$SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
}
13. Restart the Lighttpd service.

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

1. Login to the server using Root account.
2. Create a new account:
groupadd lighttpd
useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Lighttpd environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-49.x86_64.rpm
rpm -ivh glibc-devel-2.5-49.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
5. Download Lighttpd 1.4.26 from:
http://www.lighttpd.net/download/
6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Extract the lighttpd-1.4.26.tar.gz file:
tar -zxvf lighttpd-1.4.26.tar.gz
9. Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
10. Move to the Lighttpd source folder:
cd /tmp/lighttpd-1.4.26
11. Run the commands bellow to compile the Lighttpd environment:
./configure --with-openssl --without-bzip2
make
make install
12. Create the following folders:
mkdir -p /etc/lighttpd
mkdir -p /var/log/lighttpd
mkdir -p /var/cache/lighttpd/compress
13. Copy the lighttpd.conf file:
cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
14. Updating Ownership and Permissions on Lighttpd folders:
chown lighttpd:lighttpd /var/log/lighttpd
chown lighttpd:root /etc/lighttpd/lighttpd.conf
chown lighttpd:lighttpd /var/cache/lighttpd/compress
chmod o-r /etc/lighttpd/lighttpd.conf
chmod -R o-r /var/log/lighttpd
15. Create folder for the web content:
mkdir -p /www
16. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
From:
server.document-root = "/srv/www/htdocs/"
To:
server.document-root = "/www"

From:
#server.bind = "127.0.0.1"
To:
server.bind = "Server_FQDN"

From:
# server.tag = "lighttpd"
To:
server.tag = "Secure Web Server"

From:
#server.username = "wwwrun"
To:
server.username = "lighttpd"

From:
#server.groupname = "wwwrun"
To:
server.groupname = "lighttpd"

From:
#dir-listing.activate = "enable"
To:
dir-listing.activate = "disable"

18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
19. To manually start Lighttpd use the command:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
20. To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
21. Remove the Lighttpd source files:
rm -rf /tmp/lighttpd-1.4.26
rm -f /tmp/lighttpd-1.4.26.tar.gz
22. Uninstall the following RPM:
rpm -e gcc-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5

Hardening guide for WordPress 2.9.2

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
su sshaccount
4. Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
7. Exit the SSH account shell and return to the Root account:
exit
8. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
http://wordpress.org/download
11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
12. Move to /www
cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
14. Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
15. Create using VI the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Blog Title
• E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
25. Run the following commands from the MySQL prompt:
use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters).
26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
27. Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>
Note: Replace 1.1.1.0 with the internal network IP address.
29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
31. Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
32. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
33. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
35. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the "WordPress Database Backup" plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
40. Set permissions for the "WordPress Database Backup" plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
41. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
42. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> click on "Save changes".
43. From WordPress dashboard, click on "settings" -> click on "Miscellaneous" -> "Store uploads in this folder" -> specify:
wp-content/uploads
44. Click on "Save changes".
45. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
46. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
47. Click "Submit".
48. From the upper pane, click on "Log Out".
49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);

Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Installation and configuration phase
1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
3. Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Download PHP 5.3.2 source files from:
http://php.net/downloads.php
5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
9. Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
10. Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz
11. Move to the PHP source folder:
cd /tmp/php-5.3.2
Run the commands bellow to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

make

make install
12. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Make sure the following string exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.html
To:
DirectoryIndex index.php index.html index.htm
13. Copy the PHP.ini file
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
14. Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
15. Edit using VI, the file /etc/php.ini and replace the following values:
From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306

From:
allow_url_fopen = On
To:
allow_url_fopen = Off

From:
expose_php = On
To:
expose_php = Off

From:
memory_limit = 128M
To:
memory_limit = 8M

From:
;open_basedir =
To:
open_basedir = "/www"

From:
post_max_size = 8M
To:
post_max_size = 2M

From:
upload_max_filesize = 2M
To:
upload_max_filesize = 1M

From:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

From:
display_errors = On
To:
display_errors = Off

From:
display_startup_errors = On
To:
display_startup_errors = Off

16. Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
17. Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
18. Uninstall the following RPM:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

1. Login to the server using Root account.
2. Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
3. Download MySQL server and client RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
5. Move to /tmp
cd /tmp
6. Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
7. Delete the MySQL source files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
8. Run the commands bellow to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
9. Run the command bellow to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
10. Run the commands bellow to remove default folder:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
11. Run the command bellow to set ownership and permissions for my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
12. Edit using VI, the file /etc/my.cnf
Add the strings bellow under the [mysqld] section
pid-file = /var/lib/mysql/mysqld.pid
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
Add the section bellow:
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
13. Run the command bellow to restart the target server:
reboot
14. Login to the server using Root account.
15. Run the commands bellow to set password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 1: Specify complex password (at least 14 characters) and document it.
Note 2: Replace “hostname” with the server FQDN (DNS name)
16. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
17. Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
18. Run the command bellow to stop the MySQL service:
/etc/init.d/mysql stop
19. Run the command bellow to start the MySQL service:
/etc/init.d/mysql start

Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

1. Login to the server using Root account.
2. Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Apache environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
6. Move to /tmp
cd /tmp
7. Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
8. Move to the Apache source folder:
cd httpd-2.2.15
9. Run the commands bellow to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl

make

make install
10. Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15
rm -f /tmp/httpd-2.2.15.tar.gz
11. Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
12. Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs
13. Create folder for the web content:
mkdir -p /www
14. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"

From:
Listen 80
To:
Listen Server_FQDN:80

From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com

From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN

From:
LogLevel warn
To:
LogLevel notice

From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

From:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

16. Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500
17. Remove the sections bellow from the file httpd.conf
<Directory "/usr/local/apache2/cgi-bin">
18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"

19. Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
20. To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/apache2/bin/apachectl start
21. Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Previous guides:
Hardening guide for Apache 2.0 on Solaris 10 platform
How to implement SSL on Apache 2.0

Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

OS installation phase
1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose "Windows Server 2008 R2 (Server Core Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose "Custom (Advanced)" installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose "Administrator" account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the command prompt window, run the command bellow:
sconfig.cmd
10. Press "2" to replace the computer name -> specify new computer name -> click "Yes" to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
12. From the command prompt window, run the command bellow:
sconfig.cmd
13. Press "5" to configure "Windows Update Settings" -> select "A" for automatic -> click OK.
14. Press "6" to download and install Windows Updates -> choose "A" to search for all updates -> Choose "A" to download and install all updates -> click "Yes" to restart the server.
15. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
16. From the command prompt window, run the command bellow:
sconfig.cmd
17. In-case you need to use RDP to access and manage the server, press "7" to enable "Remote Desktop" -> choose "E" to enable -> choose either "1" or "2" according to your client settings -> Press OK.
18. Press "8" to configure "Network settings" -> select the network adapter by its Index number -> press "1" to configure the IP settings -> choose "S" for static IP address -> specify the IP address, subnet mask and default gateway -> press "2" to configure the DNS servers -> click OK -> press "4" to return to the main menu.
19. Press "9" to configure "Date and Time" -> choose the correct "date/time" and "time zone" -> click OK
20. Press "11" to restart the server to make sure all settings take effect -> click "Yes" to restart the server.

Web server installation phase
1. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
2. For minimal installation of IIS7.5 features, run the command bellow from command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
3. For full installation of IIS7.5 (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
4. For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
5. Create a new folder for the WWW content, in a different partition then the operating system, for example:
md D:\WWW
6. Copy the content of the web site to the newly created folder.
7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
8. Run the command bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
9. Create a new folder for the LogFiles content, in a different partition then the operating system, for example:
md D:\LogFiles
10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
11. Run the commands bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
12. Run the command bellow to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW