Security 24/7

Cloud computing vision

2010-08-22T22:22:00.004+03:00

Cloud computing is the latest buzz on the Internet this days.
What does it mean to us and where does the future of Cloud computing goes?

Some background
In the mid 90's, we had Citrix, with its vision for server based-computing.
Works similar to the Mainframe idea who came couple of decades before - you put all your resources on one server, and thin clients connect to receive resources.
Couple of years later, we had new buzz, called ASP (Application service provider), which according to Wikipedia is a business that provides computer-based services to customers over a network.
Few years later, ASP changed its name to SaaS (Software as a service), which also referred to as software on demand.
In between, we had VMware who presented to world (at least the most famous) server virtualization.

What is Cloud Computing?
According to Wikipedia, Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
The idea of Cloud computing, enables the customers to avoid investing money on hardware and network equipment, and instead, renting usage from third-party provider.
Cloud computing has the following key features:
* Agility improves with users' ability to rapidly and inexpensively re-provision technological infrastructure resources.
* Cost is claimed to be greatly reduced.
* Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile).
* Multi-tenancy enables sharing of resources and costs across a large pool of users.
* Reliability is improved if multiple redundant sites are used, which makes well designed cloud computing suitable for business continuity and disaster recovery.
* Scalability via dynamic ("on-demand") provisioning of resources on a fine-grained, self-service basis near real-time, without users having to engineer for peak loads.
* Maintenance cloud computing applications are easier to maintain, since they don't have to be installed on each user's computer.
* Metering cloud computing resources usage should be measurable and should be metered per client and application on daily, weekly, monthly, and annual basis.

The confusion point and vision
People tend to confuse between companies moving their data-centers and applications toward the cloud, and actual Cloud computing providers.
A real Cloud computing provider is built from large-scale data centers around the world.
Each rack is built from cheap (to manufacture) hot-swappable hardware - it's time to say goodbye to 1U-4U servers from all major vendors (HP, IBM, DELL, SUN, etc).
Each blade has many core CPU (4-core, 6-core and above), with allot of memory (as much as the hardware supports).
Each blade is connected to large-scale storage grid.
Everything must be redundant - you must be able to add new racks on-demand, without affecting any customer.
Servers, network equipment and storage devices must be configured in active-active clusters.
Data should be replicated on the fly between data centers across the world, in-order to provide 24/7 availability.
Guest operating system must be able to move between physical servers, transparently, as VMware introduced in its VMotion technology.
Server maintenance should be performed on schedule basis - since everything is transparent to the customer, firmware upgrades, patch management and software/application upgrades will not affect any customer.
The hardware/network/storage layer should be separated from the application layer, so that current SaaS companies will be able to integrate their current applications to the cloud era, and work transparently with Cloud computing infrastructure.

Cloud computing Achilles
The thing that drives most people off the cloud is security.
Customers can't physically protect their hardware, since they don't own it.
Customers having troubles protecting their data, since everything is built on virtual machines, connected to shared virtual storage.
I hope that in the near future information security professionals will be able to close this gap, and enable customers transparent, cheap and secure solutions.

Generating self-signed SSL certificate using OpenSSL

2010-08-13T17:15:00.003+03:00

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.
Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/

1. Install OpenSSL.
2. Run the command bellow to generate a new key store called “server.key”
openssl genrsa -des3 -out /tmp/server.key 1024
3. Run the commands bellow to request a new SSL certificate:
openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt

openssl x509 -noout -fingerprint -text < /tmp/server.crt > /tmp/server.info
4. Run the command bellow to backup the key store file that has a password:
cp /tmp/server.key /tmp/server.key.bak
5. Run the command bellow to generate a new key store without a password:
openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx

Appendix:
server.key - Key store file
server.crt - Server SSL public key file
no.pwd.server.key - Key store file (without a password)
no.pwd.server.pem - Key store file + server SSL public key file (without a password)
server.pfx - Private key + public key, exportable for Windows platform (i.e IIS server)

Security Vulnerability Assessment Process and Policy

2010-08-10T21:30:00.004+03:00

Overview:

In order to maintain high security standards, identify potential vulnerabilities and evaluate the effectiveness of various security controls that were implemented within the infrastructure, it is crucial to perform periodic security assessments.

Goal:

This procedure defines the controls and steps that are required for identifying security vulnerabilities and ensuring reasonable level of security for the infrastructure and application levels.

Process:

External Facing:

1. Perform automated external application level scans on a daily basis for website and application. (e.g. McAfee Secure, Acunetix).
2. Perform automated external network level scans on a weekly basis (e.g. McAfee Secure)
3. Perform in-house, half automated scans with a vulnerability assessment tool (e.g. Qualys)
4. Execute a dedicated application level and network penetration test by a professional third party.
This should be executed twice a year or on every major application release.

Internal:

1. Discovery: run NMAP scan on all VLANs to identify all the devices and create an asset inventory that outlines devices and services. [weekly / monthly]
2. Network and Infra vulnerabilities: Run a weekly scan with NESSUS or similar tool to identify infrastructure gap and non hardened devices.
3. Purchase and run vulnerability scanner (such as Qualys or NetIQ) – every week.
4. Patch Management:
a. Install Microsoft WSUS server to maintain security patches for Windows infrastructure.
b. Install Linux YUM server to maintain security patches for RedHat infrastructure.
c. Generate reports on weekly basis to find vulnerable systems.
5. Penetration test: run an annual internal pen-test to identify internal gaps with orientation to threats from within the organization.

Implement a Production Change Management policy that includes a hardening and implementation clearance process for new devices (e.g. addition of new network device, operating system, web server, DB server, etc).

How to implement SSL on Resin 4.0.8

2010-08-10T21:06:00.003+03:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

1. Login to the server using Root account.
2. Change permissions on the keys folder:
chmod 640 /usr/local/resin/keys
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csr
Note: The command above should be written as one line.
5. Send the file /tmp/resin.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /usr/local/resin/keys/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/resin/keys/
10. Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section bellow from:

<http address="*" port="8443">
<jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
To:
<http address="Server_DNS_Name" port="443">
<openssl>
<certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
<certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
<certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
<password>my-password</password>
</openssl>
</http>

Note: Replace “my-password” with the password for the “server.key” file.
11. Restart the Resin services:
/etc/init.d/resin restart
12. Backup the file /usr/local/resin/keys/server.key

Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

2010-08-09T21:43:00.005+03:00

Pre-requirements:
• JDK 1.6 source file
• Resin Professional 4.0.8 source file

Installation phase
1. Login to the server using Root account.
2. Create a new account:
groupadd resin
useradd -g resin -d /home/resin -s /bin/bash resin
3. Create folder for the web content:
mkdir -p /www
4. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
5. Copy JDK 1.6 into /tmp
6. Change the permissions on the JDK 1.6:
chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin
7. Run the command bellow to install JDK 1.6:
/tmp/jdk-6u20-linux-i586-rpm.bin
8. Remove the JDK 1.6 source files:
rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
rm -f /usr/java/jdk1.6.0_20/src.zip
rm -rf /usr/java/jdk1.6.0_20/demo
rm -rf /usr/java/jdk1.6.0_20/sample
rm -rf /opt/sun/javadb/demo
rm -rf /opt/sun/javadb/docs
9. Before compiling the Resin environment, install the following RPM from the RHEL DVD:
rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
rpm -ivh glibc-headers-2.5-42.i386.rpm
rpm -ivh glibc-devel-2.5-42.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh gcc-4.1.2-46.el5.i386.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
rpm -ivh zlib-devel-1.2.3-3.i386.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm
10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp
11. Move to /tmp
cd /tmp
12. Extract the resin-pro-4.0.8.tar.gz file:
tar -zxvf resin-pro-4.0.8.tar.gz
13. Move to the Resin 4.0.8 source folder:
cd /tmp/resin-pro-4.0.8
14. Run the commands bellow to compile the Resin 4.0.8 environment:
./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20
Note: The command above should be written as one line.

make

make install
15. Edit using VI, the file /usr/local/resin/conf/resin.xml and change the string bellow:
From:
<resin:if test="${resin.userName == 'root'}">
To:
<resin:if test="${resin.userName == 'resin'}">

From:
<user-name>www-data</user-name>
To:
<user-name>resin</user-name>

From:
<group-name>www-data</group-name>
To:
<group-name>resin</group-name>

From:
<server id="" address="127.0.0.1" port="6800">
To:
<server id="" address="Server_DNS_Name" port="6800">

From:
<http address="*" port="8080"/>
To:
<http address="Server_DNS_Name" port="8080"/>

From:
<dependency-check-interval>2s</dependency-check-interval>
To:
<dependency-check-interval>600s</dependency-check-interval>

From:
<host id="" root-directory=".">
To:
<host id="Server_DNS_Name" root-directory="/www">

From:
<root-directory>.</root-directory>
To:
<root-directory>/www</root-directory>

From:
<resin:set var="resin_admin_external" value="false"/>
To:
<resin:set var="resin_admin_external" value="true"/>
16. Change the ownership on the folder bellow:
chown resin:root -R /www/*
17. Manually start the Resin service:
/usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin
18. Manually stop the Resin service:
/usr/local/resin/bin/resin.sh stop
19. Copy the Resin license file into /usr/local/resin/licenses
20. Change the ownership and permissions on the folders bellow:
chmod 664 -R /www/watchdog-data/
chmod 777 /www/watchdog-data/default/
chown resin:root -R /www/watchdog-data/*
21. Remove the Resin 4.0.8 source folder:
rm -rf /tmp/resin-pro-4.0.8
22. Remove default documents:
rm -rf /www/doc/resin-doc
23. To start Resin service at server start-up, run the commands bellow:
chkconfig --add resin
chkconfig resin on
/etc/init.d/resin start
24. From a client machine, open an internet browser and login to the address:
http://Server_DNS_Name:8080/resin-admin/
25. Enter a username and password in the lower half of the page, then click "Create Configuration File". The recommended username is "admin".
26. Rename the admin-users.xml file:
mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml
27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.

Hardening guide for WordPress 3.0 for hosted web sites

2010-07-24T11:29:00.003+03:00

Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.

1. Request from your hosting provider access through SSH.
2. Login to the hosted server using SSH.
3. Edit using VI the file ~/html/wp-config.php and write down the data of the following values:
• DB_NAME
• DB_USER
• DB_PASSWORD
4. Create using VI the file ~/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with the MySQL account to access the database.
Note 3: Replace “password2” with the MySQL account password.
Note 4: Replace “m6gf42s” with the WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
5. Edit using VI, the file ~/html/wp-config.php
• Add the following line:
include('/path/config.php');
Note: Replace /path/ with the full path to the config.php file.
• Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
6. Remove default content:
rm -f ~/html/license.txt
rm -f ~/html/readme.html
rm -f ~/html/wp-config-sample.php
rm -f ~/html/wp-content/plugins/hello.php
7. Create using VI the file ~/html/.htaccess with the following content:
<files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
</Files>
8. Create using VI the file ~/html/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
9. Create the following folders:
mkdir -p ~/html/wp-content/cache
mkdir -p ~/html/wp-content/uploads
mkdir -p ~/html/wp-content/upgrade
10. Change the file permissions:
chmod -R 777 ~/html/wp-content/cache
chmod -R 777 ~/html/wp-content/uploads
chmod -R 777 ~/html/wp-content/upgrade
11. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
12. Download "Limit Login" plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
13. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
14. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
15. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
16. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
17. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /html/wp-content/plugins
18. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
19. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> put a new value inside the "Tagline" field -> click on "Save changes".
20. Click on "Save changes".
21. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
22. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
23. Click "Submit".
24. From the upper pane, click on "Log Out".
25. In-case the server was configured with SSL certificate, add the following line to the config.php file:
define('FORCE_SSL_LOGIN', true);

IPv6 - Problem and some solutions

2010-07-23T15:56:00.005+03:00

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html
Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html
Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 - Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco - IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

NAC technology

2010-07-19T10:51:00.001+03:00

Here is a good article (in Hebrew) from a colleague of mine, explaining about NAC technology.
The article contains some background about the NAC technology, possible solutions, how to manage the MAC address, Agent Based NAC, Port NAC and summary of the topic.

The article can be found at:
http://www.digitalwhisper.co.il/files/Zines/0x07/DW7-3-NAC.pdf

Roy Horev, the author of the article can be reached at royhorev@gmail.com

3G Mobile Network Security

2010-07-19T10:45:00.004+03:00

Here is a good article (in Hebrew) from a colleague of mine, explaining about 3G Mobile Network Security.
The article contains some background about the cellular technology, how things are working, possible risks and how to deal with the risks.

The article can be found at:
http://www.digitalwhisper.co.il/files/Zines/0x08/DW8-1-3GSecurity.pdf

Roy Horev, the author of the article can be reached at royhorev@gmail.com

Windows 2008 R2 Certification Authority installation guide

2010-07-17T17:56:00.009+03:00

This step-by-step guide explains how to install and configure public key infrastructure, based on:
* Windows 2008 R2 Server core - offline Root CA
* Windows 2008 R2 domain controller
* Windows 2008 R2 enterprise edition - Subordinate Enterprise CA server

Offline Root CA - OS installation phase
1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose "Windows Server 2008 R2 (Server Core Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose "Custom (Advanced)" installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose "Administrator" account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the command prompt window, run the command bellow:
sconfig.cmd
10. Press "2" to replace the computer name -> specify new computer name -> click "Yes" to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
12. From the command prompt window, run the command bellow:
sconfig.cmd
13. Press "5" to configure "Windows Update Settings" -> select "A" for automatic -> click OK.
14. Press "6" to download and install Windows Updates -> choose "A" to search for all updates -> Choose "A" to download and install all updates -> click "Yes" to restart the server.
15. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
16. From the command prompt window, run the command bellow:
sconfig.cmd
17. In-case you need to use RDP to access and manage the server, press "7" to enable "Remote Desktop" -> choose "E" to enable -> choose either "1" or "2" according to your client settings -> Press OK.
18. Press "8" to configure "Network settings" -> select the network adapter by its Index number -> press "1" to configure the IP settings -> choose "S" for static IP address -> specify the IP address, subnet mask and default gateway -> press "2" to configure the DNS servers -> click OK -> press "4" to return to the main menu.
19. Press "9" to configure "Date and Time" -> choose the correct "date/time" and "time zone" -> click OK
20. Press "11" to restart the server to make sure all settings take effect -> click "Yes" to restart the server.

Offline Root CA - Certificate Authority server installation phase
1. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
2. Install Certificate services:
start /w ocsetup.exe CertificateServices /norestart /quiet
3. To check that the installation completed, run the command:
oclist find /i "CertificateServices"
4. Download the file “setupca.vbs” from:
http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
To:
C:\Windows\system32
5. Run the command bellow to configure the Root CA:
Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
6. In-order to verify that the installation completed successfully, open using Notepad, the file “_SetupCA.log” located in the current running directory, and make sure the last line is:
Install complete! Passed
7. Run the command bellow to enable remote management of the Root CA:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
8. Run the command bellow to stop the CertSvc service:
Net stop CertSvc
9. Run the command bellow to change new certificate validity period time:
reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
Note: The command above should be written in one line.
10. Run the command bellow to start the CertSvc service:
Net start CertSvc

Enterprise Subordinate CA - OS installation phase
Pre-requirements:
• Active Directory (Forest functional level – Windows 2008 R2)
• Add “A” record for the Root CA to the Active Directory DNS.

1. Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose "Windows Server 2008 R2 Enterprise Edition Full installation" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose "Custom (Advanced)" installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose "Administrator" account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the “Initial Configuration Tasks” window, configure the following settings:
o Set time zone
o Configure networking – specify static IP address, netmask, gateway, DNS
o Provide computer name and domain – add the server to the domain
o Enable Remote Desktop
10. In-order to be able to remotely manage the Root CA, run the command bellow:
cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA - Certificate Authority server installation phase
Pre-requirements:
• DNS CNAME record named "wwwca" for the Enterprise Subordinate CA.

1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
2. Start -> Administrative Tools -> Server Manager.
3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
• Web Server
o Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
o Application Development
.NET Extensibility
ASP
ISAPI Extensions
o Health and Diagnostics
HTTP Logging
Logging Tools
Tracing
Request Monitor
o Security
Windows Authentication
Client Certificate Mapping Authentication
IIS Client Certificate Mapping Authentication
Request Filtering
o Performance
Static Content Compression
• Management Tools
o IIS Management Console
o IIS Management Scripts and Tools
o IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
4. Click Next -> click Install -> click Close.
5. From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
• Certification Authority
• Certification Authority Web Enrollment
• Certificate Enrollment Policy Web Service
7. Click Next.
8. Configure the following settings:
• Specify Setup Type: Enterprise
• CA Type: Subordinate CA
• Private Key: Create a new private key
• Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
Key length: 2048
Hash algorithm SHA256
• CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
• Certificate Request: Save a certificate to file and manually send it later
• Certificate Database: leave the default settings
• Authentication Type: Windows Integrated Authentication
• Server Authentication Certificate: Choose and assign a certificate for SSL later
9. Click Next twice -> click Install -> click Close.
10. Close the Server Manager.
11. Start -> Administrative Tools -> Certification Authority
12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
13. Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
• Uncheck "Publish Delta CRLs to this location".
• Mark the line begins with "LDAP", and click remove.
• Mark the line begins with "HTTP", and click remove.
• Mark the line begins with "file", and click remove.
• Click on Add -> on the location, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
• Click on the line begins with "HTTP", and make sure the only option checked is: "Include in CDP extension of issued certificates".
• Click on the line begins with "C:\Windows", and make sure the only option checked is: "Publish CRLs to this location"
14. Extensions tab -> extension type: Authority Information Access (AIA):
• Mark the line begins with "LDAP", and click remove.
• Mark the line begins with "HTTP", and click remove.
• Mark the line begins with "file", and click remove.
• Click on Add -> on the location, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
15. Click OK and allow the CA server to restart its services.
16. From the "Certification Authority" left pane, right click on "Revoked certificates"-> Properties:
• CRL publication interval: 180 days
• Make sure "Publish Delta CRLs" is not checked
• Click OK
17. Right click on the CA name -> All tasks -> Stop service
18. Right click on the CA name -> All tasks -> Start service
19. Run the commands bellow from command line, to configure the Offline Root CA to publish in the active-directory:
• certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
• certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace "DC=mycompany,DC=com" according to your domain name.
20. From the "Certification Authority" left pane, right click on "Revoked certificates"-> All tasks -> Publish -> click OK.
21. Close the "Certification Authority" snap-in and logoff the subordinate CA server.
22. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
23. Copy the file bellow from the Offline Root CA server to a temporary folder on the domain controller:
• C:\Windows\System32\CertSrv\CertEnroll\*.crt
24. Start -> Administrative Tools -> Group Policy Management.
25. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
26. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
27. Logoff the domain controller.
28. Return to the subordinate enterprise CA server.
29. Start -> Administrative Tools -> Certification Authority.
30. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
31. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
32. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
33. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name - <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
34. Run the command bellow from command line to avoid offline CRL errors:
Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
35. From the left pane, right click on “Certificate Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
36. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
37. Right click on the subordinate CA server name -> All Tasks -> Start Service.
38. Right click on the subordinate CA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
• Mark the line begins with "HTTP" -> click Remove -> click Yes.
• Mark the line begins with "file" -> click Remove -> click Yes.
• Click on Add -> on the location, put:
http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
• Click on the line begins with "HTTP", and make sure the following options are checked: "Include in CRLs" and "Include in the CDP".
39. Extensions tab -> extension type: Authority Information Access (AIA):
• Mark the line begins with "HTTP" -> click Remove -> click Yes.
• Mark the line begins with "file" -> click Remove -> click Yes.
• Click on Add -> on the location, put:
http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crt
Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
• Click on the line begins with "HTTP", and make sure the following option is checked: "Include in the AIA".
40. Click OK and allow the CA server to restart its services.
41. From the "Certification Authority" left pane, right click on "Revoked certificates"-> All tasks -> Publish -> click OK.
42. Close the "Certification Authority" snap-in
43. Copy the files bellow from the Root CA to the subordinate CA (same location):
• C:\Windows\System32\CertSrv\CertEnroll\*.crl
• C:\Windows\System32\CertSrv\CertEnroll\*.crt
44. Logoff the subordinate CA server.
45. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
46. Copy the file bellow from the subordinate CA server to a temporary folder on the domain controller:
• C:\Windows\System32\CertSrv\CertEnroll\*.crt – copy the newest file
47. Start -> Administrative Tools -> Group Policy Management.
48. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
49. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
50. Logoff the domain controller.

Hardening guide for WordPress 3.0

2010-06-18T15:26:00.006+03:00

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
su sshaccount
4. Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
7. Exit the SSH account shell and return to the Root account:
exit
8. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 3.0 from:
http://wordpress.org/download
11. Copy the WordPress 3.0 source files using PSCP (or SCP) into /www
12. Move to /www
cd /www
13. Extract the wordpress-3.0.zip file:
unzip wordpress-3.0.zip
14. Remove WordPress source file:
rm -f /www/wordpress-3.0.zip
15. Create using VI the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Site Title
• Username - replace the default "admin"
• Password
• E-mail
23. Click on “Install WordPress” button, and close the web browser.
24. Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
25. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>
Note: Replace 1.1.1.0 with the internal network IP address.
26. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
Note: Replace 1.1.1.0 with the internal network IP address.
27. Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
28. Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
29. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
30. Download "Limit Login" plugin from:
http://wordpress.org/extend/plugins/limit-login-attempts/
31. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
32. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
33. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
34. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
35. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
36. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
37. Create a folder for the "WordPress Database Backup" plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
38. Set permissions for the "WordPress Database Backup" plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
39. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
40. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> put a new value inside the "Tagline" field -> click on "Save changes".
41. From WordPress dashboard, click on "settings" -> click on "Media" -> "Store uploads in this folder" -> specify:
wp-content/uploads
42. Click on "Save changes".
43. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
44. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
45. Click "Submit".
46. From the upper pane, click on "Log Out".
47. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);

Hardening guide for VSFTPD on RHEL 5.4

2010-06-16T15:14:00.005+03:00

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase
1. Login to the server using Root account.
2. Install from the RHEL 5.4 DVD the following RPM:
rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
3. Create a group for FTP users:
groupadd ftp-users
4. Create folder for the FTP:
mkdir -p /ftp
5. Change ownership and permissions on the FTP folder:
chown root:ftp-users /ftp
chmod 777 -R /ftp
6. Example of user creation:
useradd -g ftp-users -d /ftp user1
passwd user1
7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
Change from:
anonymous_enable=YES
To:
anonymous_enable=NO

Change from:
xferlog_std_format=YES
To:
xferlog_std_format=NO

Change from:
#tftpd_banner=Welcome to blah FTP service.
To:
tftpd_banner=Secure FTP server

Add the lines bellow:
local_root=/ftp
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
vsftpd_log_file=/var/log/vsftpd.log
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
rsa_cert_file=/etc/vsftpd/vsftpd.pem

8. Run the command bellow to create VSFTP SSL key:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Note: The command above should written as one line.
9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
10. Run the command bellow to manually start the VSFTP service:
/etc/init.d/vsftpd start
11. Run the command bellow to configure the VSFTP to start at server startup:
chkconfig vsftpd on

Hardening guide for Cisco Firewall (PIX, ASA, FWSM)

2010-06-06T09:52:00.003+03:00

Important note
The guide bellow instructs how to secure Cisco Firewall (PIX, ASA, FWSM).
Not all commands will work on every device series or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX):
aaa authentication enable console LOCAL

Configure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX):
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

Configure Local Password (ASA, FWSM, PIX):
passwd <login_password> encrypted

Configure ASDM Access Control (ASA, FWSM, PIX):
http <remote_ip_address> <remote_subnet_mask> <interface_name>

Configuring SSH (ASA, FWSM, PIX):
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access (ASA, PIX):
no telnet 0.0.0.0 0.0.0.0 <interface_name>
ssh <remote_ip_address> <remote_subnet_mask> <interface_name>
ssh version 2

Configure Timeout for Login Sessions (ASA, FWSM, PIX):
console timeout 10
ssh timeout 10

Configure Local User and Encrypted Password (ASA, FWSM, PIX):
username <local_username> password <local_password> encrypted

Configure Enable Password (ASA, FWSM, PIX):
enable password <enable_password> encrypted

Disable SNMP Read Access (ASA, FWSM, PIX):
clear configure snmp-server
no snmp-server host <interface_name> <remote_ip_address>

Disable SNMP Traps (ASA, FWSM, PIX):
no snmp-server enable traps all

Configure Clock Time Zone (ASA, PIX):
clock timezone GMT <hours offset>

Disable DHCP Server Service (ASA, FWSM, PIX):
clear configure dhcpd
no dhcpd enable <interface_name>

Disable HTTP Service (ASA, FWSM, PIX) - in-case not in use:
no http server enable port>

Configure Console Logging Severity Level (ASA, FWSM, PIX):
logging console critical

Configure Timestamps in Log Messages (ASA, FWSM, PIX):
logging timestamp

Configure AAA Flood Guard (FWSM, PIX):
floodguard enable

Configure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX):
fragment chain 1 <interface_name>

Configure Protocol Inspection (FWSM, PIX):
fixup protocol ftp <port>
fixup protocol http <port>
fixup protocol smtp <port>

Configure Protocol Inspection (ASA):
inspect ftp [map_name]
inspect http [map_name]
inspect esmtp [map_name]

Configure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX):
interface <interface_id>
ip verify reverse-path interface <interface_name>
exit

Save the changes:
wr

Hardening guide for Cisco Routers and Switches

2010-06-03T16:43:00.006+03:00

Important note
The guide bellow instructs how to secure Cisco router/switch.
Not all commands will work on every device series (router/switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.

Hardening phase
Configure AAA service:
aaa new-model

Configure AAA Authentication for Login:
aaa authentication login default local-case

Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable

Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit

Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit

Set and secure passwords:
service password-encryption
enable secret 0 <password>

Configure Local User and Encrypted Password:
username <username> password <password>
Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T:
username <username> secret <password>

Configure SSH:
hostname <device_hostname>
domain-name <domain-name>
crypto key generate rsa modulus 2048

Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3

Configure VTY Transport SSH:
line console 0
transport input ssh
exit
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit

Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit

Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit

Disable SNMP server (in-case not in use):
no snmp-server

Disable SNMP Community Strings private and public:
no snmp-server community private
no snmp-server community public

Configure Clock Timezone - GMT:
clock timezone GMT <hours>

Disable Router Name and DNS Name Resolution (in-case not in use):
no ip domain-lookup

Disable CDP Run Globally:
no cdp run

Disable PAD service (in-case not in use):
no service pad

Disable Finger Service:
no service finger

Disable Maintenance Operations Protocol (MOP):
interface <interface-id>
no mop enabled
exit

Disable DHCP server (in-case not in use):
no service dhcp

Disable IP BOOTP server (in-case not in use):
no ip bootp server

Disable Identification Service:
no identd

Disable IP HTTP Server (in-case not in use):
no ip http server

Disable Remote Startup Configuration:
no boot network
no service config

Configure TCP keepalives Services:
service tcp-keepalives-in
service tcp-keepalives-out

Disable small-servers:
no service tcp-small-servers
no service udp-small-servers

Disable TFTP Server:
no tftp-server

Configure Logging:
logging on
logging buffered 16000
logging console critical

Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

Disable IP source-route:
no ip source-route

Disable Directed Broadcast:
interface <interface-id>
no ip directed-broadcast
exit

Configure Unicast Reverse-Path Forwarding:
interface <interface-id>
ip verify unicast reverse-path
exit

Disable IP Proxy ARP:
interface <interface-id>
no ip proxy-arp
exit

Disable Gratuitous-Arps:
no ip gratuitous-arps

Configure switch port-security:
switchport port-security
switchport port-security violation shutdown
switchport port-security maximum 1
switchport port-security mac-address sticky

Save the changes:
wr

How to implement SSL on Apache 2.2.15

2010-06-01T20:04:00.003+03:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /usr/local/apache2/ssl
chmod 600 /usr/local/apache2/ssl
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
5. Send the file /tmp/apache.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /usr/local/apache2/ssl/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/apache2/ssl/
10. Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines:
Listen Server_FQDN:443
SSLEngine on
SSLCertificateKeyFile /usr/local/apache2/ssl/server.key
SSLCertificateFile /usr/local/apache2/ssl/server.crt
SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Note: Replace Server_FQDN with the server DNS name (as written on the certificate).
11. Restart the Apache services:
/usr/local/apache2/bin/apachectl restart
12. Backup the file /usr/local/apache2/ssl/server.key

How to implement SSL on Nginx 0.7.65

2010-05-31T17:19:00.003+03:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /usr/local/nginx/ssl
chmod 600 /usr/local/nginx/ssl
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr
Note: The command above should be written as one line.
5. Send the file /tmp/nginx.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /usr/local/nginx/ssl
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/nginx/ssl
10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file:
cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt > /usr/local/nginx/ssl/server.pem
Note: The command above should be written as one line.
11. Remove the original server.crt and ca-bundle.crt files:
rm -f /usr/local/nginx/ssl/server.crt
rm -f /usr/local/nginx/ssl/ca-bundle.crt
12. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from:
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;

# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_timeout 5m;

# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}
To:
server {
listen 443;
server_name Server_FQDN;

ssl on;
ssl_certificate /usr/local/nginx/ssl/server.pem;
ssl_certificate_key /usr/local/nginx/ssl/server.key;

ssl_session_timeout 5m;

ssl_protocols SSLv3;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;

location / {
root /www;
index index.html index.htm;
}
}
13. Restart the Nginx service:
/etc/init.d/nginx restart

Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)

2010-05-31T17:06:00.003+03:00

1. Login to the server using Root account.
2. Create a new account:
groupadd nginx
useradd -g nginx -d /dev/null -s /sbin/nologin nginx
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Nginx environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
5. Download Nginx 0.7.65 from:
http://wiki.nginx.org/NginxInstall
6. Copy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Extract the nginx-0.7.65.tar.gz file:
tar -zxvf nginx-0.7.65.tar.gz
9. Move to the Nginx source folder:
cd /tmp/nginx-0.7.65
10. Edit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from:
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
To:
static char ngx_http_server_string[] = "Server: Secure Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Secure Web Server" CRLF;
11. Run the commands bellow to compile the Nginx environment:
./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module

make

make install
12. Remove the Nginx source files:
rm -rf /tmp/nginx-0.7.65
rm -f /tmp/nginx-0.7.65.tar.gz
13. Remove Default Content
rm -rf /usr/local/nginx/html
14. Updating Ownership and Permissions on Nginx folders:
chown -R root:root /usr/local/nginx
chmod 750 /usr/local/nginx/sbin/nginx
chmod -R 640 /usr/local/nginx/conf
chmod -R 770 /usr/local/nginx/logs
15. Create folder for the web content:
mkdir -p /www
16. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
17. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings:
From:
#user nobody;
To:
user nginx nginx;

From:
#error_log logs/error.log notice;
To:
error_log logs/error.log notice;

From:
server_name localhost;
To:
server_name Server_FQDN;

From:
root html;
To:
root /www;

18. Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file:
server_tokens off;
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 10;
19. Create using VI, the file /etc/init.d/nginx with the following content:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

start() {
[ -x $nginx ] exit 5
[ -f $NGINX_CONF_FILE ] exit 6
echo -n $"Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}

stop() {
echo -n $"Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}

restart() {
configtest return $?
stop
sleep 1
start
}

reload() {
configtest return $?
echo -n $"Reloading $prog: "
killproc $nginx -HUP
RETVAL=$?
echo
}

force_reload() {
restart
}

configtest() {
$nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
status $prog
}

rh_status_q() {
rh_status >/dev/null 2>&1
}

case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q exit 0
$1
;;
restartconfigtest)
$1
;;
reload)
rh_status_q exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestarttry-restart)
rh_status_q exit 0
;;
*)
echo $"Usage: $0 {startstopstatusrestartcondrestarttry-restartreloadforce-reloadconfigtest}"
exit 2
esac
20. Change the permissions of the file /etc/init.d/nginx
chmod +x /etc/init.d/nginx
21. To start Nginx service at server start-up, run the command:
chkconfig nginx on
22. To manually start the Nginx service, use the command:
/etc/init.d/nginx start
23. Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

How to implement SSL on Lighttpd 1.4.26

2010-05-29T23:42:00.003+03:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /etc/lighttpd/ssl
chmod 600 /etc/lighttpd/ssl
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024
Note: Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr
Note: The command above should be written as one line.
5. Send the file /tmp/lighttpd.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /etc/lighttpd/ssl/
8. Combine the content of both the private key (server.key) and the public key (server.crt) into one file:
cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt > /etc/lighttpd/ssl/server.pem
Note: The command above should be written as one line.
9. Remove the original server.crt file:
rm -f /etc/lighttpd/ssl/server.crt
10. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
11. Copy the file "ca-bundle.crt" using SCP into /etc/lighttpd/ssl
12. Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings:
$SERVER["socket"] == "Server_FQDN:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle.crt"
server.name = "Server_FQDN"
server.document-root = "/www"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
ssl.use-sslv2 = "disable"
ssl.cipher-list ="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
}
13. Restart the Lighttpd service.

Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

2010-05-29T23:29:00.004+03:00

1. Login to the server using Root account.
2. Create a new account:
groupadd lighttpd
useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Lighttpd environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-49.x86_64.rpm
rpm -ivh glibc-devel-2.5-49.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm
5. Download Lighttpd 1.4.26 from:
http://www.lighttpd.net/download/
6. Copy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Extract the lighttpd-1.4.26.tar.gz file:
tar -zxvf lighttpd-1.4.26.tar.gz
9. Download into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c
10. Move to the Lighttpd source folder:
cd /tmp/lighttpd-1.4.26
11. Run the commands bellow to compile the Lighttpd environment:
./configure --with-openssl --without-bzip2
make
make install
12. Create the following folders:
mkdir -p /etc/lighttpd
mkdir -p /var/log/lighttpd
mkdir -p /var/cache/lighttpd/compress
13. Copy the lighttpd.conf file:
cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf
14. Updating Ownership and Permissions on Lighttpd folders:
chown lighttpd:lighttpd /var/log/lighttpd
chown lighttpd:root /etc/lighttpd/lighttpd.conf
chown lighttpd:lighttpd /var/cache/lighttpd/compress
chmod o-r /etc/lighttpd/lighttpd.conf
chmod -R o-r /var/log/lighttpd
15. Create folder for the web content:
mkdir -p /www
16. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
17. Edit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings:
From:
server.document-root = "/srv/www/htdocs/"
To:
server.document-root = "/www"

From:
#server.bind = "127.0.0.1"
To:
server.bind = "Server_FQDN"

From:
# server.tag = "lighttpd"
To:
server.tag = "Secure Web Server"

From:
#server.username = "wwwrun"
To:
server.username = "lighttpd"

From:
#server.groupname = "wwwrun"
To:
server.groupname = "lighttpd"

From:
#dir-listing.activate = "enable"
To:
dir-listing.activate = "disable"

18. Create using VI, a file called /etc/sysconfig/lighttpd with the following content:
LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf
19. To manually start Lighttpd use the command:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
20. To start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
21. Remove the Lighttpd source files:
rm -rf /tmp/lighttpd-1.4.26
rm -f /tmp/lighttpd-1.4.26.tar.gz
22. Uninstall the following RPM:
rpm -e gcc-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5

Hardening guide for WordPress 2.9.2

2010-05-28T17:46:00.003+03:00

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)
Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

Installation and configuration phase
1. Login to the server using Root account.
2. Create a new account for uploading files using SSH:
groupadd sshaccount
useradd -g sshaccount -d /home/sshaccount -m sshaccount
3. Run the commands bellow to switch to the SSH account:
su sshaccount
4. Run the command bellow to generate SSH keys:
ssh-keygen
Note: Leave deafult values for the ssh-keygen.
5. Copy the SSH keys:
cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys
6. Change permissions for the SSH keys:
chmod 755 /home/sshaccount/.ssh
chmod 644 /home/sshaccount/.ssh/*
7. Exit the SSH account shell and return to the Root account:
exit
8. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
9. Run the following commands from the MySQL prompt:
CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2';
SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2');
CREATE DATABASE m6gf42s;
GRANT ALL PRIVILEGES ON m6gf42s.* TO "blgusr"@"localhost" IDENTIFIED BY "password2";
FLUSH PRIVILEGES;
quit
Note 1: Replace “blgusr” with your own MySQL account to access the database.
Note 2: Replace “password2” with complex password (at least 14 characters).
Note 3: Replace “m6gf42s” with your own WordPress database name.
10. Download WordPress 2.9.2 from:
http://wordpress.org/download
11. Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www
12. Move to /www
cd /www
13. Extract the wordpress-2.9.2.tar.gz file:
tar -zxvf wordpress-2.9.2.tar.gz
14. Remove WordPress source file:
rm -f /www/wordpress-2.9.2.tar.gz
15. Create using VI the file /www/config.php with the following content:
<?php
define('DB_NAME', 'm6gf42s');
define('DB_USER', 'blgusr');
define('DB_PASSWORD', 'password2');
define('DB_HOST', '127.0.0.1');
$table_prefix = 'm6gf42s_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0777);
define('FS_CHMOD_FILE', 0777);
define('FTP_BASE', '/www/wordpress/');
define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/');
define('FTP_PLUGIN_DIR ', '/www/wordpress/wp-content/plugins/');
define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub');
define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa');
define('FTP_USER', 'sshaccount');
define('FTP_HOST', '127.0.0.1:22');
?>
Note 1: Make sure there are no spaces, newlines, or other strings before an opening '< ?php' tag or after a closing '?>' tag.
Note 2: Replace “blgusr” with your own MySQL account to access the database.
Note 3: Replace “password2” with complex password (at least 14 characters).
Note 4: Replace “m6gf42s” with your own WordPress database name.
Note 5: In-order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site bellow:
http://api.wordpress.org/secret-key/1.1/
16. Copy the wp-config.php file:
cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php
17. Edit using VI, the file /www/wordpress/wp-config.php
Add the following line:
include('/www/config.php');
Remove the following sections:
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
18. Remove default content:
rm -f /www/wordpress/license.txt
rm -f /www/wordpress/readme.html
rm -f /www/wordpress/wp-config-sample.php
rm -f /www/wordpress/wp-content/plugins/hello.php
19. Edit using VI the file /usr/local/apache2/conf/httpd.conf
Replace the value of the string, from:
DocumentRoot "/www"
To:
DocumentRoot "/www/wordpress"
Replace the value of the string, from:
LimitRequestBody 10000
To:
LimitRequestBody 200000
20. Restart the Apache service.
21. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-admin/install.php
22. Specify the following information:
• Blog Title
• E-Mail
23. Click on “Install WordPress” button, and close the web browser.
24. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
25. Run the following commands from the MySQL prompt:
use m6gf42s;
UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin';
UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd';
FLUSH PRIVILEGES;
quit
Note 1: Replace “m6gf42s” with your own WordPress database name.
Note 1: Replace “johnd” with your own new WordPress admin.
Note 2: Replace “password3” with complex password (at least 14 characters).
26. Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from:
'timeout' => apply_filters( 'http_request_timeout', 5),
To:
'timeout' => apply_filters( 'http_request_timeout', 30),
27. Create using VI the file /www/wordpress/.htaccess with the following content:
<files wp-config.php>
Order deny,allow
deny from all
</files>
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
</Files>

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Note 1: Replace 1.1.1.0 with the internal network IP address.
Note 2: Replace Server_FQDN with the server FQDN (DNS name).
28. Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
<LIMIT GET POST>
order deny,allow
deny from all
Allow from 1.1.1.0
</LIMIT>
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>
Note: Replace 1.1.1.0 with the internal network IP address.
29. Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from All
Allow from 1.1.1.0
Note: Replace 1.1.1.0 with the internal network IP address.
30. Create the following folders:
mkdir -p /www/wordpress/wp-content/cache
mkdir -p /www/wordpress/wp-content/uploads
mkdir -p /www/wordpress/wp-content/upgrade
31. Change the file permissions:
chown -R root:root /www/wordpress
chown daemon:root /www/wordpress/wp-content/plugins
chmod 644 /www/config.php
chmod 644 /www/wordpress/wp-config.php
chmod 644 /www/wordpress/.htaccess
chmod 644 /www/wordpress/wp-admin/.htaccess
chmod 644 /www/wordpress/wp-content/plugins/.htaccess
chmod -R 777 /www/wordpress/wp-content/cache
chmod -R 777 /www/wordpress/wp-content/uploads
chmod -R 777 /www/wordpress/wp-content/upgrade
32. Download "Login Lockdown" plugin from:
http://www.bad-neighborhood.com/login-lockdown.html
33. Download "WP-Secure Remove Wordpress Version" plugin from:
http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/
34. Download "WP Security Scan" plugin from:
http://wordpress.org/extend/plugins/wp-security-scan/
35. Download "KB Robots.txt" plugin from:
http://wordpress.org/extend/plugins/kb-robotstxt/
36. Download "WordPress Database Backup" plugin from:
http://austinmatzko.com/wordpress-plugins/wp-db-backup/
37. Download "WordPress Firewall" plugin from:
http://www.seoegghead.com/software/wordpress-firewall.seo
38. Copy the "WordPress Firewall" plugin file "wordpress-firewall.php" using PSCP (or SCP) into /www/wordpress/wp-content/plugins
39. Create a folder for the "WordPress Database Backup" plugin:
mkdir -p /www/wordpress/wp-content/backup-ed602
40. Set permissions for the "WordPress Database Backup" plugin:
chmod 777 /www/wordpress/wp-content/backup-ed602
41. Open a web browser from a client machine, and enter the URL bellow:
http://Server_FQDN/wp-login.php
42. From WordPress dashboard, click on "settings" -> make sure that "Anyone can register" is left unchecked -> click on "Save changes".
43. From WordPress dashboard, click on "settings" -> click on "Miscellaneous" -> "Store uploads in this folder" -> specify:
wp-content/uploads
44. Click on "Save changes".
45. From WordPress dashboard, click on "Plugins" -> Add New -> choose "Upload" -> click Browse to locate the plugin -> click "Install Now" -> click "Proceed" -> click on "Activate Plugin".
Note: Install and activate all the above downloaded plugins.
46. From WordPress dashboard, click on "settings" -> click on "KB Robots.txt" -> add the following content into the Robots.txt editor field:
Disallow: /wp-*
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-register.php
47. Click "Submit".
48. From the upper pane, click on "Log Out".
49. In-case the server was configured with SSL certificate, add the following line to the /www/config.php file:
define('FORCE_SSL_LOGIN', true);

Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

2010-05-25T19:55:00.004+03:00

Pre-installation notes
The guide bellow is based on the previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Installation and configuration phase
1. Login to the server using Root account.
2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
3. Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Download PHP 5.3.2 source files from:
http://php.net/downloads.php
5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
7. Move to /tmp
cd /tmp
8. Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
9. Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
10. Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz
11. Move to the PHP source folder:
cd /tmp/php-5.3.2
Run the commands bellow to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

make

make install
12. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
Make sure the following string exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following string, to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line from:
DirectoryIndex index.html
To:
DirectoryIndex index.php index.html index.htm
13. Copy the PHP.ini file
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
14. Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
15. Edit using VI, the file /etc/php.ini and replace the following values:
From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306

From:
allow_url_fopen = On
To:
allow_url_fopen = Off

From:
expose_php = On
To:
expose_php = Off

From:
memory_limit = 128M
To:
memory_limit = 8M

From:
;open_basedir =
To:
open_basedir = "/www"

From:
post_max_size = 8M
To:
post_max_size = 2M

From:
upload_max_filesize = 2M
To:
upload_max_filesize = 1M

From:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

From:
display_errors = On
To:
display_errors = Off

From:
display_startup_errors = On
To:
display_startup_errors = Off

16. Run the commands bellow to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
17. Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
18. Uninstall the following RPM:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

2010-05-21T15:03:00.007+03:00

1. Login to the server using Root account.
2. Create a new account:
groupadd mysql
useradd -d /dev/null -g mysql -s /bin/false mysql
3. Download MySQL server and client RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp
5. Move to /tmp
cd /tmp
6. Install the MySQL packages:
rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
7. Delete the MySQL source files:
rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm
rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm
8. Run the commands bellow to set ownership and permissions:
chown -R root /usr/bin/mysql*
chown -R mysql:root /var/lib/mysql
chmod -R go-rwx /var/lib/mysql
mkdir -p /var/log/mysql
chown -R mysql:root /var/log/mysql
9. Run the command bellow to copy the main configuration file:
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
10. Run the commands bellow to remove default folder:
rm -rf /var/lib/mysql/test
rm -f /usr/share/mysql/*.cnf
11. Run the command bellow to set ownership and permissions for my.cnf file:
chown root /etc/my.cnf
chmod 644 /etc/my.cnf
12. Edit using VI, the file /etc/my.cnf
Add the strings bellow under the [mysqld] section
pid-file = /var/lib/mysql/mysqld.pid
log = /var/log/mysql/mysql.log
bind-address = 127.0.0.1
Add the section bellow:
[safe_mysqld]
err-log = /var/log/mysql/mysql.err
13. Run the command bellow to restart the target server:
reboot
14. Login to the server using Root account.
15. Run the commands bellow to set password for the MySQL root user:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h hostname password 'new-password'
Note 1: Specify complex password (at least 14 characters) and document it.
Note 2: Replace “hostname” with the server FQDN (DNS name)
16. Run the command bellow to login to the MySQL:
/usr/bin/mysql -uroot -pnew-password
Note: Replace the string “new-password” with the actual password for the root account.
17. Run the following commands from the MySQL prompt:
use mysql;
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';
DROP DATABASE test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
quit
18. Run the command bellow to stop the MySQL service:
/etc/init.d/mysql stop
19. Run the command bellow to start the MySQL service:
/etc/init.d/mysql start

Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

2010-05-20T21:12:00.010+03:00

1. Login to the server using Root account.
2. Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Apache environment, install the following RPM:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm
5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
6. Move to /tmp
cd /tmp
7. Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
8. Move to the Apache source folder:
cd httpd-2.2.15
9. Run the commands bellow to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl

make

make install
10. Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15
rm -f /tmp/httpd-2.2.15.tar.gz
11. Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
12. Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs
13. Create folder for the web content:
mkdir -p /www
14. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"

From:
Listen 80
To:
Listen Server_FQDN:80

From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com

From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN

From:
LogLevel warn
To:
LogLevel notice

From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

From:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</limitexcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

16. Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500
17. Remove the sections bellow from the file httpd.conf
<Directory "/usr/local/apache2/cgi-bin">
18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"

19. Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
20. To start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line bellow:
/usr/local/apache2/bin/apachectl start
21. Uninstall the following RPM:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5

Previous guides:
Hardening guide for Apache 2.0 on Solaris 10 platform
How to implement SSL on Apache 2.0

Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

2010-05-13T11:58:00.005+03:00

OS installation phase
1. Boot the server using Windows 2008 R2 bootable DVD.
2. Specify the product ID -> click Next.
3. From the installation option, choose "Windows Server 2008 R2 (Server Core Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose "Custom (Advanced)" installation type -> specify the hard drive to install the operating system -> click Next.
6. Allow the installation phase to continue and restart the server automatically.
7. To login to the server for the first time, press CTRL+ALT+DELETE
8. Choose "Administrator" account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
9. From the command prompt window, run the command bellow:
sconfig.cmd
10. Press "2" to replace the computer name -> specify new computer name -> click "Yes" to restart the server.
11. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
12. From the command prompt window, run the command bellow:
sconfig.cmd
13. Press "5" to configure "Windows Update Settings" -> select "A" for automatic -> click OK.
14. Press "6" to download and install Windows Updates -> choose "A" to search for all updates -> Choose "A" to download and install all updates -> click "Yes" to restart the server.
15. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
16. From the command prompt window, run the command bellow:
sconfig.cmd
17. In-case you need to use RDP to access and manage the server, press "7" to enable "Remote Desktop" -> choose "E" to enable -> choose either "1" or "2" according to your client settings -> Press OK.
18. Press "8" to configure "Network settings" -> select the network adapter by its Index number -> press "1" to configure the IP settings -> choose "S" for static IP address -> specify the IP address, subnet mask and default gateway -> press "2" to configure the DNS servers -> click OK -> press "4" to return to the main menu.
19. Press "9" to configure "Date and Time" -> choose the correct "date/time" and "time zone" -> click OK
20. Press "11" to restart the server to make sure all settings take effect -> click "Yes" to restart the server.

Web server installation phase
1. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
2. For minimal installation of IIS7.5 features, run the command bellow from command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
3. For full installation of IIS7.5 (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
4. For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command bellow from command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
5. Create a new folder for the WWW content, in a different partition then the operating system, for example:
md D:\WWW
6. Copy the content of the web site to the newly created folder.
7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
8. Run the command bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
9. Create a new folder for the LogFiles content, in a different partition then the operating system, for example:
md D:\LogFiles
10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
11. Run the commands bellow to configure IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"

%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
12. Run the command bellow to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW

How to implement SSL on Apache 2.0

2010-01-14T13:51:00.005+02:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform

SSL implementation phase
1. Login to the server using Root account.
2. Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
3. Run the command bellow to install OpenSSL packages:
pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries
4. Create folder for the SSL certificate files:
mkdir -p /etc/apache2/ssl.crt
5. Create folder for the SSL private key:
mkdir -p /etc/apache2/ssl.key
6. Run the command bellow to generate a key pair:
/usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024
Specify a complex pass phrase for the private key (and document it)
7. Change the permissions on the private key file:
chmod 600 /etc/apache2/ssl.key/server.key
8. Run the command bellow to generate the CSR:
/usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr
Note: The command above should be written as one line.
9. Send the file /tmp/apache.csr to a Certificate Authority server.
10. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
11. Copy the file "server.crt" using SCP into /etc/apache2/ssl.crt/
12. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
13. Copy the file "ca-bundle.crt" using SCP into /etc/apache2/ssl.crt/
14. Edit using VI the file /etc/apache2/ssl.conf and change the following strings:
From:
SSLSessionCache dbm:/var/run/apache2/ssl_scache
To:
SSLSessionCache dbm:/var/ apache2/ssl_scache

From:
SSLMutex file:/var/run/apache2/ssl_mutex
To:
SSLMutex file:/var/apache2/ssl_mutex

From:
ServerName 127.0.0.1:443
To:
ServerName Server_FQDN:443

From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"

From:
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
To:
SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

From:
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

To:
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

15. Remove the section bellow:
<Directory "/var/apache2/cgi-bin">
16. Stopping Apache from command line:
/usr/apache2/bin/apachectl stop
17. Starting Apache from command line:
/usr/apache2/bin/apachectl startssl

Drupal and Apache Web Site Security Checklist

2010-01-05T16:28:00.005+02:00

This days more and more people are using Drupal to maintain their web sites.
With the popularity comes the security risks (see: http://drupal.org/security).

Here is a very good guide I found on the web, for securing Drupal on Apache web servers:

Part 1:
http://nadeausoftware.com/articles/2009/05/drupal_and_apache_web_site_security_checklist_part_1
Part 2:
http://nadeausoftware.com/articles/2009/06/drupal_and_apache_web_site_security_checklist_part_2
Part 3:
http://nadeausoftware.com/articles/2009/07/drupal_and_apache_web_site_security_checklist_part_3

Thanks to Nadeau software consulting.

Hardening guide for Apache 2.0 on Solaris 10 platform

2009-12-29T21:28:00.003+02:00

1. Login to the server using Root account.
2. Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
passwd apache
passwd -l apache
3. Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
4. Run the command bellow to install Apache2 packages:
pkgadd -d . SUNWapch2r SUNWapch2u
5. Remove Default Content
rm -r /var/apache2/htdocs/
rm -r /var/apache2/cgi-bin/
rm -r /var/apache2/icons/
6. Updating Ownership and Permissions on Apache2 folders:
chown -R root:root /usr/apache2
chmod -R 770 /usr/apache2/bin
chown -R root:root /etc/apache2
chmod -R go-r /etc/apache2
chmod -R 770 /etc/apache2
chown -R root:root /var/apache2/logs
chmod -R 700 /var/apache2/logs
7. Create folder for the web content:
mkdir -p /www
8. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
9. Copy the configuration file in-order to edit it:
cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
10. Edit using VI the file /etc/apache2/httpd.conf and change the following strings:
From:
# LockFile /var/apache2/logs/accept.lock
To:
LockFile /var/apache2/logs/accept.lock

From:
User webservd
To:
User apache

From:
Group webservd
To:
Group apache

From:
PidFile /var/run/apache2/httpd.pid
To:
PidFile /var/apache2/logs/httpd.pid

From:
DocumentRoot "/var/apache2/htdocs"
To:
DocumentRoot "/www"

From:
ServerSignature On
To:
ServerSignature Off
HostnameLookups Off

From:
# ServerTokens
To:
ServerTokens Prod

From:
ServerAdmin you@yourhost.com
To:
ServerAdmin webmaster@yourcompany.com

From:
ServerName 127.0.0.1
To:
ServerName Server_FQDN

From:
Timeout 300
To:
Timeout 60

From:
LogLevel warn
To:
LogLevel notice

From:
IndexOptions FancyIndexing VersionSort
To:
# IndexOptions FancyIndexing VersionSort

From:
ReadmeName README.html
To:
# ReadmeName README.html

From:
HeaderName HEADER.html
To:
# HeaderName HEADER.html

From:
AddIcon
To:
# AddIcon

From:
DefaultIcon /icons/unknown.gif
To:
# DefaultIcon /icons/unknown.gif

From:
Alias /icons/ "/var/apache2/icons/"
To:
# Alias /icons/ "/var/apache2/icons/"

From:
AliasMatch
To:
# AliasMatch

From:
ScriptAlias
To:
# ScriptAlias

From:
LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To:
# LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

From
LoadModule imap_module libexec/mod_imap.so
To:
# LoadModule imap_module libexec/mod_imap.so

From:
LoadModule cgi_module libexec/mod_cgi.so
To:
# LoadModule cgi_module libexec/mod_cgi.so

From:
LoadModule suexec_module libexec/mod_suexec.so
To:
# LoadModule suexec_module libexec/mod_suexec.so

From:
LoadModule autoindex_module libexec/mod_autoindex.so
To:
# LoadModule autoindex_module libexec/mod_autoindex.so

From:
LoadModule info_module libexec/mod_info.so
To:
# LoadModule info_module libexec/mod_info.so

From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule status_module libexec/mod_status.so
To:
# LoadModule status_module libexec/mod_status.so

From:
LoadModule userdir_module libexec/mod_userdir.so
To:
# LoadModule userdir_module libexec/mod_userdir.so

From:
LoadModule cern_meta_module modules/mod_cern_meta.so
To:
# LoadModule cern_meta_module modules/mod_cern_meta.so

From:
LoadModule dav_module modules/mod_dav.so
To:
# LoadModule dav_module modules/mod_dav.so

From:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/var/apache2/htdocs">
To:
<Directory "/www">
<Limitexcept GET POST>
deny from all
</Limitexcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

11. Add the following sections to the end of the httpd.conf file:
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
12. Remove the sections bellow from the file httpd.conf
<Directory "/usr/apache2/manual">
<Directory "/var/apache2/cgi-bin">

13. Edit using VI the file /usr/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
14. Starting Apache from command line:
/usr/apache2/bin/apachectl start
15. Run the command bellow to start the Apache service at server start-up:
svcadm enable apache2

How to implement SSL on Tomcat 5.5

2009-12-25T00:19:00.006+02:00

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform

SSL implementation phase
1. Login to the server using Root account.
2. Create folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
3. Create folder for the SSL private key:
mkdir -p /var/apache/tomcat55/conf/ssl.key
4. Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
5. Run the command bellow to generate a key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: The command above should be written as one line.
7. Run the command bellow to generate a CSR (certificate request):
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: The command above should be written as one line.
8. Send the file /tmp/tomcat.csr to a Certificate Authority server.
9. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
10. Copy the file "server.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
11. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
12. Copy the file "ca-bundle.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
13. Run the command bellow to import the trusted root CA public certificate:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: The command above should be written as one line.

14. Run the command bellow to import the signed public key into the key store:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: The command above should be written as one line.

15. Stop the Tomcat service:
/etc/init.d/tomcat stop
16. Edit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section bellow:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
tcpNoDelay="true" />
17. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the <security-constraint> tag:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
18. Start the Tomcat service:
/etc/init.d/tomcat start -security

Hardening guide for Tomcat 5.5 on Solaris 10 platform

2009-12-24T21:55:00.008+02:00

Pre-installation notes
This guide instruct how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.

Installation phase
1. Login to the server using Root account.
2. Make sure the folder /usr/jdk exists:
ls /ad /usr/jdk
3. If the folder /usr/jdk doesn’t exists, manually create it:
mkdir /usr/jdk
4. Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
5. Move to /usr/jdk folder
cd /usr/jdk
6. Change the permissions on the JDK 1.6 (32bit) script:
chmod +x jdk-6u15-solaris-i586.sh
7. Run the command bellow to install JDK 1.6 (32bit):
./jdk-6u15-solaris-i586.sh
8. Change the permissions on the JDK 1.6 (x64) script:
chmod +x jdk-6u15-solaris-x64.sh
9. Run the command bellow to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
10. Delete the file /usr/jdk/jdk-6u15-solaris-i586.sh and samples:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
11. Remove the link for the Java
rm /usr/bin/java
12. Create new link for the Java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
13. Reload the links into memory:
rehash
14. Mount Solaris 10 DVD, and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
15. Run the command bellow to install Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
16. Remove the following default folders:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
17. Copy the server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command should be written as one line.
18. Edit using VI, the file /var/apache/tomcat55/conf/server.xml
• Uncomment the section bellow:
org.apache.catalina.valves.AccessLogValve
• Replace the non-SSL HTTP/1.1 Connector:
From:

<connector port="8080" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" />
To:

<connector port="8080" debug="off" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8443" acceptcount="100" connectiontimeout="20000" disableuploadtimeout="true" tcpnodelay="true" />
19. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag:

<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManger and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</ROLE-NAME>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>

<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>
20. Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines:
<role rolename="admin">
<role rolename="manager">
<user roles="admin,manager" password="adminpass" username="admin">
Note: Specify complex password for the admin account (and document it).
21. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
• Uncomment the section bellow:
org.apache.catalina.valves.RemoteAddrValve
• Replace the data of the value bellow:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: You may replace “172.16.*.*” with internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
22. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
• Inside the “Context” section, add the following line:
<valve allow="172.16.*.*" classname="org.apache.catalina.valves.RemoteAddrValve">
Note: You may replace “172.16.*.*” with internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
23. Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
24. Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
25. Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties
• Replace the string bellow from:
server.infoerver.info=Apache Tomcat/5.5.26
To:
server.infoerver.info=Secure Web server
• Replace the string bellow from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
26. Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
27. Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
28. Remove the folder bellow:
rm -r /usr/apache/tomcat55/server/lib/org
29. Create a user account for the Tomcat service:
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/
passwd tomcat
passwd -l tomcat
30. Create using VI, the file /etc/init.d/tomcat with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
case "$1" in
start)
echo -n "Starting Tomcat"
JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/startup.sh -security
;;
stop)
echo -n "Stopping Tomcat"
JAVA_HOME="/usr/jdk/jdk1.6.0_15" ; export JAVA_HOME && su - tomcat -c /usr/apache/tomcat55/bin/shutdown.sh
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {startstoprestart}"
exit 1
esac

exit 0
31. Change the permissions on the file /etc/init.d/tomcat
chmod u+x /etc/init.d/tomcat
32. Create soft link/symoblic links for system level startup
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
33. Reload the links into memory:
rehash
34. Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*

Protecting your backup

2009-12-06T12:47:00.002+02:00

One of the things many companies fail to put enough attention is proper protection to their backups.
I recently read an article about large American bank that sent a notification to its customers of losing a backup-tape, with customer's personal information.
I guess the only reason the bank reveal the information about the security breach is because he had to do so, under a federal law - just think about how many companies keep this sort of information to themselves in-order to avoid lawsuits.

Almost every company perform backup of its data. It can be using commercial software, file copy to a remote site, backup to tape, and now it is becoming more and more common to perform backup to disk, into a large storage device.

Usually, when performing backup to tape, most companies use to move the tapes into offsite storage, such as remote site.
While moving the backup to remote site might be considered as a good security practice against site disaster, there are 2 important things to think about.
The first thing is physical protection during the move, and while storing them on a safe at the remote site.
In this case I strongly recommend document the process - document the labels and dates of the tapes, and maybe even have the person transporting the tapes sign a form, so you'll have more confidence that the tapes were actually being transported to their destination.

Another thing you should consider is encryption to the data itself.
You don't want to be in a situation where somebody steals a suitcase full of backup tapes, where all your data is in clear text.
I guess most commercial products allow you to encrypt your backups, but it raises a question about maintaining the encryption.
If you encrypt your backups using the same password or passphrase year after year, and some ex-employee knows the password, it can harm the whole idea behind encryption.
On the other hand, if you change the password from time to time, you need to manage a list of old passwords against list of dates of backup-tape labels, which might become a headache since it is another thing to maintain.

Today more and more companies are moving to backup-to-disk, because the cost of hard disks is very low, and it's a fast media.
While performing backup to a remote site, you need to consider moving the data over secure or encrypted VPN lines in-order to avoid someone intercepting the data and stealing sensitive files.
Another good practice is to store the data on an encrypted file system. This way you don't need to worry about some will be able to review your files, but you will have the overhead of maintaining the encryption key, and the copy to the encrypted file system might become a little bit slower on slow machines or slow storage devices.

Remember, keeping your backup safe and secure, enables you to overcome site disaster while protecting from data breach and law suites.

Software installation

2009-11-25T22:16:00.001+02:00

One of the most important rules of server hardening is limiting the exposure surface.

I guess it's ok to install a product (from operating system to office applications) on a developer or users desktop using the default installation method (in many cases it means full product installation, since most of us don't bother to read what it means and just click next to continue).

However, on a production environment, any additional component means additional exposure surface, additional disk space and additional CPU and memory usage, which are very critical on production environments.
It is time to read the product documentation, and understand what does each and every component is doing on the system.
Customize or minimal installation is the best practice on this case.
We don't need any sample pages, product documentation or help files, or even demo scripts/web application/databases.

Another best practice is to limit anonymous, guest or any other non-authenticated access to sensitive areas of our application, such as administrative sections in web applications.
The best practice is to configure authentication for administrative sections, using built-in application capabilities such as strong passwords, dedicated accounts with privileges to certain parts of the application, certificate authentication or if nothing else is possible, using file system permissions according to the hosted operating system.

Another crucial part, for applications that start their own service to listen to outside requests, is to use the least-privileges security model, which means, non-administrative/root account to load the service, with limitation for running the specific application and least amount of privileges to the operating system.
The reason for that is if I am using an application that depends on JAVA for example, and there is a flaw in the JAVA runtime that allows it to break the JAVA security mechanism, your server might be vulnerable as well.

Another point to think about is software upgrades. You may be doing a good job during application installation and configuration, but the next product upgrade or security hotfix, might bring back sample applications or change the file system privileges.

Information leakage

2009-11-24T22:25:00.003+02:00

Information is all around us. We don't even realize how much information we share with everyone, and I have two examples to think about.

Business cards
We use to give away our business cards to colleagues and potential customers without realizing how much people can learn about us.
We put our mobile phone number, so now people can reach us 24/7.
We put our phone number, something such as 917-999-6666 and now the potential attacker knows that most of our company phone extensions (and maybe our fax and modem lines) begins with 917-999xxxx and that our extension is probably 6666 (wonder whom will I reach trying 6665 or 6667...)
We put our fax number, which can be used by spammers and advertisers we once met at a commercial fair.
We put our email address, something such as johnd@somecompany.com (in most cases, our username to the internal company assets will be something such as Johnd)

Voicemail / out-of-the-office message
We tend to leave a message on our voice mail or on our company mailbox, information such as:
"Hi, you've reached John Doe, from the sales department. I will be out of the office between July 28th and August 2nd. In case of emergency, you may contact Linda Smith, at 5435742, ext. 2"
If I was a potential hacker, I now know that John will be out of the office, I know his department name, I know the dates he will not be available, I know who replaces him while he is out of the office, and I know how to reach her.
Instead of giving away all this information, why not use something polite and simple, such as:
"Hi, I will be out of the office. You may send me emails and I will get back to you as soon as I will return to the office."

Think about it, the next time you share information, and don't forget that everyone on the internet can see it, the next time you share photos from your wonderful vacation on facebook, or what a great day you had, on twitter, just after you told your boss, you are not coming to the office today since you are not feeling well.

Introduction

2009-11-24T21:23:00.000+02:00

Andy Grove, the former Intel CEO used to say "Only the paranoid survive".

As an information security with more than 7 years in the field, I can tell you that even though I don't consider myself paranoid, people expect me to think out of the box and the only way I see it, to see the world from the eyes of the potential attacker, is to be paranoid.

I have opened this blog, in-order to share with you, my point of view and my experience in the security and technology field, looking at the world in a holistic and non-vendor oriented point of view as much as possible.