Hardening guide for Apache 2.4.6 on CentOS 6.4 64bit edition
This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLSv1.2 and protection from BEAST attack and CRIME attack.
Some of the features explained in this document are supported by only some of the Internet browsers:
o X-Frame-Options – Minimum browser support:
IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
o TLS 1.2 – Minimum browser support:
IE 8.0 on Windows 7/8 (disabled by default, needs to be enabled), Firefox 24.0 (disabled by default, needs to be enabled), Chrome 30, Opera 17, Safari 5.0
Pre-Requirements
o policycoreutils-python-* package installed
o setools-libs-* package installed
o libcgroup-* package installed
o audit-libs-python-* package installed
o libsemanage-python-* package installed
o setools-libs-python-* package installed
o gcc* package installed
o gcc-c++* package installed
o autoconf* package installed
o automake* package installed
Installation Phase
1. Log in to the server using Root account
2. Upgrade the OpenSSL build:
    rpm -ivh --nosignature
    yum --enablerepo=axivo update openssl -y
3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
5. Download PCRE source file into /tmp, from:
6. Compile PCRE from source file:
    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp
    mv /tmp/pcre-8.33 /usr/local/pcre
    cd /usr/local/pcre
    ./configure --prefix=/usr/local/pcre
    make
    make install
7. Extract Apache source files:
    cd /tmp
    tar zxvf httpd-2.4.6.tar.gz
    cd httpd-2.4.6/srclib/
    tar zxvf ../../apr-1.4.8.tar.gz
    ln -s apr-1.4.8/ apr
    tar zxvf ../../apr-util-1.5.2.tar.gz
    ln -s apr-util-1.5.2/ apr-util
8. Compile the Apache from source files:
    cd /tmp/httpd-2.4.6
    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre
    make
    make install
9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz
    rm -rf /tmp/apr-util-1.5.2.tar.gz
    rm -rf /tmp/httpd-2.4.6.tar.gz
    rm -rf /tmp/httpd-2.4.6
    rm -rf /tmp/pcre-8.33.tar.gz
10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin
    rm -rf /opt/httpd/htdocs
    rm -rf /opt/httpd/icons
    rm -rf /opt/httpd/man
    rm -rf /opt/httpd/manual
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-default.conf
    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-info.conf
    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in
    rm -rf /opt/httpd/conf/extra/proxy-html.conf
    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in
    rm -rf /opt/httpd/conf/original
11. Updating Ownership and Permissions on Apache folders:
    chown root:root /opt/httpd/bin/apachectl
    chown root:root /opt/httpd/bin/httpd
    chmod 770 /opt/httpd/bin/apachectl
    chmod 770 /opt/httpd/bin/httpd
    chown -R root:root /opt/httpd
    chmod -R go-r /opt/httpd
    chown -R root:root /opt/httpd/logs
    chmod -R 700 /opt/httpd/logs
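The chown/chmod commands of step 11 aim at three properties: nothing under /opt/httpd is readable by "others", everything is owned by root, and the logs directory is closed to group and others. The script below is an added example (not part of the guide) that audits an installation prefix for exactly those properties; it assumes GNU find, which is the CentOS 6.4 default and accepts "-perm /mode" (any of the listed bits set). The owner to expect is a parameter so the same function can be exercised on a scratch directory owned by the current user.

```shell
#!/bin/sh
# Audit the ownership/permission result of step 11 on an Apache prefix.
# Added example, not the guide's own code. Assumes GNU find (CentOS 6.4).
# Usage: audit_prefix /opt/httpd root   -> exit 0 when compliant, 1 otherwise.

audit_prefix() {
    prefix=$1
    owner=${2:-root}
    # Collect every offending path with a reason prefix. Each find covers one
    # of the goals of step 11 (chmod -R go-r, chown -R root:root, logs 700).
    offenders=$( {
        find "$prefix" -perm /o=r 2>/dev/null | sed 's|^|world-readable: |'
        find "$prefix" ! -user "$owner" 2>/dev/null | sed "s|^|not owned by $owner: |"
        find "$prefix/logs" -perm /go=rwx 2>/dev/null | sed 's|^|logs not mode 700: |'
    } )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# When run on the hardened host, audit the guide's install prefix.
if [ -d /opt/httpd ]; then
    audit_prefix /opt/httpd root && echo "OK: /opt/httpd matches step 11"
fi
```

Run it after step 11 and again after any later `make install`, since reinstalling restores the upstream modes. The checks are deliberately stricter than the exact chmod values: a 770 binary passes, a 775 one is reported, which is what matters for the threat the step addresses.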
12. Create folder for the web content:
    mkdir -p /www
13. Updating Ownership and Permissions on the web content folder:
    chown -R root /www
    chmod -R 775 /www
14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
    restorecon -F -R -v /www
15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
From:
    LogLevel warn
To:
    LogLevel notice
From:
    DocumentRoot "/opt/httpd/htdocs"
To:
    DocumentRoot "/www"
From:
    Listen 80
To:
    Listen Server_FQDN:80
Note: Replace Server_FQDN with the actual DNS name.
From:
    ServerAdmin root@localhost
To:
    ServerAdmin webmaster@
Note: Replace with the actual Company DNS name.
From:
    #ServerName :80
To:
    ServerName Server_FQDN
Note: Replace Server_FQDN with the actual DNS name.
From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
To:
    #ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
From:
    Options FollowSymLinks
    AllowOverride None
To:
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    deny from all
From:
    Options Indexes FollowSymLinks
    AllowOverride None
To:
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    deny from all
16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
    ScriptAlias
    IndexOptions
    AddIconByEncoding
    AddIconByType
    AddIcon
    DefaultIcon
    ReadmeName
    HeaderName
    IndexIgnore
    LanguagePriority
    ForceLanguagePriority
17. Comment out the lines below inside the /opt/httpd/conf/httpd.conf file to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule status_module modules/mod_status.so
    LoadModule info_module modules/mod_info.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule include_module modules/mod_include.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule env_module modules/mod_env.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule actions_module modules/mod_actions.so
18. Comment out the entire section inside the /opt/httpd/conf/httpd.conf file
19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure ServerTokens
    ServerTokens Prod
    # Disable ServerSignature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
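Steps 15 to 19 are all manual edits of one file, so a quick way to confirm none of them was missed is to grep the finished httpd.conf for their result. The script below is an added example, not part of the guide: it checks that the modules of step 17 are no longer loaded, that no active ScriptAlias remains (steps 15 and 16), and that the directives appended in step 19 (plus the LogLevel change of step 15) are present with the values the guide uses. It needs only POSIX sh, grep and sed; Apache directive names are case-insensitive, so the matching is too.

```shell
#!/bin/sh
# Audit an httpd.conf for the hardening edits of steps 15-19.
# Added example, not the guide's own code. Exit status 0 = all checks passed.
# Usage: audit_httpd_conf /opt/httpd/conf/httpd.conf

audit_httpd_conf() {
    conf=$1
    fail=0

    # Step 17: no active LoadModule line may remain for these modules.
    for m in cgi status info autoindex include userdir env negotiation actions; do
        if grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module[[:space:]]" "$conf"; then
            echo "FAIL: mod_${m} is still loaded"
            fail=1
        fi
    done

    # Steps 15/16: every ScriptAlias must be commented out.
    if grep -Eiq '^[[:space:]]*ScriptAlias[[:space:]]' "$conf"; then
        echo "FAIL: an active ScriptAlias remains"
        fail=1
    fi

    # Steps 15/19: required directives with the guide's values. Whitespace
    # between tokens may vary, so each space becomes a [[:space:]]+ match.
    while IFS= read -r want; do
        pattern=$(printf '%s' "$want" | sed 's/[[:space:]]\{1,\}/[[:space:]]+/g')
        if ! grep -Eiq "^[[:space:]]*${pattern}[[:space:]]*$" "$conf"; then
            echo "FAIL: missing '$want'"
            fail=1
        fi
    done <<'EOF'
LogLevel notice
ServerTokens Prod
ServerSignature Off
TraceEnable Off
LimitRequestBody 25000
LimitRequestFields 40
LimitRequestFieldSize 4000
LimitRequestLine 4000
Header always append X-Frame-Options SAMEORIGIN
EOF
    return $fail
}

# When run on the hardened host, audit the guide's configuration file.
if [ -f /opt/httpd/conf/httpd.conf ]; then
    audit_httpd_conf /opt/httpd/conf/httpd.conf && echo "OK: httpd.conf matches steps 15-19"
fi
```

This is a static check of the file, not of the running server; after it passes, `/opt/httpd/bin/apachectl -t` confirms the edited file still parses, and `Header` in particular only takes effect when mod_headers is loaded.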
20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
    #define AP_SERVER_BASEVENDOR "Restricted server"
From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"
To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"
From:
    #define AP_SERVER_BASEPRODUCT "Apache"
To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"
21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
22. Extract and install the Apache boot script:
    cd /tmp/
    tar xvjf blfs-bootscripts-20131023.tar.bz2
    cd /tmp/blfs-bootscripts-20131023
    make install-httpd
23. Edit using VI the file /etc/init.d/httpd and replace the strings below:
From:
    /usr/sbin/apachectl
To:
    /opt/httpd/bin/apachectl
From:
    log_info_msg
To:
    echo
From:
    evaluate_retval
To:
    #evaluate_retval
24. Configure the Apache to start automatically:
    chkconfig httpd on
25. Configure IPTables:
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8):
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
27. Allow HTTP access from the Internet on the public interface (i.e. eth0):
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
28. Save the IPTables settings:
    service iptables save
29. Start the Apache daemon:
    service httpd start
SSL Configuration Phase
1. Log in to the server using Root account.
2. Create folder for the SSL certificate files:
    mkdir -p /opt/httpd/conf/ssl
    chmod 600 /opt/httpd/conf/ssl
3. Run the command below to generate a key pair:
    /usr/bin/openssl genrsa -