-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathStep2c-Prep.html
145 lines (145 loc) · 11.9 KB
/
Step2c-Prep.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Fedora/RedHat Step2c - Configuring Apache/PHP" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Fedora, RedHat, SUSE, CentOS, Elliptical Curves, RSA, Encryption, PHP" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step 2c - Configuring Apache/PHP (Fedora/Redhat)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheFedoraSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Fedora/CentOS/SUSE/RedHat</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 2c - Configuring Apache/PHP</h3>
<p class="card-text">We need to minimize the information we are sharing with everyone. Also, we need to look over what <a href="https://httpd.apache.org/docs/trunk/new_features_2_4.html" title="Apache2.4 Modules" target="_blank">modules are running</a> and interacting with what applications. The bulk of the work is really in this procedure. It does not just involve turning on or off modules; but instead heavy tweaking the modules behavior and function can really harden a system beyond a hackers reach. Over time I will release more documentation on how to modify and alter Apache2 for performance and trapping rogue admins. </p>
<h4>How to enable or disable Apache modules</h4>
<p class="card-text">Comment/uncomment out the lines for each module listed in <strong>/etc/httpd/conf.modules.d/</strong></p>
<h4>Disable unnecessary Apache modules </h4>
<p class="card-text">To list all of the Apache modules running:</p>
<pre>httpd -M</pre>
<p class="card-text">Disable ANY Modules not needed for your configuration or turn them all off and then we can re-enable/install the needed modules</p>
<h4>Enabling needed Apache modules </h4>
<p class="card-text">The commands below will install the necessary Modules for now</p>
<pre>yum install mod_ssl</pre>
<pre>yum install mod_session</pre>
<p class="card-text">mod_headers is installed and is enabled by default</p>
<h4>Enabling the newly created sites under Apache</h4>
<p class="card-text">The newly created sited should be enabled automatically if they were configured correctly and no command is necessary.</p>
<h4>Disabling the default sites under Apache</h4>
<p class="card-text orange">Do not forget to handle the IP defaulting to a web page if you disable the defaults. Do not use the Apache2 default page!</p>
<p class="card-text">Comment out the content of the below mentioned files and if you want you can even rename them after doing so.</p>
<pre>nano /etc/httpd/conf.d/welcome.conf</pre>
<h4>Change the Timeout & KeepAlive </h4>
<pre>nano /etc/httpd/conf/httpd.conf</pre>
<p class="card-text"><strong>Add the following lines that are highlighed in blue to your httpd.conf file:</strong> <span class="blue"> <--- Change the lines in blue below</span><br>
Timeout <span class="blue">30</span><br>
KeepAliveTimeout <span class="blue">5</span><br>
<br>
<span class="blue"><Directory /></span><span class="orange"> <--- Protect our system files - If you did not add this in the prior <a href="Step2b-Prep.html" target="_blank">Step2b</a>, you can add it globally here</span><br>
<span class="blue"> Require all denied<br>
AllowOverride None<br>
Options None</span><br>
<span class="blue"></Directory></span> </p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Remove Apache Version, Operating System, Port, and Hostname from being advertised</h4>
<p class="card-text">We could put all of Security Header settings in this file, but I highly do not recommend it on a Server that hosts numerous sites!</p>
<pre>nano /etc/httpd/conf/httpd.conf</pre>
<p class="card-text"><strong>Locate and change:</strong> <span class="blue"> <--- Change the lines in blue below</span><br>
ServerTokens <span class="blue">Prod</span><br>
ServerSignature <span class="blue">Off</span><br>
TraceEnable <span class="blue">Off</span> </p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Remove the PHP version from being advertised (Just incase you have it installed)</h4>
<pre>nano /etc/php.ini</pre>
<p class="card-text"><strong>Locate, find and change:</strong><span class="blue"> <--- Change the line in blue below</span><br>
expose_php = <span class="blue">Off</span></p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Tweak our performance a bit with mpm_event</h4>
<p class="card-text">Each process under event can contain multiple threads and each is capable of more than one task. This results in Apache having the lowest requirements when used with mpm_event.</p>
<p class="card-text">We are using a configuration that requires us to address the higher load requirements.</p>
<pre>nano /etc/httpd/conf.modules.d/00-mpm.conf</pre>
<p class="card-text">Comment LoadModule line for mpm_prefork_module, mpm_worker_module and Un-comment LoadModule line for mpm_event_module in in the 00-mpm.conf file.</p>
<p class="card-text"><strong>Add the following settings in the httpd.conf file:</strong><span class="blue"> <--- Add the lines in blue below</span></p>
<p class="card-text orange">If this a Web server, email, DNS, and so forth, cut everything in half and MaxMemFree minimum of 4096 - Which is 4 megs and alter as necessary.</p>
<p class="card-text"><IfModule mpm_event_module><br>
<span class="blue"> MaxMemFree 0</span><br>
<span class="blue"> StartServers 5</span><br>
<span class="blue"> ServerLimit 32</span><br>
<span class="blue"> MaxClients 256</span><br>
<span class="blue"> MaxRequestWorkers 50</span><br>
<span class="blue"> MaxConnectionsPerChild 1000</span><br>
</IfModule></p>
<h4>Restart Apache</h4>
<pre>systemctl restart httpd</pre>
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step2b-Prep.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step3-Lock.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>