
Hardening guide for Apache 2.0 on Solaris 10 platform

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.
  1. Log in to the server using the root account.

  2. Create a dedicated account for the web server (no home directory, no login shell, password locked):

     ```sh
     groupadd apache
     useradd -g apache -d /dev/null -s /bin/false apache
     passwd apache
     passwd -l apache
     ```

  3. Mount the Solaris 10 DVD and change to the packages folder:

     ```sh
     cd /cdrom/sol_10_1008_x86/Solaris_10/Product
     ```

  4. Run the command below to install the Apache2 packages:

     ```sh
     pkgadd -d . SUNWapch2r SUNWapch2u
     ```

  5. Remove the default content:

     ```sh
     rm -r /var/apache2/htdocs/
     rm -r /var/apache2/cgi-bin/
     rm -r /var/apache2/icons/
     ```

  6. Update ownership and permissions on the Apache2 folders:

     ```sh
     chown -R root:root /usr/apache2
     chmod -R 770 /usr/apache2/bin
     chown -R root:root /etc/apache2
     chmod -R go-r /etc/apache2
     chmod -R 770 /etc/apache2
     chown -R root:root /var/apache2/logs
     chmod -R 700 /var/apache2/logs
     ```

  7. Create a folder for the web content:

     ```sh
     mkdir -p /www
     ```

  8. Update ownership and permissions on the web content folder:

     ```sh
     chown -R root /www
     chmod -R 775 /www
     ```

  9. Copy the example configuration file in order to edit it:

     ```sh
     cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
     ```

  10. Edit the file /etc/apache2/httpd.conf with vi and change the following strings:

      From: `# LockFile /var/apache2/logs/accept.lock`
      To: `LockFile /var/apache2/logs/accept.lock`

      From: `User webservd`
      To: `User apache`

      From: `Group webservd`
      To: `Group apache`

      From: `PidFile /var/run/apache2/httpd.pid`
      To: `PidFile /var/apache2/logs/httpd.pid`

      From: `DocumentRoot "/var/apache2/htdocs"`
      To: `DocumentRoot "/www"`

      From: `ServerSignature On`
      To: `ServerSignature Off`, and make sure `HostnameLookups Off` is set

      From: `# ServerTokens`
      To: `ServerTokens Prod`

      From: `ServerAdmin you@yourhost.com`
      To: `ServerAdmin webmaster@yourcompany.com`

      From: `ServerName 127.0.0.1`
      To: `ServerName Server_FQDN` (the server's fully qualified domain name)

      From: `Timeout 300`
      To: `Timeout 60`

      From: `LogLevel warn`
      To: `LogLevel notice`

      Comment out (prefix with `#`) the directory-index and icon directives: `IndexOptions FancyIndexing VersionSort`, `ReadmeName README.html`, `HeaderName HEADER.html`, every `AddIcon` line, `DefaultIcon /icons/unknown.gif`, `Alias /icons/ "/var/apache2/icons/"`, `AliasMatch`, and `ScriptAlias`.

      Comment out the following `LoadModule` lines so that the modules are no longer loaded:

      ```apache
      # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
      # LoadModule imap_module libexec/mod_imap.so
      # LoadModule cgi_module libexec/mod_cgi.so
      # LoadModule suexec_module libexec/mod_suexec.so
      # LoadModule autoindex_module libexec/mod_autoindex.so
      # LoadModule info_module libexec/mod_info.so
      # LoadModule status_module libexec/mod_status.so
      # LoadModule userdir_module libexec/mod_userdir.so
      # LoadModule cern_meta_module modules/mod_cern_meta.so
      # LoadModule dav_module modules/mod_dav.so
      ```

      From:

      ```apache
      <Directory />
          Options FollowSymLinks
          AllowOverride None
      </Directory>
      ```

      To:

      ```apache
      <Directory />
          Options None
          AllowOverride None
          Order deny,allow
          Deny from all
      </Directory>
      ```

      From: `<Directory "/var/apache2/htdocs">`
      To (the rest of the block stays as it is):

      ```apache
      <Directory "/www">
          <LimitExcept GET POST>
              Deny from all
          </LimitExcept>
      ```

      From: `Options Indexes FollowSymLinks`
      To: `Options -FollowSymLinks -Includes -Indexes -MultiViews`

  11. Add the following directives to the end of the httpd.conf file:

      ```apache
      LimitRequestBody 10000
      LimitRequestFields 40
      LimitRequestFieldSize 100
      LimitRequestLine 500
      ```

  12. Remove the sections below from the file httpd.conf: the `<Directory "/usr/apache2/manual">` block and the `<Directory "/var/apache2/cgi-bin">` block.

  13. Edit the file /usr/apache2/include/ap_release.h with vi and change the following strings:

      From: `#define AP_SERVER_BASEVENDOR "Apache Software Foundation"`
      To: `#define AP_SERVER_BASEVENDOR "Restricted server"`

      From: `#define AP_SERVER_BASEPRODUCT "Apache"`
      To: `#define AP_SERVER_BASEPRODUCT "Secure Web Server"`

      Note that ap_release.h is only read at compile time, so this change affects the `Server` response header only if the Apache binaries are rebuilt from source; on the packaged binaries, `ServerTokens Prod` from step 10 is what trims the header.

  14. Start Apache from the command line:

      ```sh
      /usr/apache2/bin/apachectl start
      ```

  15. Run the command below to start the Apache service at server start-up:

      ```sh
      svcadm enable apache2
      ```
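The following script, added here as an example and not part of the original guide, checks a finished httpd.conf against the settings from steps 10 and 11: the directives that must be present and uncommented, and the modules that must stay commented out. The file path is an argument; without one it audits a constructed sample that is not a real Solaris file.

```sh
#!/bin/sh
# Audit an httpd.conf (path argument; default: the constructed sample below) against steps 10 and 11 of the guide.
# Directives that must be present and uncommented, exactly as the guide sets them (one per line).
REQUIRED='ServerTokens Prod
ServerSignature Off
User apache
Group apache
DocumentRoot "/www"
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500'
# Modules the guide comments out; an active LoadModule for any of them is a finding.
DISABLED='proxy_ftp_module imap_module cgi_module suexec_module autoindex_module
info_module status_module userdir_module cern_meta_module dav_module'

audit_httpd_conf() {
    fails=0
    # Effective configuration only: trim surrounding blanks and drop comment lines.
    active=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' "$1")
    while IFS= read -r directive; do   # exact whole-line, fixed-string match per directive
        printf '%s\n' "$active" | grep -qxF -- "$directive" \
            || { echo "MISSING: $directive"; fails=$((fails + 1)); }
    done <<EOF
$REQUIRED
EOF
    for mod in $DISABLED; do           # any uncommented LoadModule for a disabled module
        printf '%s\n' "$active" | grep -q "^LoadModule[[:space:]][[:space:]]*$mod[[:space:]]" \
            && { echo "ENABLED: $mod (should be commented out)"; fails=$((fails + 1)); }
    done
    echo "$fails finding(s) in $1"
    [ "$fails" -eq 0 ]
}
# Constructed sample, not a real Solaris file: follows the guide except that mod_status is still loaded.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache
DocumentRoot "/www"
# LoadModule cgi_module libexec/mod_cgi.so
LoadModule status_module libexec/mod_status.so
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500
EOF
audit_httpd_conf "${1:-$SAMPLE}" || echo "Hardening incomplete; see the findings above."
rm -f "$SAMPLE"
```

The sample reports one finding (status_module still enabled); a file that follows steps 10 and 11 reports none and the function returns 0.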