
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.
  1. Log in to the server using the root account.

  2. Create a new, non-login account for Apache:
     groupadd apache
     useradd -g apache -d /dev/null -s /bin/false apache

  3. Mount the RHEL 5.4 DVD and move to the RPM folder:
     mount /dev/hdc /media
     cd /media/Server

  4. Before compiling the Apache environment, install the following RPMs:
     rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
     rpm -ivh glibc-headers-2.5-42.x86_64.rpm
     rpm -ivh glibc-devel-2.5-42.x86_64.rpm
     rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
     rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
     rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
     rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
     rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
     rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm
     rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
     rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm
     rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
     rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm

  5. Copy the httpd 2.2.15 source files into /tmp using PSCP (or SCP).

  6. Move to /tmp:
     cd /tmp

  7. Extract the httpd-2.2.15.tar.gz file:
     tar -zxvf httpd-2.2.15.tar.gz

  8. Move to the Apache source folder:
     cd httpd-2.2.15

  9. Run the commands below to compile and install the Apache environment:
     ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl
     make
     make install

  10. Remove the Apache source files:
      rm -rf /tmp/httpd-2.2.15
      rm -f /tmp/httpd-2.2.15.tar.gz

  11. Remove the default content:
      rm -rf /usr/local/apache2/cgi-bin
      rm -rf /usr/local/apache2/htdocs
      rm -rf /usr/local/apache2/icons
      rm -rf /usr/local/apache2/man
      rm -rf /usr/local/apache2/manual
      rm -rf /usr/local/apache2/conf/extra
      rm -rf /usr/local/apache2/conf/original

  12. Update ownership and permissions on the Apache2 folders:
      chown root:root /usr/local/apache2/bin/apachectl
      chown root:root /usr/local/apache2/bin/httpd*
      chmod 770 /usr/local/apache2/bin/apachectl
      chmod 770 /usr/local/apache2/bin/httpd*
      chown -R root:root /usr/local/apache2
      chmod -R go-r /usr/local/apache2
      chown -R root:root /usr/local/apache2/logs
      chmod -R 700 /usr/local/apache2/logs

  13. Create a folder for the web content:
      mkdir -p /www

  14. Update ownership and permissions on the web content folder:
      chown -R root /www
      chmod -R 775 /www

  15. Edit the file /usr/local/apache2/conf/httpd.conf using vi and change the following strings (Server_FQDN stands for the server's fully qualified domain name):

      From: DocumentRoot "/var/www/html"
      To:   DocumentRoot "/www"

      From: Listen 80
      To:   Listen Server_FQDN:80

      From: ServerAdmin root@localhost
      To:   ServerAdmin webmaster@mycompany.com

      From: #ServerName www.example.com:80
      To:   ServerName Server_FQDN

      From: LogLevel warn
      To:   LogLevel notice

      From: ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
      To:   # ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

      From:
        <Directory />
            Options FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
        </Directory>
      To:
        <Directory />
            Options None
            AllowOverride None
            Order deny,allow
            Deny from all
        </Directory>

      From: <Directory "/usr/local/apache2/htdocs">
      To:   <Directory "/www">
                <LimitExcept GET POST>
                    Deny from all
                </LimitExcept>

      From: Options Indexes FollowSymLinks
      To:   Options -FollowSymLinks -Includes -Indexes -MultiViews

  16. Add the following section to the end of the httpd.conf file:
      ServerSignature Off
      ServerTokens Prod
      Timeout 60
      # Maximum size of the request body.
      LimitRequestBody 10000
      # Maximum number of request headers in a request.
      LimitRequestFields 40
      # Maximum size of request header lines.
      LimitRequestFieldSize 4094
      # Maximum size of the request line.
      LimitRequestLine 500

  17. Remove the section below (the whole block, up to its closing </Directory>) from the file httpd.conf:
      <Directory "/usr/local/apache2/cgi-bin">

  18. Edit the file /usr/local/apache2/include/ap_release.h using vi and change the following strings:

      From: #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
      To:   #define AP_SERVER_BASEVENDOR "Restricted server"

      From: #define AP_SERVER_BASEPRODUCT "Apache"
      To:   #define AP_SERVER_BASEPRODUCT "Secure Web Server"

      Note that these values are compiled into the httpd binary, so the edit only changes the Server banner if it is made in the source tree before the build in step 9.

  19. Start Apache from the command line:
      /usr/local/apache2/bin/apachectl start

  20. To start the Apache service at server start-up, edit the file /etc/rc.local using vi and add the line below:
      /usr/local/apache2/bin/apachectl start

  21. Uninstall the following RPMs:
      rpm -e gcc-4.1.2-46.el5
      rpm -e libgomp-4.4.0-6.el5
      rpm -e gmp-4.1.4-10.el5
      rpm -e glibc-devel-2.5-42
      rpm -e glibc-headers-2.5-42
      rpm -e kernel-headers-2.6.18-164.el5
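The httpd.conf changes from steps 15 to 17 can be audited after the edit. The POSIX shell script below is an added example, not part of the original guide: it greps a configuration file for the directives the guide requires and for the defaults the guide removes, and runs itself against two constructed sample fragments (not real server files). The sample contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added audit script (not part of the original guide): checks an httpd.conf for
# the step 15-17 changes. Prints each failure and returns 0 only if all pass.

check_httpd_conf() {
    conf="$1"; rc=0
    # Directives the guide sets, each matched as a whole line
    for want in 'ServerSignature Off' 'ServerTokens Prod' 'Timeout 60' \
        'LimitRequestBody 10000' 'LimitRequestFields 40' 'LimitRequestLine 500' \
        'LimitRequestFieldSize 4094' 'LogLevel notice' 'DocumentRoot "/www"'; do
        grep -Eq "^[[:space:]]*$want[[:space:]]*$" "$conf" || { echo "missing: $want"; rc=1; }
    done
    # Lines the guide removes or disables ("-Indexes" does not match, since
    # the option name must follow whitespace rather than a minus sign)
    for bad in '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-bin/' \
        '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?(Indexes|FollowSymLinks)([[:space:]]|$)' \
        '^[[:space:]]*Listen[[:space:]]+80[[:space:]]*$' \
        '<Directory[[:space:]]+"/usr/local/apache2/cgi-bin">'; do
        if grep -Eq "$bad" "$conf"; then echo "still present: $bad"; rc=1; fi
    done
    return $rc
}
# Constructed sample fragments (not real server files) written to a temp file
write_sample_conf() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then cat > "$f" <<'EOF'
DocumentRoot "/www"
LogLevel notice
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
Options -FollowSymLinks -Includes -Indexes -MultiViews
ServerSignature Off
ServerTokens Prod
Timeout 60
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 4094
LimitRequestLine 500
EOF
    else cat > "$f" <<'EOF'
Listen 80
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
Options Indexes FollowSymLinks
<Directory "/usr/local/apache2/cgi-bin">
EOF
    fi
    echo "$f"
}
for kind in default hardened; do
    f=$(write_sample_conf "$kind"); check_httpd_conf "$f" && echo "$kind: OK"; rm -f "$f"
done
```

To audit the real file, source the script and run `check_httpd_conf /usr/local/apache2/conf/httpd.conf` as root.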
