
Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.
  1. Log in to the server using the root account.

  2. Create a dedicated, non-login account for the service:

       groupadd lighttpd
       useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd

  3. Mount the RHEL 5.4 DVD and move to the RPM folder:

       mount /dev/hdc /media
       cd /media/Server

  4. Before compiling Lighttpd, install the following RPMs (compiler and development headers):

       rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm
       rpm -ivh glibc-headers-2.5-49.x86_64.rpm
       rpm -ivh glibc-devel-2.5-49.x86_64.rpm
       rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
       rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
       rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm
       rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm
       rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm
       rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm
       rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm
       rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm
       rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
       rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
       rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm

  5. Download Lighttpd 1.4.26 from: http://www.lighttpd.net/download/

  6. Copy the Lighttpd 1.4.26 source archive to /tmp on the server using PSCP (or SCP).

  7. Move to /tmp:

       cd /tmp

  8. Extract the lighttpd-1.4.26.tar.gz archive:

       tar -zxvf lighttpd-1.4.26.tar.gz

  9. Download the file below into the folder /tmp/lighttpd-1.4.26/src, replacing the network.c shipped with the release:

       http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c

  10. Move to the Lighttpd source folder:

       cd /tmp/lighttpd-1.4.26

  11. Run the commands below to compile and install Lighttpd:

       ./configure --with-openssl --without-bzip2
       make
       make install

  12. Create the following folders:

       mkdir -p /etc/lighttpd
       mkdir -p /var/log/lighttpd
       mkdir -p /var/cache/lighttpd/compress

  13. Copy the sample lighttpd.conf file into place:

       cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf

  14. Update ownership and permissions on the Lighttpd folders and configuration file:

       chown lighttpd:lighttpd /var/log/lighttpd
       chown lighttpd:root /etc/lighttpd/lighttpd.conf
       chown lighttpd:lighttpd /var/cache/lighttpd/compress
       chmod o-r /etc/lighttpd/lighttpd.conf
       chmod -R o-r /var/log/lighttpd

  15. Create a folder for the web content:

       mkdir -p /www

  16. Update ownership and permissions on the web content folder:

       chown -R root /www
       chmod -R 775 /www

  17. Edit the file /etc/lighttpd/lighttpd.conf with vi and change the following settings (replace Server_FQDN with the server's fully qualified domain name):

       From: server.document-root = "/srv/www/htdocs/"
       To:   server.document-root = "/www"

       From: #server.bind = "127.0.0.1"
       To:   server.bind = "Server_FQDN"

       From: # server.tag = "lighttpd"
       To:   server.tag = "Secure Web Server"

       From: #server.username = "wwwrun"
       To:   server.username = "lighttpd"

       From: #server.groupname = "wwwrun"
       To:   server.groupname = "lighttpd"

       From: #dir-listing.activate = "enable"
       To:   dir-listing.activate = "disable"

  18. Using vi, create a file called /etc/sysconfig/lighttpd with the following content:

       LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf

  19. To start Lighttpd manually, run:

       /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

  20. To start the Lighttpd service at boot, edit the file /etc/rc.local with vi and add the line below:

       /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

  21. Remove the Lighttpd source files:

       rm -rf /tmp/lighttpd-1.4.26
       rm -f /tmp/lighttpd-1.4.26.tar.gz

  22. Uninstall the build-time RPMs that are no longer needed on the server:

       rpm -e gcc-4.1.2-48.el5
       rpm -e libgomp-4.4.0-6.el5
       rpm -e gmp-4.1.4-10.el5
       rpm -e glibc-devel-2.5-49
       rpm -e glibc-headers-2.5-49
       rpm -e kernel-headers-2.6.18-194.el5
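As an added example (not part of the original guide), the following POSIX shell script audits a lighttpd.conf against the settings changed in step 17, reporting any directive that is still commented out or left at its stock value. The sample configuration it runs against is constructed here to show a half-applied step 17.

```shell
# Added example: audit a lighttpd.conf against the hardened values from step 17.
# Not part of the original guide; the sample config at the bottom is constructed.

# Print the active (uncommented) value of a directive, without quotes;
# if the directive appears more than once, the last occurrence wins.
lighttpd_conf_get() {   # usage: lighttpd_conf_get <conf-file> <directive>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Compare one directive with its expected value; return 1 on mismatch.
check_directive() {     # usage: check_directive <conf-file> <directive> <expected>
    got=$(lighttpd_conf_get "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $2 = \"$got\""
        return 0
    fi
    echo "FAIL $2: expected \"$3\", found \"${got:-<unset or commented out>}\""
    return 1
}

# Run every step 17 check; the return code is the number of failing directives.
audit_lighttpd_conf() {
    fails=0
    check_directive "$1" server.document-root "/www"              || fails=$((fails + 1))
    check_directive "$1" server.username      "lighttpd"          || fails=$((fails + 1))
    check_directive "$1" server.groupname     "lighttpd"          || fails=$((fails + 1))
    check_directive "$1" dir-listing.activate "disable"           || fails=$((fails + 1))
    check_directive "$1" server.tag           "Secure Web Server" || fails=$((fails + 1))
    # server.bind has no single correct value; it only has to be uncommented and set.
    bind=$(lighttpd_conf_get "$1" server.bind)
    if [ -n "$bind" ]; then
        echo "PASS server.bind = \"$bind\""
    else
        echo "FAIL server.bind: still commented out (lighttpd would listen on all interfaces)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: step 17 applied only partially.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server.document-root = "/www"
#server.bind = "127.0.0.1"
server.tag = "Secure Web Server"
server.username = "lighttpd"
#server.groupname = "wwwrun"
dir-listing.activate = "enable"
EOF
audit_lighttpd_conf "$SAMPLE_CONF" || echo "$? directive(s) still need attention"
rm -f "$SAMPLE_CONF"
```

Run it against /etc/lighttpd/lighttpd.conf after step 17 and again after any later edit; a non-zero exit code means at least one hardening setting has been lost.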