
Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

Eyal Estrin

Pre-requirements:

  • JDK 1.6 source file
  • Resin Professional 4.0.8 source file

Installation phase

  1. Log in to the server using the root account.

  2. Create a new account:

    groupadd resin
    useradd -g resin -d /home/resin -s /bin/bash resin

  3. Create folder for the web content: mkdir -p /www

  4. Update ownership and permissions on the web content folder:

    chown -R root /www
    chmod -R 775 /www

  5. Copy JDK 1.6 into /tmp

  6. Change the permissions on the JDK 1.6: chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin

  7. Run the command below to install JDK 1.6: /tmp/jdk-6u20-linux-i586-rpm.bin

  8. Remove the JDK 1.6 source files:

    rm -f /tmp/jdk-6u20-linux-i586-rpm.bin
    rm -f /usr/java/jdk1.6.0_20/src.zip
    rm -rf /usr/java/jdk1.6.0_20/demo
    rm -rf /usr/java/jdk1.6.0_20/sample
    rm -rf /opt/sun/javadb/demo
    rm -rf /opt/sun/javadb/docs

  9. Before compiling the Resin environment, install the following RPMs from the RHEL DVD:

    rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-42.i386.rpm
    rpm -ivh glibc-devel-2.5-42.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh gcc-4.1.2-46.el5.i386.rpm
    rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm
    rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm
    rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm
    rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm
    rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm
    rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm
    rpm -ivh zlib-devel-1.2.3-3.i386.rpm
    rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm

  10. Copy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp

  11. Move to /tmp: cd /tmp

  12. Extract the resin-pro-4.0.8.tar.gz file: tar -zxvf resin-pro-4.0.8.tar.gz

  13. Move to the Resin 4.0.8 source folder: cd /tmp/resin-pro-4.0.8

  14. Run the commands below to compile the Resin 4.0.8 environment:

    ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20

    Note: The command above should be written as one line.

    make
    make install

  15. Using vi, edit the file /usr/local/resin/conf/resin.xml and change the strings below:

    From: <resin:if test="${resin.userName == 'root'}">
    To: <resin:if test="${resin.userName == 'resin'}">

    From: <user-name>www-data</user-name>
    To: <user-name>resin</user-name>

    From: <group-name>www-data</group-name>
    To: <group-name>resin</group-name>

    From: <server id="" address="127.0.0.1" port="6800">
    To: <server id="" address="Server_DNS_Name" port="6800">

    From: <http address="*" port="8080"/>
    To: <http address="Server_DNS_Name" port="8080"/>

    From: <dependency-check-interval>2s</dependency-check-interval>
    To: <dependency-check-interval>600s</dependency-check-interval>

    From: <host id="" root-directory=".">
    To: <host id="Server_DNS_Name" root-directory="/www">

    From: <root-directory>.</root-directory>
    To: <root-directory>/www</root-directory>

    From: <resin:set var="resin_admin_external" value="false"/>
    To: <resin:set var="resin_admin_external" value="true"/>

  16. Change the ownership on the folder below: chown resin:root -R /www/*

  17. Manually start the Resin service: /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin

  18. Manually stop the Resin service: /usr/local/resin/bin/resin.sh stop

  19. Copy the Resin license file into /usr/local/resin/licenses

  20. Change the ownership and permissions on the folders below:

    chmod 664 -R /www/watchdog-data/
    chmod 777 /www/watchdog-data/default/
    chown resin:root -R /www/watchdog-data/*

  21. Remove the Resin 4.0.8 source folder: rm -rf /tmp/resin-pro-4.0.8

  22. Remove default documents: rm -rf /www/doc/resin-doc

  23. To start the Resin service at server start-up, run the commands below:

    chkconfig --add resin
    chkconfig resin on
    /etc/init.d/resin start

  24. From a client machine, open an internet browser and log in at the address: http://Server_DNS_Name:8080/resin-admin/

  25. Enter a username and password in the lower half of the page, then click “Create Configuration File”. The recommended username is “admin”.

  26. Rename the admin-users.xml file: mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml

  27. Browse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.
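
A check to run after the edits in step 15, added here as an example and not part of the original guide: it counts how many of the "From:" values listed in that step are still present in resin.xml. The helper name audit_resin_conf and the sample fragment are constructed for illustration, and matching is by fixed string, so a file with different spacing or attribute order will not be flagged.

```sh
# Added example (not from the original guide). audit_resin_conf is a
# hypothetical helper; the patterns are the "From:" values of step 15.
audit_resin_conf() {
    conf=${1:-/usr/local/resin/conf/resin.xml}
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    findings=0
    while IFS= read -r pattern; do
        if grep -qF -- "$pattern" "$conf"; then
            echo "still default: $pattern" >&2
            findings=$((findings + 1))
        fi
    done <<'PATTERNS'
resin.userName == 'root'
<user-name>www-data</user-name>
<group-name>www-data</group-name>
<server id="" address="127.0.0.1" port="6800">
<http address="*" port="8080"/>
<dependency-check-interval>2s</dependency-check-interval>
<host id="" root-directory=".">
<root-directory>.</root-directory>
<resin:set var="resin_admin_external" value="false"/>
PATTERNS
    echo "$findings"   # number of step 15 values not yet replaced
}

# Constructed sample: user/group and interval edits done, both listener
# addresses left at their shipped values.
sample_partial() {
    cat <<'XML'
<resin:if test="${resin.userName == 'resin'}">
  <user-name>resin</user-name>
  <group-name>resin</group-name>
</resin:if>
<server id="" address="127.0.0.1" port="6800">
<http address="*" port="8080"/>
<dependency-check-interval>600s</dependency-check-interval>
XML
}

tmp=$(mktemp)
sample_partial > "$tmp"
audit_resin_conf "$tmp"
rm -f "$tmp"
```

Called with no argument, the function reads /usr/local/resin/conf/resin.xml, the path used in step 15.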