Apache Lockdown

To set up the new www servers, follow the normal build procedure for an RHEL4 machine in RTFM, then follow the steps below:

************* Install Apache **********
up2date -i httpd httpd-devel mod_ssl
Have it start on boot
chkconfig --level 345 httpd on

***************** install ftp server *****
up2date -i vsftpd
Start it; the packaged configuration is used as shipped — review /etc/vsftpd/vsftpd.conf (in particular whether anonymous logins are enabled) before the service is reachable, bearing in mind FTP carries credentials in cleartext.
Have it start on boot 'chkconfig --level 345 vsftpd on'

***** Install php dependencies ***********
up2date -i gcc zlib-devel openssl-devel aspell-devel curl-devel gmp-devel libjpeg-devel libxml2-devel freetype-devel ncurses-devel krb5-devel bzip2-devel libpng-devel unixODBC-devel libxslt-devel net-snmp-devel flex elfutils-devel elfutils-libelf-devel

****** Get and install Oracle libraries *****************
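cd ~
# The notes do not record where the RPMs were fetched from; point this at the
# internal package mirror rather than pulling them from the open internet.
: "${ORACLE_RPM_URL:?set to the base URL of the mirror that holds the Oracle Instant Client RPMs}"
wget "${ORACLE_RPM_URL}/oracle-instantclient-basic-10.1.0.4-1.i386.rpm"
wget "${ORACLE_RPM_URL}/oracle-instantclient-devel-10.1.0.4-1.i386.rpm"
# Check the packages against the checksum/signature the vendor publishes
# (rpm --checksig) before installing them.
# Name the packages explicitly: a bare 'oracle*' would also install and then
# delete any unrelated file in $HOME whose name happens to start with "oracle".
rpm -Uvh oracle-instantclient-basic-10.1.0.4-1.i386.rpm oracle-instantclient-devel-10.1.0.4-1.i386.rpm
rm -f -- oracle-instantclient-basic-10.1.0.4-1.i386.rpm oracle-instantclient-devel-10.1.0.4-1.i386.rpm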

******** Get php *************
Install the php RPM so that Apache gets its php.conf:
up2date -i php

******** Install mod_jk ************
Download the newest jakarta-tomcat-connectors release (jakarta-tomcat-connectors-1.2.15-src at the time of writing).
Extract it, then cd to jk/native/apache-2.0 and run:
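# Build mod_jk against the system apxs. The steps are chained so a failed
# configure or compile does not go on to install a stale or partial module.
./configure --with-apxs=/usr/sbin/apxs && make && make install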

********* Install JBoss from development **********
Get JBoss tarball from Development, and put it in /home/jboss.

********* Install mod_security per documentation on site ******

mod_jk.conf
***********************************
# Load the Tomcat connector built in the "Install mod_jk" step above
# (make install is expected to place mod_jk.so in the modules/ directory).
LoadModule jk_module modules/mod_jk.so

#
# JkLogLevel debug   -- enable only while troubleshooting; it is very verbose

# Log connector errors only in normal operation
JkLogLevel error
JkLogFile /var/log/httpd/mod_jk.log
# The AJP worker definitions live in workers.properties (not shown here)
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

#

mod_security_large.conf
***********************************

# mod_security 1.x filter set (SecFilter* directives). Rule order matters:
# a rule ending in "chain" only takes its action when the rule that follows
# it also matches.
SecFilterEngine On

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# Should only be on if the webserver is capable
SecFilterCheckUnicodeEncoding Off

# Cookie format checks.
SecFilterCheckCookieFormat On

# The name of the audit log file
# NOTE(review): a relative path is resolved against ServerRoot; the
# conf.d/mod_security.conf variant further down uses the absolute
# /var/log/httpd/audit_log — settle on one location.
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action set
# NOTE(review): the conf.d variant answers with status:403; using the same
# status in both makes blocked requests easy to pick out of the access log.
SecFilterDefaultAction "deny,log,status:406"

# BEGIN RULES
#
# Basic rules with arbitrary command detection
#
# THE_REQUEST is the raw request line (method, URI, protocol). None of the
# patterns below is anchored, so each matches anywhere in that line.

SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
# The two /htgrep rules form a chain whose final action is log,pass:
# a /htgrep request is written to the audit log but is NOT blocked.
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
# NOTE(review): the next two patterns look mangled in transcription — the
# leading "]", the "^}}" and the trailing "/i" are not pattern syntax these
# directives accept. Re-copy them from the rule set they were taken from.
SecFilterSelective THE_REQUEST "]expression\s*\(/i"
SecFilterSelective THE_REQUEST "\s*expression\s*\(^}}\s*<\/STYLE>/i"
# NOTE(review): this denies any request line containing the token, which can
# include legitimate paths or parameter names; check the audit log for false
# positives after enabling it.
SecFilterSelective THE_REQUEST "SCRIPT"

#XSS insertion into Content-Type
# NOTE(review): ":space:" on its own is not a character class — the
# surrounding brackets of [[:space:]] appear to have been lost when this
# rule was pasted (the xmlrpc rule below has the same problem). Compare
# against the upstream rule before relying on it.
SecFilterSelective THE_REQUEST "Content-Type\:.*(<:space:*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome):space:*>|onmouseover=|javascript\:)"
#Not included by default for safer config
#SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
#SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

#Require Content-Length to be provided with every POST request
# Chain: method is POST AND the Content-Length header is empty -> default action.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# NOTE(review): this rule is NOT part of the chain above (the chain ends at
# the Content-Length rule), so it denies every request carrying a
# Transfer-Encoding header — e.g. chunked uploads — whatever the method.
# Confirm that is intended.
SecFilterSelective HTTP_Transfer-Encoding "!^$"

#Generic PHP remote file inclusion attack signature
# NOTE(review): several alternatives (cd, cmd, pwd, id, uname, whoami) carry
# no trailing space or anchor, so a harmless "cmd=identity" matches as well;
# "rm \-A-Z" also looks like a lost bracket class. Verify against the
# original rule and watch for false positives.
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-A-Z)"
#SecFilterSelective REQUEST_URI "\.php\?" chain
#SecFilter "(http|https|ftp)\:/" chain
#SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-A-Z)"

#Specific XML-RPC attacks on xmlrpc.php
# Chain: request line names an xmlrpc PHP script AND the body pattern below
# matches. See the bracket-class note above before trusting the second pattern.
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\.*.*.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe):space:+a-z|0-9|\*| |,+:space:(from|into|table|database|index|view).*methodName\>"

# Application specific rules
# This is a compilation of rulesets made for specific vulnerabilities that exist
# in outdated, popular web-applications.
###
# (none are included in this copy of the file)

# END RULES

Enable the NameVirtualHost line in /etc/httpd/conf/httpd.conf, and set the user/group to:
User www
Group www

Also add this after the existing conf.d Include line in httpd.conf:
Include conf.d/*.conf-ssl

Change 'ServerTokens OS' to 'ServerTokens Prod'
Set ServerName and ServerAdmin.

Mount the filesystems with restrictive options, for example:

/dev/mapper/VolGroup00-LogVolHome on /home type ext3 (rw,nosuid,nodev)
/dev/mapper/VolGroup00-LogVolTmp on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/mapper/VolGroup00-LogVolVar on /var type ext3 (rw,noexec,nosuid,nodev)

Change the OPTIONS line in /etc/sysconfig/httpd to:
OPTIONS=" -D SSL"

Restart Apache
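# Check the configuration first so a typo does not leave httpd down after the restart.
/usr/sbin/apachectl configtest && /etc/init.d/httpd restart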

***** If mod_security is wanted/needed ******

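# The source tarball is fetched over plain HTTP; compare it with the checksum
# or signature the project publishes before building it.
wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
# Use exact names: 'modsecurity*' matches both the tarball and, on a re-run,
# the already-extracted directory, which makes tar and cd ambiguous. The
# directory name is assumed to follow the tarball name; adjust if it differs.
# apxs -c compiles the module, -i installs it, -a adds the LoadModule line to httpd.conf.
tar -xzf modsecurity-apache-1.9.2.tar.gz \
  && cd modsecurity-apache-1.9.2/apache2/ \
  && /usr/sbin/apxs -cia mod_security.c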

Put this in /etc/httpd/conf.d/mod_security.conf

# Minimal mod_security 1.x configuration: engine on, deny by default, POST
# body inspection, encoding sanity checks, audit log of matched requests.
SecFilterEngine On
# NOTE(review): mod_security_large.conf above uses status:406; align the two.
SecFilterDefaultAction "deny,log,status:403"
# Inspect request bodies, not just the request line and headers
SecFilterScanPOST On
# Reject requests with invalid URL encoding
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept only bytes 1-255, i.e. reject requests that contain NUL bytes
SecFilterForceByteRange 1 255
# NOTE(review): intercepted uploads are spooled into the world-writable,
# shared /tmp (mounted noexec above, which is fine for inspection only).
# A directory readable solely by the httpd user is the safer choice.
SecUploadDir /tmp
# Spooled upload files are discarded once the request has been inspected
SecUploadKeepFiles Off
# Log only the transactions mod_security regards as relevant (matched requests)
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
# Debug output is disabled (level 0); raise it only while troubleshooting a rule
SecFilterDebugLog /var/log/httpd/mod_sec_debug_log
SecFilterDebugLevel 0

Restart Apache
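# Check the configuration first so a broken mod_security.conf does not leave httpd down.
/usr/sbin/apachectl configtest && /etc/init.d/httpd restart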