When the server has SELinux enabled, I can't even change the location of DocumentRoot. It kept giving me error about "DocumentRoot /var/www/newdir/html does not exist".

This is because the SELinux policy will deny httpd access to any unlabelled files by default.

Instead of disabling SELinux, we could try toggle the SELinux rule settings.

To see all SELinux values, do:
root# getsebool -a

To see all the apache related SELinux boolean values, do:
root# getsebool -a | grep httpd

This is recorded on CentOS-5, Apache-2.2.3. Also, reference my notes on enabling ssl on apache 2.0.63.

Install httpd and mod_ssl:
root# yum install httpd mod_ssl
root# mkdir /etc/httpd/ssl
root# cd /etc/httpd/ssl
root# vi openssl.cnf

Here you can enter your content of openssl.cnf, and then generate a private key:
root# openssl genrsa -des3 -out server.key 1024

This is recorded from CentOS4, httpd-2.0.63

To start, we make sure we have httpd and mod_ssl installed:

# yum install httpd mod_ssl
# cd /etc/httpd/conf
# vi openssl.conf

After we enter your copy of openssl.conf, we'll modify the Makefile - in the section for the target "$(CRT):", append two lines:

        cp $(KEY) $(KEY).orig
        openssl rsa -in $(KEY) -out $(KEY)

Now we can create the CSR:

Remove MySQL from network

By default, MySQL listens on port 3306. Stop it from listening on any TCP/IP port if you don't use it on network.

# vi /etc/my.cnf

Change
#skip-networking
to
skip-networking

Secure the user accounts

A default install of MySQL is somewhat lacking in security. To fix that we are going to do the following:

To setup a wildcard certificate, use "*.yourdomain.com" as the Common Name when you generate the certificate signing request (CSR).

If you want to same certificate to work on "yourdomain.com" (without the subdomain), then add

subjectAltName=${ENV::SAN}

in the [ usr_crt ] section of your openssl.cnf file, and set the environment variable

export SAN='DNS:yourdomain.com'

before running the openssl commands to create the CSR.

Reference:

Google released an open source tool called ratproxy, which aims for helping developers to audit Web application security. It is a non-disruptive tool designed for Web 2.0 and AJAX applications that produces an easy-to-read report of potential exploits.

Linux.com has a review on it today.

First, please check the Apache website for

• Apache HTTP Server Version 2.2 Security Tips
• Apache HTTP Server Version 2.0 Security Tips

http://xianshield.org/guides/apache2.0guide.html has some nice tips on how to harden your apache server. Especially, check your httpd.conf and make sure the configurations are fine.

Note: This is still a work in progress. I will gradually add items to the list. You are welcome to contribute your points. Thanks.

To begin, we shall first follow Configuration steps for a more secure site. Then we can do the rest as listed below.

If your network admin complains that your computer is flooding the network with icmp requests, and if you are not aware of any program that need to do this, you should pay attention and find out what's going on.

To see a statistic report on your computer's icmp activities:

root# netstat -sp

This displays summary statistics for each protocol. Look under the section "Icmp:" for icmp related statistics report.

To see icmp traffic on your computer:

root# tcpdump icmp