Webapp Security

SELinux and Apache

When the server has SELinux enabled, I can't even change the location of DocumentRoot. It kept giving me an error about "DocumentRoot /var/www/newdir/html does not exist".

This is because the SELinux policy denies httpd access to any file that is not labelled with a type httpd is allowed to read, so a directory created by hand is rejected even though it exists.

Instead of disabling SELinux, we can toggle the relevant SELinux booleans (use setsebool -P so the change survives a reboot).

To see all SELinux values, do:
root# getsebool -a

To see all the apache related SELinux boolean values, do:
root# getsebool -a | grep httpd

Enable SSL on Apache-2.2

This is recorded on CentOS-5, Apache-2.2.3. See also my notes on enabling SSL on Apache 2.0.63.

Install httpd and mod_ssl:
root# yum install httpd mod_ssl
root# mkdir /etc/httpd/ssl
root# cd /etc/httpd/ssl
root# vi openssl.cnf

Enter the contents of your openssl.cnf here, then generate a private key. Because of -des3 the key is passphrase-protected, so httpd will prompt for the passphrase at every start unless the passphrase is later stripped (as the Makefile step in the next section does):
root# openssl genrsa -des3 -out server.key 1024

Enable Apache HTTPS

This is recorded from CentOS4, httpd-2.0.63.

To start, we make sure we have httpd and mod_ssl installed:

# yum install httpd mod_ssl
# cd /etc/httpd/conf
# vi openssl.conf

After entering your copy of openssl.conf, modify the Makefile in the same directory: in the recipe for the "$(CRT):" target, append the two lines below. The first backs up the key, the second rewrites it without its passphrase so httpd can start without prompting:

        cp $(KEY) $(KEY).orig
        openssl rsa -in $(KEY) -out $(KEY)

Now we can create the CSR:

Securing MySQL

Remove MySQL from network

By default, MySQL listens on TCP port 3306. If nothing connects to it over the network, stop it from listening on any TCP/IP port at all.

# vi /etc/my.cnf

Change
#skip-networking
to
skip-networking

Secure the user accounts

A default install of MySQL is somewhat lacking in security. To fix that we are going to do the following:

Wildcard SSL Certificates

To set up a wildcard certificate, use "*.yourdomain.com" as the Common Name when you generate the certificate signing request (CSR).

If you want the same certificate to also work for "yourdomain.com" (the bare domain, without a subdomain), then add

subjectAltName=${ENV::SAN}

in the [ usr_cert ] section of your openssl.cnf file, and set the environment variable

export SAN='DNS:yourdomain.com'

before running the openssl commands that create the CSR. Note that once openssl.cnf references ${ENV::SAN}, every openssl command that loads that config fails if SAN is unset, so export it first.
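The CSR step described above, carried out end to end as an added example (this is not code from the original notes). The SAN is taken from the SAN environment variable as in the snippet above, but here it is placed in the req_extensions section so it lands in the CSR itself, and the CSR is then inspected to confirm both the wildcard CN and the SAN before it goes to a CA. Assumed: openssl is installed; the working directory, file names and domain are constructed placeholders for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds a wildcard CSR whose
# subjectAltName is supplied through the SAN environment variable, then
# inspects the CSR so the CN and SAN can be checked before sending it off.
# Assumptions: openssl is on PATH; WORKDIR, file names and the domain are
# constructed for this example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal openssl.cnf. ${ENV::SAN} makes openssl refuse to load the config
# when SAN is unset, so a missing SAN fails loudly instead of being omitted.
write_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = *.yourdomain.com

[ v3_req ]
subjectAltName = ${ENV::SAN}
EOF
}

# Generate the key and CSR. A 2048-bit key is used here rather than the
# 1024-bit key shown in the older notes above.
make_csr() {
    write_cnf
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" \
        -config "$WORKDIR/openssl.cnf" -out "$WORKDIR/server.csr"
}

# Print the SAN value recorded in the CSR, e.g. "DNS:yourdomain.com".
csr_san() {
    openssl req -in "$WORKDIR/server.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Print the CSR subject so the wildcard CN can be verified.
csr_cn() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject
}
```

Run it with SAN='DNS:yourdomain.com' exported; if SAN is not set, make_csr fails at the config-loading step, which is the intended safety net.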

Lighttpd Secure Configuration

Reference:

Google Ratproxy

Google released an open source tool called ratproxy that helps developers audit Web application security. It is a non-disruptive tool designed for Web 2.0 and AJAX applications, and it produces an easy-to-read report of potential exploits.

Linux.com has a review of it today.

Hardening Apache

First, please check the Apache website for

http://xianshield.org/guides/apache2.0guide.html has some nice tips on how to harden your Apache server. In particular, review your httpd.conf and make sure its directives are sound.

Harden Your Drupal Websites

Note: This is still a work in progress. I will gradually add items to the list. You are welcome to contribute your points. Thanks.

To begin, first follow the "Configuration steps for a more secure site" guide. Then work through the rest of the items listed below.

How to Find out Which Process is Issuing ICMP Requests

If your network admin complains that your computer is flooding the network with ICMP requests, and you are not aware of any program that needs to do this, you should pay attention and find out what's going on.

To see statistics on your computer's ICMP activity:

root# netstat -sp

This displays summary statistics for each protocol. Look under the "Icmp:" section for the ICMP-related counters; a rapidly growing count of outgoing echo requests confirms the complaint.

To watch ICMP traffic on your computer as it happens:

root# tcpdump icmp