Securing website as per Trustkeeper report
To resolve the security issues reported on one of the client's websites, the changes below were required.
- OpenSSL needs to be upgraded from OpenSSL 0.9.8e-fips-rhel5 to openssl-1.0.1b
- Compile Apache against the new OpenSSL
- Compile mod_jk against the new Apache
- SSLv2 should be disabled, and SSLv3, TLSv1 and/or newer should be implemented
- SSLCipherSuite should be restricted to high-grade ciphers
- Configure the Apache server to disable the FilesMatch (SSLOptions) feature of httpd.conf
- Disable ephemeral Diffie-Hellman ciphers in Apache
- Browser auto-completion should be blocked on JBoss
- Remove the 'favicon.ico' file or create a custom one for the site
- Apache upgrade from 2.2.22 to 2.4.2 - testing phase for hrdap01 only
- Since Drupal is also on the same public IP, its Apache needs to be upgraded from 2.2.15 to 2.4.2
- For Drupal, OpenSSL needs to be upgraded from OpenSSL 0.9.8e-fips-rhel5 to openssl-1.0.1b
Drupal is hosted on node1 - 192.168.0.1
Testing for all of the above should be done on node2 - 192.168.0.2
Below are the configurations and parameters for the points listed above.
1. OpenSSL needs to be upgraded from OpenSSL 0.9.8e-fips-rhel5 to openssl-1.0.1b
Note: if the new OpenSSL is installed without removing the old one, Apache will work with the new OpenSSL, but other programs will still use the old OpenSSL libraries.
Steps:
To install OpenSSL, you will need:
* make
* Perl 5
* an ANSI C compiler
* a development environment in the form of development libraries and C header files
* a supported Unix operating system
# wget http://www.openssl.org/source/openssl-1.0.1b.tar.gz
# tar xvzf openssl-1.0.1b.tar.gz
# cd openssl-1.0.1b
# ./config --prefix=/usr/local/openssl
# make
# make install
# /usr/local/openssl/bin/openssl version
2. Compile Apache with the new OpenSSL
# cd /home/sacharya/apache
# wget http://apache.deathculture.net//httpd/httpd-2.2.22.tar.gz
# tar xvzf httpd-2.2.22.tar.gz
# cd httpd-2.2.22
# vi config.nice
Add the lines below:
#! /bin/sh
#
# Created by configure
LDFLAGS="-ldl"; export LDFLAGS
"./configure" \
"--prefix=/d03/apache2" \
"--enable-so" \
"--enable-ssl" \
"--with-included-apr" \
"--enable-rewrite" \
"--disable-userdir" \
"--disable-autoindex" \
"--disable-status" \
"--with-ssl=/usr/local/openssl" \
"build_alias=" \
"host_alias=" \
"target_alias=" \
"LDFLAGS=-ldl" \
"$@"
Export the -ldl linker flag so the SSL libraries link correctly:
vi /root/.bash_profile
export LDFLAGS=-ldl
Now compile Apache:
# cd /home/sacharya/apache/httpd-2.4.2
# ./config.nice
# make
# make install
3. Compile mod_jk with Apache
# wget http://apache.tradebit.com/pub//tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.30-src.tar.gz
# tar xvzf tomcat-connectors-1.2.30-src.tar.gz
# cd tomcat-connectors-1.2.30-src/native
# ./configure --with-apxs=/d03/apache2/bin/apxs
# make
# make install
Then proceed with the Apache and JBoss integration steps for HTTP and HTTPS.
Points 4 and 5 below go in httpd-ssl.conf.
4. SSLv2 should be disabled, and SSLv3, TLSv1 and/or newer should be implemented
SSLProtocol -ALL +SSLv3 +TLSv1
5. SSLCipherSuite should be restricted to high-grade ciphers
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
6. Configure the Apache server to disable the FilesMatch feature of httpd.conf
Comment out the following blocks in httpd-ssl.conf:
#<FilesMatch "\.(cgi|shtml|phtml|php)$">
# SSLOptions +StdEnvVars
#</FilesMatch>
#<Directory "/d03/apache2/cgi-bin">
# SSLOptions +StdEnvVars
#</Directory>
7. Disable ephemeral Diffie-Hellman ciphers in Apache
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!kEDH:!NULL