Basic system security (Howto Block MorfeusFuckingScanner)
Written by Administrator   
Saturday, 15 September 2007

1. Install Mod_security apache module

 yum install mod_security

Edit /etc/httpd/conf.d/mod_security.conf and change it to:

LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>
    # Turn ModSecurity On
    SecFilterEngine On

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog /var/log/apache2/modsec_debug_log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type \
    "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>
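
What the four chained checks above reject, as an added example (not part of the original howto): a shell model of the rules run over constructed requests. It assumes an absent header is seen as an empty string, and the function name and the reason labels are made up for illustration.

```sh
# Added example: a model of the four request checks in the <IfModule> block.
# Assumptions: an absent header is passed as "" (so it matches "^$"), and the
# patterns are matched exactly as written, using grep -E.
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# args: METHOD CONTENT_TYPE CONTENT_LENGTH TRANSFER_ENCODING
modsec_verdict() {
    method=$1; ctype=$2; clen=$3; tenc=$4
    # Rule 1: not GET/HEAD, and Content-Type is not an accepted encoding
    if ! matches "$method" '^(GET|HEAD)$' &&
       ! matches "$ctype" '(^application/x-www-form-urlencoded$|^multipart/form-data;)'
    then echo "403 content-type"; return 0; fi
    # Rule 2: GET or HEAD that carries a body (Content-Length is not empty)
    if matches "$method" '^(GET|HEAD)$' && ! matches "$clen" '^$'
    then echo "403 body-on-get"; return 0; fi
    # Rule 3: POST without a Content-Length header
    if matches "$method" '^POST$' && matches "$clen" '^$'
    then echo "403 no-content-length"; return 0; fi
    # Rule 4: any Transfer-Encoding header at all
    if ! matches "$tenc" '^$'
    then echo "403 transfer-encoding"; return 0; fi
    echo "pass"
}

# Constructed sample requests (not taken from any log)
show() { printf '%-6s %-50s -> %s\n' "$1" "${2:-<none>}" "$(modsec_verdict "$@")"; }
show GET    "" "" ""
show POST   "application/x-www-form-urlencoded" 11 ""
show POST   "multipart/form-data; boundary=x" 100 ""
show POST   "application/x-www-form-urlencoded; charset=UTF-8" 11 ""
show POST   "application/json" 17 ""
show DELETE "" "" ""
show GET    "" 5 ""
show POST   "application/x-www-form-urlencoded" "" ""
show GET    "" "" chunked
```

The anchored pattern in the first rule also turns away form posts that add a charset parameter, JSON posts, and any non-GET/HEAD method sent without a Content-Type, so check your applications against it before enabling the filter.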


2. Secure the tmp folder 

 cd /dev
#Create 100MB file for /tmp partition.
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
#Make an extended filesystem for tmpMnt file
/sbin/mke2fs /dev/tmpMnt
#Backup /tmp dir (-a keeps ownership, permissions and hidden files)
cp -a /tmp /tmp_backup
#Mount the new /tmp filesystem with noexec
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp
#Copy everything back to new /tmp and remove backup
cp -a /tmp_backup/. /tmp/
rm -rf /tmp_backup
#Now we need to add this to fstab so it mounts automatically on reboots.

nano -w /etc/fstab
#add:
/dev/tmpMnt             /tmp                    ext2    loop,noexec,nosuid,rw  0 0
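
A check for step 2, as an added example (not part of the original howto): the function reads mount-table lines in /proc/mounts format and reports whether the filesystem on /tmp carries noexec and nosuid. The function name is made up for illustration and the sample lines are constructed.

```sh
# Added example: verify the mount options of /tmp.
# Input: lines in /proc/mounts format (device mountpoint fstype options ...).
# Output: "ok", "missing <options>", or "not-a-mount" if /tmp is not mounted.
tmp_mount_check() {
    awk '
        # When /tmp is mounted more than once, the last entry is the one on top.
        $2 == "/tmp" { opts = $4; seen = 1 }
        END {
            if (!seen) { print "not-a-mount"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) has[o[i]] = 1
            missing = ""
            if (!("noexec" in has)) missing = missing " noexec"
            if (!("nosuid" in has)) missing = missing " nosuid"
            if (missing == "")
                print "ok"
            else
                print "missing" missing
        }'
}

# Constructed sample: /tmp mounted as in step 2
printf '%s\n' \
    '/dev/root / ext3 rw 0 0' \
    '/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0' | tmp_mount_check

# Constructed sample: /tmp remounted later without noexec
printf '%s\n' \
    '/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0' \
    '/dev/loop1 /tmp ext2 rw,nosuid 0 0' | tmp_mount_check
```

On a live system run tmp_mount_check < /proc/mounts. noexec stops files in /tmp from being executed directly; a script stored there can still be run by passing it to an interpreter.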

3. Set register_globals in php.ini to off (optional)

nano /your/path/to/php.ini
#find register_globals and change it to off

4. Setup basic firewall options (it also blocks ICMP requests; it is optional)

nano /etc/sysconfig/iptables

*nat
:OUTPUT ACCEPT [7:541]
:POSTROUTING ACCEPT [7:479]
:PREROUTING ACCEPT [1250:117694]
COMMIT
# Completed on Sat Sep  8 15:54:16 2007
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [2094:186924]
:OUTPUT ACCEPT [991:255278]
:POSTROUTING ACCEPT [990:255176]
:PREROUTING ACCEPT [2187:197644]
COMMIT
# Completed on Sat Sep  8 15:54:16 2007
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 106 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
 

Finally restart your services

/etc/init.d/iptables restart

/etc/init.d/httpd restart 
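
To audit what the INPUT chain from step 4 exposes, an added example (not part of the original howto): first-match evaluation of the filter table for a new connection arriving from outside. The function name is made up, the sample is a constructed subset of the rules above, and rules that depend on connection state, TCP flags, interface or ICMP type are skipped by assumption.

```sh
# Added example: which verdict does a NEW inbound connection to PROTO/PORT get?
# Reads an iptables-save style ruleset on stdin. Only -p, --dport and -j are
# modelled; rules with other matches (state, flags, -i lo, icmp-type) are skipped.
input_verdict() {   # args: PROTO PORT
    awk -v proto="$1" -v port="$2" '
        /^\*/              { table = $1 }
        table != "*filter" { next }
        /^:INPUT /         { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            p = ""; d = ""; j = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") p = $(++i)
                else if ($i == "--dport") d = $(++i)
                else if ($i == "-j") { j = $(++i); break }
                else if ($i == "-m") ++i      # skip the match-module name
                else other = 1                # a match this model does not cover
            }
            if (other) next
            if (p != "" && p != proto) next
            if (d != "" && d != port) next
            print j; found = 1; exit          # first matching rule wins
        }
        END { if (!found) print policy }'
}

# Constructed subset of the ruleset in step 4
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT'

for target in "tcp 22" "tcp 3306" "udp 53" "tcp 8080"; do
    set -- $target
    printf '%s/%s -> %s\n' "$1" "$2" "$(printf '%s\n' "$SAMPLE_RULES" | input_verdict "$1" "$2")"
done
```

Against the real file: input_verdict tcp 3306 < /etc/sysconfig/iptables. Any port that comes back ACCEPT for a service you do not run should be removed from the ruleset.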


Last Updated ( Saturday, 15 September 2007 )
 