Difference between revisions of ""Secure" Word Press on Amazon Linux"

Line 44: Line 44:
 
sudo mv /etc/httpd/conf.d/ssl.conf ./
 
sudo mv /etc/httpd/conf.d/ssl.conf ./
 
echo -e "LoadModule ssl_module modules/mod_ssl.so\nListen 443\nSSLPassPhraseDialog  builtin\nSSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)\nSSLSessionCacheTimeout  300\nSSLMutex default\nSSLRandomSeed startup file:/dev/urandom  256\nSSLRandomSeed connect builtin\nSSLCryptoDevice builtin\n\n<VirtualHost *:80>\nRewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}\n</VirtualHost>\n\n<VirtualHost _default_:443>\nDocumentRoot /var/www/html/wordpress\nErrorLog logs/ssl_error_log\nTransferLog logs/ssl_access_log\nLogLevel warn\nSSLEngine on\nSSLCertificateFile /etc/pki/tls/certs/localhost.crt\nSSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>" > /etc/httpd/conf.d/vhost.conf
 
echo -e "LoadModule ssl_module modules/mod_ssl.so\nListen 443\nSSLPassPhraseDialog  builtin\nSSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)\nSSLSessionCacheTimeout  300\nSSLMutex default\nSSLRandomSeed startup file:/dev/urandom  256\nSSLRandomSeed connect builtin\nSSLCryptoDevice builtin\n\n<VirtualHost *:80>\nRewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}\n</VirtualHost>\n\n<VirtualHost _default_:443>\nDocumentRoot /var/www/html/wordpress\nErrorLog logs/ssl_error_log\nTransferLog logs/ssl_access_log\nLogLevel warn\nSSLEngine on\nSSLCertificateFile /etc/pki/tls/certs/localhost.crt\nSSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>" > /etc/httpd/conf.d/vhost.conf
sudo apachectl graceful
 
 
</pre>
 
</pre>
 +
Since echo can not write to the destination file, here is the entry formatted for copy and past into a conf file
 +
<pre>
 +
LoadModule ssl_module modules/mod_ssl.so
 +
Listen 443
 +
SSLPassPhraseDialog  builtin
 +
SSLSessionCache        shmcb:/var/cache/mod_ssl/scache(512000)
 +
SSLSessionCacheTimeout  300
 +
SSLMutex default
 +
SSLRandomSeed startup file:/dev/urandom  256
 +
SSLRandomSeed connect builtin
 +
SSLCryptoDevice builtin
 +
 +
<VirtualHost *:80>
 +
RewriteEngine On
 +
RewriteCond %{HTTPS} off
 +
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}
 +
</VirtualHost>
 +
 +
<VirtualHost _default_:443>
 +
DocumentRoot /var/www/html/wordpress
 +
ErrorLog logs/ssl_error_log
 +
TransferLog logs/ssl_access_log
 +
LogLevel warn
 +
SSLEngine on
 +
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 +
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 +
</VirtualHost>
 +
</pre>
 +
*Restart Apache
 +
sudo apachectl graceful
 
*Allow the web server to write to the uploads directory for automatic updates. This first chown command shouldn't be needed, I will be doing further testing to ensure it can be removed.
 
*Allow the web server to write to the uploads directory for automatic updates. This first chown command shouldn't be needed, I will be doing further testing to ensure it can be removed.
 
<pre>
 
<pre>
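Review bot: The `<VirtualHost _default_:443>` block in the new copy-paste listing turns on `SSLEngine on` with no `SSLProtocol` or `SSLCipherSuite`, while the context line `sudo mv /etc/httpd/conf.d/ssl.conf ./` takes the stock ssl.conf out of play, so mod_ssl's defaults alone decide which protocol versions and ciphers this host will negotiate. Adding `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5` and `SSLHonorCipherOrder on` inside the 443 vhost would make that explicit. The added sentence "Since echo can not write to the destination file" misstates the cause: the preceding `echo -e` carries no sudo and its `>` redirect is opened by the unprivileged shell, so `echo -e "…" | sudo tee /etc/httpd/conf.d/vhost.conf >/dev/null` would write the file and make the manual copy step unnecessary. The port-80 redirect also builds its target from `%{HTTP_HOST}`, i.e. whatever Host header the client sent, rather than from the server's own name.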

Revision as of 10:20, 28 December 2017

These instructions record my attempts at a generally "locked down" instance for running Word Press without losing sleep.

Version I am working with before updates
Linux ip-172-26-9-250 4.9.51-10.52.amzn1.x86_64 #1 SMP Fri Sep 29 01:16:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[1][2]

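# Base install and hardening on a fresh Amazon Linux host, pasted as the unprivileged
# login user: update, pull in the SELinux tooling, fail2ban and the LAMP stack, switch
# SELinux on at boot, trim the Apache/PHP version banners, enable services, then reboot
# with a full filesystem relabel.
sudo yum -y update
sudo yum -y install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls \
  selinux-policy-targeted policycoreutils fail2ban httpd mysql mysql-server php php-mysql \
  mod_ssl yum-cron
sudo ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
# Turn SELinux on via the kernel command line in both grub files. The pattern consumes
# the whole "selinux=<n>" parameter: matching a bare "selinux=" leaves the old digit
# glued onto the replacement ("enforcing=10" for an original "selinux=0").
sudo sed -i 's/selinux=[0-9]*/selinux=1 security=selinux enforcing=1/' /etc/grub.conf
sudo sed -i 's/selinux=[0-9]*/selinux=1 security=selinux enforcing=1/' /boot/grub/menu.lst
# Hide the Apache version banner. The append has to go through tee: a ">>" redirect is
# opened by the unprivileged shell, not by sudo, so "sudo echo ... >> file" is denied.
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' \
  | sudo tee -a /etc/httpd/conf/httpd.conf >/dev/null
sudo rm -f /etc/httpd/conf.d/welcome.conf
# Stop PHP announcing itself in its response header (expose_php).
sudo sed -i 's/expose_php\ =\ On/expose_php\ =\ off/' /etc/php.ini
sudo chkconfig fail2ban on
sudo chkconfig mysqld on
sudo chkconfig httpd on
# Request a full relabel on the next boot so every file gets a label under the new policy.
sudo touch /.autorelabel
sudo reboot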
  • After logging back in make sure services are started.
# Confirm the three services enabled before the reboot actually came back up.
for svc in httpd mysqld fail2ban; do
  sudo service "$svc" status
done
  • Prepare MySQL for Word Press by creating a database.
# Run the stock MySQL hardening script, then open an interactive root session
# (password prompted, never placed on the command line) to create the Word Press
# database by hand.
sudo mysql_secure_installation
mysql --user=root --password
  • Grab Word Press and install in the appropriate location
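# Fetch the current Word Press release into a scratch directory and move it into the
# document root. The archive is compared against the SHA-1 digest wordpress.org serves
# at the same URL with ".sha1" appended before it is unpacked, so a truncated or
# tampered download is reported instead of installed.
wget https://wordpress.org/latest.tar.gz
wget https://wordpress.org/latest.tar.gz.sha1
# The .sha1 file holds the bare hex digest (no filename), so sha1sum -c cannot read it;
# compare the digest fields directly.
if [ "$(sha1sum latest.tar.gz | cut -d' ' -f1)" = "$(tr -d '[:space:]' < latest.tar.gz.sha1)" ]; then
  # -p so a re-run with an existing build/ directory does not stop here.
  mkdir -p build
  cd build && tar -xf ../latest.tar.gz && sudo mv wordpress /var/www/html/wordpress
else
  # No exit: these lines are pasted into an interactive shell, so just report and stop here.
  echo 'latest.tar.gz does not match latest.tar.gz.sha1; not installing' >&2
fi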
  • There are many ways to make this work; I prefer vhosts and subdirectories. This will get us up and running with a self-signed cert for initial configuration. Afterwards the cert should be updated.
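# Park the stock ssl.conf outside conf.d (moved, not deleted, so it can still be consulted),
# then write our own TLS vhost file. A plain ">" redirect is opened by the unprivileged
# shell and cannot create a file under /etc — the reason the original echo could not
# write the file — so the content is piped through "sudo tee" instead. The quoted
# heredoc delimiter keeps the text literal (no expansion of %{...} or backslashes).
# NOTE(review): the 443 vhost sets no SSLProtocol/SSLCipherSuite, so mod_ssl defaults
# decide what is negotiated; restrict them before exposing the host.
sudo mv /etc/httpd/conf.d/ssl.conf ./
sudo tee /etc/httpd/conf.d/vhost.conf >/dev/null <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}
</VirtualHost>

<VirtualHost _default_:443>
DocumentRoot /var/www/html/wordpress
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF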

Since echo cannot write to the destination file (the shell redirect runs as the unprivileged user, not as root), here is the entry formatted for copying and pasting into a conf file

# Standalone TLS configuration that replaces the stock ssl.conf moved out of conf.d above.
# Global mod_ssl settings: load the module, listen on 443, session cache, PRNG seeding.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
# SSLMutex is the httpd 2.2 spelling; 2.4 replaced it with the core Mutex directive.
# Matches the httpd package this page installs — verify if the httpd version changes.
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# Plain-HTTP vhost whose only job is to bounce every request to HTTPS. The target host
# is taken from the request's Host header (%{HTTP_HOST}), so it follows whatever a
# client sends rather than the server's own name.
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}
</VirtualHost>

# TLS vhost serving Word Press from the self-signed localhost cert (to be replaced).
# No SSLProtocol or SSLCipherSuite is set here, so mod_ssl's defaults decide what is
# negotiated; nothing on this page restricts the protocol versions.
<VirtualHost _default_:443>
DocumentRoot /var/www/html/wordpress
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
  • Restart Apache
# Reload Apache so the new vhost file is picked up without dropping in-flight requests.
sudo apachectl -k graceful
  • Allow the web server to write to the uploads directory for automatic updates. This first chown command shouldn't be needed; I will be doing further testing to confirm it can be removed.
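# Give httpd write access where Word Press needs it. The chown hands the whole code tree
# to the apache user (the author notes it is probably unnecessary and is still testing
# that); only the uploads tree gets the writable SELinux label.
sudo chown -R apache:apache /var/www/html/wordpress/*
# Label the uploads directory itself, not just its current children ("uploads/*"):
# SELinux checks the directory's label when httpd creates a new file, so labelling only
# the contents leaves uploads unwritable for new files. chcon does not survive a
# relabel; the semanage fcontext form in the notes below is the persistent one.
sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/wordpress/wp-content/uploads
sudo setsebool -P httpd_read_user_content on
sudo setsebool -P httpd_can_network_connect_db on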
  • Make sure that you use 172.0.0.1 for the database server, instead of localhost (it gets complicated otherwise)
  • Add various SELinux permissions (I still need to research this; optionally you could enable httpd_unified, but that is not the best idea)
# Bare allow rules in the form audit2allow prints them; to load them they need to be
# wrapped in a policy module with a require block, or regenerated with audit2allow -M.
allow httpd_t etc_mail_t:dir { search getattr };
# The SELinux notes below list httpd_can_network_connect among the booleans that cover
# this denial, which would avoid a custom rule.
allow httpd_t http_port_t:tcp_socket name_connect;
# Lets httpd write to directories carrying the read-only web content label, which
# erodes the rw/ro split that httpd_sys_rw_content_t on uploads is meant to provide.
allow httpd_t httpd_sys_content_t:dir write;
allow httpd_t initrc_t:unix_stream_socket connectto;
# Lets httpd read files under user home directories; the notes below name
# httpd_read_user_content / httpd_enable_homedirs for the related dir getattr denial —
# presumably they cover this one too; verify before keeping a custom rule.
allow httpd_t user_home_t:file read;
  • Fail2ban policy
# SELinux policy fail2ban needs: one boolean plus a custom module. fail2ban.pp is not
# built anywhere on this page; presumably produced with audit2allow -M the same way
# shutdown.pp is below — confirm where it comes from before loading it.
sudo setsebool -P authlogin_nsswitch_use_ldap=on
sudo semodule -i fail2ban.pp
  • Make sure Amazon has the access it needs
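# Policy Amazon's own tooling needs. The ldap boolean repeats the fail2ban step above and
# is kept so this block stands on its own; the original had "sudo sudo" here by mistake.
sudo setsebool -P authlogin_nsswitch_use_ldap on
# Build a module from every audit record mentioning "shutdown". audit2allow grants
# whatever those denials asked for, so read the generated shutdown.te before loading it
# rather than trusting the grep to have matched only the intended events.
sudo grep shutdown /var/log/audit/audit.log | audit2allow -M shutdown
cat shutdown.te
sudo semodule -i shutdown.pp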
  • Reboot again just for the fun of it.
  • Install Wordfence Security plugin. Modify settings to fit your needs.

SELinux Notes

  • From before making any changes.
# audit2allow output captured before any policy changes were made; each "!!!!" line
# names the booleans that would cover the denial without a custom allow rule.
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_graceful_shutdown, allow_ypbind, httpd_can_network_connect

allow httpd_t http_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs

allow httpd_t user_home_t:dir getattr;

  • sudo semanage fcontext -a -t httpd_sys_rw_content_t "/path(/.*)?"
  • https://www.tecmint.com/hide-apache-web-server-version-information/
  • https://www.tecmint.com/hide-php-version-http-header/