11. Harden PHP for security
• sudo nano /etc/php5/apache2/php.ini
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
• sudo /etc/init.d/apache2 restart
Notes: this php.ini is read only by the Apache module; the CLI has its own
(/etc/php5/cli/php.ini), so scripts started from cron or a shell are not covered.
disable_functions blocks only the names listed, so add proc_open, popen and
pcntl_exec as well unless the application needs them; otherwise an attacker who
can inject PHP still gets a process. Pair display_errors = Off with
log_errors = On so errors still reach the log instead of being lost.
register_globals and magic_quotes_gpc were removed in PHP 5.4; on 5.4 and later
the two lines only produce a startup warning and can be dropped.
12. Restrict Apache Information Leakage
• sudo nano /etc/apache2/conf.d/security
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
• sudo /etc/init.d/apache2 restart
Notes: ServerTokens Prod reduces the Server header to just "Apache" and
ServerSignature Off drops the version footer from error pages; TraceEnable Off
disables the TRACE method (cross-site tracing). FileETag None plus Header unset
ETag stop the default inode-based ETag from leaking inode numbers. Header is a
mod_headers directive, so "a2enmod headers" must run first or the configuration
fails to load. The conf.d/security path is Apache 2.2; on 2.4 the file is
/etc/apache2/conf-available/security.conf, enabled with "a2enconf security".
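The two slides above say what to set but not how to prove it is set. The following shell script is an added example, not code from the slides: it reads a php.ini and an Apache config fragment with the same "last uncommented line wins" rule the real parsers use and reports any directive from slides 11 and 12 that is missing or wrong. The sample files it audits are constructed under mktemp; on a real host point audit_php_ini at /etc/php5/apache2/php.ini and audit_apache_conf at /etc/apache2/conf.d/security.

```shell
#!/bin/sh
# Added example (not from the original slides): offline audit of the php.ini
# and Apache directives on slides 11 and 12. Sample configs are constructed
# under mktemp so nothing in /etc is read or changed.

# ini_value FILE KEY: effective value of KEY in a php.ini-style file
# (comments start with ; or #, last assignment wins, quotes are stripped).
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)                  # trailing ; comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# apache_value FILE DIRECTIVE: last uncommented occurrence, name case-insensitive.
apache_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")              # drop directive name
            val = $0; found = 1
        }
        END { if (found) print val }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_php_ini FILE: 0 only if every slide-11 directive is present and Off
# and disable_functions lists all four names. PHP also accepts 0/no/false as
# Off; an unset directive keeps the built-in default (On for expose_php and
# display_errors), so unset counts as a failure.
audit_php_ini() {
    fail=0
    for key in expose_php display_errors track_errors html_errors \
               register_globals magic_quotes_gpc; do
        got=$(ini_value "$1" "$key")
        case $(lower "$got") in
            off|0|no|false) ;;
            *) echo "FAIL $key = '${got:-<unset>}' (want Off)"; fail=1 ;;
        esac
    done
    disabled=",$(ini_value "$1" disable_functions | tr -d ' \t'),"
    for fn in exec system shell_exec passthru; do
        case $disabled in
            *,"$fn",*) ;;
            *) echo "FAIL disable_functions does not list $fn"; fail=1 ;;
        esac
    done
    return $fail
}

# audit_apache_conf FILE: 0 only if all slide-12 directives are present.
audit_apache_conf() {
    fail=0
    for pair in ServerTokens=prod ServerSignature=off TraceEnable=off FileETag=none; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(lower "$(apache_value "$1" "$key")")
        [ "$got" = "$want" ] || { echo "FAIL $key = '${got:-<unset>}' (want $want)"; fail=1; }
    done
    # "Header" is only valid once mod_headers is loaded (a2enmod headers).
    grep -iqE '^[[:space:]]*Header[[:space:]]+unset[[:space:]]+ETag[[:space:]]*$' "$1" \
        || { echo "FAIL missing 'Header unset ETag'"; fail=1; }
    return $fail
}

# Constructed samples: a stock-looking config and one matching the slides.
TMPD=$(mktemp -d)
printf 'expose_php = On\ndisplay_errors = On\ndisable_functions =\n' > "$TMPD/weak.ini"
cat > "$TMPD/hard.ini" <<'EOF'
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
register_globals = Off
magic_quotes_gpc = Off
disable_functions = exec, system, shell_exec, passthru  ; slide 11
EOF
printf 'ServerTokens OS\nServerSignature On\n' > "$TMPD/weak.conf"
cat > "$TMPD/hard.conf" <<'EOF'
# ServerTokens Full   (commented out, so ignored)
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
EOF

for f in weak hard; do
    echo "== $f.ini";  if audit_php_ini "$TMPD/$f.ini"; then echo OK; fi
    echo "== $f.conf"; if audit_apache_conf "$TMPD/$f.conf"; then echo OK; fi
done
```

Both audit functions return non-zero on the first file and zero on the second, so they drop straight into a config-management check; the weak sample fails on every directive and on each of the four function names.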
15. How To Read the "/etc/passwd" File
root:x:0:0:root:/root:/bin/bash
1. root: Account username.
2. x: Placeholder for the password. The actual hash lives in "/etc/shadow"; a
hash stored here would be world-readable, since /etc/passwd must be.
3. 0: User ID. Each user has a unique ID that identifies them on the system. The
root user is always user ID 0, and any other account with UID 0 is equally root.
4. 0: Group ID of the user's "primary" group, used by default for new files.
The root group's ID is also 0.
5. root: Comment (GECOS) field. Free text describing the user or the user's
function, from contact details to the service the account was made for.
6. /root: Home directory. For regular users this is usually "/home/username";
for root it is "/root".
7. /bin/bash: Login shell, the program run when the user logs in. Service
accounts that must never log in interactively get /usr/sbin/nologin or
/bin/false here.
16. How To Read the "/etc/shadow" File
daemon:*:15455:0:99999:7:::
1. daemon: Account username.
2. *: Password field. A real entry holds the hash in "$id$salt$hash" form
(for example "$6$" for SHA-512 crypt). An asterisk or "!" means there is no
valid password, so the account cannot log in with one; "!" in front of a hash
is a locked account (usermod -L); an empty field means login with no password
at all.
3. 15455: Last password change, in days since the Unix "epoch", January 1, 1970.
4. 0: Minimum days between password changes. 0 means the user may change it at
any time.
5. 99999: Maximum password age in days. 99999 effectively means the password
never expires.
6. 7: Days of warning before expiration. When a maximum age is set, the user is
warned this many days in advance.
7. [blank]: Inactivity period, days after the password expires during which it
can still be changed before the account is disabled.
8. [blank]: Account expiry date, in days since the epoch; after it no login is
possible regardless of the password.
9. [blank]: Reserved for future use.
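Reading the two files by hand is what the slides teach; the checks a reviewer actually runs over them are the interesting part. The script below is an added example, not from the slides: it audits a passwd/shadow pair for a second UID-0 account, for accounts with a login shell and an empty shadow password, and for hashes older than a chosen age, using the field layouts above. The two files it reads are constructed inline with placeholder hashes and deliberately bad entries; on a real host pass /etc/passwd and /etc/shadow (reading the latter needs root).

```shell
#!/bin/sh
# Added example (not from the original slides): account audit over the
# /etc/passwd and /etc/shadow layouts described above. The files are
# constructed here, with placeholder hashes, so the script runs unprivileged.

# uid0_accounts PASSWD: every account whose UID (field 3) is 0. Only root
# should appear; a second UID-0 user is a classic persistence trick.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# passwordless_logins PASSWD SHADOW: accounts with an interactive shell whose
# shadow password field is empty, i.e. login succeeds with no password.
# "*" or "!" there locks the account; "!" before a hash is usermod -L.
passwordless_logins() {
    awk -F: '
        NR == FNR { shell[$1] = $7; next }              # first pass: passwd
        $2 == "" && shell[$1] !~ /(nologin|false)$/ { print $1 }
    ' "$1" "$2"
}

# today_days: today as days since 1970-01-01, the unit shadow field 3 uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# stale_passwords SHADOW MAXDAYS TODAY: accounts with a real hash (field 2
# starts with $) whose last change (field 3) is more than MAXDAYS days old.
stale_passwords() {
    awk -F: -v max="$2" -v today="$3" \
        '$2 ~ /^\$/ && today - $3 > max { print $1 }' "$1"
}

# Constructed sample files: "toor" is a second UID-0 account, "bob" has an
# empty shadow password with a login shell, "svc" has one but cannot log in.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:1002:1002:service account:/var/lib/svc:/bin/false
EOF
cat > "$TMPD/shadow" <<'EOF'
root:$6$placeholder$notarealhash:15455:0:99999:7:::
daemon:*:15455:0:99999:7:::
toor:$6$placeholder$notarealhash:15455:0:99999:7:::
alice:$6$placeholder$notarealhash:19000:0:99999:7:::
bob::15455:0:99999:7:::
svc::15455:0:99999:7:::
EOF

echo "UID 0 accounts:";          uid0_accounts "$TMPD/passwd"
echo "passwordless logins:";     passwordless_logins "$TMPD/passwd" "$TMPD/shadow"
echo "hashes older than a year:"; stale_passwords "$TMPD/shadow" 365 "$(today_days)"
```

The shell check in passwordless_logins matters: an empty password on an account with /usr/sbin/nologin is harmless for interactive login, while the same field on a /bin/bash account is an open door, so the audit joins the two files on the username rather than looking at /etc/shadow alone.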
22. Cont.
• cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
• cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
• sudo nano /etc/apache2/mods-available/mod-security.conf
Include "/etc/modsecurity/activated_rules/*.conf"
• sudo a2enmod headers
• sudo a2enmod mod-security
• sudo /etc/init.d/apache2 restart
Notes: the loops link every file, not only *.conf; that is intended, because the
.data word lists are referenced relative to each rule file that uses them.
Re-running the loops fails on links that already exist. Run
"sudo apache2ctl configtest" before the restart, since a broken rule set keeps
Apache from starting.
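The symlink loops on the slide are one-shot: a second run errors on existing links, and nothing confirms that every .conf can find the .data file it names. The script below is an added example, not from the slides: an idempotent activate_rules that links a rule directory into the activated directory, and a check_rules that reports dangling links and @pmFromFile targets that were not linked alongside their rule file. It runs against directories constructed under mktemp with a single made-up rule (not a real CRS rule); on a real host use the /etc/modsecurity paths the slide names.

```shell
#!/bin/sh
# Added example (not from the original slides): idempotent version of the
# slide-22 symlink loops plus a sanity check of the activated set. Runs
# against a constructed layout under mktemp, not /etc/modsecurity.

# activate_rules SRC_DIR DST_DIR: link every file in SRC_DIR into DST_DIR.
# Correct links are left alone, wrong ones replaced, so re-running is safe.
# Prints the number of links created or fixed.
activate_rules() {
    src=$1; dst=$2; made=0
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -e "$f" ] || continue                          # empty directory
        link="$dst/${f##*/}"
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$f" ]; then
            continue
        fi
        ln -sfn "$f" "$link"
        made=$((made + 1))
    done
    echo "$made"
}

# check_rules DST_DIR: report dangling links and .conf files whose @pmFromFile
# word lists are not linked next to them. The Include on the slide pulls in
# only *.conf; the .data files are resolved relative to each .conf, so a
# missing one makes ModSecurity fail to load the rule set. Prints the count.
check_rules() {
    dst=$1; bad=0
    for link in "$dst"/*; do
        [ -L "$link" ] || continue
        [ -e "$link" ] || { echo "dangling: $link" >&2; bad=$((bad + 1)); }
    done
    for conf in "$dst"/*.conf; do
        [ -e "$conf" ] || continue
        for data in $(sed -n 's/.*@pmFromFile[[:space:]]*\([^[:space:]"]*\).*/\1/p' "$conf"); do
            [ -e "$dst/$data" ] || { echo "$conf needs $data" >&2; bad=$((bad + 1)); }
        done
    done
    echo "$bad"
}

# Constructed layout with one made-up rule (not a real CRS rule).
BASE=$(mktemp -d)
mkdir -p "$BASE/base_rules" "$BASE/optional_rules"
cat > "$BASE/base_rules/modsecurity_crs_35_bad_robots.conf" <<'EOF'
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
    "id:1000001,phase:1,deny,msg:'scanner user-agent'"
EOF
printf 'nikto\nsqlmap\n' > "$BASE/base_rules/modsecurity_35_bad_robots.data"
printf '# optional rule placeholder\n' \
    > "$BASE/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf"

activate_rules "$BASE/base_rules"     "$BASE/activated_rules"
activate_rules "$BASE/optional_rules" "$BASE/activated_rules"
check_rules "$BASE/activated_rules"
```

On a host, the same call sequence is activate_rules /etc/modsecurity/base_rules /etc/modsecurity/activated_rules (with sudo), optionally the same for optional_rules, then check_rules on activated_rules before apache2ctl configtest; a non-zero count from check_rules is the problem the restart would otherwise surface.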