User's guide

Protogate Freeway Security Features User’s Guide (SFUG) Chapter 6. Hardening a Freeway
Figure 6-5. Disabling SNMP
# For security: prevent snmp from running on this Freeway
if [ -x /usr/local/sbin/snmpd ]; then
    if [ -f /read_only_mounts ]; then
        mount -u -o rw /usr 2>/dev/null
    fi
    chmod ugo-x /usr/local/sbin/snmpd
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
6.6. Secure the Webserver
Figure 6-6 shows some adjustments to make the Freeway webserver more secure. These changes mostly adjust the
configuration of the webserver so that it divulges less information about itself and about the Freeway server. Of
course, if you don’t use the webserver, it is more secure not to enable it, so that it doesn’t run at all.
Figure 6-6. Webserver Security Enhancements
# For security:
# Add "ServerTokens Prod" line to Apache config, if not already there
# (AP_SCMD1 holds the first matching line, or is empty if there is none)
export AP_SCMD1="`sed -e \"/^[Ss][Ee][Rr][Vv][Ee][Rr][Tt][Oo][Kk][Ee][Nn][Ss] *[Pp][Rr][Oo][Dd]/!d\" \
    /usr/local/etc/apache22/httpd.conf |sed -e \"1!d\"`"
if [ "${AP_SCMD1}X" = "X" ]; then
    if [ -f /read_only_mounts ]; then
        mount -u -o rw /usr 2>/dev/null
    fi
    echo "ServerTokens Prod" >> /usr/local/etc/apache22/httpd.conf
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
# For security:
# Change any "ServerSignature On" line in Apache config to
# "ServerSignature Off"
# (AP_SCMD2 holds the first matching line, or is empty if there is none)
export AP_SCMD2="`sed -e \"/^[Ss][Ee][Rr][Vv][Ee][Rr][Ss][Ii][Gg][Nn][Aa][Tt][Uu][Rr][Ee] *[Oo][Nn]/!d\" \
    /usr/local/etc/apache22/httpd.conf |sed -e \"1!d\"`"
if [ ! "${AP_SCMD2}X" = "X" ]; then
    if [ -f /read_only_mounts ]; then
        mount -u -o rw /usr 2>/dev/null
    fi
    # Keep the previous config as httpd.conf.prev and write the edited copy
    mv /usr/local/etc/apache22/httpd.conf /usr/local/etc/apache22/httpd.conf.prev
    sed -e \
        "s/^[Ss][Ee][Rr][Vv][Ee][Rr][Ss][Ii][Gg][Nn][Aa][Tt][Uu][Rr][Ee] *[Oo][Nn]/ServerSignature Off/g" \
        /usr/local/etc/apache22/httpd.conf.prev > /usr/local/etc/apache22/httpd.conf
    if [ -f /read_only_mounts ]; then
        mount -u -o ro /usr 2>/dev/null
    fi
fi
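An added example, not part of the Protogate guide: a read-only check that confirms the result of Figures 6-5 and 6-6. The sed patterns above match only directives that start in column 0 and are separated by spaces, so this check also catches indented or tab-separated lines. It assumes a single flat httpd.conf (no Include files) and that the last ServerTokens line is the effective one; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: read-only audit of the settings from Figures 6-5 and 6-6.

# Returns 0 if the config passes, 1 if it fails, 2 if it cannot be read.
audit_httpd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    rc=0
    # Assumption: the last uncommented ServerTokens line is the effective one.
    tokens=$(awk 'tolower($1) == "servertokens" { v = tolower($2) }
                  END { print v }' "$conf")
    case "$tokens" in
        prod|productonly) ;;
        "") echo "FAIL: ServerTokens not set (Apache default is Full)"; rc=1 ;;
        *)  echo "FAIL: effective ServerTokens is '$tokens'"; rc=1 ;;
    esac
    # Any uncommented ServerSignature other than Off still emits a footer.
    bad=$(awk 'tolower($1) == "serversignature" && tolower($2) != "off" {
                   print "line " NR ": " $0 }' "$conf")
    if [ -n "$bad" ]; then
        echo "FAIL: ServerSignature not Off ($bad)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $conf"
    return "$rc"
}

# Returns 0 if the path is absent or carries no execute bit for anyone.
audit_not_executable() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld "$1" | cut -c2-10)   # permission bits without the type char
    case "$mode" in
        *[xst]*) echo "FAIL: $1 is still executable ($mode)"; return 1 ;;
    esac
    echo "PASS: $1 ($mode)"
}

# Constructed sample: a config that the Figure 6-6 script has not yet fixed.
sample=$(mktemp)
printf '%s\n' '# ServerTokens Prod' 'ServerTokens OS' \
    'serversignature  on' > "$sample"
audit_httpd_conf "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

On a Freeway, the same functions would be called as audit_httpd_conf /usr/local/etc/apache22/httpd.conf and audit_not_executable /usr/local/sbin/snmpd.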
Protogate DC-908-3004A 21