Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)

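This article describes in detail how to install and configure the Apache2 web server on RHEL 5.4 using the root account, including creating the account, installing the required RPM packages, compiling the source code, and setting file permissions.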

1. Login to the server using Root account.
2. Create a new account:
groupadd apache
useradd -g apache -d /dev/null -s /bin/false apache
3. Mount RHEL 5.4 DVD, and move to the RPM folder:
mount /dev/hdc /media
cd /media/Server
4. Before compiling the Apache environment, install the following RPMs:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
5. Copy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp
6. Move to /tmp
cd /tmp
7. Extract the httpd-2.2.15.tar.gz file:
tar -zxvf httpd-2.2.15.tar.gz
8. Move to the Apache source folder:
cd httpd-2.2.15
9. Run the commands below to compile the Apache environment:
./configure --prefix=/usr/local/apache2 --enable-so

make

make install
10. Remove the Apache source files:
rm -rf /tmp/httpd-2.2.15
rm -f /tmp/httpd-2.2.15.tar.gz
11. Remove Default Content
rm -rf /usr/local/apache2/cgi-bin
rm -rf /usr/local/apache2/htdocs
rm -rf /usr/local/apache2/icons
rm -rf /usr/local/apache2/man
rm -rf /usr/local/apache2/manual
rm -rf /usr/local/apache2/conf/extra
rm -rf /usr/local/apache2/conf/original
12. Updating Ownership and Permissions on Apache2 folders:
chown root:root /usr/local/apache2/bin/apachectl
chown root:root /usr/local/apache2/bin/httpd*
chmod 770 /usr/local/apache2/bin/apachectl
chmod 770 /usr/local/apache2/bin/httpd*
chown -R root:root /usr/local/apache2
chmod -R go-r /usr/local/apache2
chown -R root:root /usr/local/apache2/logs
chmod -R 700 /usr/local/apache2/logs
13. Create folder for the web content:
mkdir -p /www
14. Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
15. Edit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings:
From:
DocumentRoot "/var/www/html"
To:
DocumentRoot "/www"

From:
Listen 80
To:
Listen Server_FQDN:80

From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com

From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN

From:
LogLevel warn
To:
LogLevel notice

From:
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

From:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>

To:
<Directory />
Options None
AllowOverride None
Order deny,allow
deny from all
</Directory>

From:
<Directory "/usr/local/apache2/htdocs">
To:
<Directory "/www">
<LimitExcept GET POST>
deny from all
</LimitExcept>

From:
Options Indexes FollowSymLinks
To:
Options -FollowSymLinks -Includes -Indexes -MultiViews

16. Add the following sections to the end of the httpd.conf file:
ServerSignature Off
ServerTokens Prod
Timeout 60
# Maximum size of the request body.
LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
LimitRequestLine 500

17. Remove the sections below from the file httpd.conf:
<Directory "/usr/local/apache2/cgi-bin">
18. Edit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"

From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"

19. Starting Apache from command line:
/usr/local/apache2/bin/apachectl start
20. To start the Apache service at server start-up, edit the file /etc/rc.local using VI and add the line below:
/usr/local/apache2/bin/apachectl start
21. Uninstall the following RPMs:
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5
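
To check that the edits from steps 15 and 16 actually landed in httpd.conf, the following added example (not part of the original guide) audits a config file for the directive values listed in those steps. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an httpd.conf against the values from steps 15 and 16.

# True if an uncommented "NAME VALUE" line exists (httpd matches names case-insensitively).
has_directive() {
    grep -Eiq "^[[:space:]]*${2}[[:space:]]+${3}[[:space:]]*\$" "$1"
}

# Prints PASS/FAIL per check; exit status is the number of failed checks.
audit_httpd_conf() {
    conf=$1
    fails=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    while read -r name value; do
        if has_directive "$conf" "$name" "$value"; then
            echo "PASS  $name $value"
        else
            echo "FAIL  $name $value is not set"
            fails=$((fails + 1))
        fi
    done <<EOF
ServerSignature Off
ServerTokens Prod
Timeout 60
LimitRequestBody 10000
LimitRequestFields 40
LimitRequestFieldSize 4094
LimitRequestLine 500
LogLevel notice
EOF
    # Step 15: ScriptAlias must stay commented out.
    if grep -Eiq '^[[:space:]]*ScriptAlias[[:space:]]' "$conf"; then
        echo "FAIL  active ScriptAlias"
        fails=$((fails + 1))
    fi
    # Step 15: no Options line may enable these features (bare or "+" form).
    if grep -Ei '^[[:space:]]*Options[[:space:]]' "$conf" |
        grep -Eiq '[[:space:]]\+?(Indexes|FollowSymLinks|Includes|MultiViews)([[:space:]]|$)'; then
        echo "FAIL  Options enables Indexes, FollowSymLinks, Includes or MultiViews"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample of an unhardened config (not taken from the guide).
sample_conf() {
    printf '%s\n' 'ServerTokens Prod' 'Timeout 300' 'LogLevel warn' \
        'ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"' \
        'Options Indexes FollowSymLinks'
}
```

After sourcing the file, run `audit_httpd_conf /usr/local/apache2/conf/httpd.conf`; a zero exit status means every check passed.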


Previous guides:
Hardening guide for Apache 2.0 on Solaris 10 platform
How to implement SSL on Apache 2.0
