RailoInstallationonCentOSLinux6BestPractices

Purpose:
ThisdocumentisintendedforsystemadministratorswhowanttodeploytheirMuraCMS,Railo,Tomcat,andJRE
stackinasecurebuteasytofollowmanner.Thisdocumentisnotintendedtoguaranteefoolproofsecurity,but
ratherserveasasetofguidelinesforcommonsecuritymindedbestpractices.Itisimportantforthereaderto
understandthatnosystem,nomatterhowwellprotected,willeverbe100%guaranteedsecurehowever,by
followingthesesimpleguidelinesthereadercanensurethattheirsystemswilldeterthevastmajorityofcommon
intrusiontechniques.
Thisdocumentwillassumethatyou,thereader,willhavebasicknowledgeofinstallingCentOSLinuxandediting
fileswithinitusingtheeditorofyourchoice.

PreparingYourServer
1. StartWithaBlankSlate
ItisrecommendedthatyourbeginbyinstallingafreshcopyofCentOS6ontoyourserver.Thefreshcopy
oftheOperatingSystemwillensurethattherearenolingeringabnormalitiesinthesystemyou'llbe
installingyourRailostackonto.
ItisalsorecommendedthatyouperformaminimalinstallofCentOS,asitwillmeanthatonlythebare
minimumwillbeinstalledinitially.Anythingthatyouneedtoaddyoucanaddmanually.Thisalsomeans
thatyouwon'thaveanysuperfluousprogramsrunningorevenavailableontheserveritself,andagainit
willminimizetheinitialattackvectorsavailableonyourserver.

2. StartWithaVeryMinimalandRestrictiveFirewall
Duringtheinstallationprocess,theCentOSinstallerwillpromptyouifyouwanttoconfigureanyinitial
firewallrules.Itisrecommendedthatyoubothenablethefirewall,andonlyallowthemostbasicfirewall
exceptions,suchasSSHaccess(port21)andHTTPaccess(port80).Again,thiswillminimizetheattack
vectorsthatanattackercouldexploit.
Oncetheinitialminimalfirewallisconfiguredbytheinstallationprocess,youshouldonlyaddrulesas
absolutelynecessaryandifyoucan,addincomingIPAddressrestrictionsonthemsothatonly
connectionscomingfromapprovedrangeswillbeabletoconnect.Forexample,thefollowingrule(added
byeditingthe/etc/sysconfig/iptablesfilewhichwascreatedbytheinstallprocess)wouldrestrictwhocan
connecttoyourSSHporttoonlyaspecificClassCrangeofIPAddresses:
ARHFirewall1INPUTmstatestateNEWmtcpptcpdport22s192.168.254.0/24jACCEPT

Notethelineabove,thedportorDestinationPortisport22,whichisthedefaultSSHport.Next,note
theIPrangeweusedasanexamplehere,whichis192.168.254.0averycommoninternalnetwork
range.PleaseadjusttheallowedIPrangesasnecessaryforyournetwork.
Onceyou'veaddedoreditedthelinefortheSSHport22,don'tforgettorestarttheiptablesfirewallwiththe
followingcommand:
#/etc/init.d/iptablesrestart

or...
#serviceiptablesrestart

Whicheveryouprefer.

3. InstallAllAvailablePatches
Itisimportanttoinstallallavailablepatchesassoonaspossibleonyournewsystem.Youcanpatchthe
systemmanuallywiththefollowingcommands:
#yumyupgradeyum
#yumyupgrade

AslongasyoursystemhasaccesstotheInternetandisabletodownloadfilesfrompublicrepositories,
YUMwillgodownloadallthelatestpatchesthatareavailableforyoursystem.
ThefirstcommandupdatestheYUMprogramitself.ThenextlinetellsYUMtograballotheravailable
updates.BecauseYUMitselfwasjustupdated,itshouldhavethemostrecentpatchinginformation
availabletoit.

4. ConfigureAutomaticOSPatching
Nowthatthesystemisallpatchedup,weneedtoconfigureaprocessthatwillrunthosesameupdates
onaregularbasis.Iwouldrecommendnightlyforthemostuptodatepatching.Also,ifyourunnightly,
chancesaregoodthatthepatchdownloadwillbequickandsmalleverytime.

Todothis,wefirstneedtocreateashellscriptusingthetexteditorofourchoice.Let'scallit
yumupdate.sh.Now,weneedtoaddthefollowingcommandstoit:
#!/bin/bash
/usr/bin/yumyupgradeyum
/usr/bin/yumyupgrade

Onceyou'veaddedthoselines,savethefileandplaceitineitherofthefollowingdirectories:
/etc/cron.daily/yumupdate.sh
/etc/cron.weekly/yumupdate.sh

Justtobeclear,filesplacedincron.dailywillberuneveryday,andfilesplacedincron.weeklywillberun
eachweek.Theexacttimethateachareexecutediscontrolledbythe/etc/crontabfile,whichyoucanalso
customizeasneeded.
InstallMinimalApacheModules
AsApachewillmostlikelybeyourmostprominentandmostimportantpublicfacingserver,itisagood
ideatokeepitassimpleaspossibletokeepattackvectorsataminimum.Don'tinstallmodulesthat
you'renotsureyou'lluse,suchasPHP,userdirectorysupport,orCGIBINsupport.
HideApacheVersionNumber
YoucantellApachetohideitsversionnumberbymodifyingtheServerTokensattributeinthemain
Apacheconfigfile(httpd.confinRHEL/CentOSorapache2.confinDebian/Ubuntu):
ServerTokensProd
SettingthisvaluewillcauseApachesimplytoreportApacheandnotincludeaversionnumber.
Youcanalsodisabletheserversignature,whichisdeisplayedatthebottomofanyerrormessages
Apachegenerates,byusingthefollowingparameter:
ServerSignatureOff

5. AdditionalSuggestionsfortheSecurityMinded
a. RunSSHonanonstandardport(insteadofport22)
b. LeaveSELinuxenabledandcreaterulestoallowRailotofunctionthroughit(PeteFreitag/
FoundeocanprovideadditionalassistanceingettingSELinuxworkingwithRailo)

UsingtheRailoInstaller
1. ConsideraNonStandardInstallationDirectory
ThestandardinstallationdirectoryforRailois/opt/railo/.Ifanattackerknowsthistheycancraftattacks
basedoffthatinformation.Forexample,attackswhichuseparentdirectorytraversalmechanisms,such
as../../opt/railo/intheURLs.Anonstandardinstallationdirectorywillsimplymakeyourserverless

vulnerabletocustomizedattacks.Maybesomethingunpredictablelike/railo042178/or
/opt/cfml/server/railorocks/
Thedownsideofthisisthatdocumentationisoftenwrittenwiththedefaultsinmind,andmanyexamples
arebasedonthedefaults.Asareader,youwillberequiredtointerpolatethedefaultdocumentationfor
yourownspecificenvironment.

2. BeCreativeWithYourDedicatedRailoSystemUser
Itisfarmoredifficulttobruteforceausernameandpasswordcombinationifanattackerhasnoidea
wheretobeginwithausername.Tothatend,becreativewhenyoupickausernameforyournewRailo
installation.Donotuseobvioususernamessuchasadminorrailo,butstillkeepitrecognisableand
memorable.Forexample,youcouldcallyournewRailousertheflash,afterthespeedybutfictional
superherocharacter.Youknow...becauseherunsfast.

3. ConsiderUsingaPhraseasaPassword
Usingphrasesaspasswordsisnotanewidea,butitispossibletodowithRailoandisaprovenmethod
foraddressingbruteforcepasswordbreakinsaswellasmakesiteasytorememberaspecific
password.Forexample,considerthefollowingpassphrase:
Ialwaysthoughtaboutgetting1butIneverdid!
Thisphrasemakesanexcellentpassword.Asfarasnumberofcharactersgoes,it'sawhopping49
characterslong.Itcontainsamixofupperandlowercaseletters,numbers,andspecialcharacters.Inthe
worldofpasswords,thiseasytorememberphraseisabehemoth,andveryunlikelytobebruteforced
unlesssomeoneknewyouwereusingaphraseandspecificallytargetedthatkindofapassphrase.At
thetimeofthiswriting,mostbruteforceattacksdonotspecificallytargetfullphrases.
Evenifyoudon'tdecidetouseaphraseasapassword,it'sagoodideatouseasmanycharactersas
youcanrememberandmixitupwithletters(mixedcase),numbers,andspecialcharacters.

LockingDownYourRailoStack
1. OpenPort8888OnlytoaSpecificIPPort8888inadefaultRailoInstallerconfigurationistheTomcat
webserverport.ThisportisusedasthedefaultaccesspointfortheRailoServerAdministrator.Asthe
serveradministrator,youwilllikelyaccessthisURLinordertoimplementserverwidepolicyforyourRailo
server.
RestrictaccesstothisporttoonlyasingleIPviatheCentOSfirewallbyeditingthe/etc/sysconfig/iptables
fileandaddingalinesimilartothefollowing:
ARHFirewall1INPUTmstatestateNEWmtcpptcpdport8888s192.168.254.250jACCEPT

Asbefore,editthesourceIPaddressbychanging192.168.254.250towhateverisappropriateforyour
network.

2. DoNotOpenPorts8005(Shutdown)or8009(AJP)tothePublic

TheRailo4BETA3andnewerinstallerswillusemod_proxy_htmlbydefault,sotheAJPport8009,while
available,isnotusedbydefault.IfyouneedtoopentheAJPporttoanexternalwebserverinorderto
connecttoitfrommod_proxy_ajpormod_jk,thenitisrecommendyouonlyopenport8009totheIP
addressofthewebserverthatneedstoconnecttoit.Youcanuseafirewalllinesimilartotheexample
aboveandchangetheportandIPtomatchyournetwork.
TheTomcatShutdownport8005bydefaultshouldnotbeopentothepublic.Itisrecommendedthat
youonlyinitiateTomcatshutdowncommandsfromthelocalconsole.

3. BlockAccesstoRailoAdministratorsThroughApache
InyourApachehostconfigurationforthesiteorsitesyouwillbeservingthroughApacheandRailo,you
canaddthefollowinginordertodenyaccesstoallbutapprovedIP's:
<Location/railocontext/admin>
Orderdeny,allow
Denyfromall
Allowfrom192.168.254.250
Allowfrom127.0.0.1
</Location>

ThissameconceptcanbeimplementedtodenyaccesstotheMuraAdministrator.Ifassetsinthe
railocontextarenotneeded(egcfformjavascript),thenyoumayblocktheentire/railocontext/insteadof
justtheadministrator.

4. LockdownApacheandRailoUsers
TheuseraccountsthatRailoandApacherunasshouldberestrictedsuchthattheyonlyhavetheabilityto
dowhattheapplicationrequiresandnothingmore.Thedefaultshellshouldbespecifiedto
/sbin/nologinpreventloginoverssh.
Filesystempermissionsshouldberestrictedaswell,ApacheorRailowilltypicallyonlyneedread
permissionformostfilesinthewebroot.Theexecutepermissionmayberequiredondirectories.
RailoandApacheshouldnotbesetuptorunundertherootaccount.

5. EnsuretheJVMisuptodate
EnsurethattheJVMversionyouareusingcontainsallknownsecuritypatches.

6. AdditionalSuggestionsfortheSecurityMinded:
a. CreateanadditionalApachebasedpassword(.htpasswd)forsensitiveareas.
b. ForcetheuseofSSLwhenaccessingtheAdministrators
c. DisguiseRailobyeitherusingfullSESURL'sorbyreplacingtheextensiontosomethingother
thenaCFMLrelatedextension.IE:renameyour.cfmfilesto.phpandpass.phpfilesofftoRailo
forprocessing.

d. EnsurethattheumaskhasbeenspecifiedappropriatelyintheTomcat/Railostartupscriptto
preventitfromcreatingfileswithmorepermissionthannecessary.

e. Considersettingupauditingwithauditd

f. IftheTomcat/ApacheAJPconnectorisusedspecifyasharedsecret.
g. Removeanyservlet/filtermappingsfromweb.xmlthatarenotrequired.

LockingDownRailoServer
1. DisablePublicDebuggingErrorOutput
TodisabledetailederrormessagesinRailo,logintotheRailoserveradministratorandgotoSettings
Errorandselecterrorpublic.cfmfromthedropdownoptions.Thiswillonlydisplayanextremely
genericanduninformativeerrormessagetotheendusers.
Ifyoulike,youcancustomisetheseerrortemplatestosendanemailofftoyourdevelopmentteam,
informingthemthatanerroroccurredandpossiblygivingthemmoredetailsabouttheerror.

2. EnsureAllAdministratorsforAllContextsHavePasswordsAssignedandUseCaptcha
IntheRailoServerAdministrator,gotoSecurityPassword.Fromthisscreenyoucansetthe
passwordsofallexistingwebcontextsandenablecaptchastopreventbruteforcingpasswordbreaking
attemptsonyourRailoServer&WebAdministrators

3. ReduceRequestTimeoutsasLowasPossible
TochangetheRequestTimeoutvalue,logintotheRailoserveradministratorandgotoSettings
ApplicationRequestTimout.Itisrecommendedyouchangeitfrom50secondstoabout10orso.
Experimentwiththistomakesuretherequesttimeoutsdonoteffectneededfunctionalitythatmayexistin
yourapplication.

4. EnsureRailo'sScriptProtectfeatureisenabled
Railo'sbuiltinScriptProtectfeatureisdesignedtoprotectyoursitefromcrosssitescriptingattacks.
ScriptProtectwillautomaticallyfilterdangeroustagsinincomingvariablescopeslikeCGI,cookie,form,
andURLscopes.

ToensureRailo'sScriptProtectfeatureisenabled,logintotheRailoserveradministratorandgoto
SettingsApplicationScriptProtectandensureit'ssettoall.
Note:Thissettingdoesnotprovidecomprehensivecrosssitescriptingprevention,additionalstepsmust
betakeninyourcustomsourcecodetoalleviaterisk.

5. AvoidUsingSystemHeavyClientVariables
Instead,trytokeepasmanyvariablesaspossiblesessionbased,sotheyexpireandareremovedwhen
thesessionexpires.

6. SetSessionTimeoutstoasLowasPossible
ThishelpsfreeupRAMandpreventssomeformsofDoSattacks.Youcanconfiguresessiontimeout
valuesgloballyintheRailoServerAdministratorSettingsApplicationscreen.

7. KeepDatasourcePermissionsSimple
Ifyoucan,onlyenableSELECT,INSERT,UPDATE,andDELETEpermissions.Thiswillalmostnullify
SQLinjectionattacks.WhatcommandsareacceptedbyRailoisconfigurableforeachDSN,andis
controlledwhenyoucreateoreditaDSN.

8. UseaSeparateDBUserforEachDSN
IsolatingyourDatabaseuserswillhelpmitigateattacksshouldasitebefoundvulnerable.Forexample
shouldaSQLinjectionattackoccurinonesite,theattackerwillonlyhavegainedthepowersofthesingle
Databaseuseraccountandwouldonlyhaveaccesstothesitesanddataforthatsitenotanyothersites
thatmaybepresentonthesystem.

9. ConsiderUsingaWebApplicationFirewall(likeFuseGuard)
WebApplicationFirewallsareexcellentatdetectinganddeterringattacksonasystem.HighqualityWeb
ApplicationFirewallsalsohavetheabilitytologattackstoletyouknowwhatkindofattacksarebeing
directedatyourservers,soyoucanbetterprepareyourdefenses.WebApplicationFirewallsarewell
worththeirinitialinvestment.
AdditionalinformationonFuseGuardcanbefoundatthisURL:
http://foundeo.com/security/

Thisdocumentpreparedby::
JordanMichaels(jordan@getrailo.org)
PeteFreitag(pete@foundeo.com)
MattLevine(matt@blueriver.com)