#!/usr/bin/env bash # This script requires TLS1.2 APACHE_BASE=$( httpd -S 2>&1 | awk '/ServerRoot/ {print $2}' | tr -d \") # Harden apache cp -p $APACHE_BASE/conf/httpd.conf $APACHE_BASE/conf/httpd.conf-pre-hardening cat <> $APACHE_BASE/conf/httpd.conf TraceEnable off RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] SSLFIPS On ServerTokens PROD ServerSignature off EOF # Disable unused modules if [ -d $APACHE_BASE/conf.modules.d ]; then sed -i.preHarden -e 's/^/###/g' $APACHE_BASE/conf.modules.d/00-dav.conf sed -i.preHarden -e 's/^/###/g' $APACHE_BASE/conf.modules.d/00-proxy.conf sed -i.preHarden -e 's/^/###/g' $APACHE_BASE/conf.modules.d/01-cgi.conf sed -i.preHarden -e 's/^Load.*\(authn_dbd\|authn_dbm\|authn_socache\|authz_dbd\|authz_dbm\|cache\|cache_disk\|cache_socache\|macro\|socache_dbm\|socache_memcache\)_module.*/###&/1' /etc/httpd/conf.modules.d/00-base.conf fi httpd -S 2>/dev/null | grep ":443" | awk '{print $NF}' | tr -d '[()]' | awk -F: '{print $1}' | while read c; do sed -i.preHardening -e 's/SSLProtocol.*/SSLProtocol -ALL +TLSv1.2/g' $c sed -i.preHardening2 -e 's/SSLCipherSuite.*/SSLCipherSuite \"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS !DH !3DES\"/g' $c done sed -i.preHardening -e 's/^expose_php.*/expose_php = Off/g' /etc/php.ini