Fincer
/
linux-server-setup
mirror of https://github.com/Fincer/linux-server-setup
1
0
Fork 0
Code Issues 0 Projects 0 Releases 0 Wiki Activity
Instructions to set up a basic LAMP+SSH server environment
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
95 Commits
1 Branch
9.6 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
linux-server-setup/exercises/h4.md

867 lines
43 KiB
Raw Permalink Normal View History

H4: Fix typo
5 years ago
Initial commit
5 years ago
Update texts
5 years ago
Initial commit
5 years ago
H4: Update text
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update text
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update document - Apache stuff
5 years ago
H4: Update title
5 years ago
H4: Update text
5 years ago
H4: Update document - Apache stuff
5 years ago
H4: Add more Apache stuff
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update text
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update text
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update text
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
Update H4
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
Update H4 instructions
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
Update H4
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Add more Apache stuff
5 years ago
H4: Update document - Apache stuff
5 years ago
H4: Add more Apache stuff
5 years ago
H4: clean-up + add more info about deb-src
5 years ago
H4: Add more Apache stuff
5 years ago
H4: Update title
5 years ago
H4: Disable userdir for 'nobody' to reduce offensive attack vector
5 years ago
H4: Add more Apache stuff
5 years ago
H4: Disable userdir for 'nobody' to reduce offensive attack vector
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: More about 'w00tw00t' scanning tech
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
H4: Update text
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
Initial commit
5 years ago
linux_server_setup -> linux-server-setup
5 years ago
Initial commit
5 years ago
H4: Update text & syntaxes
5 years ago
 
  1. Linux servers - Exercise 4
  2. ==============
  3. 

  4. *Disclaimer:*
  5. --------------
  6. 

  7. This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer).
  8. 

  9. *Table of contents:*
  10. --------------
  11. 

  12. - [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment)
  13. 

  14.     - [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions)
  15. 

  16.     - [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-delete-suggestive-http-error-code-messages-from-apache-html-output-by-updating-apache-source-code)
  17. 

  18.     - [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
  19. 

  20.     - [EXTRA: Additional protection by fine-tuning Apache HTTP headers](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-fine-tuning-apache-http-headers)
  21. 

  22.     - [EXTRA: Additional protection by enabling ModSecurity module in Apache](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-enabling-modsecurity-module-in-apache)
  23. 

  24. - [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
  25. 

  26. - [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance)
  27. 

  28. - [d) **Transferring website files** Create a set of websites on your local computer and copy the sites to your web server with scp command.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#d-create-a-set-of-websites-on-your-local-computer-and-copy-the-sites-to-your-web-server-with-scp-command)
  29. 

  30. - [e) **PHP website** Set up a simple PHP webpage on your web server. For instance, you can print a remote address of the user ( $_SERVER['REMOTE_ADDR'] ) etc. Be careful if you use input forms of any kind.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#e-set-up-a-simple-php-webpage-on-your-web-server-for-instance-you-can-print-a-remote-address-of-the-user--_serverremote_addr--etc-be-careful-if-you-use-input-forms-of-any-kind)
  31. 

  32. --------------
  33. 

  34. **a)** Make it possible to create home pages with normal user privileges in your virtual server environment.
  35. --------------
  36. 

  37. **Answer:**
  38. 

  39. Virtual server IP address is `174.138.2.190`. The server is hosted on [DigitalOcean](https://www.digitalocean.com/community/tutorials/how-to-create-your-first-digitalocean-droplet) which provides hosting services for users. Ubuntu 16.04 LTS (without DE) is used as a server platform.
  40. 

  41. Ubuntu distribution hosted on DigitalOcean has custom configurations compared to Canonical version of clean Ubuntu environment. For instance, DigitalOcean has predefined different repository sources in package manager sources file `/etc/apt/sources.list` (http://mirrors.digitalocean.com/ubuntu/) and has customized configuration for Apache web server by default. Can you trust these repositories and predefined configurations as a system administrator? Can you be sure the program source codes are "clean" and do not contain malicious code patches? Are the used package repositories updated and which flags have been used to compile the binary software available there? What differences are there between the official Canonical and DigitalOcean repositories?
  42. 

  43. It is good to stop to think the previous issues before looking for a third party hosting service for your server environment. Do available markets have better virtual hosting service providers and in which criteria? In small business, it can be safer to hold all the aces and set up a minimal self-hosted server using a computer (suited for your needs) such as Raspberry Pi and claim a Domain name for it from a DNS provider. If you do larger business, you need to consider your server capacity again. It can be more profitable and comfortable to buy some server space from a virtual hosting server provider.
  44. 

  45. Of course, if you ever want to, you can install the server environment from scratch using rolling releases such as Arch Linux, Gentoo or 'Linux from Scratch'. However, this is not recommended approach in server environments requiring system stability over newer software. The downside is that some new features or bug/security fixes may not be implemented in older software, so keep that in mind. Some major project, however, backport security fixes to older software versions, too.
  46. 

  47. Anyway,
  48. 

  49. **1.** Do initial configuration for your server following the guide by Tero Karvinen:
  50. 

  51. [Tero Karvinen - First Steps on a New Virtual Private Server – an Example on DigitalOcean and Ubuntu 16.04 LTS](http://terokarvinen.com/2017/first-steps-on-a-new-virtual-private-server-an-example-on-digitalocean)
  52. 

  53. **2.** Connect to your new virtual private server once you have set it up. I use a predefined user name `newuser` in my server environment:
  54. 

  55. ```
  56. phelenius@my-machine:~$ ssh newuser@174.138.2.190
  57. newuser@174.138.2.190's password: 
  58. Welcome to Ubuntu 16.04.3 LTS (GNU/Linux x86_64)
  59. 

  60.  * Documentation:  https://help.ubuntu.com
  61.  * Management:     https://landscape.canonical.com
  62.  * Support:        https://ubuntu.com/advantage
  63. 

  64.   Get cloud support with Ubuntu Advantage Cloud Guest:
  65.     http://www.ubuntu.com/business/services/cloud
  66. 

  67. 7 packages can be updated.
  68. 0 updates are security updates.
  69. 

  70. 

  71. Last login: Tue Feb 13 14:49:24 2018 from XXX.XXX.XXX.XXX
  72. newuser@goauldhost:~$ 
  73. ```
  74. 

  75. **3.** Open default SSH TCP port 22 in your firewall:
  76. 

  77. **NOTE:** Default policy for Ubuntu firewall is to deny/drop all input connections so we need to allow traffic into protocol/daemon specific ports to open up communication between this server and clients.
  78. 

  79. ```
  80. newuser@goauldhost:~$ sudo ufw allow 22/tcp && sudo ufw enable
  81. ```
  82. 

  83. Once you have established SSH connection to your remote server, install `apache2` package and open port `80` for it by doing the following:
  84. 

  85. ```
  86. newuser@goauldhost:~$ sudo apt-get install apache2 && sudo ufw allow 80/tcp
  87. ```
  88. 

  89. **4.** Enable Apache `userdir` module:
  90. 

  91. ```
  92. newuser@goauldhost:~$ sudo a2enmod userdir
  93. ```
  94. 

  95. **5.** Some PHP and userdir module related configurations seem to be predefined in packages provided on DigitalOcean server environment (such as `#` symbols in `/etc/apache2/mods-enabled/php7.0.conf` in order to enable PHP for user sites), unlike stated in [Exercise 3](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h3.md).
  96. 

  97. **6.** Restart Apache HTTP daemon (HTTPD) after enabling `userdir` module:
  98. 

  99. ```
  100. newuser@goauldhost:~$ sudo systemctl restart apache2.service
  101. ```
  102. 

  103. Recheck HTTP daemon state (should return `active`):
  104. 

  105. ```
  106. newuser@goauldhost:~$ systemctl is-active apache2.service
  107. ```
  108. 

  109. If everything seem to be running and working you can try to establish connection to the HTTP daemon server using **your local computer** (do not try this in your virtual private server environment but with an external client computer):
  110. 

  111. ```
  112. phelenius@my-machine:~$ xdg-open http://174.138.2.190:80
  113. ```
  114. 

  115. The IP address here refers to the virtual private server IP address.
  116. 

  117. **7.** If the connection test is successful, you should see something similar to this picture:
  118. 

  119. ![apache2-defaultpage](https://www.dedyprastyo.com/wp-content/uploads/2017/10/Install-Apache-di-Ubuntu-17.04-www.dedyprastyo.com_-400x400.jpg)
  120. 

  121. Let's get back to the virtual server environment in our SSH session.
  122. 

  123. **8.** We should hide any extra server information which is visible for clients. Add the following lines in `/etc/apache2/apache2.conf` (with sudoedit):
  124. 

  125. ```
  126. TraceEnable Off
  127. ServerSignature Off
  128. ServerTokens Prod
  129. ```
  130. 

  131. Description of these lines [here](https://www.petefreitag.com/item/419.cfm).
  132. 

  133. Restart Apache HTTP daemon (web server):
  134. ```
  135. newuser@goauldhost:~$ sudo systemctl restart apache2.service
  136. ```
  137. 

  138. **9.** Create a new user `monkey` (finnish: apina). We do not add this user to `sudo` groups, therefore denying all root access for this user:
  139. 

  140. ```
  141. newuser@goauldhost:~$ sudo adduser monkey
  142. ```
  143. 

  144. or equivalently:
  145. 

  146. ```
  147. newuser@goauldhost:~$ sudo useradd --create-home --shell /bin/bash --user-group --uid 1006 --comment "Monkey account" --password "insert_password_here" monkey
  148. ```
  149. 

  150. where
  151. 

  152. - `/bin/bash` is the default shell for the new user
  153. 

  154. - `1006` is the UID number for the new user. Feel free to change
  155. 

  156. - `"Monkey account"` is so called "friendly" name of the account (usual syntax is: `first name surname`)
  157. 

  158. - `"insert_password_here" is the password for the new user`
  159. 

  160. - `monkey` is the (system) name for the new user
  161. 

  162. **NOTE:** Not all Linux distributions ship with executable (wrapper) script `adduser`. In this case, either `adduser` must be installed or more primitive (but default/standard) command `useradd` should be used instead.
  163. 

  164. Now, change to the default shell of user `monkey` (you can check it by executing: `grep monkey /etc/passwd`):
  165. 

  166. ```
  167. newuser@goauldhost:~$ su monkey
  168. Password: 
  169. monkey@goauldhost:/home/newuser$ cd
  170. monkey@goauldhost:~$ mkdir public_html
  171. ```
  172. 

  173. Therefore we have created a new home site folder for the user `monkey`. Contents of this folder should be available like shown in the following picture:
  174. 

  175. ![monkeysite-samplepic](https://github.com/Fincer/linux-server-setup/blob/master/images/apina-site.png)
  176. 

  177. **NOTE:** As you can see, Apache doesn't give any server information in the website view, thanks for the configurations done in step 8 above.
  178. 

  179. User `monkey` can add any content to his/her personal site. By default, Apache looks for any of the following files, defined in `/etc/apache2/mods-available/dir.conf` (symbolic link in folder `/etc/apache2/mods-enabled/dir.conf`):
  180. 

  181. ```
  182. newuser@goauldhost:~$ ls -l /etc/apache2/mods-enabled/dir.conf
  183. lrwxrwxrwx 1 root root 26 Feb  8 10:40 /etc/apache2/mods-enabled/dir.conf -> ../mods-available/dir.conf
  184. newuser@goauldhost:~$ cat /etc/apache2/mods-enabled/dir.conf |grep -i directoryindex | awk '{$1 = ""; print $i}'
  185.  index.html index.cgi index.pl index.php index.xhtml index.htm
  186. ```
  187. 

  188. Permissions of folder `$HOME/public_html` of the user `monkey` are as follows:
  189. 

  190. ```
  191. monkey@goauldhost:~$ stat -c "Owner: %U (user), %G (group), perms: %a // %A" $HOME
  192. Owner: monkey (user), monkey (group), perms: 775 // drwxrwxr-x
  193. ```
  194. 

  195. or alternatively:
  196. 

  197. ```
  198. monkey@goauldhost:~$ ls -l
  199. total 4
  200. drwxrwxr-x 2 monkey monkey 4096 Feb 13 15:35 public_html
  201. ```
  202. drwxrwxr-x
  203. 123456789 10
  204. 

  205. d = directory
  206. r = read (value 4)
  207. w = write (value 2)
  208. x = execute (value 1)
  209. 

  210. where 
  211. ...symbols 2-4 (rwx) indicate permissions of the user `monkey` to the folder
  212. ...symbols 5-7 (rwx) indicate permissions of the (primary) group where the user `monkey` belongs to. In this case, the group is `monkey`
  213. ...symbols 8-10 (r-x) indicate permissions granted for other system users to the folder
  214. 

  215. Permissions can be written in numeric form but also in symbolic form. For instance,
  216. 

  217. ```
  218. 775 = rwxrwxr-x (4+2+1, 4+2+1, 4+1)
  219. ug=rwx,o=rx => rwxrwxr-x
  220. ```
  221. 

  222. Take a look on the following links to get more information about Unix permissions:
  223. 

  224. - [Arch Wiki - File permissions and attributes](https://wiki.archlinux.org/index.php/File_permissions_and_attributes)
  225. 

  226. - [Wikipedia - Notation_of_traditional_Unix_permissions](https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions)
  227. 

  228. - [Arch Wiki - umask](https://wiki.archlinux.org/index.php/Umask)
  229. 

  230. Changing permissions is recommended to be done in symbolic mode because individual permissions can't be as flexibly be changed in numeric mode.
  231. 

  232. `ls` command shows user (`monkey`) first after which group (`monkey`) is shown.
  233. 

  234. The folder is accessible in public network via address `http://174.138.2.190:80/~monkey/`
  235. 

  236. You can change above defined permissions with `chmod` command.
  237. 

  238. - Numeric form: `chmod 775 ~/public_html`
  239. 

  240. Symbolic form: `chmod ug=rwx,o=rx ~/public_html`
  241. 

  242. **NOTE:** You can change permissions recursively using `-R` parameter (`chmod -R ...`)
  243. 

  244. ### EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions

  245. 

  246. Including Server field in HTTP header by Apache HTTP daemon (web server) is debated. [HTTP/1.1 standard specification](https://tools.ietf.org/html/rfc2616#page-141) states the following:
  247. 

  248. > Note: Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.

  249. 

  250. **NOTE:** Apache must be compiled from source code.
  251. 

  252. Removal of Server field from HTTP header is debated in Apache developers' community (The key question here: does removal of the field actually improve any security?). More about this topic: [StackoverFlow (Can't remove Server: Apache header)](https://stackoverflow.com/questions/35360516/cant-remove-server-apache-header).
  253. 

  254. **NOTE:** The following method does not work with automatic system updates via package repositories (usage of `sudo apt-get update` and `sudo apt-get upgrade` commands) because the patches binary files would be replaced by ones available in the official repositories. Therefore, each time you want to update your Apache server, you need to recompile it from source applying the patch file provided in this GitHub repository. **This method can be troublesome for system administration or contain unaccepted policy in your company. Consider using Puppet/Ansible/Chef/SaltStack or any relevant management to automate method described here.**
  255. 

  256. **NOTE:** You must be aware what you are doing each time you compile software from source. Trust the source, trust the patch files (suffixes `.diff` and `.patch`) and do not do anything that can lead to unknown or troublesome bugs, malicious code execution or create new security risks.
  257. 

  258. **NOTE:** We are unable to sign the package with the official maintainer key because we update Apache with our specific patch file and compile the software ourselves. Therefore we ignore any signing requirements in `dpkg-buildpackage` command (or alternatively we can use our own keys).
  259. 

  260. **NOTE** Consider any policy that determines your production and/or server environment requirements. For instance: Am I allowed to install software from source code? Does my method break a (critical) component in working server environment? Etc.
  261. 

  262. **NOTE: Again. Know exactly what you are about to do. As a system administrator you hold responsibility here. Do not get fired.**
  263. 

  264. We have already improved security of our Apache web server by removing critical information sent to client. However, the server still gives information about its name as follows:
  265. 

  266. ```
  267. newuser@goauldhost:~/source_codes/apache2$ curl -I http://localhost
  268. HTTP/1.1 200 OK
  269. Date: Sat, 17 Feb 2018 13:27:11 GMT
  270. Server: Apache
  271. Content-Type: text/html;charset=UTF-8
  272. ```
  273. 

  274. We want to remove field `Server: Apache`. Multiple approaches were tested (such as `modsecurity2` module and writing line `Header unset Server` into file `/etc/apache2/apache2.conf`) without success. Therefore I ended up patching the source code of Apache web server so that the wanted field can really be removed.
  275. 

  276. Download Apache source code on your Debian-based Linux distribution:
  277. 

  278. ```
  279. mkdir -p ~/source_codes/apache2 && cd ~/source_codes/apache2 && \
  280. apt-get source apache2
  281. 

  282. ```
  283. 

  284. --------------------------
  285. 

  286. **NOTE:** If you get the following error:
  287. 

  288. ```
  289. Reading package lists... Done
  290. E: You must put some 'source' URIs in your sources.list
  291. ```
  292. 

  293. then just 1) uncomment all `deb-src` lines in `/etc/apt/sources.list` file, 2) remove duplicate entries and 3) update databases by issuing the following command sequence:
  294. 

  295. ```
  296. sudo sed -i 's/^# deb-src/deb-src/g' /etc/apt/sources.list && \
  297. cat /etc/apt/sources.list | awk '!x[$0]++' | sudo tee /etc/apt/sources.list && \
  298. sudo apt-get update
  299. 

  300. ```
  301. 

  302. --------------------------
  303. 

  304. After downloading the source add [source code patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_servertokens.patch) into created `$HOME/source_codes/apache2` folder.
  305. 

  306. **NOTE:** I have personally created the patch file with Unix tool `diff`. The patch file is not downloaded from any suspicious website. You can always check & analyse the patch file code yourself if still hesitating.
  307. 

  308. If you have a working Apache HTTP daemon (web server) environment on your Linux, please check the version of your Apache software version with the following command before compiling & installing a custom-patched Apache version:
  309. 

  310. ```
  311. dpkg -s apache2 |grep -i version
  312. 

  313.  Version: 2.4.18-2ubuntu3.5
  314. ```
  315. 

  316. In that way we can be sure version of the downloaded source code matches with our already-installed/existing Apache environment.
  317. 

  318. Once you have downloaded the source code, go to the following folder (which contains the code):
  319. 

  320. ```
  321. cd ~/source_codes/apache2/apache2-2.4.18/
  322. ```
  323. 

  324. Implement the patch file changes into the Apache source code in your current working directory `~/source_codes/apache2/apache2-2.4.18`:
  325. 

  326. ```
  327. patch -Np1 -i < ../patch_apache_servertokens.patch
  328. ```
  329. 

  330. Before compiling Apache web server, you must install the following build time dependencies:
  331. 

  332. ```
  333. sudo apt-get install debhelper libaprutil1-dev libapr1-dev libpcre3-dev zlib1g-dev libssl-dev liblua5.1-0-dev libxml2-dev autotools-dev build-essential libnghttp2-dev liblua5.2-dev
  334. ```
  335. 

  336. Compile and install the Apache web server in your current working directory `~/source_codes/apache2/apache2-2.4.18`:
  337. 

  338. ```
  339. dpkg-buildpackage -rfakeroot -b -us -uc
  340. ...
  341. <compiling source code>
  342. ...
  343. <source code compiled and archived as new deb packages>
  344. ```
  345. 

  346. If Apache HTTP daemon is running, stop it:
  347. 

  348. ```
  349. sudo systemctl stop apache2.service
  350. ```
  351. 

  352. It is essential to check which apache2 packages have been installed into the target system. We want to install only specific deb packages already found in the system, as multiple deb packages have been compiled by the previous command. All found Apache2 packages in the system should be replaced by the ones compiled from the Apache2 source code. 
  353. 

  354. System has the following Apache2 packages:
  355. 

  356. ```
  357. dpkg --get-selections |grep apache | awk '{print $1}'
  358. 

  359. apache2
  360. apache2-bin
  361. apache2-data
  362. apache2-utils
  363. libapache2-mod-php
  364. libapache2-mod-php7.0
  365. ```
  366. 

  367. Then we compare the above list to the compiled deb packages:
  368. 

  369. ```
  370. ls ~/source_codes/apache2 |grep deb
  371. 

  372. apache2_2.4.18-2ubuntu3.5_amd64.deb
  373. apache2_2.4.18-2ubuntu3.5.debian.tar.xz
  374. apache2-bin_2.4.18-2ubuntu3.5_amd64.deb
  375. apache2-data_2.4.18-2ubuntu3.5_all.deb
  376. apache2-dbg_2.4.18-2ubuntu3.5_amd64.deb
  377. apache2-dev_2.4.18-2ubuntu3.5_amd64.deb
  378. apache2-doc_2.4.18-2ubuntu3.5_all.deb
  379. apache2-suexec-custom_2.4.18-2ubuntu3.5_amd64.deb
  380. apache2-suexec-pristine_2.4.18-2ubuntu3.5_amd64.deb
  381. apache2-utils_2.4.18-2ubuntu3.5_amd64.deb
  382. ```
  383. 

  384. ... as a result you should install the following prerequisites:
  385. 

  386. ```
  387. sudo apt-get install -y libaprutil1-dbd-sqlite3 libaprutil1-dbd-mysql libaprutil1-dbd-odbc libaprutil1-dbd-pgsql libaprutil1-ldap libmysqlclient20 libodbc1 libpq5 mysql-common
  388. ```
  389. 

  390. ... after which we can install our compiled Apache2 packages with `dpkg -i` command (assuming your architecture is `amd64`):
  391. 

  392. ```
  393. APACHE_NEW_VERSION="2.4.18-2ubuntu3.5"
  394. 

  395. cd ~/source_codes/apache2 && \
  396. sudo dpkg -i apache2_${APACHE_NEW_VERSION}_amd64.deb apache2-bin_${APACHE_NEW_VERSION}_amd64.deb apache2-data_${APACHE_NEW_VERSION}_all.deb apache2-utils_${APACHE_NEW_VERSION}_amd64.deb
  397. 

  398. ```
  399. 

  400. where `APACHE_NEW_VERSION` is the new compiled version of your Apache web server.
  401. 

  402. If everything has succeeded you should have a working, patched Apache web server in your target system. Because the patches web server software supports `ServerTokens None` option now, we shall add this option into `/etc/apache2/apache2.conf`.
  403. 

  404. ```
  405. sudoedit /etc/apache2/apache2.conf
  406. ```
  407. 

  408. Add the following lines (// just replace `ServerTokens Prod` with `ServerTokens None`):
  409. 

  410. ```
  411. TraceEnable Off
  412. ServerSignature Off
  413. ServerTokens None
  414. ```
  415. 

  416. **NOTE:** Any settings in `/etc/apache2/conf-available/security.conf` overrides these configuration changes.
  417. 

  418. Restart Apache2 server (you must apply the patch file before doing this because the default Apache software does not implement `None` for ServerTokens):
  419. 

  420. ```
  421. sudo systemctl start apache2.service
  422. ```
  423. 

  424. Check whether the configuration works:
  425. 

  426. ```
  427. phelenius@my-machine:~$ curl -I http://174.138.2.190
  428. HTTP/1.1 200 OK
  429. Date: Sat, 17 Feb 2018 14:02:20 GMT
  430. Last-Modified: Wed, 14 Feb 2018 00:06:44 GMT
  431. ETag: "20b-56520e2f88f4a"
  432. Accept-Ranges: bytes
  433. Content-Length: 523
  434. Vary: Accept-Encoding
  435. Content-Type: text/html
  436. ```
  437. 

  438. Therefore we have successfully deleted Server field from HTTP header.
  439. 

  440. You can additionally set and unset more HTTP header fields sent to a client as follows:
  441. 

  442. ```
  443. Header unset Last-Modified
  444. Header unset Accept-Ranges
  445. Header unset Vary
  446. Header unset ETag
  447. ```
  448. 

  449. **NOTE:** `Header unset` settings may cause errors on starting up the server. For example, you may consider usage of `FileETag None` as a replacement for `Header unset ETag`.
  450. 

  451. **NOTE:** You must be careful when unsetting fields because it affects behavior of client programs and efficiency of your server environment (performance, for instance). Remember that factors such as field order, formatting and error messages can give hints about the used server environment as well (for instance, 404 not found message). 
  452. 

  453. **NOTE:** The header options mentioned above work only if module `headers` has been activated (run command `sudo a2enmod headers` and restart the Apache server)
  454. 

  455. More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc.
  456. 

  457. ### EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code

  458. 

  459. [This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output response if multiple errors were encountered while processing the client request:
  460. 

  461. > Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

  462. 

  463. and
  464. 

  465. > Additionally, a 'CODE' 'MESSAGE' error was encountered while trying to use an ErrorDocument to handle the request.

  466. 

  467. 

  468. The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
  469. 

  470. As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. This warning applies especially in Apache proxy configurations in which another server redirects error messages to the Apache proxy and multiple errors may occur.
  471. 

  472. Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
  473. 

  474. ```
  475. patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch
  476. ```
  477. 

  478. and follow the procedures of the previous section to compile and install Apache from source code.
  479. 

  480. ### EXTRA: Disable userdir module for user nobody to reduce server detection

  481. 

  482. It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `<myserver:80>/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows:
  483. 

  484. ```
  485. <IfModule mod_userdir.c>
  486.         UserDir public_html
  487.         UserDir disabled root
  488.         UserDir disabled nobody
  489. ...
  490. ```
  491. 

  492. The following demonstration is the view of Metasploit Framework console, using HTTP `dir_scanner` against a server:
  493. 

  494. ```
  495. msf auxiliary(scanner/http/dir_scanner) > run
  496. 

  497. [*] Detecting error code
  498. [*] Using code '404' as not found for AAA.BBB.XXX.CCC
  499. [+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
  500. ```
  501. 

  502. ### EXTRA: Additional protection by fine-tuning Apache HTTP headers

  503. 

  504. In some server environments, adding some HTTP headers may give extra protection against malicious actions by an hostile client. **NOTE:** Please keep in mind that these settings are not foolproof.
  505. 

  506. At first, enable Apache `headers` module.
  507. 

  508. ```
  509. sudo a2enmod headers
  510. ```
  511. 

  512. Then, add the following in your Apache virtualhost (for instance, `/etc/apache2/sites-available/000-default.conf`):
  513. 

  514. <VirtualHost *:80>
  515. ...
  516. 

  517.     <IfModule mod_headers.c>
  518.         Header set X-Content-Type-Options nosniff
  519.         Header always append X-Frame-Options SAMEORIGIN
  520.         Header always append X-XSS-Protection 1
  521.         Header always append Content-Security-Policy "frame-ancestors 'self'"
  522.     </IfModule>
  523. 

  524. ...
  525. </VirtualHost>
  526. 

  527. > Header set X-Content-Type-Options nosniff

  528. 

  529. More about this option: [Stack Overflow - What is “X-Content-Type-Options=nosniff”?](https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff)
  530. 

  531. > Header always append X-Frame-Options SAMEORIGIN

  532. 

  533. More protection against [Clickjacking attacks](https://www.keycdn.com/blog/x-frame-options/#Clickjacking)
  534. 

  535. More about this option: 
  536. 

  537. - [keycdn.com - X-Frame-Options - How to Combat Clickjacking](https://www.keycdn.com/blog/x-frame-options/#X-Frame-Options-Directives)
  538. 

  539. - [OWASP - Clickjacking Defense Cheat Sheet](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet)
  540. 

  541. > Header always append X-XSS-Protection 1

  542. 

  543. More about this option: [keycdn.com - X-XSS-Protection - Preventing Cross-Site Scripting Attacks](https://www.keycdn.com/blog/x-xss-protection/)
  544. 

  545. > Header always append Content-Security-Policy "frame-ancestors 'self'"

  546. 

  547. Another clickjacking attack prevention (CSP 2.0)
  548. 

  549. More about this option: [OWASP - Content Security Policy Cheat Sheet: Preventing Clickjacking (CSP 2.0)](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking)
  550. 

  551. ### EXTRA: Additional protection by enabling ModSecurity module in Apache

  552. 

  553. More security features can be added to Apache server by using [ModSecurity Apache module by Trustwave SpiderLabs](https://www.modsecurity.org/about.html). The module is released under [Apache Software License version 2](http://www.apache.org/licenses/LICENSE-2.0.txt). A brief description of the module, quoted from the website:
  554. 

  555. > ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.

  556. 

  557. There is an additional ModSecurity ruleset available by OWASP. You can read more about it on [OWASP website: ModSecurity Core Rule Set Project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project)
  558. 

  559. At first, make sure that Apache `security` module is installed:
  560. 

  561. ```
  562. [[ $(dpkg --get-selections | grep libapache2-mod-security2) ]] || sudo apt-get update && sudo apt-get install -y libapache2-mod-security2 modsecurity-crs
  563. ```
  564. 

  565. Then, enable the module:
  566. 

  567. ```
  568. sudo a2enmod security2
  569. ```
  570. 

  571. **NOTE:** Before blindly accepting `security` module, please take extra care if your Apache server is in production or in sensitive environment where stability is absolutely required without nasty or troublesome interruptions!
  572. 

  573. **NOTE:** If you decided to adapt some of the following `security` module rules, you should identify which of these settings are relevant *in your server environment*.
  574. 

  575. **NOTE:** The following ruleset is a loose reference which uses the settings by [Ask Apache - Mod_Security .htaccess tricks website](https://www.askapache.com/htaccess/modsecurity-htaccess-tricks/)
  576. 

  577. Add the following in your VirtualHost configuration (for instance, `/etc/apache2/sites-available/000-default.conf`):
  578. 

  579. ```
  580. <VirtualHost *:80>
  581. ...
  582. 

  583.     <IfModule security2_module.c>
  584.         SecDataDir /var/cache/modsecurity
  585.         IncludeOptional /etc/modsecurity/*.conf
  586.         IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
  587. 

  588.         # Enable ModSecurity
  589.         SecRuleEngine On
  590. 

  591.         # Sends matching requests a 405 Method Not Allowed Status Code
  592.         SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" "deny,auditlog,status:405"
  593. 

  594.         # Do not accept GET or HEAD requests with bodies
  595.         SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
  596.         SecFilterSelective HTTP_Content-Length "!^$"
  597. 

  598.         # Require Content-Length to be provided with
  599.         # every POST request
  600.         SecFilterSelective REQUEST_METHOD "^POST$" chain
  601.         SecFilterSelective HTTP_Content-Length "^$"
  602. 

  603.         # Don't accept transfer encodings we know we don't handle
  604.         SecFilterSelective HTTP_Transfer-Encoding "!^$"
  605. 

  606.         # Should mod_security inspect POST payloads
  607.         SecFilterScanPOST On
  608. 

  609.         # Make sure that URL encoding is valid
  610.         SecFilterCheckURLEncoding On
  611. 

  612.         # Only log suspicious requests
  613.         SecAuditEngine RelevantOnly
  614. 

  615.         # Unicode encoding check
  616.         SecFilterCheckUnicodeEncoding Off
  617.     </IfModule>
  618. 

  619. ...
  620. </VirtualHost>
  621. ```
  622. 

  623. 

  624. **b)** Set user default website to be the default website for Apache in your virtual server environment.
  625. --------------
  626. 

  627. **Answer:**
  628. 

  629. Let's begin from the final state of the previous answer. We have created a user `monkey` in our server computer. This user has a website URL `174.138.2.190:80/~monkey` which is accessible outside the server computer, too.
  630. 

  631. **1.** Remove default webpage of Apache web server, and move `DocumentRoot` to point to directory `$HOME/public_html` of user `monkey`, after which restart Apache service daemon.
  632. 

  633. ```
  634. newuser@goauldhost:~$ sudo sed -i 's?DocumentRoot /var/www/html?DocumentRoot /home/monkey/public_html?' /etc/apache2/sites-available/000-default.conf
  635. ```
  636. 

  637. We can disable folder path `/var/www` commenting out the following lines (inserting `#` comment symbols) in file `/etc/apache2/apache2.conf` (use command `sudoedit /etc/apache2/apache2.conf`, for instance):
  638. 

  639. ```
  640. #<Directory /var/www/>

  641. #        Options Indexes FollowSymLinks

  642. #        AllowOverride None

  643. #        Require all granted

  644. #</Directory>

  645. ```
  646. 

  647. Restart Apache web server daemon:
  648. 

  649. ```
  650. newuser@goauldhost:~$ sudo systemctl restart apache2.service
  651. ```
  652. 

  653. Go to the following IP address with your **local computer** (use HTTP port `80`):
  654. 

  655. ```
  656. xdg-open http://174.138.2.190:80
  657. ```
  658. 

  659. The opening view should be as follows:
  660. 

  661. ![emptypage-sample](https://github.com/Fincer/linux-server-setup/blob/master/images/empty-page-sample.png)
  662. 

  663. **2.** Create a new file `index.html` in the directory `$HOME/public_html` of user `monkey` (where `$HOME is folder path `/home/monkey/`)
  664. 

  665. ```
  666. newuser@goauldhost:~$ su monkey
  667. Password: 
  668. monkey@goauldhost:/home/newuser$ cd
  669. monkey@goauldhost:~$ echo -e '<!DOCTYPE html>\n <html>\n \t<head>\n \t\t<title>Testi</title>\n \t</head>\n \t<body>\n \t\t<h1>Testi</h1>\n \t</body>\n </html>\n' > ~/public_html/index.html
  670. 

  671. ```
  672. 

  673. **3.** We should redirect all `index.html` traffic to the folder root `/home/monkey/public_html/`. This can be achieved by creating hidden page-related control file `.htaccess` file to the directory root.
  674. 

  675. ```
  676. monkey@goauldhost:~$ cd public_html
  677. monkey@goauldhost:~/public_html$ touch .htaccess
  678. monkey@goauldhost:~/public_html$ echo -e '<IfModule mod_rewrite.c>\n\tRewriteEngine On\n\tRewriteBase /\n\tRewriteRule ^index\.html$ / [NC,R,L]\n</IfModule>' | tee -a ./.htaccess
  679. ```
  680. 

  681. Reactivate Apache module `rewrite`. We shall switch our user because user `monkey` doesn't have `sudo` rights at this point:
  682. 

  683. ```
  684. monkey@goauldhost:~/public_html$ su newuser
  685. Password: 
  686. newuser@goauldhost:/home/monkey/public_html$ sudo a2enmod rewrite
  687. Enabling module rewrite.
  688. To activate the new configuration, you need to run:
  689.   service apache2 restart
  690. newuser@goauldhost:/home/monkey/public_html$ sudo systemctl restart apache2.service
  691. ```
  692. 

  693. Your Apache web server should redirect all traffic of `http://174.138.2.190:80/index.html` to address `http://174.138.2.190:80/`
  694. 

  695. **c)** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.
  696. --------------
  697. 

  698. **Answer:**
  699. 

  700. The key principle to check any malicious activity is to check system log files, mainly `/var/log/apache/access.log` and `/var/log/apache/error.log` (Apache). Malicious SSH attempts may be checked in `/var/log/auth.log`. Other relevant log files must be considered as important, too.
  701. 

  702. At the time of writing this answer, the Apache web server was running bit over a week period. However, there were no any webpage deployed during that time, and therefore my web server hadn't created any major log entries. However, I noticed one suspicious connection attempt to setup.php file of phpMyAdmin software, although the software was not installed. The lookup was done by checking web server log file `/var/log/apache2/access.log`. The log entry itself was as follows:
  703. 

  704. ```
  705. 66.118.142.165 - - [13/Feb/2018:14:43:58 +0000] "HEAD /phpmyadmin/scripts/setup.php HTTP/1.0" 404 159 "-" "-"
  706. ```
  707. 

  708. We shall analyze the logged IP address (+ download a georeferred IP database to determine more specific geolocation of the source by using `wget` command):
  709. 

  710. ```
  711. newuser@goauldhost:~$ sudo apt-get -y install geoip-bin
  712. newuser@goauldhost:~$ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
  713. newuser@goauldhost:~$ gunzip GeoLiteCity.dat.gz
  714. newuser@goauldhost:~$ OBSIP=66.118.142.165
  715. newuser@goauldhost:~$ echo -e "Server Geolocation:\n$(geoiplookup -f /home/newuser/GeoLiteCity.dat $OBSIP)\n\n$(nslookup $OBSIP)\n\nDNS Name:\n$(dig +short -x $OBSIP)" && unset OBSIP
  716. ```
  717. 

  718. Output is as follows:
  719. 

  720. ```
  721. Server Geolocation:
  722. GeoIP City Edition, Rev 1: US, FL, Florida, Tampa, 33611, 27.886700, -82.511703, 539, 813
  723. 

  724. Server:		67.207.67.2
  725. Address:	67.207.67.2#53
  726. 

  727. Non-authoritative answer:
  728. 165.142.118.66.in-addr.arpa	name = 66-118-142-165.static.sagonet.net.
  729. 

  730. Authoritative answers can be found from:
  731. 

  732. DNS Name:
  733. 66-118-142-165.static.sagonet.net.
  734. 

  735. ```
  736. 

  737. The log entry tells us that connection to page `http://174.138.2.190:80/phpmyadmin/scripts/setup.php` was tried to be established. The server responded with code 404 (HTTP_NOT_FOUND), indicating that the address couldn't be found. It is seen that user agent string of `66.118.142.165` is empty (just a line). It is known that the user agent string can very easily be customized.
  738. 

  739. HTTP [HEAD method](http://condor.depaul.edu/dmumaugh/readings/handouts/SE435/HTTP/node14.html) were used in the connection attempt. The HTTP HEAD method is more suitable for quick file existence look-ups than HTTP GET method because only the file existence is checked, leading to decreased data transfer rates between a server and a client. The HEAD method is usually used for caching documents (data). A client program just tries to download metadata of the request document from a server. [Apache web server does not return the message response body while answering to the client program with the HTTP HEAD method.](https://hc.apache.org/httpclient-3.x/methods/head.html).
  740. 

  741. the HEAD method can be "disabled" by adding the following lines into 1) file `~/public_html/.htaccess` (in the case of this assignment) 2) or into file `/etc/apache2/sites-available/000-default.conf` 3) or any site-specific configuration file in Apache's `sites-available` folder 4) or any `.htaccess` file in a website directory root:
  742. 

  743. ```
  744. RewriteEngine on
  745. RewriteCond %{THE_REQUEST} !^(POST|GET)\ /.*\ HTTP/1\.1$ 
  746. RewriteRule .* - [F,L]
  747. ```
  748. 

  749. The original answer [here](https://www.linuxquestions.org/questions/linux-security-4/disabling-head-options-http-methods-in-apache-webserver-763347/#post4511023)
  750. 

  751. It is understandable that line `RewriteEngine on` doesn't need to be determined twice and adding this code requires re-enabling of Apache rewrite module.
  752. 

  753. I have had a Debian-based web server (LAMP) environment in the past years. I have included Apache `/var/log/apache/access.log` parts of that web server environment here (year 2014):
  754. 

  755. [Apache - access.log, example](https://github.com/Fincer/linux-server-setup/blob/master/other/apache-log-sample)
  756. 

  757. The log file reveals many suspicious connection attempts from Thailand and Netherlands, for instance.
  758. 

  759. The most memorable log entry from the past years was, however, a penetration attempt by Romanian hacker/bot group and it looked like as follows:
  760. 

  761. ```
  762. 4.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 142 "-" "ZmEu"
  763. ```
  764. 

  765. `w00tw00t` scanning technique is an old one and dates back to the last decade. However, it is still being widely used. More about this intrusive scanning technique:
  766. 

  767. - [Symantec: Hacktool.DFind](https://www.symantec.com/security-center/writeup/2005-011411-1411-99)
  768. 

  769. - [NinTechNet: How to block web vulnerability scanners with iptables.](https://blog.nintechnet.com/how-to-block-w00tw00t-at-isc-sans-dfind-and-other-web-vulnerability-scanners/)
  770. 

  771. Information about `w00tw00t` is widely available from other online sources as well.
  772. 

  773. **d)** Create a set of websites on your local computer and copy the sites to your web server with scp command.
  774. --------------
  775. 

  776. **Answer:**
  777. 

  778. **1.** Let's create the required websites locally, after which the upload is done with user `newuser`. I have used pre-created websites in this assignment. The upload is done with my Arch Linux computer using required SSH protocol:
  779. 

  780. ```
  781. [13/02/2018 21:04:16 - fincer: ~ ]$ scp /home/fincer/Documents/website/website_1.03_fincer.zip newuser@174.138.2.190:./
  782. The authenticity of host '174.138.2.190 (174.138.2.190)' can't be established.
  783. ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
  784. Are you sure you want to continue connecting (yes/no)? yes
  785. Warning: Permanently added '174.138.2.190' (ECDSA) to the list of known hosts.
  786. newuser@174.138.2.190's password: 
  787. website_1.03_fincer.zip                                                                    100%  656KB 655.8KB/s   00:01
  788. [13/02/2018 21:04:32 - fincer: ~ ]$ 
  789. ```
  790. 

  791. **2.** Modify Apache default webpage address to point to `/home/newuser/public_html/`:
  792. 

  793. ```
  794. newuser@goauldhost:~$ sudo sed -i 's?DocumentRoot /home/monkey/public_html?DocumentRoot /home/newuser/public_html?' /etc/apache2/sites-available/000-default.conf
  795. newuser@goauldhost:~$ sudo systemctl restart apache2.service
  796. ```
  797. 

  798. **3.** Because `/home/newuser/public_html/` is empty (checked with `ls` command), we shall extract uploaded `website_1.03_fincer.zip` to that directory.
  799. 

  800. ```
  801. newuser@goauldhost:~$ sudo apt-get update && sudo apt-get install unzip
  802. newuser@goauldhost:~$ mv website_1.03_fincer.zip ./public_html/ && cd ./public_html
  803. newuser@goauldhost:~$ unzip website_1.03_fincer.zip
  804. ```
  805. 

  806. **4.** It should be possible to open the website using URL `174.138.2.190`, and the website should look like the following:
  807. 

  808. ![website-sample](https://github.com/Fincer/linux-server-setup/blob/master/images/pekkahh-website.png)
  809. 

  810. **5.** Let's copy another website sample into folder `$HOME/public_html/` of user `monkey`:
  811. 

  812. ```
  813. [13/02/2018 22:01:40 - fincer: ~ ]$ scp /home/fincer/Documents/server_site.tar.xz monkey@174.138.2.190:./public_html/
  814. ```
  815. 

  816. **6.** Let's establish a new SSH connection to the virtual server computer with user `monkey`:
  817. 

  818. ```
  819. [13/02/2018 22:04:23 - fincer: ~ ]$ ssh monkey@174.138.2.190
  820. ```
  821. 

  822. **7.** In the virtual web server computer terminal, go to `$HOME/public_html/` of user `monkey`, extract `server_site.tar.xz` and put the extracted files into correct places in the directory hierarchy. Rename old `index.html` file to `index.html.old`
  823. 

  824. ```
  825. monkey@goauldhost:~/public_html$ mv index.html index.html.old
  826. monkey@goauldhost:~/public_html$ tar xf server_site.tar.xz
  827. monkey@goauldhost:~/public_html$ mv ./server_site/* ./
  828. monkey@goauldhost:~/public_html$ rm -Rf ./{server_site,server_site.tar.xz}
  829. ```
  830. 

  831. (you could have just used one * symbol in the previous rm command because the equal name syntax, i.e. `rm -Rf ./server_site*`)
  832. 

  833. The deployed website can be viewed in URL address `http://174.138.2.190:80/~monkey`, and they look as follows (this example is a work time // wage calculator):
  834. 

  835. ![workprice-samplesite](https://github.com/Fincer/linux-server-setup/blob/master/images/workprice-site_example.png)
  836. 

  837. **NOTE:** There are differences in the URL due to language reasons (`~apina` translates from finnish to english as `~monkey`)
  838. 

  839. **e)** Set up a simple PHP webpage on your web server. For instance, you can print a remote address of the user ( $_SERVER['REMOTE_ADDR'] ) etc. Be careful if you use input forms of any kind.
  840. --------------
  841. 

  842. **Answer:**
  843. 

  844. In this answer, I add a PHP-based BMI calculator (Body Mass Index) to my website. For this purpose, two files were created: `bmicalc.html` and `bmicalc.php` which both are uploaded to the virtual web server with the following command, executed at the **local computer**:
  845. 

  846. ```
  847. phelenius@my-machine:~$ scp $HOME/public_html/bmi-index/{bmicalc.php,bmicalc.html} newuser@174.138.2.190:./public_html/
  848. newuser@174.138.2.190's password:
  849. bmicalc.php                                                           100% 3051     3.0KB/s   00:00    
  850. bmicalc.html                                                          100%  523     0.5KB/s   00:00 
  851. ```
  852. 

  853. The following image demonstrates a web browser view of URL address `174.138.2.190/bmicalc.html`. 
  854. 

  855. - On the left side: the source code of the HTML page.
  856. 

  857. - On the right side: server-side "raw" PHP source code which is not seen by the client program, our web browser in this case (PHP code = server-side execution, i.e. only web server sees the code, JavaScript code = client-side execution, i.e. client can see the code, too)
  858. 

  859. ![bmicalc-sample](https://github.com/Fincer/linux-server-setup/blob/master/images/bmicalc-sample.png)
  860. 

  861. **Edit** The following changes has been done after answering the assignment:
  862. 

  863. - PHP-related HTTP method GET has been changed to POST method afterwards because usage of the GET method leads to visible input values in a web browser URL field. This doesn't happen when using the POST method.
  864. 

  865. - Implementation of server-side solutions which restrict user accessibility to other web server directories and files.
  866. 

  867. - PHP code has been merged with the HTML document, i.e. there is no additional `.php` file in the web server anymore.