From 3af5665daf37e4226a665fc44748691c51190f44 Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Wed, 15 Aug 2018 16:52:53 +0300 Subject: [PATCH] H4: Update text --- exercises/h4.md | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/exercises/h4.md b/exercises/h4.md index ea17777..f487b40 100644 --- a/exercises/h4.md +++ b/exercises/h4.md 
@@ -6,6 +6,23 @@ Linux servers - Exercice 4 This exercise is a part of [Linux servers (ICT4TN021, spring 2018) // Linux-palvelimet (ICT4TN021, kevät 2018)](http://www.haaga-helia.fi/fi/opinto-opas/opintojaksokuvaukset/ICT4TN021) school course organized as a part of Information Technology studies in Haaga-Helia university of Applied Sciences, Helsinki, Finland. Course lecturer [Tero Karvinen](http://terokarvinen.com/) has defined the original assignment descriptions in Finnish presented in this document in English. Answers and translations have been written by Pekka Helenius (me, ~ Fincer). +*Table of contents:* +-------------- + +- [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment) + + - [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions) + +- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) + +- [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. 
You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance) + +- [d) **Transferring website files** Create a set of websites on your local computer and copy the sites to your web server with scp command.](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#d-create-a-set-of-websites-on-your-local-computer-and-copy-the-sites-to-your-web-server-with-scp-command) + +- [e) **PHP website** Set up a simple PHP webpage on your web server. For instance, you can print a remote address of the user ( $_SERVER['REMOTE_ADDR'] ) etc. Be careful if you use input forms of any kind.](https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#e-set-up-a-simple-php-webpage-on-your-web-server-for-instance-you-can-print-a-remote-address-of-the-user--_serverremote_addr--etc-be-careful-if-you-use-input-forms-of-any-kind) + +-------------- + **a)** Make it possible to create home pages with normal user privileges in your virtual server environment. -------------- @@ -189,8 +206,10 @@ where Permissions can be written in numeric form but also in symbolic form. For instance, +``` 775 = rwxrwxr-x (4+2+1, 4+2+1, 4+1) ug=rwx,o=rx => rwxrwxr-x +``` Take a look on the following links to get more information about Unix permissions: 
@@ -389,7 +408,7 @@ Header unset ETag More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc. -**s)** Set user default website to be the default website for Apache in your virtual server environment. +**b)** Set user default website to be the default website for Apache in your virtual server environment. -------------- **Answer:** @@ -460,11 +479,13 @@ newuser@goauldhost:/home/monkey/public_html$ sudo systemctl restart apache2.serv Your Apache web server should redirect all traffic of `http://174.138.2.190:80/index.html` to address `http://174.138.2.190:80/` -**y)** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance. +**c)** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance. -------------- **Answer:** +The key principle to check any malicious activity is to check system log files, mainly `/var/log/apache/access.log` and `/var/log/apache/error.log` (Apache). Malicious SSH attempts may be checked in `/var/log/auth.log`. Other relevant log files must be considered as important, too. + At the time of writing this answer, the Apache web server was running bit over a week period. However, there were no any webpage deployed during that time, and therefore my web server hadn't created any major log entries. However, I noticed one suspicious connection attempt to setup.php file of phpMyAdmin software, although the software was not installed. The lookup was done by checking web server log file `/var/log/apache2/access.log`. The log entry itself was as follows: ``` 
@@ -528,7 +549,7 @@ The most memorable log entry from the past years was, however, a penetration att 4.125.148.79 - - [07/Aug/2013:20:53:35 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 142 "-" "ZmEu" ``` -**y)** Create a set of websites on your local computer and copy the sites to your web server with scp command. +**d)** Create a set of websites on your local computer and copy the sites to your web server with scp command. -------------- **Answer:** @@ -594,7 +615,7 @@ The deployed website can be viewed in URL address `http://174.138.2.190:80/~monk **NOTE:** There are differences in the URL due to language reasons (`~apina` translates from finnish to english as `~monkey`) -**y)** Set up a simple PHP webpage on your web server. For instance, you can print a remote address of the user ( $_SERVER['REMOTE_ADDR'] ) etc. Be careful if you use input forms of any kind. +**e)** Set up a simple PHP webpage on your web server. For instance, you can print a remote address of the user ( $_SERVER['REMOTE_ADDR'] ) etc. Be careful if you use input forms of any kind. -------------- **Answer:**
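Review bot: in the table of contents added by the first hunk (`@@ -6,6 +6,23 @@`), every entry is an absolute link to `https://github.com/Fincer/linux_server_setup/blob/master/exercises/h4.md#...`, so a reader on a fork, another branch or a local clone is sent to the `master` copy on GitHub instead of staying in the file they have open. The targets are headings in this same file, so fragment-only links such as `#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment` would work in all of those places. The fragments are derived from the full heading text, so any later rewording of a heading silently breaks its entry; shorter headings, with the long assignment text moved into the body, would make that less fragile.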
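Review bot: in the second hunk (`@@ -189,8 +206,10 @@`), the two lines now wrapped in the fence use different separators: `=` in `775 = rwxrwxr-x` and `=>` in `ug=rwx,o=rx => rwxrwxr-x`. Because `=` is also part of the symbolic syntax itself (`ug=rwx`), using `=>` on both lines would make it clear where the notation ends and the resulting mode string begins.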
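Review bot: the paragraph added in the fourth hunk (`@@ -460,11 +479,13 @@`) names the Apache logs as `/var/log/apache/access.log` and `/var/log/apache/error.log`, but the unchanged paragraph directly below it reads the entry from `/var/log/apache2/access.log`, and the service restarted in the hunk's context is `apache2.service`. The added paths should use the same `/var/log/apache2/` directory so a reader following the answer looks in the file the example actually came from. The closing sentence "Other relevant log files must be considered as important, too" gives the reader nothing to act on; either name the files meant or drop it.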