From 571c5f8078d370dd39c7ca92b41a69aeb09324fa Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Mon, 3 Sep 2018 02:47:22 +0300 Subject: [PATCH] H4: Disable userdir for 'nobody' to reduce offensive attack vector --- exercises/h4.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/exercises/h4.md b/exercises/h4.md index ad86328..7ade3a0 100644 --- a/exercises/h4.md +++ b/exercises/h4.md @@ -12,6 +12,8 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018) - [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment) - [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions) + + - [EXTRA: Disable userdir module for user nobody to avoid server detection]() - [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) 
@@ -415,6 +417,28 @@ Header unset ETag More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc. +### EXTRA: Disable userdir module for user nobody to avoid server detection + +It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows: + +``` + + UserDir public_html + UserDir disabled root + UserDir disabled nobody +... +``` + +The following demonstration is the view of Metasploit Framework console, using HTTP `dir_scanner` against a server: + +``` +msf auxiliary(scanner/http/dir_scanner) > run + +[*] Detecting error code +[*] Using code '404' as not found for AAA.BBB.XXX.CCC +[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC) +``` + **b)** Set user default website to be the default website for Apache in your virtual server environment. --------------
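Review bot: In the first hunk (the table of contents) the new entry `- [EXTRA: Disable userdir module for user nobody to avoid server detection]()` has an empty link target, while every neighbouring entry links to its GitHub heading anchor; the empty parentheses render as a dead link. Use the anchor derived from the new heading, i.e. `(https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-avoid-server-detection)`, and drop the stray `+ ` blank line added just before it, which breaks the list's spacing.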
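Review bot: In the second hunk the configuration snippet opens with an empty line (where the enclosing `<IfModule mod_userdir.c>` directive of the stock Debian `userdir.conf` sits) and ends with `...` and no closing tag, so a reader cannot copy it as-is; show the complete block, or state clearly that only the `UserDir disabled nobody` line is the addition. The security rationale is also narrower than stated: the scanner output `Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403` shows that a 403 on `/~<user>/` confirms mod_userdir is active and that the account exists, and `UserDir disabled nobody` turns that into a 404 only for `nobody`; any other system account with a home directory answers the same way. Recommend the allow-list form, `UserDir disabled` followed by `UserDir enabled <user1> <user2>` for the accounts that should actually publish pages, and mention that on Debian `/etc/apache2/mods-enabled/userdir.conf` is a symlink to `mods-available/userdir.conf`, so the change must be followed by `apache2ctl configtest` and a reload to take effect. Finally, tag the fences (e.g. ```apache for the config, plain text for the console output) so they render consistently with the rest of h4.md.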