Browse Source

H4: Add more Apache stuff

master
Pekka Helenius 6 years ago
committed by GitHub
parent
commit
6fd2ab9059
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 169 additions and 1 deletions
  1. +169
    -1
      exercises/h4.md

+ 169
- 1
exercises/h4.md View File

@ -15,6 +15,12 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection) - [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers]()
- [EXTRA: Additional protection by enabling ModSecurity module in Apache]()
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) - [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
- [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance) - [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance)
@ -296,7 +302,7 @@ newuser@goauldhost:~/source_codes/apache2$ cd apache2-2.4.18/
Implement the patch file changes into the Apache source code: Implement the patch file changes into the Apache source code:
``` ```
newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i ../patch_apache_servertokens.patch
newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_servertokens.patch
``` ```
Before compiling Apache web server, you must install the following build time dependencies: Before compiling Apache web server, you must install the following build time dependencies:
@ -419,6 +425,26 @@ Header unset ETag
More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc. More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc.
### EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output response if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE> <MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. This warning applies especially in Apache proxy configurations in which another server redirects error messages to the Apache proxy and multiple errors may occur.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
```
newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch
```
and follow the procedures of the previous section to compile and install Apache from source code.
### EXTRA: Disable userdir module for user nobody to reduce server detection ### EXTRA: Disable userdir module for user nobody to reduce server detection
It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `<myserver:80>/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows: It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `<myserver:80>/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows:
@ -440,6 +466,148 @@ msf auxiliary(scanner/http/dir_scanner) > run
[*] Using code '404' as not found for AAA.BBB.XXX.CCC [*] Using code '404' as not found for AAA.BBB.XXX.CCC
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC) [+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
``` ```
### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE> <MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
```
newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch
```
and follow the procedures of the previous section to compile and install Apache from source code.
### EXTRA: Additional protection by fine-tuning Apache HTTP headers
In some server environments, adding some HTTP headers may give extra protection against malicious actions by an hostile client. **NOTE:** Please keep in mind that these settings are not foolproof.
At first, enable Apache `headers` module.
```
sudo a2enmod headers
```
Then, add the following in your Apache virtualhost (for instance, `/etc/apache2/sites-available/000-default.conf`):
<VirtualHost *:80>
...
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
Header always append X-XSS-Protection 1
Header always append Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
...
</VirtualHost>
> Header set X-Content-Type-Options nosniff
More about this option: [Stack Overflow - What is “X-Content-Type-Options=nosniff”?](https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff)
> Header always append X-Frame-Options SAMEORIGIN
More protection against [Clickjacking attacks](https://www.keycdn.com/blog/x-frame-options/#Clickjacking)
More about this option:
- [keycdn.com - X-Frame-Options - How to Combat Clickjacking](https://www.keycdn.com/blog/x-frame-options/#X-Frame-Options-Directives)
- [OWASP - Clickjacking Defense Cheat Sheet](https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet)
> Header always append X-XSS-Protection 1
More about this option: [keycdn.com - X-XSS-Protection - Preventing Cross-Site Scripting Attacks](https://www.keycdn.com/blog/x-xss-protection/)
> Header always append Content-Security-Policy "frame-ancestors 'self'"
Another clickjacking attack prevention (CSP 2.0)
More about this option: [OWASP - Content Security Policy Cheat Sheet: Preventing Clickjacking (CSP 2.0)](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking)
### EXTRA: Additional protection by enabling ModSecurity module in Apache
More security features can be added to Apache server by using [ModSecurity Apache module by Trustwave SpiderLabs](https://www.modsecurity.org/about.html). The module is released under [Apache Software License version 2](http://www.apache.org/licenses/LICENSE-2.0.txt). A brief description of the module, quoted from the website:
> ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
There is an additional ModSecurity ruleset available by OWASP. You can read more about it on [OWASP website: ModSecurity Core Rule Set Project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project)
At first, make sure that Apache `security` module is installed:
```
[[ $(dpkg --get-selections | grep libapache2-mod-security2) ]] || sudo apt-get update && sudo apt-get install -y libapache2-mod-security2 modsecurity-crs
```
Then, enable the module:
```
sudo a2enmod security2
```
**NOTE:** Before blindly accepting `security` module, please take extra care if your Apache server is in production or in sensitive environment where stability is absolutely required without nasty or troublesome interruptions!
**NOTE:** If you decided to adapt some of the following `security` module rules, you should identify which of these settings are relevant *in your server environment*.
**NOTE:** The following ruleset is a loose reference which uses the settings by [Ask Apache - Mod_Security .htaccess tricks website](https://www.askapache.com/htaccess/modsecurity-htaccess-tricks/)
Add the following in your VirtualHost configuration (for instance, `/etc/apache2/sites-available/000-default.conf`):
```
<VirtualHost *:80>
...
<IfModule security2_module.c>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
# Enable ModSecurity
SecRuleEngine On
# Sends matching requests a 405 Method Not Allowed Status Code
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" "deny,auditlog,status:405"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Only log suspicious requests
SecAuditEngine RelevantOnly
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
</IfModule>
...
</VirtualHost>
```
**b)** Set user default website to be the default website for Apache in your virtual server environment. **b)** Set user default website to be the default website for Apache in your virtual server environment.
-------------- --------------


Loading…
Cancel
Save