@ -15,6 +15,12 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers]()
- [EXTRA: Additional protection by enabling ModSecurity module in Apache]()
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
- [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance)
- [c) **Short penetration analysis** Find clues of possible penetration attempts to your web server. You can find more information about suspicious IP address without connecting them by using commands ipcalc, geoiplookup and whois, for instance.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#c-find-clues-of-possible-penetration-attempts-to-your-web-server-you-can-find-more-information-about-suspicious-ip-address-without-connecting-them-by-using-commands-ipcalc-geoiplookup-and-whois-for-instance)
@ -296,7 +302,7 @@ newuser@goauldhost:~/source_codes/apache2$ cd apache2-2.4.18/
Implement the patch file changes into the Apache source code:
Implement the patch file changes into the Apache source code:
Before compiling Apache web server, you must install the following build time dependencies:
Before compiling Apache web server, you must install the following build time dependencies:
@ -419,6 +425,26 @@ Header unset ETag
More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc.
More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields). More articles in [ETag](https://en.wikipedia.org/wiki/HTTP_ETag), [Vary: Accept-Encoding](https://blog.stackpath.com/accept-encoding-vary-important), etc.
### EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output response if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE><MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. This warning applies especially in Apache proxy configurations in which another server redirects error messages to the Apache proxy and multiple errors may occur.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
and follow the procedures of the previous section to compile and install Apache from source code.
### EXTRA: Disable userdir module for user nobody to reduce server detection
### EXTRA: Disable userdir module for user nobody to reduce server detection
It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `<myserver:80>/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows:
It is recommended to set `UserDir disabled nobody` in `/etc/apache2/mods-enabled/userdir.conf` file as Metasploit offensive scanning method `scanner/http/dir_scanner` can detect existence of URL/folder path `<myserver:80>/~nobody`. Minimize attack vector, and just disable the userdir module for user `nobody` on the server as follows:
@ -440,6 +466,148 @@ msf auxiliary(scanner/http/dir_scanner) > run
[*] Using code '404' as not found for AAA.BBB.XXX.CCC
[*] Using code '404' as not found for AAA.BBB.XXX.CCC
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
```
```
### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE><MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
and follow the procedures of the previous section to compile and install Apache from source code.
### EXTRA: Additional protection by fine-tuning Apache HTTP headers
In some server environments, adding some HTTP headers may give extra protection against malicious actions by an hostile client. **NOTE:** Please keep in mind that these settings are not foolproof.
At first, enable Apache `headers` module.
```
sudo a2enmod headers
```
Then, add the following in your Apache virtualhost (for instance, `/etc/apache2/sites-available/000-default.conf`):
More about this option: [Stack Overflow - What is “X-Content-Type-Options=nosniff”?](https://stackoverflow.com/questions/18337630/what-is-x-content-type-options-nosniff)
> Header always append X-Frame-Options SAMEORIGIN
More protection against [Clickjacking attacks](https://www.keycdn.com/blog/x-frame-options/#Clickjacking)
More about this option:
- [keycdn.com - X-Frame-Options - How to Combat Clickjacking](https://www.keycdn.com/blog/x-frame-options/#X-Frame-Options-Directives)
More about this option: [OWASP - Content Security Policy Cheat Sheet: Preventing Clickjacking (CSP 2.0)](https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking)
### EXTRA: Additional protection by enabling ModSecurity module in Apache
More security features can be added to Apache server by using [ModSecurity Apache module by Trustwave SpiderLabs](https://www.modsecurity.org/about.html). The module is released under [Apache Software License version 2](http://www.apache.org/licenses/LICENSE-2.0.txt). A brief description of the module, quoted from the website:
> ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
There is an additional ModSecurity ruleset available by OWASP. You can read more about it on [OWASP website: ModSecurity Core Rule Set Project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project)
At first, make sure that Apache `security` module is installed:
**NOTE:** Before blindly accepting `security` module, please take extra care if your Apache server is in production or in sensitive environment where stability is absolutely required without nasty or troublesome interruptions!
**NOTE:** If you decided to adapt some of the following `security` module rules, you should identify which of these settings are relevant *in your server environment*.
**NOTE:** The following ruleset is a loose reference which uses the settings by [Ask Apache - Mod_Security .htaccess tricks website](https://www.askapache.com/htaccess/modsecurity-htaccess-tricks/)
Add the following in your VirtualHost configuration (for instance, `/etc/apache2/sites-available/000-default.conf`):
Pekka Helenius
5 years ago
GitHub