
H4: Update document - Apache stuff

master
Pekka Helenius 5 years ago
committed by GitHub
parent
commit
bdd07bdba7
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 10 additions and 27 deletions

exercises/h4.md (+10, -27)

@ -12,14 +12,14 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018)
- [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment)
- [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-delete-suggestive-http-error-code-messages-from-apache-html-output-by-updating-apache-source-code)
- [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection)
- [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers]()
- [EXTRA: Additional protection by enabling ModSecurity module in Apache]()
- [EXTRA: Additional protection by fine-tuning Apache HTTP headers](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-fine-tuning-apache-http-headers)
- [EXTRA: Additional protection by enabling ModSecurity module in Apache](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-enabling-modsecurity-module-in-apache)
- [b) **Default website** Set user default website to be the default website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment)
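Review bot: the three table-of-contents entries with an empty `()` target (the second "Delete suggestive HTTP error code messages" entry and the bare "fine-tuning Apache HTTP headers" and "ModSecurity" entries) render as dead links and duplicate entries that already carry full anchors, so the list should end up with exactly one linked entry per section. The remaining links are absolute URLs pinned to `blob/master`; in-page fragments such as `#extra-additional-protection-by-enabling-modsecurity-module-in-apache` would keep working in forks and on other branches.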
@ -431,7 +431,10 @@ More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE> <MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
and
> Additionally, a 'CODE' 'MESSAGE' error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website.
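Review bot: in the quoted example `> Additionally, a <CODE> <MESSAGE> error was encountered ...` the bare angle brackets can be taken as HTML tags by a Markdown renderer and dropped from the output; wrap the placeholders in backticks, or keep only the `'CODE' 'MESSAGE'` variant instead of showing both forms joined by "and". In the paragraph that follows, "may give little protection" reads as "almost none"; if a modest benefit is meant, "a little protection" says so, and "erroneous server response" is clearer as "error response".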
@ -466,26 +469,6 @@ msf auxiliary(scanner/http/dir_scanner) > run
[*] Using code '404' as not found for AAA.BBB.XXX.CCC
[+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC)
```
### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code
[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request:
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Additionally, a <CODE> <MESSAGE> error was encountered while trying to use an ErrorDocument to handle the request.
The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response.
As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments.
Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder:
```
newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch
```
and follow the procedures of the previous section to compile and install Apache from source code.
### EXTRA: Additional protection by fine-tuning Apache HTTP headers
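Review bot: the deleted paragraph beginning "As I have stated in the patch file" is the only visible warning that the patch can hide server configuration problems and hamper debugging by HTTP return code, and the paragraph shown in the hunk at line 431 does not carry it, so check that the surviving section still states that caveat before this duplicate goes. The deleted command `patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch` gives `-i` no file argument; if the surviving section reuses that line, it should read `patch -Np1 -i ../patch_apache_disable_additional_errormsg.patch`.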