From bdd07bdba70d0cc631fa22244f0c682e23dc2211 Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Fri, 21 Sep 2018 17:19:27 +0300 Subject: [PATCH] H4: Update document - Apache stuff --- exercises/h4.md | 37 ++++++++++--------------------------- 1 file changed, 10 insertions(+), 27 deletions(-) diff --git a/exercises/h4.md b/exercises/h4.md index 9954bff..a6103c8 100644 --- a/exercises/h4.md +++ b/exercises/h4.md 
@@ -12,14 +12,14 @@ This exercise is a part of [Linux Server Administration (ICT4TN021, spring 2018) - [a) **Websites on the server** Make it possible to create home pages with normal user privileges in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#a-make-it-possible-to-create-home-pages-with-normal-user-privileges-in-your-virtual-server-environment) - [EXTRA: Deleting Server field from HTTP header by updating Apache source code on Debian-based Linux distributions](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-deleting-server-field-from-http-header-by-updating-apache-source-code-on-debian-based-linux-distributions) - + + - [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-delete-suggestive-http-error-code-messages-from-apache-html-output-by-updating-apache-source-code) + - [EXTRA: Disable userdir module for user nobody to reduce server detection](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection) - - [EXTRA: Delete suggestive HTTP error code messages from Apache HTML output by updating Apache source code]() - - - [EXTRA: Additional protection by fine-tuning Apache HTTP headers]() - - - [EXTRA: Additional protection by enabling ModSecurity module in Apache]() + - [EXTRA: Additional protection by fine-tuning Apache HTTP headers](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-fine-tuning-apache-http-headers) + + - [EXTRA: Additional protection by enabling ModSecurity module in Apache](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#extra-additional-protection-by-enabling-modsecurity-module-in-apache) - [b) **Default website** Set user default website to be the default 
website for Apache in your virtual server environment.](https://github.com/Fincer/linux-server-setup/blob/master/exercises/h4.md#b-set-user-default-website-to-be-the-default-website-for-apache-in-your-virtual-server-environment) @@ -431,7 +431,10 @@ More about HTTP header syntax in [Wikipedia](https://en.wikipedia.org/wiki/List_ > Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. -> Additionally, a error was encountered while trying to use an ErrorDocument to handle the request. +and + +> Additionally, a 'CODE' 'MESSAGE' error was encountered while trying to use an ErrorDocument to handle the request. + The message can give a hint about underlying server configuration to a (hostile) client. Applying the patch to the Apache source code will remove the message from erroneous server response. Applying the patch may give little protection against hostile clients who are trying to identify the server you're running on your website. 
@@ -466,26 +469,6 @@ msf auxiliary(scanner/http/dir_scanner) > run [*] Using code '404' as not found for AAA.BBB.XXX.CCC [+] Found http://AAA.BBB.XXX.CCC:80/~nobody/ 403 (AAA.BBB.XXX.CCC) ``` -### EXTRA: Delete additional HTTP error code messages from Apache HTML output by updating Apache source code - -[This patch file](https://raw.githubusercontent.com/Fincer/linux-server-setup/master/patches/patch_apache_disable_additional_errormsg.patch) removes the following field from Apache HTML output if multiple errors were encountered while processing the client request: - -> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. - -> Additionally, a error was encountered while trying to use an ErrorDocument to handle the request. - -The message can give a hint about underlying server configuration to a client. Applying the patch to the apache source code will remove the message from erroneous server response. - -As I have stated in the patch file, the removal can bury underneath problems in server configuration and thus hamper debugging of errors which are based on HTTP return codes. Thus, use discretion before implementing the patch in the Apache server configuration, especially in production and in other sensitive environments. - -Apply the patch by doing the following in your `~/source_codes/apache2/apache2-2.4.18` folder: - -``` -newuser@goauldhost:~/source_codes/apache2/apache2-2.4.18$ patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch -``` - -and follow the procedures of the previous section to compile and install Apache from source code. - ### EXTRA: Additional protection by fine-tuning Apache HTTP headers
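Review bot: In the @@ -12,14 +12,14 @@ hunk the new TOC entry "EXTRA: Disable userdir module for user nobody to reduce server detection" points at `#extra-disable-userdir-module-for-user-nobody-to-reduce-server-detection`, but the heading it targets is not part of this diff; please check the heading text matches that GitHub-generated slug exactly (lowercase, spaces to hyphens, punctuation dropped), since a mismatched anchor fails silently on the rendered page. The two formerly empty `()` links for the HTTP headers and ModSecurity entries are now filled in, which is good; the extra `+` blank line inserted between the "Delete suggestive HTTP error code messages" and "Disable userdir" entries matches the blank-line spacing of the surrounding entries, so no change needed there.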
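Review bot: In the @@ -431,7 +431,10 @@ hunk the new quoted line `> Additionally, a 'CODE' 'MESSAGE' error was encountered while trying to use an ErrorDocument to handle the request.` leaves `'CODE' 'MESSAGE'` unexplained, and the single quotes can be read as literal characters in Apache's output. Add a short lead-in such as "where CODE and MESSAGE are the status code and reason phrase of the second error, as in the 404 Not Found example above", or render the placeholders as `<CODE> <MESSAGE>` so they are clearly not verbatim. Replacing the old line `> Additionally, a error was encountered ...` (which dropped the code entirely) with the generic form is the right fix. In the unchanged trailing context, "Applying the patch may give little protection" reads as "almost none"; if the intent is "some", write "a little protection".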
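Review bot: In the @@ -466,26 +469,6 @@ hunk the duplicate "Delete additional HTTP error code messages" section is dropped, which is correct (it repeats the kept section near line 431 almost verbatim), but the removed block is the only place in this diff that shows the apply command, and that command is wrong: `patch -Np1 -i < ../patch_apache_disable_additional_errormsg.patch` hands `-i` no filename because the shell consumes `<` as an input redirection, so `patch` exits with a missing-argument error. If the kept section repeats this line, correct it there to `patch -Np1 -i ../patch_apache_disable_additional_errormsg.patch` (or `patch -Np1 < ../patch_apache_disable_additional_errormsg.patch`). The kept section should also keep the removed caveat that suppressing the "Additionally, a ... error was encountered" line hides recursive ErrorDocument failures and hampers debugging of HTTP error codes, and say where the patch file is expected to be fetched to, since `../` is relative to `~/source_codes/apache2/apache2-2.4.18`.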