Ubuntu/apache2

From r00tedvw.com wiki

Latest revision as of 23:03, 20 January 2016

Basic Info

apache2 is the most popular web hosting application on the market today


start|stop|restart apache2

sudo /etc/init.d/apache2 start|stop|restart

OR

sudo service apache2 start|stop|restart

apache2 enable site

a2ensite [site config file name]
i.e. a2ensite default-ssl

apache2 disable site

a2dissite [site config file name]
i.e. a2dissite default-ssl

apache2 enable module (use the module name without the mod_ prefix)

a2enmod [module]
i.e. a2enmod ssl

apache2 disable module

a2dismod [module]
i.e. a2dismod ssl

disable indexing

~$ sudo a2dismod autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  service apache2 restart

mod_rewrite

Very powerful, very confusing tool.
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
http://httpd.apache.org/docs/current/rewrite/remapping.html

enabling

Was not enabled by default on my Ubuntu 14.04 VM.

sudo a2enmod rewrite

redirect

Request: redirect all traffic from a domain, including any subpage, to the landing/index page of another domain.
Condition: mod_rewrite is enabled; virtual hosts are used.
Resolution:

<VirtualHost *:80>
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/index.html$
        RewriteRule .* http://newdomain.com/? [R=302,L]
        ServerName olddomain1.com
        ServerAlias olddomain2.com
        Redirect permanent / http://newdomain.com/
</VirtualHost>

<VirtualHost *:80>
        ServerName newdomain.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/newdomain.com
        TransferLog /var/log/apache2/newdomain.com-access_log
        ErrorLog /var/log/apache2/newdomaincom-error_log
</VirtualHost>
 


mod_authz_host

Great tool for restricting access to a virtual site, easy to read and understand. Add options to the <Directory> settings in the site conf file. Note that the Order/Deny/Allow form below is the Apache 2.2 syntax; on Apache 2.4 (which Ubuntu 14.04 ships) it is provided by mod_access_compat, and the native 2.4 equivalent is "Require ip 10.1.1.50".

i.e.
<Directory /var/www/mysite.com/>
          Order Deny,Allow
          Deny from all
          Allow from 10.1.1.50
</Directory>

listen on non-standard port

On Ubuntu 14.04, it is done by adding this:

~$ sudo vi /etc/apache2/ports.conf

Listen 80
Listen 8080


Troubleshooting

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

Ubuntu 14.04
~$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
~$ sudo a2enconf fqdn

SSL Error: Invalid method in request \x16\x03\x01

I only started having SSL issues after moving to CloudFlare as a proxy so that they would provide me with a free SSL cert. I found that this issue appeared to be due to the fact that my Virtual Host site conf was set up as such:

(snippet)
   <VirtualHost https://wiki.r00tedvw.com:443>
        Servername https://wiki.r00tedvw.com

I changed it to this:

   <VirtualHost *:443>
        Servername https://wiki.r00tedvw.com

Apparently, it is redundant and will cause issues if you list the hostname in the VirtualHost. In this instance, I only have (1) site live on the server, so this may not be the correct solution for a multi-tenant setup.


Hardening

Hardening is a must.

Disable options through virtual site conf

All of the following can be added to a virtual site conf file to harden it by disabling options that have been commonly used as attack vectors:

  • Directory browsing
  • Server side Includes
  • CGI execution
  • Symbolic links
i.e.
<Directory /var/www/mysite.com/>
                Options -Indexes -Includes -ExecCGI -FollowSymLinks
</Directory>
  • Or disable ALL options:
i.e.
<Directory /var/www/mysite.com/>
                Options None
</Directory>

Disable SSLv2/3

Add the following to your apache virtual site config. I added mine right below the other SSL Entries specifying the engine, cert file and key file.

#Disable SSLv3
SSLProtocol All -SSLv2 -SSLv3

Hide Apache Version Number

i.e.
<Directory /var/www/mysite.com/>
                ServerSignature Off
</Directory>

Prevent directive inheritance

Primarily used to prevent inheritance of directives defined in .htaccess, this can prevent unwanted directives from being loaded on the site.

i.e.
<Directory /var/www/mysite.com/>
                AllowOverride None
</Directory>

Limit Body request size

Good primarily for limiting upload request sizes, but you can also use it when there is no option to upload, to help mitigate some DoS attacks.
I'm really not sure how to calculate what size to use if you're not allowing uploads, so I tried setting it to the largest file served to clients, and everything on the site seems to load fine.

i.e.
<Directory /var/www/mysite.com/>
                LimitRequestBody 1021933
</Directory>
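As an added example (not part of this wiki page), the following Python checker reads a vhost config and reports whether the hardening directives from the sections above are present: the risky Options removed (or Options None), SSLv2/SSLv3 disabled, ServerSignature Off, AllowOverride None, and a LimitRequestBody set. The embedded vhost text is constructed for the example, modelled on the snippets above; directive names are matched as written there.

```python
from typing import Dict, List

# Constructed sample vhost for this example, modelled on the Hardening snippets above.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName mysite.com
    SSLProtocol All -SSLv2 -SSLv3
    <Directory /var/www/mysite.com/>
        Options -Indexes -Includes -ExecCGI -FollowSymLinks
        ServerSignature Off
        AllowOverride None
        LimitRequestBody 1021933
    </Directory>
</VirtualHost>
"""
# The four Options the section above singles out as common attack vectors.
RISKY_OPTIONS = ("Indexes", "Includes", "ExecCGI", "FollowSymLinks")

def parse_directives(text: str) -> Dict[str, List[str]]:
    """Collect 'Directive value' lines; skip blanks, comments and <block> tags."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return found

def options_hardened(values: List[str]) -> bool:
    """True only if every Options line is 'None' or removes all risky options."""
    if not values:
        return False  # no Options line: the server default applies, nothing hardened here
    for value in values:
        tokens = value.split()
        if tokens != ["None"] and not all(f"-{o}" in tokens for o in RISKY_OPTIONS):
            return False
    return True

def audit(text: str) -> Dict[str, bool]:
    """Report which of the hardening directives from the sections above are satisfied."""
    d = parse_directives(text)
    ssl = " ".join(d.get("SSLProtocol", [])).split()  # protocol tokens, e.g. All -SSLv2 -SSLv3
    return {
        "options": options_hardened(d.get("Options", [])),
        "sslv2_sslv3_disabled": "-SSLv2" in ssl and "-SSLv3" in ssl,
        "server_signature_off": any(v.lower() == "off" for v in d.get("ServerSignature", [])),
        "allow_override_none": any(v.lower() == "none" for v in d.get("AllowOverride", [])),
        "limit_request_body": any(v.isdigit() and int(v) > 0 for v in d.get("LimitRequestBody", [])),
    }
```

ServerSignature Off only removes the version footer from server-generated pages; the version string in the Server response header is governed by the server-level ServerTokens directive, which this checker does not cover.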