Tweaky Apache
This page is a summary of hints and tricks that I have used to configure my GNU/Linux-machines.
Some of these may be useful, some may not, some could screw up your machine!
Apache
First you need to create a .htaccess file in the directory that you want to protect.
As an example you could use this:
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /etc/httpd/conf/restricted_users
require valid-user
The first time you'd like to add a user you need to issue:
htpasswd -c <passwordfile> <username>
You can skip the -c once the password file has been created.
The SSI "exec" element is a major security hole: a server-parsed page can use it to run commands on the server.
Instead of enabling includes with "Options Includes", you should use:
Options IncludesNOEXEC
A possible vulnerability exists in Apache (v1.3.19 and v1.3.20) that could cause directory contents to
be disclosed when directory indexing is enabled, despite the presence of an 'index.html' file.
The problem is likely the result of an error in the "multiview" functionality provided as part of Apache's
content negotiation support. Exploitation of this problem may lead to the disclosure of sensitive
information to attackers. Hackers can exploit this with:
http://target-webserver/?M=A
http://target-webserver/?S=D
There's no current solution, but a workaround is to disable MultiViews in the configuration.
More information can be found at SecurityFocus.
By default Apache will not parse 'regular' html files (i.e. files with the extension *.html). This is not nice when
you would like to include a text file in every web page (for example a footer). You can change the default behaviour
by adding these lines to your config file (put them in the 'main' section: just search for
"AddType text/html .shtml" and put them just below it):
AddType text/html .html
AddHandler server-parsed .html
When you have registered your page with several search engines, you will notice in the access logs that they are visiting you.
It's possible to direct their behaviour, although not all spiders index your site or access pages the way
they should. To instruct a 'normal' spider how to behave, you need to place a robots.txt file in the root
of your web. An example of such a file is:
#
# robots.txt for http://www.dbsi.be
# For use by search.w3.org
# User-agent: W3Crobot/1
# Disallow: /Out-Of-Date
# AltaVista Search
# User-agent: AltaVista Intranet V2.0 W3C Webreq
# Disallow: /Out-Of-Date
# exclude some access-controlled areas
User-agent: *
# Disallow: /Systems
# Disallow: /Web
# Disallow: /History
# Disallow: /Out-Of-Date
When you specify * for the user agent, every spider will (should) obey the rules that follow.
When there's one spider you want to prevent from indexing your page, you can deny it access. Of course,
this could be handled with mod_rewrite, but because that syntax isn't quite so 'easy' there's another way.
Put this in your config file (with Order Allow,Deny a matching Deny line wins, so any request whose User-Agent sets bad_bot is refused):
SetEnvIfNoCase User-Agent "Wget" bad_bot
...
<Directory "/home/httpd/">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Directory>
You can check whether your painstakingly written html page complies with the HTML standards at
http://validator.w3.org
For security reasons it is good practice to hide the include files you use with PHP. Be careful though:
when you use these include files for SSI (server side includes) they will also be hidden, so make sure you use
another extension for those (for example .ssi). To prevent *.inc files from being served to the user's web browser,
add this section to the 'server-wide' section of the Apache configuration.
Kudos to Tiger_66_Y2K who alerted me to the fact that \.inc does not catch everything; you need to use \.inc$
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
Because there are a lot of viruses on the loose, my logs get filled with garbage. A useful set of directives can be found at
http://real.ath.cx/BSDinstall.html (near the
bottom) so that all virus-related requests are written to one logfile. One remark: when you're using virtual directories,
each with its own logfile, you must specify the CustomLog directives in every virtual directory.
# For Code Red
SetEnvIf Request_URI "^/default.ida" attacks
# For Nimda
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks
Put this in every virtual directory:
CustomLog /var/www/logs/access_log combined env=!attacks
CustomLog /var/www/logs/attack_log combined env=attacks
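As an added illustration (not part of the original page and not Apache code), the following Python snippet models how the SetEnvIf rules above split requests between access_log and attack_log: it parses constructed sample lines in the 'combined' format and applies the same regular expressions to the request path.

```python
import re

# Patterns copied from the SetEnvIf Request_URI lines above. SetEnvIf regexes are
# case-sensitive (SetEnvIfNoCase is the case-insensitive variant), which is why
# the config lists both /MSADC and /msadc.
ATTACK_PATTERNS = [
    r"^/default.ida",  # Code Red; the unescaped '.' also matches e.g. /defaultXida
    r"^/scripts",      # Nimda
    r"^/c/winnt",
    r"^/_mem_bin",
    r"^/_vti_bin",
    r"^/MSADC",
    r"^/msadc",
    r"^/d/winnt",
]
ATTACK_RE = [re.compile(p) for p in ATTACK_PATTERNS]

# Minimal parser for the 'combined' log format named in the CustomLog lines.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_attack(uri):
    """True if a request for this URI would get the 'attacks' env var set."""
    path = uri.split("?", 1)[0]  # Request_URI excludes the query string
    return any(rx.match(path) for rx in ATTACK_RE)


def route_log_lines(lines):
    """Split combined-format lines into (access_log, attack_log) the way the
    env=!attacks / env=attacks CustomLog pair would."""
    access, attack = [], []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m is None:
            continue  # unparsable line: ignored in this model
        (attack if is_attack(m.group("uri")) else access).append(line)
    return access, attack


# Constructed sample lines, not real traffic
SAMPLE = [
    '10.0.0.1 - - [10/Sep/2001:12:00:00 +0200] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [10/Sep/2001:12:00:01 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.3 - - [10/Sep/2001:12:00:02 +0200] "GET /scripts/x.exe HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.4 - - [10/Sep/2001:12:00:03 +0200] "GET /myscripts/a.cgi HTTP/1.0" 200 100 "-" "Mozilla/4.0"',
]
```

Note that the anchored "^" is what keeps /myscripts out of attack_log; without it, any path containing "/scripts" would be diverted.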
When you're using user limits you can receive this message upon running the configure script. Edit your
/etc/security/limits file and make sure the user you're 'configuring' as is allowed
at least 50 processes.