 

Tweaky Apache

This page is a summary of hints and tricks that I have used to configure my GNU/Linux machines. Some of these may be useful, some may not, and some could screw up your machine!

Apache

1. Adding users for restricted access

2. Security hole 'exec'

3. Apache Possible Directory Index Disclosure Vulnerability

4. Use include files with 'regular' html-files

5. Use a robots.txt file to control spiders

6. Check your page for valid HTML

7. Hide include files

8. Write virus-garbage to other logfile

9. fork: Resource temporarily unavailable





1. Adding users for restricted access

First you need to create a .htaccess file in the directory that you want to protect. As an example you could use this:
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /etc/httpd/conf/restricted_users
require valid-user
The first time you add a user you need to issue:
htpasswd -c <passwordfile> <username>
You can skip the -c once the password file is created (-c creates the file from scratch, so running it again would wipe the existing users).
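The password file above is only as good as the hashes in it. As an added check (not from the page), here is a Python script that reads an htpasswd file and classifies each entry by its hash format; the sample file and its hash bodies are constructed, and the scheme names and flag letters in the comments follow the htpasswd command-line options.

```python
import re

# Constructed sample password file (not from the page). The hash bodies are
# dummies: only their format matters, which is all the check looks at.
SAMPLE_HTPASSWD = """\
# users for the restricted area
alice:$apr1$saltsalt$Qm9ndXNIYXNoQm9keTAwMD
bob:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:abJnggxhB/yWI
eve:secret
"""

# Hash formats htpasswd can write, recognised by their stored representation.
_SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),   # -B
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),  # -m
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),             # -s, unsalted
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),                    # -d, 8-char limit
]
# Unsalted SHA1 and DES crypt are cheap to brute-force; plaintext (-p) is only
# honoured by httpd on Windows/Netware, so on Linux it just locks the user out.
WEAK = {"sha1", "crypt", "plain"}

def classify(stored):
    """Return the scheme name of one stored htpasswd value."""
    for name, pattern in _SCHEMES:
        if pattern.match(stored):
            return name
    return "plain"  # no known format: plaintext or something unrecognised

def audit(text):
    """Parse htpasswd text and return [(user, scheme, is_weak), ...]."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        scheme = classify(stored)
        findings.append((user, scheme, scheme in WEAK))
    return findings

def weak_users(text):
    """Users whose entries should be re-created with 'htpasswd -B'."""
    return [user for user, _, weak in audit(text) if weak]
```

Run audit() over your real file and re-create every flagged user with htpasswd -B (bcrypt); keep the file outside the document root, as the page's /etc/httpd/conf path already does.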

2. Security hole 'exec'

The SSI "exec" element is a major security hole. Instead of enabling server-side includes with exec allowed (Options Includes), you should use:
Options IncludesNoExec

3. Apache Possible Directory Index Disclosure Vulnerability

A possible vulnerability exists in Apache (v1.3.19 and v1.3.20) that could cause directory contents to be disclosed when directory indexing is enabled, despite the presence of an 'index.html' file.

The problem is likely the result of an error in the "multiview" functionality provided as part of Apache's content negotiation support. Exploitation of this problem may lead to the disclosure of sensitive information to attackers. Hackers can exploit this with:
http://target-webserver/?M=A
http://target-webserver/?S=D
There's no current solution, but a workaround could be to disable MultiViews in the configuration.

More information can be found at SecurityFocus.

4. Use include files with 'regular' html-files

By default Apache will not parse 'regular' HTML files (i.e. files with the extension .html). This is not convenient when you would like to include a text file in every web page (for example a footer). You can change the default behavior by adding these lines to your config file (put them in the 'main' section: search for AddType text/html .shtml and put them just below it):
AddType text/html .html
AddHandler server-parsed .html

5. Use a robots.txt file to control spiders

Once you have registered your page with several search engines, you will notice in the access logs that they are visiting you. It's possible to direct their behavior, although not all spiders index your site or access pages the way they should. To instruct a 'normal' spider how to behave, you need to place a robots.txt file in the root of your web. An example of such a file is:
 #
 # robots.txt for http://www.dbsi.be
 # For use by search.w3.org
 # User-agent: W3Crobot/1
 # Disallow: /Out-Of-Date

 # AltaVista Search
 # User-agent: AltaVista Intranet V2.0 W3C Webreq
 # Disallow: /Out-Of-Date

 # exclude some access-controlled areas
 User-agent: *
 # Disallow: /Systems
 # Disallow: /Web
 # Disallow: /History
 # Disallow: /Out-Of-Date
When you specify a * for the user-agent, every spider will (should) listen to it.

When there's one spider you want to prevent from indexing your page, you can deny it access. Of course, this could be handled with mod_rewrite, but because that syntax isn't quite that 'easy' there's another way. Put this in your config file:
SetEnvIfNoCase User-Agent "Wget" bad_bot
...

 <Directory "/home/httpd/">
   Order Allow,Deny
   Allow from all
   Deny from env=bad_bot
 </Directory>
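To check what a robots.txt like the one above actually permits, here is an added Python parser (not from the page) implementing the original robots.txt semantics: comment stripping, User-agent groups, prefix Disallow rules, and the rule that a robot obeys only the group naming it and falls back to the * group. The sample file is constructed from the page's example with the Disallow lines un-commented; note that in the page's file every Disallow is commented out, so as written it disallows nothing. robots.txt remains advisory; the Deny from env=bad_bot section is the enforcement.

```python
# Constructed robots.txt modelled on the page's example, Disallow lines un-commented.
SAMPLE_ROBOTS = """\
User-agent: W3Crobot/1
Disallow: /Out-Of-Date

# exclude some access-controlled areas
User-agent: *
Disallow: /Systems
Disallow: /Web
Disallow: /History
Disallow: /Out-Of-Date
"""

def parse_robots(text):
    """Return [(agent_tokens, disallowed_prefixes), ...] in file order."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                            # rules seen: a new group starts
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field == "disallow":
            rules.append(value)                  # empty value = allow everything
    if agents:
        groups.append((agents, rules))
    return groups

def select_rules(groups, user_agent):
    """A robot obeys only the group naming it; the '*' group is the fallback."""
    ua, fallback = user_agent.lower(), None
    for agents, rules in groups:
        for token in agents:
            if token == "*":
                if fallback is None:
                    fallback = rules
            elif token in ua:                    # case-insensitive token match
                return rules
    return fallback or []

def can_fetch(text, user_agent, path):
    """True if this robots.txt lets this user-agent fetch this path."""
    rules = select_rules(parse_robots(text), user_agent)
    return not any(rule and path.startswith(rule) for rule in rules)
```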

6. Check your page for valid HTML

You can check whether your painstakingly written HTML page complies with the HTML standards at http://validator.w3.org

7. Hide include files

For security reasons it can be good practice to hide the include files you use with PHP. Be careful though: when you use these include files for SSI (server side includes) they will also be hidden, so make sure you use another extension (for example .ssi) for those. To prevent *.inc files from showing up in the user's web browser, add this section to the server-wide configuration section of Apache.
Kudos to Tiger_66_Y2K, who alerted me to the fact that \.inc does not catch everything; you need to use \.inc$.
<Files ~ "\.inc$">
   Order allow,deny
   Deny from all
</Files>

8. Write virus-garbage to other logfile

Because there are a lot of viruses on the loose, my logs get filled with garbage. A useful directive can be found at http://real.ath.cx/BSDinstall.html (near the bottom) so that all virus-related requests are written to a separate logfile. One remark: when you're using virtual directories, each with its own logfile, you must specify the CustomLog directive in every virtual directory.
   # For Code Red
   SetEnvIf Request_URI "^/default.ida" attacks
   # For Nimda
   SetEnvIf Request_URI "^/scripts" attacks
   SetEnvIf Request_URI "^/c/winnt" attacks
   SetEnvIf Request_URI "^/_mem_bin" attacks
   SetEnvIf Request_URI "^/_vti_bin" attacks
   SetEnvIf Request_URI "^/MSADC" attacks
   SetEnvIf Request_URI "^/msadc" attacks
   SetEnvIf Request_URI "^/d/winnt" attacks
Put this in every virtual directory:
   CustomLog /var/www/logs/access_log combined env=!attacks
   CustomLog /var/www/logs/attack_log combined env=attacks
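To see what the rules above actually route, here is an added Python check (not from the page or the site it links to) that applies the same eight Request_URI regexes to constructed combined-format log lines and splits them the way the two CustomLog lines would. It also shows that a bare prefix like ^/scripts matches any path starting with /scripts, including a legitimate /scriptsoftheday.html, so a pattern such as ^/scripts/ may be preferable.

```python
import re

# The page's SetEnvIf Request_URI patterns; Apache applies them as regex searches.
ATTACK_PATTERNS = [re.compile(p) for p in (
    r"^/default.ida", r"^/scripts", r"^/c/winnt", r"^/_mem_bin",
    r"^/_vti_bin", r"^/MSADC", r"^/msadc", r"^/d/winnt",
)]

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2002:14:03:22 +0200] "GET /index.html HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Sep/2002:14:03:25 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [10/Sep/2002:14:03:26 +0200] "GET /scripts/probe.exe HTTP/1.0" 404 281 "-" "-"
192.0.2.44 - - [10/Sep/2002:14:04:01 +0200] "GET /_vti_bin/probe.dll HTTP/1.0" 404 283 "-" "-"
192.0.2.10 - - [10/Sep/2002:14:04:09 +0200] "GET /scriptsoftheday.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Sep/2002:14:05:00 +0200] "HEAD /MSADC/probe HTTP/1.0" 404 0 "-" "-"
"""

def request_path(line):
    """Request path with the query string removed, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    return parts[1].split("?", 1)[0] if len(parts) >= 2 else None

def is_attack(path):
    """Mirror 'SetEnvIf Request_URI <regex> attacks': any match sets the env var."""
    return any(p.search(path) for p in ATTACK_PATTERNS)

def route(text):
    """Split lines the way 'env=!attacks' and 'env=attacks' CustomLogs would."""
    access_log, attack_log = [], []
    for line in text.splitlines():
        path = request_path(line)
        if path is None:
            continue                 # skip lines that are not in combined format
        (attack_log if is_attack(path) else access_log).append(line)
    return access_log, attack_log
```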

9. fork: Resource temporarily unavailable

When you're using user limits you can receive this message while running the configure script. Edit your /etc/security/limits file and make sure the user you're 'configuring' with is allowed at least 50 processes.
Copyleft 2002-2007 - cudeso.be - webmaster@cudeso.be