Apache HTTP Server
HOWTO: Secure Apache SSL
https://techbrij.com/free-ssl-lets-encrypt-apache-ubuntu
sudo nano /etc/apache2/mods-available/ssl.conf

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

sudo service apache2 restart
https://www.ssllabs.com/ssltest
https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm#apache_forward_secrecy
HOWTO: Fix Error In Apache 2.4.3+ "Client Denied By Server Configuration"
Make sure you have this new Apache 2.4.3+ directive in your Virtual Host config:
Require all granted
Thanks - http://stackoverflow.com/questions/10351167/apache-client-denied-by-server-configuration
HOWTO: Upgrade To Apache 2.4 On Ubuntu 12.04 LTS
sudo aptitude remove ~iapache
sudo apt-add-repository ppa:ondrej/apache2
sudo aptitude update
sudo aptitude install apache2
sudo aptitude install libapache2-mod-php5
HOWTO: Test POST Requests
curl -X POST http://www.website.co.uk/PAULLY.php
HOWTO: Stop POST Requests
<VirtualHost *:80>
    ...
    <Directory /var/www/site/unsafe>
        AllowOverride All
    </Directory>
</VirtualHost>
sudo a2enmod rewrite
Add the following to a file called .htaccess in the web site root directory. This example shows a Contact Us PHP page which IS allowed to POST...
# deny all POST requests
<IfModule mod_rewrite.c>
    # RewriteEngine is not inherited into .htaccess, so switch it on here
    RewriteEngine On
    # the contact form is allowed to POST, so skip it before the deny rule;
    # without this exclusion the [F] rule fires in the fixup phase and blocks
    # it regardless of the <Files> allow below
    RewriteCond %{REQUEST_URI} !/contact_submit\.php$
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule .* - [F,L]
</IfModule>
# Apache 2.2 access-control syntax (needs mod_access_compat on 2.4)
<LimitExcept GET HEAD>
    Order Allow,Deny
    Deny from all
</LimitExcept>
# allow the contact us page
<Files contact_submit.php>
    Order Allow,Deny
    Allow from all
</Files>
Restart Apache...
sudo service apache2 restart
HOWTO: Fix Error: The timeout specified has expired: SSL input filter read failed
If you see the following lines in your Apache logs...
The timeout specified has expired: SSL input filter read failed.
...then you need to do 2 things to fix it.
1. Change all your VirtualHost directives to a specific IP address instead of *:443...
<VirtualHost 192.168.1.252:443>
2. Add the following line to the end of your VirtualHost SSL port 443 directives blocks...
    # SetEnv takes one variable (and an optional value) per directive,
    # so each environment variable needs its own line
    SetEnv nokeepalive 1
    SetEnv ssl-unclean-shutdown 1
</VirtualHost>
Thanks - http://serverfault.com/questions/539961/apache-request-header-read-timeout-reverse-proxy
HOWTO: Convert Apache SSL Certificate to Windows IIS
Conversion
Installation
https://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
HOWTO: Fix POODLEbleed Bug
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Thanks - http://poodlebleed.com
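As an added example (not part of these notes and not a tool from poodlebleed.com), the following Python linter applies the checks behind the SSL settings used in this section and in "HOWTO: Secure Apache SSL" above: it evaluates SSLProtocol the way mod_ssl does (all, +X, -X tokens) and flags SSLv2/SSLv3/TLSv1.x, TLS compression, missing SSLHonorCipherOrder and a cipher string that does not exclude aNULL or MD5. The function names, the KNOWN_PROTOCOLS list (which depends on the Apache/OpenSSL build) and the sample configs are my assumptions.

```python
import re

# Protocol names mod_ssl understands; the exact set depends on the Apache and
# OpenSSL versions, so this list is an assumption of the linter.
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_directives(config_text):
    """Return {directive_lowercase: argument string} for an Apache config
    fragment, ignoring comments, blank lines and section tags. The last
    occurrence wins, as it does within a single Apache context."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def enabled_protocols(sslprotocol_value):
    """Apply mod_ssl's SSLProtocol token rules: 'all' enables every known
    protocol, '-X' removes X, '+X' or a bare 'X' adds X (case-insensitive)."""
    canonical = {p.lower(): p for p in KNOWN_PROTOCOLS}
    enabled = set()
    for token in sslprotocol_value.split():
        if token.startswith("-"):
            op, name = "-", token[1:]
        else:
            op, name = "+", token.lstrip("+")
        if name.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {canonical.get(name.lower(), name)}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def lint_ssl_config(config_text):
    """Return a list of findings (empty list means the fragment passes)."""
    d = parse_directives(config_text)
    findings = []
    protos = enabled_protocols(d.get("sslprotocol", "all"))
    for weak in ("SSLv2", "SSLv3"):
        if weak in protos:
            findings.append(f"{weak} enabled: downgrade attacks such as POODLE apply")
    for legacy in ("TLSv1", "TLSv1.1"):
        if legacy in protos:
            findings.append(f"{legacy} enabled: legacy protocol, disable unless clients need it")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression not explicitly off: TLS compression enables CRIME")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder not on: the client, not the server, chooses the cipher")
    ciphers = d.get("sslciphersuite", "")
    for excluded in ("aNULL", "MD5"):
        if f"!{excluded}" not in ciphers:
            findings.append(f"SSLCipherSuite does not exclude {excluded}: add !{excluded}")
    return findings


# Constructed sample: the settings from this section plus the cipher string
# from "HOWTO: Secure Apache SSL"
SAMPLE_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1
"""

if __name__ == "__main__":
    for finding in lint_ssl_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)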
HOWTO: Remove Unwanted Modules
List
sudo apache2ctl -M
Remove
sudo a2dismod <module_name>
Test
sudo apache2ctl configtest
Restart
sudo service apache2 restart
HOWTO: Generate SSL Certificate
Log in to your web server via SSH, create an 'ssl' directory, and then run the following.
e.g.
su - root
cd
mkdir ssl
cd ssl
openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=GB/ST=Kent/L=Folkestone/O=The Company Name/OU=IT/CN=mydomain.co.uk"
Now copy the text of the mydomain.csr file, log in to your SSLs.com account, and follow the prompts.
http://www.rosehosting.com/blog/set-up-ssl-encrypted-connection-in-postfix-dovecot-and-apache/ (Apache + Dovecot)
HOWTO: Install SSL Certificate
SSLEngine on
SSLCertificateFile /etc/letsencrypt/ssl/server.crt
SSLCertificateKeyFile /etc/letsencrypt/ssl/server.key
Note: If you are missing chain.pem, you can get it from the second certificate in the .crt file OR from the link below:
https://letsencrypt.org/certificates/
For newer Apache versions (which accept the intermediate certificates appended to the SSLCertificateFile), SSLCertificateChainFile is no longer needed.
SSLCertificateChainFile /etc/letsencrypt/ssl/chain.pem
server.crt = domain certificate + issuer certificate
chain.pem  = issuer certificate = intermediate certificate = chain certificate
server.key = domain key file
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/66/
Comodo Positive SSL CA Bundle
New-PositiveSSL-bundle-12.ca-bundle
https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=120
HOWTO: Benchmark
ab -n 100 -c 10 http://your.domain.com/
HOWTO: Add The Missing HTPasswd Application
The application htpasswd is not installed by default. To add it, run this command...
sudo aptitude install apache2-utils
HOWTO: Stop Unwanted Unnecessary And Exploitable Cpanel Scripts
cd /usr/local/cpanel/cgi-sys/
chmod 0000 Formmail* formail* guestbook* Count*
http://douglas.wordpress.com/2008/04/06/disabling-unnecessary-and-exploitable-scripts/
http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/CGICenter
HOWTO: Block w00tw00t Vulnerability Scanner
/sbin/iptables -I INPUT -d MY.IP.ADDRESS -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.' -j DROP
http://spamcleaner.org/en/misc/w00tw00t.html
HOWTO: Secure Tighten
- examine
- general
- mod_evasive
- mod_security
- testing
examine
NEW - Use Kali Linux USB Distro - NEW
Download the Nikto software from here...
Unpack, and then update...
perl nikto.pl -update
Run your first test...
perl nikto.pl -h server.name
During a scan, you can press these keys...
SPACE - Report current scan status
v - Turn verbose mode on/off
d - Turn debug mode on/off
e - Turn error reporting on/off
p - Turn progress reporting on/off
r - Turn redirect display on/off
c - Turn cookie display on/off
o - Turn OK display on/off
a - Turn auth display on/off
q - Quit
N - Next host
P - Pause
How to fix common issues...
+ Server leaks inodes via ETags, header found with file /, inode: 1049636, size: 536, mtime: 0x4e6d13349dea4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-562: /server-info: This gives a lot of Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.
And...
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 21637505, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2013-10-20 23:44:09 (GMT0) (24 seconds)
Edit the Apache Server security file...
sudo nano /etc/apache2/conf.d/security
or
sudo nano /etc/httpd/conf/httpd.conf
or
sudo nano /etc/apache2/conf-enabled/security.conf
Add these lines at the bottom...
#
# Paully's Security Tweaks
#
Header unset ETag
FileETag None
Header always append X-Frame-Options SAMEORIGIN
ServerSignature Off
ServerTokens Prod
TraceEnable Off
Enable mod_headers...
sudo a2enmod headers
Reload Apache...
sudo service apache2 reload
or
service httpd restart
Retest with Nikto...
nikto -host 192.168.0.2
http://www.reecefowell.com/2012/09/27/nikto-server-auditing-and-resolving-issues/
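As an added example (my code, not part of these notes or of Nikto), the Python below audits a raw HTTP response for the findings Nikto reported above and maps each one to the tweak that fixes it: an ETag header, a missing X-Frame-Options header, a Server header with more than the product name, TRACE in the Allow list, and a ServerSignature footer in the body. The two sample responses are constructed (one "before" and one "after" the tweaks); the function names are mine.

```python
from typing import Dict, List, Tuple

# Constructed sample responses, not captured from a real server: one before
# and one after applying the security tweaks listed in this section.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 20 Oct 2013 23:44:09 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    'ETag: "1234-218-4e6d13349dea4"\r\n'
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello"
    "<address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 80</address>"
    "</body></html>"
)

RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 20 Oct 2013 23:44:09 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str) -> List[str]:
    """Return the Nikto-style findings that the tweaks above are meant to fix,
    each with the directive that addresses it."""
    _, h, body = parse_response(raw)
    findings: List[str] = []
    if "etag" in h:
        findings.append("ETag present, may leak inode numbers (Header unset ETag / FileETag None)")
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options missing, clickjacking not mitigated "
                        "(Header always append X-Frame-Options SAMEORIGIN)")
    server = h.get("server", "")
    if server and server.lower() != "apache":
        findings.append(f"Server header reveals version/OS: {server} (ServerTokens Prod)")
    methods = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if "TRACE" in methods:
        findings.append("TRACE method enabled (TraceEnable Off)")
    lowered = body.lower()
    if "<address>" in lowered and "server at" in lowered:
        findings.append("Server signature footer in page body (ServerSignature Off)")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, audit_response(raw) or ["no findings"])
```

To run it against a live server, capture the response head with curl -i and feed the text to audit_response; the Allow header is only sent in reply to an OPTIONS request, so use curl -i -X OPTIONS for the TRACE check.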
general
http://httpd.apache.org/docs/trunk/misc/security_tips.html
mod_evasive
http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/
mod_security
http://www.root25.com/2012/11/how-to-install-modsecurity-on-apache-ubuntu12-stepbystep-tutorial.html
https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/
testing
In order to prove the setup is working, a test file called test.php with the following content can be used:
<?php
// Deliberately unsafe test page: it includes whatever file the request names,
// which gives ModSecurity something to block
$secret_file = $_GET['secret_file'];
include($secret_file);
?>
It is supposed to be placed in the root of your web server, so that it can be reached at http://yourserver.tld/test.php. To run the actual test, the following address will do:
http://yourserver.tld/test.php?secret_file=/etc/passwd
If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a “403 Forbidden” error message.
Another test...
http://yourserver.tld/?abc=../../
And another...
http://yourserver.tld/?id='23' or '1'='1
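The probes used in these ModSecurity tests, and the w00tw00t scanner request from "HOWTO: Block w00tw00t Vulnerability Scanner" above, all leave a recognisable line in the Apache access log. As an added example (my code, not part of these notes or of ModSecurity), the Python below parses combined-format log lines, URL-decodes the request target, matches it against those four probe patterns and records whether the request got the 403 that a working ModSecurity returns. The log lines are constructed, and the regexes and function names are my own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "combined" log format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures taken from the tests on this page; the regexes are mine.
PROBE_RULES = [
    ("w00tw00t scanner", re.compile(r"^/w00tw00t\.", re.IGNORECASE)),
    ("directory traversal", re.compile(r"\.\.[/\\]")),
    ("LFI attempt on /etc/passwd", re.compile(r"/etc/passwd", re.IGNORECASE)),
    ("SQL tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE)),
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it
    does not parse (truncated or foreign lines are skipped, not guessed)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_target(target: str) -> List[str]:
    """Match the percent-decoded request target against every probe rule.
    Single-level decoding only; double-encoded probes would need a loop."""
    decoded = unquote(target)
    return [name for name, rx in PROBE_RULES if rx.search(decoded)]


def scan_log(lines) -> List[Dict[str, object]]:
    """Return one hit per log line that matches at least one probe rule.
    'blocked' is True when the server answered 403, ModSecurity's default."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        rules = classify_target(entry["target"])
        if rules:
            hits.append({
                "ip": entry["ip"],
                "target": unquote(entry["target"]),
                "rules": rules,
                "blocked": entry["status"] == "403",
            })
    return hits


# Constructed log lines mirroring the tests above (not from a real server)
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2013:23:44:09 +0000] "GET /test.php?secret_file=/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.35.0"',
    '203.0.113.5 - - [20/Oct/2013:23:44:10 +0000] "GET /?abc=../../ HTTP/1.1" 200 512 "-" "curl/7.35.0"',
    '203.0.113.5 - - [20/Oct/2013:23:44:11 +0000] "GET /?id=%2723%27%20or%20%271%27%3D%271 HTTP/1.1" 403 199 "-" "curl/7.35.0"',
    '198.51.100.9 - - [20/Oct/2013:23:45:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 287 "-" "ZmEu"',
    '192.0.2.77 - - [20/Oct/2013:23:46:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        state = "blocked" if hit["blocked"] else "NOT blocked"
        print(f'{hit["ip"]} {hit["target"]} -> {", ".join(hit["rules"])} ({state})')
```

A traversal or LFI probe that shows up with a 200 rather than a 403 is the line to act on: it means the request reached the application, which is exactly what the test.php check above is meant to reveal.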
HOWTO: Check The Server CN (CommonName) Of Your SSL Certificate
openssl x509 -in server.crt -noout -subject
HOWTO: Redirect Whole Web Site To Secure
Method 1
Using mod_rewrite
Edit your .htaccess file and add the following block of code...
# mod_rewrite is off by default and not inherited into .htaccess
RewriteEngine On
# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
Method 2
Using virtual hosts (using redirect)
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName secure.example.com
    DocumentRoot /usr/local/apache2/htdocs
    SSLEngine On
    # etc...
</VirtualHost>
https://wiki.apache.org/httpd/RedirectSSL
keywords: apache, rewrite, redirect http, https
HOWTO: Hide Files In A Directory Listing
Add the following line to your .htaccess file...
IndexIgnore filename.ext *.ico
Thanks to http://www.ducea.com/2006/06/08/apache-tips-tricks/
WebDAV
/etc/apache2/modules.d/45_mod_dav.conf
<IfDefine DAV>
<IfModule mod_dav.c>
    LimitXMLRequestBody 131072
    Alias /dav "/var/www/dav"
    <Directory /var/www/dav>
        Dav On
        Options +Indexes
        IndexOptions FancyIndexing
        AddDefaultCharset UTF-8
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "WebDAV"
        AuthUserFile /etc/apache2/dav.passwd
        Require valid-user
    </Directory>
</IfModule>

DavLockDB "/var/lib/dav/lockdb"

# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
<IfModule setenvif_module>
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "MS FrontPage" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
    BrowserMatch "^gnome-vfs/1.0" redirect-carefully
    BrowserMatch "^XML Spy" redirect-carefully
    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>
</IfDefine>
Create the password file and restart Apache...
htpasswd -c /etc/apache2/dav.passwd test
/etc/init.d/apache2 restart
To test, install the cadaver client...
emerge net-misc/cadaver
Then...
server.domain.com ~ $ cadaver http://10.0.0.1/dav
Authentication required for WebDAV on server `10.0.0.1':
Username: test
Password:
dav:/dav/> ls
Listing collection `/dav/': succeeded.
        fish.txt                               5  Jan 24 15:22
dav:/dav/> cat fish.txt
Displaying `/dav/fish.txt':
fish
dav:/dav/> quit
Connection to `10.0.0.1' closed.