Apache HTTP Server

From Indie IT Wiki

HOWTO: Secure Apache SSL

https://techbrij.com/free-ssl-lets-encrypt-apache-ubuntu

sudo nano /etc/apache2/mods-available/ssl.conf

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1

sudo service apache2 restart

https://www.ssllabs.com/ssltest

https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm#apache_forward_secrecy

HOWTO: Fix Error In Apache 2.4.3+ "Client Denied By Server Configuration"

Make sure this Apache 2.4.3+ directive is present in your Virtual Host config (it replaces the 2.2 "Order/Allow" access control)...

Require all granted

Thanks - http://stackoverflow.com/questions/10351167/apache-client-denied-by-server-configuration

HOWTO: Upgrade To Apache 2.4 On Ubuntu 12.04 LTS

sudo aptitude remove ~iapache
sudo apt-add-repository ppa:ondrej/apache2
sudo aptitude update
sudo aptitude install apache2
sudo aptitude install libapache2-mod-php5

HOWTO: Test POST Requests

curl -X POST http://www.website.co.uk/PAULLY.php

HOWTO: Stop POST Requests

In your VirtualHost, allow .htaccess overrides for the directory concerned, then enable mod_rewrite...

<VirtualHost *:80>
 ...
 <Directory /var/www/site/unsafe>
   AllowOverride All
 </Directory>
</VirtualHost>

sudo a2enmod rewrite

Add the following to a file called .htaccess in the web site root directory. This example shows a Contact Us PHP page which IS allowed to POST...

# deny all POST requests, except to the contact form handler below
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} POST
  RewriteCond %{REQUEST_URI} !/contact_submit\.php$
  RewriteRule .* - [F,L]
</IfModule>
# Apache 2.2 access control (needs mod_access_compat on 2.4)
<LimitExcept GET HEAD>
  Order Allow,Deny
  Deny from all
</LimitExcept>
# allow the contact us page
<Files contact_submit.php>
  Order Allow,Deny
  Allow from all
</Files>

Restart Apache...

sudo service apache2 restart

HOWTO: Fix Error: The timeout specified has expired: SSL input filter read failed

If you see the following lines in your Apache logs...

The timeout specified has expired: SSL input filter read failed.

...then you need to do two things to fix it.

1. Change all your VirtualHost directives to a specific IP address instead of *:443...

<VirtualHost 192.168.1.252:443>

2. Add the following lines to the end of your VirtualHost SSL port 443 directive blocks (SetEnv sets one variable per directive, so the two variables need two lines)...

  SetEnv nokeepalive 1
  SetEnv ssl-unclean-shutdown 1
</VirtualHost>

Thanks - http://serverfault.com/questions/539961/apache-request-header-read-timeout-reverse-proxy

HOWTO: Convert Apache SSL Certificate to Windows IIS

Conversion

https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-an-apache-server-to-a-windows-server.html

Installation

https://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm

HOWTO: Fix POODLEbleed Bug

SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks - http://poodlebleed.com
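
The following Python script is an added example, not code from this wiki page or from the Apache project: it lints the SSLProtocol, SSLCompression, SSLHonorCipherOrder and SSLCipherSuite settings used in the "Secure Apache SSL" and "Fix POODLEbleed Bug" sections above. It assumes mod_ssl 2.4 token rules for SSLProtocol ("all", "+name", "-name"), with "all" expanding to SSLv3 through TLSv1.3 as it does on a modern OpenSSL build, and it treats TLSv1.1 and older as weak (RFC 8996 deprecates TLS 1.0 and 1.1). The three configurations at the bottom are the two from this page plus a tighter TLS 1.2+ variant that is my assumption, not the page's advice.

```python
"""Lint Apache mod_ssl settings for protocol, compression and cipher issues.
Added example; run as: python3 ssl_lint.py, or call lint_ssl_config(text)."""

# Protocol names mod_ssl 2.4 accepts. 'all' expands to ALL_PROTOCOLS; SSLv2 is
# listed in KNOWN only so that the page's '-SSLv2' token parses.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
KNOWN = {p.lower(): p for p in ALL_PROTOCOLS + ["SSLv2"]}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that should only ever appear negated ('!').
WEAK_KEYWORDS = {"ALL", "COMPLEMENTOFALL", "LOW"}          # whole token parts
WEAK_SUBSTRINGS = ("RC4", "DES", "MD5", "NULL", "EXP")      # also catches DES-CBC3-SHA etc.


def enabled_protocols(value):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        elif name.lower() in KNOWN:
            names = [KNOWN[name.lower()]]
        else:
            raise ValueError("unknown SSLProtocol name: %s" % name)
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled


def weak_cipher_tokens(cipher_string):
    """Return cipher-list tokens that enable (rather than exclude) weak sets."""
    bad = []
    for tok in cipher_string.split(":"):
        if tok[:1] in ("!", "-", "+"):   # '!'/'-' exclude, '+' only reorders
            continue
        if any(p in WEAK_KEYWORDS for p in tok.split("+")) or \
                any(s in tok.upper() for s in WEAK_SUBSTRINGS):
            bad.append(tok)
    return bad


def parse_directives(text):
    """Collect 'Name value' lines keyed by lower-cased name (order preserved)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0].lower(), []).append(
            parts[1].strip() if len(parts) > 1 else "")
    return directives


def lint_ssl_config(text):
    """Return a list of findings; an empty list means nothing to fix."""
    d = parse_directives(text)
    findings = []
    if "sslprotocol" not in d:
        findings.append("SSLProtocol not set: mod_ssl's default allows every protocol")
    else:
        weak = enabled_protocols(d["sslprotocol"][-1]) & WEAK_PROTOCOLS
        if weak:
            findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    if d.get("sslcompression", ["off"])[-1].lower() == "on":
        findings.append("SSLCompression on: exposes TLS to the CRIME attack")
    if d.get("sslhonorcipherorder", ["off"])[-1].lower() != "on":
        findings.append("SSLHonorCipherOrder not On: the client's cipher preference wins")
    if "sslciphersuite" in d:
        bad = weak_cipher_tokens(d["sslciphersuite"][-1])
        if bad:
            findings.append("SSLCipherSuite enables weak sets: " + ", ".join(bad))
    return findings


# The two configurations from this page, transcribed for the checks below.
PAGE_SSL_CONF = """
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!SSLv2:!TLSv1
"""
POODLE_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
"""
# Assumed tighter variant: TLS 1.2 and 1.3 only (check your clients can cope).
HARDENED_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
"""

if __name__ == "__main__":
    for label, conf in (("page", PAGE_SSL_CONF), ("poodle", POODLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_ssl_config(conf) or "OK")
```

The linter reads the last occurrence of each directive, which matches how a single ssl.conf is interpreted, but it does not model per-VirtualHost overrides; run it on each block you care about. Keep using the SSL Labs test linked above for the view from the network side.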

HOWTO: Remove Unwanted Modules

List

sudo apache2ctl -M

Remove

sudo a2dismod

Test

sudo apache2ctl configtest

Restart

sudo service apache2 restart

HOWTO: Generate SSL Certificate

Log in to your web server via SSH, create an 'ssl' directory, and then run the following.

e.g.

su - root
cd
mkdir ssl
cd ssl
openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=GB/ST=Kent/L=Folkestone/O=The Company Name/OU=IT/CN=mydomain.co.uk"

Now copy the text of the mydomain.csr file, log in to your SSLs.com account, and follow the prompts.

https://www.ssls.com

http://www.rosehosting.com/blog/set-up-ssl-encrypted-connection-in-postfix-dovecot-and-apache/ (Apache + Dovecot)

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1/19/csr-generation-using-openssl-apache-wmod_ssl-nginx-os-x

HOWTO: Install SSL Certificate

SSLEngine on
SSLCertificateFile /etc/letsencrypt/ssl/server.crt
SSLCertificateKeyFile /etc/letsencrypt/ssl/server.key

Note: If you are missing chain.pem, you can get it from the second certificate in the .crt file or from the link below:

https://letsencrypt.org/certificates/

For newer Apache versions, SSLCertificateChainFile is no longer needed, because SSLCertificateFile also loads the issuer certificates that follow the domain certificate in server.crt.

SSLCertificateChainFile /etc/letsencrypt/ssl/chain.pem

server.crt = domain certificate + Issuer certificate
chain.pem  = Issuer certificate = Intermediate certificate = chain certificate
server.key = domain key file
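
As an added example (not code from this page or from any CA), the Python below splits a concatenated PEM bundle, such as a CA download or the output of openssl pkcs12, into the server.crt and chain.pem contents described above. It assumes the bundle lists the domain certificate first followed by the issuer chain, and the certificate bodies in SAMPLE_BUNDLE are constructed placeholders (tiny DER SEQUENCEs), not real certificates.

```python
"""Split a PEM bundle into the files mod_ssl expects (added example)."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each CERTIFICATE block as canonical PEM, in bundle order.
    Text outside the BEGIN/END markers (Bag Attributes etc.) is dropped;
    a body that is not base64-encoded DER raises ValueError."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        if not der or der[0] != 0x30:                # an X.509 cert is a DER SEQUENCE
            raise ValueError("PEM body is not a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return blocks


def apache_files(bundle_text, combined=True):
    """Return (server_crt, chain_pem) contents.
    combined=True : server.crt = domain cert + issuer chain, for Apache 2.4.8+
                    where SSLCertificateFile loads the intermediates too.
    combined=False: server.crt = domain cert only; chain.pem is for
                    SSLCertificateChainFile on older versions.
    Assumes the bundle's first block is the domain (leaf) certificate."""
    blocks = split_pem_bundle(bundle_text)
    leaf, chain = blocks[0], blocks[1:]
    return ("".join([leaf] + chain) if combined else leaf), "".join(chain)


# Constructed sample: 'Bag Attributes' noise plus two placeholder certificates.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: mydomain.co.uk
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Example Issuing CA
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    server_crt, chain_pem = apache_files(SAMPLE_BUNDLE)
    print(server_crt)   # write to server.crt for SSLCertificateFile
    print(chain_pem)    # write to chain.pem for SSLCertificateChainFile
```

After writing the files, the openssl command in the "Check The Server CN" section below will confirm the first block in server.crt is really your domain certificate and not an intermediate.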

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/66/

Comodo Positive SSL CA Bundle

New-PositiveSSL-bundle-12.ca-bundle

https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=120

HOWTO: Benchmark

ab -n 100 -c 10 http://your.domain.com/

HOWTO: Add The Missing HTPasswd Application

The application htpasswd is not installed by default. To add it, run this command...

sudo aptitude install apache2-utils

HOWTO: Stop Unwanted Unnecessary And Exploitable Cpanel Scripts

cd /usr/local/cpanel/cgi-sys/
chmod 0000 Formmail* formail* guestbook* Count*

http://douglas.wordpress.com/2008/04/06/disabling-unnecessary-and-exploitable-scripts/

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/CGICenter

HOWTO: Block w00tw00t Vulnerability Scanner

/sbin/iptables -I INPUT -d MY.IP.ADDRESS -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.' -j DROP

http://spamcleaner.org/en/misc/w00tw00t.html

HOWTO: Secure And Tighten

  1. examine
  2. general
  3. mod_evasive
  4. mod_security
  5. testing

examine

NEW - Use Kali Linux USB Distro - NEW

Download the Nikto software from here...

http://cirt.net/nikto2

Unpack, and then update...

perl nikto.pl -update

Run your first test...

perl nikto.pl -h server.name

During a scan, you can press these keys...

SPACE - Report current scan status
v - Turn verbose mode on/off
d - Turn debug mode on/off
e - Turn error reporting on/off
p - Turn progress reporting on/off
r - Turn redirect display on/off
c - Turn cookie display on/off
o - Turn OK display on/off
a - Turn auth display on/off
q - Quit
N - Next host
P - Pause

How to fix common issues...

+ Server leaks inodes via ETags, header found with file /, inode: 1049636, size: 536, mtime: 0x4e6d13349dea4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-562: /server-info: This gives a lot of Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.

And...

+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 21637505, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2013-10-20 23:44:09 (GMT0) (24 seconds)

Edit the Apache Server security file...

sudo nano /etc/apache2/conf.d/security

or

sudo nano /etc/httpd/conf/httpd.conf

or

sudo nano /etc/apache2/conf-enabled/security.conf

Add these lines at the bottom...

#
# Paully's Security Tweaks
#
Header unset ETag
FileETag None
Header always append X-Frame-Options SAMEORIGIN
ServerSignature Off
ServerTokens Prod
TraceEnable Off

Enable mod_headers...

sudo a2enmod headers

Reload Apache (or restart the httpd service on distributions that use that name)...

sudo service apache2 reload
service httpd restart

Retest with Nikto...

nikto -host 192.168.0.2

http://www.reecefowell.com/2012/09/27/nikto-server-auditing-and-resolving-issues/

general

http://httpd.apache.org/docs/trunk/misc/security_tips.html

mod_evasive

http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/

mod_security

http://www.root25.com/2012/11/how-to-install-modsecurity-on-apache-ubuntu12-stepbystep-tutorial.html

https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/

testing

In order to prove the setup is working, a test file called test.php with the following content can be used:

<?php
// Deliberately unsafe file inclusion, used only to check that ModSecurity blocks the request
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

It’s supposed to be placed in the root of your web server, so that it can be accessed by http://yourserver.tld/test.php. To run the actual test, the following address will do:

http://yourserver.tld/test.php?secret_file=/etc/passwd

If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a “403 Forbidden” error message.

Further test requests that a working ModSecurity rule set should also answer with 403 Forbidden; first a directory traversal...

http://yourserver.tld/?abc=../../

...and then a SQL injection pattern...

http://yourserver.tld/?id='23' or '1'='1
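
The Python script below is an added example, not code from this page, Nikto or ModSecurity. It checks, in one pass, the things this page hardens: the response-header tweaks and TraceEnable Off behind the Nikto findings above, the .htaccess POST policy from "HOWTO: Stop POST Requests" (POST denied everywhere except contact_submit.php), and the 403s expected from the three ModSecurity test URLs. check_server() is the reusable part and takes the base URL of your own host. _StubHandler is a constructed stand-in that answers the way a correctly hardened Apache would, so the script also runs offline; everything it "detects" is my simplification of the page's three probes, not ModSecurity's rules.

```python
"""Post-hardening HTTP checks for the settings described on this page (added example)."""
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler
from urllib.parse import quote, unquote, urlsplit

# The ModSecurity test requests from this page; a working install answers 403.
WAF_PROBES = [
    "/test.php?secret_file=/etc/passwd",
    "/?abc=../../",
    "/?id='23' or '1'='1",
]
CONTACT_FORM = "/contact_submit.php"   # the one path the .htaccess lets POST through


def _fetch(conn, method, path):
    """Send one request (spaces percent-encoded) and return the drained response."""
    conn.request(method, quote(path, safe="/?=&'"))
    resp = conn.getresponse()
    resp.read()
    return resp


def check_server(base_url):
    """Return {check name: passed?} for each hardening step on this page."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    r = _fetch(conn, "GET", "/")
    results = {
        "ServerTokens Prod": r.getheader("Server", "").strip() == "Apache",
        "FileETag None": r.getheader("ETag") is None,
        "X-Frame-Options": (r.getheader("X-Frame-Options") or "").upper() in ("SAMEORIGIN", "DENY"),
        "TraceEnable Off": _fetch(conn, "TRACE", "/").status in (403, 405),
        "POST denied": _fetch(conn, "POST", "/").status == 403,
        "POST allowed for contact form": _fetch(conn, "POST", CONTACT_FORM).status != 403,
    }
    for probe in WAF_PROBES:
        results["ModSecurity blocks " + probe] = _fetch(conn, "GET", probe).status == 403
    conn.close()
    return results


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened Apache + ModSecurity host (test only)."""
    server_version = "Apache"   # what ServerTokens Prod leaves in the Server header
    sys_version = ""

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("X-Frame-Options", "SAMEORIGIN")   # note: no ETag header
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # crude stand-in for ModSecurity: the patterns behind the page's three tests
        q = unquote(self.path).lower()
        if any(s in q for s in ("/etc/passwd", "../", "' or '")):
            self._reply(403)
        else:
            self._reply(200, b"ok")

    def do_POST(self):
        if self.path == CONTACT_FORM:
            self._reply(200, b"sent")
        else:
            self._reply(403)

    def do_TRACE(self):
        self._reply(405)


def run_demo():
    """Start the stub on a loopback port, check it, and shut it down.
    TCPServer is used instead of HTTPServer to skip the reverse-DNS lookup on bind."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_server("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print("PASS" if ok else "FAIL", name)
```

A FAIL on "ServerTokens Prod" or "FileETag None" usually means mod_headers is not enabled or the security file was not reloaded; a FAIL on the ModSecurity probes with a 200 status is the same symptom the /etc/passwd test above describes.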

HOWTO: Check The Server CN (CommonName) Of Your SSL Certificate

openssl x509 -in server.crt -noout -subject

HOWTO: Redirect Whole Web Site To Secure

Method 1

Using mod_rewrite

Edit your .htaccess file and add the following block of code...

# mod_rewrite is off in .htaccess context until switched on
RewriteEngine On

# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on

# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

Method 2

Using virtual hosts and the Redirect directive

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
   # etc...
</VirtualHost>

https://wiki.apache.org/httpd/RedirectSSL

keywords: apache, rewrite, redirect http, https

HOWTO: Hide Files In A Directory Listing

Add the following line to your .htaccess file...

IndexIgnore filename.ext *.ico

Thanks to http://www.ducea.com/2006/06/08/apache-tips-tricks/

WebDAV

/etc/apache2/modules.d/45_mod_dav.conf

<IfDefine DAV>

<IfModule mod_dav.c>
   LimitXMLRequestBody 131072
   Alias /dav "/var/www/dav"
   <Directory /var/www/dav>
       Dav On
       Options +Indexes
       IndexOptions FancyIndexing
       AddDefaultCharset UTF-8
       AllowOverride None
       Order allow,deny
       Allow from all
       AuthType Basic
       AuthName "WebDAV"
       AuthUserFile /etc/apache2/dav.passwd
       Require valid-user
   </Directory>
</IfModule>

DavLockDB "/var/lib/dav/lockdb"

# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>

Create the password file and restart Apache...

htpasswd -c /etc/apache2/dav.passwd test
/etc/init.d/apache2 restart

To test, install the cadaver WebDAV command-line client...

emerge net-misc/cadaver

Then...

server.domain.com ~ $ cadaver http://10.0.0.1/dav

Authentication required for WebDAV on server `10.0.0.1':
Username: test
Password: 
dav:/dav/> ls
Listing collection `/dav/': succeeded.
       fish.txt                               5  Jan 24 15:22
dav:/dav/> cat fish.txt 
Displaying `/dav/fish.txt':
fish
dav:/dav/> quit
Connection to `10.0.0.1' closed.

Glossary

http://httpd.apache.org/docs/2.2/glossary.html