Apache2
As web server we use Apache2 with PHP, mod_security, mod_auth_pam and mod_deflate. Furthermore, the log files are rotated daily.
Multihome environment
In a multihome environment, several different domains/Apache processes run on one server. These domains have nothing to do with each other. This in turn means that the domains, or rather the users behind them, must not have any access to the files of the other domains. The same applies, of course, to the Apache process! apache2-mpm-itk is used as the Apache worker module.
For the technical implementation this means the following:
- Optional: each domain has its own user/group (the user is not a member of its own group! The user only gets r permissions, the group gets rw permissions. The user who maintains the pages of the website must also be in this group.)
conf.d/myconfig
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
# global access log
CustomLog "|| /usr/sbin/vlogger -s access.log -t access.log.%Y.%m -u ${APACHE_RUN_USER} -g ${APACHE_RUN_GROUP} ${APACHE_LOG_DIR}/vlogger" vcombined
UseCanonicalName Off
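The vcombined format defined above, parsed by an added Python example (not part of this page's configuration): one function turns a line into a record, a second counts 401/403 responses per virtual host and client, the first thing to look at when a protected directory is being probed. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Regex for the "vcombined" LogFormat from conf.d/myconfig:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
VCOMBINED = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_vcombined(line):
    """Parse one vcombined line into a dict, or return None if it does not match."""
    m = VCOMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs "-" for 0
    # Split the request line into method and path; a malformed request keeps the raw text
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (rec["request"], "")
    return rec

def auth_failures_per_vhost(lines):
    """Count 401/403 responses per (vhost, client); unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_vcombined(line)
        if rec and rec["status"] in (401, 403):
            counts[(rec["vhost"], rec["client"])] += 1
    return counts

# Constructed sample lines (not taken from a real server)
SAMPLE = [
    'www.example.org 203.0.113.5 - - [24/Sep/2012:19:56:27 +0200] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    'www.example.org 203.0.113.5 - - [24/Sep/2012:19:56:28 +0200] "GET /secure/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    'www.example.org 203.0.113.5 - xyz [24/Sep/2012:19:56:29 +0200] "GET /secure/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    'shop.example.org 198.51.100.7 - - [24/Sep/2012:19:57:01 +0200] "POST /upload.php HTTP/1.1" 403 199 "-" "curl/7.22"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for key, n in auth_failures_per_vhost(SAMPLE).items():
        print(key, n)
```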
conf.d/security
<Directory />
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
Modules
Directory protection
authnz_external (imap)
#/etc/checkpasswd-imap.ini
[localhost]
host = localhost
port = 1143
allow-everybody = .*
#/etc/apache2/conf-available/auth_external.conf
AddExternalAuth imapauth /usr/bin/checkpasswd-imap-pipe.py
SetExternalAuthMethod imapauth pipe
#virtual host
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider external
AuthExternal imapauth
mod_auth_pam
For directory protection we use mod_auth_pam, i.e. we can use the same login data as on the system. To be able to use a group, libapache2-mod-auth-sys-group is required!
An example .htaccess:
AuthPAM_Enabled on
AuthType Basic
AuthName "secure area"
require group staff
If it does not work, from error.log:
[error] [client 217.229.133.31] PAM: user 'xyz' - not authenticated: Authentication failure
The user www-data must be a member of the group shadow!
mod-auth-imap
Source: http://ben.brillat.net/projects/mod_auth_imap/
Short howto: https://hw.cs.southern.edu/prot/mod_auth_imap.htm
Patch for dovecot: http://srteam.skyrock.com/2121064465-mod-auth-imap2-et-dovecot-le-patch.html, otherwise you get:
mod_auth_imap: Premature server disconnect for user xxx
mod_auth_imap: Server said: * CAPABILITY ...
--- mod_auth_imap.c.orig 2006-05-08 01:22:43.000000000 +0200
+++ mod_auth_imap.c 2012-09-24 19:56:27.000000000 +0200
@@ -44,8 +44,6 @@
#define _OK 1
-int Sock;
-
/*******************************************************************************
* tcp_gets
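Review bot: removing the file-scope `int Sock;` is the right call, since a global descriptor is shared by every request handled in the same process, so two authentications in flight at once (threaded MPMs) could read each other's IMAP replies; the commit should say so explicitly rather than leaving the reason to a code comment.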
@@ -141,6 +139,7 @@
char result[512],buf[512];
int ret=0;
int port;
+ int Sock; // Don't know why it used to be global, but having it local solved *all* my problems
port=atoi(cport);
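Review bot: the comment on the new local `int Sock;` ("Don't know why it used to be global") should state the real reason: a per-call descriptor is no longer shared between concurrent requests in one process, so replies cannot be consumed by the wrong authentication attempt. A comment that documents a fix by guessing will not help the next reader.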
@@ -164,15 +163,17 @@
tcp_puts(Sock,buf);
//get the capability line...
- tcp_gets(Sock,result,500);
+ //tcp_gets(Sock,result,500);
//get the "A001 OK CAPABILITY completed" line..
- tcp_gets(Sock,result,500);
+ //tcp_gets(Sock,result,500);
//skip lines that start with "*"
- if (strncmp(result,"* ",2 == 0)) {
+ //if (strncmp(result,"* ",2 == 0)) {
+ do {
tcp_gets(Sock,result,500);
- }
+ //}
+ } while (strncmp(result,"* ",2) == 0);
//Verify that it supports the CAPABILITY command
if (strncmp(result,"A001 OK", 7) != 0) {
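Review bot: the old `strncmp(result,"* ",2 == 0)` had the `== 0` inside the argument list, so the compare length was 0 and the untagged CAPABILITY line was never skipped; the new do/while fixes that. The loop, however, only stops when a line does not start with "* " and ignores what `tcp_gets` returns, so on a server disconnect `result` keeps its stale contents and the loop can spin forever or fall through with old data. Suggest breaking out when `tcp_gets` signals EOF/error and bounding the number of skipped lines.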
@@ -186,7 +187,11 @@
memset(buf,0,500);
sprintf(buf,"A002 LOGIN %s \"%s\"\r\n", username, pass);
tcp_puts(Sock,buf);
- tcp_gets(Sock,result,500);
+
+ //skip lines that start with "*" (sometimes needed with dovecot)
+ do {
+ tcp_gets(Sock,result,500);
+ } while (strncmp(result,"* ",2) == 0);
if (strncmp(result,"A002 OK",7) == 0) {
if (logflag) {
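Review bot: the same unbounded skip loop as in the CAPABILITY hunk, with no EOF check. Since this hunk touches the LOGIN exchange anyway, the unchanged `sprintf(buf,"A002 LOGIN %s \"%s\"\r\n", username, pass)` deserves a look: it writes two client-supplied values into a 512-byte buffer without a length check and does not escape `"` or `\` in the password, which an IMAP quoted string requires. `snprintf` plus escaping would make the patch complete.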
@@ -197,7 +202,6 @@
} else if (strncmp(result,"A002 NO",7) == 0) {
if (logflag) {
ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Login failed for user %s.", user
name);
- ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
}
ret=!_OK;
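Review bot: dropping the "Server said: %s" line discards the server's actual NO response, which is exactly what an admin needs when a login fails (this page's own troubleshooting relies on error.log output). If it was removed because `result` used to hold an unrelated untagged line, that reason is gone now that the do/while leaves the tagged reply in `result`; suggest keeping the log line.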
@@ -205,7 +209,6 @@
//it must have told us BYE and disconnected
if (logflag) {
ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Premature server disconnect for
user %s.", username);
- ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
}
ret=!_OK;
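Review bot: as in the login-failure hunk, the "Server said" line should stay; for a premature disconnect it is the only place where a `* BYE` reason from the server would be recorded.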
@@ -218,11 +221,11 @@
sprintf(buf,"A003 LOGOUT\r\n");
tcp_puts(Sock,buf);
- //read the BYE line
- tcp_gets(Sock,result,500);
+ //read the BYE line, skip lines that start with "*"
+ do {
+ tcp_gets(Sock,result,500);
+ } while (strncmp(result,"* ",2) == 0);
- //read the OK LOGOUT
- tcp_gets(Sock,result,500);
if (strncmp(result,"A003 OK",7) == 0) {
if (logflag) {
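Review bot: collapsing the two fixed reads (BYE, then OK LOGOUT) into one skip loop is correct because `* BYE` is untagged, but the missing EOF check matters most here: many servers close the connection right after BYE, so `tcp_gets` may return without a tagged line and the `A003 OK` comparison below runs against stale data.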
@@ -233,7 +236,6 @@
} else {
if (logflag) {
ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Error in logout for %s.", userna
me);
- ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
}
ret=!_OK;
.htaccess
#Turn on IMAP Authentication
Auth_IMAP_Enabled on
#Give a name to the authentication domain, whatever you want:
AuthName "SAU Email username and password"
#Only basic authentication is supported for now:
AuthType Basic
#If you feel like it, restrict the users or allow all valid users:
Require valid-user
#Make IMAP Authentication authoritative for this .htaccess file:
Auth_IMAP_Authoritative on
#Set the IMAP Server to which you want to connect (default=localhost):
Auth_IMAP_Server imap.southern.edu
#Set the port on which the imap server is running (default=143):
Auth_IMAP_Port 143
#Turn on some extra logging (login attempts, etc.) in Apache's Error Log
Auth_IMAP_Log on
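The untagged-line handling that the dovecot patch above adds, as an added Python example (not mod_auth_imap's code): a reader that skips "* " lines until the tagged reply arrives but, unlike the patch's do/while loops, treats a premature disconnect as an error instead of reusing a stale buffer, plus the CAPABILITY/LOGIN/LOGOUT exchange driven against constructed in-memory transcripts. The transcripts and the fake_server helper are assumptions for the example.

```python
import io

class ImapProtocolError(Exception):
    pass

def read_tagged(stream, tag, max_lines=64):
    """Read lines until the reply tagged `tag` arrives, skipping untagged "* " lines
    (greeting, CAPABILITY banner, Dovecot's extra lines). EOF, an unexpected tag or
    an endless run of untagged lines raise instead of falling through."""
    for _ in range(max_lines):
        line = stream.readline()
        if not line:
            raise ImapProtocolError("premature server disconnect waiting for " + tag)
        line = line.rstrip("\r\n")
        if line.startswith("* "):
            continue
        if line.startswith(tag + " "):
            return line[len(tag) + 1:]
        raise ImapProtocolError("unexpected line: %r" % line)
    raise ImapProtocolError("too many untagged lines before " + tag)

def quote(s):
    """IMAP quoted string: backslash and double quote must be escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def imap_login_ok(stream, send, username, password):
    """Run the CAPABILITY / LOGIN / LOGOUT exchange from the patch; True iff A002 OK."""
    send("A001 CAPABILITY\r\n")
    if not read_tagged(stream, "A001").startswith("OK"):
        raise ImapProtocolError("server does not support CAPABILITY")
    send("A002 LOGIN %s %s\r\n" % (quote(username), quote(password)))
    status = read_tagged(stream, "A002")
    send("A003 LOGOUT\r\n")
    read_tagged(stream, "A003")          # "* BYE" is untagged and therefore skipped
    return status.startswith("OK")

def fake_server(transcript):
    """Constructed in-memory server: canned responses plus a list of what was sent."""
    sent = []
    return io.StringIO(transcript), sent.append, sent

# Constructed Dovecot-style transcripts (untagged lines before each tagged reply)
GOOD = ("* OK Dovecot ready.\r\n* CAPABILITY IMAP4rev1 LITERAL+\r\nA001 OK Capability completed.\r\n"
        "* CAPABILITY IMAP4rev1 IDLE\r\nA002 OK Logged in.\r\n* BYE Logging out\r\nA003 OK Logout completed.\r\n")
BAD_PASSWORD = ("* OK Dovecot ready.\r\n* CAPABILITY IMAP4rev1\r\nA001 OK Capability completed.\r\n"
                "A002 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n* BYE Logging out\r\nA003 OK Logout completed.\r\n")
DISCONNECT = "* OK Dovecot ready.\r\n* CAPABILITY IMAP4rev1\r\nA001 OK Capability completed.\r\n"

if __name__ == "__main__":
    stream, send, sent = fake_server(GOOD)
    print(imap_login_ok(stream, send, "xyz", 'p"ss\\word'), sent)
```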
mod_security
ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
Installation: http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server
Links
- http://www.atomicorp.com/wiki/index.php/Mod_security
- https://blog.art-of-coding.eu/implementing-a-web-application-firewall/
Install
#/etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000
SecTmpDir /var/cache/modsecurity/
SecDataDir /var/cache/modsecurity/
SecUploadDir /var/cache/modsecurity/upload/
cd /etc/modsecurity
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
mkdir activated_rules activated_optional_rules
ln -s /usr/share/modsecurity-crs/base_rules base_rules
ln -s /usr/share/modsecurity-crs/optional_rules/ optional_rules
cd base_rules
for f in *; do ln -s "/etc/modsecurity/base_rules/$f" "/etc/modsecurity/activated_rules/$f"; done
cd ..
cd optional_rules
for f in *; do ln -s "/etc/modsecurity/optional_rules/$f" "/etc/modsecurity/activated_optional_rules/$f"; done
cd ..
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf
Enable module in apache
#/etc/apache2/mods-available/mod-security.conf
...
Include "/etc/modsecurity/*.conf"
Include "/etc/modsecurity/activated_rules/*.conf"
Include "/etc/modsecurity/activated_optional_rules/*.conf"
...
Optionally disable the filter
For certain directories the filter can also be switched off:
<LocationMatch "/ajaxplorer/">
SecRuleRemoveById 200003 960024 960915
</LocationMatch>
OR
<Location /upload.php>
# Do not inherit rules from the parent folder (ModSecurity 2.x directive;
# the 1.x name was SecFilterInheritance)
SecRuleInheritance Off
</Location>
Virus-Scanner for uploaded files
#in modsecurity_crs_46_av_scanning.conf
#
# Modify the operator to use the correct AV scanning script/tool
# Example tools are in the util directory.
#
SecRule FILES_TMPNAMES "@inspectFile /usr/bin/runAV.pl" \
"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
Global Blacklist
#/etc/apache2/conf.d/modsecurity-blacklist
#disable rule for all domains
#missing_request_header
SecRuleRemoveById 960015
#Request Missing a User Agent Header
SecRuleRemoveById 960009
bad robot data
/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data, e.g. to remove surveybot from the list
Links
- Howto - Apache2 ModSecurity - Enhance your Web Server and Applications security with an Opensource Web Application Firewall (WAF)
- Reference Manual
- Web Services using Mod Security (Apache) Methodology and Filtering Techniques by Shreeraj Shah on 19/01/05
- http://www.gotroot.com/mod_security+rules
- Die Apache-Firewall: Web-Server mit mod_security absichern (The Apache firewall: securing web servers with mod_security)
mod_php
see PHP
mod_dav
WebDAV module for Apache. It makes it possible to manipulate files over https (modify, delete, create, etc.). Install: a2enmod dav
#httpd.conf
Alias /phparea /home/gstein/php_files
Alias /php-source /home/gstein/php_files
DavLockDB /tmp/DavLock.myvhost
<Location /php-source>
Dav On
AuthType Basic
AuthName DAV
AuthPAM_Enabled on
require group staff
php_flag engine off # or ForceType text/plain
</Location>
mod_evasive
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers and so on. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
<IfModule mod_evasive.c>
#DOSHashTableSize sets the size of the hash table in bytes
DOSHashTableSize 3097
#DOSPageCount sets the number of requests for the same page by one client per DOSPageInterval
DOSPageCount 2
#DOSSiteCount sets the number of requests to one child process by one client per DOSSiteInterval
DOSSiteCount 50
#DOSPageInterval and DOSSiteInterval are given in seconds
DOSPageInterval 1
DOSSiteInterval 1
#DOSBlockingPeriod sets the blocking period in seconds
DOSBlockingPeriod 60
#DOSEmailNotify sets the e-mail address to which a warning mail is sent
DOSEmailNotify admin@mydomain.net
#DOSSystemCommand runs additional programs/scripts on an attack, if desired
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
#DOSLogDir sets the directory in which the module writes its log files
DOSLogDir /srv/www/vlogger/_mod_evasive
#DOSWhitelist lists all IP addresses to which mod_evasive does NOT apply
DOSWhitelist 127.0.0.1
</IfModule>
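The three detection rules above, as an added Python model (not mod_evasive's own code) using the values from this configuration: per-page and per-site counters inside their intervals, a blocking period that is renewed by hits while blacklisted, and a whitelist. It is a simplified model, so the real module's exact off-by-one behaviour may differ; the traffic is constructed.

```python
class EvasiveModel:
    """Simplified model of mod_evasive's per-child hash table with the settings
    from the configuration above (assumption: a request is denied as soon as a
    counter exceeds its limit inside its interval)."""
    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=60, whitelist=("127.0.0.1",)):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.hits = {}      # (ip, uri) or (ip, "_SITE") -> (window_start, count)
        self.blocked = {}   # ip -> time of the last request that was denied

    def _over_limit(self, key, now, interval, limit):
        start, count = self.hits.get(key, (now, 0))
        if now - start >= interval:           # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count > limit

    def request(self, ip, uri, now):
        """Return 200 or 403 for one request from `ip` for `uri` at time `now` (s)."""
        if ip in self.whitelist:              # DOSWhitelist: never counted
            return 200
        if ip in self.blocked and now - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = now            # a hit while blacklisted renews the block
            return 403
        page = self._over_limit((ip, uri), now, self.page_interval, self.page_count)
        site = self._over_limit((ip, "_SITE"), now, self.site_interval, self.site_count)
        if page or site:
            self.blocked[ip] = now            # DOSBlockingPeriod starts now
            return 403
        return 200

def replay(model, requests):
    """Replay (time, ip, uri) tuples in order and return the status codes."""
    return [model.request(ip, uri, t) for t, ip, uri in requests]

# Constructed traffic: one client fetches /index.php three times within a second
# (DOSPageCount 2 exceeded), comes back after 30 s (still blacklisted) and after
# 91 s (block expired); localhost is whitelisted and never counted.
SAMPLE = [(0.0, "203.0.113.5", "/index.php"), (0.2, "203.0.113.5", "/index.php"),
          (0.4, "203.0.113.5", "/index.php"), (0.5, "127.0.0.1", "/index.php"),
          (30.0, "203.0.113.5", "/about.html"), (91.0, "203.0.113.5", "/about.html")]

if __name__ == "__main__":
    print(replay(EvasiveModel(), SAMPLE))   # [200, 200, 403, 200, 403, 200]
```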
mod_cband
Bandwidth limiting: http://nodomain.cc/archives/2007/01/05/684-Apache2-Zugriffskontrolle-mit-mod_cband.html
mod_ssl
SSL test: https://www.ssllabs.com/ssltest/
#/etc/apache2/mods-available/ssl.conf
#against BEAST
SSLHonorCipherOrder On
#https://weakdh.org/sysadmin.html
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!LOW:!MEDIUM"
# enable only secure protocols: TLS versions only, SSLv2 and SSLv3 are disabled
SSLProtocol all -SSLv2 -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
Logging POST requests with Apache
found on https://www.technovelty.org/web/logging-post-requests-with-apache.html
SecRuleEngine On
SecAuditEngine on
SecAuditLog /var/log/apache2/website-audit.log
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ
SecDefaultAction "nolog,noauditlog,allow,phase:2"
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2"
SecRule REQUEST_URI ".*" "auditlog"