Fedora Security :: Apache: How To Autoindex With Mod_security
May 13, 2009
Once the mod_security module gets loaded into Apache, autoindexing stops working. In a folder without index.html the server says: "403 Forbidden. You don't have permission to access /TheFolder/ on this server." I was trying to find something to comment out in /etc/httpd/modsecurity.d and in the modsecurity.conf files, but couldn't find anything relevant. How do I keep mod_security on while having autoindexing on as well?
Jul 19, 2010
Currently I'm looking into implementing mod_security on all our Apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously, Debian and Ubuntu do not carry these). They also offer the Enhanced Rule Set for mod_security in a commercial package [URL]. The main point in their info link is the first one:
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However, according to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, and my colleague who's working on PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be whether anyone has any experience with their ERS package and whether it's needed for PCI-DSS compliance compared to the requirements given in the bullet points of the wiki article.
Mar 6, 2010
I wasn't sure if this is the right place to ask or comment on this, but since it's about Apache web server I thought it should work. I finally figured out how to set up and bring up the site using virtual hosts in Apache, though at the moment it's just for my localhost install.
I set them up so I can have a place to play with possible new themes and/or test out the Drupal 7 alpha / beta releases without messing up my current configuration. I decided to look at the error logs for the currently configured site and it had a lot of messages similar to the following:
[Sat Mar 06 09:45:39 2010] [error] [client 127.0.0.1] ModSecurity: Unable to retrieve collection (name "ip", key "127.0.0.1"). Use SecDataDir to define data directory first. [hostname "site.local"] [uri "/"] [unique_id "ZnUHgsCoAAEAABdzR2QAAAAB"]
Sep 29, 2010
I have just installed the latest version of mod_security from source on Ubuntu Server 10.04, and it seems like it went okay while I followed the official installation manual for UNIX.
Question 1: How do I know that mod_security is really on? Can I view any status anywhere?
Question 2: What's the difference between the base_rules and the optional_rules? When I load the optional_rules, I always get an error message and Apache2 won't run. The base_rules work fine.
Jul 22, 2010
Currently I'm fiddling around with mod_security for Apache2 configurations on CentOS boxes, right now in a test environment first (i.e. a separate non-production box). CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module. So far all's running mostly: logs/auditlogs etc. For simple testing, I made a small PHP form as follows:
Code:
<?php
$link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post
[code]...
Jun 22, 2010
I want to be able to create directories and upload files (images mostly) via a PHP web page. The directory structure is a throwback to Windows and I really, really don't want to have to change it because there are so many files/links already there.
/cust/cust_name/site/version/web (all html/php files go here)
I want to be able to edit the files with a 3rd-party tool (SSH based). These are small orgs, like my church, local community club, sports team, etc., so file ownership needs to sync with the editor, not Apache.
[Code].....
May 4, 2010
I'm attempting to use mod_security with Apache2 but it doesn't seem to load. Running Ubuntu 9.10.
Code:
$ ls -a mods-enabled/
. authz_host.load dir.load php5.load
.. authz_user.load env.load setenvif.conf
alias.conf autoindex.conf mime.conf setenvif.load
[code]....
Feb 6, 2010
We are trying to define an appliance based on SUSE for an application server and an Apache web server, so we would like to know configuration best practices for network and security. Is there any paper/doc about best practices?
Aug 18, 2010
Has anyone used the mod_auth_remote module to delegate authentication? I have two Apache2 servers. One is a content server and the other one is the SSO/auth server. When the content server receives a request for a resource protected by basic authentication, the request is forwarded to the SSO server for authentication. So far so good. But the SSO server should return an HTTP 200 to the content server, granting access to the user. However, the SSO server always returns an HTTP 301 to the content server, so I appear to be stuck in an authentication loop.
Content server config:
<Directory /var/www/html/secure/>
AuthType Basic
AuthName "Content server"
AuthRemoteServer sso.intra
AuthRemotePort 80
AuthRemoteURL /auth
[Code]...
Or perhaps you have a better way of accomplishing Apache SSO across multiple servers?
Mar 6, 2010
I happened to be looking at my Apache-2.2.8 log on an Ubuntu LTS 8.04.4 system, and noticed a few lines like this:
Code:
61.160.212.242 - - [06/Mar/2010:07:04:41 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
61.160.212.242 - - [06/Mar/2010:07:05:29 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
xxx.xxx.xxx.xxx - - [06/Mar/2010:07:56:15 -0800] "GET http://218.30.115.246/ HTTP/1.1" 400 290 "-" "-"
(The third line is me telnetting to the server and trying to issue the same request. Note that I got a 400 error response, while the guy coming from 61.160.212.242 got 200s. Also, if you just open the http://218.30.114.246/ URL, you get back "hello" (nothing else, just 5 characters).) I'm presently putting together a bootable CD with chkrootkit to run on the machine. (I found a thread that mentioned in passing that this was related to PHP, which I have running on that Apache server, but my Google-fu isn't strong enough to track down the original thread.) (After checking with chkrootkit: nothing unusual found.)
Apr 6, 2010
How can I make Apache run in runlevel 2?
Jun 7, 2011
I've setup the Uncomplicated Firewall (UFW) on Ubuntu 10.04 LTS and blocked an IP address. UFW status shows that the firewall is active and the IP in question is denied. The issue is that I'm seeing the blocked IP address in my Apache logs.
Sep 2, 2010
The actual file didn't exist. I am confident it came through a site, but I am more curious which settings in Apache affect the ability to do this.
Jun 13, 2010
What would be the effect of setting ProFTPd's user and group to the same user and group that Apache uses? Are there any security risks in doing this, or is this safe to do?
Oct 3, 2010
Lately I just installed Ubuntu 10.10 and got Squid installed. It works much better than Polipo for caching, but I do not understand why I got Apache installed after I installed Squid. Is there any correlation between Apache and Squid? Is it going to make me run my own web server?
Jul 6, 2011
I know how to assign file permissions and other tasks like adding a user to a group, but I'm stuck with a situation in how I should set up my system. So I have a LAMP server set up. I'm not the only developer, so I created a group called "developers" for my other users "Mike," "Alex," and "Cindy," which are developers (I'm Mike, by the way). I know that "www-data" is the user and group Apache uses. This is good because only I have permission to update the production site, but for the dev site it's a different story.
May 21, 2010
I will be setting up an Apache web server in the DMZ and an Oracle web server (Windows) in the LAN. The requirement is to allow logged-in visitors to view / change their details via the web site. What is the best way to configure this? Is simply allowing the web server's IP to communicate with the Oracle server's IP (and the Oracle port) secure enough, or is there a way to do this more securely?
Aug 29, 2010
Basically, this is not the first time it has happened, but the third I would say. My trouble and concern is with this massive downloading targeting a test file of mine / a client file of mine. Since my server couldn't support that many connections and child process spawns, my Apache server crashed.
I managed to solve it by closing the client's account, preventing the attack from continuing the downloads. Another way I could solve it was by replacing the file they attempted to attack with a 0-byte file.
I'm wondering if there is a possible solution to prevent such an issue in future. I'm also not very sure what kind of attack this is. Could it be DDoS? But from what I've asked, some said it wasn't DDoSed; if it was, my whole server would go down, not only Apache.
What I was curious about was how these attackers found out about the files that were stored on the server. These files were not leaked outside, nor was there a possibility to access that folder because it was protected by .htaccess which denies everyone.
Jan 25, 2011
Recently my Apache server crashes very often; by watching the error log, I've noticed several signs of intrusion. So I think the problem can be a denial of service attack against my machine. My distribution is Debian Lenny.
Jul 10, 2010
Does anyone know of any software that can monitor the Apache logs for certain phrases or keywords and then send an alert when they are found? For example, I know an attempt to hack has been made when I see log entries like this:
/admin/
/admin/phpadmin/
/phpadmin/
But by the time I see it, the attempt has long since failed or succeeded. What I need is a way for my server to alert me WHILE someone is entering these phrases. I realize there may be a "hit" to performance, but my server is not that busy anyway (except for hackers).
Sep 29, 2010
I am running Ubuntu 10.04 on my laptop. I have an Apache web server running that I can access at 192.168.1.102 ("It works! This is the default web page for this server. ...").
Are there any security risks in leaving this running? Is the web server available to anyone outside my network?
Apr 5, 2011
I'm trying to modify an existing user so that any files they create can be at least read (although writing and execution would be nice) by any other user. The reason is because I need the daemon running my Apache server to be able to access files created by a daemon running under this user, files which will be created and accessed in real-time.
Apr 29, 2011
Does anyone know any common Apache 2.2 exploits and how to stop them? I am setting up a web server and want it to be as secure as possible. I currently have a basic LAMP server on an Ubuntu server.
Jun 3, 2011
OK, so I have a few web apps that need to run shell commands. Here's a great example of one:
Code:
This is a PHP script getting my system volume. Herein lies the problem: www-data doesn't have permission to do this!
I changed my Apache config to use MY account as the web user, and it does in fact work the way I want it to.
Obviously, I don't want to leave Apache running as me, and want it to keep using www-data. Here's my question: how can I give permission for www-data to execute certain programs?
Feb 18, 2010
I have been tasked with sending a kill -s SIGHUP (a reload) to a daemon process owned by root running on a CentOS 5.4 machine.
Obviously, Apache cannot normally do this, so I'm going to have to use the sudoers file.
My problem is, how do I allow the Apache user to only run the kill command, and nothing else?
In testing, I've gotten Apache to basically run every command prefixed with sudo with no password prompting. But I want the added security of only running the kill command without being prompted for a password; everything else should prompt for a password.
I'm trying to understand the sudoers file, and I must say, it's non-trivial.
Is there a simple one-liner I can put in the sudoers file like:
Code:
apache ALL=(ALL) NOPASSWD: /bin/kill
Sep 27, 2010
I have set up a VPS server, created two accounts for two domains respectively, and in one account I built a tool to manage the other accounts. I have been rigorously researching and found information, though not implemented yet, about granting Apache sudo rights through an interface on one account, so that it can execute scripts as root to manage installations in other accounts. What I mean is this: my tool will use 'rsync' to duplicate installations from any account into any account.
My question, for security, is: is it secure to grant Apache sudo rights? I have not yet succeeded in granting it permissions, and I would not want to waste my time investigating it further if it can compromise the system in any way.
In your experience, is it feasible to build such a tool like I described? I have the tool working to copy within account and to addon domains and it works great, but I want it to manage all accounts on the server.
Jun 19, 2010
I've set up a server for the first time today and I'm reading up on how to secure it. But I was wondering if anyone here would give me some tips from personal experience on what to do before going online with my website for the whole world to see. I'm running Ubuntu Server edition and Apache. Am I good to go with default settings or is there anything recommended that I should first do?
Oct 7, 2010
I have a server with a couple of sites on it. Some of them have a web form where people can send them emails saying that they are interested in their work etc., though the "To:" and "From:" address can't be changed by the end user; you can only enter text and press send. However, it seems that someone (not on the server) has found a hole/exploit to use those web forms to send mails to whoever he wants. I have the web server set up with ssmtp (simple SMTP) and it just forwards the mail sent from the server to my mail server, and from there it is sent out on the internet. If I check my log on the mail server I can see the whole SMTP session, where it's coming from and where it's going etc. I see that it comes from my web server, and over there I only have these log entries:
Oct 6 22:04:47 ettan2 sSMTP[1771]: Sent mail for itaumail@itau.com.br (221 2.0.0 Bye) uid=204 username=torget outbytes=3290
There are loads of those log entries, mostly after office hours between 17:00 and 7:00. I have scanned through all the Apache logs and can't find anything that points to the e-mail addresses used or something like that. The reason I found this out was because he tries to send to a host that doesn't allow connections on port 25, so all the mails got stuck in the queue, over 1000 atm. I'm using Apache 2.2 and Postfix 2.6 on a Debian Lenny install. What can I do to find out how he's doing this and close the "exploit"? How would you recommend setting up the mail() thing in PHP for the most security?
Jun 30, 2010
I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes, and some changes they won't do for you at all. I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as well as I can by following some guides on the net and using common sense: Apache 2 doesn't have access to the file system except for the www folder, and the headers are set to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in php.ini, also by following some guides on the net, among some other security-enhancing php.ini editing.
The only thing the server will serve is a well-known PHP forum and some HTML docs, and that's all. Nothing advanced or complicated, and I'm definitely not programming PHP myself or letting anyone do it for me. But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without a root account and you must have the sudo password, right? What are the odds of anyone getting full access to my system?
An issue: I've heard that Apache must never run as root. When I do a ps -ef, I see that there are several www-data processes running Apache, but there's one root process running Apache too. Is this normal and is it safe?
An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under Apache 2 and limited by the www-data filesystem access?
An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user, right?
Apr 2, 2010
I have one requirement: I want to call a Java file from a PHP function using the shell_exec command. I am using the chroot jail concept; if I use this command I get an empty file because the Java environment is outside the chroot jail, so how do I access the files that are outside the chroot jail?