build:apache
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
build:apache [2008/06/10 17:58] 68.188.64.23 Add SNUG site. (CMB) |
build:apache [2009/01/26 15:46] 151.145.245.20 Don't allow Indexes to be visible in web sites, as it leaks information that may be helpful to attackers. (CMB) |
||
|---|---|---|---|
| Line 119: | Line 119: | ||
| <Directory /home/web/www.sluug.org/public> | <Directory /home/web/www.sluug.org/public> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews IncludesNoExec | + | Options FollowSymLinks MultiViews IncludesNoExec |
| DirectoryIndex index.shtml index.html | DirectoryIndex index.shtml index.html | ||
| Order allow,deny | Order allow,deny | ||
| Line 150: | Line 150: | ||
| <Directory /home/web/wiki.sluug.org> | <Directory /home/web/wiki.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 184: | Line 184: | ||
| <Directory /home/web/stllug.sluug.org/public> | <Directory /home/web/stllug.sluug.org/public> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 216: | Line 216: | ||
| <Directory /home/web/hzwlug.sluug.org> | <Directory /home/web/hzwlug.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 245: | Line 245: | ||
| <Directory /home/web/stclug.sluug.org> | <Directory /home/web/stclug.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 274: | Line 274: | ||
| <Directory /home/web/security.sluug.org> | <Directory /home/web/security.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 302: | Line 302: | ||
| <Directory /home/web/solaris.sluug.org> | <Directory /home/web/solaris.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 312: | Line 312: | ||
| a2ensite solaris.sluug.org | a2ensite solaris.sluug.org | ||
| </code> | </code> | ||
| + | |||
| Line 332: | Line 333: | ||
| <Directory /home/web/slacc.sluug.org> | <Directory /home/web/slacc.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 363: | Line 364: | ||
| <Directory /home/web/snug.sluug.org> | <Directory /home/web/snug.sluug.org> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 372: | Line 373: | ||
| <code rootshell> | <code rootshell> | ||
| a2ensite snug.sluug.org | a2ensite snug.sluug.org | ||
| + | </code> | ||
| + | |||
| + | |||
| + | ==== Webmail Site ==== | ||
| + | |||
| + | <code rootshell> | ||
| + | mkdir /var/www/webmail.sluug.org | ||
| + | chown -R www-data:www-data /var/www/webmail.sluug.org | ||
| + | chmod g+s /var/www/webmail.sluug.org | ||
| + | </code> | ||
| + | |||
| + | Edit ''/etc/apache2/sites-available/webmail.sluug.org'': | ||
| + | <file> | ||
| + | <VirtualHost *> | ||
| + | ServerName webmail.sluug.org | ||
| + | ServerAlias mail.sluug.org | ||
| + | UseCanonicalName On | ||
| + | DocumentRoot /var/www/webmail.sluug.org/public | ||
| + | <Directory /var/www/webmail.sluug.org/public> | ||
| + | AllowOverride All | ||
| + | Options FollowSymLinks MultiViews | ||
| + | Order allow,deny | ||
| + | Allow from all | ||
| + | </Directory> | ||
| + | </VirtualHost> | ||
| + | </file> | ||
| + | |||
| + | <code rootshell> | ||
| + | a2ensite webmail.sluug.org | ||
| </code> | </code> | ||
| Line 391: | Line 421: | ||
| <Directory /home/web/test.sluug.org/public> | <Directory /home/web/test.sluug.org/public> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 449: | Line 479: | ||
| <Directory /home/booch/web/blog.craigbuchek.com> | <Directory /home/booch/web/blog.craigbuchek.com> | ||
| AllowOverride All | AllowOverride All | ||
| - | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
| Order allow,deny | Order allow,deny | ||
| Allow from all | Allow from all | ||
| Line 522: | Line 552: | ||
| Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. | Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. | ||
| + | |||
| + | ==== Application Defenses ==== | ||
| + | |||
| + | Implement these defenses from [[http://www.0x000000.com/index.php?i=567&bin=1000110111]]: | ||
| + | |||
| + | <file> | ||
| + | # NC - Not Case sensitive, OR - previous rule OR following rul | ||
| + | |||
| + | # Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV. | ||
| + | RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR] | ||
| + | |||
| + | # Prevent CRLF injection. | ||
| + | RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR] | ||
| + | |||
| + | # Prevent mangled referrers and cookies, intended to exploit log files and such. | ||
| + | RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
| + | RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
| + | |||
| + | # Clean up URIs and make sure they're 9999 characters or less. | ||
| + | RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR] | ||
| + | |||
| + | # Disallow some nasty user agents. | ||
| + | RewriteCond %{HTTP_USER_AGENT} ^$ [OR] | ||
| + | RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR] | ||
| + | RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR] | ||
| + | RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
| + | |||
| + | # Disallow nasty query strings. | ||
| + | RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR] | ||
| + | RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR] | ||
| + | RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR] | ||
| + | RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC] | ||
| + | |||
| + | # Rewrite the request to a fail-safe page. FIXME: Set to an actual page. | ||
| + | RewriteRule ^(.*)$ access_log.php | ||
| + | </file> | ||
| + | |||
| ==== SSL ==== | ==== SSL ==== | ||
| + | |||
| Turn on SSL. | Turn on SSL. | ||
build/apache.txt ยท Last modified: 2009/03/03 16:02 by 151.145.245.20
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
