Differences

This shows you the differences between two versions of the page.

--- build:apache [2008/06/10 17:53]
68.188.64.23 Add SNUG link. (CMB)
+++ build:apache [2009/03/03 16:02] (current)
151.145.245.20 Add separate default site. (CMB)
@@ Line 99: / Line 99: @@
 </code>
+==== Default Site ====
+The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file.
+We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites.
+(Some attempts even had "proxy_test_referer" in the Referer field.)
+Edit ''/etc/apache2/sites-available/000-default'':
+<file>
+NameVirtualHost *
+<VirtualHost *>
+    # Minimize logging of this junk.
+    #CustomLog /dev/null ""
+    #ErrorLog /dev/null
+    CustomLog /var/log/apache2/attack.log combined
+    ErrorLog /var/log/apache2/attack_error.log
+    LogLevel emerg
+    # Don't allow access to anything, causing a 403 error message for any request.
+    ErrorDocument 403 "Site does not exist on this server!"
+    <Location />
+        Order allow,deny
+        Deny from all
+    </Location>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite 000-default
+</code>
 ==== Main SLUUG Site ====
@@ Line 108: / Line 138: @@
 </code>
-Edit ''<nowiki>/etc/apache2/sites-available/000-www.sluug.org</nowiki>'':
+Edit ''<nowiki>/etc/apache2/sites-available/www.sluug.org</nowiki>'':
 <file>
-NameVirtualHost *
 <VirtualHost *>
 	ServerName www.sluug.org
@@ Line 119: / Line 148: @@
 	<Directory /home/web/www.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews IncludesNoExec
+		Options FollowSymLinks MultiViews IncludesNoExec
 		DirectoryIndex index.shtml index.html
 		Order allow,deny
@@ Line 132: / Line 161: @@
 <code rootshell>
-a2ensite 000-www.sluug.org
+a2ensite www.sluug.org
 </code>
@@ Line 150: / Line 179: @@
 	<Directory /home/web/wiki.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 184: / Line 213: @@
 	<Directory /home/web/stllug.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 216: / Line 245: @@
 	<Directory /home/web/hzwlug.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 245: / Line 274: @@
 	<Directory /home/web/stclug.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 274: / Line 303: @@
 	<Directory /home/web/security.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 302: / Line 331: @@
 	<Directory /home/web/solaris.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 312: / Line 341: @@
 a2ensite solaris.sluug.org
 </code>
 ==== SLACC Site ====
@@ Line 331: / Line 362: @@
 	<Directory /home/web/slacc.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 342: / Line 373: @@
 </code>
+==== SNUG Site ====
+<code rootshell>
+mkdir /home/web/snug.sluug.org
+chown -R www-data:snug /home/web/snug.sluug.org
+chmod g+s /home/web/snug.sluug.org
+</code>
+Edit ''/etc/apache2/sites-available/snug.sluug.org'':
+<file>
+<VirtualHost *>
+	ServerName snug.sluug.org
+	ServerAlias novell.sluug.org
+	ServerAlias netware.sluug.org
+	ServerAlias www.stl-nui.org
+	ServerAlias stl-nui.org
+	UseCanonicalName On
+	DocumentRoot /home/web/snug.sluug.org
+	<Directory /home/web/snug.sluug.org>
+		AllowOverride All
+		Options FollowSymLinks MultiViews
+		Order allow,deny
+		Allow from all
+	</Directory>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite snug.sluug.org
+</code>
+==== Webmail Site ====
+<code rootshell>
+mkdir /var/www/webmail.sluug.org
+chown -R www-data:www-data /var/www/webmail.sluug.org
+chmod g+s /var/www/webmail.sluug.org
+</code>
+Edit ''/etc/apache2/sites-available/webmail.sluug.org'':
+<file>
+<VirtualHost *>
+	ServerName webmail.sluug.org
+	ServerAlias mail.sluug.org
+	UseCanonicalName On
+	DocumentRoot /var/www/webmail.sluug.org/public
+	<Directory /var/www/webmail.sluug.org/public>
+		AllowOverride All
+		Options FollowSymLinks MultiViews
+		Order allow,deny
+		Allow from all
+	</Directory>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite webmail.sluug.org
+</code>
 ==== Test Site ====
@@ Line 360: / Line 450: @@
 	<Directory /home/web/test.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 418: / Line 508: @@
 	<Directory /home/booch/web/blog.craigbuchek.com>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 491: / Line 581: @@
 Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.
+==== Application Defenses ====
+Implement these defenses from [[http://www.0x000000.com/index.php?i=567&bin=1000110111]]:
+<file>
+# NC - Not Case sensitive, OR - previous rule OR following rul
+# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
+RewriteCond %{REQUEST_METHOD}  ^(TRACE|DELETE|TRACK) [NC,OR]
+# Prevent CRLF injection.
+RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
+# Prevent mangled referrers and cookies, intended to exploit log files and such.
+RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+# Clean up URIs and make sure they're 9999 characters or less.
+RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
+# Disallow some nasty user agents.
+RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+# Disallow nasty query strings.
+RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
+# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
+RewriteRule ^(.*)$ access_log.php
+</file>
 ==== SSL ====
 Turn on SSL.

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools