inittux

more apache/php

Recommended Posts

Going to set up a test domain this weekend and going to try to finally implement IDS on my server. Although I find modsecurity quite confusing still. With the ASL rules my whole site becomes access denied, and with just the base rules activated I get errors when changing some settings in the Joomla backend. I'll have a look at it later.


Share this post


Link to post
Share on other sites

Seems like I got mod_security working. Am able to do all my admin stuff in the backend without getting errors from mod_security. Using this

http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Installation

 

Is there any way to test it? Dave/Hybrid/Anyweb, feel free to try and test out the security of my webserver. And I got logwatch configured and working, only still working on getting fail2ban to work with the backend of my site. And I found this useful post which I will look at later again. And after I have looked at those I'll be looking at a smart way to backup/restore. And the last thing I still want to do is look some more into more security for my webserver, which I found plenty of information on on the web. Once I finally get all of this working and sorted out and feel I understand it enough to make/manage a secure webserver I'll be moving onto my next project on my server.

Share this post


Link to post
Share on other sites

If you have access to a Windows machine on your network, NetSparker Community Edition is a great tool for testing the security of your server -- and probably for testing your IDS too. It will pound at the target website, searching for vulnerabilities, 'fuzzing' the site's various inputs with all sorts of data to try and get it to behave in an unexpected way.

 

I've used it very successfully in the past to identify and resolve vulnerabilities in my web-facing code.

Share this post


Link to post
Share on other sites

Seems like my server security isn't all that great. And I think my server is also already being abused :(

Two email addresses which I know nothing of.

 

netsparker.JPG

Share this post


Link to post
Share on other sites

Both of these email addresses are used in the credits to the Apache icon set, which appear on DirectoryIndex pages. While NetSparker is warning you that these email addresses are made available publicly on your server, this particular entry is nothing to worry about!

 

See https://www.apache.org/icons/ for the credits.

 

This is also only an 'information' level issue that it has found (see the 'i' icon next to Email Address Disclosure in the Issue list). Therefore, it's not of the highest priority. This entry in the issues list doesn't at all suggest your server is compromised.

 

NetSparker will give you a lot of information. Interpreting the results is as important as doing the scan in the first place. :)

Share this post


Link to post
Share on other sites


I'm glad, otherwise I would really feel like a noob. The only thing that isn't safe is my PHP, it says:

 

Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

 

and my cookie is not marked as secure, but that would be logical because I generated my own HTTPS certificate, and my cookie is not marked as HTTP only. I will have a look at that.

 

And need to look at my directory listing:

 

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

Share this post


Link to post
Share on other sites
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

 

Again, this is low priority -- not a vulnerability per se, but just some information disclosure to your server's users that isn't strictly necessary.

 

To resolve this, you can find the relevant line in php.ini and change it to:

 

expose_php = Off

 

and my cookie is not marked as secure, but that would be logical because I generated my own HTTPS certificate, and my cookie is not marked as HTTP only. I will have a look at that.

 

This might be a setting in the CMS software you're using -- there might be a Joomla setting to make the cookie marked as 'secure'. (Note that marked as 'secure' and marked as 'HTTP only' are different things.)

 

 

And need to look at my directory listing:

 

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

 

For this, you'll need to go to the Apache configuration for that particular <Directory> and change the Options line:

 

Options -Indexes

 

(You probably want to just add -Indexes to the line, and remove Indexes if it is there, because a brand new Options line will override any other Options that might be set).

Share this post


Link to post
Share on other sites
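One way to verify the three fixes above against a captured HTTP response. This is an added example, not code from the thread; the response below is constructed and the cookie names are hypothetical.

```python
"""Check a raw HTTP response for the three findings discussed above: PHP
version disclosure via X-Powered-By, Set-Cookie headers without Secure or
HttpOnly, and an Apache directory listing.  Added example with a constructed
response; nothing here was captured from the server in the thread."""
from email.parser import Parser

# Constructed sample response, modelled on the NetSparker findings above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"                                # expose_php = On
    "Set-Cookie: 0b1e9d0c3f=abc123; path=/\r\n"                  # neither flag
    "Set-Cookie: joomla_user_state=logged_in; path=/; secure\r\n"  # Secure only
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /images</title></head><body></body></html>"
)


def parse_response(raw):
    """Split a raw response into (status line, headers, body).  The e-mail
    header parser is used because it keeps repeated Set-Cookie headers."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    return status_line, Parser().parsestr(header_text), body


def cookie_findings(headers):
    """Map each cookie name to the list of flags it lacks.  Secure and HttpOnly
    are separate attributes, as the post notes, so both are checked."""
    out = {}
    for raw in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        out[name] = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return out


def audit(raw):
    """Return human-readable findings, each paired with the fix from the thread."""
    _, headers, body = parse_response(raw)
    findings = []
    powered = headers.get("X-Powered-By", "")
    if powered.lower().startswith("php"):
        findings.append(f"PHP version disclosed: {powered} (set expose_php = Off)")
    for name, missing in cookie_findings(headers).items():
        if missing:
            findings.append(f"cookie {name} lacks {', '.join(missing)}")
    if "<title>Index of /" in body:
        findings.append("directory listing enabled (add -Indexes to Options)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```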

"Options -Indexes" is supposed to be an apache default setting for quite some time now.

 

I remember the days when +Indexes was commonplace, then -Indexes and "403=welcome.html" kicked in (which caused me no end of headache when trying to debug Apache configs, I tell you).

 

In terms of pen-testing, nessus can scan and report vulns.

 

To see what's happening in real-time, "tail -f /var/log/httpd/mod_security.log" or so to watch reports scrolling up the page.

Share this post


Link to post
Share on other sites

In my case it would be audit_log. Seems to be working :)

 

tail -f /var/log/httpd/audit_log

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoj7UQg8AAC-zIsAAAAAA] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-2LQoAAAAD] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-0JiQAAAAB] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-3MHkAAAAE] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-4M@wAAAAF] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-1KZ4AAAAC] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-5N18AAAAG] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-6OsoAAAAH] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.4.128] [domain feedmebits.nl] [500] [/20111129/20111129-1310/20111129-131010-TtTLoj7UQg8AAC-0JiUAAAAB] (null)

[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111129/20111129-1543/20111129-154345-TtTvoT7UQg8AAC-zIsQAAAAA] (null)

Share this post


Link to post
Share on other sites

When I've been debugging mod_sec, I find that a tail of that logfile when a site breaks on me shows what's tripping it (rule name, ID, etc).

 

Note that - in terms of vulnerabilities - disclosure of information is not insecure in itself. How that information is used to enumerate and select an exploit is.

 

Concealing the fact you're using a version of PHP does not make that version secure, it just means a cracker will take longer to choose an appropriate attack vector.

Share this post


Link to post
Share on other sites
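A small parser for the audit-log summary lines pasted in this thread, to pull out what is tripping (rule id, message, severity), whether the rule actually blocked or only logged, and which clients are behind it. Added example, not code from the thread or from Atomicorp; the sample lines are constructed with documentation IP ranges and an invented domain, while the rule ids and file names are the ones shown in the posts above.

```python
"""Summarise ModSecurity audit-log summary lines in the format pasted above:
which rule trips (id, message, severity), whether it blocked, and which clients
are behind it.  Added example; the lines are constructed with documentation IP
ranges and are not the thread's real log."""
import re
from collections import Counter

STRICT = '[file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.'
BRUTE = 'Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]'
CONNECT = '[file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.'

# Constructed sample log (one audit entry per line).
SAMPLE_LOG = "\n".join([
    f"[modsecurity] [client 192.0.2.10] [domain example.test] [200] [/20111129/a1] {STRICT}",
    f"[modsecurity] [client 192.0.2.10] [domain example.test] [200] [/20111129/a2] {STRICT}",
    "[modsecurity] [client 198.51.100.7] [domain example.test] [400] [/20111211/a3] (null)",
    f"[modsecurity] [client 203.0.113.5] [domain example.test] [301] [/20111212/a4]  {CONNECT}",
    f"[modsecurity] [client 192.0.2.44] [domain example.test] [200] [/20111214/a5] {BRUTE}",
    f"[modsecurity] [client 192.0.2.44] [domain example.test] [200] [/20111214/a6] {BRUTE}",
    f"[modsecurity] [client 192.0.2.44] [domain example.test] [200] [/20111214/a7] {BRUTE}",
])

HEAD = re.compile(r'^\[modsecurity\] \[client (?P<client>\S+)\] \[domain (?P<domain>\S+)\] '
                  r'\[(?P<status>\d+)\] \[(?P<audit>[^\]]+)\] *(?P<rest>.*)$')
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [name "value"] pairs


def parse_line(line):
    """Parse one summary line into a dict, or None if it is not one."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest").strip()
    fields = dict(FIELD.findall(rest))          # file, line, id, msg, severity ...
    rec["rule_id"] = fields.get("id", "-")
    rec["severity"] = fields.get("severity", "-")
    rec["msg"] = fields.get("msg", "")
    if rest == "(null)":                         # no rule fired; entry kept for its status
        rec["action"] = "no rule message"
    elif "Access denied" in rest:
        rec["action"] = "blocked"
    else:                                        # e.g. the "(Not Blocked)" brute-force rule
        rec["action"] = "logged only"
    return rec


def summarise(text):
    """Hits per (rule id, severity, action) and per (client, rule id)."""
    by_rule, by_client = Counter(), Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        by_rule[(rec["rule_id"], rec["severity"], rec["action"])] += 1
        by_client[(rec["client"], rec["rule_id"])] += 1
    return by_rule, by_client


def unblocked_failures(by_client, rule_id="377304", threshold=3):
    """Clients that hit a log-only rule (default: the Joomla login-failure rule
    above) at least `threshold` times: the input a fail2ban jail would act on."""
    return sorted(c for (c, rid), n in by_client.items() if rid == rule_id and n >= threshold)


if __name__ == "__main__":
    by_rule, by_client = summarise(SAMPLE_LOG)
    for key, n in by_rule.most_common():
        print(n, *key)
    print("repeat login failures:", unblocked_failures(by_client))
```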

Seems like my mod_security is working :)

 

# tail /home/www/feedmebits.nl/logs/error.log

[Thu Dec 01 15:42:56 2011] [error] [client 145.117.85.40] File does not exist: /home/www/feedmebits.nl/htdocs/login

[sat Dec 03 16:58:54 2011] [error] [client 94.24.41.240] ModSecurity: [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup of 240.41.24.94.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [hostname "62.212.66.15"] [uri "/admin/cdr/counter.txt"] [unique_id "TtpHPj7UQg8AAC-4NEcAAAAF"]

 

Still working on my fail2ban. But looking at this seems like mod_security is giving me some protection :)

Share this post


Link to post
Share on other sites

Look also at your modsec_audit_log and modsec_debug_log - they should have more detailed info.

Share this post


Link to post
Share on other sites

[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-0519/20111211-051943-TuQvXz7UQg8AABLQSoYAAAAE] (null)
[modsecurity] [client 75.146.88.220] [domain feedmebits.nl] [400] [/20111211/20111211-0829/20111211-082944-TuRb6D7UQg8AABLTUYoAAAAH] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-1244/20111211-124434-TuSXoj7UQg8AABPsRtgAAAAP] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111211/20111211-1527/20111211-152723-TuS9yz7UQg8AABLMQSgAAAAA] (null)
[modsecurity] [client 212.68.63.135] [domain feedmebits.nl] [400] [/20111211/20111211-1842/20111211-184226-TuTrgj7UQg8AABLQSo4AAAAE] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-2035/20111211-203545-TuUGET7UQg8AABLNQ4IAAAAB] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111212/20111212-0226/20111212-022601-TuVYKT7UQg8AABLMQSoAAAAA] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-0400/20111212-040025-TuVuST7UQg8AABLTUZMAAAAH] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-1125/20111212-112536-TuXWoD7UQg8AABPsRuAAAAAP] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111212/20111212-1322/20111212-132252-TuXyHD7UQg8AABLMQTMAAAAA] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-1852/20111212-185229-TuY-XT7UQg8AABLST0gAAAAG] (null)
[modsecurity] [client 188.32.174.67] [domain feedmebits.nl] [400] [/20111212/20111212-1958/20111212-195833-TuZO2T7UQg8AABPlKsUAAAAI] (null)
[modsecurity] [client 109.73.175.3] [domain www.donniepinkston.net] [301] [/20111212/20111212-2317/20111212-231745-TuZ9iT7UQg8AABPtSrgAAAAQ]  [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 109.73.175.3] [domain www.pr0.net] [301] [/20111212/20111212-2329/20111212-232907-TuaAMz7UQg8AABLNQ5IAAAAB]  [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-0022/20111213-002247-TuaMxz7UQg8AABPoNbEAAAAL] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-0216/20111213-021646-Tuanfj7UQg8AABPlKs0AAAAI] (null)
[modsecurity] [client 109.73.175.3] [domain www.donniepinkston.net] [301] [/20111213/20111213-0221/20111213-022141-TuaopT7UQg8AABLRTPwAAAAF]  [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 62.149.171.68] [domain feedmebits.nl] [400] [/20111213/20111213-0409/20111213-040910-TubB1j7UQg8AABLST1EAAAAG] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-0941/20111213-094136-TucPwD7UQg8AABLMQT4AAAAA] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-1113/20111213-111334-TuclTj7UQg8AABPtSsAAAAAQ] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-1704/20111213-170452-Tud3pD7UQg8AABPqPeQAAAAN] (null)
[modsecurity] [client 109.230.213.134] [domain feedmebits.nl] [400] [/20111213/20111213-2122/20111213-212236-Tue0DD7UQg8AABLORfcAAAAC] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-2209/20111213-220943-Tue-Fz7UQg8AABPrRJwAAAAO] (null)
[modsecurity] [client 109.230.213.134] [domain feedmebits.nl] [400] [/20111213/20111213-2236/20111213-223608-TufFSD7UQg8AABPrRJ8AAAAO] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-0028/20111214-002848-TuffsD7UQg8AABPqPesAAAAN] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-0751/20111214-075142-TuhHfj7UQg8AABLQSrAAAAAE] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111214/20111214-0859/20111214-085931-TuhXYz7UQg8AABLMQUoAAAAA] (null)
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114138-Tuh9YT7UQg8AABLQSrIAAAAE] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114145-Tuh9aT7UQg8AABLNQ6QAAAAB] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114151-Tuh9bj7UQg8AABPoNcIAAAAL] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114156-Tuh9cz7UQg8AABLPSFQAAAAD] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-1515/20111214-151521-TuiveT7UQg8AABLRTQwAAAAF] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111214/20111214-1953/20111214-195325-TujwpT7UQg8AABPuTdYAAAAR] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-2239/20111214-223911-TukXfz7UQg8AABLRTQ0AAAAF] (null)

Looks like it is working from those logs :)

 

fail2ban is still a challenge. But it's fun working on various projects at the same time. After I'm done with these small projects, I want to start my next big project.

Share this post


Link to post
Share on other sites

Just ensure that you whitelist your own IP in F2B - it's possible to lock yourself out!

 

(I did it once when connecting remotely from an airport before flying out. I had to connect back to my home machine then connect through that to the remote server to remove the block)

 

F2B is dead cool, but requires a bit of reading and planning prior to implementation. Once I get my linux blog sorted, I'll post my experiences on that.

Share this post


Link to post
Share on other sites