CentOS 6.3 & HTTPD (Apache)


16 replies to this topic

#1 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 03 February 2013 - 05:26 AM

At the moment I have a CentOS 6.3 server running in Hyper-V which hosts a small directory listing of all my non-preregistered software, like Windows ISO files and so on. The goal is to have a nice easy way to obtain these files while at school. This saves me from filling my laptop SSD up with ISO files, as I can just grab them via this server, which is much faster than most public mirrors for similar files.

Current setup:

1. IP-Tables are installed on CentOS and are blocking everything except SSH and HTTPS.
2. The perimeter firewall only forwards port 443 to this particular server.
3. I have altered my httpd.conf file to allow me to use a .htpasswd file to protect the root directory with a username and password. This .passwd file is kept out of the document root so it isn't served to the web.
4. As you might have guessed I'm running my own SSL certificate (4096) so passwords should be protected when I log in from a remote location.
5. Apache doesn't show its version number.
6. Everything is working fine so far.

My question is, seeing as this server isn't in a DMZ or isolated from the rest of my LAN; apart from a gaping hole in Apache, is there anything else I should do to secure it? Anything I haven't thought of that could become a big problem? Thanks, I appreciate the input.

Edited by smakme7757, 03 February 2013 - 08:29 AM.
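Since the thread never shows what points 3 and 5 of the setup look like in httpd.conf, here is an added example (my own, not the original poster's configuration) of an Apache 2.2 drop-in for CentOS 6 that does both, together with the one check I would always script: that the htpasswd file really sits outside the DocumentRoot. The paths /var/www/html and /etc/httpd/.htpasswd and the user name "isos" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Apache 2.2 drop-in for a password-
# protected ISO listing that also hides the server version, plus a guard
# that refuses to install it if the htpasswd file would be web-visible.
# DOCROOT, HTPASSWD and the user name "isos" are assumed values.

DOCROOT="${DOCROOT:-/var/www/html}"            # assumed DocumentRoot
HTPASSWD="${HTPASSWD:-/etc/httpd/.htpasswd}"  # kept outside DOCROOT on purpose

# Print the drop-in for /etc/httpd/conf.d/ (Apache 2.2 Order/Allow syntax,
# which is what CentOS 6.3 ships).
render_isos_conf() {
    cat <<EOF
# Never reveal the version in headers or on error pages
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<Directory "${DOCROOT}">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "ISO mirror"
    AuthUserFile "${HTPASSWD}"
    Require valid-user
</Directory>

# Refuse to serve any dot-file (.htpasswd, .htaccess) even if one lands in the tree
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Return 0 when FILE is not under DIR (so Apache can never serve it), 1 otherwise.
outside_docroot() {
    dir="${1%/}/"   # normalise to exactly one trailing slash
    file="$2"
    case "$file" in
        "$dir"*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Write the drop-in to OUT (default: the conf.d path), but only after the
# secret-file check passes.
install_isos_conf() {
    out="${1:-/etc/httpd/conf.d/isos.conf}"
    if ! outside_docroot "$DOCROOT" "$HTPASSWD"; then
        echo "refusing: $HTPASSWD is inside $DOCROOT and would be served" >&2
        return 1
    fi
    render_isos_conf > "$out"
    echo "wrote $out"
}

# Usage on the server (htpasswd comes from the httpd-tools package):
#   htpasswd -c "$HTPASSWD" isos              # creates the file, prompts for a password
#   chown root:apache "$HTPASSWD" && chmod 640 "$HTPASSWD"
#   install_isos_conf && apachectl configtest && service httpd reload
```

Basic auth sends the password base64-encoded, not encrypted, so this only holds up because the perimeter firewall forwards nothing but 443; if port 80 were ever opened as well, the listing would need a redirect to HTTPS before the auth challenge.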


#2 _sentinel

_sentinel

    Primarch

  • Atomican
  • 1,494 posts

Posted 05 February 2013 - 09:21 PM

*Nothing on the internet is safe*
With that out of the way...if someone wanted to mess with you, they could use SSLStrip...
Personally I'd just use SCP on a non standard port, and use Ostiary:
http://ingles.homeun.../ost/index.html
For some port knocking* goodness
Also don't use something silly like dyndns, and just use IP address monitoring via mail

#Removes tinfoil hat#

*kinda
C2D 6400 | GA-965P-DS4 | 4GB Team Xtreme | Radeon 4870 1GB | Razer AC-1 | Logitech G15 & G9 | Antec 182SE | Corsair HX620w | Thermalright Ultra120 eXtreme | Nexus Fans "Easy chewy, those buttons are your friends"

#3 iamthemaxx

iamthemaxx

    Super Hero

  • Super Hero
  • 29,287 posts
  • Location:(Check Length)

Posted 06 February 2013 - 07:58 AM

Look into fail2ban as well, it'd be a safe bet.

#4 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 06 February 2013 - 10:36 PM

Thanks for the replies guys. Very helpful. So far this is what I've done before I read your suggestions.

In Hyper-V:

1. Create new virtual switch of type Private.
2. Added the CentOS web server to that switch so it's the only machine there (isolated from the rest of the LAN - no internet access, can only see itself).
3. Installed a new VM with Sophos UTM.
4. Configured that as a bridge between my router and the webserver and only allowing the HTTPS protocol between the 2 - everything else is blocked/dropped.

So all traffic coming in on port 443 is sent to the Sophos UTM, which is configured to send 443 traffic to my web server. All traffic is inspected by the UTM, as well as uploads to the server being scanned by the IPS system and onboard antivirus. Downloads are however exempt.

I'll have a look at fail2ban, but I think the UTM might have similar technology. I'm yet to read through all the documentation though.

If for some reason my web server gets hacked and the attacker gets root access, all they get is access to that isolated network unless they can hack past the Sophos UTM.

Edited by smakme7757, 06 February 2013 - 10:36 PM.


#5 _sentinel

_sentinel

    Primarch

  • Atomican
  • 1,494 posts

Posted 06 February 2013 - 11:40 PM

Sounds like VLANing, but not really...If you want an honest opinion, seems overly complex for a simple task, but hey, it's also not what I'd consider a 'standard' setup, which is always a good thing. I like fail2ban, but once again, overly difficult to get onto my favorite router: OpenWRT, which is why I prefer Ostiary. I'd also rather trust myself with what is essentially an on/off switch. But to answer your initial question, the only thing I can see on face value, externally being a threat, is the SSL certs...they ain't as secure as people think, they are quite prone to MITM attacks now. The only protocol that is worth trusting (in my view) is SSH with keys, so the likes of SCP can be used for file transfer, and SShuttle is great for VPN like goodness. But also, once again, I'll quite happily admit I'm wearing a tinfoil hat right now...

#6 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 07 February 2013 - 12:10 AM

Sounds like VLANing, but not really...If you want an honest opinion, seems overly complex for a simple task, but hey, it's also not what I'd consider a 'standard' setup, which is always a good thing.
I like fail2ban, but once again, overly difficult to get onto my favorite router: OpenWRT, which is why I prefer Ostiary. I'd also rather trust myself with what is essentially an on/off switch.

But to answer your initial question, the only thing I can see on face value, externally being a threat, is the SSL certs...they ain't as secure as people think, they are quite prone to MITM attacks now. The only protocol that is worth trusting (in my view) is SSH with keys, so the likes of SCP can be used for file transfer, and SShuttle is great for VPN like goodness. But also, once again, I'll quite happily admit I'm wearing a tinfoil hat right now...

I like SCP as well, but I know how to do that ;). So setting it up with RSA key pairs on a non-standard port would have only taken an hour or so. Here I get to experiment with something I have never done before. So it's more or less a practical/useful experiment to be honest.

But I know you're right. The simplest solution is always the best solution more or less, but I felt like going "all in" on this one seeing as the technology was new to me.

Nice to know that the most likely threat would be a MITM, which isn't such a big deal I guess. It's mostly the isolation I was after in case someone got onto the public machine.

Edited by smakme7757, 07 February 2013 - 12:24 AM.


#7 Xen

Xen

    Overlord

  • Atomican
  • 3,006 posts

Posted 07 February 2013 - 09:49 AM

Just a few things (which have probably been mentioned).

Apache

If you are just using it to provide files most security issues should be fine for you.
ModSecurity would be overkill but have a look; if you set up something more complex later it will be useful.
Hide the Apache version.
Not much else should be needed for a default Apache setup other than keeping up with security patches.

SSH

Use a non-default port.
Set up fail2ban.
Use pub key auth only and also set it to only allow the users you specify (all in the sshd config).
Set up port knocking if you are incredibly paranoid.
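The SSH list above (non-default port, fail2ban, key-only auth, an explicit user allow-list) is exactly the kind of thing that drifts after a package upgrade, so here is an added example, written by me and not taken from Xen's post, that turns it into a config generator plus an audit of an existing sshd_config. Port 2222, the user name "smak" and the CentOS 6 log path /var/log/secure are assumptions; the fail2ban jail uses the 0.8-series jail.conf syntax that CentOS 6 shipped. Note that sshd uses the first occurrence of a keyword, not the last, which the audit honours.

```shell
#!/bin/sh
# Added example, not from the thread: generate the hardened sshd settings
# and audit an existing sshd_config against them. SSH_PORT, SSH_USERS and
# the fail2ban log path are assumed values for a CentOS 6 box.

SSH_PORT="${SSH_PORT:-2222}"
SSH_USERS="${SSH_USERS:-smak}"

# The settings Xen lists, as sshd_config lines (merge into /etc/ssh/sshd_config).
hardened_sshd_config() {
    cat <<EOF
Port ${SSH_PORT}
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers ${SSH_USERS}
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# fail2ban jail that bans on the non-default port (fail2ban 0.8 jail.local syntax).
fail2ban_sshd_jail() {
    cat <<EOF
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=${SSH_PORT}, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5
bantime  = 3600
EOF
}

# Effective value of KEY in FILE: sshd takes the FIRST occurrence, keywords
# are case-insensitive, and commented lines ("#Port 22") do not count.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }' "$1"
}

# Print a finding when KEY is not explicitly set to WANT; return 1 in that case.
# Unset is reported as weak on purpose: relying on compiled-in defaults is
# exactly what an audit should catch.
sshd_expect() {
    v="$(sshd_value "$1" "$2")"
    if [ "$v" != "$3" ]; then
        echo "$2: is '${v:-unset}', want '$3'"
        return 1
    fi
}

# Audit FILE; prints one line per weak setting and a count, returns 0 when clean.
audit_sshd_config() {
    f="$1"; bad=0
    sshd_expect "$f" PermitRootLogin no                 || bad=$((bad+1))
    sshd_expect "$f" PasswordAuthentication no          || bad=$((bad+1))
    sshd_expect "$f" PubkeyAuthentication yes           || bad=$((bad+1))
    sshd_expect "$f" ChallengeResponseAuthentication no || bad=$((bad+1))
    # Port and AllowUsers have no single right value: flag the default / missing.
    p="$(sshd_value "$f" Port)"
    [ -n "$p" ] && [ "$p" != "22" ] \
        || { echo "Port: ${p:-unset}, still the default 22"; bad=$((bad+1)); }
    [ -n "$(sshd_value "$f" AllowUsers)" ] \
        || { echo "AllowUsers: unset, every local account may log in"; bad=$((bad+1)); }
    echo "$bad weak setting(s)"
    [ "$bad" -eq 0 ]
}

# Usage:
#   audit_sshd_config /etc/ssh/sshd_config
#   hardened_sshd_config   # paste the lines at the TOP of sshd_config, then: service sshd reload
#   fail2ban_sshd_jail >> /etc/fail2ban/jail.local && service fail2ban restart
```

Keep a second SSH session open while reloading sshd with PasswordAuthentication off; if the key is not in ~/.ssh/authorized_keys the audit passes but you are locked out.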

#8 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 09 February 2013 - 11:42 PM

Just a few things (which have probably been mentioned).

Apache

If you are just using it to provide files most security issues should be fine for you.
ModSecurity would be overkill but have a look if you setup something more complex later it will be useful.
Hide the apache version.
Not much else should be needed for a default Apache setup other than keeping up with security patches.

SSH
Use a non-default port.
Setup fail2ban.
Use pub key auth only and also set it to only allow the users you specify (all in the sshd config).
Setup port knocking if you are incredibly paranoid.

Thanks for the tips. I've covered most of those so I think I'm in good shape. So far so good :).

#9 TinBane

TinBane

    Super Hero

  • Mod
  • 21,537 posts

Posted 11 February 2013 - 02:59 PM

And if you are using scp, learn rsync :) It will save you loads of time on slower connections to refresh files in either direction. If you can ssh, and you have rsync installed on client and server, you are good to go!
Romans 10:3 absit iniuria verbis

#10 _sentinel

_sentinel

    Primarch

  • Atomican
  • 1,494 posts

Posted 11 February 2013 - 06:55 PM

Somewhat off topic, but I came across this recently:
http://www.rapid7.co...nd-features.jsp

Made by the same guys that manage metasploit now, has a community version, and really quite useful (if you're into security that is).

#11 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 12 February 2013 - 12:31 AM

And if you are using scp, learn rsync :) It will save you loads of time on slower connections to refresh files in either direction.
If you can ssh, and you have rsync installed on client and server, you are good to go!



Somewhat off topic, but I came across this recently:
http://www.rapid7.co...nd-features.jsp

Made by the same guys that manage metasploit now, has a community version, and really quite useful (if you're into security that is).

Big headache, keeping this short and sweet.

Thanks TinBane: Never heard of Rsync - will check it out. Link that looks good.
Thanks _sentinel going to download a single user copy and check it out!

#12 Xen

Xen

    Overlord

  • Atomican
  • 3,006 posts

Posted 12 February 2013 - 01:21 PM

Somewhat off topic, but I came across this recently:
http://www.rapid7.co...nd-features.jsp

Made by the same guys that manage metasploit now, has a community version, and really quite useful (if you're into security that is).


Thanks... might give it a whirl at work.

#13 smakme7757

smakme7757

    Champion

  • Atomican
  • 4,205 posts
  • Location:Europe

Posted 12 February 2013 - 05:02 PM

Somewhat off topic, but I came across this recently:
http://www.rapid7.co...nd-features.jsp

Made by the same guys that manage metasploit now, has a community version, and really quite useful (if you're into security that is).


Thanks... might give it a whirl at work.

I gave it a shot last night using the virtual appliance and it's quite interesting. It highlighted that my PHP version on my hosted webspace is out of date and vulnerable to certain Metasploit attacks.

My personal webserver at home had a few flags for unused modules in Apache but otherwise it was looking good.

I probably shouldn't have mentioned that about my hosted web space, but meh lol.

#14 Leonid

Leonid

    Immortal

  • Atomican't
  • 40,545 posts

Posted 18 February 2013 - 02:57 PM

There's another few things you could do... and SSLing the site is an excellent move by the way.

If you're doing directory listing, you'll run into the "Index of /" problem.

Punch that into google, quotes and all to see what I mean - you can discover everyone's shares just by searching for a common header.

Security through obscurity is your friend - you'll want the HeaderName and ReadmeName directives in your .htaccess as well as the IndexIgnore directive:
http://stackoverflow...s-hide-index-of
"I'd rather die standing up than live on my knees." - Stephane Charbonnier (1967-2015)

"If liberty means anything, it means the right to tell people what they do not want to hear." - George Orwell

#15 SledgY

SledgY

    Master

  • Atomican
  • 917 posts

Posted 19 February 2013 - 12:13 PM

Another option if you like the convenience of HTTP/Apache is to tunnel HTTP traffic over SSH, e.g.:

ssh -L 8080:localhost:80 -N YOUR_HOSTNAME

Open up a terminal and enter the above (obviously replacing YOUR_HOSTNAME with your hostname); you can then browse to http://localhost:8080/

All traffic sent to port 8080 is sent over the SSH connection and forwarded to the specified remote host.

-L lets you specify a local port to connect to and a remote host (and port) to forward traffic to; the scheme of the argument is local_port:host:host_port
-N tells ssh not to attempt any remote commands.

Once done Ctrl+C to close the connection.

Edited by SledgY, 19 February 2013 - 12:16 PM.

poweredbypenguins.org - SledgY lives in the cloud...
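SledgY's one-liner works as typed, but two things bite in practice when you run it from a school network: without an explicit bind address the local port can end up reachable by others on that LAN if GatewayPorts is ever enabled, and ssh happily stays connected even when port 8080 was already taken and the forward silently failed. This added example (mine, not SledgY's command) wraps the same -L forward with those safeguards, a control socket so the tunnel can be closed cleanly, and a validator for the local_port:host:host_port argument. YOUR_HOSTNAME, the ports and the socket path are the post's values or my assumptions; IPv6 literals in the spec are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: safer wrapper around
#   ssh -L 8080:localhost:80 -N YOUR_HOSTNAME
# Binds the local end to 127.0.0.1 only, aborts if the forward cannot be
# set up, runs in the background behind a control socket, and can be torn
# down with close_tunnel. Host, ports and socket path are assumed values.

LOCAL_PORT="${LOCAL_PORT:-8080}"
REMOTE_PORT="${REMOTE_PORT:-80}"
SSH_HOST="${SSH_HOST:-YOUR_HOSTNAME}"
SOCK="${SOCK:-$HOME/.ssh/isotunnel.sock}"

# Validate and normalise a -L argument. Accepts "lport:host:rport" or
# "bind:lport:host:rport"; prints "bind lport host rport"; returns 1 on error.
# A missing bind address becomes 127.0.0.1 so the tunnel is never LAN-visible.
parse_forward_spec() {
    spec="$1"
    case "$spec" in
        *:*:*:*) bind="${spec%%:*}"; rest="${spec#*:}" ;;
        *:*:*)   bind="127.0.0.1";   rest="$spec" ;;
        *)       echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    lport="${rest%%:*}"; rest="${rest#*:}"
    host="${rest%%:*}";  rport="${rest#*:}"
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "port is not numeric: '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] \
            || { echo "port out of range: $p" >&2; return 1; }
    done
    [ -n "$host" ] || { echo "empty host in spec: $spec" >&2; return 1; }
    echo "$bind $lport $host $rport"
}

# Open the tunnel in the background. ExitOnForwardFailure makes ssh exit
# instead of staying connected with no forward; -C compresses (cheap win on
# a slow school link); -M -S keeps a control socket for close_tunnel.
open_tunnel() {
    fw="$(parse_forward_spec "${1:-$LOCAL_PORT:localhost:$REMOTE_PORT}")" || return 1
    set -- $fw
    ssh -f -N -C -M -S "$SOCK" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "$1:$2:$3:$4" "$SSH_HOST" && echo "tunnel up: http://$1:$2/"
}

# Tear the background tunnel down via the control socket.
close_tunnel() {
    ssh -S "$SOCK" -O exit "$SSH_HOST"
}

# Usage:
#   open_tunnel                 # or: open_tunnel 8081:localhost:80
#   curl -sI http://127.0.0.1:8080/ | head -n 1
#   close_tunnel
```

Everything the browser sends to 127.0.0.1:8080 now leaves the laptop only inside the SSH session, so the HTTP side needs no certificate at all; the server's iptables rules still apply to the forwarded connection, which arrives on its loopback interface.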

#16 Xen

Xen

    Overlord

  • Atomican
  • 3,006 posts

Posted 19 February 2013 - 01:23 PM

Another option if you like the convenience of HTTP/Apache is to tunnel HTTP traffic over SSH eg:

ssh -L 8080:localhost:80 -N YOUR_HOSTNAME

Open up a terminal and enter the above (obviously replacing with your hostname), you can then browse to http://localhost:8080/

All traffic sent to port 8080 is sent over the SSH connection and forwarded to the specified remote host.

-L lets you specify a local port to connect to and a remote host (and port) to forward traffic to, scheme of the argument is local_port:host:host_port
-N tells ssh to not attempt any remote commands.

Once done Ctrl+C to close the connection.


Good point and playing with the compression levels might help as well.

I use port forwarding for work but that's more due to me being too lazy to allow ports through all of the firewalls when it's only temporary.

#17 Leonid

Leonid

    Immortal

  • Atomican't
  • 40,545 posts

Posted 14 March 2013 - 07:19 PM

One more thing I also always like to do is to filter User Agents to prevent crawlers stealing my bandwidth - I tend to use haproxy for that but you can always use simple htaccess files
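Leonid's two tips, the HeaderName/ReadmeName/IndexIgnore directives from post #14 and the User-Agent filtering from post #17, both live in the same .htaccess, so here is one added example covering both (my own, not Leonid's file). The header file names, the crawler patterns and the Apache 2.2 syntax (CentOS 6) are assumptions; ua_blocked dry-runs the pattern list against a User-Agent string so the list can be checked before it goes live.

```shell
#!/bin/sh
# Added example, not from the thread: .htaccess for the ISO listing that
# (1) replaces the default "Index of /" page title and hides helper files,
# and (2) refuses requests whose User-Agent matches a crawler pattern.
# Pattern list and file names are assumed values; Apache 2.2 syntax.

# Extended regexes, matched case-insensitively by SetEnvIfNoCase and by ua_blocked.
BLOCKED_UA_PATTERNS="${BLOCKED_UA_PATTERNS:-googlebot bingbot yandex baiduspider}"

# Print the .htaccess for the listing directory.
render_listing_htaccess() {
    for p in $BLOCKED_UA_PATTERNS; do
        printf 'SetEnvIfNoCase User-Agent "%s" blocked_ua\n' "$p"
    done
    cat <<'EOF'
# Custom title and footer: nothing on the page says "Index of /"
HeaderName /HEADER.html
ReadmeName /README.html
# SuppressHTMLPreamble lets HEADER.html supply <html><head><title> itself,
# otherwise Apache still emits its own "Index of /" title
IndexOptions FancyIndexing SuppressHTMLPreamble NameWidth=*
# Keep the helper files, dot-files and partial uploads out of the listing
IndexIgnore HEADER.html README.html .??* *.part
Options +Indexes

# Refuse clients tagged above (mod_setenvif + core, Apache 2.2 form)
Order allow,deny
Allow from all
Deny from env=blocked_ua
EOF
}

# Header file that replaces the generated preamble; the title is ours.
render_header_html() {
    cat <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Files</title></head>
<body><h1>Files</h1>
EOF
}

# Footer inserted before Apache's own closing tags.
render_readme_html() {
    printf '<p>Private mirror.</p>\n'
}

# Dry run of the pattern list: 0 if this User-Agent would be refused, 1 otherwise.
ua_blocked() {
    ua="$1"
    for p in $BLOCKED_UA_PATTERNS; do
        if printf '%s' "$ua" | grep -qiE -- "$p"; then
            return 0
        fi
    done
    return 1
}

# Usage (DOCROOT assumed to be /var/www/html):
#   render_listing_htaccess > /var/www/html/.htaccess
#   render_header_html      > /var/www/html/HEADER.html
#   render_readme_html      > /var/www/html/README.html
#   ua_blocked "$(curl -sA '' -o /dev/null -w '%{http_user_agent}' http://example.invalid 2>/dev/null)" ; echo $?
```

These directives only take effect with AllowOverride Indexes Limit FileInfo Options on the directory; with AllowOverride None, put the same lines inside the <Directory> block in httpd.conf instead. Two caveats: a User-Agent is whatever the client claims, so this saves bandwidth from well-behaved crawlers but is not an access control, and adding "wget" or "curl" to the list would also lock out your own command-line downloads. Because the whole listing already sits behind Basic auth, crawlers get a 401 before they see a title; the header change matters most for anything left unauthenticated.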



