smakme7757

CentOS 6.3 & HTTPD (Apache)


At the moment I have a CentOS 6.3 server running in Hyper-V which hosts a small directory listing of all my non-preregistered software, like Windows ISO files and so on. The goal is to have a nice easy way to obtain these files while at school. This saves me from filling my laptop SSD up with ISO files, as I can just grab them via this server, which is much faster than most public mirrors for similar files.

Current setup.

1. iptables is installed on CentOS and is blocking everything except SSH and HTTPS.

2. The perimeter firewall only forwards port 443 to this particular server.

3. I have altered my httpd.conf file to allow me to use a .htpasswd file to protect the root directory with a username and password. This .htpasswd file is kept out of the document root so it isn't served to the web.

4. As you might have guessed I'm running my own SSL certificate (4096) so passwords should be protected when I log in from a remote location.

5. Apache doesn't show its version number.

6. Everything is working fine so far.

My question is, seeing as this server isn't in a DMZ or isolated from the rest of my LAN; apart from a gaping hole in Apache, is there anything else I should do to secure it? Anything I haven't thought of that could become a big problem?

Thanks, I appreciate the input.

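As an added example (not smakme7757's actual configuration), here is an httpd 2.2 / CentOS 6 fragment that matches points 3 to 5 of the setup above: Basic auth on the whole document root with the password file kept outside it, the version banner hidden, and only an HTTPS vhost. The paths, hostname and AuthName are assumptions, and it assumes mod_ssl is installed (its ssl.conf supplies Listen 443 and a default :443 vhost that this one replaces).

```apache
# Added example, not the poster's real httpd.conf. Assumed paths: document root
# /var/www/isos, password file /etc/httpd/conf/.htpasswd (outside the docroot).
# httpd 2.2 rejects comments placed after a directive on the same line.

# Point 5: announce only "Apache", and no version footer on error pages or listings
ServerTokens Prod
ServerSignature Off

# Points 1 and 2: only an HTTPS vhost; the stock "Listen 80" in httpd.conf is
# assumed to be commented out so nothing answers on port 80
<VirtualHost _default_:443>
    ServerName iso.example.internal
    DocumentRoot /var/www/isos

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/iso.crt
    SSLCertificateKeyFile /etc/pki/tls/private/iso.key
    # The Basic-auth password travels in a request header, so the transport
    # must not negotiate SSLv2/SSLv3 or anonymous/weak ciphers
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Point 3: the whole document root requires a valid user
    <Directory /var/www/isos>
        Options Indexes
        AllowOverride None
        AuthType Basic
        AuthName "ISO mirror"
        # Created with:  htpasswd -c /etc/httpd/conf/.htpasswd <user>
        # then:          chown root:apache /etc/httpd/conf/.htpasswd
        #                chmod 640 /etc/httpd/conf/.htpasswd
        AuthUserFile /etc/httpd/conf/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Belt and braces: should a copy of the password file ever land under the
# document root, refuse to serve any .ht* file
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```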

*Nothing on the internet is safe*

With that out of the way... if someone wanted to mess with you, they could use SSLStrip...

Personally I'd just use SCP on a non-standard port, and use Ostiary:

http://ingles.homeunix.net/software/ost/index.html

for some port knocking* goodness.

Also don't use something silly like DynDNS, and just use IP address monitoring via mail.

#Removes tinfoil hat#

*kinda


Thanks for the replies guys. Very helpful.

So far this is what I've done, before I read your suggestions.

In Hyper-V:

1. Created a new virtual switch of type Private.

2. Added the CentOS web server to that switch so it's the only machine there (isolated from the rest of the LAN - no internet access, it can only see itself).

3. Installed a new VM with Sophos UTM.

4. Configured that as a bridge between my router and the web server, only allowing the HTTPS protocol between the two - everything else is blocked/dropped.

So all traffic coming in on port 443 is sent to the Sophos UTM, which is configured to send 443 traffic to my web server. All traffic is inspected by the UTM, and uploads to the server are scanned by the IPS system and onboard antivirus. Downloads are however exempt.

I'll have a look at fail2ban, but I think the UTM might have similar technology. I'm yet to read through all the documentation though.

If for some reason my web server gets hacked and the attacker gets root access, all they get is access to that isolated network unless they can hack past the Sophos UTM.


Sounds like VLANing, but not really... If you want an honest opinion, it seems overly complex for a simple task, but hey, it's also not what I'd consider a 'standard' setup, which is always a good thing.

I like fail2ban, but once again, it's overly difficult to get onto my favorite router, OpenWRT, which is why I prefer Ostiary. I'd also rather trust myself with what is essentially an on/off switch.

But to answer your initial question, the only thing I can see on face value, externally, being a threat is the SSL certs... they ain't as secure as people think, they are quite prone to MITM attacks now. The only protocol that is worth trusting (in my view) is SSH with keys, so the likes of SCP can be used for file transfer, and sshuttle is great for VPN-like goodness. But also, once again, I'll quite happily admit I'm wearing a tinfoil hat right now...

I like SCP as well, but I know how to do that ;). So setting it up with RSA key pairs on a non-standard port would have only taken an hour or so. Here I get to experiment with something I have never done before, so it's more or less a practical/useful experiment to be honest.

But I know you're right. The simplest solution is always the best solution, more or less, but I felt like going "all in" on this one seeing as the technology was new to me.

Nice to know that the most likely threat would be a MITM, which isn't such a big deal I guess. It's mostly the isolation I was after, in case someone got onto the public machine.


Just a few things (which have probably been mentioned).

Apache

If you are just using it to provide files, most security issues should be fine for you.

ModSecurity would be overkill, but have a look; if you set up something more complex later it will be useful.

Hide the Apache version.

Not much else should be needed for a default Apache setup other than keeping up with security patches.

SSH

Use a non-default port.

Set up fail2ban.

Use pub key auth only, and also set it to only allow the users you specify (all in the sshd config).

Set up port knocking if you are incredibly paranoid.

Thanks for the tips. I've covered most of those so I think I'm in good shape. So far so good :).


And if you are using scp, learn rsync :) It will save you loads of time on slower connections to refresh files in either direction.

If you can ssh, and you have rsync installed on client and server, you are good to go!


Somewhat off topic, but I came across this recently:

http://www.rapid7.com/products/nexpose/edi...nd-features.jsp

 

Made by the same guys that manage Metasploit now, it has a community version, and is really quite useful (if you're into security, that is).

Big headache, keeping this short and sweet.

 

Thanks TinBane: never heard of rsync - will check it out. That link looks good.

Thanks _sentinel, going to download a single-user copy and check it out!


Thanks... might give it a whirl at work.

 

I gave it a shot last night using the virtual appliance and it's quite interesting. It highlighted that the PHP version on my hosted webspace is out of date and vulnerable to certain Metasploit attacks.

My personal web server at home had a few flags for unused modules in Apache, but otherwise it was looking good.

 

I probably shouldn't have mentioned that about my hosted web space, but meh lol.


There's another few things you could do... and SSLing the site is an excellent move, by the way.

If you're doing directory listing, you'll run into the "Index of /" problem.

Punch that into Google, quotes and all, to see what I mean - you can discover everyone's shares just by searching for a common header.

Security through obscurity is your friend - you'll want the HeaderName and ReadmeName directives in your .htaccess as well as the IndexIgnore directive:

http://stackoverflow.com/questions/1210902...s-hide-index-of


Another option, if you like the convenience of HTTP/Apache, is to tunnel HTTP traffic over SSH, e.g.:

ssh -L 8080:localhost:80 -N YOUR_HOSTNAME

Open up a terminal and enter the above (obviously replacing YOUR_HOSTNAME with your hostname); you can then browse to http://localhost:8080/

All traffic sent to port 8080 is sent over the SSH connection and forwarded to the specified remote host.

-L lets you specify a local port to connect to and a remote host (and port) to forward traffic to; the scheme of the argument is local_port:host:host_port

-N tells ssh not to attempt any remote commands.

Once done, Ctrl+C to close the connection.


Good point, and playing with the compression levels might help as well.

I use port forwarding for work, but that's more due to me being too lazy to allow ports through all of the firewalls when it's only temporary.


One more thing I also always like to do is to filter User-Agents to prevent crawlers stealing my bandwidth. I tend to use haproxy for that, but you can always use simple .htaccess files.

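As an added example that combines this post's User-Agent filter with the earlier suggestion about HeaderName, ReadmeName and IndexIgnore (it is not any poster's file), here is a .htaccess for the ISO listing directory; the same directives can equally go in the directory's <Directory> block in httpd.conf. It assumes httpd 2.2 with mod_autoindex and mod_setenvif loaded and AllowOverride Indexes Limit (or All) on that directory; the file names header.html/footer.html and the crawler pattern list are constructed.

```apache
# Added example .htaccess for the ISO listing directory (not from any post above).
# Assumes httpd 2.2 with mod_autoindex and mod_setenvif, and
# "AllowOverride Indexes Limit" (or All) for this directory in httpd.conf.

# ---- listing appearance ----------------------------------------------------
# header.html and footer.html are assumed files in this directory. header.html
# is a complete HTML document with its own <title>, so the stock preamble that
# would produce the searchable "Index of /" title is suppressed; because a
# ReadmeName is also set, mod_autoindex leaves the closing </body></html>
# to footer.html.
HeaderName header.html
ReadmeName footer.html
IndexOptions +SuppressHTMLPreamble +FancyIndexing +SuppressDescription

# Never list the header/footer themselves, dotfiles, or checksum sidecar files
IndexIgnore header.html footer.html .??* *.sha256

# ---- keep crawlers off the listing -----------------------------------------
# Requests whose User-Agent contains any of these substrings (case-insensitive)
# are tagged "crawler" and refused: with "Order Allow,Deny" a request matching
# both Allow and Deny is denied. Everyone else still has to pass Basic auth.
SetEnvIfNoCase User-Agent "googlebot|bingbot|yandex|baiduspider|slurp|crawler|spider" crawler
Order Allow,Deny
Allow from all
Deny from env=crawler
```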
