Using Apache

• Welcome to linuxzoo
  • System Administration
    • Apache
      • Using Apache

Basic Authentication

Basic Authentication

• Often you might want simple usernames and passwords to control access you parts of a website.
• There are many approaches for this.
• The easiest way is to use Basic Authentication.
• This, when required, asks the browser to ask you for a username and password for accessing protected pages.
• The username and password is sent as clear text for every page request made by the browser.

.htaccess

• The best way to control basic authentication is via an .htaccess file in the directory to protect.
• To allow this the <directory> definition which includes the directory to be protected must have

  	AllowOveride AuthConfig
  

Building a Password File

• You have to create a file with usernames and passwords.
• It is a good idea if this file is not one which someone can access via a URL.

  > htpasswd -c /home/gordon/password andrew
  New Password: *******
  Retype New Password: *******
  Adding password for user andrew.
  

  -c is only the first time running the command, as this creates the file too. Miss out -c after the first run.

.htaccess

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/gordon/password
Require user andrew

• Authtype Digest
  • This is another option, which requests the passwords in an encrypted format. It is not as widely supported as Basic.

The password file

• The password file created is just a text file.
• As a text file it does not scale well...
  • As more users are added the file gets bigger.
  • On every page request the file has to be parsed again.
• There are other formats available using hashed files (either db or dbm). These are faster to access but more complex to manage.

Any valid user

Require user andrew

• Can be changed to

  Require valid-user 
  

• In this way any user in the password file can access the directory.

Groups

• Just as in passwd users are also in groups, you can use the same idea for apache.
• Create a plain text file with the following format: Groupname: user1 user2 user3 ...
• If users gordon and andrew exists, and you want them to be known as group staff...

  staff: gordon andrew
  

  Add to .htaccess

  AuthType Basic
  AuthName "By Invitation Only"
  AuthUserFile /home/gordon/password
  AuthGroupFile /home/gordon/groups
  Require group staff 
  

Basic Auth Problems

• Its simple protection.
• Passwords in the clear.
• Every request need the password file lookup
• Large numbers of users difficult to manage
• Not a good idea for commercial systems
  • Yet some big sites use it!
• However, users recognise it and understand it.

Control by IP

• .htaccess can offer more control than just Basic Authentication.
• You can also restrict access to directories by IP.
• To do this you need to use
  • Order - read deny then allow or vice versa
  • Allow from - allow this match to access
  • Deny from - stop this match

Example

• Stop 10.0.0.1 accessing a directory...
• Edit the .htaccess in that directory:

  order allow,deny
  allow from all
  deny from 10.0.0.1
  

Order is important

order allow,deny
allow from all
deny from 10.0.0.1

• This is identical to:

  order allow,deny
  deny from 10.0.0.1
  allow from all
  

Domain Names

• You want to block anyone from jim.com and bob.com:

  order allow, deny
  deny bob.com jim.com
  allow all
  

Development site

• You want only 10.0.1.0/24 and 10.0.0.2 to access the site:

  order deny, allow
  deny 10.0.1.0/24
  deny 10.0.0.2
  allow all
  

Log Analysis

Logs

• Apache produces two types of log files
  • Error Logs
  • Access Logs
• Error logs are useful for debugging
• Access logs are excellent for monitoring how your site is being used.
  • Fun for people who have hobby sites
  • Life or death if your business relies on the web site.

Where are the logs

• Normally they go to /var/log/httpd/access_log and error_log
• In a virtual host we set them to what we liked:

  <VirtualHost>
  ...
  	ErrorLog logs/gr-error_log
    	CustomLog logs/gr-access_log combined
  </VirtualHost>
  

Logging in /var/log/http access file

• The normally used log format is called "combined".
• It contains significant amounts of information about each page request.
• Specifically, the log format is:

  %h %l %u %t %r %>s %b Referrer UserAgent
  

• h - IP of the client
• l - useless ident info
• u - username in basic authentication
• t - time of request
• r - the request itself
• s - The response code (e.g. 200 is a successful request)
• b - size of the response page
• Referrer - who the client things told it to come here
• User Agent - identification info of the browser

Analysing the log

• The log is useful in itself for checking the proper function of the server.
• However, traffic analysis is also valuable.
• There are a number of tools available to do this.
• One of the best free ones is webaliser.

Webaliser Summary

Analysis

• The summer is quiet for linuxzoo.
• Students are enthusiastic in October...
• After that it settles down to "kept busy".

Per day activity - October

• I wonder which day was the first tutorial?
• Look at the 7 day oscillations. This is common in many web sites.
• Who stole all my web site data on the 25th?

Hour analysis - October

• Peak learning time (so they say) is 11am.
• Students here seem to like 9am-4pm.
• American students produce another bump later at night.

Users

Referrer Info

What search terms?

Where from?

Google Analytics

• Another approach to web logging is to use JavaScript embedded in each web page.
• This does away with the need to access the web log.
  • Good if you don't have access!
• It does mean that
  • You only get logs where there is javascript switched on.
  • Each page is slowed by having extra stuff on it.
  • It's a little more complex.

db.grussell.org

Logging Summary

• What is best?
• I have used both and have mixed feelings...
• Things to consider
  • Convenience
  • Reliability
  • Availability
  • Performance
  • Cost
  • Privacy
  • Complexity

Apache Security

Security

• Hackers often consider a web server a good hacking target
• You should be very careful how apache is configured.
• The main problem is CGI scripts
  • CGI is a program which runs when you view a page.
  • Its output is sent back to the user's browser.
  • As it is an active process it can do permanent things to your server.

Simple CGI: who.cgi

#!/bin/sh
echo 'Content-Type: text/html; charset=ISO-8859-1'
echo
echo '<body><pre>'
whoami
env
echo '</pre></body>'

http://servername/who.cgi

apache SERVER_SIGNATURE=Apache/2.0.51 (Fedora) Server at servername Port 80 
UNIQUE_ID=umn4CZKwogYAADNFYkcAAAAI HTTP_KEEP_ALIVE=300 
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 
SERVER_PORT=80 
HTTP_HOST=servername DOCUMENT_ROOT=/home/gordon/public_html HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7 SCRIPT_FILENAME=/home/gordon/public_html/who.cgi REQUEST_URI=/who.cgi 
SCRIPT_NAME=/who.cgi 
SCRIPT_URI=http://servername/who.cgi 
HTTP_CONNECTION=keep-alive 
REMOTE_PORT=1234 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
SCRIPT_URL=/who.cgi 
PWD=/home/gordon/public_html SERVER_ADMIN=me@grussell.org HTTP_ACCEPT_LANGUAGE=en-gb,en;q=0.5 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
REMOTE_ADDR=50.50.50.1
SHLVL=1 
SERVER_NAME=servername SERVER_SOFTWARE=Apache/2.0.51 (Fedora)
QUERY_STRING= SERVER_ADDR=146.176.162.6 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 HTTP_ACCEPT_ENCODING=gzip,deflate REQUEST_METHOD=GET _=/bin/env 

Issues

• This cgi program only prints.
• However, it could also delete things, or transfer data, copy passwords, etc.
• A hacker is rarely wanting distruction.
• Hackers want access! This requires either
  • Transferring hacking programs to the server
  • Copying files from the server (e.g. /etc/passwd).

Ideas

• Make sure apache runs as a user just for the server
  • The user "apache" is commonly used here.
  • In the httpd.conf, make sure there is:

    	user apache
    	group apache
    

• Hide the apache version number.
  • Might be useful if a hacker is searching for a buggy apache version.
  • In httpd.conf

    	ServerSignature Off 
    	ServerTokens Prod 
    

• Don't allow apache to ever give pages from "/"

  <Directory /> 
  	Order Deny,Allow 
  	Deny from all 
  </Directory> 
  

• Do you really need directory browsing?

  	  Options -Indexes 
  

• The apache user should not own its conf files

  $ chown -R root:apache /etc/httpd
  $ chmod -R u=rwx,g=r,o-rwx /etc/httpd 
  

• Do not allow apache to surf the web:

  $ iptables -A OUTPUT -m owner 
  		--uid-owner apache 
                  -m state --state NEW 
             	-j DROP
  

Discussion

Discussion

• You want to secure apache so that all web requests can only use the characters a-z, ".", and "/". If they don't then display the contents of "/noway.html".

Discussion

• Here are some mock exam questions you should now be able to answer:

Question 1

• The following is an .htaccess file of a fictitious student on a student's web account.

  Auth Type Basic
  AuthTitle "Password Required"
  AuthUserFile home/jim/.www-password
  <Limit GET POST>
  Required user jim
  </Limit>
  

• Spot 4 errors

Question 2

• The following is an .htaccess file of a fictitious student on a student's web account.

  AuthType Basic
  AuthName "Password Required"
  AuthUserFile /home/09006754/.www-password
  <Limit GET POST>
  Require user server_admin
  </Limit>
  

• Provide the code to change the password for server_admin.

Question 3

• Below is a line from a webserver logfile:

  2005-10-17 00:00:08 W3SVC1097 213.171.193.80 GET /robots.txt - 80 - 202.160.180.33 HTTP/1.0 Mozilla/5.0+(compatible;+Yahoo!+Slurp;
  	+http://help.yahoo.com/help/us/ysearch/slurp) - - 404 0 2 1814 194 421
  

• What kind of request was this? Was this a successful request (i.e. was a document found)?