Monday, January 28, 2013

Vulnerability fixes – HTTP Server Prone To Slow Denial Of Service Attack

What if your security team runs a vulnerability scan and finds that your Apache Web Server is flagged as "HTTP Server Prone To Slow Denial Of Service Attack"?

Normally, this finding means an attacker can use a tool such as slowloris to hold connections to your Apache Web Server open until the web server goes down. For my testing, I used the "HTTP attack version 3.6 (slow headers and slow POST)" tool to conduct the test. Please visit http://code.google.com/p/slowhttptest/

How to avoid this?

Step 1: Open httpd.conf and uncomment this line:

LoadModule reqtimeout_module modules/mod_reqtimeout.so

Step 2: Add this block to httpd.conf

<IfModule reqtimeout_module>
# Wait max 10 seconds for the first byte of the request line+headers
# From then, require a minimum data rate of 500 bytes/s, but don't
# wait longer than 20 seconds in total.
RequestReadTimeout header=10-20,minrate=500
# Wait max 10 seconds for the first byte of the request body (if any)
# From then, require a minimum data rate of 500 bytes/s.
RequestReadTimeout body=10,minrate=500
</IfModule>

Restart your web server.
Voila, your Apache Web Server now drops connections that send their request headers or body too slowly, which is exactly what the scanner was checking for!
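To see what the two RequestReadTimeout lines above actually do to a slow client, here is a small model of the directive's documented semantics. This is an added example, not part of the original post and not Apache's own code: it parses the header=/body= arguments and replays constructed traffic samples against them, showing when the initial timeout, the MinRate extension and the 20 second cap each decide the outcome.

```python
"""Simplified model of mod_reqtimeout's RequestReadTimeout semantics.

Added example, not part of the original post and not Apache's own code.
It models the documented behaviour: the server waits `initial` seconds
for the first byte, then extends the deadline by one second per
`MinRate` bytes received, never beyond the optional maximum.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ARG_RE = re.compile(
    r"^(?P<stage>header|body)=(?P<init>\d+)(?:-(?P<max>\d+))?"
    r"(?:,\s*MinRate=(?P<rate>\d+))?$",
    re.IGNORECASE,
)


@dataclass
class ReadTimeout:
    stage: str                 # "header" or "body"
    initial: float             # seconds the server waits for the first byte
    maximum: Optional[float]   # hard cap on the whole read, None = no cap
    min_rate: Optional[float]  # bytes/s the client must sustain after the first byte


def parse_argument(arg: str) -> ReadTimeout:
    """Parse one argument such as 'header=10-20,MinRate=500'."""
    m = ARG_RE.match(arg.strip())
    if not m:
        raise ValueError(f"unrecognised RequestReadTimeout argument: {arg!r}")
    initial = float(m["init"])
    maximum = float(m["max"]) if m["max"] else None
    rate = float(m["rate"]) if m["rate"] else None
    if maximum is not None and maximum < initial:
        raise ValueError("maximum timeout must not be below the initial timeout")
    return ReadTimeout(m["stage"].lower(), initial, maximum, rate)


def parse_directive(line: str) -> list[ReadTimeout]:
    """Parse a whole 'RequestReadTimeout header=... body=...' line."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "requestreadtimeout":
        raise ValueError("not a RequestReadTimeout line")
    return [parse_argument(t) for t in tokens[1:]]


def would_time_out(cfg: ReadTimeout, chunks: list[tuple[float, int]],
                   request_complete: bool) -> tuple[bool, float]:
    """Replay a client that delivers `chunks` of (seconds_since_accept, bytes).

    Returns (closed, seconds): whether the server would close the connection,
    and the deadline in force when it did (or when the read finished).
    """
    deadline = cfg.initial
    for at, nbytes in chunks:
        if at > deadline:
            return True, deadline   # server gave up before this chunk arrived
        if cfg.min_rate:
            deadline += nbytes / cfg.min_rate
            if cfg.maximum is not None:
                deadline = min(deadline, cfg.maximum)
    if not request_complete:
        return True, deadline       # headers never finished; the deadline expires
    return False, deadline


# Constructed traffic samples (not captured from a real server).
HEADER_CFG = parse_argument("header=10-20,MinRate=500")
NORMAL_CLIENT = [(0.3, 420)]                          # request line + headers in one go
SLOW_HEADERS = [(9.0, 12), (19.0, 12), (29.0, 12)]    # a few bytes every ten seconds
TRICKLE_500BPS = [(s, 500) for s in range(1, 31)]     # exactly the minimum rate for 30 s

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_CLIENT), ("slow headers", SLOW_HEADERS),
                          ("trickle", TRICKLE_500BPS)):
        closed, when = would_time_out(HEADER_CFG, sample, request_complete=(label == "normal"))
        print(f"{label:13s} closed={closed} deadline={when:.3f}s")
```

The trickle sample is the instructive one: a client that sends exactly 500 bytes per second keeps extending its deadline, but the `-20` cap still closes the connection at 20 seconds, so the maximum value bounds how long any single connection can occupy a worker regardless of how the client paces itself.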

Sunday, January 27, 2013

How to use mod_rewrite to redirect the request to your web application?

Recently, I was asked to redirect requests that access the root of my web server directly (for example, http://[SERVER]/, http://[SERVER]/index.html, https://[SERVER]/ or https://[SERVER]/index.html) to the login page of my web application. For some reasons I could not use RedirectMatch or Redirect, as I have other RewriteRules which I need to take into consideration. Below is a simple configuration using RewriteEngine to achieve the requirement.

First step, open httpd.conf and uncomment

LoadModule rewrite_module modules/mod_rewrite.so


For your info, I have configured 2 virtual hosts in httpd-vhosts.conf

1. One virtual host which is listening on port 80
2. One virtual host which is listening on port 443, which is my SSL configuration.

I also configured mod_jk, in the virtual host configuration as well, to forward request traffic to my application server.

Hence, my httpd-vhosts.conf currently has a configuration like this,

<VirtualHost *:80>
     ServerAdmin webmaster@dummy-host2.example.com
     DocumentRoot "C:\Apache24\htdocs"
     ServerName dummy-host2.example.com
     ErrorLog "logs/dummy-host2.example.com-error.log"
     CustomLog "logs/dummy-host2.example.com-access.log" common
     ...
</VirtualHost>

<VirtualHost *:443>
     ServerAdmin webmaster@dummy-host2.example.com
     DocumentRoot "C:\Apache24\htdocs"
     ServerName dummy-host2.example.com
     ErrorLog "logs/dummy-host2.example.com-error.log"
     CustomLog "logs/dummy-host2.example.com-access.log" common
     ...
</VirtualHost>


I added the rewrite rule to each of the virtual host configurations

RewriteEngine On

RewriteCond %{REQUEST_URI} ^/index.html [OR]
RewriteCond %{REQUEST_URI} "^/$"
RewriteRule (.*)  https://%{HTTP_HOST}/myapp/ [R=301,L]


This is to make sure that whoever opens a browser and types in http://[SERVER]/, http://[SERVER]/index.html, https://[SERVER]/ or https://[SERVER]/index.html will be redirected to https://[SERVER]/myapp/, which is the URL of my web application.
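Before restarting Apache with a cached 301 in play, it is worth checking which paths the two conditions really match. The model below is an added example, not part of the original post and not mod_rewrite itself: it reduces the rules to "fire when either RewriteCond matches REQUEST_URI, then redirect to https://<host>/myapp/", and also includes a tightened pattern (STRICT_CONDS, my assumption, not something the post configures) that escapes the dot and anchors the end so that only /index.html itself matches.

```python
"""Model of the two RewriteCond lines and the RewriteRule from the post.

Added example, not part of the original post and not mod_rewrite itself.
POST_CONDS are the patterns as written in the post; STRICT_CONDS is a
tightened variant I am proposing, not something the post configures.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Conditions exactly as written in the post ('.' unescaped, no end anchor on the first)
POST_CONDS = [r"^/index.html", r"^/$"]
# Tightened variant: escape the dot and anchor the end so only /index.html matches
STRICT_CONDS = [r"^/index\.html$", r"^/$"]

APP_PATH = "/myapp/"   # the application URL the post redirects to


def redirect_target(url: str, conds=POST_CONDS) -> Optional[str]:
    """Return the Location the 301 would carry, or None when the rule does not fire.

    REQUEST_URI is the path part only, so the query string takes no part in
    the match, and the RewriteRule's (.*) does not affect the decision: the
    substitution is a fixed URL built from HTTP_HOST.
    """
    parts = urlsplit(url)
    request_uri = parts.path or "/"
    # RewriteCond patterns are searched, not fully anchored, unless the pattern anchors itself
    if any(re.search(c, request_uri) for c in conds):
        return f"https://{parts.netloc}{APP_PATH}"
    return None


def redirect_chain(url: str, conds=POST_CONDS, limit: int = 5) -> list:
    """Follow the modelled redirects; stops after `limit` hops so a loop is visible."""
    chain = [url]
    nxt = redirect_target(url, conds)
    while nxt is not None and len(chain) <= limit:
        chain.append(nxt)
        nxt = redirect_target(nxt, conds)
    return chain


if __name__ == "__main__":
    for u in ("http://srv/", "http://srv/index.html", "https://srv/index.html",
              "https://srv/myapp/", "http://srv/index.htmlx", "http://srv/login"):
        print(f"{u:28s} post={redirect_target(u)!s:22s} strict={redirect_target(u, STRICT_CONDS)}")
```

Two things the model makes visible: the redirect never loops, because /myapp/ matches neither condition, and the unescaped, unanchored `^/index.html` also catches paths such as /index.htmlx or /index-html. That is harmless for this use but is the kind of pattern that surprises later when more RewriteRules are added, so the anchored form is the safer one to keep. Also, since the rule uses R=301, browsers cache the answer; test with R=302 first and switch to 301 once the target is settled.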

Thursday, January 24, 2013

How to configure mod_jk to redirect your traffic from Apache Web Server (2.4) to Tomcat?

In a corporate environment, there might be a requirement that end users are not allowed direct access to the application server (the Tomcat server). Users access the web server (Apache Web Server) and the web server forwards the traffic to the application server. Hence, the configuration below serves that purpose.

To configure mod_jk in Apache Web Server (2.4), the assumptions are:

1. Apache Web Server 2.4 is used
2. Apache home folder is c:\Apache24
3. mod_jk.so and workers.properties are placed in the c:\Apache24\conf folder

Step 1 - Open the httpd.conf and add in the configuration as shown below:

# Load mod_jk for communicating with Tomcat
LoadModule jk_module "C:/Apache24/conf/mod_jk.so"
# Where to find workers.properties
JkWorkersFile "C:/Apache24/conf/workers.properties"
# Where to put jk logs
JkLogFile "C:/Apache24/logs/mod_jk.log"
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions: forward the SSL key size to Tomcat, keep the compatible URI forwarding mode, do not forward directory requests
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat sets the request log format
JkRequestLogFormat "%w %V %T"

Step 2 - Add workers.properties to c:\Apache24\conf with the settings shown below

worker.list=worker
worker.worker.port=8009
worker.worker.host=localhost
worker.worker.type=ajp13

Step 3 - If you configure virtual hosts, add the line below to each of the virtual host configurations in httpd-vhosts.conf. Otherwise, add it to httpd.conf.

JkMount /myserverpath* worker
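A hand-edited workers.properties is easy to get out of step with the JkMount line that refers to it: the name in worker.list, the names in the worker.<name>.* properties and the name in JkMount all have to agree, or mod_jk logs errors at start-up and the mount silently does nothing. The checker below is an added example, not part of the original post and not a mod_jk tool; it only knows the property names used above (worker.list and worker.<name>.type/host/port), and the two sample files are constructed for the demonstration.

```python
"""Sanity check for a mod_jk workers.properties plus the JkMount lines that refer to it.

Added example, not part of the original post and not a mod_jk tool.  It
flags a listed worker with no definition, a defined worker nothing lists,
an ajp13 worker with a missing or invalid host/port, and a JkMount that
names a worker that is not in worker.list.
"""
import re

JKMOUNT_RE = re.compile(r"^\s*JkMount\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' or '!' comments, blanks ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {raw!r}")
        props[key.strip()] = value.strip()
    return props


def worker_definitions(props):
    """Group worker.<name>.<attr> entries by worker name (worker.list excluded)."""
    defined = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker" and parts[1] != "list":
            defined.setdefault(parts[1], {})[parts[2]] = value
    return defined


def check_workers(properties_text, httpd_conf_text=""):
    """Return a list of problem strings; an empty list means the files agree."""
    props = parse_properties(properties_text)
    listed = [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]
    defined = worker_definitions(props)
    problems = []
    if not listed:
        problems.append("worker.list is missing or empty")
    for name in listed:
        attrs = defined.get(name)
        if attrs is None:
            problems.append(f"'{name}' is in worker.list but has no worker.{name}.* properties")
            continue
        if attrs.get("type") == "ajp13":
            for needed in ("host", "port"):
                if needed not in attrs:
                    problems.append(f"ajp13 worker '{name}' has no {needed}")
            port = attrs.get("port", "")
            if port and not (port.isdigit() and 1 <= int(port) <= 65535):
                problems.append(f"worker '{name}' has invalid port {port!r}")
        elif "type" not in attrs:
            problems.append(f"worker '{name}' has no type")
    for name in defined:
        if name not in listed:
            problems.append(f"worker '{name}' is defined but not in worker.list")
    for line in httpd_conf_text.splitlines():
        m = JKMOUNT_RE.match(line)
        if m and m.group(2) not in listed:
            problems.append(f"JkMount {m.group(1)} refers to unknown worker '{m.group(2)}'")
    return problems


# Constructed samples: one file where the list and the definitions disagree, one that is consistent.
MISMATCHED = """\
worker.list=worker
worker.mcWorker.port=8009
worker.mcWorker.host=localhost
worker.mcWorker.type=ajp13
"""
CONSISTENT = """\
worker.list=tomcat1
worker.tomcat1.port=8009
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
"""
VHOST_MOUNT = "JkMount /myserverpath* tomcat1\n"

if __name__ == "__main__":
    print("mismatched:", check_workers(MISMATCHED) or "ok")
    print("consistent:", check_workers(CONSISTENT, VHOST_MOUNT) or "ok")
```

Run it against the real files before restarting Apache; passing the httpd-vhosts.conf text as the second argument also catches a JkMount that names a worker the properties file never lists.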


Tuesday, January 22, 2013

Apache server unable to start after https setup?


A weird thing happened after I configured https on my Apache Web Server: my web server was unable to start!!! To resolve this issue, open httpd-ssl.conf and replace "Listen 443" with "Listen 443 http".



SSLSessionCache: Invalid argument: size has to be >= 8192 bytes

During the Apache https setup, I encountered the error shown in the title above when I ran the "httpd -S" command.


To resolve this issue, I ran the command "dir /x c:\" to find the short form of the directory name.



Replace the folder name in httpd-ssl.conf with the short-form directory name reported by "dir /x", for example:
SSLSessionCache        "shmcb:C:/PROGRA~2/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"

How to generate self signed certificate on Apache Web Server (2.2)?

Step 1:

- Download an Apache build which has OpenSSL bundled with it as a package. You can go to http://www.apachelounge.com/download/
- Open command prompt and browse to the "APACHE_HOME\bin" folder
- Follow the steps as shown below:

1. Generate private key
openssl genrsa -des3 -out "[CERTIFICATE_FOLDER]\server.key" 1024

2. Generate CSR
openssl req -new -key "[CERTIFICATE_FOLDER]\server.key" -config "[APACHE_HOME]\conf\openssl.cnf" -out "[CERTIFICATE_FOLDER]\server.csr"

3. Back up the private key and strip the passphrase from it; after this command the private key is no longer passphrase-protected
copy "[CERTIFICATE_FOLDER]\server.key" "[CERTIFICATE_FOLDER]\server.key.org"
openssl rsa -in "[CERTIFICATE_FOLDER]\server.key.org" -out "[CERTIFICATE_FOLDER]\server.key"

4. Generate the certificate
openssl x509 -req -days 365 -in "[CERTIFICATE_FOLDER]\server.csr" -signkey "[CERTIFICATE_FOLDER]\server.key" -out "[CERTIFICATE_FOLDER]\server.crt"


Step 2:

- Go to "APACHE_HOME\conf" folder and open httpd.conf.
- Uncomment the lines
LoadModule ssl_module modules/mod_ssl.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so

Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-ssl.conf


Step 3:


- Go to "APACHE_HOME\conf\extra" folder, open httpd-ssl.conf and set

SSLCertificateFile "[CERTIFICATE_FOLDER]\server.crt"
SSLCertificateKeyFile "[CERTIFICATE_FOLDER]\server.key"

Tips:
To check the Apache configuration, open a Windows command prompt, browse to the "APACHE_HOME\bin" folder and type in the command "httpd -S".

Step 4:

- Go to "APACHE_HOME\conf\extra" folder and open httpd-vhosts.conf, then edit the values of both virtual host configurations

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "[APACHE_HOME]\htdocs"
    ServerName dummy-host2.example.com
    ServerAlias www.dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error.log"
    CustomLog "logs/dummy-host2.example.com-access.log" common
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "[APACHE_HOME]\htdocs"
    ServerName dummy-host2.example.com
    ServerAlias www.dummy-host2.example.com

    ErrorLog "logs/dummy-host2.example.com-error.log"
    CustomLog "logs/dummy-host2.example.com-access.log" common

    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile "[CERTIFICATE_FOLDER]\server.crt"
    SSLCertificateKeyFile "[CERTIFICATE_FOLDER]\server.key"
</VirtualHost>

How to grant access to remote server to connect to MySQL server?

Normally, if your application server and database server are on 2 different machines, you are unable to connect from the application server to the database server without granting access rights in the MySQL database. To grant the access rights, below is the command which you can cut and paste into your MySQL browser and run.

GRANT ALL PRIVILEGES ON *.* TO username@address IDENTIFIED BY "password";
FLUSH PRIVILEGES;

username = [USER ID] used by the application server
address = [IP address of the remote machine]
password = [PASSWORD of the USER ID]

Once the script has run, voila! you have the rights to connect to the database server from the application server.
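ALL PRIVILEGES ON *.* gives the application account the same power as an administrator on every database, so a compromised application server becomes a compromised database server. The helper below is an added example, not part of the original post: it builds the equivalent grant restricted to one database and to the privileges a web application normally needs, pins the account to one IP address (refusing the any-host wildcard unless explicitly asked for), escapes the password as a MySQL string literal, and emits CREATE USER plus GRANT because MySQL 8.0 no longer accepts IDENTIFIED BY on GRANT. The user, host, database and password values in it are constructed for the demonstration.

```python
"""Build a least-privilege MySQL grant for an application account on one remote host.

Added example, not part of the original post.  Emits CREATE USER + GRANT
(the GRANT ... IDENTIFIED BY form was removed in MySQL 8.0), limits the
grant to one database and an application-level privilege set, and only
accepts an IP-literal host unless the caller explicitly allows '%'.
"""
import ipaddress
import re

IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # user and database names we accept
APP_PRIVILEGES = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE"}  # typical web-app needs


def sql_string(value: str) -> str:
    """Quote a value as a MySQL string literal using backslash escaping (the default mode)."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def grant_statements(user, host, database, privileges, password, allow_any_host=False):
    """Return the statements to paste into a MySQL client, in execution order."""
    if not IDENT_RE.match(user):
        raise ValueError(f"unexpected user name {user!r}")
    if not IDENT_RE.match(database):
        raise ValueError(f"unexpected database name {database!r}")
    if host == "%":
        if not allow_any_host:
            raise ValueError("host '%' lets any machine use this account; pass allow_any_host=True to accept that")
    else:
        ipaddress.ip_address(host)   # raises ValueError for anything that is not an IP literal
    privs = {p.upper() for p in privileges}
    unknown = privs - APP_PRIVILEGES
    if unknown:
        raise ValueError(f"privileges outside the application set: {sorted(unknown)}")
    account = f"{sql_string(user)}@{sql_string(host)}"
    return [
        f"CREATE USER {account} IDENTIFIED BY {sql_string(password)};",
        f"GRANT {', '.join(sorted(privs))} ON `{database}`.* TO {account};",
        "FLUSH PRIVILEGES;",
    ]


if __name__ == "__main__":
    # Constructed values for the demonstration, not a real deployment.
    for stmt in grant_statements("appuser", "10.0.0.5", "appdb", ["select", "insert", "update"], "s3cr'et"):
        print(stmt)
```

If the application genuinely needs DDL or other privileges, extend APP_PRIVILEGES deliberately rather than falling back to ALL PRIVILEGES; the point of the check is that every privilege in the grant is one somebody chose.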

Wednesday, January 16, 2013

How to generate self signed certificate on Apache Web Server (2.4)?

Step 1:
- Download an Apache build which has OpenSSL bundled with it as a package. You can go to http://www.apachelounge.com/download/
- Open command prompt and browse to the "APACHE_HOME\bin" folder
- Type in the command as shown below

openssl req -x509 -config "C:\Apache24\conf\openssl.cnf" -nodes -days 365 -newkey rsa:2048 -keyout "C:\Apache24\certificate\server.key" -out "C:\Apache24\certificate\server.crt"

Fill in all the relevant information.

Step 2:
- Go to "APACHE_HOME\conf" folder and open httpd.conf.
- Uncomment line
LoadModule ssl_module modules/mod_ssl.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-ssl.conf

Step 3:
- Go to "APACHE_HOME\conf\extra" folder and open httpd-ssl.conf.

SSLCertificateFile "C:\Apache24\certificate\server.crt"
SSLCertificateKeyFile "C:\Apache24\certificate\server.key"

Tips:
To check the Apache configuration, open a command prompt, browse to the "APACHE_HOME\bin" folder and type in the command "httpd -S".


Step 4:
- Go to "APACHE_HOME\conf\extra" folder and open httpd-vhosts.conf, then edit the values of both virtual host configurations

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host2.example.com
    DocumentRoot "C:\Apache24\htdocs"
    ServerName dummy-host2.example.com
    ErrorLog "logs/dummy-host2.example.com-error.log"
    CustomLog "logs/dummy-host2.example.com-access.log" common
</VirtualHost>

<VirtualHost *:443>
    ServerName dummy-host2.example.com
    ServerAlias www.domain.com
    DocumentRoot "C:\Apache24\htdocs"
    SSLEngine on
    SSLCertificateFile "C:\Apache24\certificate\server.crt"
    SSLCertificateKeyFile "C:\Apache24\certificate\server.key"
</VirtualHost>