Category Archives: Apache2

Protect your server from the POODLE attack

Leave a reply

You can protect your server from the POODLE attack, as described here, by disabling the SSLv3 protocol on your (Ubuntu) Apache webserver. This is easily done by changing a single configuration file. Edit the file /etc/apache2/apache2.conf  and search for the line containing SSLProtocol. Change this line from

SSLProtocol all -SSLv2

to

SSLProtocol all -SSLv2 -SSLv3

This disables SSLv3 connections to your server. Restart your apache webserver

sudo service apache2 restart

and then test if the changes were successfull:

1. Try to open a SSLv2 connection; this should give you an error:

openssl s_client -ssl2 -connect bjdejong.nl:443

CONNECTED(00000003)1255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s2_pkt.c:427:

2. Try to open a SSLv3 connection; this should give you an error:

openssl s_client -ssl3 -connect bjdejong.nl:443

CONNECTED(00000003)
1256:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:1143:SSL alert number 40
1256:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s3_pkt.c:564:

3. Try to open a TLS connection; this should give you no error:

openssl s_client -tls1 -connect bjdejong.nl:443

CONNECTED(00000003)
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=bjdejong@bjdejong.nl
verify return:1
---
Certificate chain
0 s:/O=Landing page
bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
i:/O=Landing page bjdejong.NL/CN=*.landingpage.nl/emailAddress=berendjdejong@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE----
MIIDnzCCAoegAwIBAgIJAJl1fA2nG/6eMA0GCSqGSIb3DQEBBQUAMGYxITAfBgNV
......

If everything went ok you are protected against the POODLE attack.

Share

Ubuntu Apache problems on Azure

Leave a reply

Apache SSLCipherSuite settings1pix apache-logo

Got the error below in your apache error log when trying to start the Apache server?

[Mon Jan 19 20:19:24 2015] [error] Unable to configure permitted SSL ciphers

Then you have permitted ciphers in your apache.conf  (at /etc/apache2 ) that are not compatible with your openssl configuration (probably version 1.01, check with openssl version). To solve this problem remove the +TLSv1.1:+TLSv1.2 from the line starting with SSLCipherSuite.

Restart your apache server; it should be running now….

Want to get rid of the Apache2 message “Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName”?

Edit your /etc/hosts  file and add the FQDN to the line that contains
127.0.0.1    localhost

 

Share

Ubuntu iptables redirect

Leave a reply

computer-firewalliptables redirect

Having trouble ssh-ing on port 22?  Then try to use another port with help of your iptables firewall. With iptables it is possible (among other things) to redirect traffic on an incoming port to another port of your choice.

To save your current firewall setup you could choose to save your configuration with:

sudo iptables-save > ipfw.conf

Restoring your old configurations is as easy as:

sudo iptables-restore < ipfw.conf

Execute the following command to redirect traffic on port 443 to port 22:

sudo iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT –to-ports 22

Now to create socks a tunnel on the 443 port execute the following command (add the -vvv option to get debugging info from ssh):

# -p443  Port to connect to on the remote host
# -D8080 Specifies a local "dynamic" application-level port forwarding.
# -C     Request compression of all data
# -N     Do not execute a remote command (useful for port forwarding)
# -i ... Identity file to use
sudo ssh -p443 -D8080 -N uid@hostname -C -i /home/uid/.ssh/identity

To use this connection in the browser tell the browser to use a socks proxy on port 8080 or use the tsocks  command to “socksify a tool” for example an ssh session to other servers.

tsocks ssh uid@hostname

 

Share

XDebug NetBeans Apache configuration

Leave a reply

So you want to debug your PHP website code with xdebug netbeans? In this post I will explain how to configure XDebug / Apache and NetBeans to start a debug session for your website.

First of all install the necessary components:

apt-get install apache2
apt-get install mysql-server
apt-get install php5-mysql
apt-get install php5-xdebug

Restart the apache webservice and check for any errors:

service apache2 restart

Create a new website configuration in /etc/apache2/sites-available  :

<VirtualHost *:80>
   ServerName www.xdebugger.tst
   ServerAdmin webmaster@xdebugger.tst
   DocumentRoot /var/www/xdebugger/www
   <Directory / >
      Options FollowSymLinks
      AllowOverride None
   </Directory>
   <Directory /var/www/xdebugger/www">
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Order allow,deny
      allow from all
   </Directory>
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Update your hosts file so you can easily test this new site .Add the following line to the file /etc/hosts :

127.0.0.1           www.xdebugger.tst

Next enable remote debugging with XDebug. Although you just installed XDebug it will be disabled by default.

Create a script index.php  to see your changes to the apache / php configuration in the directory /var/www/xdebugger/www :

<?php
phpinfo();
?>

Navigate to http://www.xdebugger.tst

xdebugoff

As you can see in the picture above XDebug is not enabled. To enable the XDdebug feature add the following lines (if not already there) to the file /etc/php5/apache2/conf.d/20-xdebug.ini :

zend_extension=xdebug.so
xdebug.remote_enable=on

Now restart your apache service once more; execute the script and check the xdebug.remote_enable  setting:

Execute

sudo service apache2 restart

Navigate to http://www.xdebugger.tst

xdebugon

 

Now goto your netbeans IDE and create a new project:

File -> New project
Category: PHP
Projects: PHP Application with Existing Source
Press Next
Sources Folder: /var/www/xdebugger/www
Project Name: xdebugger
Press Next
Project URL: http://www.xdebugger.tst (same value as the one you added to /etc/hosts!)
Press Finish

Set the main project to the newly created project:

Goto Run -> Set Main Project -> xdebugger

Next start your first debugging session!

Goto Debug -> Debug Main project

Additonal information about configuring NetBenas can be found here

Share

Analyze IP addresses accessing your Apache server

Leave a reply

The awk command below retrieves the first column of your apache log file which containsscript the IP address of the browser accessing your host (if you have a virtual host setup with the vhost_combined CustomLog you should retrieve column 2 instead).

After retrieving the column it is sorted and all unique values are determined and counted. After that the list of unique values and there count is sorted (reverse) to get the top list of IP’s.

awk '{ print $1}' $LOGFILE | sort | uniq -c | sort -nr > $DEST

Output of this statement:

606 188.203.177.225
502 84.87.80.237
376 86.81.89.200
365 24.132.181.21
295 94.212.84.128
279 86.81.89.250
251 94.212.208.48
235 85.150.175.72
226 94.212.194.142

 

 

Share

Apache deny and allow access from ipaddress

Leave a reply

With help of a .htaccess file we can deny or allow access from a specific ip address or range of ip addresses.

Deny access from all IP addresses in the range 192.168.2.*:

<Limit GET HEAD POST>
order allow,deny
allow from all
deny from 192.168.19.
</Limit>

The line order allow,deny means that Apache should first evaluate the allow entries (which states that everyone is allowed access) and then the deny entries (which states that the range 192.168.19.* is denied access). Effectively this means that the range 192.168.19.* is denied access.

Order of evaluation is allow, deny; so this means:
allow access from all
deny access from 192.168.19.

Allow only access from the IP range 192.168.19.*:

<Limit GET HEAD POST>
order deny,allow
allow from 192.168.19.
deny from all
</Limit>

Order of evaluation is deny, allow; so this means:
deny access from all
allow from 192.168.19.

Share

Configure Apache

Leave a reply

Perform a clean Apache install:

sudo apt-get install apache2

After that copy original configuration files:

cp /etc/apache2/apach2.conf /etc/apache2/apache2.conf.org
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.org
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl.org

To prevent users from getting a directory listing add the next line to the bottom of your apache2.conf:
Options -Indexes

A fresh apache install has the following modules installed

apachectl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
mime_module (shared)
negotiation_module (shared)
php5_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)
Syntax OK

As you can see the rewrite module is missing from this list. You can simple active this module by executing:

a2enmod rewrite

 

 

Share

Add SSL to localhost on apache / linux

Leave a reply

Generate a Certificate Signing Request

1. Generate the keys for the Certificate Signing Request (CSR)

openssl genrsa -des3 -out server.key.secure 1024

2. Create the insecure key.

openssl rsa -in server.key.secure -out server.key.insecure

3. Create the CSR.

openssl req -new -key server.key.insecure -out server.csr

Fill in the appropriate information.

4. Create the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This creates server.crt

5. Install the self-signed certificate

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Now you can configure apache with the ability to use public-key cryptography to use the certificate and key files.

Configure Apache to use SSL on local host

6. Enable ssl

sudo a2enmod ssl

7. Edit your default-ssl site (make backup copy)

Change:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

8. Enable the default-ssl site.

sudo a2ensite default-ssl

8. Restart the server.

sudo service apache2 restart

Navigate to https://localhost and examine your certificate details

Share

Ubuntu Apache + MySQL + WordPress

Leave a reply

Install devenv with Ubuntu + Apache + MySQL

Create a new virtual machine and mount your Ubuntu ISO as CDROM drive. Startup the new virtual machine and install Ubuntu with default options.

After Ubuntu installation is complete be sure to add the guest additions to your system (keep your original configuration when asked):

$>apt-get install virtualbox-guest-x11

Ubuntu windows appearing slow? See this url: http://askubuntu.com/questions/207813/why-does-an-ubuntu-12-10-guest-in-virtualbox-run-very-very-slowly/214968#214968

Upgrade and update your system to make sure you have the latest and the greatest software:

$>apt-get update
$>apt-get upgrade

Mandatory components for your development environment

$>apt-get install apache2
$>apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
# Enter root password and press OK (twice)
# Install MySQL system tables:
$>mysql_install_db
# Secure your MySQL installation
$>/usr/bin/mysql_secure_installation
# Enter the root password choosen above
# Choose n (already have a password)
# Enter four times (everything default)
$>apt-get install php5 php5-xdebug libapache2-mod-php5 php5-mcrypt php5-cli php5-curl php5-gd
# Install your favorite editor for quick edits....
$>apt-get install vim

Optional (but useful tools)

WebMin server administration

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.610_all.deb
dpkg --install webmin_1.610_all.deb

When you want to mount an external CIFS filesystem (for example your NAS) install the CIFS utility package.

$>apt-get install cifs-utils

Mount a cifs remote file system:

$>mkdir /mnt/share
$>mount.cifs //SERVER/share /mnt/share -o user=USER,uid=1000,gid=1000
# Enter your password
# Install netbeans
$>apt-get install netbeans
# Install chromium-browser
Install chrome browser
$>apt-get install chromium-browser
# Install the Gimp
$>sudo apt-get install gimp
# Install VIM
$>sudo apt-get install vim

Setup WordPress installatie

For pretty URL’s to work make sure the rewrite module is enabled in Apache. You can do this with the WebMin tool; in Webmin goto “Servers”, “Apache Webserver”, select the “Global configuration” tab, select “Configure Apache modules”, check the “Rewrite” module.

Changes take effect immediately.

$>cd /var/www/
$>mkdir demo
$>cd demo
$>wget http://wordpress.org/latest.tar.gz
$>tar -xzvf latest.tar.gz
$>mv wordpress www
$>rm latest.tar.gz
$>cd /var/www
$>chown -R www-data:www-data .

Setup the MySQL database

$>mysql -uroot -pXXXXXXX
mysql>create database wp_demo;
mysql>create user 'wp_demo'@'localhost' IDENTIFIED BY 'XXXXXXXXXX';
mysql> grant create,drop,select,insert,update,delete on wp_demo.* to 'wp_demo'@'localhost';
Share