Entries from December 2012.

Hardening Apache Based Installations

Sometimes you want to test some server-side software on a public server but don't want to be hit by automated scripts that probe for known vulnerabilities in that software. The simplest solution is to add an extra layer of protection using Apache-based access restrictions.

Enable .htaccess in Apache

Changing the configuration can be very flexible, and as simple as placing a special file in the directory you want to protect. These special files, named ".htaccess", are fragments of Apache configuration that can be placed in your WWW directory structure. But you have to enable them in the Apache config (/etc/apache2/sites-available/default):

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

Restrict by login / password

We would like to protect an application installed under a given path with an additional login/password. We use the digest method to protect the password from sniffing even over HTTP connections.

First of all we need mod_auth_digest to be enabled in Apache (the module must be enabled):

# a2enmod auth_digest
# /etc/init.d/apache2 restart

Then we will create a file with user passwords:

$ htdigest -c /home/www-data/.htpasswd app admin

And finally we need to point to that file (put the following in .htaccess in the appropriate directory):

AuthType Digest
AuthName "app"
AuthUserFile /home/www-data/.htpasswd
Require user admin

The browser should then show you an authentication window.
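If the authentication window keeps rejecting a correct password, the usual cause is a realm mismatch: each htdigest line is `user:realm:MD5(user:realm:password)`, and the realm must equal the `AuthName` in .htaccess. The check below is an added example, not part of the original post; the function names and the throwaway demo file are constructed for illustration, and `md5sum` is assumed to be available.

```shell
#!/bin/sh
# Added example: consistency checks for an htdigest file and its .htaccess.
# htdigest file format, one entry per line: user:realm:MD5("user:realm:password")

# ha1 USER REALM PASSWORD -> prints the hash htdigest stores for that entry
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# has_entry FILE USER REALM -> exit 0 if FILE holds an entry for USER in REALM
has_entry() {
    awk -F: -v u="$2" -v r="$3" \
        '$1 == u && $2 == r { found = 1 } END { exit !found }' "$1"
}

# check_password FILE USER REALM PASSWORD -> exit 0 if the stored hash matches
check_password() {
    want=$(ha1 "$2" "$3" "$4")
    awk -F: -v u="$2" -v r="$3" -v h="$want" \
        '$1 == u && $2 == r && $3 == h { ok = 1 } END { exit !ok }' "$1"
}

# realm_of_htaccess FILE -> prints the AuthName value with quotes stripped
realm_of_htaccess() {
    sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# realm_matches HTACCESS HTPASSWD USER -> exit 0 if USER has an entry in the
# realm that HTACCESS announces via AuthName
realm_matches() {
    has_entry "$2" "$3" "$(realm_of_htaccess "$1")"
}

# Constructed demo: a throwaway file shaped like the output of
# `htdigest -c FILE app admin` (the password here is a made-up sample).
tmp=$(mktemp)
printf 'admin:app:%s\n' "$(ha1 admin app 'constructed-password')" > "$tmp"
has_entry "$tmp" admin app   && echo "admin has an entry in realm 'app'"
has_entry "$tmp" admin other || echo "no entry for admin in realm 'other'"
rm -f "$tmp"
```

On the real server, `realm_matches /var/www/.htaccess /home/www-data/.htpasswd admin` (adjusting the .htaccess path to the protected directory) exits non-zero when the two files disagree on the realm.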

Even if the installed software probably has some bugs and exploits, you can safely test it on a public site as long as you trust that your users won't try to hack the site (site access is not public; it requires an Apache login).

DHCP command line diagnostics - an alternative to Wireshark

I do prefer small command line utilities over heavy GUI tools and use them whenever possible. The command line has better post-processing possibilities (you can pipe output to other tools) and automation (you can easily script them). A small example of a network scan is below.

For example, sometimes you want to analyze the details of DHCP requests but without the overhead needed by Wireshark (you may be working over SSH without a GUI). Then it's very easy using a useful command line tool. Recently I needed to check the "Vendor class identifier" field sent from a device with a given MAC address (1C:C6:3C:74:B9:47 in our case). It's very easy:

$ sudo dhcpdump -i eth0 -h 1C:C6:3C:74:B9:47 | grep 'Vendor class identifier'
OPTION:  60 ( 25) Vendor class identifier   ABC8776
OPTION:  60 ( 25) Vendor class identifier   ABC8776

"eth0" was my local device used for sniffing network packets.

As you can see, it was very easy (and much faster than typical Wireshark use).