Apache config snippets
Require login to server but allow from local subnet
This will pass your password in CLEAR text unless the protected directory is served over HTTPS.

<Directory "/data/webroot/protected/https">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    Satisfy any
    AuthType Basic
    AuthName "Authorized Users Only"
    AuthUserFile /data/webroot/protected/useraccess.txt
    AuthGroupFile /data/webroot/protected/groupaccess.txt
    Require group GroupName
</Directory>

cat *.txt
mygrp:GuessMyPassword
GroupName: mygrp
Apache http to https Redirect
root@host03:/etc/apache2/sites-available# more wiki-http-redirect-to-https
<VirtualHost *:80>
    ServerName wiki.example.int
    Redirect permanent / https://wiki.example.int
</VirtualHost>
Poodle SSL vulnerability
Background
Apache2 on Ubuntu
- Edit /etc/apache2/mods-available/ssl.conf
- Change
  SSLProtocol all
  to
  SSLProtocol all -SSLv3
  (SSLv2 is not supported by this build, so only SSLv3 needs to be removed.)
- Check strong ciphers are enabled.
- Restart Apache.
Testing
Use the openssl s_client utility to force an SSL connection with the disallowed protocol (SSLv3):-
This should FAIL!
root@host:/etc/apache2# openssl s_client -connect 23.24.25.26:443 -ssl3
CONNECTED(00000003)
139648475055776:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139648475055776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413802832
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
root@fmtswebhost2:/etc/apache2#
This should succeed with TLS.
root@host:/etc/apache2# openssl s_client -connect 31.14.29.46:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=GB/serialNumber=03513618/street=2 New Brunswick Square/street=Brindley Road/postalCode=B21 2AZ/C=GB/ST=West Midlands/L=Birmingham/O=MTServer Limited/CN=www.mtserver.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
....edited....
---
No client certificate CA names sent
---
SSL handshake has read 4370 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 9511860F5F1D9F8DDFA990D9FE6BD45B07A1D06778DF612E4A13698543AFA4E5
    Session-ID-ctx:
    Master-Key: 68C45A2FCF7F380E2DB62E9C615565BB817C838D7DDA427390650C8E83BE324D48E65D7DFDE6FFC126180A96A10B005F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ....edited....
    Start Time: 1413803043
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
root@host:/etc/apache2#
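As an added example (not part of the original page), a small Python parser that reads saved openssl s_client transcripts like the two above and decides whether the forced SSLv3 handshake was refused and which protocol and cipher the successful run negotiated; the sample transcripts and the function names are constructed for this example.

```python
import re

# Constructed sample transcripts, modelled on the two openssl s_client runs above
# (host names, addresses and the certificate chain are omitted).
SSL3_REFUSED = """CONNECTED(00000003)
139648475055776:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""

TLS_ACCEPTED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
"""

def parse_s_client(output):
    """Return (handshake_ok, protocol, cipher) from one s_client transcript.
    The handshake counts as failed when OpenSSL reports a handshake failure
    or no real cipher was negotiated (s_client prints 0000 / (NONE))."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    cipher_name = cipher.group(1) if cipher else None
    failed = ("handshake failure" in output
              or cipher_name in (None, "0000", "(NONE)"))
    return (not failed, proto.group(1) if proto else None, cipher_name)

def sslv3_disabled(ssl3_output):
    """True when the forced -ssl3 connection was refused, i.e. the fix took effect."""
    return not parse_s_client(ssl3_output)[0]

def audit_protocols(transcripts):
    """transcripts maps an s_client protocol flag (e.g. '-ssl3', '-tls1_2')
    to the saved output of that run; returns the protocols the server accepted."""
    accepted = []
    for flag, out in transcripts.items():
        ok, proto, _ = parse_s_client(out)
        if ok and proto:
            accepted.append(proto)
    return sorted(accepted)
```

Run s_client once per protocol flag, save each transcript, and feed them to audit_protocols; SSLv3 must not appear in the result after the ssl.conf change.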
Log file entry examples
The Firefox and Chrome entries are well known; I have added a few examples of unusual user-agents to help with debugging.

Cisco 7940/7960 IP phones:-

==> /var/log/httpd/access_log <==
192.168.123.123 - - [28/Jul/2023:17:37:24 +0100] "GET /cisco/bmp/eng.bmp HTTP/1.1" 200 8178 "-" "Allegro-Software-WebClient/3.10b1"