more apache/php

[inittux]

Going to setup a test domain this weekend and going to try to finally implent IDS on my server. Although I find modsecurity quite confusing still. With the asl rules my whole site becomes access denied and with just the base rules activated I get errors when changing some settings in the joomla backend. I'll have a look at it later.

[inittux]

Seems like I got mod_security working. Am able to do all my admin stuff in the backend without getting errors from mod_security. Using this

http://www.atomicorp.com/wiki/index.php/...stallation

 

Is there anyway to test it? Dave/Hybrid/Anyweb, feel free to try and test out the security of my webserver And I got logwatch configured and working,

only still working on getting fail2ban work with the backend of my site.And I found this usefull post which I will look at later again. And after

I have looked at those I'll be looking at a smart way to backup/restore.And the last thing I stilll want to do look some more into more security

for my webserver, which I found plenty of information of on the web.Once I finally get all of this working and sorted out and feel I understand

it enough to make/manage a secure webserver I'll be movingonto my next project on my server.

[hybrid]

If you have access to a Windows machine on your network, NetSparker Community Edition is a great tool for testing the security of your server -- and probably for testing your IDS too. It will pound at the target website, searching for vulnerabilities, 'fuzzing' the site's various inputs with all sorts of data to try and get it to behave in an unexpected way.

 

I've used it very successfully in the past to identify and resolve vulnerabilities in my web-facing code.

[inittux]

Seems like my server security isn't all that great. And think my server also already being abused :(

Two email adresses which I know nothing of.

 

[hybrid]

Both of these email addresses are used in the credits to the Apache icon set, which appear on DirectoryIndex pages. While NetSparker is warning you about these email addresses are made available publicly on your server, this particular entry is nothing to worry about!

 

See https://www.apache.org/icons/ for the credits.

 

This is also only an 'information' level issue that it has found (see the 'i' icon next to Email Address Disclosure in the Issue list). Therefore, it's not of the highest priority. This entry in the issues list doesn't at all suggest your server is compromised.

 

NetSparker will give you a lot of information. Interpreting the results is as important as doing the scan in the first place. :)

[inittux]

Both of these email addresses are used in the credits to the Apache icon set, which appear on DirectoryIndex pages. While NetSparker is warning you about these email addresses are made available publicly on your server, this particular entry is nothing to worry about!

 

See https://www.apache.org/icons/ for the credits.

 

This is also only an 'information' level issue that it has found (see the 'i' icon next to Email Address Disclosure in the Issue list). Therefore, it's not of the highest priority. This entry in the issues list doesn't at all suggest your server is compromised.

 

NetSparker will give you a lot of information. Interpreting the results is as important as doing the scan in the first place. :)

 

I'm glad, that I would really feel like a noob. Only thing that safe is my php it says:

 

Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

 

and my cookie is not marked as secure but that would be logical cuz I generated my own https certificate and my cookie is not marked as http only. will have a look at that.

 

And need to look at my directory listing:

 

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

[hybrid]

Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

 

Again, this is low priority -- not a vulnerability per se, but just some information disclosure to your server's users that isn't strictly necessary.

 

To resolve this, you can find the relevant line in php.ini and change it to:

 

Code:

expose_php = Off

 

and my cookie is not marked as secure but that would be logical cuz I generated my own https certificate and my cookie is not marked as http only. will have a look at that.

 

This might be a setting in the CMS software you're using -- there might be a Joomla setting to make the cookie marked as 'secure'. (Note that marked as 'secure' and marked as 'HTTP only' are different things.)

 

 

And need to look at my directory listing:

 

An attacker can see the files located in the directory and could potentially access files which disclose sensitive information.

 

For this, you'll need to go to the Apache configuration for that particular <Directory> and change the Options line:

 

Code:

Options -Indexes

 

(You probably want to just add -Indexes to the line, and remove Indexes if it is there, because a brand new Options line will override any other Options that might be set).

[Dungeon-Dave]

"Options -Indexes" is supposed to be an apache default setting for quite some time now.

 

I remember the days when +Indexes was commonplace, then -Indexes and "403=welcome.html" kicked in (which caused me no end of headache when trying to debug Apache configs, I tell you).

 

In terms of pen-testing, nessus can scan and report vulns.

 

To see what's happening in real-time, "tail -f /var/log/httpd/mod_security.log" or so to watch reports scrolling up the page.

[inittux]

in my case it would be audit_log. Seems to be working :)

 

tail -f /var/log/httpd/audit_log

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoj7UQg8AAC-zIsAAAAAA] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-2LQoAAAAD] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-0JiQAAAAB] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-3MHkAAAAE] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-4M@wAAAAF] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-1KZ4AAAAC] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-5N18AAAAG] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.9.54] [domain feedmebits.nl] [200] [/20111129/20111129-1305/20111129-130555-TtTKoz7UQg8AAC-6OsoAAAAH] [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_zz_strict.conf"] [line "37"] [id "330792"] [msg "Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors."] [severity "CRITICAL"] Warning. Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required.

[modsecurity] [client 145.117.4.128] [domain feedmebits.nl] [500] [/20111129/20111129-1310/20111129-131010-TtTLoj7UQg8AAC-0JiUAAAAB] (null)

[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111129/20111129-1543/20111129-154345-TtTvoT7UQg8AAC-zIsQAAAAA] (null)

[Dungeon-Dave]

When I've been debugging mod_sec, I find that a tail of that logfile when a site breaks on me shows what's tripping it (rule name, ID, etc).

 

Note that - in terms of vulnerabilities - disclosure of information is not insecure in itself. How that information is used to enumerate and select an exploit is.

 

Concealing the fact you're using a version of PHP does not make that version secure, it just means a cracker will take longer to choose an appropriate attack vector.