Apache Notes

This document provides information related to the Apache Web Server (httpd daemon) used in the NST distribution.

Security Violations

A default Apache configuration and installation tries very hard to keep the system secure. Unfortunately, these security settings make it impossible to provide the functionality we desired in the creation of the NST WUI (we needed to do things as the root user which a standard Apache installation should never permit). In particular, we have done the following:

  1. We made the apache user part of the root and nagios groups.
  2. We made it possible for the apache user to run ANY command on the system as root via the sudo command (this was done by updating the configuration file: "/etc/sudoers").

We convinced ourselves that the security violations we introduced into our Apache configuration were acceptable for the following reasons:

  1. We configured the httpd process such that it only accepted SSL connections.
  2. We configured the httpd process such that one could not gain access to it without first logging in as root.

We treat the web server on a NST system as a "pseudo" terminal access point for the root user.


Adding Additional NST WUI Users

It is possible to grant someone else the ability to use the NST WUI without letting them use the root NST WUI account. The other user will have full root privileges from the NST WUI while logging in with different credentials, so you should only do this for someone you really trust: they will be able to do anything they want to the system.

To add additional accounts with access to the entire NST WUI, update your Apache configuration files to permit it:

Update The Apache Permission Requirements

Prior to the 2582 build of the NST WUI, only the root user in the /etc/httpd/conf/htuser.nst configuration file was granted access to the services provided by the web server.

You can use the following command to update all of the configuration files to grant permission to any user account which appears in the /etc/httpd/conf/htuser.nst file:

for f in $(find /etc/httpd -name "*.conf*"); do sed -i -e "s,require user root,require valid-user," "${f}"; done

NOTE: This step is no longer required if you have a build of the NST with a 2582 or later subversion identifier.

For finer grained control (to limit accounts to certain areas), you can edit each of the configuration files by hand and only change "require user root" to "require valid-user" for the areas you want to make available to everyone with an account.

Add New User Accounts

Update the NST WUI password file (/etc/httpd/conf/htuser.nst) with new user accounts (it only contains the root user by default). For example, to add user "janedoe" with a password of "badpass", use the command below. Note that the -b option takes the password on the command line, where it ends up in the shell history; run htpasswd without -b to be prompted for it instead.

htpasswd -b /etc/httpd/conf/htuser.nst janedoe badpass

Restart The Web Server

Restart the httpd service on your NST system to load the new changes.

systemctl restart httpd.service

Verify Your Changes

At this point you should use a browser to verify that both the root and janedoe users are able to access the NST WUI.
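A script version of the steps above, added here as an example; it is not part of the NST wiki page or the NST project. It rewrites "require user root" to "require valid-user" under a configuration directory (the pre-2582 step), keeps a backup of each file it changes, and counts how many root-only directives remain so the change can be verified before httpd is restarted. The CONF_DIR variable and the function names are this example's own; the paths are the page's.

```bash
#!/bin/bash
# Added example, not part of the NST wiki page or the NST project: rewrite
# "require user root" to "require valid-user" across an Apache configuration
# tree, keeping a backup of every file touched and reporting what changed.
# Paths (/etc/httpd, htuser.nst) come from the page; CONF_DIR and the
# function names are this example's own. Requires GNU sed (sed -i).

ROOT_ONLY='require[[:space:]]+user[[:space:]]+root([[:space:]]|$)'

# count_root_only <conf_dir>
# Number of "require user root" directives still in force below <conf_dir>;
# 0 means every protected area now admits any account listed in htuser.nst.
# Backups (*.bak) are skipped so they do not inflate the count.
count_root_only() {
    find "$1" -type f -name '*.conf*' ! -name '*.bak' \
        -exec grep -h -i -E "$ROOT_ONLY" {} + | wc -l | tr -d ' '
}

# grant_valid_user <conf_dir>
# Rewrites the directive in every *.conf* file below <conf_dir>, writes a
# <file>.bak copy first, lists the files touched on stderr and prints the
# number of directives changed on stdout. The page's one-liner piped find
# into "less"; that pipe has no job inside $(...) and is dropped here.
grant_valid_user() {
    dir="$1"
    before=$(count_root_only "$dir")
    find "$dir" -type f -name '*.conf*' ! -name '*.bak' -print |
    while IFS= read -r f; do
        grep -q -i -E "$ROOT_ONLY" "$f" || continue
        cp -p "$f" "$f.bak"
        # Keep the author's capitalisation of Require and the rest of the line.
        sed -i -E 's/([Rr]equire)[[:space:]]+user[[:space:]]+root([[:space:]]|$)/\1 valid-user\2/' "$f"
        echo "updated: $f (backup: $f.bak)" >&2
    done
    after=$(count_root_only "$dir")
    echo $((before - after))
}

# Only touches a real tree when asked: CONF_DIR=/etc/httpd bash grant-valid-user.sh
if [ -n "${CONF_DIR:-}" ]; then
    echo "directives changed: $(grant_valid_user "$CONF_DIR")"
    echo "root-only directives remaining: $(count_root_only "$CONF_DIR")"
fi
```

Run it once with CONF_DIR=/etc/httpd, then restart httpd as described above; a second run reports 0 changes, which is a cheap way to confirm nothing was missed.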


Tightening Security

You can tighten security on an NST web server by limiting which systems are permitted to access which resources. This is done by adding (or replacing) the Order, Allow and Deny directives within the Directory entities that appear in the many configuration files. For example, if you wanted to limit access to the NST WUI to the local system and the system with the IP address "192.168.100.29", you would specify the Order and Allow directives as shown below in the file "/etc/httpd/conf.d/nstwui.conf".

#
# Directives to allow use of the nstwui-1.5.0 as a CGI
<Directory "/usr/local/nstwui-1.5.0">
  DirectoryIndex index.cgi index.html index.html.var index.php index.php3
  Options Indexes FollowSymLinks ExecCGI +Includes

  Order allow,deny
  Allow from 127.0.0.1 192.168.100.29/32

  AuthType Basic
  AuthName "NST WUI: System Management"
  AuthUserFile "/etc/httpd/conf/htuser.nst"
  require user root
</Directory>

Alias /nstwui "/usr/local/nstwui-1.5.0"

There are MANY locations where this can be done. The file: "/etc/httpd/conf/httpd.conf" contains numerous Directory entities (including the top level setting), and the directory: "/etc/httpd/conf.d" contains numerous configuration files containing Directory entities.
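Because the directives can live in any of those Directory entities, an audit that lists which blocks restrict access by client address is useful before and after a change. The following is an added example, not code from the NST wiki page or the NST project: it understands the Order/Allow/Deny form used on this page and, as an extension, the Apache 2.4 "Require ip", "Require host" and "Require all denied" forms. The function names and the OPEN/restricted labels are this example's own.

```bash
#!/bin/bash
# Added example, not part of the NST wiki page or the NST project: list every
# <Directory> block in the given Apache configuration files and say whether
# it restricts clients by address. Function names and the OPEN/restricted
# labels are this example's own.

# audit_directory_acls <conf-file>...
# Prints one line per <Directory> block: "restricted <path>" or "OPEN <path>".
# "Allow from all" is not a restriction. Only <Directory> containers are
# examined (not <DirectoryMatch>, <Location> or <Files>), and the check is
# lexical: it does not evaluate what Apache merges from enclosing blocks.
audit_directory_acls() {
    awk '
        { line = tolower($0) }                     # directives are case-insensitive
        line ~ /^[ \t]*<directory[ \t]/ {
            inblk = 1; restricted = 0
            path = $0
            sub(/^[ \t]*<[Dd]irectory[ \t]+/, "", path)
            sub(/>[ \t]*$/, "", path)
            gsub(/"/, "", path)
            next
        }
        inblk && line ~ /^[ \t]*allow[ \t]+from[ \t]+all[ \t]*$/ { next }
        inblk && line ~ /^[ \t]*(allow|deny)[ \t]+from[ \t]/    { restricted = 1 }
        inblk && line ~ /^[ \t]*require[ \t]+(ip|host)[ \t]/    { restricted = 1 }
        inblk && line ~ /^[ \t]*require[ \t]+all[ \t]+denied/   { restricted = 1 }
        line ~ /^[ \t]*<\/directory>/ {
            if (inblk) printf "%s %s\n", (restricted ? "restricted" : "OPEN"), path
            inblk = 0
        }
    ' "$@"
}

# open_directory_count <conf-file>...
# How many blocks admit any client; handy as a one-number before/after check.
open_directory_count() {
    audit_directory_acls "$@" | grep -c '^OPEN ' || true
}

# Typical use on an NST system (paths from the page):
#   audit_directory_acls /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
```

Every line tagged OPEN is a candidate for the Order/Allow/Deny treatment shown above; blocks that are meant to be public (or are protected by a Location or Files container instead) will show up too, so read the list rather than acting on it blindly.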

If you want to completely disable the web service on an NST probe, run the following commands:

Commands: "service" & "chkconfig"
[root@probe ~]# service httpd stop
[root@probe ~]#
[root@probe ~]# chkconfig httpd off
[root@probe ~]#
[root@probe ~]# chkconfig --list httpd
httpd            0:off   1:off   2:off    3:off    4:off    5:off    6:off
[root@probe ~]#

Using The NST As A Public Web Server

In general, one should NEVER open an NST probe up to public access. Only those who are very comfortable with configuring Apache web servers should consider it.

If you are really determined to use the NST probe as a public access point, at a minimum you should:

  • Remove the apache user from the root and nagios groups in the file: "/etc/group".
  • Remove the apache line in the file: "/etc/sudoers".
  • Remove the files: "/etc/httpd/conf.d/nstwui.conf" and "/etc/httpd/conf.d/fs.conf".
  • Restart the httpd service.

Once the above steps have been completed, the web server will be in a much more secure state and you should be able to start editing the configuration file(s). In particular, it is recommended to replace all Order, Allow and Deny lines in Directory entities which you do not want to share with the following:

Order Allow,Deny
Deny from All


Static IP Address, SSL Configuration & NST WUI Access

NST Script: nstnetcfg

See page: HowTo Setup a Server With Multiple Network Interface Adapters Using: "nstnetcfg" for a simplified means of setting up networking on an NST system and proper access to the "NST WUI".

 

Starting with NST 18, when setting up an NST system with a static "IPv4 Address" you will need to configure the system for proper access to the "NST WUI". A new NST script, nstipconf, is available to assist you. If you want to do this manually, the following configuration changes need to occur.

Start by manually editing the Apache SSL configuration file "/etc/httpd/conf.d/ssl.conf" for access to the NST WUI via "https". Change the IP Address in the Virtual Host configuration entry to match your NST system's static IP Address and update the "ServerName" directive to match as well. The example below is for a system with an IP Address of "172.32.1.45":

 

.
.
.
##
## SSL Virtual Host Context
##

<VirtualHost 172.32.1.45:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
ServerName 172.32.1.45:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
.
.
.

Next use the NST script: nstcert to generate new Apache SSL certificate and key files and install them.

SSL Certificate & Key File Generation
[root@probe ~]# nstcert --common "172.32.1.45" --name server --ssl-host "172.32.1.45" -v
+ NOTE    + Generating key file: server.key
+ SUCCESS + Created key: server.key
+ NOTE    + Generating certificate: server.crt
+ SUCCESS + Created key: server.key
+ NOTE    + Generating Apache config file: server-apache.conf
+ SUCCESS + Created Apache config file: server-apache.conf

Congratulations, we have successfully generated the following:

  server.key          install under: /etc/httpd/conf/ssl.key/
  server.crt          install under: /etc/httpd/conf/ssl.crt/
  server-apache.conf  install under: /etc/httpd/conf.d

After installing the above files in the directories shown, you will
want to edit "/etc/httpd/conf.d/server-apache.conf" and then issue
the following command to apache:

  systemctl restart httpd.service

The current mapping is:

  https://172.32.1.45:443/ ->
  

Finally, one needs to reload the Apache web service via systemctl:

Reload Apache Web Server & Display Web Service Status
[root@probe ~]# systemctl reload httpd.service
[root@probe ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
	  Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
	  Active: active (running) since Wed 2013-02-27 08:23:43 EST; 1 day 1h ago
	 Process: 7797 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
	 Process: 13017 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
	Main PID: 7801 (httpd)
	  Status: "Total requests: 1; Current requests/sec: 0; Current traffic:   0 B/sec"
	  CGroup: name=systemd:/system/httpd.service
		  ├─7801 /usr/sbin/httpd -DFOREGROUND
		  ├─7805 /usr/sbin/httpd -DFOREGROUND
		  ├─7806 /usr/sbin/httpd -DFOREGROUND
		  ├─7807 /usr/sbin/httpd -DFOREGROUND
		  ├─7808 /usr/sbin/httpd -DFOREGROUND
		  ├─7809 /usr/sbin/httpd -DFOREGROUND
		  └─7810 /usr/sbin/httpd -DFOREGROUND

Feb 27 08:23:41 shopper2 systemd[1]: Starting The Apache HTTP Server...
Feb 27 08:23:43 shopper2 systemd[1]: Started The Apache HTTP Server.
Feb 28 09:23:01 shopper2 systemd[1]: Reloading The Apache HTTP Server.
Feb 28 09:23:01 shopper2 systemd[1]: Reloaded The Apache HTTP Server.
[root@probe ~]#
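The VirtualHost address, the ServerName and the certificate's Common Name have to agree or browsers will warn when connecting to the NST WUI. The check below is an added example, not part of the NST wiki page or of nstcert; it reads the values out of ssl.conf and, when given a certificate, out of the certificate too, and reports the first disagreement so it can be fixed before the reload. The function names are this example's own, the ssl.conf path is the page's, and openssl is assumed to be installed for the certificate part.

```bash
#!/bin/bash
# Added example, not part of the NST wiki page or the NST project: check that
# the address in the <VirtualHost ...:443> line of ssl.conf, its ServerName
# and the certificate's Common Name all agree. Function names are this
# example's own; /etc/httpd/conf.d/ssl.conf is the page's path; openssl is
# assumed to be installed.

# vhost_address <ssl.conf>: host part of the first "<VirtualHost X:443>" line
vhost_address() {
    sed -n -E 's/^[[:space:]]*<[Vv]irtual[Hh]ost[[:space:]]+([^>:[:space:]]+):443>.*/\1/p' "$1" | head -n 1
}

# server_name <ssl.conf>: first active (uncommented) ServerName, port stripped
server_name() {
    sed -n -E 's/^[[:space:]]*[Ss]erver[Nn]ame[[:space:]]+([^:[:space:]]+).*/\1/p' "$1" | head -n 1
}

# cert_common_name <server.crt>: CN from the certificate subject; handles both
# the "CN = x" and the older "/CN=x" output styles of openssl x509 -subject
cert_common_name() {
    openssl x509 -in "$1" -noout -subject | sed -n -E 's|.*CN ?= ?([^,/]+).*|\1|p'
}

# check_ssl_vhost <ssl.conf> [server.crt]
# Prints "ok" when every name agrees, otherwise "mismatch:" followed by the
# values seen, so the wrong one can be corrected before reloading httpd.
check_ssl_vhost() {
    local conf="$1" crt="${2:-}" addr name cn
    addr=$(vhost_address "$conf")
    name=$(server_name "$conf")
    cn="$addr"
    [ -n "$crt" ] && cn=$(cert_common_name "$crt")
    if [ -n "$addr" ] && [ "$addr" = "$name" ] && [ "$addr" = "$cn" ]; then
        echo "ok"
    else
        echo "mismatch: VirtualHost=${addr:-none} ServerName=${name:-none} CN=${cn:-none}"
    fi
}

# Typical use on an NST system, after installing the nstcert output:
#   check_ssl_vhost /etc/httpd/conf.d/ssl.conf /etc/httpd/conf/ssl.crt/server.crt
```

A certificate whose CN is an IP address satisfies this check but modern browsers match on the Subject Alternative Name rather than the CN; the CN comparison is still the quickest way to catch a transposed address like the one this check was written for.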

 

Create/Change Apache Self-Signed SSL Certificate and Key

The following commands can be used when setting up or changing an "SSL" key for the Apache Web Server that does not require a "passphrase" to be entered during normal operations. They also produce a "self-signed certificate", so you will not need to deal with certificate requests and Certificate Authorities (CAs). The sequence of events is to create a passphrase-protected (3DES-encrypted) RSA key, remove the passphrase and then generate a self-signed certificate.

All commands shown can be done on an NST probe at the Bash Shell command prompt. First we need to generate the "Private Key":

Step: 1 - Generate RSA Private Key: 3DES 1024 Bits
[root@probe cert]# openssl genrsa -des3 -out pass.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for pass.key:
Verifying - Enter pass phrase for pass.key:
[root@probe cert]#
[root@probe cert]# ls -al
total 4
drwxr-xr-x 2 root root   0 Mar 29 07:19 .
drwxrwxrwt 4 root root   0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 963 Mar 29 07:19 pass.key
[root@probe cert]#


--Or-- optionally use a stronger cipher:

Step: 1 - Generate RSA Private Key: AES-256 2048 Bits
[root@probe cert]# openssl genrsa -aes256 -out pass.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for pass.key:
Verifying - Enter pass phrase for pass.key:
[root@probe cert]#
[root@probe cert]# ls -al
total 4
drwxr-xr-x 2 root root    0 Mar 29 07:31 .
drwxrwxrwt 4 root root    0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
[root@probe cert]#


Next we will write the key, with its passphrase removed, to the file "server.key" so that Apache can start without prompting for one:

Step: 2 - Generate Server Key Store Without Passphrase
[root@probe cert]# openssl rsa -in pass.key -out server.key
Enter pass phrase for pass.key:
writing RSA key
[root@probe cert]#
[root@probe cert]# ls -al
total 8
drwxr-xr-x 2 root root    0 Mar 29 07:45 .
drwxrwxrwt 4 root root    0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
-rw-r--r-- 1 root root 1675 Mar 29 07:45 server.key
[root@probe cert]#


Next we will generate a 1 year "self-signed certificate":

Step: 3 - Generate A 1 Year Self-Signed Certificate
[root@probe cert]# openssl req -new -key server.key -x509 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:Newburgh
Organization Name (eg, company) [My Company Ltd]:Secure Computing
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:www.securecomputing.com
Email Address []:radmin@securecomputing.com
[root@probe cert]#
[root@probe cert]# ls -al
total 12
drwxr-xr-x 2 root root    0 Mar 29 07:57 .
drwxrwxrwt 4 root root    0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
-rw-r--r-- 1 root root 1797 Mar 29 07:57 server.crt
-rw-r--r-- 1 root root 1675 Mar 29 07:45 server.key
[root@probe cert]#


Finally, install your new key store "server.key" and certificate "server.crt" into the Apache SSL directories referenced by the "SSLCertificateKeyFile" and "SSLCertificateFile" directives, and then restart your Apache Web Server.

Step: 4 - Install Key/Certificate & Restart Apache
[root@probe cert]# cp -p server.crt /etc/httpd/conf/ssl.crt/
[root@probe cert]# cp -p server.key /etc/httpd/conf/ssl.key/
[root@probe cert]# apachectl restart
[root@probe cert]#
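The same four steps can be run without any prompts and with the result checked before anything is copied into Apache's directories. This is an added example, not the NST wiki page's or the NST project's code; it generates the key unencrypted in the first place (so the page's passphrase-removal step is unnecessary), uses the page's stronger 2048-bit size, sets the subject from the command line with the values typed in the session above, and verifies that the key has no passphrase and belongs to the certificate. The function names are this example's own; openssl is assumed to be installed.

```bash
#!/bin/bash
# Added example, not part of the NST wiki page or the NST project: produce an
# unencrypted RSA key and a one-year self-signed certificate in one pass, with
# no prompts, and verify the pair before it goes into Apache's ssl.key and
# ssl.crt directories. Subject values mirror the page's interactive session;
# the function names are this example's own. openssl is assumed installed.

# make_selfsigned <outdir> <common_name> [days]
# Writes <outdir>/server.key (mode 0600, never encrypted) and
# <outdir>/server.crt (self-signed, <days> validity, default 365).
make_selfsigned() {
    local out="$1" cn="$2" days="${3:-365}"
    mkdir -p "$out"
    # umask 077 so the private key is readable by root only from the start
    (umask 077 && openssl genrsa -out "$out/server.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$out/server.key" -out "$out/server.crt" -days "$days" \
        -subj "/C=US/ST=New York/L=Newburgh/O=Secure Computing/OU=Engineering/CN=$cn" 2>/dev/null
}

# key_matches_cert <server.key> <server.crt>
# "yes" when the RSA moduli agree, i.e. the certificate really carries this
# key's public half; "no" otherwise. Expects an unencrypted key.
key_matches_cert() {
    local k c
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# key_is_encrypted <server.key>
# "yes" if httpd would have to ask for a passphrase at startup: both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# label contain the word ENCRYPTED.
key_is_encrypted() {
    if grep -q 'ENCRYPTED' "$1"; then echo yes; else echo no; fi
}

# cert_common_name <server.crt>: CN from the subject, as a quick sanity check
cert_common_name() {
    openssl x509 -in "$1" -noout -subject | sed -n -E 's|.*CN ?= ?([^,/]+).*|\1|p'
}

# Typical use, followed by the page's step 4:
#   make_selfsigned ./cert www.securecomputing.com 365
#   cp -p cert/server.crt /etc/httpd/conf/ssl.crt/
#   cp -p cert/server.key /etc/httpd/conf/ssl.key/
#   apachectl restart
```

If key_matches_cert prints "no" after an edit, Apache will refuse to start with an "X509_check_private_key" style error; catching it here is cheaper than a failed restart on a remote probe.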

References

http://www.apache.org/httpd/
Information on configuring the httpd process.
http://www.rpatrick.com/tech/makecert/
Apache Self-Signed SSL Certificate and Key - Quick and Dirty
http://www.madboa.com/geek/openssl/
OpenSSL Command-Line HOWTO
http://nst.sourceforge.net/nst/docs/scripts/nstcert.html
NST script to automate Apache key, certificate and configuration: "nstcert"