Difference between revisions of "Apache Notes"

From NST Wiki
Jump to navigationJump to search
(Create/Change Apache Self-Signed SSL Certificate and Key)
(Create/Change Apache Self-Signed SSL Certificate and Key)
Line 84: Line 84:
  
 
<div class="screen">
 
<div class="screen">
   <div class="screenTitle">Step: 1 - Create RSA Private Key: 3DES 1024 Bits</div>
+
   <div class="screenTitle">Step: 1 - Generate RSA Private Key: 3DES 1024 Bits</div>
 
   <div class="userInput"><span class="prompt">[root@probe cert]# </span>openssl genrsa -des3 -out pass.key 1024</div>
 
   <div class="userInput"><span class="prompt">[root@probe cert]# </span>openssl genrsa -des3 -out pass.key 1024</div>
 
   <pre class="computerOutput">
 
   <pre class="computerOutput">
Line 107: Line 107:
 
Or optionally use a stronger cipher:
 
Or optionally use a stronger cipher:
 
<div class="screen">
 
<div class="screen">
   <div class="screenTitle">Step: 1 - Create RSA Private Key: AES-256 2048 Bits</div>
+
   <div class="screenTitle">Step: 1 - Generate RSA Private Key: AES-256 2048 Bits</div>
 
   <div class="userInput"><span class="prompt">[root@probe cert]# </span>openssl genrsa -aes256 -out pass.key 2048</div>
 
   <div class="userInput"><span class="prompt">[root@probe cert]# </span>openssl genrsa -aes256 -out pass.key 2048</div>
 
   <pre class="computerOutput">
 
   <pre class="computerOutput">

Revision as of 06:38, 29 March 2007

Apache Notes

This document provides information related to the Apache Web Server (httpd daemon) used in the NST distribution.

Security Violations

A default Apache configuration and installation tries very hard to keep the system secure. Unfortunately, these security settings make it impossible to provide the functionality we desired in the creation of the NST WUI (we needed to do things as the root user which a standard Apache installation should never permit). In particular, we have done the following:

  1. We made the apache user part of the root and nagios groups.
  2. We made it possible for the apache user to run ANY command on the system as root via the sudo command (this was done by updating the configuration file: "/etc/sudoers").

We convinced ourselves that the security violations we introduced into our Apache configuration were acceptable for the following reasons:

  1. We configured the httpd process such that it only accepted SSL connections.
  2. We configured the httpd process such that one could not gain access to it without first logging in as root.

We treat the web server on a NST system as a "pseudo" terminal access point for the root user.


Tightening Security

You can tighten security on a NST web server by limiting what systems are permitted to access which resources. This is done by adding (or replacing) the Order, Allow and Deny directives within the Directory entities that appear in the many configuration files. For example, if you wanted to limit access to the NST WUI to the local system and the system having a IP address of: "192.168.100.29", you would specify the Order and Deny directives as shown below in the file: "/etc/httpd/conf.d/nstwui.conf".

#
# Directives to allow use of the nstwui-1.5.0 as a CGI
<Directory "/usr/local/nstwui-1.5.0">
  DirectoryIndex index.cgi index.html index.html.var index.php index.php3
  Options Indexes FollowSymLinks ExecCGI +Includes

  Order allow,deny
  Allow from 127.0.0.1 192.168.100.29/32

  AuthType Basic
  AuthName "NST WUI: System Management"
  AuthUserFile "/etc/httpd/conf/htuser.nst"
  require user root
</Directory>

Alias /nstwui "/usr/local/nstwui-1.5.0"

There are MANY locations where this can be done. The file: "/etc/httpd/conf/httpd.conf" contains numerous Directory entities (including the top level setting), and the directory: "/etc/httpd/conf.d" contains numerous configuration files containing Directory entities.

If you want to completely disable the web service on a NST probe, run the following commands:

Commands: "service" & "chkconfig"
[root@probe ~]# service httpd off
[root@probe ~]#
[root@probe ~]# chkconfig httpd off
[root@probe ~]#
[root@probe ~]# chkconfig --list httpd
httpd            0:off   1:off   2:off    3:off    4:off    5:off    6:off
[root@probe ~]#


Using The NST As A Public Web Server

In general, one should NEVER open a NST probe up to public access. Only those that are very comfortable with configuring Apache web servers should consider it.

If you are really determined to use the NST probe as a public access point, at a minimum you should:

  • Remove the apache user from the root and nagios groups in the file: "/etc/groups".
  • Remove the apache line in the file: "/etc/sudoers".
  • Remove the files: "/etc/httpd/conf.d/nstwui.conf" and "/etc/httpd/conf.d/fs.conf".
  • Restart the httpd service.

Once the above steps have been completed, the web server will be in a much more secure state and you should be able to start editing the configuration file(s). In particular, it is recommended to replace all Order, Allow and Deny lines in Directory entities which you do not want to share with the following:

Order Allow,Deny
Deny from All


Create/Change Apache Self-Signed SSL Certificate and Key

The following commands can be used when setting up or changing an "SSL" key for Apache Web Server that doesn't require a "passphrase" to be entered during normal operations. It also includes a "self-signed certificate" so you needn't bother with certificate requests and CAs. The sequence of events is to create a 3DES key, remove the passphrase, and then generate a self-signed certificate.

All commands shown can be done on an NST probe at the Bash Shell command prompt:

Step: 1 - Generate RSA Private Key: 3DES 1024 Bits
[root@probe cert]# openssl genrsa -des3 -out pass.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for pass.key:
Verifying - Enter pass phrase for pass.key:
[root@probe cert]#
[root@probe cert]# ls -al
total 4
drwxr-xr-x 2 root root   0 Mar 29 07:19 .
drwxrwxrwt 4 root root   0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 963 Mar 29 07:19 pass.key
[root@probe cert]#

Or optionally use a stronger cipher:

Step: 1 - Generate RSA Private Key: AES-256 2048 Bits
[root@probe cert]# openssl genrsa -aes256 -out pass.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for pass.key:
Verifying - Enter pass phrase for pass.key:
[root@probe cert]#
[root@probe cert]# ls -al
total 4
drwxr-xr-x 2 root root    0 Mar 29 07:31 .
drwxrwxrwt 4 root root    0 Mar 29 07:19 ..
-rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
[root@probe cert]#

References

http://www.apache.org/httpd/ 
Information on configuring the httpd process.