Apache Notes: Difference between revisions
Line 105: | Line 105: | ||
</div> | </div> | ||
'''--Or--''' optionally use a stronger cipher: | '''--Or--''' optionally use a <u>'''stronger'''</u> cipher: | ||
<div class="screen"> | <div class="screen"> | ||
<div class="screenTitle">Step: 1 - Generate RSA Private Key: AES-256 2048 Bits</div> | <div class="screenTitle">Step: 1 - Generate RSA Private Key: AES-256 2048 Bits</div> |
Revision as of 06:44, 29 March 2007
Apache Notes
This document provides information related to the Apache Web Server (httpd daemon) used in the NST distribution.
Security Violations
A default Apache configuration and installation tries very hard to keep the system secure. Unfortunately, these security settings make it impossible to provide the functionality we desired in the creation of the NST WUI (we needed to do things as the root user which a standard Apache installation should never permit). In particular, we have done the following:
- We made the apache user part of the root and nagios groups.
- We made it possible for the apache user to run ANY command on the system as root via the sudo command (this was done by updating the configuration file: "/etc/sudoers").
We convinced ourselves that the security violations we introduced into our Apache configuration were acceptable for the following reasons:
- We configured the httpd process such that it only accepted SSL connections.
- We configured the httpd process such that one could not gain access to it without first logging in as root.
We treat the web server on a NST system as a "pseudo" terminal access point for the root user.
Tightening Security
You can tighten security on a NST web server by limiting what systems are permitted to access which resources. This is done by adding (or replacing) the Order, Allow and Deny directives within the Directory entities that appear in the many configuration files. For example, if you wanted to limit access to the NST WUI to the local system and the system having a IP address of: "192.168.100.29", you would specify the Order and Deny directives as shown below in the file: "/etc/httpd/conf.d/nstwui.conf".
# # Directives to allow use of the nstwui-1.5.0 as a CGI <Directory "/usr/local/nstwui-1.5.0"> DirectoryIndex index.cgi index.html index.html.var index.php index.php3 Options Indexes FollowSymLinks ExecCGI +Includes Order allow,deny Allow from 127.0.0.1 192.168.100.29/32 AuthType Basic AuthName "NST WUI: System Management" AuthUserFile "/etc/httpd/conf/htuser.nst" require user root </Directory> Alias /nstwui "/usr/local/nstwui-1.5.0"
There are MANY locations where this can be done. The file: "/etc/httpd/conf/httpd.conf" contains numerous Directory entities (including the top level setting), and the directory: "/etc/httpd/conf.d" contains numerous configuration files containing Directory entities.
If you want to completely disable the web service on a NST probe, run the following commands:
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Using The NST As A Public Web Server
In general, one should NEVER open a NST probe up to public access. Only those that are very comfortable with configuring Apache web servers should consider it.
If you are really determined to use the NST probe as a public access point, at a minimum you should:
- Remove the apache user from the root and nagios groups in the file: "/etc/groups".
- Remove the apache line in the file: "/etc/sudoers".
- Remove the files: "/etc/httpd/conf.d/nstwui.conf" and "/etc/httpd/conf.d/fs.conf".
- Restart the httpd service.
Once the above steps have been completed, the web server will be in a much more secure state and you should be able to start editing the configuration file(s). In particular, it is recommended to replace all Order, Allow and Deny lines in Directory entities which you do not want to share with the following:
Order Allow,Deny Deny from All
Create/Change Apache Self-Signed SSL Certificate and Key
The following commands can be used when setting up or changing an "SSL" key for Apache Web Server that doesn't require a "passphrase" to be entered during normal operations. It also includes a "self-signed certificate" so you will not need to deal with certificate requests and Certificate Authorities (CA)s. The sequence of events is to create a 3DES key, remove the passphrase and then generate a self-signed certificate.
All commands shown can be done on an NST probe at the Bash Shell command prompt:
Generating RSA private key, 1024 bit long modulus ...............++++++ .++++++ e is 65537 (0x10001) Enter pass phrase for pass.key: Verifying - Enter pass phrase for pass.key:
total 4 drwxr-xr-x 2 root root 0 Mar 29 07:19 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 963 Mar 29 07:19 pass.key
--Or-- optionally use a stronger cipher:
Generating RSA private key, 2048 bit long modulus ..................................................................+++ ....+++ e is 65537 (0x10001) Enter pass phrase for pass.key: Verifying - Enter pass phrase for pass.key:
total 4 drwxr-xr-x 2 root root 0 Mar 29 07:31 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
References
- http://www.apache.org/httpd/
- Information on configuring the httpd process.