Apache Notes
Apache Notes
This document provides information related to the Apache Web Server (httpd daemon) used in the NST distribution.
Security Violations
A default Apache configuration and installation tries very hard to keep the system secure. Unfortunately, these security settings make it impossible to provide the functionality we desired in the creation of the NST WUI (we needed to do things as the root user which a standard Apache installation should never permit). In particular, we have done the following:
- We made the apache user part of the root and nagios groups.
- We made it possible for the apache user to run ANY command on the system as root via the sudo command (this was done by updating the configuration file: "/etc/sudoers").
We convinced ourselves that the security violations we introduced into our Apache configuration were acceptable for the following reasons:
- We configured the httpd process such that it only accepted SSL connections.
- We configured the httpd process such that one could not gain access to it without first logging in as root.
We treat the web server on a NST system as a "pseudo" terminal access point for the root user.
Tightening Security
You can tighten security on a NST web server by limiting what systems are permitted to access which resources. This is done by adding (or replacing) the Order, Allow and Deny directives within the Directory entities that appear in the many configuration files. For example, if you wanted to limit access to the NST WUI to the local system and the system having a IP address of: "192.168.100.29", you would specify the Order and Deny directives as shown below in the file: "/etc/httpd/conf.d/nstwui.conf".
# # Directives to allow use of the nstwui-1.5.0 as a CGI <Directory "/usr/local/nstwui-1.5.0"> DirectoryIndex index.cgi index.html index.html.var index.php index.php3 Options Indexes FollowSymLinks ExecCGI +Includes Order allow,deny Allow from 127.0.0.1 192.168.100.29/32 AuthType Basic AuthName "NST WUI: System Management" AuthUserFile "/etc/httpd/conf/htuser.nst" require user root </Directory> Alias /nstwui "/usr/local/nstwui-1.5.0"
There are MANY locations where this can be done. The file: "/etc/httpd/conf/httpd.conf" contains numerous Directory entities (including the top level setting), and the directory: "/etc/httpd/conf.d" contains numerous configuration files containing Directory entities.
If you want to completely disable the web service on a NST probe, run the following commands:
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Using The NST As A Public Web Server
In general, one should NEVER open a NST probe up to public access. Only those that are very comfortable with configuring Apache web servers should consider it.
If you are really determined to use the NST probe as a public access point, at a minimum you should:
- Remove the apache user from the root and nagios groups in the file: "/etc/groups".
- Remove the apache line in the file: "/etc/sudoers".
- Remove the files: "/etc/httpd/conf.d/nstwui.conf" and "/etc/httpd/conf.d/fs.conf".
- Restart the httpd service.
Once the above steps have been completed, the web server will be in a much more secure state and you should be able to start editing the configuration file(s). In particular, it is recommended to replace all Order, Allow and Deny lines in Directory entities which you do not want to share with the following:
Order Allow,Deny Deny from All
Create/Change Apache Self-Signed SSL Certificate and Key
The following commands can be used when setting up or changing an "SSL" key for Apache Web Server that doesn't require a "passphrase" to be entered during normal operations. It also includes a "self-signed certificate" so you will not need to deal with certificate requests and Certificate Authorities (CA)s. The sequence of events is to create a 3DES key, remove the passphrase and then generate a self-signed certificate.
All commands shown can be done on an NST probe at the Bash Shell command prompt. First we need to generate the "Private Key":
Generating RSA private key, 1024 bit long modulus ...............++++++ .++++++ e is 65537 (0x10001) Enter pass phrase for pass.key: Verifying - Enter pass phrase for pass.key:
total 4 drwxr-xr-x 2 root root 0 Mar 29 07:19 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 963 Mar 29 07:19 pass.key
--Or-- optionally use a stronger cipher:
Generating RSA private key, 2048 bit long modulus ..................................................................+++ ....+++ e is 65537 (0x10001) Enter pass phrase for pass.key: Verifying - Enter pass phrase for pass.key:
total 4 drwxr-xr-x 2 root root 0 Mar 29 07:31 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key
Next we will generate a decrypted key store in file: "server.key" without a "passphrase":
Enter pass phrase for pass.key: writing RSA key
total 8 drwxr-xr-x 2 root root 0 Mar 29 07:45 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key -rw-r--r-- 1 root root 1675 Mar 29 07:45 server.key
Next we will generate a 1 year "self-signed certificate":
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:Newburgh Organization Name (eg, company) [My Company Ltd]:Secure Computing Organizational Unit Name (eg, section) []:Engineering Common Name (eg, your name or your server's hostname) []:www.securecomputing.com Email Address []:radmin@securecomputing.com
total 12 drwxr-xr-x 2 root root 0 Mar 29 07:57 . drwxrwxrwt 4 root root 0 Mar 29 07:19 .. -rw-r--r-- 1 root root 1766 Mar 29 07:31 pass.key -rw-r--r-- 1 root root 1797 Mar 29 07:57 server.crt -rw-r--r-- 1 root root 1675 Mar 29 07:45 server.key
Finally install your new key store: "server.key" and certificate: "server.crt" to the appropriate Apache configured SSL directories defined by the directives "SSLCertificateFile" and "SSLCertificateKeyFile" and then restart your Apache Web Server.
References
- http://www.apache.org/httpd/
- Information on configuring the httpd process.
- http://www.rpatrick.com/tech/makecert/
- Apache Self-Signed SSL Certificate and Key - Quick and Dirty
- http://www.madboa.com/geek/openssl/
- OpenSSL Command-Line HOWTO
- http://nst.sourceforge.net/nst/docs/scripts/nstcert.html
- NST script to automate Apache key and certificate: "nstcert"