Solved

BAD BAD THING

Posted on 2004-04-15
22
367 Views
Last Modified: 2010-04-22
PLEASE LOOK AT : http://www.experts-exchange.com/Operating_Systems/Linux/Q_20955660.html

I will give away 1000 (1 question in two places) but it is urgent and critical.

How do I protect a Linux server from getting hacked or crawled by tools that do (they call it so :)))) mirroring, or basically
download the complete site including files, images, code etc.?

Thank you.

Question by:fpoyavo
22 Comments
 
LVL 7

Expert Comment

by:IceRaven
ID: 10838541
Block port 80 NOW!

IceRaven.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10838556
Or shut down apache / tomcat
I wouldn't leave this open to a public network!

IceRaven.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838588
The problem is that a couple of days ago our management had a conversation with clients and they said they can run our application on port
80 only (before we had 8080 for Tomcat and 8081 for Apache) and I was against it but....they say we do :)

Fortunately I was off two days and they did it themselves. Lucky me :))) So... tell me how to explain this security glitch to people above
and maybe there is some way to work around? Or maybe port 80 is not what a normal multibillion company would use to share
valuable data? :)))) Life is funny.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10838637
Questions.
What is running on port 80?  Apache/Tomcat

If everything works on 8080 but not 80, just redirect port 80 to port 8080.

You really need to secure it much more than this SSL, for a start.  But one thing at a time.

IceRaven.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838660
What happened is that they mapped port 80 from outside to our Tomcat port 8080.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10838675
So port 8080 has always had these problems?  Or you don't know because you just discovered them?

IceRaven.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838701
Or you don't know because you just discovered them?

TRUE.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838715
I assume 8080 might have this problem before it was mapped.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10839076
How do I fix it ?
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10839831
Can you post your httpd.conf file?

IceRaven.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10839890
This is what I am looking for....

--Snip--

How do I turn automatic directory listings on or off?
If a client requests a URL that designates a directory and the directory does not contain a filename that matches the DirectoryIndex directive, then mod_autoindex can be configured to present a listing of the directory contents.

To turn on automatic directory indexing, find the Options directive that applies to the directory and add the Indexes keyword. For example:

<Directory /path/to/directory>
   Options +Indexes
</Directory>
To turn off automatic directory indexing, remove the Indexes keyword from the appropriate Options line. To turn off directory listing for a particular subdirectory, you can use Options -Indexes. For example:

<Directory /path/to/directory>
   Options -Indexes
</Directory>

--Snip--

Hope it helps.

IceRaven.
0

 
LVL 1

Author Comment

by:fpoyavo
ID: 10842418
How do I protect 8080 ?
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10843222
Turn off automatic directory listings.

IceRaven.
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10843868
IceRaven,

I did that but it is still the same. If I remove index.html from directory it can be browsed.

What's next guys ?
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10843917
I can't think of anything else, sorry.

If you could post your httpd.conf file, I might see something there.  
Otherwise, Hope someone helps you out!

Cheers,
IceRaven.
0
 
LVL 10

Expert Comment

by:Mercantilum
ID: 10844271
1 - Try

<Directory />
   Options -Indexes
</Directory>

for any case not covered (link...) by previous directives.

2 - Do a "grep -i index httpd.conf" to detect any +Indexes you may have somewhere you did not see.

3 - If it still does not work, check for an apache update (stay in 1.x or 2.x, the change from 1 to 2 is not that straight...)
0
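The two posts above (IceRaven's +Indexes/-Indexes explanation and Mercantilum's "grep -i index httpd.conf" step) both come down to finding every Options line that still turns listings on. The script below is an added example, not code from the thread or from Apache: it walks an httpd.conf, remembers which <Directory> block it is in, and reports only the Options lines that enable listings (a bare Indexes, +Indexes, or All, which includes Indexes), skipping the -Indexes lines that already disable them. The sample config it audits is constructed; the /opt/testapp/www path is from the thread, the uploads and docs subdirectories are made up.

```sh
#!/bin/sh
# Added example (not from the thread): audit an httpd.conf for Options lines
# that turn automatic directory listings on. Unlike a plain "grep -i index",
# it names the <Directory> block each hit belongs to and ignores "-Indexes".

# audit_indexes FILE
# Prints "<directory><TAB><options line>" for every Options line that enables
# listings: a bare "Indexes", "+Indexes", or "All" (which includes Indexes).
# Comment lines are skipped; names are matched case-insensitively, as Apache does.
audit_indexes() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]/ {
            dir = $0
            sub(/^[[:space:]]*<[^[:space:]]+[[:space:]]+/, "", dir)   # drop "<Directory "
            sub(/>[[:space:]]*$/, "", dir)                            # drop the closing ">"
            gsub(/"/, "", dir)
            next
        }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { dir = ""; next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "indexes" || t == "+indexes" || t == "all" || t == "+all") {
                    printf "%s\t%s\n", (dir == "" ? "(server-wide)" : dir), $0
                    break
                }
            }
        }
    ' "$1"
}

# make_sample_conf
# Writes a constructed httpd.conf fragment (uploads and docs dirs are made up)
# and prints its path. The "Options FollowSymLinks" line without +/- replaces
# the whole option set, so the root block ends up without Indexes either way.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/testapp/www">
    Options -Indexes
</Directory>

# a stray +Indexes that a visual scan can easily miss
<Directory "/opt/testapp/www/uploads">
    Options +Indexes FollowSymLinks
</Directory>

<Directory "/opt/testapp/www/docs">
    # listings enabled with the bare keyword
    Options Indexes MultiViews
</Directory>
EOF
    printf '%s\n' "$f"
}

conf=$(make_sample_conf)
audit_indexes "$conf"     # reports the uploads and docs blocks only
rm -f "$conf"
```

Run it against the real file with audit_indexes /opt/testapp/apache/conf/httpd.conf (path as in the thread); an empty result means no block in that file enables listings, though it says nothing about a server listening on a different port.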
 
LVL 1

Author Comment

by:fpoyavo
ID: 10844574
I did it for all <Directory> tags; the only ones left are:

<IfModule mod_autoindex.c>
IndexOptions FancyIndexing
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

Should I do something with these ones ?
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10844593
Does anything have to be done for Tomcat? I believe our stuff is running on Tomcat /webapps.
 
0
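Since the thread says port 80 is mapped straight to Tomcat on 8080, requests arriving there never pass through Apache, so httpd.conf cannot hide anything for them. Tomcat's own directory listings are controlled by the "listings" init-param of its DefaultServlet (servlet-name "default") in conf/web.xml. The script below is an added example, not from the thread or from Tomcat: it reads that parameter and reports whether listings are off. The web.xml fragments it checks are constructed; the real path on this box would be under /opt/testapp/tomcat/conf (assumed from the thread's layout).

```sh
#!/bin/sh
# Added example (not from the thread): read the DefaultServlet "listings"
# init-param from a Tomcat conf/web.xml and say whether listings are disabled.

# tomcat_listings FILE
# Prints the value of the "listings" init-param found in FILE, or "unset"
# when the parameter is absent.
tomcat_listings() {
    awk '
        /<param-name>[[:space:]]*listings[[:space:]]*<\/param-name>/ { want = 1; next }
        want && /<param-value>/ {
            v = $0
            sub(/.*<param-value>[[:space:]]*/, "", v)
            sub(/[[:space:]]*<\/param-value>.*/, "", v)
            print v
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# listings_disabled FILE
# Succeeds only when the parameter is explicitly "false".
listings_disabled() {
    [ "$(tomcat_listings "$1")" = "false" ]
}

# make_sample_webxml VALUE
# Writes a constructed web.xml with the DefaultServlet's listings set to VALUE
# and prints its path.
make_sample_webxml() {
    f=$(mktemp)
    cat > "$f" <<EOF
<web-app>
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>$1</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
</web-app>
EOF
    printf '%s\n' "$f"
}

# Weak setting beside the hardened one.
for setting in true false; do
    f=$(make_sample_webxml "$setting")
    if listings_disabled "$f"; then
        echo "listings=$setting: directory listings disabled"
    else
        echo "listings=$setting: directory listings ENABLED; set listings to false and restart Tomcat"
    fi
    rm -f "$f"
done
```

Tomcat reads conf/web.xml at startup, so a change only takes effect after a restart; an "unset" result means the parameter is missing and the server's built-in default applies, which this script deliberately does not treat as safe.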
 
LVL 1

Author Comment

by:fpoyavo
ID: 10844817
How can I see if Apache or Tomcat is using the updated httpd.conf?
0
 
LVL 1

Author Comment

by:fpoyavo
ID: 10844959
Here is httpd.conf :

ServerType standalone

ServerRoot "/opt/testapp/apache"

PidFile /opt/testapp/apache/logs/httpd.pid

ScoreBoardFile /opt/testapp/apache/logs/httpd.scoreboard

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 10

StartServers 5

MaxClients 150

MaxRequestsPerChild 0

LoadModule fastcgi_module     libexec/mod_fastcgi.so

Port 8081

User testapp
Group testapp

ServerAdmin testapp@localhost.localdomain

DocumentRoot "/opt/testapp/www"


<Directory "/opt/testapp/tomcat/webapps">
      Options -Indexes
</Directory>

<Directory "/opt/testapp/tomcat/webapps/sample">
      Options -Indexes
</Directory>


<Directory "/opt/testapp/tomcat/webapps/sample">
      Options -Indexes
      AuthType Basic
      AuthName "Please provide user and password"
      AuthUserFile /opt/testapp/apache/passwd/passwords
        Require user testuser
</Directory>


<Directory "/opt/testapp/tomcat">
      Options -Indexes
</Directory>


<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/testapp/www/cgi-bin">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
      <ifModule mod_fastcgi.c>
            AddHandler fastcgi-script .fcgi
      </ifModule>
</Directory>


<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>


<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>


AccessFileName .htaccess


<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


UseCanonicalName On


<IfModule mod_mime.c>
    TypesConfig /opt/testapp/apache/conf/mime.types
</IfModule>


DefaultType text/plain


<IfModule mod_mime_magic.c>
    MIMEMagicFile /opt/testapp/apache/conf/magic
</IfModule>


HostnameLookups Off


ErrorLog /opt/testapp/apache/logs/error_log


LogLevel warn


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent


CustomLog /opt/testapp/apache/logs/access_log common


ServerSignature On




<IfModule mod_alias.c>

   

    <Directory "/opt/testapp/apache/icons">
        Options -Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

   
    ScriptAlias /cgi-bin/ "/opt/testapp/www/cgi-bin/"

   
    <Directory "/opt/testapp/apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</IfModule>

 
<IfModule mod_autoindex.c>

    #
    # FancyIndexing is whether you want fancy directory indexing or standard
    #
    IndexOptions FancyIndexing

    #
    # AddIcon* directives tell the server which icon to show for different
    # files or filename extensions.  These are only displayed for
    # FancyIndexed directories.
    #
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^

    #
    # DefaultIcon is which icon to show for files which do not have an icon
    # explicitly set.
    #
    DefaultIcon /icons/unknown.gif

    #
    # AddDescription allows you to place a short description after a file in
    # server-generated indexes.  These are only displayed for FancyIndexed
    # directories.
    # Format: AddDescription "description" filename
    #
    AddDescription "GZIP compressed document" .gz
    AddDescription "tar archive" .tar
    AddDescription "GZIP compressed tar archive" .tgz

    #
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes.
    #
    # If MultiViews are amongst the Options in effect, the server will
    # first look for name.html and include it if found.  If name.html
    # doesn't exist, the server will then look for name.txt and include
    # it as plaintext if found.
    #
    ReadmeName README
    HeaderName HEADER

    #
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing.  Shell-style wildcarding is permitted.
    #
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

</IfModule>
# End of indexing directives.

#
# Document types.
#
<IfModule mod_mime.c>

    #
    # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
    # information on the fly. Note: Not all browsers support this.
    # Despite the name similarity, the following Add* directives have nothing
    # to do with the FancyIndexing customization directives above.
    #
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz

    #
    # AddLanguage allows you to specify the language of a document. You can
    # then use content negotiation to give a browser a file in a language
    # it can understand.  
    #
    # Note 1: The suffix does not have to be the same as the language
    # keyword --- those with documents in Polish (whose net-standard
    # language code is pl) may wish to use "AddLanguage pl .po" to
    # avoid the ambiguity with the common suffix for perl scripts.
    #
    # Note 2: The example entries below illustrate that in quite
    # some cases the two character 'Language' abbreviation is not
    # identical to the two character 'Country' code for its country,
    # E.g. 'Danmark/dk' versus 'Danish/da'.
    #
    # Note 3: In the case of 'ltz' we violate the RFC by using a three char
    # specifier. But there is 'work in progress' to fix this and get
    # the reference data for rfc1766 cleaned up.
    #
    # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
    # French (fr) - German (de) - Greek-Modern (el)
    # Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
    # Portugese (pt) - Luxembourgeois* (ltz)
    # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
    # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
    # Russian (ru)
    #
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage he .he
    AddCharset ISO-8859-8 .iso8859-8
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage kr .kr
    AddCharset ISO-2022-KR .iso-kr
    AddLanguage nn .nn
    AddLanguage no .no
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .sv
    AddLanguage cz .cz
    AddLanguage ru .ru
    AddLanguage zh-tw .tw
    AddLanguage tw .tw
    AddCharset Big5         .Big5    .big5
    AddCharset WINDOWS-1251 .cp-1251
    AddCharset CP866        .cp866
    AddCharset ISO-8859-5   .iso-ru
    AddCharset KOI8-R       .koi8-r
    AddCharset UCS-2        .ucs2
    AddCharset UCS-4        .ucs4
    AddCharset UTF-8        .utf8

    # LanguagePriority allows you to give precedence to some languages
    # in case of a tie during content negotiation.
    #
    # Just list the languages in decreasing order of preference. We have
    # more or less alphabetized them here. You probably want to change this.
    #
    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    #
    # AddType allows you to tweak mime.types without actually editing it, or to
    # make certain files to be certain types.
    #
    AddType application/x-tar .tgz
    AddType image/x-icon .ico

    #
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)
    #
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    AddHandler cgi-script .pl

    #
    # To use server-parsed HTML files
    #
    #AddType text/html .shtml
    #AddHandler server-parsed .shtml

    #
    # Uncomment the following line to enable Apache's send-asis HTTP file
    # feature
    #
    #AddHandler send-as-is asis

    #
    # If you wish to use server-parsed imagemap files, use
    #
    #AddHandler imap-file map

    #
    # To enable type maps, you might want to use
    #
    #AddHandler type-map var

</IfModule>
 

 
<IfModule mod_setenvif.c>

     
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

     
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

</IfModule>
# End of browser customization directives

 
#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On

#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your-domain.com
#    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "/opt/testapp/apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a-domain.com another-domain.edu joes.garage-sale.com

#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>


0
 
LVL 5

Accepted Solution

by:
willy134 earned 500 total points
ID: 10846063
<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

Comment out this section.  See if that will hide it.
0
 
LVL 7

Expert Comment

by:IceRaven
ID: 10851809
Willy134, how is this possible!
Options -Indexes is supposed to turn automatic directory browsing OFF, not ON.  Why did it work?

Cheers,
IceRaven.
0