  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 385

BAD BAD THING

PLEASE LOOK AT: http://www.experts-exchange.com/Operating_Systems/Linux/Q_20955660.html

I will give away 1000 (1 question in two places) but it is urgent and critical.

How do I protect a Linux server from getting hacked or crawled by tools that do (they call it so :)))) mirroring, or basically downloading the complete site including files, images, code, etc.?

Thank you.

Asked by fpoyavo
1 Solution
 
IceRavenCommented:
Block port 80 NOW!

IceRaven.
0
 
IceRavenCommented:
Or shut down apache / tomcat
I wouldn't leave this open to a public network!

IceRaven.
0
 
fpoyavoAuthor Commented:
The problem is that a couple of days ago our management had a conversation with clients and they said they can run our application on port 80 only (before we had 8080 for Tomcat and 8081 for Apache) and I was against it but....they say we do :)

Fortunately I was off two days and they did it themselves. Lucky me :))) So... tell me how to explain this security glitch to people above, and maybe there is some way to work around it? Or maybe port 80 is not what a normal multibillion company would use to share valuable data? :)))) Life is funny.
0
 
IceRavenCommented:
Questions.
What is running on port 80?  Apache/Tomcat

If everything works on 8080 but not 80, just redirect port 80 to port 8080.

You really need to secure it much more than this: SSL, for a start.  But one thing at a time.

IceRaven.
0
 
fpoyavoAuthor Commented:
What happened is that they mapped port 80 from outside to our Tomcat port 8080.
0
 
IceRavenCommented:
So port 8080 has always had these problems?  Or you don't know because you just discovered them?

IceRaven.
0
 
fpoyavoAuthor Commented:
Or you don't know because you just discovered them?

TRUE.
0
 
fpoyavoAuthor Commented:
I assume 8080 might have this problem before it was mapped.
0
 
fpoyavoAuthor Commented:
How do I fix it ?
0
 
IceRavenCommented:
Can you post your httpd.conf file?

IceRaven.
0
 
IceRavenCommented:
This is what I am looking for....

--Snip--

How do I turn automatic directory listings on or off?
If a client requests a URL that designates a directory and the directory does not contain a filename that matches the DirectoryIndex directive, then mod_autoindex can be configured to present a listing of the directory contents.

To turn on automatic directory indexing, find the Options directive that applies to the directory and add the Indexes keyword. For example:

<Directory /path/to/directory>
   Options +Indexes
</Directory>
To turn off automatic directory indexing, remove the Indexes keyword from the appropriate Options line. To turn off directory listing for a particular subdirectory, you can use Options -Indexes. For example:

<Directory /path/to/directory>
   Options -Indexes
</Directory>

--Snip--

Hope it helps.

IceRaven.
0
 
fpoyavoAuthor Commented:
How do I protect 8080 ?
0
 
IceRavenCommented:
Turn off automatic directory listings.

IceRaven.
0
 
fpoyavoAuthor Commented:
IceRaven ,

I did that but it is still the same. If I remove index.html from the directory it can be browsed.

What's next guys ?
0
 
IceRavenCommented:
I can't think of anything else, sorry.

If you could post your httpd.conf file, I might see something there.
Otherwise, I hope someone helps you out!

Cheers,
IceRaven.
0
 
MercantilumCommented:
1 - Try

<Directory />
   Options -Indexes
</Directory>

for any case not covered (link...) by previous directives.

2 - Do a "grep -i index httpd.conf" to detect any +Indexes you may have somewhere you did not see.

3 - If it still does not work, check for an apache update (stay in 1.x or 2.x, the change from 1 to 2 is not that straight...)
0
 
fpoyavoAuthor Commented:
I did that for all <Directory> tags; the only ones left are:

<IfModule mod_autoindex.c>
IndexOptions FancyIndexing
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

Should I do something with these ones ?
0
 
fpoyavoAuthor Commented:
Does anything have to be done for Tomcat? I believe our stuff is running on Tomcat /Webapps.
 
0
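Given the setup described earlier in the thread (port 80 mapped from outside to Tomcat on 8080, Apache on 8081), requests arriving on port 80 never pass through Apache, so Apache's Options directives cannot be what serves or blocks the listing. Tomcat generates directory listings itself, controlled by the `listings` init-param of the DefaultServlet (`org.apache.catalina.servlets.DefaultServlet`) in Tomcat's conf/web.xml. The script below is an added example, not from the thread or from Tomcat, that reads a web.xml, reports whether listings are enabled for the DefaultServlet, and produces a copy with the param forced to `false`; the embedded web.xml is a constructed sample shaped like Tomcat's default-servlet entry, and the `_local` helper is an assumption that handles both DTD-based and namespaced web.xml files.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample in the shape of the DefaultServlet entry in Tomcat's
# conf/web.xml (the real file carries many more servlets and mappings).
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Drop a namespace prefix ({uri}name -> name) so the same code works for
    DTD-based and namespaced web.xml files (assumed helper, not Tomcat API)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _listings_values(root):
    """Yield every <param-value> element of the DefaultServlet's 'listings'
    init-param (normally exactly one)."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "listings":
                for child in param:
                    if _local(child.tag) == "param-value":
                        yield child


def listings_enabled(web_xml_text):
    """True/False when the DefaultServlet's 'listings' param is set; None when
    it is absent (the built-in default then depends on the Tomcat version)."""
    values = [v.text for v in _listings_values(ET.fromstring(web_xml_text))]
    if not values:
        return None
    return (values[-1] or "").strip().lower() == "true"


def disable_listings(web_xml_text):
    """Return a copy of the web.xml text with 'listings' forced to false."""
    root = ET.fromstring(web_xml_text)
    for value in _listings_values(root):
        value.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("listings on:", listings_enabled(SAMPLE_WEB_XML))
    fixed = disable_listings(SAMPLE_WEB_XML)
    print("listings on after fix:", listings_enabled(fixed))
```

Run `listings_enabled` against the real `conf/web.xml` under the Tomcat install; after writing the changed file back, Tomcat has to be restarted before the new value takes effect, and re-checking a directory without an index page over port 80 confirms that the change was picked up.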
 
fpoyavoAuthor Commented:
How can I see if Apache or Tomcat is using the updated httpd.conf?
0
 
fpoyavoAuthor Commented:
Here is httpd.conf :

ServerType standalone


ServerRoot "/opt/testapp/apache"


PidFile /opt/testapp/apache/logs/httpd.pid


ScoreBoardFile /opt/testapp/apache/logs/httpd.scoreboard


Timeout 300


KeepAlive On


MaxKeepAliveRequests 100


KeepAliveTimeout 15


MinSpareServers 5
MaxSpareServers 10


StartServers 5


MaxClients 150


MaxRequestsPerChild 0


LoadModule fastcgi_module     libexec/mod_fastcgi.so


Port 8081


User testapp
Group testapp


ServerAdmin testapp@localhost.localdomain


DocumentRoot "/opt/testapp/www"


<Directory "/opt/testapp/tomcat/webapps">
      Options -Indexes
</Directory>

<Directory "/opt/testapp/tomcat/webapps/sample">
      Options -Indexes
</Directory>


<Directory "/opt/testapp/tomcat/webapps/sample">
      Options -Indexes
      AuthType Basic
      AuthName "Please provide user and password"
      AuthUserFile /opt/testapp/apache/passwd/passwords
        Require user testuser
</Directory>


<Directory "/opt/testapp/tomcat">
      Options -Indexes
</Directory>


<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/testapp/www/cgi-bin">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
      <ifModule mod_fastcgi.c>
            AddHandler fastcgi-script .fcgi
      </ifModule>
</Directory>


<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>


<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>


AccessFileName .htaccess


<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


UseCanonicalName On


<IfModule mod_mime.c>
    TypesConfig /opt/testapp/apache/conf/mime.types
</IfModule>


DefaultType text/plain


<IfModule mod_mime_magic.c>
    MIMEMagicFile /opt/testapp/apache/conf/magic
</IfModule>


HostnameLookups Off


ErrorLog /opt/testapp/apache/logs/error_log


LogLevel warn


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent


CustomLog /opt/testapp/apache/logs/access_log common


ServerSignature On




<IfModule mod_alias.c>

   

    <Directory "/opt/testapp/apache/icons">
        Options -Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

   
    ScriptAlias /cgi-bin/ "/opt/testapp/www/cgi-bin/"

   
    <Directory "/opt/testapp/apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</IfModule>

 
<IfModule mod_autoindex.c>

    #
    # FancyIndexing is whether you want fancy directory indexing or standard
    #
    IndexOptions FancyIndexing

    #
    # AddIcon* directives tell the server which icon to show for different
    # files or filename extensions.  These are only displayed for
    # FancyIndexed directories.
    #
    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*
    AddIconByType (IMG,/icons/image2.gif) image/*
    AddIconByType (SND,/icons/sound2.gif) audio/*
    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe
    AddIcon /icons/binhex.gif .hqx
    AddIcon /icons/tar.gif .tar
    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
    AddIcon /icons/a.gif .ps .ai .eps
    AddIcon /icons/layout.gif .html .shtml .htm .pdf
    AddIcon /icons/text.gif .txt
    AddIcon /icons/c.gif .c
    AddIcon /icons/p.gif .pl .py
    AddIcon /icons/f.gif .for
    AddIcon /icons/dvi.gif .dvi
    AddIcon /icons/uuencoded.gif .uu
    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
    AddIcon /icons/tex.gif .tex
    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..
    AddIcon /icons/hand.right.gif README
    AddIcon /icons/folder.gif ^^DIRECTORY^^
    AddIcon /icons/blank.gif ^^BLANKICON^^

    #
    # DefaultIcon is which icon to show for files which do not have an icon
    # explicitly set.
    #
    DefaultIcon /icons/unknown.gif

    #
    # AddDescription allows you to place a short description after a file in
    # server-generated indexes.  These are only displayed for FancyIndexed
    # directories.
    # Format: AddDescription "description" filename
    #
    AddDescription "GZIP compressed document" .gz
    AddDescription "tar archive" .tar
    AddDescription "GZIP compressed tar archive" .tgz

    #
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes.
    #
    # If MultiViews are amongst the Options in effect, the server will
    # first look for name.html and include it if found.  If name.html
    # doesn't exist, the server will then look for name.txt and include
    # it as plaintext if found.
    #
    ReadmeName README
    HeaderName HEADER

    #
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing.  Shell-style wildcarding is permitted.
    #
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

</IfModule>
# End of indexing directives.

#
# Document types.
#
<IfModule mod_mime.c>

    #
    # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
    # information on the fly. Note: Not all browsers support this.
    # Despite the name similarity, the following Add* directives have nothing
    # to do with the FancyIndexing customization directives above.
    #
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz

    #
    # AddLanguage allows you to specify the language of a document. You can
    # then use content negotiation to give a browser a file in a language
    # it can understand.  
    #
    # Note 1: The suffix does not have to be the same as the language
    # keyword --- those with documents in Polish (whose net-standard
    # language code is pl) may wish to use "AddLanguage pl .po" to
    # avoid the ambiguity with the common suffix for perl scripts.
    #
    # Note 2: The example entries below illustrate that in quite
    # some cases the two character 'Language' abbreviation is not
    # identical to the two character 'Country' code for its country,
    # E.g. 'Danmark/dk' versus 'Danish/da'.
    #
    # Note 3: In the case of 'ltz' we violate the RFC by using a three char
    # specifier. But there is 'work in progress' to fix this and get
    # the reference data for rfc1766 cleaned up.
    #
    # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
    # French (fr) - German (de) - Greek-Modern (el)
    # Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
    # Portugese (pt) - Luxembourgeois* (ltz)
    # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
    # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
    # Russian (ru)
    #
    AddLanguage da .dk
    AddLanguage nl .nl
    AddLanguage en .en
    AddLanguage et .ee
    AddLanguage fr .fr
    AddLanguage de .de
    AddLanguage el .el
    AddLanguage he .he
    AddCharset ISO-8859-8 .iso8859-8
    AddLanguage it .it
    AddLanguage ja .ja
    AddCharset ISO-2022-JP .jis
    AddLanguage kr .kr
    AddCharset ISO-2022-KR .iso-kr
    AddLanguage nn .nn
    AddLanguage no .no
    AddLanguage pl .po
    AddCharset ISO-8859-2 .iso-pl
    AddLanguage pt .pt
    AddLanguage pt-br .pt-br
    AddLanguage ltz .lu
    AddLanguage ca .ca
    AddLanguage es .es
    AddLanguage sv .sv
    AddLanguage cz .cz
    AddLanguage ru .ru
    AddLanguage zh-tw .tw
    AddLanguage tw .tw
    AddCharset Big5         .Big5    .big5
    AddCharset WINDOWS-1251 .cp-1251
    AddCharset CP866        .cp866
    AddCharset ISO-8859-5   .iso-ru
    AddCharset KOI8-R       .koi8-r
    AddCharset UCS-2        .ucs2
    AddCharset UCS-4        .ucs4
    AddCharset UTF-8        .utf8

    # LanguagePriority allows you to give precedence to some languages
    # in case of a tie during content negotiation.
    #
    # Just list the languages in decreasing order of preference. We have
    # more or less alphabetized them here. You probably want to change this.
    #
    <IfModule mod_negotiation.c>
        LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
    </IfModule>

    #
    # AddType allows you to tweak mime.types without actually editing it, or to
    # make certain files to be certain types.
    #
    AddType application/x-tar .tgz
    AddType image/x-icon .ico

    #
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)
    #
    # If you want to use server side includes, or CGI outside
    # ScriptAliased directories, uncomment the following lines.
    #
    # To use CGI scripts:
    #
    AddHandler cgi-script .pl

    #
    # To use server-parsed HTML files
    #
    #AddType text/html .shtml
    #AddHandler server-parsed .shtml

    #
    # Uncomment the following line to enable Apache's send-asis HTTP file
    # feature
    #
    #AddHandler send-as-is asis

    #
    # If you wish to use server-parsed imagemap files, use
    #
    #AddHandler imap-file map

    #
    # To enable type maps, you might want to use
    #
    #AddHandler type-map var

</IfModule>
 

 
<IfModule mod_setenvif.c>

     
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

     
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

</IfModule>
# End of browser customization directives

 
#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days.  This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org.  Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
#    Deny from all
#    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#    ProxyRequests On

#    <Directory proxy:*>
#        Order deny,allow
#        Deny from all
#        Allow from .your-domain.com
#    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
#    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "/opt/testapp/apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a-domain.com another-domain.edu joes.garage-sale.com

#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>


0
 
willy134Commented:
<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

Comment out this section.  See if that will hide it.
0
 
IceRavenCommented:
Willy134, how is this possible!
Options -Indexes is supposed to turn automatic directory browsing OFF, not ON.  Why did it work?

Cheers,
IceRaven.
0
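IceRaven's puzzle has a mechanical answer on the Apache side. Inside a `<Directory>` section, an `Options` line whose first keyword carries no `+` or `-` is absolute and replaces the whole option set, so in the posted `<Directory />` block `Options -Indexes` followed by `Options FollowSymLinks` leaves exactly FollowSymLinks in force, with Indexes already off. Deleting that block, as willy134 suggests, falls back to the Apache 1.3/2.2 default of `Options All`, which does include Indexes (the posted config is 1.3-era: `ServerType`, `ScoreBoardFile`, `Port 8081`). And because this Apache listens on 8081 while port 80 is mapped to Tomcat on 8080, none of it governs the requests the thread is about. The script below is an added example, not from the thread or from Apache, that models the Options merge rule over a constructed excerpt of the posted `<Directory>` blocks; the merge model (shortest matching path first, absolute replaces, `+`/`-` adjust) is a simplification of Apache's core merge, and the `ALL_OPTIONS` set is the assumed 1.3/2.2 meaning of `All` (everything except MultiViews).

```python
import re

# Assumed Apache 1.3/2.2 meaning of "Options All": every option except
# MultiViews. Apache 2.4 changed the default to FollowSymLinks only.
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}
_CANON = {o.lower(): o for o in ALL_OPTIONS | {"MultiViews"}}

# Constructed excerpt shaped like the <Directory> blocks posted in the thread.
SAMPLE_HTTPD_CONF = """
<Directory "/opt/testapp/tomcat">
      Options -Indexes
</Directory>

<Directory />
    Options -Indexes
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/testapp/www/cgi-bin">
      AllowOverride None
      Options None
</Directory>
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                     re.IGNORECASE | re.DOTALL)


def _norm(path):
    """Strip a trailing slash; the bare root stays "/"."""
    return path.rstrip("/") or "/"


def parse_directory_blocks(conf_text):
    """Return [(path, [[word, ...], ...]), ...]: each <Directory> block's path
    and the keyword list of every Options line inside it, in file order."""
    blocks = []
    for m in _DIR_RE.finditer(conf_text):
        words = []
        for line in m.group(2).splitlines():
            line = line.strip()
            if line.lower().startswith("options "):
                words.append(line.split(None, 1)[1].split())
        blocks.append((_norm(m.group(1)), words))
    return blocks


def apply_options(current, words):
    """Apply one Options directive to a set of option names.
    If the first keyword has no +/- prefix the directive is absolute and
    replaces the set; +word / -word adjust the inherited set. (Apache rejects
    a directive mixing both forms at startup; not checked here.)"""
    result = set() if words[0][0] not in "+-" else set(current)
    for w in words:
        sign = w[0] if w[0] in "+-" else "+"
        name = w.lstrip("+-").lower()
        if name == "none":
            result = set()
            continue
        targets = set(ALL_OPTIONS) if name == "all" else {_CANON.get(name, w.lstrip("+-"))}
        result = result | targets if sign == "+" else result - targets
    return result


def effective_options(conf_text, path, default=ALL_OPTIONS):
    """Options in force for a filesystem path: every matching <Directory> block
    is merged shortest-path first, as Apache does, starting from `default`."""
    path = _norm(path)
    options = set(default)
    matching = [(p, w) for p, w in parse_directory_blocks(conf_text)
                if p == "/" or path == p or path.startswith(p + "/")]
    for _, lines in sorted(matching, key=lambda b: len(b[0])):
        for words in lines:
            options = apply_options(options, words)
    return options


def remove_directory_block(conf_text, path):
    """Config text with the <Directory path> block deleted, which is what
    'comment out this section' amounts to."""
    path = _norm(path)
    return _DIR_RE.sub(lambda m: "" if _norm(m.group(1)) == path else m.group(0),
                       conf_text)


if __name__ == "__main__":
    for p in ("/opt/testapp/www", "/opt/testapp/tomcat/webapps", "/opt/testapp/www/cgi-bin"):
        print(p, sorted(effective_options(SAMPLE_HTTPD_CONF, p)))
    stripped = remove_directory_block(SAMPLE_HTTPD_CONF, "/")
    print("without <Directory />:", sorted(effective_options(stripped, "/opt/testapp/www")))
```

With the block present, `/opt/testapp/www` ends up with FollowSymLinks only; with it removed, the default set applies and Indexes is back on for everything not covered by a more specific block. For the question of whether a running Apache has picked up an edited httpd.conf, `apachectl configtest` validates the file and a restart is what makes it current; the listing on port 80, though, comes from Tomcat, so this is the wrong layer to keep editing.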
