
Advanced SSL configuration on IBM Http Server – Restrict unused HTTP methods and Verbose HTTP headers

Restricting unused HTTP methods

The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers generally use just two methods to access and interact with web sites: GET for queries that can be safely repeated and POST for operations that may have side effects. This means we need to disable unused HTTP methods; some of them are PUT, DELETE, TRACE, TRACK, COPY, MOVE, LOCK, UNLOCK, PROPFIND, PROPPATCH, SEARCH and MKCOL. Check with the application teams whether they need any of these methods for the application to work before disabling them.

Testing before limiting http methods:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.

Your IBM HTTP Server configuration file [httpd.conf] has two kinds of sections, the main section and the virtual host sections; you need to add the following code in both places. I am explaining this task using the mod_rewrite module, so first make sure that mod_rewrite is enabled, then add the following lines to the main and virtual host sections of your httpd.conf.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)
RewriteRule .* - [F]

Restart the web server after adding the above lines.


Now, when someone tries to use one of these HTTP methods, they will get a Forbidden response, since we specified [F] in the rewrite rule.

Testing after adding the lines and restarting the web server

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:15:44 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, POST
Connection closed by foreign host.

Testing the TRACE method

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: josephamrithraj.mp
testing...    <- press ENTER twice

HTTP/1.1 403 Forbidden
Date: Thu, 14 Sep 2010 00:18:31 GMT
Server: Apache Web Server
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

403 Forbidden

Forbidden

You don't have permission to access / on this server.

Connection closed by foreign host.

Disable verbose HTTP headers:


You might have seen this: when the web server [Apache or IBM HTTP Server] throws an error page, it sometimes shows information related to its version, build, modules etc. This is a security issue, since you are giving away details about your web server. For example, take a look at this:

Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80

This Server header line exposes version and variant information about the Linux operating system and the Apache software used on the machine. That indirectly exposes the possible security holes to attackers, or at least makes it easier for them to identify your system and its available attack points.

To ensure that the Apache HTTP web server does not broadcast this message publicly to the whole world, and to fix the possible security issue, modify the two directives ServerTokens and ServerSignature in the httpd.conf configuration file.

ServerTokens

This directive configures what you return as the Server HTTP response header. The built-in default is 'Full', which sends information about the OS type and compiled-in modules. The recommended value is 'Prod', which sends the least information.

Options: Full | OS | Minor | Minimal | Major | Prod

ServerTokens Prod

This configures Apache to return only Apache as the product in the Server response header on every page request, suppressing OS, major and minor version info.

ServerSignature

This directive lets you add a line containing the server version and virtual host name to server-generated pages. It is recommended to set it to Off. Setting it to EMail additionally includes a mailto: link to the ServerAdmin.

Options: On | Off | EMail

ServerSignature Off

This instructs Apache not to display the trailing footer line under server-generated documents, which shows the server version number, the ServerName of the serving virtual host, the email setting etc.
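As an added check (example code, not part of the original post), the following Python parses raw HTTP responses like the telnet captures above and reports whether the methods the rewrite rule should deny are still advertised in Allow, whether TRACE received the 403 that the [F] flag produces, and whether the Server header still leaks ServerTokens-style version details. The sample responses are constructed here, modelled on the captures and on the Server header example in the post.

```python
import re

# Methods the post's RewriteCond denies (copied from the httpd.conf lines above).
BLOCKED_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "COPY", "MOVE", "LOCK", "UNLOCK",
                   "PROPFIND", "PROPPATCH", "SEARCH", "MKCOL"}

# A version number after a slash, or an OS/vendor in parentheses, means ServerTokens is not Prod.
VERBOSE_SERVER_RE = re.compile(r"/\d|\(")

# Constructed responses, modelled on the telnet captures and the Server header example above.
OPTIONS_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 14 Sep 2010 00:11:57 GMT\r\n"
    "Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4\r\n"
    "Content-Length: 0\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, "
    "MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE\r\n\r\n"
)
OPTIONS_AFTER = (
    "HTTP/1.1 200 OK\r\nDate: Thu, 14 Sep 2010 00:15:44 GMT\r\nServer: Apache\r\n"
    "Content-Length: 0\r\nAllow: GET, POST\r\n\r\n"
)
TRACE_AFTER = (
    "HTTP/1.1 403 Forbidden\r\nDate: Thu, 14 Sep 2010 00:18:31 GMT\r\nServer: Apache\r\n"
    "Content-Length: 320\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<html><body><h1>Forbidden</h1></body></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status code, {lower-cased header name: value})."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    status_line, *header_lines = head.splitlines()
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def unwanted_methods(options_response):
    """Methods advertised in Allow that the post says to disable; an empty list means the rule works."""
    _, headers = parse_response(options_response)
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(advertised & BLOCKED_METHODS)

def trace_is_blocked(trace_response):
    """True when a TRACE request received the 403 that the [F] flag produces."""
    status, _ = parse_response(trace_response)
    return status == 403

def server_header_is_verbose(response):
    """True when the Server header still carries version, OS or module details."""
    _, headers = parse_response(response)
    return bool(VERBOSE_SERVER_RE.search(headers.get("server", "")))
```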


Courtesy:http://josephamrithraj.wordpress.com/2010/09/16/advanced-ssl-configuration-on-ibm-http-server-restrict-unused-http-methods-and-verbose-http-headers/

Advanced SSL configuration on IBM Http Server – Client Authentication and Ciphers

The Advanced SSL Configuration settings are:

Client Authentication
Setting Ciphers
SSL for multiple IP virtual Hosts

Client Authentication:

If you enable client authentication, the server validates clients by checking for a trusted certificate authority, known as a CA root certificate, in the local key database. To enable client authentication, you need to use the SSLClientAuth directive. The options to use with this stanza are:

None – The server requests no client certificate from the client.
Optional – The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
Required – The server requires a valid certificate from all clients and returns a 403 status code if no certificate is present.
Required_reset – The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. Make sure you have GSKit version 7.0.4.19 or later when you choose this option.

For example, if I want all the clients to be authenticated, then I need to add the following stanza:

SSLClientAuth required

Ciphers

This sets the cipher specification to use during secure transactions. The specified cipher specifications are validated against the level of the Global Security Kit (GSK) toolkit that is installed on your system. Invalid cipher specifications cause an error to be written to the error log. If the client issuing the request does not support the ciphers specified, the request fails and the connection to the client closes. IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL). The actual cipher specification used for a particular client connection is selected from those supported by both IBM HTTP Server and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

IBM HTTP Server supports cipher specifications for the following SSL protocols: SSLv3, TLS and SSLv2.

IBM recommends the following setting, keeping in mind both strong security and performance:

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does
## not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2. Excluding it in the presence of
## the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

View the ciphers which the server uses for secure transactions

Set the LogLevel to info in the configuration file. Look in the error log for messages in this format: TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname. The order in which the cipher specifications appear in the error log, from top to bottom, is the order in which they are attempted.

View the ciphers that were used to negotiate a connection

You can use the following LogFormat directive to view and log the SSL cipher negotiated for each connection:

LogFormat "%h %l %u %t \"%r\" %>s %b \"SSL=%{HTTPS}e\" \"%{HTTPS_CIPHER}e\" \"%{HTTPS_KEYSIZE}e\" \"%{HTTPS_SECRETKEYSIZE}e\"" ssl_common

CustomLog logs/ssl_cipher.log ssl_common

This LogFormat will produce output in ssl_cipher.log that looks something like this:

127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"
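As an added example (not from the original post), here is a Python parser for the ssl_common LogFormat above; it counts which cipher each SSL connection negotiated and lists connections whose HTTPS_SECRETKEYSIZE fell below the 128-bit floor that the recommended SSLCipherSpec list sets. The log lines are constructed here, including a plain-HTTP line (SSL=-), an export-cipher line that the recommended configuration would never negotiate, and a malformed line, so that those cases are handled rather than crashing the report.

```python
import re
from collections import Counter

# Regular expression for the ssl_common LogFormat above: one named group per field, same order.
SSL_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"SSL=(?P<ssl>[^"]*)" "(?P<cipher>[^"]*)" "(?P<keysize>[^"]*)" "(?P<secretkeysize>[^"]*)"$'
)

# Constructed sample of ssl_cipher.log, modelled on the line in the post. The export-cipher line,
# the plain-HTTP line (SSL=-) and the malformed last line are there to exercise the edge cases.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Sep/2010:00:02:05 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_WITH_RC4_128_MD5" "128" "128"
10.0.0.7 - - [01/Sep/2010:00:02:09 -0800] "GET /login HTTP/1.1" 200 812 "SSL=ON" "TLS_RSA_WITH_AES_256_CBC_SHA" "256" "256"
10.0.0.9 - - [01/Sep/2010:00:02:11 -0800] "GET / HTTP/1.1" 200 1582 "SSL=ON" "SSL_RSA_EXPORT_WITH_RC4_40_MD5" "128" "40"
10.0.0.7 - - [01/Sep/2010:00:02:15 -0800] "GET /img/logo.png HTTP/1.1" 200 4410 "SSL=ON" "TLS_RSA_WITH_AES_256_CBC_SHA" "256" "256"
10.0.0.3 - - [01/Sep/2010:00:02:20 -0800] "GET /health HTTP/1.0" 200 2 "SSL=-" "-" "-" "-"
this line is deliberately malformed
"""

def parse_ssl_log(text):
    """Return (records, skipped): one dict per well-formed line, plus the number of lines that did not match."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = SSL_LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            skipped += 1
    return records, skipped

def cipher_report(text, min_secret_bits=128):
    """Count negotiated ciphers over SSL connections and flag those whose effective secret key size
    (HTTPS_SECRETKEYSIZE, the number that matters for export ciphers) is below the floor."""
    records, skipped = parse_ssl_log(text)
    # Plain-HTTP requests carry "-" in every SSL field, so they must be excluded before int().
    ssl_records = [r for r in records if r["ssl"] == "ON"]
    counts = Counter(r["cipher"] for r in ssl_records)
    weak = [(r["host"], r["cipher"], int(r["secretkeysize"]))
            for r in ssl_records if int(r["secretkeysize"]) < min_secret_bits]
    return {"ciphers": dict(counts), "weak": weak,
            "plain_http": len(records) - len(ssl_records), "skipped": skipped}
```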

SSL for multiple IP virtual hosts

When you do not define an SSL directive on a virtual host, the server uses the directive's default. You can define different (SSL) options for various virtual hosts. To enable SSL:

1. Specify the SSLEnable directive in the virtual host stanza in the configuration file, to enable SSL for that virtual host.
2. Specify a Keyfile directive and
3. any SSL directives you want enabled for that particular virtual host.
4. Restart the server.

With all the above security options enabled, your virtual host may look like this:

SSLEnable
Keyfile keyfile.kdb
SSLClientAuth required

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers
## These can still be used, but only if the client does not support any of the ciphers listed above.
SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2.
## Excluding it in the presence of the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)
#SSLCipherSpec SSL_RC4_128_WITH_MD5
#SSLCipherSpec SSL_RC4_128_WITH_SHA
#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5


Courtesy:http://josephamrithraj.wordpress.com/2010/09/04/advanced-ssl-configuration-on-ibm-http-server-client-authentication-and-ciphers/

How to find Apache Version in Oracle Application Server

Oracle HTTP Server is developed using the Apache server as its base. So if you have Oracle Application Server installed in your environment and want to know the built-in Apache version, you can use either of the following approaches.

1. Go to $ORACLE_HOME/Apache/Apache/bin and execute ./httpd -v or ./httpd -version.
In most environments you may not be successful with the above command; then you can use the 2nd approach as given below.
2. UNIX:
$ORACLE_BASE/oraInventory/Components/oracle.apache.apache/
or
$ORACLE_HOME/inventory/Components/oracle.apache.apache/

WINDOWS:
INST_LOC\Components\oracle.apache.apache\


INST_LOC is a registry entry, which was used by the installation:
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\inst_loc


Courtesy:http://talkidentity.blogspot.com/2011/01/how-to-find-apache-version-in-oracle.html

Using Apache to simulate an SSL Load balancer

The numbers indicate the TCP port used on the server side. All of the red lines are HTTP. The green line (from OHS to the OAM Server) is the OAM NAP protocol.


SSLProxyEngine on

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

RewriteEngine on
ProxyPreserveHost on

NameVirtualHost *:443

<VirtualHost *:443>
ServerName login.oracledemo.com

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /home/oracle/simpleCA/login.oracledemo.com.crt
SSLCertificateKeyFile /home/oracle/simpleCA/login.oracledemo.com.key

ProxyPass / http://localhost:14100/
ProxyPassReverse / http://localhost:14100/
</VirtualHost>

<VirtualHost *:443>
ServerName idm11g.oracledemo.com

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /home/oracle/simpleCA/idm11g.oracledemo.com.crt
SSLCertificateKeyFile /home/oracle/simpleCA/idm11g.oracledemo.com.key

RequestHeader set IS_SSL ssl

ProxyPass / http://localhost:7777/
ProxyPassReverse / http://localhost:7777/
</VirtualHost>

There are a couple of interesting bits in that configuration...

First is that when you use mod_proxy, Apache will use the host name in the URL specified in ProxyPass when it talks to the back end server. In this case that means the OHS server would see a request with a Host header that said "localhost:7777", which can confuse the application and isn't at all what a conventional load balancer would do. Adding "ProxyPreserveHost on" to the configuration makes mod_proxy use the same name when it talks to the backend server (again OHS in my case) as the browser sent in the original request.


Courtesy:http://fusionsecurity.blogspot.com/2011/04/using-apache-to-simulate-ssl-load.html

Mod_auth_kerb Apache

Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges and does not require users to enter their passwords in the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the negotiateauth extension).


The module supports both kerberos4 and kerberos5 protocols for password verification. The Negotiate mechanism can be only used with Kerberos v5. The module supports both 1.x and 2.x versions of Apache.




Configuration

This page describes configuration of module version 5.0. A configuration guide for the older module 4.x can be found here.

Before you start configuring the module, make sure your Kerberos environment is properly configured (i.e. KDC, /etc/krb5.conf, etc.). The easiest way to check is to use the kinit command from the apache machine to get a ticket for some known principal (preferably the one that will be used to test the module).

Now you have to create a service key for the module, which is needed to perform client authentication. Verification of the Kerberos password has two steps. In the first, the KDC is contacted using the password to try to obtain a ticket for the client. After this ticket is successfully acquired, the module must also verify that the KDC hasn't been deliberately faked and that the ticket just received can be trusted. If this check were not done, any attacker capable of spoofing the KDC could impersonate any principal registered with the KDC. To perform this check the apache module must verify that the KDC knows its service key, which apache shares with the KDC. This service key must be created while configuring the module. The service key is also needed when the Negotiate method is used; in that case the module acts as a standard Kerberos service (similarly to e.g. kerberized ssh or ftp servers). The default name of the service key is HTTP/@REALM; another name for the first instance can be set using the KrbServiceName option. The key must be stored in a keytab on a local disk; the Krb5Keytab and Krb4Srvtab options are used to specify the filename of the keytab. This file should be readable only by the apache process and contain only the key used for www authentication.

In order to get the module loaded on start of apache, add the following line to your httpd.conf:

LoadModule auth_kerb_module libexec/mod_auth_kerb.so


Summary of Supported Directives

AuthType type

For Kerberos authentication to work, AuthType must be set to Kerberos.

For reasons of backwards compatibility the values KerberosV4 and KerberosV5 are also supported. Their use is not recommended though; for finer control use the following three options.

KrbMethodNegotiate on | off
(set to on by default)

Enables or disables the use of the Negotiate method. You need special support on the browser side for this mechanism.

KrbMethodK5Passwd on | off
(set to on by default)

Enables or disables the use of password-based authentication for Kerberos v5.

KrbMethodK4Passwd on | off
(set to on by default)

Enables or disables the use of password-based authentication for Kerberos v4.

KrbAuthoritative on | off
(set to on by default)

If set to off, this directive allows authentication control to be passed on to other modules. Use only if you really know what you are doing.

KrbAuthRealms realm1 [realm2 ... realmN]

This option takes one or more arguments (separated by spaces), specifying the Kerberos realm(s) to be used for authentication. This defaults to the default realm taken from the local Kerberos configuration.

KrbVerifyKDC on | off
(set to on by default)

This option can be used to disable the verification of tickets against the local keytab, the check that prevents KDC spoofing attacks. It should be turned off only for testing purposes. You have been warned.

KrbServiceName service
(set to HTTP by default)

Specifies the service name that will be used by Apache for authentication. The corresponding key of this name must be stored in the keytab.

Krb4Srvtab /path/to/srvtab

This option takes one argument, specifying the path to the Kerberos V4 srvtab. It will simply use the "default srvtab" from Kerberos V4's configuration if this option is not specified. The srvtab must be readable for the apache process, and should be different from srvtabs containing keys for other services.



Courtesy:http://modauthkerb.sourceforge.net/configure.html

Configuring Apache with Open SSL

Downloading Resources
1- Download Apache Server with SSL support from the following location:
http://mirror.cloudera.com/apache//httpd/binaries/win32/httpd-2.2.17-win32-x86-openssl-0.9.8o.msi
2- Download OpenSSL from the following location:
http://www.thompsonbd.com/files/apache/Openssl-0.9.7e-Win32.zip
Installing Apache
Install Apache Server with the default settings and make sure no other application is running on ports 80 and 443.

Installing OpenSSL
Unzip the file Openssl-0.9.7e-Win32.zip, copy the extracted folder to drive C and rename it to Openssl.
Certificate Generation
1- Navigate to Openssl folder using command line.
2- Execute the following:
  • openssl req -config openssl.cnf -new -out mycert.csr -keyout mycert.pem
  • openssl rsa -in mycert.pem -out mycert.key
  • openssl x509 -in mycert.csr -out mycert.cert -req -signkey mycert.key -days 365
Copy the .cert and .key files to C:\Program Files\Apache Software Foundation\Apache2.2\conf
Enable SSL on Apache
1- Open httpd.conf file available at C:\Program Files\Apache Software Foundation\Apache2.2\conf and uncomment the following lines by removing #:
  • #LoadModule ssl_module modules/mod_ssl.so
  • #Include conf/extra/httpd-ssl.conf
2- Open httpd-ssl.conf file available at  and enter certificate and key values as given below:
#   Server Certificate:
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/mycert.cert"
#   Server Private Key:



Courtesy:http://abrarhashmi.wordpress.com/2011/01/09/configuring-apache-with-open-ssl/

Hide your Apache Version Number

Folks, do you know that showing the version number of software installed on your machine can attract more hacker attacks?
Hiding the original version, so the banner shows Apache instead of Apache 2.3.2, can reduce this attack surface.
You can hide the version number by changing the Apache httpd.conf configuration file.
Apache Banner
Steps:
1. Go to the Apache conf directory.
Example: /usr/local/apache/conf
2. Open the file httpd.conf
3. Edit the ServerTokens line to ServerTokens ProductOnly (or Prod)
4. Restart the Apache server.



Courtesy:http://kishur.wordpress.com

LDAP Authentication with Apache2 & .htaccess Files

Protecting web accessible directories with .htaccess and htpasswd files is a relatively simple process; it works great, but when you're maintaining 300 different htpasswd files all over the place it can become a slight ballache. If you have an LDAP server configured and in place, a nice alternative is to point all your .htaccess files to your LDAP server to handle the authentication.

Before you continue reading, this article assumes you already have the following in place:

* Apache2 server installed and configured
* OpenLDAP server installed and configured

First we need LDAP support for Apache2, so enable it & restart apache:

beer:~# a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
Run '/etc/init.d/apache2 restart' to activate new configuration!
beer:~# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
beer:~#

Next configure your Apache2 virtual host file with the following:

<VirtualHost *:80>
ServerAdmin bartender@example.com
ServerName beer.example.com
DocumentRoot /var/www/

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Deny from all
Allow from 10.100.0.1
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Your vhost configuration does not have to look exactly like the above, but just make sure that you have the AllowOverride All option set as this tells Apache to enable .htaccess files. I’ve also restricted access to 10.100.0.1 and disabled index listings, call me paranoid but I see nothing wrong with adding as many security layers as possible.

Next, assuming you are trying to protect the /var/www directory, dump a .htaccess file into that directory with the following contents:

Order deny,allow
Deny from All
AuthName "Restricted - Barmen Only"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-user dave
Satisfy any

The above config allows the user dave to authenticate; all other users are denied access. You can append additional user names to the Require ldap-user line, or you could just allow all users in a specific LDAP group like so:

Order deny,allow
Deny from All
AuthName "Restricted - Barmen Only"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=barmen,ou=group,dc=example,dc=com
Require ldap-attribute gidNumber=1234
Satisfy any

Now all users in the barmen LDAP group will be able to authenticate and access this web directory. Remember to update the GID above with the GID of the barmen group.

You can also combine these 2 methods, for example to allow all users in the barmen group and also user fred (who is not in the barmen group) just use the following:

Require ldap-group cn=barmen,ou=group,dc=example,dc=com
Require ldap-attribute gidNumber=1234
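To make the Require semantics concrete, here is an added Python model (not part of the original article, and it performs no real LDAP queries or password checks) of how the .htaccess variants above authorize a user: look the user up under the base DN and attribute from AuthLDAPUrl, then grant access if any Require line matches, which is how multiple Require lines combine in Apache 2.2. The directory entries for dave, fred and the barmen group are constructed here, and AuthLDAPGroupAttributeIsDN off is modelled by comparing bare usernames against memberUid.

```python
import re

# Constructed stand-in for the OpenLDAP directory the article assumes (no real LDAP involved).
DIRECTORY = {
    "uid=dave,ou=people,dc=example,dc=com": {"uid": ["dave"], "gidNumber": ["1234"]},
    "uid=fred,ou=people,dc=example,dc=com": {"uid": ["fred"], "gidNumber": ["5678"]},
    "cn=barmen,ou=group,dc=example,dc=com": {"cn": ["barmen"], "memberUid": ["dave"]},
}

# The group-based .htaccess from the article, verbatim.
HTACCESS_GROUP = """\
Order deny,allow
Deny from All
AuthName "Restricted - Barmen Only"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=example,dc=com?uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=barmen,ou=group,dc=example,dc=com
Require ldap-attribute gidNumber=1234
Satisfy any
"""

def parse_auth_ldap_url(url):
    """Split ldap://host/basedn?attribute into (host, base DN, login attribute); attribute defaults to uid."""
    m = re.fullmatch(r"ldap://([^/]+)/([^?]+)(?:\?([^?]*))?.*", url)
    if not m:
        raise ValueError("unsupported AuthLDAPUrl: " + url)
    host, base_dn, attr = m.groups()
    return host, base_dn, attr or "uid"

def directives(htaccess):
    """Yield (name, argument) for every non-empty line of the .htaccess text."""
    for line in htaccess.splitlines():
        if line.strip():
            name, _, arg = line.strip().partition(" ")
            yield name, arg

def find_user(base_dn, attr, username):
    """Emulate the search Apache performs below the base DN for attr=username."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith("," + base_dn) and username in entry.get(attr, []):
            return entry
    return None

def require_matches(arg, username, entry, group_attr):
    """Evaluate one Require line of the ldap-user / ldap-group / ldap-attribute form."""
    kind, _, value = arg.partition(" ")
    if kind == "ldap-user":
        return username in value.split()
    if kind == "ldap-group":
        # AuthLDAPGroupAttributeIsDN off: the group lists bare usernames in memberUid.
        return username in DIRECTORY.get(value, {}).get(group_attr, [])
    if kind == "ldap-attribute":
        name, _, wanted = value.partition("=")
        return wanted in entry.get(name, [])
    raise ValueError("unsupported Require: " + arg)

def authorize(htaccess, username):
    """True when the user exists under AuthLDAPUrl and any Require line grants access."""
    conf = dict(directives(htaccess))  # only the single-valued directives are read from this
    _, base_dn, attr = parse_auth_ldap_url(conf["AuthLDAPUrl"])
    entry = find_user(base_dn, attr, username)
    if entry is None:
        return False
    group_attr = conf.get("AuthLDAPGroupAttribute", "member")
    requires = [arg for name, arg in directives(htaccess) if name == "Require"]
    return any(require_matches(arg, username, entry, group_attr) for arg in requires)
```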



Courtesy:http://writequit.co.za/2011/01/05/ldap-apache-htaccess/