Security - Recommended update to httpd.conf files via custombuild

Thank you for the information, John. I am in the middle of migrating a DNS server to a new server, so I am not able to do any testing today. But I will try to find a solution based on your information.

What happens is that if you look at the error messages provided in the above post, this line:

Starting httpd: Syntax error on line 26 of
/usr/local/directadmin/data/users/adv

adv is the first three letters of the alphabetically first user name in /users/; it is not the complete user name, and I do not know why it only lists the first three letters in the error message. Then none of the users' httpd.conf files get changed; I think it is because ./build rewrite_confs is stopping at the first user with this error and can't complete rewrite_confs.

The thing that changes is my httpd.conf file, and httpd is down. To fix it I must add back all the missing lines that were overwritten in the httpd.conf file, then I can start httpd again. In the httpd.conf file I have lines like these that are removed, and I must add them back:

LoadModule evasive20_module /usr/lib/apache/mod_evasive20.so
LoadModule dav_svn_module /usr/lib/apache/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache/mod_authz_svn.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf

and further down in the httpd.conf file:

Include /etc/httpd/conf/extra/httpd-h264.conf

It is not easy, as I am not so skilled at this, and the server admins that I pay to assist me do not have such good knowledge of DirectAdmin, so I have to figure it out myself.
 
I do not see any errors in the Apache error log or the DirectAdmin error log. I also did not rewrite my config; how can I check if harden-symlinks-patch is working? Is rewriting configs needed? What 'code' needs to be added to the httpd config files? Or is it something lower, because you guys said it was a source code edit.
 
Login as root via SSH and create a symlink in public_html of any regular user, so symlink should be owned by root, and try to access it via HTTP.
 

Thanks, symlink-harden-patch works for me (without rewriting configs).
 
Since my last post, I haven't seen any segmentation faults with 5.2.17 running with CGI and suPHP. I recompiled PHP, Apache and the configuration files while migrating, so most likely the issue has been resolved due to the latter actions. I didn't recompile PHP, the modules or rewrite the configurations the first time around I applied the patch.
 
I think it's better to close this topic. It was started in 2003 :)
Anyway, is there any solution to disable the server signature on Apache?
 
If the thread is closed how will you get the reply to your question? It appears to me that this thread was started last month.

Anyway, here's how to do it under both apache 1 and under apache 2, copied from one of my checklists:
<httpd 1.x>
* Edit /etc/httpd/conf/httpd.conf
* Find:
ServerSignature On
* Change to:
ServerSignature Off
* Immediately under this line add line:
ServerTokens ProductOnly
</httpd 1.x>

<httpd 2.x>
* Edit /etc/httpd/conf/extra/httpd-default.conf
* Find:
ServerSignature On
* Change to:
ServerSignature Off
* Find:
ServerTokens Full
* Change to:
ServerTokens Prod
</httpd 2.x>

* Save changes

* Restart Apache
Jeff
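A small audit script for the two directives in Jeff's checklist, added here as an example; it is not part of his checklist or of DirectAdmin. It reads an Apache config file, strips comments, takes the last occurrence of each directive (as Apache does) and reports whether ServerSignature and ServerTokens are at the hardened values. When a directive is absent it assumes Apache's built-in defaults (ServerSignature Off, ServerTokens Full). The sample config files are constructed; per-VirtualHost overrides of ServerSignature are not distinguished from the global value.

```shell
#!/bin/sh
# Added example (not Jeff's checklist or DirectAdmin code): audit an Apache
# config file for ServerSignature / ServerTokens and report whether they are
# hardened. Comments are stripped and the last occurrence of a directive wins.

# Print the effective value of directive $2 in file $1, falling back to
# Apache's built-in default $3 when the directive is never set.
effective_directive() {
  sed 's/#.*//' "$1" | awk -v want="$2" -v def="$3" '
    tolower($1) == tolower(want) { v = $2 }
    END { print (v == "" ? def : v) }'
}

# Report both settings for one config file. Returns 0 only if ServerSignature
# is Off and ServerTokens is Prod (or ProductOnly, the 1.x spelling).
audit_server_tokens() {
  sig=$(effective_directive "$1" ServerSignature Off)   # Apache default: Off
  tok=$(effective_directive "$1" ServerTokens Full)     # Apache default: Full
  echo "$1: ServerSignature=$sig ServerTokens=$tok"
  rc=0
  case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
    off) ;;
    *) echo "  weak: set ServerSignature Off"; rc=1 ;;
  esac
  case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
    prod|productonly) ;;
    *) echo "  weak: set ServerTokens Prod"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample files standing in for httpd-default.conf before and
# after the edit described in the checklist.
demo_dir=$(mktemp -d)
printf 'ServerSignature On\nServerTokens Full\n' > "$demo_dir/before.conf"
printf '# ServerSignature On\nServerSignature Off\nServerTokens Prod\n' > "$demo_dir/after.conf"
audit_server_tokens "$demo_dir/before.conf" || true   # exit 1: both directives weak
audit_server_tokens "$demo_dir/after.conf"            # exit 0: hardened
rm -rf "$demo_dir"
```

Point it at the real file (/etc/httpd/conf/extra/httpd-default.conf on a DirectAdmin box, httpd.conf on Apache 1.x) after editing and before restarting, so the restart only happens once the values are right.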
 
Thanks, it works.

Hello,

Done.

If you wish to use the StevenC/Rack911 patch, it's now in custombuild. It's off by default.
Right now, it's just in files1, so please allow 24 hours if you're using a files mirror for rsync propagation.

To use it:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set harden-symlinks-patch yes
./build set secure_htaccess no
./build apache
./build rewrite_confs
In some cases, ./build apache will delete modules from /usr/lib/apache, so if that happens you'll also need to do
Code:
./build php n
and for any other missing modules.

What this patch does is allow Users to use everything as it was before, including the FollowSymLinks option.
However, the functionality of FollowSymLinks is no longer the insecure type as it was before.
The new functionality of FollowSymLinks with this patch will simply duplicate the functionality of the more secure SymLinksIfOwnerMatch.
This will allow the secure_htaccess option to be set to "no" (old httpd config setup), but still solve the linking issue with regards to security.

Once testing is under the belt for this patch, we'll set secure_htaccess=no as the default, and harden-symlinks-patch=yes as the default.

John
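The ownership rule John describes (the patched FollowSymLinks behaving like SymLinksIfOwnerMatch) and the root-owned-symlink test suggested earlier in the thread can both be checked from the shell. The script below is an added example, not DirectAdmin's patch or anything from John's post: it reproduces the owner comparison Apache makes (the symlink's owner must equal its target's owner) and walks a directory for links that the hardened server would now refuse to follow. It assumes a stat(1) that understands the GNU "-c" format and falls back to the BSD "-f" spelling; the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not part of DirectAdmin's patch: reproduce the test that
# SymLinksIfOwnerMatch applies and audit a tree for links it would refuse.
# Assumes GNU stat "-c" (falls back to BSD "-f").

# Numeric owner of $1. With "L" as $2 the link is followed (target's owner);
# otherwise the link itself is examined.
owner_uid() {
  if [ "$2" = "L" ]; then
    stat -L -c %u "$1" 2>/dev/null || stat -L -f %u "$1"
  else
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
  fi
}

# 0 if $1 is a symlink whose owner matches its target's owner, 1 otherwise
# (different owners, dangling link, or not a symlink at all).
symlink_owner_matches() {
  [ -L "$1" ] || return 1
  link_uid=$(owner_uid "$1") || return 1
  target_uid=$(owner_uid "$1" L 2>/dev/null) || return 1
  [ "$link_uid" = "$target_uid" ]
}

# Walk $1 (e.g. a user's public_html) and print one MISMATCH line per symlink
# that fails the test. Apache applies the rule to every path component; this
# checks the link itself, which is what the root-owned-symlink test exercises.
audit_symlinks() {
  find "$1" -type l -print | while IFS= read -r link; do
    if ! symlink_owner_matches "$link"; then
      target_uid=$(owner_uid "$link" L 2>/dev/null) || target_uid=missing
      printf 'MISMATCH %s -> %s (link uid %s, target uid %s)\n' \
        "$link" "$(readlink "$link")" "$(owner_uid "$link")" "$target_uid"
    fi
  done
}

# Constructed demo tree: one link to the caller's own file (would be followed)
# and one dangling link (refused).
demo=$(mktemp -d)
printf 'index\n' > "$demo/index.html"
ln -s "$demo/index.html" "$demo/own-link"
ln -s "$demo/no-such-file" "$demo/dangling"
audit_symlinks "$demo"
rm -rf "$demo"
```

Run as root with a real path such as /home/username/public_html to see which existing links would stop working once harden-symlinks-patch=yes is in effect; a symlink created by root inside a user's public_html shows up as a MISMATCH, which is exactly what the patch is meant to block.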

Thanks John
 
Hello,

For symlink-harden-patch, we have one concern:
As the current patch is for Apache 2.2.21 (version-specific),
although the patch content is relatively not difficult,
can we keep using it for future versions, e.g. Apache 2.2.22+ (or even Apache 2.4 in future)?

Thank you very much for your kind attention.
 
If/when that happens, we'll simply update the patch file to show the new version.
It amounts to editing the version in the file (assuming nothing code-related was changed between those apache versions)

John
 
Today Apache 2.2.22 was released; it has several security fixes: http://www.apache.org/dist/httpd/Announcement2.2.html

I was trying to see if any of the fixes from the announcement would fix the issue with FollowSymLinks, but it does not look like they fix it? I could be wrong. I wish the Apache project themselves would make a fix for FollowSymLinks, so that DirectAdmin did not need to apply a custom patch.
 
I want to replace all Options +FollowSymLinks code with Options SymLinksIfOwnerMatch in the .htaccess files of all users.
How do I do it?
 
Find the files, and then do a oneline edit. Something like this:
Code:
# find /home -type f -name .htaccess -print0 | xargs -0 perl -i.bak -p -e 's/\+FollowSymLinks/+SymLinksIfOwnerMatch/ig'
NOTE: This code is NOT TESTED and it may break every site on your server. It should create a .bak copy of all the files that match the name .htaccess, but it will do that even if it doesn't make any changes.

If you want and don't feel comfortable doing it yourself, you can hire me or one of the other contract administrators who advertise on these forums to do it for you. I, and others, can create a tested working solution, and implement it on your server(s) for you and guarantee our work. Note the best way to reach me is by email, not by private message.

Jeff
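The one-liner above backs up every .htaccess whether or not it changes, and dropping the "+" would break any Options line that mixes "+"/"-" prefixed options (Apache rejects a line where only some options carry a prefix). The script below is an added example, not Jeff's code and not anything from DirectAdmin: it does the same rewrite with a dry-run mode, keeps the "+" or "-" prefix intact, and only creates a .bak for files that actually contain the option. It uses only POSIX find and sed; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not Jeff's one-liner, not DirectAdmin code): rewrite
# FollowSymLinks to SymLinksIfOwnerMatch in every .htaccess below a root,
# keeping the "+"/"-" prefix, with a dry run and backups only for changed files.

# Portable case-insensitive spelling of the option (Apache ignores case).
FOLLOW_RE='[Ff][Oo][Ll][Ll][Oo][Ww][Ss][Yy][Mm][Ll][Ii][Nn][Kk][Ss]'

# Usage: convert_htaccess <root> [apply]
# Dry run by default: prints "would change <file>" per affected file. With
# "apply" it backs up and rewrites each such file, printing "changed <file>".
convert_htaccess() {
  root=$1
  mode=${2:-dry-run}
  find "$root" -type f -name .htaccess -print | while IFS= read -r f; do
    grep -q "$FOLLOW_RE" "$f" || continue      # untouched files get no .bak
    if [ "$mode" = apply ]; then
      cp -p "$f" "$f.bak" || continue          # -p keeps mode/owner (as root)
      # Redirecting into the existing file keeps its inode, mode and owner,
      # which suPHP's ownership checks depend on.
      sed "s/$FOLLOW_RE/SymLinksIfOwnerMatch/g" "$f.bak" > "$f"
      echo "changed $f"
    else
      echo "would change $f"
    fi
  done
}

# Constructed demo tree imitating /home/<user>/public_html/.htaccess files.
demo=$(mktemp -d)
mkdir -p "$demo/alice/public_html" "$demo/bob/public_html"
printf 'Options +FollowSymLinks +ExecCGI\n' > "$demo/alice/public_html/.htaccess"
printf 'Options -Indexes\n' > "$demo/bob/public_html/.htaccess"
convert_htaccess "$demo"            # dry run: lists only alice's file
convert_htaccess "$demo" apply      # rewrites it and leaves bob's alone
cat "$demo/alice/public_html/.htaccess"   # Options +SymLinksIfOwnerMatch +ExecCGI
rm -rf "$demo"
```

Run the dry run against /home first and review the list; only then run it with "apply", and follow with an Apache config test before a restart, since a .htaccess edit only takes effect (or fails) on the next request to that directory.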
 
Hello,

FYI, I've converted the harden-symlinks.patch.2.2.22 patch and created the harden-symlinks-2.4.patch for apache 2.4, so apache 2.4 can also make use of it.
The 2.4 version is minor version independent, so it simply applies from within that apache version's directory, instead of above it.
Custombuild has been updated, and the options.conf value: harden-symlinks-patch=yes option still applies.

John
 
Thanks for update, John.

Is it still needed to run ./build rewrite_confs after applying the patch? I am not able to do ./build rewrite_confs without getting much trouble and downtime, therefore I have not yet applied the patch to my production server.
 
The patch is for apache, not its configs. If you're already running 2.4, you don't need to run ./build rewrite_confs.
As usual, if you recompile apache, since /usr/lib/apache is emptied with apache compiles, you'll likely need to follow up with a ./build php n, and if you're running suphp: ./build suphp

John
 
Hi John. I am running Apache 2.2.22, not 2.4. Do I still not need to run ./build rewrite_confs? Like described here:
http://www.directadmin.com/forum/showthread.php?t=42332&p=214681#post214681

Can I instead only do all the other steps without running ./build rewrite_confs ? Just like this:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build set harden-symlinks-patch yes
./build set secure_htaccess no
./build apache
./build php n
./build suphp

If I don't have to run ./build rewrite_confs after applying the patch, that would be good news for me and it would be much, much less complicated. Please confirm. Thanks!
 
If you've changed the secure_htaccess=yes|no setting, then you would need to run the ./build rewrite_confs.
So if secure_htaccess=yes was set, and you've just set it to "no", then you would need to issue the ./build rewrite_confs.

However, the change I've just added doesn't touch secure_htaccess. It only affects harden-symlinks-patch, and only applies if you're running apache 2.4.
Apache 2.2 already had the harden-symlinks-patch option in place.

John
 
Now I am confused. I have not added the harden-symlinks-patch yet, and I have not added secure_htaccess. I am running Apache 2.2.22 and have this in options.conf:

Code:
secure_htaccess=no
harden-symlinks-patch=no

Can I apply harden-symlinks-patch without running ./build rewrite_confs and only do this?:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build set harden-symlinks-patch yes
./build set secure_htaccess no
./build apache
./build php n
./build suphp
 