Posts Tagged ‘webserver’

Allow Directory Listing in Apache Webserver / Get around Directory index forbidden by Options directive

Thursday, October 4th, 2012

I have configured an Apache VirtualHost. Inside the domain hosted by this VirtualHost there is supposed to be a directory where directory listing has to be allowed. My VirtualHost configuration looks like this:


NameVirtualHost *

ServerAdmin my-email@domain-name.com
ServerName www.pc-freak.net
ServerAlias www.domain-name.com domain-name.com
DocumentRoot /var/www
DirectoryIndex index.html index.htm index.php index.html.var

Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all


Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all


Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined

I have a directory (/var/www/directory) where I store various files, and I want this directory to support directory listing. I have the whole setup on Debian Linux. By default, Apache on Debian is configured to disable directory listing for subdirectories, for both the default host and VirtualHosts.

In order to enable directory listing for /var/www/directory, accessed in a browser via the web address http://www.domain-name.com/directory/, I had to add the following Apache directives inside my VirtualHost file /etc/apache2/sites-available/domain-name.com:

<Directory /var/www/directory>
AddDefaultCharset UTF-8
Options FollowSymLinks Indexes
AllowOverride All
</Directory>

As you can see, I also included AddDefaultCharset UTF-8, because inside /directory I have files in Cyrillic and, if I don’t explicitly set the encoding to UTF-8, the HTML pages are displayed improperly in browsers.

The exact directive that enables directory listing in Apache is:


Options Indexes

Changing Indexes to -Indexes disables directory listing, e.g.:



Options -Indexes

BTW, if you need to make a certain directory accessible by default, the Apache Options (permissions) should be set in /etc/apache2/apache2.conf:



Options Indexes
...

This will set the Apache directory permissions for all VirtualHosts, which is useful if all VirtualHosts share a common ServerRoot and the directory has to be accessible via all vhosts.
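
Because Indexes exposes the file names of any directory that lacks an index file, it is worth checking where it is actually switched on. The following is an added example, not part of the original post: a small audit helper that lists the Directory containers enabling listing. The function names and the /var/www/private path are assumptions made for illustration.

```sh
# Added example: print each <Directory> container whose own Options line
# turns directory listing on. Inherited Options and .htaccess overrides
# (AllowOverride) are not resolved here.
# list_indexes_dirs [FILE...] -> one directory path per line (stdin if no FILE)
list_indexes_dirs() {
    awk '
        { sub(/^[ \t]+/, "") }                    # drop indentation
        /^#/ { next }                             # skip comments
        tolower($1) == "<directory" {             # container opens
            dir = $2
            sub(/>$/, "", dir)
            gsub(/"/, "", dir)
            next
        }
        tolower($1) == "</directory>" { dir = ""; next }
        dir != "" && tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all") on = 1
                if (opt == "-indexes") on = 0
            }
            if (on) print dir
        }
    ' "$@"
}

# Constructed sample; /var/www/private is a hypothetical path.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *>
<Directory /var/www/directory>
  AddDefaultCharset UTF-8
  Options FollowSymLinks Indexes
  AllowOverride All
</Directory>
<Directory /var/www/private>
  Options -Indexes
</Directory>
<Directory "/usr/lib/cgi-bin">
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
</Directory>
</VirtualHost>
EOF
}

sample_vhost | list_indexes_dirs
```

On a live system the same function can be pointed at the files under /etc/apache2/sites-available/.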
Well that’s all Cheers 😉

How to block IP address with pf on FreeBSD, NetBSD and OpenBSD

Wednesday, July 27th, 2011


I’ve noticed some IPs which had a kind of too aggressive behaviour towards my Apache webserver and thus decided to filter them out with the firewall.
As the server is running FreeBSD and my firewall choice is BSD’s pf, I added the following lines to my /etc/pf.conf to filter out the abuser IP:

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
EXT_NIC="ml0" # interface connected to internet
block drop in log (all) quick on $EXT_NIC from <blockedips> to any

freebsd# echo '123.123.123.123' >> /etc/pf.blocked.ip.conf

As you see, I’m adding the malicious IP to /etc/pf.blocked.ip.conf; if I later decide to filter some other IPs, I can add them there and they will be loaded and filtered by pf on the next pf restart.

Next I restarted pf to make the newly added rules in pf.conf load.

freebsd# pfctl -d
freebsd# pfctl -e -f /etc/pf.conf

To show all IPs which are inside the blockedips filtering table, later on I used:

freebsd# pfctl -t blockedips -T show

I can also later use pf to add new IPs to be blocked, without bothering to restart the firewall, with the command:

freebsd# pfctl -t blockedips -T add 111.222.333.444

Deleting an IP is analogous and can be achieved with:

freebsd# pfctl -t blockedips -T delete 111.222.333.444

There are also logs stored about pf IP blocking, as well as the other configured firewall rules, in the /var/log/pflog file.
Hope this is helpful to somebody.
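
A single malformed line in the table file is enough to make the next ruleset load fail, so it helps to validate an address before appending it. The following is an added example, not part of the original post: it rejects out-of-range octets (such as the 111.222.333.444 placeholder) and skips duplicates. The function names and the BLOCKFILE variable are assumptions, and the table name blockedips is taken from the commands above.

```sh
# Added example: validate an address before it goes into the file that backs
# the pf table, and skip duplicates. BLOCKFILE defaults to the path used above.
BLOCKFILE="${BLOCKFILE:-/etc/pf.blocked.ip.conf}"

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with every octet 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# block_ip ADDR -> append ADDR to $BLOCKFILE once; returns 2 on invalid input
block_ip() {
    valid_ipv4 "$1" || { echo "rejected: $1" >&2; return 2; }
    touch "$BLOCKFILE"
    grep -qxF "$1" "$BLOCKFILE" && return 0    # already listed
    printf '%s\n' "$1" >> "$BLOCKFILE"
}

# After editing the file, parse-check the ruleset and reload only the table
# (run as root on the firewall host):
#   pfctl -nf /etc/pf.conf && pfctl -t blockedips -T replace -f "$BLOCKFILE"
```

Reloading only the table this way keeps the firewall enabled while the list changes.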

How to defend against slowloris Webserver Denial of Service Attack

Tuesday, February 2nd, 2010

As you can read in my previous post, there is a terrible DoS attack dating back to the previous year. It’s a real shit and it was really annoying for me to figure out that my Apache running on top of FreeBSD is vulnerable as well.
Therefore I desperately needed a fix. I was not really keen on the idea of installing mod_qos, because I really hate third party software messing up my Apache official module list.
Therefore I needed another approach; after some walk through Google I found the following: How to best defend against a “slowloris” attack against Apache web server. There are a couple of pathways to follow, as you can read in the post above. However, the one that fit me best was through Varnish, a state-of-the-art high-performance HTTP accelerator (proxy); it’s truly a wonderful piece of soft.
Installing it on FreeBSD was a piece of cake.
All I had to do was:

# cd /usr/ports/www/varnish
# make install clean
# echo 'varnishd_enable="YES"' >> /etc/rc.conf

And last but not least, I had to alter my /usr/local/etc/apache2/httpd.conf and change the Listen port everywhere to 8080 instead of the default 80; the same procedure goes for the VirtualHosts ports as well.

Last thing to do was:

Restart Apache
# /usr/local/etc/rc.d/apache2 restart
Start varnishd
# /usr/local/etc/rc.d/varnishd start

That’s it, now varnishd handles the incoming connections to my port 80 and passes whatever it thinks appropriate to the Apache server. Hip, Hip Hooray, no more slowloris worries!

Another possible approach to Apache Denial of Service issues is to limit the maximum allowed connections per host to be no more than 20.

On GNU/Linux this could be done with the following iptables rule:
# iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
On FreeBSD or OpenBSD with packet filter, you might want to take a look at the following:
Howto: Basic Denial of Service Protection Using PF
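
Before enforcing a per-host limit it is useful to see which sources currently exceed it, since proxies and NAT gateways can legitimately hold many connections. The following is an added example, not part of the original post: it counts established connections to local port 80 per remote address in `netstat -tn`-style output. The function names and the sample addresses are constructed for illustration.

```sh
# Added example: count established connections to local port 80 per remote
# address and print the sources above a limit. This approximates what the
# connlimit rule above would match; it does not read the conntrack table.

# over_limit LIMIT -> reads netstat lines on stdin, prints "COUNT ADDRESS"
over_limit() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ /[:.]80$/ {
            src = $5
            sub(/[:.][0-9]+$/, "", src)     # strip the remote port
            n[src]++
        }
        END { for (s in n) if (n[s] > limit) print n[s], s }
    ' | sort -rn
}

# Constructed sample: 25 connections from 198.51.100.7, 3 from 203.0.113.9,
# plus one SSH session that must not be counted.
sample_netstat() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    for p in 50001 50002 50003; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.9:$p ESTABLISHED"
    done
    echo "tcp 0 0 192.0.2.10:22 198.51.100.7:41000 ESTABLISHED"
}

sample_netstat | over_limit 20    # 20 is the limit used in the rule above
```

On a live host, pipe the output of `netstat -tn` (Linux) or `netstat -an -p tcp` (FreeBSD) into over_limit instead of the sample.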

But wait, there are even more options to handle the slowloris DoS attack. It looks like some enthusiast has even created an Apache module that handles the loris attack; sources of the non-official mod_antiloris module release as well as precompiled binaries in rpm can be obtained here.