Il web server a cui si appoggia SugarCrm \u00e8 Apache2,\u00a0 di seguito le note di configurazione e hardening.
\napt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 libapache2-mod-php5 php5-common php5-gd php5-idn php-pear php5-imap php5-mcrypt php5-mhash php5-mysql php5-sqlite php5-xmlrpc php5-xsl php5-curl libapache-mod-security,
\nche si tirano dietro tutte le necessarie dipendenze,\u00a0 poich\u00e9 questo sito lavorer\u00e0 solo in https genero le chiavi necessarie come spiegato qui.
\nabilito il modulo ssl con a2enmod ssl.
\nRiprendo dopo qualche giorno questa configurazione per renderla un pochino piu’ flessibile visto che mi son trovato davvero male a fare degli aggiornamenti.<\/p>\n
Sotto \/etc\/apache2 creo la directory myconf e li sotto metteo tutte le personalizzazioni possibili, in modo che siano facilmente escludibili aggiungendo al file apache2.con la direttiva\u00a0 “Include” myconf\/ che all’occorenza pu\u00f2 essere commentata.<\/p>\n
In \/etc\/apache2\/myconf creo il file mod_security che contiene:
\n<IfModule mod_security.c>
\n# mod_security configuration directives
\n# …
\n# Turn the filtering engine On or Off
\nSecFilterEngine On
\n# The audit engine works independently and
\n# can be turned On of Off on the per-server or
\n# on the per-directory basis
\nSecAuditEngine RelevantOnly
\n# Some sane defaults
\n#Check if URL characters where encoded
\nSecFilterCheckURLEncoding On
\n#Check UTF-8 encoding
\nSecFilterCheckUnicodeEncoding Off
\n#Allow 1 byte characters
\n# Accept almost all byte values
\nSecFilterForceByteRange 0 255
\n# Should mod_security inspect POST payloads
\nSecFilterScanPOST On
\n# Server masking is optional
\n# SecServerSignature “Microsoft-IIS\/0.0”
\nSecAuditEngine RelevantOnly
\n# The name of the audit log file
\nSecAuditLog \/var\/log\/apache2\/audit_log
\n# Require HTTP_USER_AGENT and HTTP_HOST headers
\nSecFilterSelective “HTTP_USER_AGENT|HTTP_HOST” “^$”
\n# You normally won’t need debug logging
\n# Debug level set to a minimum
\nSecFilterDebugLog \/var\/log\/apache2\/modsec_debug_log
\nSecFilterDebugLevel 0
\n# Should mod_security inspect POST payloads
\nSecFilterScanPOST On
\n# By default log and deny suspicious requests
\n# with HTTP status 500
\nSecFilterDefaultAction “deny,log,status:500”
\n# Only accept request encodings we know how to handle
\n# we exclude GET requests from this because some (automated)
\n# clients supply “text\/html” as Content-Type
\nSecFilterSelective REQUEST_METHOD “!^GET$” chain
\nSecFilterSelective HTTP_Content-Type “!(^$|^application\/x-www-form-urlencoded$|^multipart\/form-data)”
\n# Require Content-Length to be provided with
\n# every POST request
\nSecFilterSelective REQUEST_METHOD “^POST$” chain
\nSecFilterSelective HTTP_Content-Length “^$”
\n# Don’t accept transfer encodings we know we don’t handle
\n# (and you don’t need it anyway)SecFilterSelective HTTP_Transfer-Encoding “!^$”
\n# Some common application-related rules from
\n# http:\/\/modsecrules.monkeydev.org\/rules.php?safety=safe
\n#Nuke Bookmarks XSS
\nSecFilterSelective THE_REQUEST “\/modules\\.php\\?name=Bookmarks\\&file=(del_cat\\&catname|del_mark\\&markname|edit_cat\\&catname|edit_cat\\&catcomment|marks\\&catname|uploadbookmarks\\&category)=(<[[:space:]]*script|(http|https|ftp)\\:\/)”
\n#Nuke Bookmarks Marks.php SQL Injection Vulnerability
\nSecFilterSelective THE_REQUEST “modules\\.php\\?name=Bookmarks\\&file=marks\\&catname=.*\\&category=.*\/\\*\\*\/(union|select|delete|insert)”
\n#PHPNuke general XSS attempt
\n#\/modules.php?name=News&file=article&sid=1&optionbox=
\nSecFilterSelective THE_REQUEST “\/modules\\.php\\?*name=<[[:space:]]*script”
\n# PHPNuke SQL injection attempt
\nSecFilterSelective THE_REQUEST “\/modules\\.php\\?*name=Search*instory=”
\n#phpnuke sql insertion
\nSecFilterSelective THE_REQUEST “\/modules\\.php*name=Forums.*file=viewtopic*\/forum=.*\\’\/”
\n# WEB-PHP phpbb quick-reply.php arbitrary command attempt
\nSecFilterSelective THE_REQUEST “\/quick-reply\\.php” chain
\nSecFilter “phpbb_root_path=”
\n#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
\nSecFilterSelective THE_REQUEST “\/calendar_scheduler\\.php\\?start=(<[[:space:]]*script|(http|https|ftp)\\:\/)”
\n# phpMyAdmin: Safe
\n#phpMyAdmin Export.PHP File Disclosure Vulnerability
\nSecFilterSelective SCRIPT_FILENAME “export\\.php$” chain
\nSecFilterSelective ARG_what “\\.\\.”
\n#phpMyAdmin path vln
\nSecFilterSelective REQUEST_URI “\/css\/phpmyadmin\\.css\\.php\\?GLOBALS\\[cfg\\]\\[ThemePath\\]=\/etc”<\/p>\n
#SQL injection
\nSecFilter “delete[[:space:]]+from”
\nSecFilter “insert[[:space:]]+into”
\nSecFilter “select.+from”
\nSecFilter “drop[[:space:]]table”
\nSecFilter “<script”
\nSecFilter “<.+>”
\n<\/IfModule><\/p>\n
creo\u00a0 il file \/etc\/apache2\/myconf\/myapache2.conf\u00a0 che contiene:<\/p>\n
<IfModule mod_security.c>
\n# Turn the filtering engine On or Off
\nSecFilterEngine On<\/p>\n
# Make sure that URL encoding is valid
\nSecFilterCheckURLEncoding On<\/p>\n
# Unicode encoding check
\nSecFilterCheckUnicodeEncoding Off<\/p>\n
# Only allow bytes from this range
\nSecFilterForceByteRange 0 255<\/p>\n
# Only log suspicious requests
\nSecAuditEngine RelevantOnly<\/p>\n
# The name of the audit log file
\nSecAuditLog \/var\/log\/apache2\/audit_log
\n# Debug level set to a minimum
\nSecFilterDebugLog \/var\/log\/apache2\/modsec_debug_log
\nSecFilterDebugLevel 0<\/p>\n
# Should mod_security inspect POST payloads
\nSecFilterScanPOST On<\/p>\n
# By default log and deny suspicious requests
\n# with HTTP status 500
\nSecFilterDefaultAction “deny,log,status:500”<\/p>\n
<\/IfModule>
\nOra posso modificare il file \/etc\/apache2\/conf.d\/security modificando le due voci
\n[orig] ServerTokens OS
\n[mod] ServerTokens Prod
\ne
\n[orig] ServerSignature On
\n[mod] ServerSignature Off
\nche rispettivamente indicano negli header che il server trasmette al client che sistema operativo hosta il sito e la versione di apache2, informazioni utili a un possibile attacker per sfruttare vulnerabilit\u00e0 note o meno note di quegli elementi specifici.<\/p>\n
Creo in \/etc\/apache2\/sites-avaible il virtual-host crm.myfirm.com che contiene:
\n<VirtualHost *:443>
\nServerAdmin webmaster@myfirml.com
\nServerName crm.myfirm.com
\nDocumentRoot \/var\/www\/crm.myfirm.com\/
\nphp_admin_value open_basedir \/var\/www\/crm.myfirm.com
\nOptions +FollowSymLinks
\nSSLEngine on
\nSSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
\nSSLCertificateFile \/etc\/ssl\/myfirm\/crm.myfirm.com.crt
\nSSLCertificateKeyFile \/etc\/ssl\/myfirm\/crm.myfirm.com.key
\nSSLCACertificateFile \/etc\/ssl\/myfirm\/myfirm-CA.crt
\n<\/VirtualHost><\/p>\n
Con a2ensite\u00a0 lo rendo disponibile e il sito e’ pronto.<\/p>\n
Per pura paranoia (qualcuno disse: “non \u00e8 in dubbio se tu sia paranoico o meno, piuttosto quanto tu lo sia), mi sono posto il quesito e\u00a0 se per puro sbaglio qualcuno ci capita sopra?
\nCio\u00e8 se Mr Murphy. quel giorno \u00e8 particolarmente in vena e il gatto della Signora Giusy (che non idea di chi sia) camminando sulla tastiera digita https:\/\/crm.myfirm.com?
\nla Signora in questione potrebbe accorgersi che c’\u00e8\u00a0 un sito che richiede nome e password…
\nCi\u00f2 \u00e8 MALE!
\nNecessita un filtro di prima istanza per poterti loggare al crm devi sapere che c’\u00e8 e non solo devi anche dire chi sei prima di poterti loggare e operare.
\nLa soluzione la troviamo in htpasswd, possiamo ipotizzare una unica login e password per avere accesso alla login vera e propria che poi sar\u00e0 a seconda dei casi con permessi di varia natura ma questo a livello di applicativo, Io voglio che per arrivare all’applicativo il sistema riconosca che si e’ autorizzati e quindi htpasswd -cbs \/etc\/apache2\/.htpasswd\u00a0 agent passwordcomune
\nCosi’ facendo creiamo sotto \/etc\/apache2 il file .htpasswd che conterr\u00e0 la login agent e la password passwordcomune criptata in SHA<\/p>\n
Configurazione finita e hardenizzata per quanto possibile.<\/p>\n
files di configurazione: Per comodit\u00e0 allego qui i files di configurazione di apache2<\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Il web server a cui si appoggia SugarCrm \u00e8 Apache2,\u00a0 di seguito le note di configurazione e hardening. apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 libapache2-mod-php5 php5-common php5-gd php5-idn php-pear php5-imap php5-mcrypt php5-mhash php5-mysql php5-sqlite php5-xmlrpc php5-xsl php5-curl libapache-mod-security, che si tirano dietro tutte le necessarie dipendenze,\u00a0 poich\u00e9 questo sito lavorer\u00e0 solo in https genero […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,7,6],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-linux","category-sistemi-operativi","category-work"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":20,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"predecessor-version":[{"id":581,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions\/581"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\napache2.conf.tar<\/a>
\nmyapache2.conf.tar<\/a>
\n<\/a>mod_security.tar<\/a>
\n<\/a>security.tar
\n<\/a>crm.myfirm.com.tar<\/a>
\n<\/a><\/p>\n