Install Apache 2.2 with OpenSSL and Tomcat connector

Jephe Wu - http://linuxtechres.blogspot.com

Objective: install the current Apache, OpenSSL and Tomcat connector releases from source, to get rid of the vulnerabilities fixed in those releases
Environment: CentOS 4.4, use chroot configuration (/chroot)


Steps:
1. download the latest releases from the individual project websites:
httpd-2.2.15
openssl-1.0.0a
tomcat-connectors-1.2.30

2. install openssl 1.0.0a

if a previous OpenSSL is already installed under /usr/local/ssl, move it aside first so the new build does not overwrite it and you can roll back:
cd /usr/local; mv ssl ssl.0.9.8d
cd openssl-1.0.0a
./config && make && make test && make install

note: all the files are written to /usr/local/ssl (the default prefix). The distribution's own OpenSSL in /usr/lib stays where it is, which is why the httpd build below is pointed at /usr/local/ssl explicitly.

3. install httpd 2.2.15
./configure --prefix=/usr/local/apache2 \
    --enable-mods-shared="most ssl rewrite deflate headers expires mime-magic unique-id" \
    --with-ssl=/usr/local/ssl

make && make install

note: 'most' does not pull in mod_ssl in 2.2, so ssl has to be listed explicitly; --with-ssl makes mod_ssl build against the OpenSSL from step 2 instead of the system copy.

note: some basic module lines for httpd.conf
LoadModule authz_host_module modules/mod_authz_host.so

#note: without the line above, 'bin/apachectl configtest' (run from /usr/local/apache2) fails with
#Syntax error on line 167 of /usr/local/apache2/conf/httpd.conf:
#Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration
#because Order/Allow/Deny are provided by mod_authz_host in 2.2

LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule mime_module modules/mod_mime.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
Include conf/extra/httpd-default.conf


4.  tomcat connector installation
http://tomcat.apache.org/connectors-doc/

cd /home/jephe/apache2215/tomcat-connectors-1.2.30-src/native
./configure --with-apxs=/usr/local/apache2/bin/apxs
make
cp apache-2.0/mod_jk.so /usr/local/apache2/modules/

(the apache-2.0 build directory is the right one for httpd 2.2 as well)

then add the following line to /usr/local/apache2/conf/httpd.conf next to the other LoadModule directives

LoadModule jk_module modules/mod_jk.so

Loading the module only makes the Jk* directives available; the connector forwards nothing until you also point it at a workers.properties file with JkWorkersFile and map paths to a worker with JkMount, as described on the page below.


note:
1. the build instructions are at http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
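Steps 2 to 4 as one script, added here as an example rather than taken from the post: it builds the three components in order and then checks what you actually care about after an upgrade like this, namely that the mod_ssl you just built carries OpenSSL 1.0.0a and not the distribution's 0.9.8. The SRC directory is an assumption (the post unpacks under /home/jephe/apache2215); the prefixes are the ones used above.

```shell
#!/bin/sh
# Build OpenSSL 1.0.0a, httpd 2.2.15 and mod_jk 1.2.30 from the unpacked
# source trees, then confirm which OpenSSL the resulting mod_ssl carries.
# Added example, not the post's own script.
set -eu

SRC=${SRC:-/home/jephe/apache2215}     # assumption: where the tarballs were unpacked
SSL_PREFIX=/usr/local/ssl
HTTPD_PREFIX=/usr/local/apache2

# openssl_version_in FILE: the "OpenSSL x.y.z" version string embedded in a
# binary or shared object. libcrypto carries it, and so does anything that
# linked libcrypto statically (which is what ./config without "shared" gives).
# Needs no binutils: non-printable bytes become line breaks, grep takes the
# first hit.
openssl_version_in() {
  tr -c '[:print:]' '\n' < "$1" | grep -o -m1 'OpenSSL [0-9][0-9.]*[a-z]*' || true
}

# dynamic_ssl_libs FILE: the libssl/libcrypto paths the loader would bind for
# FILE, taken from ldd output; empty when they were linked in statically.
dynamic_ssl_libs() {
  ldd "$1" 2>/dev/null | awk '$1 ~ /^lib(ssl|crypto)\.so/ && $3 ~ /^\// { print $3 }'
}

# ssl_libs_under PREFIX < paths: succeed only if every path lives under
# PREFIX, i.e. none of them is the distribution's old 0.9.8 in /lib or /usr/lib.
ssl_libs_under() {
  prefix=$1
  while read -r lib; do
    case $lib in
      "$prefix"/*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

build_openssl() {
  # keep the previous install so the change can be backed out
  [ -d "$SSL_PREFIX" ] && mv "$SSL_PREFIX" "$SSL_PREFIX.$(date +%Y%m%d)"
  cd "$SRC/openssl-1.0.0a"
  ./config                                # default prefix is /usr/local/ssl
  make && make test && make install
}

build_httpd() {
  cd "$SRC/httpd-2.2.15"
  ./configure --prefix="$HTTPD_PREFIX" \
    --enable-mods-shared="most ssl rewrite deflate headers expires mime-magic unique-id" \
    --with-ssl="$SSL_PREFIX"
  make && make install
}

build_mod_jk() {
  cd "$SRC/tomcat-connectors-1.2.30-src/native"
  ./configure --with-apxs="$HTTPD_PREFIX/bin/apxs"
  make
  cp apache-2.0/mod_jk.so "$HTTPD_PREFIX/modules/"
}

# verify_ssl_link: fail if mod_ssl would still run on an OpenSSL other than
# the one just built, which is the whole point of the upgrade.
verify_ssl_link() {
  mod=$HTTPD_PREFIX/modules/mod_ssl.so
  libs=$(dynamic_ssl_libs "$mod")
  if [ -n "$libs" ]; then
    echo "$libs" | ssl_libs_under "$SSL_PREFIX" \
      || { echo "mod_ssl binds an OpenSSL outside $SSL_PREFIX: $libs" >&2; return 1; }
    src=$(echo "$libs" | grep libcrypto | head -n 1 || true)   # version string lives in libcrypto
  else
    src=$mod                                                   # statically linked: it is inside the module
  fi
  ver=$(openssl_version_in "$src")
  echo "mod_ssl carries: ${ver:-no OpenSSL version string found}"
  [ "$ver" = "OpenSSL 1.0.0a" ]
}

case ${1:-} in
  build)  build_openssl && build_httpd && build_mod_jk && verify_ssl_link ;;
  verify) verify_ssl_link ;;
esac
```

Run it as `sh build-stack.sh build` once, and `sh build-stack.sh verify` any time later (for example after a distribution update that might have pulled a new system OpenSSL underneath a dynamically linked build). The same version string also shows up in error_log when httpd starts ("mod_ssl/2.2.15 OpenSSL/1.0.0a configured"), which is a second place to confirm it.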

5. Hardening apache

a. change conf/extra/httpd-default.conf
ServerSignature Off
ServerTokens Prod
MaxKeepAliveRequests 10000
TraceEnable off

ServerSignature Off drops the version footer from error pages, ServerTokens Prod reduces the Server: header to "Apache", and TraceEnable off disables the TRACE method (see the separate TRACE post below). Apache does not allow trailing comments on directive lines, so keep any notes on their own # lines.

b. disable SSLv2 and weak ciphers

SSLCipherSuite ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

note: !SSLv2 in a cipher string only removes the SSLv2 cipher suites; the protocol itself is switched off with the SSLProtocol directive (SSLProtocol all -SSLv2). Do both, then confirm from the outside with the Qualys test in step 6 rather than by reading the config.


c. put into chroot environment

new method: use the chroot built into Apache 2.2
Since Apache 2.2.10, httpd can chroot itself: put ChrootDir /path in the main httpd.conf. You do not have to create anything under /path, because the parent process reads the configuration, opens the log files and starts piped loggers outside the jail, and each child chroots itself before dropping root. (The Apache docs warn that mod_cgi and PHP usually need additional setup inside the jail.)

start Apache with /usr/local/apache2/bin/apachectl start

Advantage: much simpler chroot setup (Apache 2.2.10 and above only), and it works with cronolog.
Disadvantage: it doesn't work with the Cognos web gateway (you get an 'internal server error'). Also, a Redirect index.html https://domain/path/to in an Apache virtual host configuration did not work under ChrootDir; I had to change it to RewriteRule ^/$ https://domain/path/to to make this kind of redirection work.

old method: manual chroot
search for 'chroot apache'; two write-ups are
http://www.faqs.org/docs/securing/chap29sec254.html
http://www.linux.com/archive/articles/36331

change the $HTTPD invocation in the /etc/init.d/apache start script
to  /usr/sbin/chroot /chroot $HTTPD
note: we use /chroot as the chroot directory. With this method the whole server runs inside the jail, so the httpd installation, every shared library it and its modules need, and any helper it executes must exist under /chroot.

[root@web1 conf]# ls /chroot
dev  etc  lib  opt  usr  var


note: according to my test, with the manual chroot and cronolog, Apache cannot find the cronolog binary (the path in the piped-log directive is resolved inside /chroot) and therefore fails to start.


Advantage: Apache 2.0 works with both cronolog and the Cognos web gateway.
Disadvantage: the configuration is a bit more difficult, and Apache 2.2 does not work with this kind of chroot when cronolog is used. I have not tried the Cognos web gateway with it and don't expect it to work either, because in the cronolog test the program path could not be found.
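The tedious part of the manual chroot is the copying, and the cronolog problem above is the symptom of a missing copy: whatever httpd executes inside /chroot must be there with its libraries. The helpers below, an added example and not part of the original post, read ldd's output to collect those libraries, seed /etc/passwd and /etc/group inside the jail with just the httpd account, and create the device node and directories httpd needs. /chroot, the user name and the binary paths in the usage comment are the post's values and assumptions.

```shell
#!/bin/sh
# Helpers for the manual chroot (the "old method"): every program that runs
# inside /chroot - httpd itself and anything it starts, such as the piped
# logger cronolog - must be present inside the jail together with the shared
# libraries the loader resolves for it. Added example, not the post's script.
set -eu

# libs_from_ldd < ldd-output: print each absolute library path ldd resolved,
# one per line. The vdso pseudo-entry and "statically linked" produce nothing.
libs_from_ldd() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# copy_with_libs ROOT BIN: copy BIN and its libraries into ROOT, keeping the
# same paths so the loader finds them at the locations it expects.
copy_with_libs() {
  root=$1; bin=$2
  mkdir -p "$root$(dirname "$bin")"
  cp -p "$bin" "$root$bin"
  ldd "$bin" 2>/dev/null | libs_from_ldd | while read -r lib; do
    mkdir -p "$root$(dirname "$lib")"
    cp -p "$lib" "$root$lib"
  done
}

# chroot_user_entry ROOT USER: httpd resolves its User/Group inside the jail,
# so give it a minimal /etc/passwd and /etc/group holding only that account
# (and the account's primary group).
chroot_user_entry() {
  root=$1; user=$2
  mkdir -p "$root/etc"
  grep "^$user:" /etc/passwd >> "$root/etc/passwd"
  gid=$(grep "^$user:" /etc/passwd | cut -d: -f4)
  grep "^[^:]*:[^:]*:$gid:" /etc/group >> "$root/etc/group" || true
}

# prepare_chroot ROOT: the device node and scratch directories httpd needs.
prepare_chroot() {
  root=$1
  mkdir -p "$root/dev" "$root/tmp" "$root/var/run"
  [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3
  chmod 1777 "$root/tmp"
}

# Usage (as root), after copying the whole install tree into the jail:
#   cp -a /usr/local/apache2 /chroot/usr/local/
#   prepare_chroot /chroot
#   chroot_user_entry /chroot apache            # the User/Group from httpd.conf
#   for b in /usr/local/apache2/bin/httpd /usr/local/apache2/modules/*.so \
#            /usr/local/sbin/cronolog; do       # cronolog path assumed
#     copy_with_libs /chroot "$b"
#   done
#   /usr/sbin/chroot /chroot /usr/local/apache2/bin/httpd -k start
```

The modules are looped over as well because mod_ssl.so and mod_jk.so bring in libraries (libcrypto, libz) that the httpd binary alone may not. Name resolution inside the jail (for RewriteRule lookups or a proxy) needs /etc/resolv.conf and the NSS libraries too; that is what the linked write-ups cover.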

6. testing the Apache configuration
a.  syntax test
cd /usr/local/apache2
bin/apachectl configtest

b. Qualys SSL Server Test, which checks from the outside that SSLv2 and the weak cipher classes are really refused, not just that the directives are present
https://www.ssllabs.com/ssldb/index.html
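configtest only proves the syntax, and the Qualys test needs the server reachable from the Internet. In between sits a check you can run on the box: read the directives back the way httpd would (comments ignored, case-insensitive names, last definition wins, Include files followed) and flag the settings from step 5 that are missing or weak. This script is an added example, not from the post; the /usr/local/apache2 layout is the one used above.

```shell
#!/bin/sh
# Audit an httpd.conf tree for the hardening settings of step 5 plus the
# SSLProtocol line that actually switches SSLv2 off. Added example, not the
# post's own tool. It is a syntactic check of the config text; the cipher
# string itself is best expanded with "openssl ciphers -v '<string>'".
set -eu

# directive_value CONF NAME: value of the last uncommented NAME directive in
# CONF and in the files it Includes (one level, resolved relative to the
# directory above conf/ like ServerRoot), or empty if it is never set.
directive_value() {
  conf=$1; name=$2
  base=$(dirname "$conf")
  { cat "$conf"
    awk 'tolower($1) == "include" { gsub(/"/, "", $2); print $2 }' "$conf" \
    | while read -r inc; do
        case $inc in /*) f=$inc ;; *) f=$base/../$inc ;; esac
        [ -f "$f" ] && cat "$f"
      done
  } | awk -v n="$(echo "$name" | tr 'A-Z' 'a-z')" \
      '$1 !~ /^#/ && tolower($1) == n { $1 = ""; sub(/^ +/, ""); sub(/ +$/, ""); v = $0 }
       END { print v }'
}

# audit_httpd_conf CONF: print one WEAK line per finding; exit 1 if any.
audit_httpd_conf() {
  conf=$1; rc=0
  for want in "ServerTokens Prod" "ServerSignature Off" "TraceEnable off"; do
    name=${want%% *}; expect=${want#* }
    got=$(directive_value "$conf" "$name")
    if [ "$(echo "$got" | tr 'A-Z' 'a-z')" != "$(echo "$expect" | tr 'A-Z' 'a-z')" ]; then
      echo "WEAK: $name is '${got:-unset}', want $expect"; rc=1
    fi
  done

  # SSLv2 is off only if the protocol list removes it or starts from -all.
  proto=$(directive_value "$conf" SSLProtocol)
  case " $proto " in
    *" -SSLv2 "*|*" -all "*) ;;
    *) echo "WEAK: SSLProtocol '${proto:-unset}' still permits SSLv2"; rc=1 ;;
  esac

  # The cipher string must explicitly exclude the classes step 5 names.
  suite=$(directive_value "$conf" SSLCipherSuite)
  for bad in ADH LOW EXP eNULL; do
    case ":$suite:" in
      *":!$bad:"*) ;;
      *) echo "WEAK: SSLCipherSuite '${suite:-unset}' does not exclude $bad"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage:  audit_httpd_conf /usr/local/apache2/conf/httpd.conf && echo OK
```

Because the settings from step 5a live in conf/extra/httpd-default.conf, the Include handling is what makes the check see them; a directive commented out with # counts as unset, which is exactly how httpd treats it.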

7. solution for Apache 2.0 with chroot, the Cognos web gateway and cronolog
Use the traditional chroot with Apache 2.0.63 and OpenSSL 0.9.8o.
Apache 2.0.63 does not compile against OpenSSL 1.0.0a, so for this combination stay on the 0.9.8 branch (0.9.8o).

References:
http://httpd.apache.org/docs/2.2/programs/apxs.html
http://httpd.apache.org/docs/2.2/dso.html

How to restore objects for Oracle database

Jephe Wu - http://linuxtechres.blogspot.com

Objective: restore selected tables, procedures and packages from the nightly Data Pump backup
Environment: RHEL 5 64bit, Oracle 11g 64bit


Steps:


1. daily cronjob backup job
put the following in your cronjob shell script to back up schema1 and schema2, excluding table JEPHE1. The DUMPDIR variable is the OS path behind the Data Pump directory object 'cronjob'; the original script kept that path in two different forms, which is what it fixes.



export PATH=/usr/bin:/usr/sbin:/bin:/sbin
export NLS_DATE_FORMAT='DD-MON-YYYY HH24:MI:SS' # so the Data Pump log shows the date as well as the time
export ORACLE_SID=XE

ORAENV_ASK=NO
. /u01/app/oracle/product/11.2.0/xe/bin/oracle_env.sh  # or whatever the path of the file is
unset ORAENV_ASK

#=========== program starts here

DUMPDIR=/path/to        # must be the path the 'cronjob' directory object points at
DAY=`date +%w`          # 0-6: one dump per weekday, overwritten a week later
for i in schema1 schema2
do
    expdp userid=\"/ as sysdba\" directory=cronjob dumpfile=$i.dmpdp.$DAY logfile=$i.logdp.$DAY \
          schemas=$i exclude=statistics parfile=$DUMPDIR/excludes.par
    sync; sleep 3
    rm -f $DUMPDIR/$i.dmpdp.$DAY.gz $DUMPDIR/$i.logdp.$DAY.gz
    gzip $DUMPDIR/$i.dmpdp.$DAY $DUMPDIR/$i.logdp.$DAY
done

# more excludes.par
exclude=TABLE:"in ('JEPHE1')"

2.  restore preparation
drop the procedures and packages you are about to restore before running the import. Data Pump's table_exists_action=replace takes care of tables, so those need not be dropped, but for PL/SQL objects that already exist impdp only reports ORA-31684 (object already exists) and skips them, so they would not be refreshed.

# more drop.sql
drop procedure procedure1;
drop package  package1;

# sqlplus schema1 @drop.sql


3. create a database directory object if necessary
I am going to use /home/oracle as the OS path behind a directory object named 'oracle' and copy the backup files there.
create [ or replace ] directory oracle as '/home/oracle';
grant read, write on directory oracle to system;
select * from dba_directories;

4. actual restoration (objects from the schema1 backup into the schema2 schema)

stop listener - lsnrctl stop (this blocks new client connections for the duration of the import; sessions that are already connected stay up)

impdp system parfile=schema1.par logfile=schema1.logdp remap_schema=schema1:schema2 remap_tablespace=schema1:schema2 transform=oid:n

remap_tablespace assumes each schema has a tablespace of the same name; transform=oid:n makes imported object types get new OIDs so they do not clash with the types already in the target schema.

# more schema1.par
directory=oracle
dumpfile=schema1.dmpdp
include=PROCEDURE:"in ('PROC1')"
include=PACKAGE:"in ('PAC1')"
include=TABLE:"in ('TABLE1')"
table_exists_action=replace


Note:
a. to restore the objects into the schema they came from (schema1 backup to schema1):
impdp system parfile=schema1.par logfile=schema1.logdp schemas=schema1
or, a single table named on the command line (the quotes must be escaped from the shell):

impdp system directory=backup schemas=jephe dumpfile=jephe.dmpdp.5 logfile=jephe.logdp.5 include=TABLE:\"=\'CSTB_BACKUP_REQUEST_DET\'\" table_exists_action=replace
or all tables of the schema:
impdp system directory=cronjob schemas=jephe dumpfile=jephe.dmpdp.5 logfile=jephe.logdp.5 include=TABLE  table_exists_action=replace


5.  recompile all objects of the schema, then check for invalid ones
sqlplus / as sysdba
exec dbms_utility.compile_schema('SCHEMA1');

For how to check invalid objects, refer to another article at http://linuxtechres.blogspot.com/2010/06/how-to-do-deployment-for-oracle.html


6. start listener and register services
lsnrctl start
sqlplus / as sysdba
alter system register;
exit


7. Appendix: how to extract the DDL of one package from the dump file into a SQL script without importing anything (the sqlfile parameter; impdp prompts for the username because none is given).


impdp directory=cronjob dumpfile=jephe.dmpdp.6 schemas=JEPHE include=PACKAGE:\"=\'NAMEOFOBJECT\'\" sqlfile=NAMEOFOBJECT.sql

How to do deployment for Oracle database

Jephe Wu - http://linuxtechres.blogspot.com

Objective: how to do a deployment properly on a production Oracle 11g database
Environment: RHEL 5 64bit + Oracle 11g 64bit


Steps:
1. check whether anyone is still using the database
The easy way is the OEM (Oracle Enterprise Manager) Performance page: the CPU usage breakdown shows whether any schema user still has active sessions.

2. stop the listener - lsnrctl stop (logged in as the oracle user)
This stops new connections through the listener while you deploy. It does not disconnect sessions that are already open, nor does it affect local bequeath connections such as sqlplus / as sysdba on the server itself, which is why step 1 comes first.

3. run the deployment
compile the new procedures and packages, apply the table changes, etc.

4. recompile the schema and check for invalid objects
sqlplus / as sysdba
> exec dbms_utility.compile_schema('SCHEMA_NAME');

note: SCHEMA_NAME must be in capital letters, e.g. U_1000

 a. number of invalid objects per object type, excluding objects whose name begins with FB_
select object_type, count(*) from dba_objects where owner='U_1000' and status <> 'VALID' and object_name not like 'FB_%' group by object_type;


b. details of the invalid objects
select object_type, object_name from dba_objects where owner='U_1000' and status <> 'VALID' and object_name not like 'FB_%' order by object_type, object_name;

5. start listener  - lsnrctl start

6. register the database services with the listener so clients are served immediately; otherwise PMON registers them on its own, which can take up to a minute.
sqlplus / as sysdba
> alter system register;

How to securely delete files or erase the whole hard disk

Jephe Wu - http://linuxtechres.blogspot.com

Objective: securely delete individual files on Windows and Linux, or erase a whole hard disk
Environment: Windows and Linux


Steps:
1. delete files only
a. use the free open source GUI tool Eraser - http://eraser.heidi.ie/
note: when I used version 6.0.7 under Windows Vista it would not start, saying 'Eraser has stopped working'; deleting C:\Users\Jephe\AppData\Local\Eraser 6\Task List.ersx fixed it.

b. use sdelete from Sysinternals - http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

c. Freeraser - http://www.codyssey.com/products/freeraser.html

d. use shred on Linux (coreutils; shred -u -n 3 -z file overwrites three times, finishes with zeros and unlinks)

note: every file-level tool works by overwriting the file's blocks in place, which only destroys the data on filesystems that actually rewrite the same blocks (ext2/ext3/ext4 in the default data=ordered mode do). On copy-on-write or snapshotting filesystems, with data journaling, compression, or an SSD's wear levelling, the old copy can survive elsewhere; there, encrypt beforehand or erase the whole device.


2. erase the whole hard disk
a. boot the DBAN ISO CD - http://www.dban.org

b. use the free version of Active@ KillDisk - http://www.killdisk.com/downloadfree.htm

c. the DOS-based 'Secure Erase' (HDDerase) from CMRR - http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml - issues the ATA Secure Erase command, so the drive's own firmware wipes every sector, including reallocated ones that software overwrites cannot reach

d. use dd or ddrescue from a live CD
dd if=/dev/zero of=/dev/sda bs=1M
(one pass of zeros over the sectors the OS can see; let it run until dd reports 'No space left on device', and prefer ATA Secure Erase for SSDs)
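A Linux wrapper around option 1d, added here as an example (it is not part of the post): it uses shred when coreutils is present, and otherwise does the overwrite by hand the way shred does, in place and without truncating, then verifies the overwrite stuck before unlinking. The filesystem caveat above applies to both paths.

```shell
#!/bin/sh
# Secure deletion of a file on Linux: shred when available, else an explicit
# overwrite-then-verify fallback. Added example, not the post's own script.
set -eu

# overwrite_in_place FILE [PASSES]: rewrite every block FILE occupies, PASSES
# times with random data and once more with zeros. conv=notrunc matters: a
# plain redirection would truncate the file, which frees the old blocks
# untouched and allocates fresh ones for the new content.
overwrite_in_place() {
  f=$1; passes=${2:-1}
  size=$(wc -c < "$f")
  blocks=$(( (size + 4095) / 4096 ))     # whole blocks, so the file's tail is covered too
  i=0
  while [ "$i" -lt "$passes" ]; do
    dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    i=$((i + 1))
  done
  dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
  sync
}

# is_zeroed FILE: true if no byte other than NUL is left in the file.
is_zeroed() {
  [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# wipe_file FILE: shred (3 random passes, final zero pass, unlink) when
# available; otherwise the manual overwrite, verified before unlinking.
wipe_file() {
  f=$1
  [ -f "$f" ] || { echo "wipe_file: $f is not a regular file" >&2; return 1; }
  if command -v shred >/dev/null 2>&1; then
    shred -u -n 3 -z -- "$f"
  else
    overwrite_in_place "$f" 3
    is_zeroed "$f" || { echo "wipe_file: overwrite of $f did not stick" >&2; return 1; }
    rm -f -- "$f"
  fi
}

# Usage:  wipe_file /path/to/secret.txt
```

The verification step is the useful addition over a bare dd: reading the file back as all zeros shows the data went to the file's own blocks. It still cannot see copies the filesystem made elsewhere (journal, snapshots), which is the limit of every file-level tool.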

How to check openssl renegotiation and weak cipher vulnerability

Jephe Wu - http://linuxtechres.blogspot.com
Environment: Apache httpd server with openssl
Objective: check a server for the TLS renegotiation vulnerability and for weak cipher support, and fix both


Steps:
1. How to check whether a website is exposed to the renegotiation flaw or accepts weak ciphers
method 1: the openssl s_client command
use the openssl that comes with CentOS 5.5 (0.9.8e with the RFC 5746 secure-renegotiation backport, so it knows how to report the extension):

openssl s_client -connect jephe.domain.com:443
the handshake summary contains either 'Secure Renegotiation IS supported' or 'Secure Renegotiation IS NOT supported'; the latter means the server lacks RFC 5746 and is exposed to CVE-2009-3555 unless renegotiation is disabled entirely

use openssl ciphers to list the cipher names the client openssl knows, then offer the server only one class at a time: if the handshake succeeds ('Cipher is ...') the server accepts something from that class, if it fails ('handshake failure' alert, 'Cipher is (NONE)') it does not:
openssl s_client -connect jephe.domain.com:443 -cipher LOW:EXP  - check whether low-strength or export ciphers are accepted; for what LOW and EXP cover, see http://www.openssl.org/docs/apps/ciphers.html

openssl s_client -connect jephe.domain.com:443 -cipher EXP-RC4-MD5 - check one specific cipher

openssl s_client -connect jephe.domain.com:443 -cipher MEDIUM



method 2: use the public SSL database report

https://www.ssllabs.com/ssldb/index.html


method 3: use a downloaded tool
download sslciphercheck from http://www.woany.co.uk/downloads/
then run sslciphercheck -h jephe.domain.com to list all supported ciphers
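Method 1 scripted, as an added example (not from the post): one function runs the s_client handshake, two small parsers read its output for the renegotiation line and the negotiated cipher, and a loop offers the server each OpenSSL cipher class in turn so the whole weak-cipher picture comes out in one run. jephe.domain.com is the post's placeholder host; the class names are the same ones that appear in SSLCipherSuite.

```shell
#!/bin/sh
# Probe a TLS server for RFC 5746 secure renegotiation and for the cipher
# classes it accepts, using only openssl s_client. Added example, not the
# post's own script.
set -eu

# tls_banner HOST PORT [CIPHERS]: one s_client handshake; its summary comes
# back on stdout. stdin is /dev/null so s_client exits after the handshake.
tls_banner() {
  host=$1; port=$2; ciphers=${3:-}
  if [ -n "$ciphers" ]; then
    openssl s_client -connect "$host:$port" -cipher "$ciphers" </dev/null 2>&1 || true
  else
    openssl s_client -connect "$host:$port" </dev/null 2>&1 || true
  fi
}

# reneg_status < s_client-output: "secure", "insecure" (server lacks RFC 5746,
# i.e. CVE-2009-3555 exposure unless renegotiation is disabled) or "unknown"
# when the client openssl predates the check and prints no such line.
reneg_status() {
  awk '/Secure Renegotiation IS NOT supported/ { print "insecure"; found = 1; exit }
       /Secure Renegotiation IS supported/     { print "secure";   found = 1; exit }
       END { if (!found) print "unknown" }'
}

# negotiated_cipher < s_client-output: the cipher the server chose, or empty
# when the handshake failed ("Cipher is (NONE)"), which means the server
# refused everything we offered.
negotiated_cipher() {
  awk '/Cipher is / { sub(/.*Cipher is /, ""); c = $0 }
       END { if (c != "" && c != "(NONE)") print c }'
}

# cipher_classes_accepted HOST PORT: for each OpenSSL cipher class, report
# whether the server negotiates anything from it. A hardened server refuses
# EXP, LOW and ADH outright.
cipher_classes_accepted() {
  host=$1; port=$2
  for class in EXP LOW MEDIUM HIGH RC4 ADH; do
    c=$(tls_banner "$host" "$port" "$class" | negotiated_cipher)
    if [ -n "$c" ]; then
      echo "$class: accepted ($c)"
    else
      echo "$class: refused"
    fi
  done
}

# sslv2_accepted HOST PORT: SSLv2 is a protocol, not a cipher class, so it
# needs its own handshake; -ssl2 only exists in openssl builds that still
# include SSLv2 (0.9.8/1.0.0 do, 1.1.0 removed it).
sslv2_accepted() {
  c=$(openssl s_client -ssl2 -connect "$1:$2" </dev/null 2>&1 | negotiated_cipher || true)
  if [ -n "$c" ]; then echo "SSLv2: accepted ($c)"; else echo "SSLv2: not negotiated (or this openssl lacks -ssl2)"; fi
}

# Usage:
#   tls_banner jephe.domain.com 443 | reneg_status
#   cipher_classes_accepted jephe.domain.com 443
#   sslv2_accepted jephe.domain.com 443
```

Run the three usage lines before and after changing SSLCipherSuite; the "refused" lines are the proof that the directive took effect, which the Qualys report then confirms from outside.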



2. How to patch it
For the renegotiation vulnerability (CVE-2009-3555), upgrade to an OpenSSL that implements RFC 5746 secure renegotiation (1.0.0a, or 0.9.8m and later) and rebuild mod_ssl against it; the check above then reports 'Secure Renegotiation IS supported'.
For weak ciphers, use the following cipher suite configuration in Apache

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

You can disable RC4 as well, so it becomes:

SSLCipherSuite ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL


note:

1. to list every cipher the OpenSSL build on the server supports, one per line (pass a candidate SSLCipherSuite string as the argument to openssl ciphers to see exactly what it expands to):


/usr/local/ssl/bin/openssl ciphers | sed -e 's#:#\n#g' | sort

3. References
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
redhat knowledge base: https://access.redhat.com/kb/docs/DOC-20491


How to disable TRACE method for Apache

Jephe Wu - http://linuxtechres.blogspot.com

Environment: Apache web server
Objective: disable the TRACE/TRACK methods


Steps:
1. How to test whether a website supports TRACE/TRACK
 a. for port 80

telnet jephe.domain.com 80
TRACE / HTTP/1.1
Host: jephe.domain.com
(empty line to end the request)

If you get a 200 response whose body echoes the request you just typed, TRACE is enabled.
If it's 403 Forbidden (the mod_rewrite method below) or 405 Method Not Allowed (TraceEnable off), the method is disabled.

or, if you don't have telnet, you can use the nc command

nc jephe.domain.com 80
TRACE / HTTP/1.1
Host: jephe.domain.com

or ask the server which methods it allows
telnet server/ipaddr 80
OPTIONS * HTTP/1.0  => method names are case-sensitive, use capital letters

If 'TRACE' appears in the Allow header of the reply, the method is enabled, unless the echo has been blocked with the rewrite rule from section 2, in which case the listing is misleading:

TRACE and OPTIONS

The OPTIONS method can be used by a client to determine which methods are allowed. Even when TRACE is disabled using the mod_rewrite method below, the OPTIONS response will still report TRACE as allowed. However, TRACE is rejected with a 403 error before it is processed, so the potentially harmful behaviour of TRACE, echoing the request back in the response, is not possible. Only an actual TRACE request, not the OPTIONS listing, tells you the real state.
 
b. for port 443
openssl s_client -connect jephe.domain.com:443
.....
TRACE / HTTP/1.1
Host: jephe.domain.com
(empty line)

or
openssl s_client -connect jephe.domain.com:443
....
OPTIONS * HTTP/1.0
(empty line)

and look for the Allow line in the response, e.g.
Allow: GET,HEAD,POST,OPTIONS,TRACE
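The two manual tests above, scripted as an added example (not part of the post): the request is built with proper CRLF line endings and Connection: close, sent over nc or openssl s_client, and the verdict is read from the raw response the same way you would read it by eye, so the 200-with-echo, 403 and 405 cases are distinguished and the OPTIONS listing is reported separately because, as explained above, it can still advertise TRACE after the rewrite rule blocks it. jephe.domain.com is the post's placeholder host.

```shell
#!/bin/sh
# Probe a web server for TRACE and read the verdict from the raw response.
# Added example, not the post's own script.
set -eu

# http_request METHOD TARGET HOST: the request bytes, CRLF-terminated, with
# Connection: close so the server ends the exchange instead of keeping alive.
http_request() {
  printf '%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2" "$3"
}

# send_plain HOST PORT < request: raw HTTP over TCP; send_tls for port 443.
send_plain() { nc -w 5 "$1" "$2"; }
send_tls()   { openssl s_client -quiet -connect "$1:$2" 2>/dev/null; }

# status_code < response: the three-digit status from the first line.
status_code() {
  head -n 1 | tr -d '\r' | awk '$1 ~ /^HTTP\// { print $2 }'
}

# trace_verdict < TRACE-response: "enabled" when the server answered 200 and
# echoed the request line back in the body, "disabled" on 403 (mod_rewrite)
# or 405 (TraceEnable off), "unclear" for anything else.
trace_verdict() {
  resp=$(cat; echo x); resp=${resp%x}      # keep trailing newlines intact
  code=$(printf '%s' "$resp" | status_code)
  case $code in
    200) printf '%s' "$resp" | tr -d '\r' | grep -q '^TRACE ' \
           && echo enabled || echo unclear ;;
    403|405) echo disabled ;;
    *) echo unclear ;;
  esac
}

# allowed_methods < OPTIONS-response: the methods from the Allow header, one
# per line and upper-cased, so the caller can grep for TRACE.
allowed_methods() {
  tr -d '\r' | awk -F': *' 'tolower($1) == "allow" { print $2 }' \
    | tr ',' '\n' | tr -d ' ' | tr 'a-z' 'A-Z' | sed '/^$/d'
}

# probe_trace HOST [PORT]: run both checks against a live server.
probe_trace() {
  host=$1; port=${2:-80}
  if [ "$port" = 443 ]; then send=send_tls; else send=send_plain; fi
  v=$(http_request TRACE / "$host" | $send "$host" "$port" | trace_verdict)
  echo "TRACE on $host:$port: $v"
  if http_request OPTIONS '*' "$host" | $send "$host" "$port" | allowed_methods | grep -qx TRACE; then
    echo "OPTIONS still lists TRACE in Allow; trust the TRACE verdict above, not the listing"
  fi
}

# Usage:  probe_trace jephe.domain.com 80; probe_trace jephe.domain.com 443
```

The echo check matters more than the status code alone: some front ends answer 200 to any method with a generic page, and only a body that contains your own "TRACE / HTTP/1.1" line proves the server is reflecting requests.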
2. How to disable it?
method 1: TraceEnable off (available in Apache 1.3.34, 2.0.55 and later),
put it in the main httpd.conf configuration file

simpler, more direct, and less overhead than using mod_rewrite; the server answers TRACE with 405 Method Not Allowed.

method 2: mod_rewrite, in every virtual host
# Block TRACE/TRACK (cross-site tracing, XST)
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
 RewriteRule .* - [F]
 
3. why we should disable the TRACE method

The HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes:
the complete request, including HTTP headers, is returned in the entity body of a TRACE response. Using client-side HTTP features such as the XMLHTTP ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACE requests and read the TRACE response, including sensitive header information such as cookies or authentication data (cross-site tracing, XST). Browsers have since refused to send TRACE from script, but the header echo remains an information leak for any other client and is still flagged by scanners, so there is no reason to leave it on.
 
4. References
a. Web servers enable HTTP TRACE method by default - http://www.kb.cert.org/vuls/id/867593
b. Secure Apache TRACE Vulnerabilities - http://cobaltfaqs.com/index.php/Secure_Apache_TRACE_Vulnerabilities
c. http://httpd.apache.org/docs/2.2/mod/core.html#traceenable