
Location /var/www is not writable – Fedora 22

First, put all your web content under /var/www/html/. By default, however, Fedora does not allow Apache to write anywhere unless you explicitly permit it.
Proper file/directory permissions are required for that, but they are not enough.
Fedora uses SELinux (Security Enhanced Linux) to provide more robust security, and SELinux does not allow Apache to write anything by default either.

Now, for each file and/or directory that should be writable (the ones for which you receive "... is not writable" errors), set the SELinux label unconfined_u:object_r:httpd_sys_rw_content_t:s0 to tell SELinux that Apache is allowed to modify it; only the type part, httpd_sys_rw_content_t, matters for this decision. For example, to make /var/www/moodledata and /var/www/html/moodle/theme writable, run the following for each of them, substituting the path (the command below uses /var/www/html/whatever as a placeholder; use -R so that the label is applied recursively when the directory contains subdirectories that should be writable too):

chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/whatever

Now run setenforce 1 and check whether the website works properly. This is the solution. One caveat: chcon changes the label on the files themselves, so a filesystem relabel (restorecon -R on the directory, or touch /.autorelabel followed by a reboot) resets them to whatever the policy says. For a production host, record the path persistently with semanage fcontext -a -t httpd_sys_rw_content_t and then apply it with restorecon -R, so that the label survives relabels.

But what about the setenforce 0 command? It switches SELinux into permissive mode, in which SELinux does not prevent any activity and only logs the denials in the system's audit log. That is why you did not receive error messages any more. However, putting SELinux in permissive mode is NOT a proper solution to make things work; I used it to see if your problem is related to SELinux. Also, setenforce changes the mode only temporarily (until the next shutdown/reboot). setenforce 1 switches SELinux back to the default, enforcing mode, in which SELinux actually prevents disallowed activities.

This is the workflow that I would suggest when setting up a new thing in Fedora:

  1. Put SELinux into Permissive mode (setenforce 0)
  2. Set up the system as you like and make sure that it works correctly as intended
  3. Put SELinux back to Enforcing mode (setenforce 1)
  4. See if your system is still working fine. If not, check for SELinux errors in the system audit log (/var/log/audit/audit.log) and fix them appropriately (this usually involves changing file/directory SELinux labels, or changing SELinux boolean parameters). A more user-friendly approach is to use the SELinux Troubleshooter GUI application (sealert, from the setroubleshoot package) rather than inspecting the audit log directly: it shows SELinux-related errors along with suggested solutions.
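The audit-log triage in step 4, as an added example that is not part of the original post: a small Python script that parses httpd AVC denial records from audit.log and prints the narrowest matching fix (relabel, boolean, or port label) instead of suggesting permissive mode. The sample records are constructed in the audit.log format, and the function names parse_avc, suggest and triage are this example's own.

```python
"""Triage httpd SELinux denials from audit.log and print the matching fix.

Added example for this post, not the author's code. The sample records at the
bottom are constructed in /var/log/audit/audit.log format, not from a real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that mean httpd tried to modify something on disk.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "add_name", "remove_name", "setattr"}
# Target types that are plausibly web content and may be relabelled read-write.
RELABELABLE = {"httpd_sys_content_t", "httpd_sys_ra_content_t",
               "default_t", "var_t", "unlabeled_t"}
DB_PORTS = {"mysqld_port_t", "postgresql_port_t"}


@dataclass
class Denial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: Optional[str]   # path="..." if the kernel logged it, else name="..."
    port: Optional[str]     # dest= / src= on socket denials
    permissive: bool        # 1 = logged only, SELinux was in permissive mode


def ctx_type(ctx: str) -> str:
    """user:role:type:level -> type (the part policy rules are written on)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit.log line; None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(perms=m.group("perms").split(), comm=f.get("comm", ""),
                  scontext=f.get("scontext", ""), tcontext=f.get("tcontext", ""),
                  tclass=f.get("tclass", ""),
                  target=f.get("path") or f.get("name"),
                  port=f.get("dest") or f.get("src"),
                  permissive=f.get("permissive") == "1")


def suggest(d: Denial) -> str:
    """Map a denial to the narrowest fix; never suggest disabling SELinux."""
    if ctx_type(d.scontext) != "httpd_t":
        return "not an httpd denial (source %s); triage separately" % ctx_type(d.scontext)
    ttype = ctx_type(d.tcontext)
    if d.tclass in ("file", "dir") and set(d.perms) & WRITE_PERMS:
        if ttype not in RELABELABLE:
            return ("do not relabel %s (%s): httpd must never write there, fix the application"
                    % (d.target, ttype))
        if not d.target or not d.target.startswith("/"):
            return ("write denied on %r but the AVC record has no full path; run "
                    "ausearch -m avc -c httpd -i for the PATH record, then "
                    "semanage fcontext / restorecon" % d.target)
        # Persistent rule plus immediate relabel (a bare chcon is lost on relabel).
        return ("semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?' && "
                "restorecon -Rv %s" % (d.target, d.target))
    if d.tclass == "tcp_socket" and "name_connect" in d.perms:
        boolean = "httpd_can_network_connect_db" if ttype in DB_PORTS else "httpd_can_network_connect"
        return "setsebool -P %s on   # outbound connect to port %s (%s)" % (boolean, d.port, ttype)
    if d.tclass == "tcp_socket" and "name_bind" in d.perms:
        return "semanage port -a -t http_port_t -p tcp %s" % d.port
    return "unhandled denial; run sealert -a /var/log/audit/audit.log"


def triage(lines) -> List[Tuple[Denial, str]]:
    """Return (denial, fix) for every AVC record in the given lines."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            out.append((d, suggest(d)))
    return out


# Constructed sample records in audit.log format (not from a real host).
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1434530000.101:221): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"',
    'type=AVC msg=audit(1434530000.101:221): avc:  denied  { write } for  pid=2415 comm="httpd" '
    'path="/var/www/moodledata" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1434530002.377:224): avc:  denied  { name_connect } for  pid=2415 comm="httpd" '
    'dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 '
    'tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1434530009.002:230): avc:  denied  { write } for  pid=2415 comm="httpd" '
    'path="/etc/shadow" dev="dm-0" ino=52 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for d, fix in triage(SAMPLE_AUDIT):
        mode = "permissive" if d.permissive else "enforcing"
        print("[%s] %s %s on %s -> %s" % (mode, " ".join(d.perms), d.tclass, d.target or d.port, fix))
```

On a real host, feed it the output of `ausearch -m avc -c httpd` instead of SAMPLE_AUDIT. The third sample shows why the script refuses to relabel blindly: a denial on a target type like shadow_t is the policy doing its job, and the right fix is in the application, not in SELinux.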

Note that you can modify the SELinux configuration file (/etc/selinux/config) to completely disable SELinux or to set it permanently to permissive mode, but please don't. While many will suggest it as a solution to SELinux-related problems, it removes the protection rather than solving the problem. However, on a development system where security is not important you might decide to do that (in that case I would personally prefer permissive mode over disabling SELinux completely, so that you still get to know about SELinux permission errors). When you decide to deploy your web application to production servers, you should know how to configure SELinux properly so that your web application works correctly even when SELinux is in enforcing mode.


Scan and test your server before the hackers do.

Nikto is a free, open source command-line tool/script that can be used to test the security of your web server.
By default it checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated server versions, insecure files,
and server and software misconfigurations.

If you are going to use Nikto, do it on your own server.

Web server log files show the IP address of whoever is scanning the server, and that you are using Nikto to scan for vulnerabilities.
For this reason, I suggest you use Nikto to scan websites you control and leave the others alone.

Your scans are perceived as an aggressive act.

Nikto is not a weapon, nor is it a remedy for damage that has already been done.
It is an assessment tool which, when used correctly, can prevent a wide range of potential security threats from becoming reality.
Installing Nikto is simple and painless, no "Linux mystery" involved.

You need the following prerequisites in place to use SSL support:
Net::SSLeay, openssl-perl, perl-MD5 and perl-libwhisker2.
Depending on your distribution, these packages may have further dependencies.
Once you have met the prerequisites and dependencies,
grab the latest tarball from the CIRT website at http://cirt.net/Nikto2.

Download, untar and you are ready to begin your security scans:

tar xvf nikto-current.tar.gz

Alternatively, download it with:

wget http://www.cirt.net/nikto/nikto-current.tar.gz

and then

tar xvf nikto-current.tar.gz


Nikto Tests

At a command prompt, type the following to start a simple port 80 scan of website.com (website.com is just an example; Nikto defaults to port 80 unless you pass -p):
$ ./nikto.pl -h website.com

- Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP:          192.168.1.240
+ Target Hostname:    website.dk
+ Target Port:        80
+ Start Time:         2010-05-05 15:46:22
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 5 item(s) reported on remote host
+ End Time:           2010-03-01 13:42:54 (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
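Verifying the OSVDB-877 finding above by hand, as an added example that is not part of Nikto or of the original post: a Python check that sends an HTTP TRACE request carrying a marker header and reports whether the server echoes the request back, which is the cross-site tracing (XST) condition Nikto flags. The two local servers are constructed stand-ins for a vulnerable host (TRACE reflected) and a hardened one (TRACE answered with 405); trace_enabled, EchoingTrace, DisabledTrace and check_both are this example's own names.

```python
"""Reproduce Nikto's "HTTP TRACE method is active" check (OSVDB-877).

Added example for this post, not Nikto's code. The two handler classes are
constructed local servers, not real targets; the probe itself works against
any host, e.g. trace_enabled("website.dk", 80).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MARKER = "X-XST-Probe"   # header we expect to see reflected if TRACE is on


def trace_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if the server reflects our TRACE request (method active)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER: "nikto-check"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        # A reflecting server answers 200 with a message/http body that
        # contains our request line and headers, marker included.
        return resp.status == 200 and MARKER.lower() in body.lower()
    finally:
        conn.close()


class EchoingTrace(BaseHTTPRequestHandler):
    """Constructed vulnerable server: reflects TRACE like Apache with TraceEnable on."""

    def do_TRACE(self):
        reflected = "%s %s %s\r\n" % (self.command, self.path, self.request_version)
        reflected += str(self.headers)
        data = reflected.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


class DisabledTrace(EchoingTrace):
    """Constructed hardened server: what Apache returns with TraceEnable off."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a throwaway server on 127.0.0.1 with an OS-chosen port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_both() -> dict:
    """Run the probe against the vulnerable and the hardened stand-in."""
    results = {}
    for name, handler in (("vulnerable", EchoingTrace), ("hardened", DisabledTrace)):
        srv = start_server(handler)
        try:
            results[name] = trace_enabled("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, active in check_both().items():
        print("%-10s TRACE %s" % (name, "active (XST possible)" if active else "disabled"))
```

On Apache the fix for this finding is TraceEnable off in the server configuration (and Options -Indexes on the /icons/ location for the OSVDB-3268 directory-listing finding); after the change, the probe should return False and Nikto should no longer list TRACE among the allowed methods.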

The manual is available at http://cirt.net/nikto2-docs/