lab11_web_security_access_controls.txt
RHCE RH254 HANDS-ON LAB: WEB SERVER SECURITY AND ACCESS CONTROLS
================================================================
LAB OBJECTIVE:
Configure Apache web server security features and implement access controls for directories and resources
PREREQUISITES:
- Apache HTTP Server installed and configured
- Root access to RHEL system
- Understanding of web security concepts
LAB SCENARIO:
Implement comprehensive security controls for Apache web server including authentication, authorization, and access restrictions.
EQUIPMENT NEEDED:
- RHEL system with Apache installed
- Multiple client systems for testing access controls
LAB TASKS:
PART A: BASIC SECURITY CONFIGURATION
-------------------------------------
1. Configure server information hiding and security response headers:
# Install Apache and open the firewall ports
# yum install httpd -y
# systemctl start httpd
# systemctl enable httpd
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
# Install Vim
# yum install vim -y
# vim /etc/httpd/conf/httpd.conf
# Hide server information: ServerTokens Prod shrinks the Server header to "Apache",
# ServerSignature Off removes the version footer from server-generated error pages
ServerTokens Prod
ServerSignature Off
# Security headers (Header requires mod_headers, loaded by default from 00-base.conf)
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# X-XSS-Protection is deprecated and ignored by current browsers; it is kept only for
# legacy clients. A Content-Security-Policy header is the current control against
# injected script. After editing, check the headers with: curl -sI http://localhost/
2. Disable unnecessary modules:
# vim /etc/httpd/conf.modules.d/00-base.conf
# Comment out unused modules:
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule autoindex_module modules/mod_autoindex.so
# /etc/httpd/conf.d/autoindex.conf uses IndexOptions without an <IfModule> guard, so once
# autoindex_module is gone httpd -t fails with "Invalid command 'IndexOptions'". Rename that
# fragment as well (userdir.conf is guarded and needs no change):
# mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.disabled
# httpd -t
3. Configure directory browsing restrictions:
# vim /etc/httpd/conf/httpd.conf
# Edit the <Directory "/var/www/html"> block that the stock httpd.conf already contains
# (it ships with "Options Indexes FollowSymLinks"); do not add a second block for the same path.
<Directory "/var/www/html">
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# With Indexes removed, a directory that has no index file returns 403 instead of a file
# listing; with FollowSymLinks removed, httpd refuses to serve through symbolic links in
# the document root.
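The following script is an added example for checking the result of step 1; it is not part of the lab. It audits a block of HTTP response headers (the output of `curl -sI`) for the ServerTokens and Header settings above. The two sample responses embedded in it are constructed for the example, not captured from a real server; everything else is standard sh, awk and tr.

```bash
#!/bin/bash
# Added example (not part of the lab): audit the response headers that Part A configures.
# Feed it the output of `curl -sI http://localhost/`; it prints one FINDING line per
# problem and returns the number of findings (0 = hardened as intended).

# Constructed sample responses (not captured from a real server): the stock RHEL
# response before Part A, and the same response after the hardening.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=UTF-8'

SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8'

# header_value NAME   <- headers on stdin; prints the value of NAME (case-insensitive, CR stripped)
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            sub(/\r$/, "")                       # curl output has CRLF line ends
            i = index($0, ":")
            if (i == 0) next                     # the status line has no colon
            if (tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }'
}

# audit_headers       <- headers on stdin; prints findings, returns their count
audit_headers() {
    hdrs=$(cat)
    findings=0
    # ServerTokens Prod leaves exactly "Apache"; anything longer leaks version or OS details
    server=$(printf '%s\n' "$hdrs" | header_value Server)
    case "$server" in
        ""|Apache) ;;
        *) echo "FINDING: Server header leaks build details: $server"
           findings=$((findings + 1)) ;;
    esac
    # Each required header must be present with the exact value set in Part A
    for spec in "X-Frame-Options=DENY" \
                "X-Content-Type-Options=nosniff" \
                "Referrer-Policy=strict-origin-when-cross-origin"; do
        name=${spec%%=*}
        expect=${spec#*=}
        got=$(printf '%s\n' "$hdrs" | header_value "$name")
        if [ -z "$got" ]; then
            echo "FINDING: missing header $name"
            findings=$((findings + 1))
        elif [ "$got" != "$expect" ]; then
            echo "FINDING: $name is '$got', expected '$expect'"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Stand-alone demonstration; in the lab replace the printf with: curl -sI http://localhost/ | audit_headers
printf '%s\n' "$SAMPLE_BEFORE" | audit_headers
echo "before hardening: $? finding(s)"
printf '%s\n' "$SAMPLE_AFTER" | audit_headers
echo "after hardening: $? finding(s)"
```

The check deliberately compares exact values, so a header that is present but weakened (for example X-Frame-Options changed to SAMEORIGIN) is reported rather than silently accepted.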
PART B: CONFIGURE BASIC AUTHENTICATION
---------------------------------------
1. Create protected directory:
# mkdir -p /var/www/html/secure
# echo "<h1>Secure Area</h1>" > /var/www/html/secure/index.html
2. Create the password file:
# -B stores bcrypt hashes instead of the default apr1 (salted MD5); available since httpd 2.4.4
# htpasswd -c -B /etc/httpd/.htpasswd admin
# htpasswd -B /etc/httpd/.htpasswd user1
# htpasswd -B /etc/httpd/.htpasswd user2
# chmod 640 /etc/httpd/.htpasswd
# chown root:apache /etc/httpd/.htpasswd
3. Configure basic authentication:
# vim /etc/httpd/conf.d/auth-basic.conf
<Directory "/var/www/html/secure">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
# Basic auth sends the password base64-encoded (not encrypted) with every request, so
# outside the lab this directory must only be reachable over HTTPS (add SSLRequireSSL once
# mod_ssl is installed in Part F). Reload httpd after every conf.d change:
# systemctl reload httpd
PART C: CONFIGURE DIGEST AUTHENTICATION
----------------------------------------
1. Create the digest password file (the realm string must match AuthName in step 3 exactly, because the stored hash is MD5 of user:realm:password; mod_auth_digest is loaded by default from 00-base.conf):
# htdigest -c /etc/httpd/.htdigest "Secure Realm" admin
# htdigest /etc/httpd/.htdigest "Secure Realm" user1
# chmod 640 /etc/httpd/.htdigest
# chown root:apache /etc/httpd/.htdigest
2. Create directory for digest authentication:
# mkdir -p /var/www/html/digest-secure
# echo "<h1>Digest Secure Area</h1>" > /var/www/html/digest-secure/index.html
3. Configure digest authentication:
# vim /etc/httpd/conf.d/auth-digest.conf
<Directory "/var/www/html/digest-secure">
AuthType Digest
AuthName "Secure Realm"
AuthDigestProvider file
AuthUserFile /etc/httpd/.htdigest
Require valid-user
</Directory>
PART D: CONFIGURE IP-BASED ACCESS CONTROLS
-------------------------------------------
1. Create IP-restricted directory:
# mkdir -p /var/www/html/admin
# echo "<h1>Admin Area</h1>" > /var/www/html/admin/index.html
2. Configure IP-based restrictions:
# vim /etc/httpd/conf.d/ip-access.conf
<Directory "/var/www/html/admin">
Options -Indexes
AllowOverride None
# Several Require lines at the same level are OR'ed (an implicit <RequireAny>).
# 20.192.245.25 is this lab host's own address; substitute yours.
Require ip 20.192.245.25
Require ip 127.0.0.1
</Directory>
# Require ip matches the TCP peer address httpd sees, never X-Forwarded-For or any other
# client-supplied header, unless mod_remoteip has been configured with a list of trusted proxies.
3. Configure host-based restrictions (create /var/www/html/internal with an index.html first, as in step 1):
# vim /etc/httpd/conf.d/host-access.conf
<Directory "/var/www/html/internal">
Options -Indexes
AllowOverride None
Require host example.com
Require host .trusted-domain.com
</Directory>
# Require host forces a double reverse DNS lookup on every request to this directory
# (regardless of HostnameLookups) and trusts whoever controls the client's PTR record,
# so prefer Require ip outside the lab.
PART E: CONFIGURE DOS PROTECTION AND IP ALLOWLISTING
-----------------------------------------------------
1. Install mod_evasive for DoS protection (packaged in EPEL, not in the base RHEL repositories):
# yum install mod_evasive -y
2. Configure mod_evasive:
# vim /etc/httpd/conf.d/evasive.conf
<IfModule mod_evasive24.c>
DOSHashTableSize 2048
DOSPageCount 2
DOSPageInterval 1
DOSSiteCount 50
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSLogDir /var/log/httpd
DOSEmailNotify admin@example.com
</IfModule>
# DOSPageCount 2 with DOSPageInterval 1 blocks any client that requests the same URI twice
# within a second, which a normal page load (HTML plus stylesheet) can trigger; these values
# are for demonstrating a block, not for production. A blocked client receives 403 for
# DOSBlockingPeriod seconds. DOSEmailNotify needs a working local mail command.
3. Configure an IP allowlist with SetEnvIf (this is an access rule, not rate limiting; request
   rates are limited by mod_evasive above and bandwidth by mod_ratelimit). Create
   /var/www/html/api with an index.html first, as in Part D step 1:
# vim /etc/httpd/conf.d/rate-limit.conf
<Directory "/var/www/html/api">
# Replace 20.192.245.25 with your own address. The trailing $ matters: without it the
# pattern also matches 20.192.245.250 through 20.192.245.259.
SetEnvIf Remote_Addr "^20\.192\.245\.25$" local_network
<RequireAll>
Require env local_network
</RequireAll>
</Directory>
PART F: CONFIGURE SSL CLIENT CERTIFICATES
------------------------------------------
1. Create client certificate directory:
# mkdir -p /var/www/html/client-cert
# echo "<h1>Client Certificate Required</h1>" > /var/www/html/client-cert/index.html
# chmod 755 /var/www/html/client-cert
2. Install and enable the SSL module:
# yum install mod_ssl -y
# /usr/libexec/httpd-ssl-gencerts
# (httpd-ssl-gencerts ships with RHEL 8's mod_ssl and creates the self-signed server
# certificate that /etc/httpd/conf.d/ssl.conf points at; on RHEL 7 the package does this
# during installation)
# If autoindex.conf was not renamed in Part A step 2, do it now, otherwise httpd -t fails
# because autoindex.conf uses IndexOptions unconditionally:
# mv /etc/httpd/conf.d/autoindex.conf \
/etc/httpd/conf.d/autoindex.conf.disabled
# httpd -M | grep ssl
3. Prepare SSL directory structure (/etc/ssl is a symlink to /etc/pki/tls on RHEL):
# mkdir -p /etc/ssl/private /etc/ssl/csr /etc/ssl/certs
# chmod 700 /etc/ssl/private
# mkdir -p /etc/ssl/ca/private /etc/ssl/ca/certs
# chmod 700 /etc/ssl/ca/private
4. Create local Certificate Authority:
# openssl genrsa -out /etc/ssl/ca/private/ca.key.pem 4096
# chmod 600 /etc/ssl/ca/private/ca.key.pem
# openssl req -new -x509 \
-key /etc/ssl/ca/private/ca.key.pem \
-out /etc/ssl/ca/certs/ca.cert.pem \
-days 3650
5. Generate client certificate (in a real deployment the client generates its own key and
   only the CSR is sent to the CA; the key is created on the server here purely for testing):
# openssl genrsa -out /etc/ssl/private/client.key 2048
# chmod 600 /etc/ssl/private/client.key
# openssl req -new -key /etc/ssl/private/client.key -out /etc/ssl/csr/client.csr
# openssl x509 -req -in /etc/ssl/csr/client.csr -CA /etc/ssl/ca/certs/ca.cert.pem \
-CAkey /etc/ssl/ca/private/ca.key.pem -CAcreateserial -out /etc/ssl/certs/client.crt -days 365
6. Configure client certificate authentication:
# vim /etc/httpd/conf.d/client-cert.conf
# Only client certificates that chain to this CA are accepted; the server's own certificate
# in ssl.conf plays no part in that check.
SSLCACertificateFile /etc/ssl/ca/certs/ca.cert.pem
<Directory "/var/www/html/client-cert">
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +StdEnvVars
Require all granted
</Directory>
# SSLVerifyClient inside <Directory> is enforced by renegotiating after the request URI
# is known. TLS 1.2 supports that; TLS 1.3 does not, so on a TLS 1.3-capable build the
# Part I test can fail with a renegotiation or handshake error. In that case move
# SSLVerifyClient and SSLVerifyDepth into the <VirtualHost _default_:443> block in ssl.conf
# so the whole HTTPS site requires a client certificate. Then: httpd -t && systemctl reload httpd
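The script below is an added example, not part of the lab: it performs steps 4 to 6 non-interactively under a scratch directory, adds the extensions a client certificate should carry, and runs the same chain check that SSLCACertificateFile with SSLVerifyClient require performs on a presented certificate. The subject names, the 2048-bit CA key and the scratch directory are choices made for this example; it needs only the openssl CLI and never touches /etc/ssl.

```bash
#!/bin/bash
# Added example (not part of the lab): the Part F certificate steps as a non-interactive
# script, plus the check mod_ssl performs on a presented client certificate. Subject
# names and the 2048-bit CA key are choices made for this example; everything is written
# under the directory passed in, so /etc/ssl is never touched. Requires the openssl CLI.

# make_client_cert DIR CN  -> DIR/ca.cert.pem, DIR/client.key, DIR/client.crt
make_client_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    # Lab CA (Part F step 4). -subj avoids the interactive prompts.
    openssl genrsa -out "$dir/ca.key.pem" 2048 2>/dev/null
    chmod 600 "$dir/ca.key.pem"
    openssl req -new -x509 -key "$dir/ca.key.pem" -out "$dir/ca.cert.pem" \
        -days 3650 -subj "/CN=Lab Client CA" 2>/dev/null
    # Client key and CSR (Part F step 5). In production only the CSR leaves the client.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    chmod 600 "$dir/client.key"
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$cn" 2>/dev/null
    # Sign with explicit extensions: not a CA, and usable only for TLS client
    # authentication, so a leaked client certificate cannot impersonate a server.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.cert.pem" \
        -CAkey "$dir/ca.key.pem" -CAcreateserial -out "$dir/client.crt" \
        -days 365 -extfile "$dir/client.ext" 2>/dev/null
}

# verify_client_cert CAFILE CERT -> 0 when CERT chains to CAFILE and is valid for TLS
# client use. This is what SSLCACertificateFile + SSLVerifyClient require enforces:
# a certificate from any other CA, however valid on its own, is rejected.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT -> the subject CN, which mod_ssl exports as SSL_CLIENT_S_DN_CN when
# SSLOptions +StdEnvVars is set (usable for per-user rules with Require expr)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone demonstration with two independent CAs that issue the same CN
work=$(mktemp -d)
make_client_cert "$work/a" user1
make_client_cert "$work/b" user1
if verify_client_cert "$work/a/ca.cert.pem" "$work/a/client.crt"; then
    echo "accepted: CN=$(cert_cn "$work/a/client.crt") issued by CA a"
fi
if ! verify_client_cert "$work/a/ca.cert.pem" "$work/b/client.crt"; then
    echo "rejected: same CN, but issued by CA b"
fi
rm -rf "$work"
```

The second CA exists to make the point of SSLCACertificateFile concrete: identity comes from the issuer, not from the subject name, so two certificates with identical CNs are treated completely differently.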
PART G: CONFIGURE .HTACCESS SECURITY
-------------------------------------
1. Enable .htaccess processing:
# vim /etc/httpd/conf/httpd.conf
# Change AllowOverride in the existing <Directory "/var/www/html"> block (set to None in
# Part A). AuthConfig permits Auth*/Require directives in .htaccess, Limit permits <Limit> sections.
<Directory "/var/www/html">
AllowOverride AuthConfig Limit
</Directory>
# httpd now looks for a .htaccess in every directory on the path of every request, and
# access policy moves into files owned by whoever owns the content. The conf.d approach
# from Part B is preferable whenever you control the server configuration.
2. Create .htaccess file for directory protection (also give the directory an index.html,
   otherwise a successful login still returns 403 because Indexes is off):
# mkdir -p /var/www/html/protected
# chmod 755 /var/www/html/protected
# vim /var/www/html/protected/.htaccess
AuthType Basic
AuthName "Protected Directory"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
# Deny access to sensitive files
<Files "*.conf">
Require all denied
</Files>
<Files "*.log">
Require all denied
</Files>
3. Confirm the global .htaccess protection (the stock httpd.conf already contains this
   block; verify that it is present rather than adding a duplicate):
# vim /etc/httpd/conf/httpd.conf
<Files ".ht*">
Require all denied
</Files>
PART H: CONFIGURE ADVANCED SECURITY FEATURES
---------------------------------------------
1. Configure mod_security (Web Application Firewall):
# yum install mod_security -y
# The package already installs /etc/httpd/conf.d/mod_security.conf with these directives;
# review and adjust that file rather than replacing it.
# vim /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
</IfModule>
# SecRuleEngine On with only the rule above blocks nothing except oversized request bodies;
# the detection rules come from the OWASP Core Rule Set (install the mod_security_crs
# package). Start with SecRuleEngine DetectionOnly and review the audit log in
# /var/log/httpd before switching to On, so legitimate traffic is not blocked.
2. Configure custom error pages:
# mkdir -p /var/www/html/errors
# echo "<h1>403 - Access Forbidden</h1>" > /var/www/html/errors/403.html
# echo "<h1>404 - Page Not Found</h1>" > /var/www/html/errors/404.html
# vim /etc/httpd/conf/httpd.conf
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
3. Configure log monitoring:
# vim /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_with_time
CustomLog logs/access_log combined_with_time
PART I: TESTING ACCESS CONTROLS
--------------------------------
1. Test basic authentication (use the password you set with htpasswd in place of "password"):
# curl -u admin:password http://localhost/secure/
# curl http://localhost/secure/ # Should return 401
2. Test IP-based restrictions:
# curl http://localhost/admin/ # From 127.0.0.1, which is allowed
# Repeat from a second client system whose address is not in the Require ip list: should return 403
# curl -H "X-Forwarded-For: 10.0.0.1" http://localhost/admin/ # Still allowed: the peer is 127.0.0.1
# Require ip uses the TCP peer address. X-Forwarded-For is a header any client can set, so it
# must never be treated as the client address unless mod_remoteip is configured with a trusted
# proxy list; a bypass would work the other way round, with a denied client claiming an allowed address.
3. Test digest authentication:
# curl --digest -u admin:password http://localhost/digest-secure/
4. Test SSL client certificates (the server certificate is self-signed, so curl needs -k in the
   lab; without a client certificate the request must fail):
# curl -k --cert /etc/ssl/certs/client.crt --key /etc/ssl/private/client.key \
https://localhost/client-cert/
# curl -k https://localhost/client-cert/ # Should fail
PART J: MONITORING AND LOGGING
-------------------------------
1. Monitor authentication attempts:
# tail -f /var/log/httpd/access_log | grep "401\|403"
# (this grep matches 401 or 403 anywhere in the line, including byte counts and URLs;
# the status code is the ninth field of the combined format, which is what to filter on
# for exact counts)
2. Monitor security events (mod_security writes its "ModSecurity:" messages to error_log):
# tail -f /var/log/httpd/error_log | grep -i security
3. Set up log rotation (RHEL already ships /etc/logrotate.d/httpd; this replaces it):
# vim /etc/logrotate.d/httpd
/var/log/httpd/*log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 640 root root
sharedscripts
postrotate
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
endscript
}
# Keep the logs owned by root: httpd opens them as root before dropping to the apache user,
# so an apache-owned log (create 640 apache apache) would let a compromised worker process
# truncate or rewrite its own audit trail. sharedscripts runs the reload once for all
# matched files instead of once per file.
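As an added example that is not part of the lab, the script below does the monitoring of step 1 on a saved log rather than on a live tail: it counts denied requests by status field, attributes them to client addresses and flags the addresses worth blocking. The log lines in it are constructed for the example in the combined_with_time format from Part H; the threshold value and function names are this example's own.

```bash
#!/bin/bash
# Added example (not part of the lab): summarise denied requests from access_log by status
# field instead of grepping for "401" or "403" anywhere in the line. Works on the stock
# combined format and on the combined_with_time format from Part H; the first nine
# fields ($1 client, $3 authenticated user, $9 status) are identical in both.

# Constructed sample log (not from a real server). Line 1 is a 200 whose byte count happens
# to be 401 and line 8 is a 404 for a URL containing "403": both fool a plain grep, neither
# is a denied request.
SAMPLE_LOG='192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 401 "-" "curl/7.29.0" 812
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /secure/ HTTP/1.1" 401 381 "-" "curl/7.29.0" 455
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /secure/ HTTP/1.1" 401 381 "-" "curl/7.29.0" 431
192.0.2.10 - admin [01/Jan/2024:10:00:04 +0000] "GET /secure/ HTTP/1.1" 200 21 "-" "curl/7.29.0" 602
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0" 120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0" 118
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0" 115
198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET /403.html HTTP/1.1" 404 196 "-" "Mozilla/5.0" 101'

# naive_count   <- log on stdin; what the lab's grep "401\|403" would count
naive_count() {
    grep -cE '401|403'
}

# denied_count  <- log on stdin; lines whose status field is 401 or 403.
# Field positions assume a well-formed request line ("GET /path HTTP/1.1"); a malformed
# request logged as "-" shifts the fields, so treat odd values of $9 as a signal too.
denied_count() {
    awk '$9 == 401 || $9 == 403 { c++ } END { print c + 0 }'
}

# denied_by_ip  <- log on stdin; "<count> <ip>" per client, busiest first
denied_by_ip() {
    awk '$9 == 401 || $9 == 403 { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD <- log on stdin; client addresses with more than THRESHOLD denials,
# the candidates for a firewall rule or a mod_evasive block
flag_sources() {
    denied_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone demonstration; in the lab use: flag_sources 20 < /var/log/httpd/access_log
echo "naive grep count:  $(printf '%s\n' "$SAMPLE_LOG" | naive_count)"
echo "real denied count: $(printf '%s\n' "$SAMPLE_LOG" | denied_count)"
printf '%s\n' "$SAMPLE_LOG" | denied_by_ip
echo "sources over threshold 2: $(printf '%s\n' "$SAMPLE_LOG" | flag_sources 2)"
```

On the sample the plain grep reports seven hits where only five requests were actually denied; the difference is exactly the kind of noise that makes a tail-and-grep monitor unreliable as an alert source.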
TROUBLESHOOTING COMMANDS:
-------------------------
# httpd -t
# tail -f /var/log/httpd/error_log
# curl -I http://localhost/secure/
# htpasswd -v /etc/httpd/.htpasswd admin
# ls -la /etc/httpd/.htpasswd
EXPECTED RESULTS:
-----------------
- Authentication required for protected directories
- IP-based access controls working
- Security headers present in responses
- Unauthorized access properly blocked
- Comprehensive logging of security events
VALIDATION CHECKLIST:
---------------------
□ Basic authentication working Done
□ Digest authentication configured Done
□ IP-based restrictions functional Done
□ SSL client certificates working Done
□ Security headers implemented Done
□ Error pages customized
□ Logging captures security events
CLEANUP:
--------
# rm /etc/httpd/conf.d/auth-*.conf
# rm /etc/httpd/conf.d/ip-access.conf /etc/httpd/conf.d/host-access.conf
# rm /etc/httpd/conf.d/rate-limit.conf /etc/httpd/conf.d/evasive.conf
# rm /etc/httpd/conf.d/client-cert.conf
# rm /var/www/html/protected/.htaccess
# rm /etc/httpd/.htpasswd /etc/httpd/.htdigest
# Restore AllowOverride None in httpd.conf if it was changed in Part G, then:
# httpd -t && systemctl reload httpd