System Advancements at the Monastery

“Clocks slay time… time is dead as long as it is being clicked off by little wheels; only when the clock stops does time come to life.” — William Faulkner

In honor of ApacheCon Europe, held this past week, we will be going over a very basic implementation of an Apache web server. Ivan Ristic, author of “Apache Security” spoke at ApacheCon where he presented “Web Intrusion Detection with ModSecurity.” Rich Bowen, author of “The Definitive Guide to Apache mod_rewrite” (and a few other titles) on his blog DrBacchus Journal did a post titled “ApacheCon EU 2008 so far.” Rich had this to say about Ivan’s talk, “His talk was fabulous.” He goes on to elaborate, “I’m sure that everything Ivan talked about is in the docs, but his talk was amazingly valuable anyway, since it showed me things in one hour that would probably have taken me months to discover. And I’ve been using mod_security for years already, and wasn’t aware of them, or didn’t quite understand the syntax.” Nick Kew agrees with Rich. On Nick’s blog NIQ’s Soapbox, his posting “Putting ones money where ones mouth is ….” had this to say, “The highlight of today was Ivan Ristic’s mod_security talk: that module is getting seriously interesting.”

If you are interested in hearing more about ApacheCon, the keynote sessions have been made available for free off the Linux Magazine web site. The available presentations consist of:

• Jim Jagielski, Chairman of the Apache Software Foundation, starts off with his talk “State of the Feather.” To quote from the program, “Join ASF Chairman Jim Jagielski for a review of events and progress over the last 12 months within the Apache Software Foundation. Jim will detail the growth of the ASF, both in members as well as projects, discuss the noteworthy achievements of the ASF during that time period, and preview what the next 12 months likely hold for the pre-eminent open source foundation.“
• Cliff Schmidt, Executive Director of Literacy Bridge, discusses “Using Audio Technology and Open Content to Reduce Global Illiteracy.” To quote from the program, “During this talk, Cliff will share his observations from Ghana and discuss Literacy Bridge’s Talking Book Project. Literacy Bridge was founded to empower children and adults with tools for scalable knowledge sharing and literacy learning. The Talking Book Project is Literacy Bridge’s major program, developing new and affordable digital audio technology to provide vital, locally generated information and literacy training to people with limited access to either.”
• Rishab Aiyer Ghosh, Open Source Initiative Board Member, presents “Apache and Steam Engines: the Magic of Collaborative Innovation.” To quote from the program, “Rishab looks at collaborative model of creativity, from 18th century steam engines to the human genome project and discusses why and how collaborative creativity works. Using data from the FLOSS studies, he shows how this makes free software a continuing source of economic value and innovation around the world.”
• Roy Fielding, Co-founder of The Apache Software Foundation, and Vice President, Apache HTTP Server, discussed “Apache 3.0 (a Tall Tale)”. To quote from the program, “Thirteen years ago, the Apache Group founders finished the first beta release of Apache httpd, having reached the end of their initial pile of small improvements, and began to look forward to a complete rewrite of the server architecture. Suddenly, our forward progress slowed to a trickle, mailing list traffic dropped by two-thirds, and our focus diverged…Today, we face a new chasm, and our past successes have only made it wider and deeper than before. This talk is about the other side.“

I am with Rich and Nick, Ivan’s work with ModSecurity is extremely interesting and we will build towards implementing it. First, we need to start simple for there are many steps in the process. This post will provide references for setting up an Apache server, followed by a simple implementation. For additional information, particularly in the area of security, see my previous post “Securing Apache: References.”

Some folks might ask, “why not simply install XAMPP or MAMPP (depending on your system)?” Installing binaries is one way to go. With something as important as the web server, taking the easiest path is not necessary the best option. Compiling from source provides the most power and flexibility to change things according to your priorities. You gain control over such issues as compile time options, modules, and when to upgrade (verses waiting for security patches and upgrades to come out in binary format). While it might not be the easiest path, it is vital in learning what is going on with your system and helping avoid integration problems in the future.

Documents and Articles

Below are a few documents and articles that are most helpful when setting up Apache.

• Apache Security by Ivan Ristic. When it comes to the Apache web server, Ivan is the man to listen to. His book, truly is the complete guide to securing your Apache web server. It is an excellent resource.
• Compiling and Installing document created by The Apache Software Foundation. A great deal of information on Apache is available, not surprisingly, off the Apache HTTP server site.
• Securing Apache 2: Step-by-Step by Ivan Ristic. This is a shorter, more compact article appearing in SecurityFocus.
• Security Tips document created by The Apache Software Foundation. A very good source of information on securing the Apache HTTP server. The best place to go to ensure you have the most up-to-date information on securing the server.

Benchmarks

The Center for Internet Security is a non-profit enterprise that helps develop security configuration benchmarks. The stated mission of CIS is to “reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.” They have created the document “CIS Level 1 & 2 Benchmark and Scoring Tool for the Apache Web Server.” The document was last updated, as of this writing, on January 2008. The download file consists of:

• CIS_Apache_Benchmark_v2.1.pdf - the Benchmark document contains detailed instructions for implementing the steps necessary for CIS Level 1 and Level 2 sec.
• cis_score_tool_apache_v2.10.sh.gz - a Host-based Scoring Tool scores the security of a system against the Benchmark and creates a variance report.

Additional information is available off the site.

Forums and Blogs

Most of the forums and blogs that I am familiar with deal with security issues involved with web servers. See my “Securing Apache: References” post for those links.

Installing Apache

If Apache was not installed with your operating system, or if you wish to compile from source, you will need to download the latest Apache from the Apache web site. For this document, I will go through pulling down Apache version 2.2. Please consult the Apache HTTP Server Version 2.2 Compiling and Installing documentation for additional information.

 root# cd /usr/local/src
 /usr/local/src root# wget http://mirrors.isc.org/pub/apache/httpd/httpd-2.2.8.tar.gz
 /usr/local/src root# tar xzf httpd-2.2.8.tar.gz

At this point, you need to check the integrity. There as two ways to do this. First, is by calculating the MD5 sum of the source and comparing it to the signature file. Mac OS X users, please note use the command /sbin/md5 instead of md5sum.

 /usr/local/src root# md5sum httpd-2.2.8.tar.gz
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

 /usr/local/src root# wget -O - -q http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.md5
39a755eb0f584c279336387b321e3dfc  httpd-2.2.8.tar.gz

The second method, uses public-key cryptography to verify the integrity of the files. This is more complicated, but more secure. The MD5 sums can be circumvented if an intruder compromises the main distribution site and replaces the signature files. Using public-key cryptography can be done using GnuPG, the free software version of the OpenPGP. Most Unix systems has it installed by default. The installation is fairly straight forward, no matter what OS you are using:

1. Install GnuPG. For Mac OS X, you would want to install Mac GnuPG. For Windows, you will need WinPT.
2. Optionally, under Unix you might want to install a graphical front-end for GnuPG.
3. Generate a pair of keys.

Apache developers use their cryptographic keys to sign the distributions digitally. We are going to download the PGP signature, fetch the GnuPG unique key ID (DE885DD3), and then check the signature.

 /usr/local/src root# wget http://www.apache.org/dist/httpd/httpd-2.2.8.tar.gz.asc
 /usr/local/src root# gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker " imported
gpg: Total number processed: 1
gpg:               imported: 1

 /usr/local/src root# gpg httpd-2.2.8.tar.gz.asc
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker "
gpg:                 aka "Sander Striker "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3

 /usr/local/src root# gpg --fingerprint DE885DD3
pub  1024D/DE885DD3 2002-04-10 Sander Striker 
     Key fingerprint = 4C1E ADAD B4EF 5007 579C  919C 6635 B6C0 DE88 5DD3
uid                            Sander Striker 
sub  2048g/532D14CA 2002-04-10

To verify DE885DD3 was created by the real Sander Striker, download public keys for the Apache HTTP Server developers from the Apache HTTP Server Project website. Officially, you should validate by face-to-face communication with multiple government-issued photo identification confirmations. Trust can be a complicated issue. For more information on determining what level of trust, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.

Let us get back to compiling Apache.

 /usr/local/src root# cd httpd-2.2.8
 /usr/local/src/httpd-2.2.8 root# ./configure --prefix=/usr/local/apache
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

There is more to be done. The above configuration was to help in determining the Apache modules that are compiled be default. The following modules, should not be used unless needed:

The following modules will be require for use with later postings. If you are sure you do not need theses modules, do not include them, and make sure not to include them in the below configuration.

To determine which modules would be installed by default, issue the following command.

 /usr/local/src/httpd-2.2.8 root# ./httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Now, we are going to change the modules that get installed. We are going to add Secure Sockets Layer (SSL) support with the “–enable-ssl” switch. In a later post, we will discuss how to use this cryptographic protocols to provide secure communications between clients and our web browser. Unless you are sure you do not want SSL support, include the “–enable-ssl” switch.

For folks compiling on Mac OS X 10.5, the “–enable-ssl” switch will give you problems. As of this writing, Leopard is using OpenSSL version 0.9.71 from September 2006. There have been some changes made since then. You could upgrade, but as mentioned before, you do not know what installed software is dependent on that library. It would be nice if Apple had upgraded with the release of a new OS, but you have to play the cards Steve Jobs has dealt. The MacPorts Project have the latest version of OpenSSL, 0.9.8g from October 2007. In order to get Apache to compile, I would recommend using the most recent OpenSSL library. If you need help with MacPorts, please see my posting “MacPorts Under Mac OS X Leopard.” Special Mac OS X installation instruction follow.

For non Mac OS X operating systems, do the following to configure, compile and install Apache:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
./configure --prefix=/usr/local/apache \
--enable-rewrite \
--enable-so \
--disable-imap \
--disable-userdir --with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

For Mac OS X, you need to tell the compiler which libraries to use so the more recent OpenSSL is used. Do that with the following commands:

 /usr/local/src/httpd-2.2.8 root# make clean
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache
 /usr/local/src/httpd-2.2.8 root# CC=gcc \
CFLAGS="-O3 -fno-omit-frame-pointer" \
LDFLAGS="-L/opt/local/lib -L/usr/lib" \
./configure --prefix=/usr/local/apache --enable-rewrite \
--enable-so --disable-imap --disable-userdir \
--with-mpm=worker --enable-ssl
 /usr/local/src/httpd-2.2.8 root# make
 /usr/local/src/httpd-2.2.8 root# make install

Configuration

It is time to configure and make the Apache server more secure. Ivan Ristic have made available “Chapter 2: Installation and configuration.” Follow the chapter, do not just copy. For demonstration purposes, I’ll be using what is written in that chapter to configure the Apache web server. There are various configuration options and you want to configure the server for your environment. It is very important to understand what is contained in your configuration file.

Create the user and group httpd, from which the Apache web server will run. Under most versions of Unix (not Mac OS X), this is a simple matter of executing the following commands:

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# /usr/sbin/groupadd httpd
 /usr/local/apache root# /usr/sbin/useradd httpd -g httpd -d /dev/null -s /sbin/nlogin

Under Mac OS X, there is no groupadd or useradd command. Things are always more interesting under Mac OS X. Prior to Leopard (10.5), you would have to determine which group ids (gid) have been used, choose an unused gid, and then create the httpd group using that gid. This would be accomplished with the commands:

 root# nireport . /groups gid name
 root# nicl . -create /groups/httpd
 root# nicl . -append /groups/httpd unique-gid
 root# nicl . -append /groups/httpd passwd "*"
 root# nireport . /groups gid name

Once creating the group, you would need to create a new user by finding an unused uid, create the user, fill in the user attributes, add a password, create a home area, and finally set permissions. This would be accomplished with the commands:

 root# nireport / /users name uid
 root# niutil -create / /users/httpd
 root# niutil -createprop / /users/httpd uid uid-from-above
 root# niutil -createprop / /users/httpd gid gid-from-above
 root# niutil -createprop / /users/httpd realname "Web Server"
 root# niutil -createprop / /users/httpd home "/dev/null"
 root# niutil -createprop / /users/httpd shell "/sbin/nologin"
 root# niutil -createprop / /users/httpd passwd "*"

NetInfo, the system configuration database, no longer exists in Mac OS X 10.5 (Leopard). The entire structure for managing local users, groups, and other such things has been completely replaced by Local Directory Services. In Leopard, the DirectoryService daemon does the job of the DirectoryService, lookupd, and the memberd daemons. Please see previous posting, “Backing Up Using Amanda on Mac OS X Leopard Part I” for additional details. There is now a command line utility dscl to perform some advanced functions formerly covered by NetInfo Manager. Creating the group httpd and user httpd would be done with the following commands:

 root# dscl . list /groups PrimaryGroupID | sort -k 2,2 -n
 root# dscl . create /groups/httpd gid gid-of-httpd
 root# dscl . create /groups/httpd passwd '*'
 root# dscl . read /groups/httpd
AppleMetaNodeLocation: /Local/Default
Password: *
PrimaryGroupID: gid-of-httpd
RecordName: httpd
RecordType: dsRecTypeNative:groups

 root# dscl . list /users UniqueID | sort -k 2,2 -n
 root# dscl localhost -create /Local/Default/Users/httpd
 root# dscl localhost -create /Local/Default/Users/httpd RecordName httpd
 root# dscl localhost -create /Local/Default/Users/httpd UserShell /sbin/nologin
 root# dscl localhost -create /Local/Default/Users/httpd RealName "Web Server"
 root# dscl localhost -create /Local/Default/Users/httpd UniqueID a-unique-uid
 root# dscl localhost -create /Local/Default/Users/httpd PrimaryGroupID gid-of-httpd
 root# dscl localhost -create /Local/Default/Users/httpd NFSHomeDirectory /dev/null
 root# dscl . read /users/httpd
AppleMetaNodeLocation: /Local/Default
GeneratedUID: generated-unique-id
NFSHomeDirectory: /dev/null
PrimaryGroupID: gid-of-httpd
RealName:
 Web Server
RecordName: httpd
RecordType: dsRecTypeNative:users
UniqueID: a-unique-uid
UserShell: /sbin/nologin

As part of the installation, the file /usr/local/apache/conf/httpd.conf is created. Move that configuration for safe keeping and start with an empty configuration file. Add the required functionality to ensure only the needed directives and modules are included. Also, adjust file permissions. Mac OS X users note that there is no group “root.” Please use the group “admin” instead.

 /usr/local/src/httpd-2.2.8 root# cd /usr/local/apache
 /usr/local/apache root# mv /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.orig
 /usr/local/apache root# chown -R root:root /usr/local/apache
 /usr/local/apache root# find /usr/local/apache -type d | xargs chmod 755
 /usr/local/apache root# find /usr/local/apache -type f | xargs chmod 644
 /usr/local/apache root# chmod u+x  /usr/local/apache/bin/*
 /usr/local/apache root# mkdir -p /var/www/logs
 /usr/local/apache root# mv /usr/local/apache/htdocs /var/www/htdocs
 /usr/local/apache root# find /var/www/ -type d | xargs chmod 755
 /usr/local/apache root# find /var/www/ -type f | xargs chmod 644
 /usr/local/apache root# chmod -R go-r /usr/local/apache/conf
 /usr/local/apache root# chmod -R go-r /usr/local/apache/logs
 /usr/local/apache root# chmod -R go-r /var/www/logs
 /usr/local/apache root# vi /usr/local/apache/conf/httpd.conf

Create a configuration file /usr/local/apache/conf/httpd.conf similar to the following file (adjust to your requirements):

# Location of the web server files
ServerRoot /usr/local/apache
# Location of the wev server tree
DocumentRoot /var/www/htdocs
# Listen on which port
Listen 80
# Store the PID of the main Apache process
PidFile /var/www/logs/httpd.pid
# Do not enables DNS lookups on client IP addresses
HostNameLookups Off
#
User httpd
Group httpd
# Deny access to the complete filesystem and then allow access
# to the document root.
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
# Enable CGI Scripts
<Directory /var/www/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory>
# Logging
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/www/logs/access_log combined
LogLevel info
ErrorLog /var/www/logs/error_log
# Setting Server Configuration Limits
# wait up to 300 seconds for slow clients
TimeOut 60
# allow connections to be reused between requests
KeepAlive On
# allow a maximum of 100 requests per connection
MaxKeepAliveRequests 100
# wait up to 15 seconds for the next
# request on an open connection
KeepAliveTimeout 15
# impose no limits on the request body
LimitRequestBody 64000
# allow up to 100 headers in a request
LimitRequestFields 100
# each header may be up to 8190 bytes long
LimitRequestFieldsize 8190
# the first line of the request can be
# up to 8190 bytes long
LimitRequestLine 8190
# limit the XML request body to 1 million bytes(Apache 2.x only)
LimitXMLRequestBody 1000000
# the maximum number of processes
ServerLimit 16
# how many processes to start with
StartServers 2
# how many threads per process to create
ThreadsPerChild 25
# minimum spare threads across all processes
MinSpareThreads 25
# maximum spare threads across all processes
MaxSpareThreads 75
# maximum clients at any given time
MaxClients 150
# Preventing Information Leaks
ServerSignature Off
ServerTokens ProductOnly
<FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
Order Allow,Deny
Deny from all
</FilesMatch>

At this point, you are ready to bring up the Apache web server. Clean up any unnecessary files.

 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/cgi-bin
 /usr/local/src/httpd-2.2.8 root# /bin/rm -r /usr/local/apache/manual
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl configtest
 /usr/local/src/httpd-2.2.8 root# /usr/local/apache/bin/apachectl start

If you have any problems, take a look at /var/www/logs/error_log. This is a very basic and clean Apache web server configuration. It is a starting point from which we will build upon in future postings.

Conclusion

I started this post with a quote from William Faulkner concerning how “only when the clock stops does time come to life.” Or if you prefer the despair.com quote, “Get to work: You aren’t being paid to believe in the power of your dreams.” I’ll be honest with you, doing a post on Apache implementation is not my idea of an exciting post. I would much rather jump ahead and start talking about securing web applications at a higher level. Sometimes, one has to build up to the more exciting stuff in order to demonstrate that one is not just selling pipe dreams with no real way to make those ideas a reality. That is the difference between science and science fiction. Bernard of Chartres once wrote, “We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients.” Only the hard work of the ancients has allowed us to see further and dream bigger. At some point, to make those dreams a reality, getting to work in the annoying details of life is a requirement.