Showing posts with label http. Show all posts

Friday, October 07, 2011

Just patched Apache HTTP Server 2.2.21

Nothing special. I reviewed the Apache HTTP Server mod_proxy reverse proxy issue [Reverse proxy feature (mod_proxy) has a new vulnerability] and "Patch is available for 2.2.21". I was just curious to patch Apache HTTP Server (from source), and then...
# /usr/local/apache/bin/httpd -v
Server version: Apache/2.2.21 (Unix)
Server built: Sep 30 2011 22:54:45
*** Go to Source ***
# cd httpd-2.2.21
# cat config.nice
#! /bin/sh
#
# Created by configure

"./configure" \
"--prefix=/usr/local/apache" \
"--enable-unique-id" \
"--with-included-apr" \
"$@"
*** Download patch for 2.2.21 at http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ ***
# wget http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
--2011-10-07 02:33:18-- http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
Resolving www.apache.org... 140.211.11.131
Connecting to www.apache.org|140.211.11.131|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1123 (1.1K)
Saving to: CVE-2011-3368.patch

100%[======================================>] 1,123 --.-K/s in 0s
2011-10-07 02:33:19 (34.7 MB/s) - CVE-2011-3368.patch

# ls -l CVE-2011-3368.patch
-rw-r--r--. 1 root root 1123 Oct 5 21:27 CVE-2011-3368.patch

# cat CVE-2011-3368.patch
SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI.

http://svn.apache.org/viewvc?rev=1179239&view=rev

--- httpd-2.2.21/server/protocol.c
+++ httpd-2.2.21/server/protocol.c
@@ -640,6 +640,25 @@

ap_parse_uri(r, uri);

+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
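Review bot: the rejection branch sets r->status = HTTP_BAD_REQUEST but does not return, so execution falls through into the `if (ll[0])` protocol-version parsing with a request-URI the hunk has just declared invalid; the fix therefore depends on the caller checking r->status before the request reaches any handler or rewrite rule, which is worth confirming and stating in the comment. Also, r->uri is reset to a copy of the raw request-URI, so nothing downstream may assume that r->uri starts with '/' or that r->parsed_uri and r->uri still agree once this branch has run.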
*** Patch Apache HTTP Server source and recompile + reinstall it ***
# patch -p1 < CVE-2011-3368.patch
patching file server/protocol.c

# ls -la server/protocol.c
-rw-r--r--. 1 root cgred 57874 Oct 7 02:35 server/protocol.c

# make clean
# make
# /usr/local/apache/bin/apachectl stop
# make install
# /usr/local/apache/bin/httpd -v
Server version: Apache/2.2.21 (Unix)
Server built: Oct 7 2011 02:59:09

# /usr/local/apache/bin/apachectl start
*** Check the log files and make sure there are no errors ***
Remark:
patch is a shell command that takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.
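To make the rule in the patch concrete, here is an added example (mine, not code from the post or from httpd) that reimplements the request-URI check in Python and runs it over a few constructed request lines, one per Request-URI form named in the patch comment. The scheme test approximates ap_parse_uri, which only recognises a scheme when the URI starts with `scheme://`; the function and sample names are my own.

```python
"""Re-implementation of the request-URI validation added by CVE-2011-3368.patch.

Added example, not httpd code: ap_parse_uri is approximated by a regex that
only recognises a scheme when the URI starts with "<scheme>://", which is how
apr_uri_parse decides it (anything else is treated as a path).
"""
import re

_SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')

# Constructed request lines covering each Request-URI form from RFC 2616.
SAMPLE_REQUEST_LINES = [
    'GET / HTTP/1.1',                          # abs_path
    'OPTIONS * HTTP/1.1',                      # "*"
    'GET http://www.example.com/ HTTP/1.1',    # absoluteURI (proxy request)
    'CONNECT www.example.com:443 HTTP/1.1',    # authority, legal for CONNECT only
    'GET www.example.com/ HTTP/1.0',           # authority-like URI on a non-CONNECT method
    'GET ?a=1 HTTP/1.1',                       # neither abs_path nor absoluteURI
    'GET *foo HTTP/1.1',                       # '*' must be the whole URI
]


def request_uri_is_valid(method: str, uri: str) -> bool:
    """Mirror the patched check in server/protocol.c.

    Accept when the method is CONNECT, the URI carries a scheme, begins
    with '/', or is exactly '*'; everything else gets a 400 in httpd.
    """
    if method == 'CONNECT':
        return True                       # authority form is the normal case here
    if _SCHEME_RE.match(uri):
        return True                       # absoluteURI
    if uri.startswith('/'):
        return True                       # abs_path
    if uri == '*':
        return True                       # server-wide OPTIONS
    return False


def classify_request_line(line: str) -> dict:
    """Split a request line and report whether the patched httpd would reject it."""
    parts = line.split(' ')
    if len(parts) != 3:
        return {'line': line, 'rejected': True, 'reason': 'malformed request line'}
    method, uri, version = parts
    ok = request_uri_is_valid(method, uri)
    return {
        'line': line, 'method': method, 'uri': uri, 'version': version,
        'rejected': not ok,
        'reason': None if ok else 'invalid request-URI',   # the patch's log text
    }


def audit_request_lines(lines=SAMPLE_REQUEST_LINES) -> list:
    """Classify every line; returns the list of result dicts."""
    return [classify_request_line(line) for line in lines]


if __name__ == '__main__':
    for r in audit_request_lines():
        print(('400 ' if r['rejected'] else 'ok  ') + r['line'])
```

The fifth line is the shape the patch exists to stop: a scheme-less URI that does not start with '/', which before the fix could be expanded by a proxy rewrite pattern; after the fix httpd logs "invalid request-URI" and answers 400.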

Saturday, October 01, 2011

Install ModSecurity CRS

I posted Deploy modsecurity-apache in Apache HTTP. I am interested in the ModSecurity Core Rule Set as well. How to install it?
*** Make sure modsecurity-apache was deployed in Apache HTTP before ***

The conf/httpd.conf file should already have ...
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
- Download ModSecurity Core Rule Set
- Install it *** read the INSTALL file first ***
# ls modsecurity-crs_2.2.2.tar.gz
# tar zxvf modsecurity-crs_2.2.2.tar.gz
# mv modsecurity-crs_2.2.2 /usr/local/apache/conf/crs
# cd /usr/local/apache/conf/crs/
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
# for f in `ls base_rules/` ; do ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
# for f in `ls optional_rules/ | grep comment_spam` ; do ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
# ls -l activated_rules
- Modify conf/httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/activated_rules/*.conf
</IfModule>
- Modify conf/crs/modsecurity_crs_10_config.conf so that rules only log while you tune them, rather than block:
SecRuleEngine DetectionOnly
- Restart Apache HTTP
# /usr/local/apache/bin/apachectl restart
# ps -aef | grep http
root 21240 1 1 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21241 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21242 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21243 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21244 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21245 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
- Test: browse to http://192.168.1.35 and then check the logs/error_log file.
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Host header is a numeric IP address"] [hostname "192.168.1.35"] [uri "/index.html"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/index.html"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
- Test more: add to conf/crs/modsecurity_crs_10_config.conf a rule that switches the engine to blocking mode for one test client only:
SecRule REMOTE_ADDR "@ipMatch 192.168.1.91" "phase:1,t:none,nolog,pass,ctl:ruleEngine=On,setvar:tx.regression_testing=1"
Browse to http://192.168.1.35 again and check the logs/error_log file once more.
[Sat Oct 01 01:05:10 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:10 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYEy8CoASgAAFnDDqsAAAAA"]
[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYEy8CoASgAAFnDDqsAAAAA"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:28 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:28 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
In the browser: "403 Forbidden". Rule 960017 (Host header is a numeric IP address) fires because the test browses by IP address; with ctl:ruleEngine=On for 192.168.1.91 it now blocks instead of only warning. The "Unable to retrieve collection" / "Unable to store collection" errors mean SecDataDir is not set; the ip and global collections need that directory to persist.
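Tuning the CRS in DetectionOnly mode means reading a lot of lines like the ones above. The following is an added example (mine, not the post's or the CRS's code) that parses the bracketed key/value fields ModSecurity writes to error_log, groups them per unique_id, separates warnings from blocks, and flags the "Use SecDataDir" messages as a configuration problem rather than a rule hit. The sample lines are abridged copies of the entries shown above; the function names are my own.

```python
"""Parse ModSecurity entries from the Apache error_log and summarise per transaction.

Added example (mine, not the post's or CRS code). The sample lines are abridged
copies of the entries shown in the post.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    r'[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]',
    r'[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]',
    r'[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Host header is a numeric IP address"] [hostname "192.168.1.35"] [uri "/index.html"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]',
    r'[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYEy8CoASgAAFnDDqsAAAAA"]',
]

_PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<msg>.*)$')
# One bracketed key/value pair; the value may contain backslash-escaped quotes.
_FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line: str):
    """Return a dict for a ModSecurity error_log entry, or None for other lines."""
    m = _PREFIX_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    fields, tags = {}, []
    for key, value in _FIELD_RE.findall(msg):
        if key == 'tag':
            tags.append(value)            # tags repeat, keep them all
        else:
            fields[key] = value
    text = msg.split(' [', 1)[0]          # free text before the first field
    if text.startswith('Access denied'):
        action = 'blocked'
    elif text.startswith('Warning'):
        action = 'warning'                # what DetectionOnly produces
    else:
        action = 'other'                  # engine/config messages
    return {'timestamp': m.group('ts'), 'client': m.group('client'),
            'action': action, 'text': text, 'fields': fields, 'tags': tags}


def summarize(lines):
    """Group entries by unique_id: which rules fired, whether anything was
    blocked, and which entries are configuration errors rather than rule hits."""
    by_tx = defaultdict(lambda: {'client': None, 'uris': set(), 'blocked': False,
                                 'rules': [], 'config_errors': set()})
    for line in lines:
        entry = parse_modsec_line(line)
        if entry is None:
            continue
        tx = by_tx[entry['fields'].get('unique_id', '<no unique_id>')]
        tx['client'] = entry['client']
        if 'uri' in entry['fields']:
            tx['uris'].add(entry['fields']['uri'])
        if entry['action'] == 'blocked':
            tx['blocked'] = True
        if 'id' in entry['fields']:
            tx['rules'].append((entry['fields']['id'],
                                entry['fields'].get('severity', ''),
                                entry['fields'].get('msg', '')))
        if 'Use SecDataDir' in entry['text']:
            tx['config_errors'].add('SecDataDir not set: ip/global collections cannot persist')
    return dict(by_tx)


if __name__ == '__main__':
    for uid, tx in summarize(SAMPLE_LINES).items():
        print(uid, tx['client'], 'BLOCKED' if tx['blocked'] else 'logged',
              [r[0] for r in tx['rules']], sorted(tx['config_errors']))
```

The grouping by unique_id is what makes the output readable: the 960017 hit and the 981203 anomaly-score correlation belong to the same request, and a single 403 per transaction is what you should expect once ruleEngine is On.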

Related Post:
Deploy modsecurity-apache in Apache HTTP

Friday, September 30, 2011

Deploy modsecurity-apache in Apache HTTP

I have some free time to learn something new. I read about ModSecurity and got interested in it, so I wanted to install ModSecurity for Apache. It is a native implementation of a web application firewall, working as an Apache module. Both major Apache branches are supported.

I just deployed modsecurity-apache in Apache HTTP 2.2. Download modsecurity-apache.
In this post I used Apache HTTP 2.2.21 (built from source).
*** ModSecurity 2.x works with Apache 2.0.x or later ***
# ls httpd-2.2.21.tar.bz2
httpd-2.2.21.tar.bz2
# tar jxvf httpd-2.2.21.tar.bz2
# cd httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-unique-id --with-included-apr
*** mod_unique_id must be built in (--enable-unique-id); ModSecurity uses it for the unique_id it writes to its logs ***
# make
# make install
*** make sure the pcre-devel, apr-devel, libxml2-devel, libcurl-devel and expat-devel packages are installed ***
- Deploy modsecurity-apache
# ls modsecurity-apache_2.6.1.tar.gz
modsecurity-apache_2.6.1.tar.gz
# tar zxvf modsecurity-apache_2.6.1.tar.gz
# cd modsecurity-apache_2.6.1
# ./configure --with-apxs=/usr/local/apache/bin/apxs --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config
# make
# make CFLAGS=-DMSC_TEST test
# make mlogc
# make install
- Check mod_security2.so file
# ls /usr/local/apache/modules/mod_security2.so
/usr/local/apache/modules/mod_security2.so
- Modify httpd.conf file.
A. Load libxml2 and lua5.1
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
B. Load the ModSecurity module
LoadModule security2_module modules/mod_security2.so
C. Demo of the audit engine (SecAuditEngine)
SecAuditEngine On
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLogStorageDir logs/audit
SecAuditLogRelevantStatus ^(?:5|4(?!04))
*** read more in the modsecurity-apache_2.6.1/doc/Reference_Manual.html file. Note that with SecAuditEngine On every transaction is written to the audit log; SecAuditLogRelevantStatus only takes effect with SecAuditEngine RelevantOnly ***

- Start Apache and test
# /usr/local/apache/bin/apachectl start
In the /usr/local/apache/logs/error_log file:
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: PCRE compiled version="7.8"; loaded version="5.0 13-Sep-2004"
[Fri Sep 30 23:19:47 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Fri Sep 30 23:19:48 2011] [notice] Apache/2.2.21 (Unix) configured -- resuming normal operations
Test the audit engine: open a browser at http://192.168.1.35. (Also note the warning above: mod_security2 was compiled against PCRE 7.8 but httpd loaded PCRE 5.0 at runtime; the two should be brought into line before relying on the rules.)
Check: /usr/local/apache/logs/audit/audit.log
--4aef2215-A--
[30/Sep/2011:23:20:38 +0700] ToXsVsCoASgAAE3BE10AAAAB 192.168.1.91 54316 192.168.1.35 80
--4aef2215-B--
GET /favicon.ico HTTP/1.1
Host: 192.168.1.35
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--4aef2215-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 30 Sep 2011 16:20:24 GMT
ETag: "7202-0-4ae2b00a92976"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/x-icon

--4aef2215-H--
Stopwatch: 1317399638159608 16789 (- - -)
Stopwatch2: 1317399638159608 16789; combined=46, p1=0, p2=0, p3=0, p4=0, p5=44, sr=0, sw=2, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/).
Server: Apache/2.2.21 (Unix)

--4aef2215-Z--
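The audit log above is in the serial format selected by SecAuditLogType Serial: each part begins with a `--<boundary>-<letter>--` line and the parts chosen in SecAuditLogParts follow in order (A audit header, B request headers, F final response headers, H trailer, Z end of transaction). As an added example (mine, not ModSecurity's code) here is a parser for that format together with the `^(?:5|4(?!04))` status test from the configuration above; the sample transaction is the one shown in the post, and split_audit_log / parse_transaction are my own names. The 200 transaction above was written only because SecAuditEngine is On; under SecAuditEngine RelevantOnly the status regex would have skipped it.

```python
"""Parser for the ModSecurity serial audit log (SecAuditLogType Serial).

Added example, not ModSecurity code. The sample transaction is the one shown
in the post; split_audit_log and parse_transaction are constructed names.
"""
import re

# The post's SecAuditLogRelevantStatus: 5xx and 4xx except 404.
RELEVANT_STATUS_RE = re.compile(r'^(?:5|4(?!04))')


def is_relevant_status(status: int) -> bool:
    """True when a status code would be audited under SecAuditEngine RelevantOnly."""
    return RELEVANT_STATUS_RE.match(str(status)) is not None


SAMPLE_AUDIT_LOG = """--4aef2215-A--
[30/Sep/2011:23:20:38 +0700] ToXsVsCoASgAAE3BE10AAAAB 192.168.1.91 54316 192.168.1.35 80
--4aef2215-B--
GET /favicon.ico HTTP/1.1
Host: 192.168.1.35
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1

--4aef2215-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 30 Sep 2011 16:20:24 GMT
Content-Length: 0
Content-Type: image/x-icon

--4aef2215-H--
Stopwatch: 1317399638159608 16789 (- - -)
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/).
Server: Apache/2.2.21 (Unix)

--4aef2215-Z--
"""

# Part separator: --<hex boundary>-<part letter>-- on a line of its own.
_BOUNDARY_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$', re.MULTILINE)


def split_audit_log(text: str) -> dict:
    """Return {boundary: {part_letter: body}} for every transaction in text."""
    marks = list(_BOUNDARY_RE.finditer(text))
    transactions = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end].strip('\n')
        transactions.setdefault(m.group(1), {})[m.group(2)] = body
    return transactions


def _parse_headers(block: str):
    """Split an HTTP message head into (first line, {lower-cased name: value})."""
    lines = block.split('\n')
    headers = {}
    for raw in lines[1:]:
        if not raw.strip():
            break
        name, _, value = raw.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_transaction(parts: dict) -> dict:
    """Pull the fields a reviewer wants out of parts A, B and F."""
    # A: "[timestamp tz] unique_id src_ip src_port dst_ip dst_port"
    a = parts['A'].split()
    request_line, req_headers = _parse_headers(parts['B'])
    method, uri, version = request_line.split(' ', 2)
    status = None
    if 'F' in parts:
        status_line, _ = _parse_headers(parts['F'])
        status = int(status_line.split(' ', 2)[1])
    return {
        'timestamp': a[0][1:] + ' ' + a[1][:-1],
        'unique_id': a[2],
        'client': (a[3], int(a[4])),
        'server': (a[5], int(a[6])),
        'method': method, 'uri': uri, 'version': version,
        'headers': req_headers,
        'status': status,
        'relevant': status is not None and is_relevant_status(status),
    }


if __name__ == '__main__':
    for boundary, parts in split_audit_log(SAMPLE_AUDIT_LOG).items():
        tx = parse_transaction(parts)
        print(boundary, tx['unique_id'], tx['client'][0], tx['method'], tx['uri'],
              tx['status'], 'relevant' if tx['relevant'] else 'not relevant')
```

Part C (request body) and E (response body) are absent here because the post's SecAuditLogParts is ABCFHZ and this GET carried no body; the parser simply does not see those letters, so the same code works for transactions that do include them.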
That's how simple it is to deploy modsecurity-apache in Apache HTTP.

Wednesday, April 01, 2009

How to install HTTP Server + PHP + InstantClient


1. Software.

- HTTP Server http://httpd.apache.org/
httpd-2.2.11.tar.gz

- PHP http://www.php.net/downloads.php
php-5.2.9.tar.gz (oci8 1.2.5)

- OCI8 (if need new OCI8 version) http://pecl.php.net/package/oci8/download/
oci8-1.3.5.tgz

- InstantClient http://www.oracle.com/technology/software/tech/oci/instantclient/index.html
basic-11.1.0.70-linux-x86_64.zip
sdk-11.1.0.7.0-linux-x86_64.zip

2. Install the software
- InstantClient (on /oracle/instantclient_11_1 PATH)
$ mkdir /oracle

$ cd /oracle

$ unzip SOURCE/basic-11.1.0.70-linux-x86_64.zip
Archive: SOURCE/basic-11.1.0.70-linux-x86_64.zip
inflating:
instantclient_11_1/BASIC_README
.
.
.

$ unzip SOURCE/sdk-11.1.0.7.0-linux-x86_64.zip
Archive: SOURCE/sdk-11.1.0.7.0-linux-x86_64.zip
creating:
instantclient_11_1/sdk/
.
.
.

$ ls
instantclient_11_1

$ cd instantclient_11_1

### create symbolic links ###

$ ln -s libclntsh.so.11.1 libclntsh.so

$ ln -s libocci.so.11.1 libocci.so

- Install HTTP Server (Increase DEFAULT_SERVER_LIMIT > 256)
$ cd SOURCE

$ tar zxvf httpd-2.2.11.tar.gz
httpd-2.2.11/
.
.
.

$ cd httpd-2.2.11

### increase the prefork default server limit above 256 ###

$ vi server/mpm/prefork/prefork.c
#define DEFAULT_SERVER_LIMIT 256 => #define DEFAULT_SERVER_LIMIT 1024
$ ./configure --prefix=/usr/local/apache --with-config-file-path=/usr/local/apache/conf --enable-ssl

$ make

$ su

# make install

- Install PHP (with the new oci8)
$ cd SOURCE

$ tar zxvf oci8-1.3.5.tgz
.
.
.

$ tar zxvf php-5.2.9.tar.gz
php-5.2.9/
.
.
.

$ cd php-5.2.9

### switch to the new oci8 ###

$ mv ext/oci8 ext/oci8-old

$ mv ../oci8-1.3.5 ext/oci8

$ ./configure --prefix=/usr/local/apache --with-config-file-path=/usr/local/apache/conf \
--with-oci8=share,instantclient,/oracle/instantclient_11_1 --enable-sigchild \
--with-apxs2=/usr/local/apache/bin/apxs --disable-cli --disable-cgi

$ make

$ su

# make install

3. Configure HTTP Server and related settings.
- Add some environment variables to the /usr/local/apache/bin/apachectl file (after the ARGV line):
#
ARGV="$@"
#
export ORACLE_HOME=/oracle/instantclient_11_1
export NLS_LANG=AMERICAN_AMERICA.TH8TISASCII
export TNS_ADMIN=/oracle/instantclient_11_1

- Modify the /usr/local/apache/conf/httpd.conf file to handle the .php type.

AddType application/x-httpd-php .php

- Modify other settings in the /usr/local/apache/conf/httpd.conf file.

Example:
ServerName server.domain.com
ServerAdmin admin@domain.com
User oracle
Group dba
.
.
.
(Running httpd as User oracle / Group dba hands the web server the Oracle software owner's OS privileges, and on a host that also runs a database the dba group is typically the OSDBA group that grants SYSDBA through OS authentication; a dedicated unprivileged user that can only read the Instant Client files is the safer choice.)

- Harden the HTTP Server a little.
Example (uncomment "Include conf/extra/httpd-default.conf" in the /usr/local/apache/conf/httpd.conf file first):

ServerTokens Prod
ServerSignature Off
.
.
.

4. Create the tnsnames.ora file (it must live in the TNS_ADMIN directory set for the HTTP Server above).
Example: /oracle/instantclient_11_1/tnsnames.ora (because TNS_ADMIN=/oracle/instantclient_11_1)

DB =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db_host)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = DB)
    )
  )


5. Start HTTP Server (as root).
# /usr/local/apache/bin/apachectl start


### write a PHP script that connects to the Oracle DB and test it under /usr/local/apache/htdocs (the default DocumentRoot) ###

refer: http://docs.google.com/Doc?id=dhg2wncg_12ddc9f3tn

Tuesday, July 22, 2008

Apache HTTP Log + X-Forwarded-For

We run Apache HTTP behind an F5 application firewall (or any other reverse proxy).

F5 IP = 10.0.0.1
Client = 100.100.100.100

So when we check the common log, we find

10.0.0.1 - - [22/Jul/2008:11:33:15 +0700] "GET /index.html HTTP/1.1" 304 -


which doesn't show the client's IP; it shows the F5's IP.

httpd.conf file:

LogFormat "%h %l %u %t \"%r\" %>s %b" common

We need the X-Forwarded-For request header, which the F5 adds with the original client address, in the Apache log.

So, modify the httpd.conf file:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" common

Check the access_log (common) again:

10.0.0.1 - - [22/Jul/2008:11:41:49 +0700] "GET /index.html" 200 1685 "100.100.100.100"
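X-Forwarded-For is an ordinary request header: any client can send one, and a proxy normally appends its peer's address to an existing value rather than replacing it, so the logged string is only trustworthy when %h is the F5 itself, and then only for the rightmost address that is not one of your own proxies. As an added example (mine, not from the post) here is a parser for the LogFormat above that applies that rule; the trusted-proxy set holds 10.0.0.1, the F5 from the post, while the other addresses in the sample lines and the function names are constructed.

```python
"""Recover the real client address from an access log with X-Forwarded-For.

Added example, not from the post. TRUSTED_PROXIES (10.0.0.1, the F5 in the
post) is an assumption; the other addresses in SAMPLE_LOG are constructed.
"""
import ipaddress
import re

# Only the proxies we operate get to speak for the client.
TRUSTED_PROXIES = [ipaddress.ip_network('10.0.0.1/32')]

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" from the post.
_LOG_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] "(?P<r>[^"]*)" '
    r'(?P<s>\d{3}) (?P<b>\S+)(?: "(?P<xff>[^"]*)")?$')

SAMPLE_LOG = [
    # the post's own line: request arrived via the F5
    '10.0.0.1 - - [22/Jul/2008:11:41:49 +0700] "GET /index.html" 200 1685 "100.100.100.100"',
    # constructed: someone reached httpd directly and forged the header
    '203.0.113.7 - - [22/Jul/2008:11:42:03 +0700] "GET /admin HTTP/1.1" 403 211 "100.100.100.100"',
    # constructed: client sent its own XFF, the F5 appended the address it saw
    '10.0.0.1 - - [22/Jul/2008:11:42:10 +0700] "GET /index.html HTTP/1.1" 200 1685 "198.51.100.9, 100.100.100.100"',
    # constructed: the F5 forwarded a request that carried no header
    '10.0.0.1 - - [22/Jul/2008:11:42:15 +0700] "GET /index.html HTTP/1.1" 200 1685 "-"',
]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_host: str, xff) -> tuple:
    """Return (client_ip, reason).

    X-Forwarded-For is believed only when the TCP peer (%h) is a trusted
    proxy, and then only the rightmost hop that is not itself a trusted
    proxy: that is the address the proxy actually saw. Anything to the left
    was supplied by the client and may be forged.
    """
    if not _is_trusted(remote_host):
        return remote_host, 'peer is not a trusted proxy; X-Forwarded-For ignored'
    if not xff or xff == '-':
        return remote_host, 'trusted proxy sent no X-Forwarded-For'
    hops = [h.strip() for h in xff.split(',') if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue                      # one of ours, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_host, 'malformed X-Forwarded-For entry %r' % hop
        return hop, 'rightmost untrusted hop of X-Forwarded-For'
    return remote_host, 'X-Forwarded-For contains only trusted proxies'


def parse_access_log_line(line: str):
    """Parse one line of the post's LogFormat and attach the resolved client IP."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry.pop('s'))
    entry['client_ip'], entry['client_ip_reason'] = real_client_ip(entry['h'], entry['xff'])
    return entry


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        e = parse_access_log_line(line)
        print(e['client_ip'].ljust(16), e['status'], e['r'], '#', e['client_ip_reason'])
```

The second sample line is the case that matters for incident response: the attacker bypassed the F5 and wrote a plausible address into the header, and any analysis that blindly takes the last log field would attribute the request to 100.100.100.100 instead of 203.0.113.7. Blocking direct access to httpd from anywhere but the F5 removes that case entirely.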

...
Enjoy!