HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   Disabling HTTP TRACE / TRACK in all virtual host (http://www.howtoforge.com/forums/showthread.php?t=20371)

rdike 13th February 2008 00:55

Disabling HTTP TRACE / TRACK in all virtual host
 
Is there a standard place to put the rewrite conditions so that all of the virtual hosts are covered and/or so that new virtual hosts are covered automatically?

Background:
We just had a security audit and one of the few things that they found was that our ispconfig server allowed HTTP TRACE and HTTP TRACK methods. We need to disable them. 'mod_rewrite' is already part of the standard ispconfig configuration so we just need to add the following

...
# disable TRACE and TRACK in the main scope of httpd.conf
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
...
<VirtualHost www.example.com>
...
# disable TRACE and TRACK in the www.example.com virtual host
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
</VirtualHost>

I know the virtual hosts are configured in /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf

Is there an easier way than editing that file for each virtual host?
Thanks,
Reece Dike

daveb 13th February 2008 07:37

I think you could add this in your apache2.conf or httpd.conf:
TraceEnable off

stirfry 7th May 2008 21:50

@daveb - Unfortunately, that only works with certain versions of Apache. Furthermore, that directive is supposed to work in Apache 2.0.55, but it didn't do it for me. At least doing so didn't allow my server to pass the audit software I use and I'm not sure exactly how to test the vulnerability myself.

@rdike - I would think that one could change the function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php to something like this:

Code:

    $rewrite_rule = "RewriteEngine on"; // this existed
    $rewrite_rule .= "\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)"; // this was added
    $rewrite_rule .= "\nRewriteRule .* - [F]"; // this was added

After making this change, I went into ISPConfig Admin and "Saved" one of my sites (assuming it would re-generate the Vhosts_ispconfig.conf file). However, the Vhosts file didn't update. I thought, "Perhaps I'm missing a conditional in the PHP and it's never getting to the point where it turns on the RewriteEngine." So, I even tried a total hack by sticking it in the php variable (since all my sites have php enabled), but my Vhosts file was not updating.

So, now I've put those lines in an .htaccess file in the web root for each site, hoping that does the trick. I'll report back when the audit completes.

So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

*Edit: I should say, two questions to someone who's smarter than me, as we all know "something". Falko? Till? You out there?

falko 8th May 2008 22:08

Quote:

Originally Posted by stirfry
So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

Can you go to the directory where your Vhosts_ispconfig.conf is located and run
Code:

ls -la
? What's the output?

stirfry 8th May 2008 22:51

Code:

drwxr-xr-x 2 root root  4096 Jul 25  2007 .
drwxr-xr-x 9 root root  4096 May  6 16:27 ..
-rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf


falko 9th May 2008 15:05

That's all? Nothing else? No Vhosts_ispconfig.conf~ or Vhosts_ispconfig.conf with a date at the end of the file name?

stirfry 9th May 2008 15:30

I'm sorry. :o Here is the entire contents of my vhosts directory:

Code:

drwxr-xr-x 2 root root  4096 Jul 25  2007 .
drwxr-xr-x 9 root root  4096 May  6 16:27 ..
-rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf
-rw-r--r-- 1 root root  9191 Jun 20  2007 Vhosts_ispconfig.conf.old
-rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf~


falko 10th May 2008 16:49

Nothing else? I wonder why Vhosts_ispconfig.conf~ has the same size as Vhosts_ispconfig.conf... Vhosts_ispconfig.conf~ is a backup of the previous Vhosts_ispconfig.conf file before it got updated...

stirfry 11th May 2008 03:41

Falko,
I'm not sure either as to why the two Vhost files are identical size. I will look into this and report back (perhaps in a new topic).

However, in an attempt to close out this thread, I was able to disable TRACE using the "TraceEnable off" directive. The problem was that I was only turning it off on port 80 and not 81. Here is a site that made me realize I needed to do it for both ports, with some info on how to do it:

http://adamyoung.net/ISPConfig-Disable-TRACE

As always, thanks for your help!
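As an added example (not code from this thread or from ISPConfig), here is a small Python check for verifying, after the change, that every port Apache listens on refuses TRACE and TRACK. It sends a request carrying a marker header and treats the method as enabled only when the server answers 200 and reflects the request back, which is what TRACE does when it is on; a hardened Apache answers 405 (TraceEnable off) or 403 (the RewriteRule [F]). The host and port list are the caller's choice; the two local servers at the bottom are constructed stand-ins for an unpatched and a hardened server so the script runs offline.

```python
"""Check that HTTP TRACE and TRACK are refused on every port a web server listens on.

Added example for this thread, not code from the original posts or from ISPConfig.
Assumption: the caller supplies host and ports; 80 and 81 are defaults only because
those are the two ports the thread was about.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MARKER = ("X-Audit-Marker", "trace-check")  # header a live TRACE will echo back


def probe_method(host, port, method, timeout=5):
    """Send one request with `method`; return (status, echoed).

    `echoed` is True when the body reflects our marker header, i.e. the server
    really executed TRACE/TRACK rather than refusing it.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={MARKER[0]: MARKER[1]})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, f"{MARKER[0]}: {MARKER[1]}".encode() in body
    finally:
        conn.close()


def method_is_enabled(status, echoed):
    """Enabled only on 200 plus a reflected request; 403/405 means refused."""
    return status == 200 and echoed


def check_server(host, ports=(80, 81), methods=("TRACE", "TRACK")):
    """Return {(port, method): True if enabled, False if refused, None if unreachable}."""
    results = {}
    for port in ports:
        for method in methods:
            try:
                status, echoed = probe_method(host, port, method)
                results[(port, method)] = method_is_enabled(status, echoed)
            except OSError:  # connection refused, timeout or reset
                results[(port, method)] = None
    return results


# --- constructed stand-ins so the check can be demonstrated offline ------------

class EchoingHandler(BaseHTTPRequestHandler):
    """Like a server with TRACE still on: reflects the request as message/http."""

    def do_TRACE(self):
        lines = [f"{self.command} {self.path} {self.request_version}"]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        echo = ("\r\n".join(lines) + "\r\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    do_TRACK = do_TRACE

    def log_message(self, *args):  # keep the demo quiet
        pass


class RefusingHandler(BaseHTTPRequestHandler):
    """Like a hardened server: 405 Method Not Allowed for both methods."""

    def do_TRACE(self):
        self.send_error(405)

    do_TRACK = do_TRACE

    def log_message(self, *args):
        pass


def start_local_server(handler):
    """Start `handler` on 127.0.0.1 with an OS-chosen port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against both stand-ins; return (results_before, results_after)."""
    unpatched, p1 = start_local_server(EchoingHandler)
    hardened, p2 = start_local_server(RefusingHandler)
    try:
        before = check_server("127.0.0.1", ports=(p1,))
        after = check_server("127.0.0.1", ports=(p2,))
    finally:
        for srv in (unpatched, hardened):
            srv.shutdown()
            srv.server_close()
    return before, after


if __name__ == "__main__":
    for label, results in zip(("unpatched stand-in", "hardened stand-in"), demo()):
        for (port, method), enabled in sorted(results.items()):
            state = {True: "ENABLED", False: "refused", None: "unreachable"}[enabled]
            print(f"{label} port {port}: {method} {state}")
```

Against a server you administer, call check_server("your.host", ports=(80, 81)) and expect False for every entry. The thread's resolution is the reason for listing both ports: turning TRACE off for port 80 alone leaves the ISPConfig interface on port 81 untouched, whereas TraceEnable off in the main server configuration is inherited by every virtual host. The mod_rewrite variant does not inherit the same way: rewrite rules placed in the main scope are ignored inside a virtual host unless that host sets RewriteOptions Inherit, so a check like this one catches hosts the rules never reached.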

