Disabling HTTP TRACE / TRACK in all virtual hosts

Discussion in 'Installation/Configuration' started by rdike, Feb 13, 2008.

  1. rdike

    rdike New Member

    Is there a standard place to put the rewrite conditions so that all of the virtual hosts are covered and/or so that new virtual hosts are covered automatically?

    Background:
    We just had a security audit and one of the few things that they found was that our ispconfig server allowed HTTP TRACE and HTTP TRACK methods. We need to disable them. 'mod_rewrite' is already part of the standard ispconfig configuration so we just need to add the following

    ...
    # disable TRACE and TRACK in the main scope of httpd.conf
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    ...
    <VirtualHost www.example.com>
    ...
    # disable TRACE and TRACK in the www.example.com virtual host
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    </VirtualHost>

    I know the virtual hosts are configured in /etc/httpd/conf/vhosts/Vhosts_ispconfig.conf

    Is there an easier way than editing that file for each virtual host?
    Thanks,
    Reece Dike
     
  2. daveb

    daveb Member

    I think you could add in your apache2.conf or httpd.conf.
    TraceEnable off
     
  3. stirfry

    stirfry New Member

    @daveb - Unfortunately, that only works with certain versions of Apache. Furthermore, that directive is supposed to work in Apache 2.0.55, but it didn't do it for me. At least doing so didn't allow my server to pass the audit software I use and I'm not sure exactly how to test the vulnerability myself.

    @rdike - I would think that one could change the function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php to something like this:

    Code:
        $rewrite_rule = "RewriteEngine on"; // this existed
        $rewrite_rule .= "\nRewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)"; // this was added    
        $rewrite_rule .= "\nRewriteRule .* - [F]"; // this was added

    After making this change, I went into ISPConfig Admin and "Saved" one of my sites (assuming it would re-generate the Vhosts_ispconfig.conf file). However, the Vhosts file didn't update. I thought, "Perhaps I'm missing a conditional in the PHP and it's never getting to the point where it turns on the RewriteEngine." So, I even tried a total hack by sticking it in the php variable (since all my sites have php enabled), but my Vhosts file was not updating.

    So, now I've put those lines in an .htaccess file in the web root for each site, hoping that does the trick. I'll report back when the audit completes.

    So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

    *Edit: I should say, two questions to someone who's smarter than me, as we all know "something". Falko? Till? You out there?
     
    Last edited: May 8, 2008
  4. falko

    falko Super Moderator

    Can you go to the directory where your Vhosts_ispconfig.conf is located and run
    Code:
    ls -la
    ? What's the output?
     
  5. stirfry

    stirfry New Member

    Code:
    drwxr-xr-x 2 root root  4096 Jul 25  2007 .
    drwxr-xr-x 9 root root  4096 May  6 16:27 ..
    -rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf
     
  6. falko

    falko Super Moderator

    That's all? Nothing else? No Vhosts_ispconfig.conf~ or Vhosts_ispconfig.conf with a date at the end of the file name?
     
  7. stirfry

    stirfry New Member

    I'm sorry. :eek: Here is the entire contents of my vhosts directory:

    Code:
    drwxr-xr-x 2 root root  4096 Jul 25  2007 .
    drwxr-xr-x 9 root root  4096 May  6 16:27 ..
    -rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf
    -rw-r--r-- 1 root root  9191 Jun 20  2007 Vhosts_ispconfig.conf.old
    -rw-r--r-- 1 root root 17195 May  7 13:46 Vhosts_ispconfig.conf~
     
  8. falko

    falko Super Moderator

    Nothing else? I wonder why Vhosts_ispconfig.conf~ has the same size as Vhosts_ispconfig.conf... Vhosts_ispconfig.conf~ is a backup of the previous Vhosts_ispconfig.conf file before it got updated...
     
  9. stirfry

    stirfry New Member

    Falko,
    I'm not sure either as to why the two Vhost files are identical size. I will look into this and report back (perhaps in a new topic).

    However, in an attempt to close out this thread, I was able to disable TRACE using the "TraceEnable off" directive. The problem was that I was only turning it off on port 80 and not 81. Here is a site that made me realize I needed to do it for both ports, with some info on how to do it:

    http://adamyoung.net/ISPConfig-Disable-TRACE

    As always, thanks for your help!
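
One way to test the setting on your own server, as an added example that is not part of the thread: the script sends TRACE and TRACK to each port (80 and 81, the two ports named in the last post) and reports whether the server reflects the request back. The header name X-Trace-Probe and its value are constructed for the probe.

```python
import http.client
import sys

MARKER = "X-Trace-Probe"   # hypothetical header name, used only to spot the echo
TOKEN = "probe-1"          # constructed value we look for in the response body

def probe(host, port, method, timeout=5):
    """Send one request with the given method; return (status, echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={MARKER: TOKEN})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status, TOKEN in body
    finally:
        conn.close()

def audit(host, ports=(80, 81), methods=("TRACE", "TRACK")):
    """Return {(port, method): verdict} for every port/method pair."""
    findings = {}
    for port in ports:
        for method in methods:
            try:
                status, echoed = probe(host, port, method)
            except (OSError, http.client.HTTPException):
                findings[(port, method)] = "unreachable"
                continue
            if status == 200 and echoed:
                verdict = "enabled"    # server reflected our request back
            elif 200 <= status < 300:
                verdict = "accepted"   # 2xx without an echo: review by hand
            else:
                verdict = "rejected"   # e.g. 403 from [F], 405 from TraceEnable off
            findings[(port, method)] = verdict
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for (port, method), verdict in sorted(results.items()):
        print(f"{target}:{port} {method:5} {verdict}")
    # Non-zero exit if any port still serves either method.
    still_open = {"enabled", "accepted"} & set(results.values())
    sys.exit(1 if still_open else 0)
```

Run it with the server's host name as the only argument; a port that reports "enabled" after the change is one where the directive or rewrite rule is not in effect.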
     
