[users@httpd] OT: questions on SSL certs for server to server communications, where to install & penetration testing them
A vendor is setting up on-prem internal servers for us. The vendor told us he needs SSL certs for the 5 servers (there are 5 URLs given), not for users to access but for server-to-server communications.

Q1: Should we use self-signed certs in this case, & usually for how long should these certs be valid (every 1-3 years, or permanently)?

Q2: Should these servers sit behind the WAF (or suppose these 5 URLs are not for users' access but for server-to-server communications) or in front of the WAF?

Q3: If they sit behind the WAF, should the self-signed certs be installed in the WAF or in the servers? If they sit in front of the WAF, certainly the certs have to be installed in the servers.

Q4: For penetration tests, should we test the 5 URLs (the vendor said they're for server-to-server comms) through the WAF, or position the penetration scanners directly on the servers without going through the WAF?

Sun
- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] Re: CVE-2019-0211/0215/0217
Also, can we safely say CVE-2019-0217 & CVE-2019-0215 affect "2.4.17 through 2.4.38 with MPM event, worker or prefork" only (just like CVE-2019-0211)? How do I check if we have "MPM event, worker or prefork" in our Apache?

On Sat, Apr 6, 2019 at 10:59 PM Sunhux G wrote:
> Are the above CVEs affecting Apache httpd (ie web servers) 2.4.x only,
> & are other lower versions (eg: our Solaris 10's Apache/2.0.63) not
> affected?
>
> Can you point me to where to get the patches for RHEL7/RHEL6
> in the Red Hat support portal or anywhere else that's reliable?
>
> Sun
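On the "how do I check the MPM" part, as an added example that is not from the thread: on httpd 2.4, `httpd -V` (or `apachectl -V`) prints a `Server version:` line and a `Server MPM:` line, the latter even when the MPM is loaded as a DSO as it is on RHEL 7, and `httpd -M` lists the loaded `mpm_*_module`. The script below parses a constructed sample of that output and compares the version with the 2.4.17 through 2.4.38 range the thread quotes for CVE-2019-0211; no ranges are assumed for the other two CVEs, the httpd security page is the place to read those. The caveat a practitioner wants here: distro packages backport fixes while keeping the upstream version number (RHEL 7's package reports 2.4.6), so a version comparison against upstream ranges is only a first filter, and a distro build may be patched while still reporting a version inside the range. The authoritative check on an RPM system is whether the package changelog (`rpm -q --changelog httpd`) or the vendor advisory names the CVE; the second function shows that on a constructed changelog fragment whose wording is invented for the example.

```python
import re

# Constructed sample of `httpd -V` output for a distro build of httpd 2.4.6
# with the prefork MPM loaded as a DSO. Not captured from the poster's servers.
SAMPLE_HTTPD_V = """\
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built:   Aug  8 2019 11:41:18
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
"""

# Constructed fragment of `rpm -q --changelog httpd` output. The packager,
# release and wording are invented for the example; only the CVE id is real.
SAMPLE_CHANGELOG = """\
* Mon Apr 08 2019 Example Packager <packager@example.invalid> - 2.4.6-89.1
- backport fix for CVE-2019-0211
"""

# Upstream range quoted in the thread for CVE-2019-0211. The other two CVEs are
# deliberately absent: look their ranges up on the httpd security page.
AFFECTED_RANGES = {"CVE-2019-0211": ((2, 4, 17), (2, 4, 38))}
AFFECTED_MPMS = {"event", "worker", "prefork"}


def parse_httpd_v(text):
    """Return (version_tuple, mpm_name) from `httpd -V` / `apachectl -V` output."""
    version = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text, re.M)
    mpm = re.search(r"^Server MPM:\s*(\S+)", text, re.M)
    if not version or not mpm:
        raise ValueError("unrecognised httpd -V output")
    return tuple(int(x) for x in version.groups()), mpm.group(1).lower()


def upstream_affected(cve, version, mpm):
    """True if an *upstream* build of `version` with `mpm` is in the advisory range.
    Says nothing about distro builds, which backport fixes without bumping the version."""
    low, high = AFFECTED_RANGES[cve]
    return low <= version <= high and mpm in AFFECTED_MPMS


def changelog_mentions(cve, changelog):
    """True if the package changelog names the CVE (the distro backport check).
    The lookahead stops CVE-2019-0211 from matching a longer id such as CVE-2019-02110."""
    return re.search(re.escape(cve) + r"(?!\d)", changelog) is not None


if __name__ == "__main__":
    ver, mpm = parse_httpd_v(SAMPLE_HTTPD_V)
    print("version", ".".join(map(str, ver)), "MPM", mpm)
    print("upstream range for CVE-2019-0211:", upstream_affected("CVE-2019-0211", ver, mpm))
    print("changelog names CVE-2019-0211:", changelog_mentions("CVE-2019-0211", SAMPLE_CHANGELOG))
```

Run it against real output with `httpd -V | python3 check.py`-style piping by replacing the constants with `sys.stdin.read()`; the two answers will often disagree on a distro build, which is exactly the point.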
[users@httpd] CVE-2019-0211/0215/0217
Are the above CVEs affecting Apache httpd (ie web servers) 2.4.x only, & are other lower versions (eg: our Solaris 10's Apache/2.0.63) not affected?

Can you point me to where to get the patches for RHEL7/RHEL6 in the Red Hat support portal or anywhere else that's reliable?

Sun
[users@httpd] Offtopic: Apache Struts vulnerability: how to detect Struts & will DB encryption help
I understand Apache web servers (runs on Unix only) & Apache Struts (can run in Windows & appliances) are different things.

Q1: Can the various VA scanners (like Nessus & McAfee Vulnerability Manager) detect the presence of Struts, or do you need to log in to individual servers/endpoints or have an agent running in them (like SCCM or MS Desktop Central) to check for the presence of Struts?

Q2: Will DB encryption help stop Struts vulnerabilities, eg the recent one? Is the following true (someone told me): if hackers directly access the database (say using SQL query tools/commands to get sensitive data) on an encrypted DB, they would be stopped; if they hacked a user password or exploited a website (that had vulnerable Struts) connecting to the encrypted DB, it would be no help. It's kinda saying that if my PC's HDD is encrypted (with a PBA password required), hackers can't access a powered-down HDD, but if the PC is powered up & logged in & there's a remote execution vulnerability in my OS, hackers can still get data out of my encrypted HDD via this remote execution vulnerability: is this a fair analogy?

Sun
Re: [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption
After making changes to httpd.conf, can I just issue
1) "kill -HUP httpd_instance_pid" for the change to take effect, or
2) "service httpd reload", or
3) "service httpd restart"?
Select one or more of the above correct options.

Thanks
Sun
Re: [users@httpd] Syntax to replace Diffie-Hellman with RSA encryption
Thanks. I'll verify on Mon using the tool Zeek suggested, or openssl:

openssl s_client -cipher '!DH:!ADH:RC4+RSA:HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM'
[users@httpd] Syntax to replace Diffie-Hellman with RSA encryption
Hi

Further to the post, what's the correct syntax to replace DH with RSA encryption? Choose which of the options below are correct:

1) SSLCipherSuite ALL:!ADH:RC4+RSA:HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
2) SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
3) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
4) SSLCipherSuite !ADH:RC4+RSA:+HIGH:+MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
5) SSLCipherSuite !ADH:RC4+RSA:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

What does ALL represent?

Thanks

On Sun, May 29, 2011 at 10:48 PM, sunhux G wrote:
> I'm a newbie to encryption & a beginner to Apache.
>
>   Length: 81
>   Handshake Protocol: Server Hello
>     Handshake Type: Server Hello (2)
>     Length: 77
>     Version: TLS 1.0 (0x0301)
>     Random
>       gmt_unix_time: May 23, 2011 11:01:51.00
>       random_bytes: C0C48BA2.
>     Session ID Length: 32
>     Session ID: 53283989...
>     Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) <==
>
> Above is an extract of data traffic sniffed using a product which
> I'm evaluating.
>
> I have a requirement to use a sniffing product (which I connect to our
> internal LAN) to capture users' access to our website portal, to check
> which pages the user accesses & the time a user logs in / logs out, & SSL
> https encryption is involved. However, to do this, I'll need to do
> decryption.
>
> My Apache web servers appear to be configured to use "Diffie-Hellman" key
> exchange. This can be verified by looking at the Server Hello packets and
> viewing the Cipher Suite (as shown in the above traffic capture). "DHE" means
> Diffie-Hellman key exchange.
>
> I suppose this means the shared private key from the web server is not used.
> In Diffie-Hellman key exchange, the private key for each session is created
> dynamically between the client and server, and is therefore technically
> impossible to decrypt: correct me if I'm wrong. Refer to the links / URLs below
> on why DH key exchange makes SSL decryption impossible:
> - http://www.unleashnetworks.com/blog/?p=28
> - http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/
>
> In my Apache config file, there's the line below:
> SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
>
> Question:
> Which alternative cipher provides the same encryption/key strength -
> just doesn't use Diffie-Hellman for key exchange?
>
> How should I amend my Apache config file so that it replaces Diffie-Hellman
> with this new encryption? Pls provide as precise an instruction as possible,
> & whether I need to do "service httpd restart" or "service httpd reload"?
>
> Any alternative proposed should not flag out as a vulnerability during a
> vulnerability scan.
>
> Then I would be able to use the promiscuous mode sniffing device to see
> user logins & the slow pages that he accessed etc.
>
> Thanks
Re: [users@httpd] Apache 2.x configuration for high load servers
I'm new to Apache & to my environment too. We run 4 Apache v2.0.52 servers & I've been seeing high load averages (of 3 to 13) reported by "top" on Linux RHES 4.6 for the 1, 5 & 15 minute averages on 3 of our web servers. All the servers' CPUs are generally idle except one web server which sometimes hits 90-100% CPU utilization.

Our active F5 BIG-2400 LB had been setting 3 of the Apache servers as "Down" frequently (like 5-30 times/day per web server on various Apache tcp ports, ie 80, 86, 443, 444, as shown by the LB's bigd logs). I logged in to our LB (which runs a customized BSD Unix) & found that whenever the LB set an Apache server (which the LB monitors using http every 5 secs with 16 secs as timeout) as down, the 1 minute load average on the LB itself would spike above 1 too (yes, I ran "top" on the LB's command line). Perhaps I'll run tmstat on the LB as well tomorrow.

When the LB reported an Apache web server as down, icmp ping from the LB to the web server still responded but "telnet websvr_IP port#" would not respond.

Our network chaps had set the LB to use the round-robin algorithm (previously & all this while it was BIG LB's special algorithm, don't know what it was). It stabilized for a few hours before the symptoms happened again.

Our web servers are all Proliant DL380 G4 dual processor with 2GB RAM. This frequent "non-response" situation started around the first week of May. All these years we used the same hardware with only minor changes to the Apache (security patches) & never had this frequent flapping.

One thing I noted was the LB would flag out a message that it had a FAN 2 rotation error every 20 secs. This fan error surfaced around early Apr this year; haven't managed to get downtime to replace it yet.

Appreciate any inputs on what I can do other than upgrading the hardware. Let me know any prefork or other settings you would like me to post here. Honestly, I don't know how to obtain those prefork & other settings you chaps have been discussing in this thread.

Sun
[users@httpd] Re: Alternative for Apache webserver Diffie-Hellman encryption to permit SSL decryption
Note that in my current Apache config file there's the line below, which does not mention anything about Diffie-Hellman, so my guess is Apache must have selected/enabled DH by default. How can I explicitly turn it off?

SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

I'm thinking of using TLS_RSA_WITH_AES_256_CBC_SHA encryption. Kindly advise what's the syntax to put into the Apache .conf file. Any security consequence or network performance impact from using this new encryption?
[users@httpd] Alternative for Apache webserver Diffie-Hellman encryption to permit SSL decryption
I'm a newbie to encryption & a beginner to Apache.

  Length: 81
  Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Length: 77
    Version: TLS 1.0 (0x0301)
    Random
      gmt_unix_time: May 23, 2011 11:01:51.00
      random_bytes: C0C48BA2.
    Session ID Length: 32
    Session ID: 53283989...
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) <==

Above is an extract of data traffic sniffed using a product which I'm evaluating.

I have a requirement to use a sniffing product (which I connect to our internal LAN) to capture users' access to our website portal, to check which pages the user accesses & the time a user logs in / logs out, & SSL https encryption is involved. However, to do this, I'll need to do decryption.

My Apache web servers appear to be configured to use "Diffie-Hellman" key exchange. This can be verified by looking at the Server Hello packets and viewing the Cipher Suite (as shown in the above traffic capture). "DHE" means Diffie-Hellman key exchange.

I suppose this means the shared private key from the web server is not used. In Diffie-Hellman key exchange, the private key for each session is created dynamically between the client and server, and is therefore technically impossible to decrypt: correct me if I'm wrong. Refer to the links / URLs below on why DH key exchange makes SSL decryption impossible:
- http://www.unleashnetworks.com/blog/?p=28
- http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/

In my Apache config file, there's the line below:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

Question:
Which alternative cipher provides the same encryption/key strength - just doesn't use Diffie-Hellman for key exchange?

How should I amend my Apache config file so that it replaces Diffie-Hellman with this new encryption? Pls provide as precise an instruction as possible, & whether I need to do "service httpd restart" or "service httpd reload"?

Any alternative proposed should not flag out as a vulnerability during a vulnerability scan.

Then I would be able to use the promiscuous mode sniffing device to see user logins & the slow pages that he accessed etc.

Thanks
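The two Diffie-Hellman threads above ("Syntax to replace Diffie-Hellman with RSA encryption" and "Alternative for Apache webserver Diffie-Hellman encryption") ask for the exact SSLCipherSuite string and what ALL means. As an added example, not code from the thread: the script feeds the poster's current string and a hypothetical replacement to the local OpenSSL library through Python's ssl module, which resolves a cipher string the same way `openssl ciphers -v` and mod_ssl do, and reports the key exchange of every suite that survives. The replacement string is an assumption made for illustration: it keeps the poster's list but removes every ephemeral key exchange, finite-field (`!kEDH`) and elliptic-curve (`!kEECDH`), plus the PSK and SRP families, so only RSA key transport remains, which is the one kind a passive sniffer holding the server's private key can decrypt (dropping only DH while leaving ECDHE would not achieve the stated goal). Facts worth reading it with: `ALL` in OpenSSL cipher syntax means every suite except the unencrypted `eNULL` ones; the list is evaluated against whatever OpenSSL the script runs on, so it differs from what a 2011 server offered, and OpenSSL 3 moved RC4 (the `RC4+RSA` in the posted options) to the legacy provider; suites without forward secrecy are exactly what vulnerability scanners flag, so the "must not flag on a scan" requirement conflicts with the decryption goal; SSLCipherSuite does not govern TLS 1.3, which always uses ephemeral key exchange. A graceful restart (`service httpd reload` / `apachectl graceful`) re-reads the directive; `kill -HUP` also does, but as a non-graceful restart it drops in-flight requests.

```python
import re
import ssl

# The SSLCipherSuite value quoted in the posts above.
ORIGINAL = "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"

# Hypothetical replacement for illustration (an assumption, not from the thread):
# the same list minus ephemeral finite-field DH (kEDH), ephemeral ECDH (kEECDH)
# and the PSK/SRP families, so only RSA key transport stays negotiable.
NO_EPHEMERAL = "HIGH:MEDIUM:!aNULL:!kEDH:!kEECDH:!PSK:!SRP:+SHA1:+MD5:+HIGH:+MEDIUM"

# SSL_CIPHER_description() output looks like
# "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD"
KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchanges(cipher_string):
    """Map suite name -> key exchange for every TLS 1.2-and-below suite that the
    local OpenSSL selects for cipher_string (the `openssl ciphers -v` view)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    kx_by_name = {}
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue                        # not governed by this string, always ephemeral
        match = KX_RE.search(suite["description"])
        kx_by_name[suite["name"]] = match.group(1) if match else "?"
    return kx_by_name


def forward_secret(cipher_string):
    """Suites in cipher_string whose key exchange is ephemeral (EC)DH, i.e. the
    ones a passive sniffer cannot decrypt even with the server's private key."""
    return sorted(name for name, kx in key_exchanges(cipher_string).items()
                  if kx.startswith(("DH", "ECDH")))


def rsa_only(cipher_string):
    """True when every remaining TLS<=1.2 suite uses RSA key transport."""
    kxs = key_exchanges(cipher_string)
    return bool(kxs) and all(kx == "RSA" for kx in kxs.values())


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("no-ephemeral", NO_EPHEMERAL)):
        kxs = key_exchanges(spec)
        print(f"{label}: {len(kxs)} suites, {len(forward_secret(spec))} forward-secret,"
              f" rsa_only={rsa_only(spec)}")
        for name, kx in kxs.items():
            print(f"  {name:32s} Kx={kx}")
```

To check a live server rather than the local library, the `openssl s_client -cipher` command quoted earlier in the thread (with `-connect host:port` added) shows which suite the server actually picks for a given client list.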
Re: [users@httpd] Are Apache ports unstable or is my CA Unicentre giving false alerts
Yes, there are entries. So I have to get our monitoring team to tune CA to poll every 30 secs for 10 mins to be sure we don't get false alerts?

U

On Sun, Dec 26, 2010 at 2:40 AM, Joost de Heer wrote:
> On 12/25/2010 05:08 PM, sunhux G wrote:
>> Question is how do I determine if it's my Apache that's not responding
>> or it's the CA tool not being configured well or not fine-tuned? I'm sure
>> our network has no issue.
>
> Do you see entries in the access log during the period your monitor tool
> reports as downtime?
>
> Joost
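Joost's access-log check, as an added example that is not from the thread: the script parses the timestamp field of combined-format access_log lines (`[13/Dec/2010:06:23:10 +0800]`), counts requests inside an alert window pasted straight from the CA alert, and lists every silence longer than the monitor's poll interval. A single completed request logged inside the window shows the listener was answering while the monitor said it was not; a silence spanning the whole window is consistent with either a hang or simply no traffic, so the gap listing is there to tell the two cases apart. The log lines are constructed for the example and the +0800 offset is an assumption. Two caveats: access_log records only requests that completed, so a hung request shows nothing until it finishes, and the alert covers one port, so the log examined has to be the one serving that Listen port or vhost.

```python
import re
from datetime import datetime

# Constructed combined-format access_log lines (not from the poster's server).
# Traffic pauses for 2 min 55 s between 06:23:10 and 06:26:05.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2010:06:22:40 +0800] "GET /iProject/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Dec/2010:06:22:55 +0800] "GET /iProject/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2010:06:23:10 +0800] "GET /iProject/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2010:06:26:05 +0800] "GET /iProject/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Dec/2010:06:26:20 +0800] "POST /iProject/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_apache_time(text):
    """Parse the access_log time field, e.g. '13/Dec/2010:06:23:10 +0800'."""
    return datetime.strptime(text, APACHE_TIME)


def request_times(log_text):
    """Timestamps of every parseable access_log line, in file order."""
    times = []
    for line in log_text.splitlines():
        match = TIMESTAMP_RE.search(line)
        if match:
            times.append(parse_apache_time(match.group(1)))
    return times


def hits_in_window(times, start, end):
    """Requests logged within [start, end], both as Apache-format time strings
    so the alert's 'not responding' and 'port OK' times can be pasted in."""
    low, high = parse_apache_time(start), parse_apache_time(end)
    return sum(1 for t in times if low <= t <= high)


def silences(times, min_seconds):
    """(previous request, next request, seconds) for every gap >= min_seconds,
    e.g. the monitor's 30 s poll interval."""
    gaps = []
    for prev, nxt in zip(times, times[1:]):
        secs = int((nxt - prev).total_seconds())
        if secs >= min_seconds:
            gaps.append((prev, nxt, secs))
    return gaps


if __name__ == "__main__":
    times = request_times(SAMPLE_LOG)
    print("hits in alert window:",
          hits_in_window(times, "13/Dec/2010:06:23:00 +0800", "13/Dec/2010:06:26:00 +0800"))
    for prev, nxt, secs in silences(times, 30):
        print(f"silence {secs}s from {prev:%H:%M:%S} to {nxt:%H:%M:%S}")
```

With real logs, read the file instead of SAMPLE_LOG and pass the alert and recovery times from the CA message; a window with hits but a long silence on the monitored port alone points at that listener (or its backend) rather than at the whole server.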
[users@httpd] Are Apache ports unstable or is my CA Unicentre giving false alerts
I configured my Apache to listen on tcp 83, 446 & 86. Our monitoring team uses CA Unicentre (awservices) to monitor the Apache's ports, & I often get the alerts below, which always recover within 2-5 minutes. Our monitoring team asserts that there's nothing wrong with their monitoring tool (CA), as it polls the port(s) for a response once every 30 seconds for 10 times, & only if 10 out of 10 polls fail to respond is an alert (like the ones shown below) sent out.

Question is, how do I determine if it's my Apache that's not responding or it's the CA tool not being configured well or not fine-tuned? I'm sure our network has no issue.

Thanks
U

=== sample alerts ===
13/12/10 06:26 E5NKK1S-ABCDWEB8 ABCDWEB8 port iProject_Apache (83) port OK
13/12/10 06:23 E5NKK1S-ABCDWEB8 ABCDWEB8 port iProject_Apache (83) is not responding
13/12/10 06:26 E5NKK1S-ABCDWEB8 ABCDWEB8 port Micro Focus (tcp 446) port OK
13/12/10 06:23 E5NKK1S-ABCDWEB8 ABCDWEB8 port Micro Focus (tcp 446) is not responding
13/12/10 03:35 E5NKK1S-ABCDWEB8 ABCDWEB8 port DDM-Remote Relational (tcp 86) port OK
13/12/10 03:33 E5NKK1S-ABCDWEB8 ABCDWEB8 port DDM-Remote Relational (tcp 86) is not responding