Re: [users@httpd] SSL setup assistance

2024-09-18 Thread j...@k6ccc.org 
Thanks guys for the pointers.  I will play with this in the next day or two.  
Also take the opportunity to update to the latest version (I'm one behind).

Jim




-Original Message-
From: "Sean Conner" 
Sent: Wednesday, September 18, 2024 13:27
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL setup assistance

It was thus said that the Great j...@k6ccc.org once stated:
> So can someone either point me to a good step by step or walk me through
> what I need to do to get this working.  I had gotten the cert back then
> via Let's Encrypt, and that was the easy part.




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] SSL setup assistance

2024-09-18 Thread j...@k6ccc.org 
I know this is going to be very basic for most of you.

I am running Apache on a Windows server with at least close to latest release.  
It host my personal website and a website for my home Christmas light show.  
Just simple static web pages - nothing fancy at all.  There is absolutely 
nothing that needs any degree of security.  As such I have never made any 
attempt to set up SSL on the server.

This is becoming an issue because more and more browsers are getting picky 
about http only traffic - in particular imbedding an image from a http website 
into an otherwise https website (lighting forums running https with images 
imbedded from my website is the specific issue).

I tried to set up SSL on my server a couple years ago and after whatever 
changes were made, Apache would not even start (and I don't remember what error 
message were logged).  So I reverted the Apache config back to what it had been 
and ignored the issue for a few more years.

So can someone either point me to a good step by step or walk me through what I 
need to do to get this working.  I had gotten the cert back then via Let's 
Encrypt, and that was the easy part.

73
-
Jim Walls - K6CCC
j...@k6ccc.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Re: Apache server v2.4.58 - suexec issue

2024-04-08 Thread j...@k6ccc.org 
2.4.59 was released a few days ago to address these...

Jim




-Original Message-
From: "Christophe JAILLET" 
Sent: Monday, April 8, 2024 13:26
To: users@httpd.apache.org, "Abdullah Adnan" 
Subject: [users@httpd] Re: Apache server v2.4.58 - suexec issue

Le 07/04/2024 à 19:55, Abdullah Adnan a écrit :
> Good day dears,
> 
> Recently we have installed Apache server v2.4.58 in our CentOS 9, when 
> make vulnerability scan with Nessus on the server the Nessus shows this 
> vulnerability:
> 
> The remote host appears to be running Apache and is potentially
> 
> affected by the following vulnerabilities:
> 
>    - Multiple race conditions exist in suexec between the
> 
>      validation and usage of directories and files. Under
> 
>      certain conditions local users are able to escalate
> 
>      privileges and execute arbitrary code through the
> 
>      renaming of directories or symlink attacks.
> 
>      (CVE-2007-1741)
> 
>    - Apache's suexec module only performs partial
> 
>      comparisons on paths, which could result in privilege
> 
>      escalation. (CVE-2007-1742)
> 
>    - Apache's suexec module does not properly verify user
> 
>      and group IDs on the command line. When the '/proc'
> 
>      filesystem is mounted, a local user can utilize suexec
> 
>      to escalate privileges. (CVE-2007-1743)
> 
> Note that this plugin only checks for the presence of Apache, and does
> 
> not actually check the configuration.

Hi,

looking at theses CVE, they all include "the vendor disputes the issue 
because "the attacks described rely on an insecure server configuration" 
in which the user "has write access to the document root.""

So considering them as security issues is up to you.

> 
> So we need your support to disable suexec in the server.

Disabling a module in Apache looks like a really basic task.
(just comment the corresponding line in the conf file)

CJ

> 
> Thanks,
> 
> Best regards
> 
>   
> 
> *Abdullah Adnan *
> 
> *IT System Administrator|**Arab Payment Services*
> 
> Mobile:   00964-7735387734
> 
> Ext.:   74
> 
> Email: a.ad...@aps.iq 
> 
> Skype:  Abdullah Adnan
> 
> Website: www.aps.iq 
> 
> Address:Iraq *| *Baghdad*| *Abu Nuwas*| *District (102) *|*Street (26) 
> *|*BLDG.(13/66)
> 


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Controlling access to web site based on domain name

2022-12-16 Thread j...@k6ccc.org 
Brian beat me to it.  Set up virtual hosts with the desired domain listed and 
the default (what someone will get if they access via IP) goes to your desired 
"wrong way to get here" page.

Jim




-Original Message-
From: "Rose, John B" 
Sent: Friday, December 16, 2022 13:00
To: "users@httpd.apache.org" 
Subject: [users@httpd] Controlling access to web site based on domain name

We would like to control access to a web site based on a listed domain and 
redirect any accesses from domains not
listed to a particular web page.

We need to be able to use the domain names and not IP addresses.

Is this something we should be able to do within .htaccess and using Rewrite 
for the redirect or do we need to use something else?

Thanks





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] Re: How Do I Prevent Repetitive Hits

2022-08-25 Thread j...@k6ccc.org 
On 25/08/2022 17:27, j...@k6ccc.org wrote:
> Or add that IP to a blacklist in your router so your Apache server never even 
> sees it.

Then Good Guy asked:

> Is this possible if your server is in the cloud platform such as Azure, 
> GCP, IBM or Oracle? What is needed is a solution to block certain IP 
> addresses from within Apache itself. For example. I might want to block 
> all incoming traffic from Russia or China or North Korea so how do I 
> achieve this?


Good point.  I was thinking from my perspective, which is Apache running on my 
server at home where I completely control the router.  I have some rules in the 
router that Blacklist certain IPs based on obvious bad activity.  The blacklist 
IPs are blocked from doing anything into or through the router.  Now the real 
trick would be to write a way to scrub the Apache log and find obvious attacks 
and add those IPs to the Router blacklist...

73
-----
Jim Walls - K6CCC
j...@k6ccc.org



-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] How Do I Prevent Repetitive Hits

2022-08-25 Thread j...@k6ccc.org 
Or add that IP to a blacklist in your router so your Apache server never even 
sees it.

Jim
K6CCC


-Original Message-
From: "John Iliffe" 
Sent: Thursday, August 25, 2022 09:16
To: "Apache Help" 
Subject: [users@httpd] How Do I Prevent Repetitive Hits

For the last week we have been getting hit on average about every 3 seconds by a
machine that appears to be in Panama.  There should be no reason why this
machine would want to connect to us.

193.29.60.97 - - [25/Aug/2022:12:12:04 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:05 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:06 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:07 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:08 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:10 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:11 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:24 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:26 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"
193.29.60.97 - - [25/Aug/2022:12:12:33 -0400] "GET /favicon.ico HTTP/1.1" 200
3262 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/104.0.5112.102 Safari/537.36"

While it doesn't appear to be causing us any harm I am wondering why someone
would spend the time/money to do so and if there is any way to lock out this one
source.

Does anyone have any suggestions?

Thanks in advance,

John
==


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org