Working with Apache Web Server
Time Required: 35 minutes
Objective: Explore basic settings and tasks in Apache Web Server.
Description: Without a doubt, you'll run across Apache Web Server systems when conducting a
security test. Because Apache is a sophisticated, modular Web server, mastering its features and
options can take considerable time. Apache's layout varies, depending on the OS. For example,
Apache in Fedora Linux is different from Apache in Ubuntu Linux. In this activity, you explore
basic Apache Web Server commands and learn how to find and modify some configuration
options (called Apache directives). The goal of this activity is to configure a Web server with a
directory that requires authentication.
1. Boot your computer into Linux with the Kali Linux DVD.
2. Open a Terminal shell. At the command prompt, type apache2ctl start and press Enter. You can
safely ignore the "Could not reliably determine the server's fully qualified domain name" error.
3. Start the Iceweasel Web browser. In the address bar, type localhost and press Enter. The Web
site displays instructions on how to manipulate the default Apache configuration. Read over this
page.
4. Open a Terminal shell. At the command prompt, type apache2ctl stop and press Enter.
5. Now, we'll view the default Apache configuration files. In the Terminal shell, type cd /etc/apache2
and press Enter to change directories. Then type grep Include apache2.conf and press Enter to
see a listing of files and directories where the Apache server searches for additional directives at
startup (see Figure 10-5). Note the next-to-last line, IncludeOptional sites-enabled/*.conf. This
directory is where Apache checks for Web site configuration files. You can add a Web site by
adding its configuration file in this directory without having to change the main configuration
file apache2.conf.
Figure 10-5: Viewing files and directories with an Include statement (Source: GNU GPL)
6. Type cd /etc/apache2/sites-enabled && ls and press Enter.
7. Open the file in the gvim editor by typing gvim 000-default.conf and pressing Enter.
8. Enter the following lines at the end of the file, below the line :
9. Save your changes and exit the gvim editor by pressing Esc, typing :wq, and pressing Enter.
10. In the Terminal shell, create a new directory by typing mkdir /var/www/html/restricted and
pressing Enter.
11. Type cd /var/www/html/restricted to change to the directory you created in Step 12 and press
Enter. Then type touch secret.txt and press Enter to create a file in this directory.
12. Next, you create the .htaccess file in the same directory. This file is the local directory
configuration file specified in apache2.conf by the AccessFileName directive. If .htaccess exists
in any Web site directory, Apache checks it first. In this .htaccess file, you point Apache to the
location of AuthUserFile (essentially, a password file). Type gvim .htaccess and press Enter.
Type the following for the file's contents:
13. Exit and save the file by pressing Esc and then pressing : (a colon). At the : prompt, type wq and
press Enter. In the Terminal shell, create a password file by typing htpasswd -c
/etc/apache2/.htpasswd tester and pressing Enter. When prompted, enter a password and confirm,
and then make note of the password. The .htaccess file you created in Step 12 tells Apache to
look in the .htpasswd file for the tester user's password. You can run the command
cat /etc/apache2/.htpasswd to view the password hash for your new user.
14. Restart Apache by typing apache2ctl restart and pressing Enter. In Iceweasel, go to
http://localhost/restricted, and enter the username tester and the password you confirmed in Step
13. What file is displayed? If you want to be prompted again for a password, you'll have to close
and reopen your browser.
15. See whether others in the class can access your restricted folder by having them enter
http://yourIPaddress/restricted in their browsers (replacing yourIPaddress with your IP address).
If necessary, type ifconfig eth0 and press Enter to find your IP address.
16. Why is entering your credentials on a Web site not secured with SSL, such as this site, a
problem? What is the fix for this problem?
17. Close the Terminal shell, exit Firefox, and log off Linux for the next activity.
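
The following added example (not part of the original activity) checks a directory set up as in Steps 10 through 13: that .htaccess carries the authentication directives, that AuthUserFile points outside the document root, and which hash format an .htpasswd entry uses. The .htaccess contents, the function names, and the sample hash are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory protected as in Steps 10-13.
# File contents and the hash below are constructed sample data.

# make_sample DIR PWFILE: write a sample .htaccess pointing at PWFILE.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'AuthType Basic' 'AuthName "Restricted"' \
        "AuthUserFile $2" 'Require valid-user' > "$1/.htaccess"
}

# audit_htaccess DOCROOT HTACCESS: print findings; return 0 when there are none.
# Directive names are matched case-insensitively, as Apache does.
audit_htaccess() {
    docroot=$1; htaccess=$2; problems=0
    for directive in AuthType AuthName AuthUserFile Require; do
        if ! awk -v d="$directive" 'tolower($1) == tolower(d) { f = 1 }
                                    END { exit !f }' "$htaccess"; then
            echo "missing directive: $directive"
            problems=$((problems + 1))
        fi
    done
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$htaccess")
    case $pwfile in
        "$docroot"/*)   # outside the document root, no URL maps to the file
            echo "password file inside document root: $pwfile"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# hash_scheme ENTRY: name the hash format of one "user:hash" htpasswd line.
hash_scheme() {
    case ${1#*:} in
        '$2y$'*)   echo bcrypt ;;
        '$apr1$'*) echo apr1-md5 ;;
        '{SHA}'*)  echo sha1-unsalted ;;
        *)         echo other ;;
    esac
}

# Demo on constructed files: the activity's layout, then a misplaced password file.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/html/restricted" /etc/apache2/.htpasswd
audit_htaccess "$demo_dir/html" "$demo_dir/html/restricted/.htaccess" && echo "layout OK"
make_sample "$demo_dir/html/restricted" "$demo_dir/html/restricted/.htpasswd"
audit_htaccess "$demo_dir/html" "$demo_dir/html/restricted/.htaccess" || echo "needs fixing"
hash_scheme 'tester:$apr1$constructed$placeholder'
rm -rf "$demo_dir"
```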
Question 14 and 16
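
For Step 16, an added example (not part of the original activity) showing what a Basic-authentication request to the restricted directory carries over plain HTTP: the Authorization header holds the username and password in base64, which is an encoding and not encryption, so the header is only protected in transit when the site is served over SSL/TLS. The request, the password, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: what a Basic-auth request to http://localhost/restricted carries.
# The request and the password are constructed sample data.

# basic_auth_header USER PASSWORD: the header a browser sends after the prompt.
basic_auth_header() {
    printf 'Authorization: Basic %s\r\n' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# sample_request: a plain-HTTP request as it would appear in a packet capture.
sample_request() {
    printf 'GET /restricted/ HTTP/1.1\r\nHost: localhost\r\n'
    basic_auth_header tester 'constructed-password'
    printf '\r\n'
}

# credentials_from_request: read a request on stdin, print "user:password".
# Prints nothing when the request has no Basic Authorization header.
credentials_from_request() {
    tr -d '\r' |
        awk 'tolower($1) == "authorization:" && tolower($2) == "basic" {
                 print $3; exit }' |
        base64 -d
}

# Demo: the credentials come back without any key or secret.
sample_request | credentials_from_request
echo
```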