Our first task will be the installation of pkg-get. At Blastwave you’ll find a complete guide on how to undertake this task. Briefly:

cd /tmp
/usr/sfw/bin/wget http://www.blastwave.org/pkg_get.pkg
pkgadd -d pkg_get.pkg all
/usr/sfw/bin/wget http://www.blastwave.org/wget-i386.bin
chmod 755 wget-i386.bin

PATH=/tmp:/opt/csw/bin:/usr/sbin:/usr/bin:

/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin
export PATH

vi /opt/csw/etc/pkg-get.conf

Pick a mirror next to you. Then:

pkg-get -i wget

PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:

/usr/openwin/bin:/usr/ccs/bin
export PATH

And now you may install other packages. But let’s focus in our target.

As Solaris 10 comes with MySQL and Apache installed by default, first we are going to uninstall them. Take a look at your system:

pkginfo | grep -i apache

system SUNWaclg Apache Common Logging
system SUNWapch2d Apache Web Server V2 Documentation
system SUNWapch2r Apache Web Server V2 (root)
system SUNWapch2u Apache Web Server V2 (usr)
system SUNWapchd Apache Web Server Documentation
system SUNWapchr Apache Web Server (root)
system SUNWapchu Apache Web Server (usr)

pkginfo | grep -i mysql

system SUNWmysqlr mysql – MySQL Database Management System (root component)
system SUNWmysqlt mysql – MySQL Database Management System (test component)
system SUNWmysqlu mysql – MySQL Database Management System (usr component)

Next task would be to uninstall these packages. Proceed as follows:

pkgrm SUNWaclg SUNWapch2d SUNWapch2r SUNWapch2u SUNWapchd SUNWapchr SUNWapchu
pkgrm SUNWmysqlr SUNWmysqlt SUNWmysqlu

Finally, install Apache, MySQL and PHP from pkg-get:

pkg-get -i apache2 mysql4 php4 mod_php

That’s all. Now configure the software as usual. Note that packages installed with pkg-get reside in /opt/csw, so I recommed adding something like this to your /etc/profile:

PATH=/opt/csw/bin:/opt/csw/mysql4/bin:$PATH
export PATH

More info:

pkg-get installation howto
pkg-get users guide
Customizing Your Working Environment

Add this directives to you configuration file:

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

RewriteEngine on
RewriteCond %{TIME_HOUR}%{TIME_MIN} >2300
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1900
RewriteRule ^index.php$ day.html
RewriteRule ^index.php$ night.html

When request for index.php is made then to corresponding time day.html or night.html page is served.

For more information:

• Georgi Guninski security advisory #70, 2004
• Gentoo GLSA 200407-03 / Apache
• Apache 2.0 Security Vulnerabilities

apachectl restart

or

/etc/init.d/apache restart

the httpd daemon is stopped and started again closing currently open connections.

There is a way to restart Apache’s http daemon keeping current connections opened. Simply type:

apachectl graceful

This is useful if you changed the httpd.conf configuration file and want Apache to re-read it keeping connections.

a.b.c.d – - [24/Apr/2004:23:00:00 +0200] “GET http://www.google.com/” 200 46124

This means that a.b.c.d is trying to access www.google.com using your Apache as a proxy. As you can see the response status 200 indicates success and the data returned is 46124 bytes long.

If you don’t want your server to be used as a forward proxy make sure that ProxyRequests directive is set to Off, even better do not load mod_proxy module.

Despite the fact the entry shown in the previous example says that the request succeded, this is not necessarily true. Try the following to test your server:

telnet www.yoursite.com 80
GET http://www.google.com/

Watch the access.log file. If you see the code status 200, compare the bytes returned by Apache (the last field in the log entry) with your homepage size (your index.html). If they match, Apache is serving your homepage instead of forwarding the request to google. If they don’t, probably your Apache is an open forwarding proxy.

References:

• Apache FAQ

To watch the activity of your Apache webserver edit httpd.conf or apache2.conf or whatever is named in your environment and add the following:

…..
LoadModule status_module modules/mod_status.so
…..

ExtendedStatus On
…..

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.10.
</Location>

Now point your browser to…

http://your_server/server-status

You can force the page to refresh automatically every, say, 60 seconds by requesting the following:

http://your_server/server-status?refresh=60

And even make the output suitable for your scripts to be parsed:

lynx -dump “http://192.168.10.2/server-status?auto”

References:

• Apache’s mod_status

Apache can log the process ID of the child that serviced a request. It’s very easy. Simply edit your httpd.conf configuration file and add or modify the following:

LogFormat “%h %l %u %t %P “%r” %>s %b “%{Referer}i” “%{User-Agent}i”" combined

Then tell Apache to reload the configuration file:

/etc/init.d/apache reload

Note the %P directive in the format string, which is replaced in the log file by the value of the process ID that processes the request.
References:

• Custom log formats
• LogFormat directive
• CustomLog directive

The easiest way to start is by simply adding the following lines to your httpd.conf configuration file:

Alias /error “/path/to/documentroot/custom_err”

<Directory “/path/to/documentroot/custom_err”>
AllowOverride None
Options IncludesNoExec
Order allow,deny
Allow from all
</Directory>

ErrorDocument 403 /error/http_err_403.html
ErrorDocument 404 /error/http_err_404.html

Now go to your document root directory (see DocumentRoot directive in your httpd.conf) and make a directory called custom_err:

cd /path/to/documentroot
mkdir custom_err
cd custom_err

Now create the HTML files that would display custom error messages. Here goes a sample:

<html>
<head>
<title>HTTP ERROR 404</title>
<meta http-equiv=”Content-Type” content=”text/html; charset=ISO-8859-1″>
</head>
<body>
<center>
<h3>Ummm… Where are you trying to go?</h3>
<h4>Try <a href=”http://www.karkomaonline.com”>here</a></h4>
</center>
</body>
</html>

Finally restart the Apache daemon and point your browser to a nonexistent page… Et voila!

You can do more sophisticated things such as creating scripts to handle errors, redirections to other sites, etc… but this is your homework for today (see references below).

References:

• Apache ErrorDocument directive
• Custom errors

As many worms/viruses check the Server header before attempting an exploit in order to choose the best attack available, it could be a good idea to provide the minimal information possible (the default is to provide full information). Edit your httpd.conf and add the following:

ServerTokens Prod

This will only send the string Apache in the Server header.

Note that this would not stop skilled bad guys, but would slow down those kiddies playing around.