
Bug#777546: Please don't grant localhost unconditional access to mod_status



Package: apache2
Version: 2.4.10-9
Severity: wishlist
Tags: security

Hello

When one installs a tor hidden service, a local proxy is installed.
This is an example from the default /etc/tor/torrc [1] (this is commented
out in the example):
#HiddenServicePort 80 127.0.0.1:80

This means that all httpd connections seem to come from localhost.

This is a problem for mod_status, enabled by default, whose access is
based on the incoming IP. Compromised information sometimes includes the
public IP address, which is annoying for a hidden server, patch level, URL
being served, source IP addresses ... [2]


The obvious solution is to disable the module when using tor, but then
you lose the command "apache2ctl status", which is a pity.
Note that "service apache2 status" does work OK, however.


Some people have suggested that this URL might be protected by a
password, and I believe it's the "lesser bad" idea. This is what I think
would be needed:
- Have postinst generate a random strong password. Store it in a file
readable by apache & apache2ctl.
- Have the default mod_status protected by that password.
- Have apache2ctl use that user/password. I did not test if all packages
providing www-browser support the
http://user:password@localhost:80/server-status syntax.
This requires some auth modules to be enabled, which is probably a bad
idea. And it exposes the password in "ps", too.


A variant of that solution would be to randomize the /server-status URL,
to include a secret suffix.


Another, simpler and more radical, solution would be to disable mod_status
by default. Then, and actually in all cases, apache2ctl should test
"a2query -q -m status" and print a better error message than "The
requested URL /server-status was not found on this server.", suggesting
that the user enable the module if he wants that.


What is your opinion on that problem?


Do you see a more generic way to restrict tor incoming connections so
that they don't match the "require local" filter?


Feel free to adjust tags/severity.


[1]
https://sources.debian.net/src/tor/0.2.6.2-alpha-1/src/config/torrc.sample.in/
[2]
https://lists.torproject.org/pipermail/tor-talk/2015-February/036781.html

-- Package-specific info:

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.10-9
ii  apache2-data   2.4.10-9
ii  apache2-utils  2.4.10-9
ii  dpkg           1.17.23
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.1-5
ii  procps         2:3.3.9-8

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  chromium [www-browser]                           40.0.2214.91-1
ii  iceweasel [www-browser]                          31.4.0esr-1
ii  lynx-cur [www-browser]                           2.8.9dev1-2+b1
ii  w3m [www-browser]                                0.5.3-19

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-13
ii  libldap-2.4-2            2.4.40-3
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3
ii  libssl1.0.0              1.0.1k-1
ii  libxml2                  2.9.1+dfsg1-4
ii  perl                     5.20.1-5
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2 is related to:
ii  apache2      2.4.10-9
ii  apache2-bin  2.4.10-9

-- no debconf information
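The following Apache configuration is an added illustration of the exposure described in this report and of one way to close it; it is not from the bug report and not the Debian apache2 package's own status.conf. It assumes the hidden service is pointed at a dedicated loopback port (HiddenServicePort 80 127.0.0.1:8080 in torrc rather than 127.0.0.1:80); the port number, ServerName and DocumentRoot are placeholders.

```apache
# Added example (not from the bug report or the Debian apache2 package).
# Assumption: torrc uses "HiddenServicePort 80 127.0.0.1:8080" so that
# hidden-service traffic arrives on its own listener.

# Default-style mod_status rule: any connection from the loopback interface
# is allowed. The Tor hidden-service proxy connects from 127.0.0.1, so with
# "HiddenServicePort 80 127.0.0.1:80" every hidden-service visitor satisfies
# "Require local" and can read /server-status.
<Location /server-status>
    SetHandler server-status
    Require local
</Location>

# Hardened variant: a separate loopback listener that only Tor forwards to,
# whose virtual host explicitly denies /server-status. A <Location> in a
# virtual host is applied after the server-wide one, and with the default
# "AuthMerging Off" its Require replaces the inherited "Require local", so
# hidden-service requests get 403 while "apache2ctl status" against the
# normal port 80 listener keeps working.
Listen 127.0.0.1:8080

<VirtualHost 127.0.0.1:8080>
    ServerName hidden-service.example   # placeholder
    DocumentRoot /var/www/hidden        # placeholder

    <Location /server-status>
        Require all denied
    </Location>
</VirtualHost>
```

Moving Tor to its own port does nothing by itself: the forwarded requests still originate from 127.0.0.1 and still satisfy "Require local". The explicit deny in the Tor-facing virtual host is what removes the status page from the hidden service, and it leaves the server-wide rule, and therefore apache2ctl's localhost lookup, untouched.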
