Managing Apache2 on Debian Etch

arkin — Sun, 03 Aug 2008 15:32:21 +0000

Thought i’d write a quick guide on managing apache2 once installed and running under debian.

Covers log file management, adding virtual hosts (with subdomains) and basic security.

During this tutorial, it is important that you have root SSH access to your server.

Although this guide is written for Debian, it can be used across many Linux distributions, you will just need to find the locations of the files mentioned and may need to create some additional files.

Part 1 – Log File Management

First of all, we will navigate to our log file directory. Log files in debian are normally kept in /var/log and apache log files have their own directory, so /var/log/apache2.

mars:~# cd /var/log/apache2
mars:/var/log/apache2# ls
access.log  access.log.1  error.log  error.log.1

You may also have seperate log files for specific sites on your server.

Error log is normally the most useful and contains all the errors caught by Apache.
It helps us determine hackers and exploiters and general errors from within our site.

We will use the cat and more commands to view & limit the output of the log.

mars:/var/log/apache2# cat error.log | more
[Sun Aug 03 14:39:11 2008] [error] [client 125.65.112.135] File does not exist: /var/www/site/cms/favicon.ico
[Sun Aug 03 14:39:14 2008] [error] [client 125.65.112.135] File does not exist: /var/www/site/cms/favicon.ico
[Sun Aug 03 14:44:11 2008] [error] [client 125.65.112.135] File does not exist: /var/www/site/robots.txt, referer: http://your.site.com/
[Sun Aug 03 14:49:11 2008] [error] [client 125.65.112.135] File does not exist: /var/www/site/robots.txt, referer: http://your.site.com/
--More--

and/or

mars:/var/log/apache2# cat access.log | grep 404 | more
mars:/var/log/apache2# cat access.log | grep 404
129.241.50.34 - - [01/Aug/2008:20:11:51 +0100] "GET /support.html HTTP/1.1" 404 359 "-" "boitho.com-dc/0.86 ( http://www.boitho.com/dcbot.html )"
82.36.220.196 - - [01/Aug/2008:20:29:03 +0100] "GET /favicon.ico HTTP/1.1" 404 358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.36.220.196 - - [01/Aug/2008:20:29:06 +0100] "GET /favicon.ico HTTP/1.1" 404 358 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
--More--

This shows us that robots.txt is missing and being requests (by search engines) and your favicon.ico is also not present (used for bookmark icons & webpage icon in firefox).

If you want to continue through the error log press your space bar, if you want to cancel and do something else, press control+c.

Now we will investigate the above IP address using cat, grep and more to pull specific entires from the file and limit them (incase theres alot).

mars:/var/log/apache2# cat access.log | grep 125.65.112.135 | more
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=FF6E471372BF51AF4E81E79401BB2C0AFB6111933982 HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=E8DA0FF096B5A4DF4E81E794005023B09FEDA25BA2F8 HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=12FC7BCD3E2683FB4E81E79601BB61BEC3540BEC7B0D HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=AC0D7A2AC9C426304E81E797005052BD8A83720EF4F0 HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
 
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=ED17C0488BDCD4C34E81E7990050BFA51AADCB0A9512 HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.112.135 - - [02/Aug/2008:07:21:27 +0100] "GET http://www.wantsfly.com/prx1.php?hash=B58AD75AA8EF6EDA4E81E79A01BB2B30977E22A9B821 HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
125.65.112.135 - - [02/Aug/2008:07:21:30 +0100] "GET http://www.wantsfly.com/prx1.php?hash=FF9A1DBB63B403CE4E81E79801BBEF64B8651E15FF6B HTTP/1.0" 404 356 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

So now we can see, this user has been naughty trying to referal spam us using a website that doesn’t exist on our server. This is quite common, and the suspected user is obviously forging his user agent (as internet explorer).

If there is one particular IP address or Browser you want to “count” you can use the word count wc command.

For this example, I am going to count all pageviews from the IP range 127.0.0….

mars:/var/log/apache2# cat access.log | grep 127.0.0 | wc -l
78

This shows that 127.0.0.* has accessed 78 files on our server in the log period. The ip address could be replaced with MSIE to count Internet Explorer accesses or Firefox etc.

If you require more examples or additional information, please leave questions in the comments section.

Part 2 – Adding Apache Virtual Hosts

So, if you are dealing with a default apache2 setup (like I am), your virtual hosts can be found in /etc/apache2/sites-enabled/ directory and all these files are loaded as apache reloads. If you do not have this directory, add the entries to the end of your main Apache configuration file, and make sure NameVirtualHost * is above them all.

I try and create my virtual hosts in numeric sequence order.

mars:/etc/apache2/sites-enabled# ls
000-default

So were gonna create 001-example for example.com. I add all my domains in /var/www and give them all a single letter prefix also, so /var/www/e/example for our example site.

mars:/etc/apache2/sites-enabled# mkdir -p /var/www/e/example
mars:/etc/apache2/sites-enabled# nano 001-example

This creates a new file using nano. You can then start adding the configuration.

<VirtualHost *%gt;
        ServerAdmin webmaster@localhost
        ServerName www.example.com
        ServerAlias example.com example.net  www.example.net
        DocumentRoot /var/www/e/example
 
#        ErrorLog /var/log/apache2/error.log
 
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
#        LogLevel warn
 
#        CustomLog /var/log/apache2/access.log combined
#        ServerSignature On
</VirtualHost>

This adds www.example.com as the main domain, and also adds example.com example.net www.example.net as addon domains. You could also add *.example.com under ServerAlias to pick up anything.example.com.

If you are getting permission errors, dont forget to chown and chmod your /var/www/e/example directory to the right user with the right permssions.

You will also need to reload apache2 for the changes to take effect.

mars:/etc/apache2/sites-enabled# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)... waiting .
mars:/etc/apache2/sites-enabled#

Part 3 – Basic Security

In the last part of this guide we will review basic security, the following lines can be added in the configuration, in the main configuration file, or even in a .htaccess in the desired directory.

How to block all users except 1 IP address:

# If the REMOTE_ADDR (Ip address) isn't 127.0.0.1.
RewriteCond %{REMOTE_ADDR} !^127.0.0.1$
# On any page (.*), F=Forbidden, L=Last Rule.
RewriteRule .* - [F,L]

How to block users to the downloads directory who didn’t come from your site.

# If the user didn't come from www.mydomain.com or sub.mydomain.com
RewriteRule %{HTTP_REFERER} !^www.mydomain.com [NC,OR]
RewriteRule %{HTTP_REFERER} !^sub.mydomain.com [NC]
# And they are trying to access anything under the downloads/ folder.
# Then redirect them to http://www.mydomain.com/invalid-referer.html
RewriteRule downloads/(.*) /invalid-referer.html [R=302,L]

I hope you enjoyed reading this guide, please leave comments if you need help.

arkinEx Codex » apache2

Managing Apache2 on Debian Etch