Apache Server Status–> Status Secured

You know, working at F5 has some real perks. Cool gatherings, good workspace and my favorite part, really really REALLY smart people. I often tell people who ask why I love working at F5:

“The best part about it, is standing up, looking around, and realizing, I am surrounded by really smart, knowledgeable people.”

A great example of this came across my virtual desk in the tubes just last Friday. A group of our FSEs (Field Support Engineers) and SAs (Solution Architects) put out a great advisory regarding an information disclosure vulnerability from Apache server status. Check out the highlights below:

------------------------------------------------------------------------------

Apache has a very useful functionality called server-status that allows administrators to easily find how well their servers are performing.

It is basically an HTML page that displays the number of processes working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good.

However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs, and sometimes even find hidden (obscure) admin panels or files that should not be visible to the outside.

http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html

http://urlfind.org/?server-status

 

Below is a simple iRule to mitigate against this issue.

This was written for v11 F5 TMOS.

Step 1

Create a String-type data group called “bad_uris” containing the string of “/server-status/” (without quotations). No value is necessary. Also if you wanted to block other common attacks you could add /cmd.exe to this list…

ltm data-group internal /Common/bad_uris {
    records {
        /server-status/ { }
    }
    type string
}

Step 2

Create the following iRule and modify the page below to point to an error page or maintenance page on your site.

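when HTTP_REQUEST {
    # Lower-case and URL-decode the requested URI, then look for any bad_uris entry in it
    if { [class match [URI::decode [string tolower [HTTP::uri]]] contains bad_uris] } {
        # Redirect matching requests to the error page and mark the response as non-cacheable
        HTTP::respond 302 Location "http://company.com/errorpage.html" Cache-Control No-Cache Pragma No-Cache
    }
}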

Step 3

Apply the iRule to your web app Virtual Server, under Resources.

Example of Apache Server Status Data:

------------------------------------------------------------------------------

End of Original Transmission
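
An offline check of which request URIs the Step 2 match would redirect, added here as an example; it is not part of the advisory or of F5's code. It approximates `string tolower`, `URI::decode` and `class match ... contains` in Python, and the function names, the sample URIs and the second record set (no trailing slash) are constructed assumptions.

```python
from urllib.parse import unquote

# Record exactly as given in Step 1 of the advisory.
PAGE_RECORDS = ["/server-status/"]
# Assumed variant for comparison only (not from the page): no trailing slash.
VARIANT_RECORDS = ["/server-status"]

# Constructed sample request URIs (path plus optional query string).
SAMPLE_URIS = [
    "/server-status/",
    "/Server-Status/",
    "/server%2Dstatus/",
    "/server-status",
    "/server-status?auto",
    "/index.html",
]


def normalize(uri: str) -> str:
    """Same order as the iRule: lowercase first, then one pass of percent-decoding."""
    return unquote(uri.lower())


def is_blocked(uri: str, records: list[str]) -> bool:
    """Approximates `class match <uri> contains <data group>`: any record is a substring."""
    value = normalize(uri)
    return any(record in value for record in records)


def coverage(records: list[str]) -> dict[str, bool]:
    """Map each sample URI to whether the rule would send the 302."""
    return {uri: is_blocked(uri, records) for uri in SAMPLE_URIS}


def gaps(records: list[str]) -> list[str]:
    """Sample URIs that name server-status but are not caught by the record set."""
    return [u for u, hit in coverage(records).items()
            if "server-status" in normalize(u) and not hit]


if __name__ == "__main__":
    for label, records in (("page", PAGE_RECORDS), ("variant", VARIANT_RECORDS)):
        print(label, records)
        for uri, hit in coverage(records).items():
            print(f"  {'302' if hit else 'pass'}  {uri}")
        print("  not covered:", gaps(records))
```

Run it with the records you actually load into bad_uris before applying the iRule; any URI listed under "not covered" would reach the back-end Apache server without the redirect.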

Pretty cool, eh? What this really allows us to do is protect all the Apache servers in the environment that come through the F5. This helps protect us from the little mistakes that can be (and are) made when spinning up a new server. If the new intern spins up the new server and forgets that they left this page out there, the F5 can make sure that external forces can’t access it.

Give it a shot, it’s a very low overhead iRule.

Major shoutouts to the crew:

Matt Fearnow

Rob Eberhardt

Aaron Hooley

David Remington

for this great doc!

 

Peace out all!

Josh

Published Nov 05, 2012
Version 1.0