JBOSS - EAP 6.x Windows new service

Configure JBoss EAP 6 as a Service in Windows 

IBM HTTPServer - HTTP 메소드 차단

WebServer 메소드 차단 방법

---

• Test OS : CentOS 7.2
• Test Version : IBM HTTPServer v8.5

---

IBM HTTPServer 에서 보안상의 이유로 HTTP 메소드 차단 요청이 들어와 테스트한 내용 정리.

• IHS의 경우 apache 기반이기 때문에 해당 설정은 apache에서도 같이 적용이 가능.

httpd.conf 파일 수정

#GET, POST를 제외한 메소드 제한
<Directory />
Options FollowSymLinks
AllowOverride None
 <LimitExcept GET POST>
 Order allow,deny
 Deny from all
 </LimitExcept>
</Directory>

보통 디렉토리 속성안에 넣어서 사용하지만 디렉토리 속성을 안사용할경우 로케이션을 사용.

<Location "/*">
  <LimitExcept GET POST>
  Order allow,deny
  Deny from all
  </LimitExcept>
</Location>

다른 방안으로 rewrite 사용하는 방법도 있다.

LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
 RewriteEngine On
 # GET, POST를 제외하고 모두 405 페이지로 이동
 RewriteCond %{REQUEST_METHOD} !^(GET|POST)
 RewriteRule .* - [R=405,L]
</IfModule>

메소드 차단 테스트로는 해당 메소드 파일을 만들어서 요청하는 방법도 있지만, 간단하게 telnet으로 테스트 가능.

$telnet {domain_address} 80
OPTIONS http://{domain_address}/ HTTP/1.0
OPTIONS http://google.com/ HTTP/1.0
Enter Enter

#모든 메소드 허용의 경우
HTTP/1.1 200 OK
Date: Wed, 04 Jul 2018 01:44:40 GMT
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/html

#메소드가 차단된 경우
HTTP/1.0 405 Method Not Allowed
Allow: GET, HEAD
#
HTTP/1.1 403 Forbidden
Allow: GET, HEAD

위와 같은 방법으로 안대는 경우

web.xml에 secutity-constraint 속성으로 해당 메소드 제한

#web.xml 아래와 같이 메소드 제한 설정
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
</security-constraint>

IBM HTTPServer version info

IHS v8.5, v9.0 apache version Info

PS E:\app\was\HTTPServer\bin> .\apache.exe -V

Server version: IBM_HTTP_Server/8.5.5.0 (Win32)

Apache version: 2.2.8 (with additional fixes)

Server built:   Feb 20 2013 13:50:05

Build level:    IHS90/webIHS1307.02

Server's Module Magic Number: 20051115:21

Server loaded:  APR 1.2.12, APR-Util 1.2.12

Compiled using: APR 1.2.12, APR-Util 1.2.12

Architecture:   32-bit

Server MPM:     WinNT

  threaded:     yes (fixed thread count)

    forked:     no

Server compiled with....

 -D APACHE_MPM_DIR="server/mpm/winnt"

 -D APR_HAS_SENDFILE

 -D APR_HAS_MMAP

 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)

 -D APR_HAS_OTHER_CHILD

 -D AP_HAVE_RELIABLE_PIPED_LOGS

 -D DYNAMIC_MODULE_LIMIT=128

 -D HTTPD_ROOT="/apache"

 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"

 -D DEFAULT_ERRORLOG="logs/error.log"

 -D AP_TYPES_CONFIG_FILE="conf/mime.types"

 -D SERVER_CONFIG_FILE="conf/httpd.conf"

Apache vulnerability fixes included:

  CVE-2005-3352  CVE-2005-3357  CVE-2006-3918  CVE-2006-3747

  CVE-2007-4465  CVE-2007-1862  CVE-2006-5752  CVE-2007-3304

  CVE-2007-1863  CVE-2007-3847  CVE-2008-0005  CVE-2007-5000

  CVE-2007-6388  CVE-2007-6422  CVE-2007-6421  CVE-2006-7225

  CVE-2007-6420  CVE-2008-2364  CVE-2008-2939  CVE-2009-1195

  CVE-2009-1955  CVE-2009-0023  CVE-2009-1956  CVE-2009-1890

  CVE-2009-1891  CVE-2009-2412  CVE-2009-1191  CVE-2009-3094

  CVE-2009-3095  CVE-2009-3555  CVE-2010-0408  CVE-2010-0434

  CVE-2010-1452  CVE-2010-1623  CVE-2009-3560  CVE-2009-3720

  CVE-2011-0419  CVE-2011-1928  CVE-2011-3192  CVE-2011-3348

  CVE-2011-3368  CVE-2011-3639  CVE-2011-4317  CVE-2011-3607

  CVE-2012-0717  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883

  CVE-2012-2190  CVE-2012-2191  CVE-2012-2687  CVE-2012-4558

  CVE-2012-3499  CVE-2012-4557  

PS E:\software\IBM\HTTPServer9\bin> .\apache.exe -V

Server version: IBM_HTTP_Server/9.0.0.0-PI56034 (Win32)

Apache version: 2.4.12 (with additional fixes)

Server built:   Apr 18 2016 20:28:53

Build level:    RIHSX.IHS/webIHS1616.01

Server's Module Magic Number: 20120211:57

Server loaded:  APR 1.5.1, APR-UTIL 1.5.2

Compiled using: APR 1.5.1, APR-UTIL 1.5.2

Architecture:   32-bit

Operating System: Windows

Server MPM:     WinNT

  threaded:     yes (fixed thread count)

    forked:     no

Server compiled with....

 -D APR_HAS_SENDFILE

 -D APR_HAS_MMAP

 -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)

 -D APR_HAS_OTHER_CHILD

 -D AP_HAVE_RELIABLE_PIPED_LOGS

 -D DYNAMIC_MODULE_LIMIT=256

 -D HTTPD_ROOT="/apache"

 -D DEFAULT_PIDLOG="logs/httpd.pid"

 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"

 -D DEFAULT_ERRORLOG="logs/error.log"

 -D AP_TYPES_CONFIG_FILE="conf/mime.types"

 -D SERVER_CONFIG_FILE="conf/httpd.conf"

Apache vulnerability fixes included:

  CVE-2009-1191  CVE-2009-1890  CVE-2009-3094  CVE-2009-3095

  CVE-2010-0434  CVE-2010-0425  CVE-2010-0408  CVE-2009-3555

  CVE-2010-1452  CVE-2010-1623  CVE-2011-3368  CVE-2011-3607

  CVE-2011-3192  CVE-2011-3348  CVE-2011-4317  CVE-2012-0021

  CVE-2012-0031  CVE-2012-0053  CVE-2012-0883  CVE-2012-2687

  CVE-2012-3502  CVE-2012-4558  CVE-2012-3499  CVE-2013-2249

  CVE-2013-1896  CVE-2013-4352  CVE-2013-6438  CVE-2014-0098

  CVE-2014-0963  CVE-2014-0231  CVE-2014-0118  CVE-2014-0226

  CVE-2014-3523  CVE-2014-0117  CVE-2013-5704  CVE-2014-8109

  CVE-2014-3581  CVE-2014-3583  CVE-2015-0253  CVE-2015-3185

  CVE-2015-3183  CVE-2015-1829  CVE-2014-8730  CVE-2015-0228

  CVE-2015-4947  CVE-2015-1283  CVE-2015-7420  CVE-2016-0201