SANS ISC: Internet Storm Center

Whitelisting File Extensions in Apache

Published: 2017-01-15
Last Updated: 2017-01-16 07:12:45 UTC
by Johannes Ullrich (Version: 1)

Last week, Xavier published a great diary about the dangers of leaving behind backup files on your web server. There are a few different ways to avoid this issue, and as usual, defense in depth applies: one should consider multiple controls to prevent these files from hurting you. Many approaches blacklist specific extensions, but as always with blacklists, this is dangerous because it may miss some files. For example, different editors use different extensions to mark backup files, and Emacs (yes... I am an Emacs fan) may not only leave a backup file by appending a ~ to the name, but may also leave a second file with a '#' prefix and suffix if you abort the editor.

For all these reasons, it is nice if you can actually whitelist the extensions that are required for your application.

As a first step, enumerate what file extensions are in use on your site (I am assuming that "/srv/www/html" is the document root):

find /srv/www/html -type f -name '*.*' | sed 's:.*/::; s/.*\.//' | sort | uniq -c | sort -n

     19 html~
     20 css
     20 pdf
     23 js
     50 gif
     93 html
    737 png
   3012 jpg

As you see in the abbreviated output above, most of the extensions are what you would expect from a normal web server. We also got a few Emacs backup HTML files (html~). 

We will set up a simple text file "goodext.txt" with a list of all allowed extensions. This file will then help us create the Apache configuration, and we can use it for other configuration files as well (does anybody know how to do this well in mod_security?). The output of the command above can be used to get us started, but of course, we have to remove the extensions we don't want to see.

find /srv/www/html -type f -name '*.*' | sed 's:.*/::; s/.*\.//' | sort -u > ~/goodext.txt

Next, let's run a script to delete all the files that do not match these extensions. I posted a script that I have used in the past on GitHub.

The script uses the "goodext.txt" file we created above. The first couple of lines can be used to configure it. Of course, run it in "debug" mode first to see which files will be deleted, and make a backup of your site first!

Next, we create an Apache configuration file. Currently, the script only works for Apache 2.2. Apache 2.4 changed the syntax somewhat, and I need to test if the order of the directives needs to change. Include it as part of the Directory section of the configuration file:

Order allow,deny
Allow from all
Include www.goodext

(I don't name the extension file ".conf" so it will not be included automatically but only in this one specific spot).
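The steps above (enumerate extensions, build goodext.txt, list the stray files before deleting anything, emit an Apache 2.2 fragment) as a set of shell functions, added here as an example. This is not the fixbadwebfiles script from GitHub, and the Apache fragment is laid out differently from the Include shown above: it denies the whole directory and then allows only the whitelisted extensions back. The document root, the sample files and the goodext.txt contents are all constructed inside the script.

```shell
#!/bin/sh
# Added example, not the diary's fixbadwebfiles scripts. The sample tree
# created below is constructed here and stands in for the real document root.

# list_extensions DIR: one extension per line, unique. Only the basename is
# examined, so a dot in a directory name (v1.0/) is not taken for an
# extension, and files without any dot are skipped rather than printed whole.
list_extensions() {
    find "$1" -type f -name '*.*' | sed 's:.*/::; s/.*\.//' | sort -u
}

# build_regex GOODEXT: turn the whitelist (one extension per line) into the
# alternation used in the patterns below, e.g. css|html|js. Regex
# metacharacters in an extension name are escaped so they match literally.
build_regex() {
    grep -v '^[[:space:]]*$' "$1" | sed 's/[].*^$[]/\\&/g' | paste -sd '|' -
}

# stray_files DIR GOODEXT: every file whose extension is not whitelisted.
# This is what a delete script should print in debug mode before removing
# anything; editor leftovers such as index.html~ and #index.html# land here.
stray_files() {
    re=$(build_regex "$2")
    find "$1" -type f | grep -Ev "\.(${re})\$" || :
}

# apache_whitelist DIR GOODEXT: Apache 2.2 fragment. Access to DIR is denied
# as a whole, then only whitelisted extensions are allowed again, so anything
# not on the list (including a future ~ or .bak file) is never served.
apache_whitelist() {
    re=$(build_regex "$2")
    printf '<Directory "%s">\n' "$1"
    printf '    Order deny,allow\n    Deny from all\n'
    printf '    <FilesMatch "\\.(%s)$">\n        Allow from all\n    </FilesMatch>\n' "$re"
    printf '</Directory>\n'
}

# --- Constructed sample document root (stands in for /srv/www/html) ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/css" "$ROOT/v1.0"
for f in index.html 'index.html~' '#index.html#' css/site.css v1.0/app.js v1.0/README; do
    : > "$ROOT/$f"
done

# Steps 1 and 2: enumerate, then drop the editor leftovers from the whitelist.
GOODEXT=$(mktemp)
list_extensions "$ROOT" | grep -Ev '[~#]$' > "$GOODEXT"

# Step 3: debug listing of what a cleanup run would remove.
echo "# files outside the whitelist:"
stray_files "$ROOT" "$GOODEXT"

# Step 4: the Apache 2.2 fragment to Include from the Directory section.
echo "# Apache fragment:"
apache_whitelist "$ROOT" "$GOODEXT"
```

FilesMatch is case sensitive, which is why the functions do not lowercase anything: a Photo.JPG on disk is a stray file and will be denied unless "JPG" is on the list, and the enumeration step is the place to notice that. On Apache 2.4 the same layout is written with mod_authz_core directives, `Require all denied` in the Directory section and `Require all granted` inside the FilesMatch, instead of Order/Deny/Allow.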

The two, rather simple, bash scripts to delete the "bad files" and then create the Apache configuration files, can be found here: https://github.com/jullrich/fixbadwebfiles

Why use a script for this vs. just editing the files manually?

  1. typos
  2. faster if you have multiple servers
  3. there are two kinds of sysadmins: those that script, and those that will be replaced by a script.

Note that the scripts are strictly in the "works for me" state. Any bug reports and comments are welcome (use GitHub for bugs).

---
Johannes B. Ullrich, Ph.D.

