Linux HackFest Series: Evil /etc/hosts file

Lisa Kachold lisakachold at obnosis.com
Thu Dec 11 20:25:07 MST 2008 

Actually, in Windows you set the Default ServerName to localhost and use name based virtuals, using the ip address 127.0.0.1.

Again, layering on php.ini and my.cnf or whatever else, with a good security test of all configurations, is ESSENTIAL!

Using 127.0.0.1 for the Apache ServerName in httpd.conf is a common "tool", generally used with name based virtual hosting where you don't have a FQDN for the server.
 
But all of the security around localhost is lost if the hostname resolves for both the trusted 127.0.0.1 and via DNS for the IPaddress.  Additionally, if the firewall is not filtering ip addresses based on externally routed subnets disallowing spoofing from packets with headers reporting they are from 127.0.0.1, well you get the idea?

Apache Name Based Virtual localhost "Hack" Seen in many HowTo's:

If you do not have a FQDN for your server, when starting and stopping Apache there may be a complaint such as "Could not determine the server's fully qualified
domain name, using 127.0.1.1 for ServerName".  If this applies to you, go into your /etc/hosts file and make the following hacks.
Basically, we'll be adding "localhost.localdomain" to the 127.0.0.1 IP and whatever system name you chose when you
installed Ubuntu (assuming you've not changed it).  The final line below should be there if you have a static IP, and
corresponding DNS name registered to it.  If this is the case, earlier steps that wanted ServerName should have a value
which corresponds to the DNS name also indicated here.





127.0.0.1 localhost localhost.localdomain {your system name}

127.0.1.1 {your system name}

{static IP if you you have one} {fully qualified DNS host name if you have one}




If
you don't have a fully qualified domain name (FQDN) for your box, you may need to make
an additional tweak.  In your /etc/apache2/apache2.conf file, you may want to add the following
line at the very end of the file if Apache is still complaining about lacking a fully
qualified domain name at startup:        ServerName localhost


==============end hack========

It's just as easy to set the server hostname and ip address staticly to a standard hosts file?  Name based virtualhosting still works!


For 443 certificate based virtuals, you MUST have your SSL cert FQDN match the csr, and crt.  

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the AZ Department of Economic
Security will provide a one hour
presentation on forensics 1/10/09 Noon at UAT.edu.




> From: alex at crackpot.org
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: Re: Linux HackFest Series:  Evil /etc/hosts file
> Date: Thu, 11 Dec 2008 19:50:47 -0700
> 
> 
> On Dec 10, 2008, at 12:27 PM, Lisa Kachold wrote:
> 
> > Trust is the basis for all security.
> >
> > The "evil" /etc/hosts file would look like this:
> >
> > # /etc/hosts
> > 127.0.0.1   hostname localhost localhost.localdomain
> >
> > # end
> >
> > A good /etc/hosts file appears:
> >
> > # /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain
> > 192.168.6.66   hostname
> >
> > # end
> 
> BTW, an /etc/hosts file like the first one will also mess up an Apache  
> SSL virtual host for hostname.
> 
> Given something like this:
> <VirtualHost *:443>
>    ServerName hostname
> </VirtualHost>
> 
> Apache will resolve 'hostname' to 127.0.0.1 when it starts up.  When a  
> new SSL request comes in for 192.168.6.66, you've got breakage.
> 
>   sudo httpd -t -D DUMP_VHOSTS
> 
> will let you see how Apache has parsed your virtual hosts, and you  
> would be able to see an SSL site reported as 127.0.0.1 in this  
> situation.

_________________________________________________________________
Suspicious message? There’s an alert for that. 
http://windowslive.com/Explore/hotmail?ocid=TXT_TAGLM_WL_hotmail_acq_broad2_122008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20081212/5a203dd1/attachment.htm

More information about the PLUG-discuss mailing list