How to protect web server on Kali Linux from unauthorized access
Suppose you have installed Mutillidae, DVWA, or something similar for penetration testing practice (see “How to install OWASP Mutillidae II and Damn Vulnerable Web Application (DVWA) in Kali Linux”).
These applications contain many vulnerabilities; some of them allow file upload (backdoors) and SQL injection. Exploiting such flaws can lead to complete compromise of the web server, and with it the entire computer. The safest option is therefore to restrict access to the web server from outside.
Access control (which IP addresses may or may not connect) is configured in a .htaccess file. By default, however, support for this file is disabled, so any settings in it are simply ignored.
To enable .htaccess on Kali Linux, open the /etc/apache2/apache2.conf file:
sudo gedit /etc/apache2/apache2.conf
Find the lines there:
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
And replace them with:
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>
Now restart the web server for the changes to take effect:
sudo systemctl restart apache2
The root folder of the sites is /var/www/html/, so create a .htaccess file there:
sudo gedit /var/www/html/.htaccess
In fact, a .htaccess file can be created in any folder with sites. Remember that access to any folder on the web server is affected by both the .htaccess file in the current directory and the .htaccess files in the parent directories.
If you need to deny access to all IP addresses except local ones, use:
Require ip 10 172.20 192.168.2
You can prohibit all remote connections with the directive:
Require local
Note that, despite the name, Require local allows only connections from the same computer (localhost); any other remote connection is refused, even from the local network.
With “Require ip” you can specify a single IP address or a network range in several notations:
Require ip 10.1.2.3
# OR
Require ip 10.1
# OR
Require ip 10.1.0.0/16
# OR
Require ip 10.1.0.0/255.255.0.0
# OR
Require ip ::1
The “Require ip” directive may be used several times in the same file.
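The two steps above (switching AllowOverride in the /var/www/ block, then writing Require rules into .htaccess) are easy to get subtly wrong: a blanket search-and-replace also flips AllowOverride in the <Directory /> block, and it is not obvious which clients a partial address such as “172.20” or a bare “Require local” actually admits. The following added example, which is not part of the original article and not Apache code, models both. SAMPLE_APACHE_CONF is a constructed copy of the relevant part of apache2.conf, and ip_spec_matches / is_allowed are an assumed model of mod_authz_host's “Require ip”, “Require local” and “Require all” semantics (several Require lines outside RequireAll/RequireAny act as RequireAny). Use it to check a rule set against the addresses you expect before you rely on it.

```python
import ipaddress
import re

# Constructed sample of the relevant part of /etc/apache2/apache2.conf
# (not the page's file; the two blocks mirror the stock Debian layout).
SAMPLE_APACHE_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def enable_htaccess(apache_conf: str) -> str:
    """Switch AllowOverride None to All inside the <Directory /var/www/> block only.

    A file-wide replace would also touch <Directory />, which must keep
    AllowOverride None; restricting the edit to one block avoids that.
    """
    def fix_block(match):
        return match.group(0).replace("AllowOverride None", "AllowOverride All")

    return re.sub(r"<Directory /var/www/>.*?</Directory>", fix_block,
                  apache_conf, flags=re.S)


def ip_spec_matches(client: str, spec: str) -> bool:
    """Model of one argument to `Require ip` (assumed mod_authz_host semantics).

    Accepted forms: full IPv4/IPv6 address, CIDR prefix, IPv4 with dotted
    netmask, and a partial IPv4 address such as "10.1" that matches 10.1.x.x.
    """
    addr = ipaddress.ip_address(client)
    if "/" in spec:
        # ipaddress accepts both "10.1.0.0/16" and "10.1.0.0/255.255.0.0";
        # membership is False when the address families differ.
        return addr in ipaddress.ip_network(spec, strict=False)
    if ":" in spec or spec.count(".") == 3:
        return addr == ipaddress.ip_address(spec)
    # Partial IPv4 address: compare the leading octets only.
    octets = spec.split(".")
    return addr.version == 4 and str(addr).split(".")[: len(octets)] == octets


def is_allowed(client: str, htaccess: str) -> bool:
    """Evaluate the `Require` lines of a .htaccess file for one client address.

    Several Require lines outside <RequireAll>/<RequireAny> behave as
    RequireAny: the first matching line grants access. A file with no Require
    line changes nothing, so the parent directory's `Require all granted`
    still applies (modelled here by returning True).
    """
    addr = ipaddress.ip_address(client)
    seen_require = False
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0].lower() != "require":
            continue
        seen_require = True
        kind, args = words[1].lower(), words[2:]
        if kind == "all":
            if args and args[0].lower() == "granted":
                return True
            continue  # "all denied" never matches; try the next line
        if kind == "local":
            # Simplification: only loopback counts as local here (Apache also
            # accepts a client address equal to the server's own address).
            if addr.is_loopback:
                return True
            continue
        if kind == "ip":
            if any(ip_spec_matches(client, spec) for spec in args):
                return True
            continue
        raise ValueError(f"directive not modelled by this example: {line}")
    return not seen_require


if __name__ == "__main__":
    rules = "Require ip 10 172.20 192.168.2"
    for ip in ("10.5.6.7", "172.20.1.1", "192.168.2.50", "192.168.3.1", "8.8.8.8"):
        print(f"{ip:>14}  {'allowed' if is_allowed(ip, rules) else 'denied'}")
    print(enable_htaccess(SAMPLE_APACHE_CONF))
```

Running the block prints a decision table for the article's rule set (note that 192.168.3.1 is refused, because “192.168.2” only covers 192.168.2.x) and the patched configuration, in which only the /var/www/ block has changed. After editing the real file, run sudo apachectl configtest before restarting so a typo does not leave the service down.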
Vulnerable web applications for penetration testing:
- bWAPP
- Damn Vulnerable Web Application (DVWA)
- Damn Vulnerable Web Services
- OWASP Broken Web Applications Project
- OWASP Mutillidae II
- Samurai Web Testing Framework
- Web security dojo