Tag Archives: ihs

Log Login Errors of IBM Connections with IBM HTTP Server

You can log login errors within IBM Http Server.

One way would be to use SetEnvIf, but then you can’t match the query string of the error page. When you type a wrong password the URL changes from https://connectionshost/application/login/ to https://connectionshost/application/login/?error=true.

SetEnvIf Request_URI "/login$" log

This sets the environment variable log, but when you read the Apache documentation for Request_URI you find:

The resource requested on the HTTP request line — generally the portion of the URL following the scheme and host portion without the query string. See the RewriteCond directive of mod_rewrite for extra information on how to match your query string

So we need a way to match ?error=true; with mod_rewrite we can access the query string:

LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
# Match only requests whose query string carries the failed-login marker
RewriteCond %{QUERY_STRING} "error=true"
# Pass the request through unchanged, but set the environment variable log
RewriteRule (.*) $1 [E=log:yes]
# Write only requests with that variable set to a separate log file
CustomLog "D:/IBM/HTTPServer/logs/loginpage.log" combined env=log

Now we can access the login page, type a wrong password and check the log:

192.168.110.190 - - [15/Apr/2014:10:40:15 +0200] "GET /homepage/login/?error=true HTTP/1.1" 200 2763 "https://cnxwin.stoeps.local/homepage/login/?error=true" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
192.168.110.190 - - [15/Apr/2014:11:00:49 +0200] "GET /communities/login?error=true HTTP/1.1" 200 2766 "https://cnxwin.stoeps.local/communities/login" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
192.168.110.190 - - [15/Apr/2014:11:00:56 +0200] "GET /blogs/login?error=true&lang=en_us HTTP/1.1" 200 2763 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
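As an added example (not part of the original post), a small Python script that reads the combined-format lines written by the CustomLog above, keeps only requests that hit a Connections login page with error=true in the query string, and flags any client IP with three or more failures inside a five-minute window. The log lines are constructed for the example and modelled on the output shown above; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/IHS "combined" log format, as written by the CustomLog directive above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, modelled on the loginpage.log output shown in the post.
SAMPLE_LOG = """\
192.168.110.190 - - [15/Apr/2014:10:40:15 +0200] "GET /homepage/login/?error=true HTTP/1.1" 200 2763 "-" "Mozilla/5.0"
192.168.110.190 - - [15/Apr/2014:10:40:31 +0200] "GET /communities/login?error=true HTTP/1.1" 200 2766 "-" "Mozilla/5.0"
192.168.110.190 - - [15/Apr/2014:10:40:52 +0200] "GET /blogs/login?error=true&lang=en_us HTTP/1.1" 200 2763 "-" "Mozilla/5.0"
192.168.110.191 - - [15/Apr/2014:10:41:03 +0200] "GET /homepage/login/ HTTP/1.1" 200 2760 "-" "Mozilla/5.0"
192.168.110.191 - - [15/Apr/2014:12:15:00 +0200] "GET /files/login?error=true HTTP/1.1" 200 2761 "-" "Mozilla/5.0"
"""

def parse_failed_logins(text):
    """Yield (ip, timestamp, application) for every request that hit a
    Connections login page with error=true in its query string."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        url = urlsplit(m.group("target"))
        if not url.path.rstrip("/").endswith("/login"):
            continue  # not a login page (with or without trailing slash)
        if parse_qs(url.query).get("error") != ["true"]:
            continue  # login page shown, but no failed attempt
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        app = url.path.strip("/").split("/")[0]  # e.g. "homepage", "blogs"
        yield m.group("ip"), ts, app

def find_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for clients with at least `threshold`
    failed logins inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ip, ts, _app in parse_failed_logins(text):
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = len(times)
                break
    return alerts
```

With the sample above, find_bursts(SAMPLE_LOG) reports 192.168.110.190 (three failures within 37 seconds) and ignores 192.168.110.191, which has a single failure.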

Hardening Connections – Part 1: IBM HTTP Server

Preamble

Before I begin with my securing article, I want to say something about security in IBM Connections. Mainly I don’t like the fact that IBM only supports very specific versions of software.

So we must use WebSphere 7.0.0.21, DB2 9.7.0.5, IHS 7.0.0.11 and so on. Each product has had updates in the last months, and I think we won’t get support when we use other versions.

So I have two choices. On the one hand I can update my software to limit vulnerabilities and perhaps get no support, or I keep vulnerable software with support.

Just my 2 cents, and I hope I will get an answer on whether I will get support with higher program versions.

SSL and IHS

One of our customers had a pentest in the last months, and it found some vulnerabilities in IBM HTTP Server (IHS), which is used to access IBM Connections.

I used a 2048-bit key for SSL, generated with iKeyman, but the pentest report told me that short keys were used for encryption (smaller than 112 bits). So I read a little bit.

The 2048 bits refer to the public key of my host key. SSL uses this key to set up the connection between browser and web server; within the SSL handshake, session keys are generated on the basis of this host key, and their length is determined by the negotiated cipher, not by the host key. Browser and server check which protocols and ciphers are enabled on both sides and use one that both support.

You can check your SSL enabled server here: https://www.ssllabs.com/ssltest/index.html.

Information on ciphers with IHS: http://www-01.ibm.com/software/webservers/httpservers/doc/v10/ibm/9acdciph.htm

You can limit the available ciphers and protocols on your IBM HTTP Server.

First you should disable SSL v2: SSLProtocolDisable SSLv2

I configure the directives in my virtual host section:
...

<IfModule mod_ibm_ssl.c>
    Listen 0.0.0.0:443
    <VirtualHost *:443>
        ServerName connections.example.com
        SSLEnable
        SSLProtocolDisable SSLv2
        SSLCipherSpec 3A
        SSLCipherSpec 34
        SSLCipherSpec 35
        SSLCipherSpec 2F
        SSLCipherSpec 35b
    </VirtualHost>
</IfModule>

...

Unfortunately, TLS v1.1 and v1.2 support only comes with IHS 8, so we can’t use them with IHS 7.

This is my first article on securing IHS and Connections. The next part will continue with IHS: I want to disable some parts which come with the default httpd.conf and are not used with Connections.