The FreeBSD Diary |
(TM) | Providing practical examples since 1998If you buy from Amazon USA, please support us by using this link. |
FrontPage 2000: What you NEED to know!
3 December 1999
|
This article was written and submitted by J.C. Frazier <sttng@lonetree.com>. Thanks. See also other FrontPage articles especially FrontPage 2000 - installing the extensions. |
Resources
|
These links might prove helpful:
The above link contains the latest tarball... |
Installing FrontPage 2000: What you NEED to know!
|
FrontPage is a very exploited, bug ridden piece of @&@#$&software! When
I first started this great adventure into the world of MS meets FreeBSD, I had no idea
what I was getting in to. Here is the story and the instructions on what you NEED to
know! When I started there were no FrontPage ports, only some BSDI sources that I found on the Microsoft page and a short tutorial on FreeBSD'zine. I followed the instructions to a tee. I myself believed that everything was fine, however a week or so later I received complaints from customers that they could not publish pages from their client. I checked the logs and sure enough "password mismatch". I checked the passwords and everything was right. Hmmm... I'll save that kind of work for another day, I suppose. Four days later I came back and visited Undernet's #FreeBSD channel. I inquired about FrontPage and if there was anyone who knew anything about it. (the documentation that MS provides leaves a LOT to be desired, and newsgroup support is almost as good. btw, MS charges $395/incident if you require their help). There was a nice guy that said he knew about it and would help me in the channel. As I was sitting there at my terminal, I started getting messages of su being used and passwords being changed. I issued a watch on the terminal real quick and discovered someone trying to get into my root directory and mount partitions. I disconnected him and changed the password on the effected account as fast as I could. I then went back to the channel where there was this "once thought to be nice" guy choking on his words trying to explain to me he was just trying to "show me the exploits in FP and how bad it was". Not too much comfort those many nights of work restoring my system for fear of backdoors placed that night. Well, eventually I found a little page called http://www.rtr.com/ where they have a discussion group dedicated to each version of FrontPage. I read every letter and problem on the page and came to the conclusion that FP can be made to be semi secure, however the method of installation shown in FreeBSD Zine comes no where close. There is a patched version that definitely needs to be installed in the source before compilation to obtain any degree of security. And, lucky for me, on that night's cvsup, I noticed that apache-fp ports have been made and were in use. Pre-patched fp. Just what I needed. This time when the FP installation began after apache's compilation, the install script actually worked for virtual hosts, per-user webs, and everything ran much smoother. You can chose the default on just about every option and it more or less installs itself for you. Afterwards I borrowed a friends copy of FP 2000 and made a test page to publish to the server. No such luck. "password mismatch" I was paranoid so I did some other security tests, and ran some exploits I found at http://insecure.org/. The security was much better and the FP extensions had a lot more functionality over the former ones I had tried in the past without success. Time to hit Undernet and the newsgroups again. After 3 days and 4 nights without sleep I finally came to the realization that no one on IRC cares about FrontPage, and definitely no one that runs FreeBSD. I visited 10 networks and every #freebsd, #linux, #frontpage, #bsdi, and #unix channel that I could find. No luck! No one's ever had these problems (mainly because I think not too many people use FrontPage that use unix operating systems). I got blown off or called names in ever channel I visited, even #freebsd....and the reason I believe was the cause of such criticism was more the fact that no one knew the answer then the fact they actually thought the question was stupid. People tend to criticize the things they don't understand....anyways, back to my story. No one knew, no one cared. MS wanted $395 to care. I started posting to newsgroups and finally on the third newsgroup I received a reply. Message after message poured in and I finally realized I was in the right place. NOTE: a little off the subject I would like to compliment the subscribers of the freebsd-isp news group. They were the most friendly and knowledgeable people I found on this little quest of mine and they should be commended for their dedication and people skills. ANYWAYS: I told them the problem and that I thought it had something to do with encryption and that the passwords were fine and gave all the information about my system and configuration. Message after message contained great information and suggestions which I tried and then would post back to the board. After 9 days of being in MS FrontPage world (hell) I finally figured it out, with the help of freebsd-isp. FrontPage uses DES encryption. However the default install and apache use md5. Even after installing the "secure" package, it won't work correctly. You must first install the secure source, and then change the libcrypt() links from libscrypt() to libdescrypt(). There are four links that need changed, by the way. After that you must recompile apache. This will make also apache use DES encryption instead of MD5. Once this is done, you can run FrontPage and everything should be perfect. A few notes: once you do this, all passwords including (but not limited to your master.passwd file) will start encrypting in DES instead of md5. However, this is of little concern. libscrypt() only supports md5, libdescrypt() however supports not only DES, but md5 also. Your old passwords will be fine, yet all new ones will be DES unless you create a user with a MD5 salt ($1$xx) in /etc/master.passwd prior to making the new user. Try it once, it's a little interesting. Here's how to install DES. An easy way to get the des source, if you don't already have it, is to create a file like this one called secure.cvsup: *default host=cvsup3.freebsd.org *default base=/usr *default prefix=/usr *default release=cvs tag=RELENG_3 *default delete use-rel-suffix *default compress src-secure ports-all release=cvs tag=. Then you run: cvsup /directory/to/secure.cvsup This specific file will also sync your ports tree. Once you cvsup the newest source, cd /usr/src/secure/lib/libdes, then make all install. After that has been completed you will have the des libraries, however the correct links still need to be made. /usr/lib/libcrypt* needs to be linked to /usr/lib/lidbescrypt* instead of libscrypt* as the default is set up as. There are 4 files and the commands are as shown below: First see if the des libraries exists after your build: ls -l /usr/lib/libdes* Then delete the current links from MD5: rm /usr/lib/libcrypt* Finally add the new links to DES: ln -s /usr/lib/libdescrypt.a /usr/lib/libcrypt.a ln -s /usr/lib/libdescrypt.so /usr/lib/libcrypt.so ln -s /usr/lib/libdescrypt.so.2 /usr/lib/libcrypt.so.2 ln -s /usr/lib/libdescrypt_p.a /usr/lib/libcrypt_p.a After which all new passwords will be in DES, changes and old passwords will remain in MD5. You need to rebuild apache*-fp to assure apache is in des and will be compatible with FP. In conclusion, I'd just like to say that FreeBSD is great. Sometimes we have heartaches and problems...but it only teaches us more, and we learn what this whole thing is supposed to be about. Making things work. Nine days later and I'm almost (not quite but almost) glad that I was broken into, so that I could find some of the problems and take care of them. FrontPage isn't the devil it's made out to be. It's making me lots of money because not too many other UNIX providers will support it's insecurities. If you consult those that know, and you take your time, and you compile the patch into apache source or get the port, FrontPage can be a good experience. Just remember, do NOT follow the instructions on FreeBSD'zine if you don't like rebuilding systems! And....check out http://www.rtr.com/! Other people's problems help us all. And not to forget the saviors of freebsd-isp. Salutations and thanks for everything! J.C. Frazier sttng@lonetree.com |