Deploying a WebDAV Server
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
Here we go!
Create and then sign into your Digital Ocean account at https://www.digitalocean.com/. For improved security, enable two-factor authentication on your account.
Click on the “Create Droplet” button at the top of the page.
Click “Create Droplet” in Digital Ocean
Choose the default Ubuntu release (at the time of writing this was 16.04.1), and the cheapest server option, as shown in the images below. Accept other defaults and add your SSH key for logging into your new server. Optionally, set a hostname for your server. Finally, click the big green “Create” button at the bottom of the page to create your instance.
Digital Ocean Droplet Creation Options
That was easy! Now you have a server deployed on the internet.
Successfully Created Digital Ocean Instance (aka Droplet)
First, let’s do some housekeeping on our new instance. Connect to your new instance like so:
SSH Access to Server
Disable password-based SSH logins so that SSH access requires your private key. Edit the file at /etc/ssh/sshd_config by uncommenting the “PasswordAuthentication” line and setting the value to “no”:
Disable SSH Access via Password
Then, restart the SSH service so that your changes take effect.
SSH Configuration Edit and Service Restart
You can verify that SSH access via password has been disabled by trying to SSH from a server that does not have your private key, as shown below. The first attempt was made before the configuration change and prompts the user to enter their password. The second attempt simply denies the user access.
Confirm SSH Key Access Only
Update your server with the following two commands (repeat this often to keep the system up to date):
apt-get update
apt-get dist-upgrade
Install Apache with the following command:
apt-get install apache2
Enable Apache WebDAV functionality:
a2enmod dav
a2enmod dav_fs
Enable Apache WebDAV Modules
Create a webdav directory at /var/www and set www-data as the owner.
Create WebDAV Directory and Set Owner
Configure Apache for read-only access to files in the webdav directory by editing your /etc/apache2/sites-available/000-default.conf file to match the following (comments removed for brevity):
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /webdav /var/www/webdav
    <Location /webdav>
        Options Indexes
        DAV On
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Deny from all
        </LimitExcept>
        Satisfy all
    </Location>
</VirtualHost>
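The two settings configured so far (key-only SSH login and the read-only LimitExcept block) can be checked statically before Apache is restarted. The script below is an added example, not part of the original post; its function names and the --live switch are hypothetical, and it reads only the two files this post edits.

```sh
#!/bin/sh
# Added example (not from the original post): static checks for the SSH and
# WebDAV settings above. Function names are hypothetical; the default paths are
# the ones this post edits.

# Succeeds only if the first uncommented PasswordAuthentication line says "no".
# sshd keeps the first value it reads, and a missing line means the default
# ("yes"). Match blocks and Include files are not evaluated here.
sshd_password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' \
        "${1:-/etc/ssh/sshd_config}")
    [ "$val" = "no" ]
}

# Prints each method that <Location LOC> exempts from "Deny from all" beyond
# GET HEAD OPTIONS PROPFIND, or NO_LIMITEXCEPT if DAV is on with no restriction.
webdav_write_methods() {
    awk -v loc="${2:-/webdav}" '
        { gsub(/[<>"]/, " ") }                      # turn tags into plain fields
        tolower($1) == "location"  { inloc = ($2 == loc); next }
        tolower($1) == "/location" {
            if (inloc && dav && !limited) print "NO_LIMITEXCEPT"
            inloc = dav = limited = 0; next
        }
        !inloc { next }
        tolower($1) == "dav" && tolower($2) == "on" { dav = 1 }
        tolower($1) == "limitexcept" {
            limited = 1
            for (i = 2; i <= NF; i++)
                if ($i !~ /^(GET|HEAD|OPTIONS|PROPFIND)$/) print $i
        }
    ' "${1:-/etc/apache2/sites-available/000-default.conf}"
}

webdav_is_read_only() { [ -z "$(webdav_write_methods "$@")" ]; }

# Check the live files only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    if sshd_password_auth_disabled; then echo "ssh: password login disabled"
    else echo "ssh: password login still allowed"; fi
    if webdav_is_read_only; then echo "webdav: read-only"
    else echo "webdav: not restricted to read-only methods:"; webdav_write_methods; fi
fi
```

On a running server, `sshd -T` prints the effective PasswordAuthentication value, including anything set through Match blocks or included files that this static check does not read.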
Restart Apache and visit your new WebDAV server from a web browser at: http://<your-server-ip>/webdav/
Command to Restart Apache
Initial WebDAV Directory Listing
Congratulations, you now have a WebDAV server! Now, put some files in there that you would like to access. A simple example is given below.
Refresh your web browser to see the file listing.
WebDAV Directory Listing and File Access
The interesting thing about a WebDAV server is that you can access the files from File Explorer by entering the network address as follows:
\\159.203.131.191\webdav
Access WebDAV Files Through Windows File Explorer
Be patient, as it takes a bit of time to load the directory listing after entering the network address. Attempting to open one of these files from the File Explorer gives the following error:
File Permission Error Blocks File Open
This is due to a file permission error because file ownership belongs to “root” instead of the “www-data” user under which Apache runs.
Test Files Owned by Root (Causes Permission Error)
To fix the permission issue, change the ownership of the files as shown below:
Test File Ownership Changed to www-data
The test file can now be opened by clicking on the link in File Explorer.
Test File Opened from WebDAV Server via File Explorer
Forgetting to properly set the file permissions will foil your malicious Outlook rule attempt! The image below shows an example of the pop-up the user will get when the Outlook rule attempts to fire when the permissions on the WebDAV server are not correct.
Outlook Rule Error with Incorrect File Permission on WebDAV Server
In addition, your Malicious Outlook Rule will be automatically disabled as indicated by the red text and no check mark in the check box.
Automatically Disabled Rule on Error