Post on 19-May-2015


Apache Web Server

How does Apache work?

[Diagram: Web Browser (i.e. Netscape) <-- HTTP, HTTPS --> Web Server (i.e. Apache)]

Why Apache?

• Free!!
• Comes with Linux packages (almost every distribution)
• Most popular

Problems & Risks

• Types of web attack
  – Denial of service
  – Defaced web page
  – Deletion of files
  – Placement of malicious software such as a trojan horse or worm

• Risks of Apache
  – From the system administrator
    • Thinks "Apache is the best!!"
    • Ignores hardening
  – From Apache itself
    • Apache is not secure
    • The website apache.org was hacked in May 2000

Hardening Apache Step-by-Step

1. Create the web server group/user
2. Download the appropriate Apache distribution
3. Apply the latest web server patches
4. Configure/compile/install the Apache distribution
5. Edit the Apache configuration file, httpd.conf
6. Change ownership/permissions on directories and files
7. Clean out unneeded files and directories
8. Update the Apache start script for notification
9. Advanced settings: miscellaneous security enhancements

Step 1: Create the Web Server Group/User

1.1 Create a group for web server content: webmaster:webmaster
1.2 Create a specific user for the web server: nobody:nobody
1.3 Create a quota for the web server
1.4 Verify the quota
1.5 Lock down the new account

Step 1: Create the Web Server Group/User (Cont.)

Access matrix (R = read, W = write, - = no access):

Role                        Content   CGI   logs   tools   conf
Web server (user nobody)    R         R     -      -       -
Web author                  RW        R     -      -       -
Web developer               RW        RW    -      -       -
Webmaster (user webmaster)  RW        RW    R      R       RW

Step 1: Create the Web Server Group/User (Cont.)

[Diagram: the user root runs the start script, which launches the parent http process as root; the parent forks child http processes, and each child executes as the unprivileged user nobody]

Step 2: Download the Appropriate Apache Distribution

2.1 Download the Apache source
2.2 Verify the PGP signatures
2.3 Verify the MD5 checksums

Step 3: Apply Latest Web Server Patch

• Latest patches for Apache: http://www.apache.org/dist/httpd/patches/

• Apply a patch:

    # cd apache_source_directory
    # patch -p0 < /tmp/proxy_http1.1_chunking.patch

Step 4: Configure/Compile/Install the Apache Distribution

4.1 Configure the Apache distribution
4.2 Edit the httpd.h file (these strings make up the server banner):

    #define SERVER_BASEVENDOR   "Apache Group"
    #define SERVER_BASEPRODUCT  "My-Server"
    #define SERVER_BASEREVISION "4.0"

4.3 Compile Apache
4.4 Install the software

Step 5: Edit the Apache Configuration File - httpd.conf

5.1 Basic web server settings
  o ServerType
  o HostnameLookups on
  o User & Group
  o Port
  o ServerAdmin
  o ServerRoot
  o ServerName

5.2 Security-related settings
  o LogLevel notice
  o CustomLog ... combined
  o ErrorLog ...

Some of the error messages seen in the ErrorLog:

• File does not exist: a URL that does not exist was requested
• File permissions deny server access: a document was requested that the server does not have sufficient privileges to read
• Password mismatch: a protected document was requested with an incorrect password
• Client denied by server configuration: access to a directory is restricted to certain IP addresses
• Malformed header from script: a warning that a script produced bad output which cannot be interpreted correctly
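The five messages above are the ones worth counting during a review of the ErrorLog. The following shell script is an added example, not part of the original slides: it classifies error_log lines into those types and reports counts per type and per client address. The log lines, paths and addresses in it are constructed for the example.

```shell
# Added example, not part of the original slides: sort Apache error_log lines into
# the five message types listed above and count them per type and per client,
# so a review of the ErrorLog can spot a burst of one kind (e.g. many password
# mismatches from one address). The log lines, paths and IPs are constructed.
SAMPLE_ERROR_LOG='[Mon May 19 10:01:02 2015] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/phf
[Mon May 19 10:01:03 2015] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/cgi-bin/test-cgi
[Mon May 19 10:02:10 2015] [error] [client 192.0.2.11] (13)Permission denied: file permissions deny server access: /var/www/htdocs/private/report.html
[Mon May 19 10:03:15 2015] [error] [client 198.51.100.7] user admin: password mismatch: /admin/
[Mon May 19 10:03:16 2015] [error] [client 198.51.100.7] user admin: password mismatch: /admin/
[Mon May 19 10:04:00 2015] [error] [client 203.0.113.5] client denied by server configuration: /var/www/htdocs/conf/
[Mon May 19 10:05:30 2015] [error] [client 192.0.2.12] malformed header from script. Bad header=<html>: /var/www/cgi-bin/search.cgi'

# classify_line LINE: print the message type of one error_log line, or "other".
classify_line() {
  case "$1" in
    *"File does not exist"*)                   echo file_not_found ;;
    *"file permissions deny server access"*)   echo permission_denied ;;
    *"password mismatch"*)                     echo password_mismatch ;;
    *"client denied by server configuration"*) echo client_denied ;;
    *"malformed header from script"*)          echo malformed_header ;;
    *)                                         echo other ;;
  esac
}

# count_category LOG TYPE: number of lines of LOG with the given message type.
count_category() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_line "$line")" = "$2" ]; then n=$((n + 1)); fi
  done <<EOF
$1
EOF
  echo "$n"
}

# clients_for_category LOG TYPE: "ip count" per client address, busiest first.
clients_for_category() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ "$(classify_line "$line")" = "$2" ]; then
      printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p'
    fi
  done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

count_category "$SAMPLE_ERROR_LOG" password_mismatch          # 2
clients_for_category "$SAMPLE_ERROR_LOG" file_not_found       # 192.0.2.10 2
```

On a live server, replace SAMPLE_ERROR_LOG with the contents of the ErrorLog file and compare the per-client counts against the previous day's review.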

5.2 Security-related settings (Cont.)
  o <Directory>
  o Options
  o AllowOverride None
  o IncludesNoExec
  o SymLinksIfOwnerMatch
  o Order and Allow/Deny from (use IP addresses)
  o ServerSignature Off
  o ServerTokens ProductOnly
  o CoreDumpDirectory ...
  o Error responses
    o 401/403 errors
    o Other status codes
  o LimitExcept

5.3 Access control: restrict access to a file or directory

• Host-based authentication

[Diagram: the client sends a request; the server takes the client's IP address/hostname, compares it against the allow list ("Is it in the allow list?") and the deny list ("Is it in the deny list?"), and authenticates the request on that basis]
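The order in which the allow and deny lists are consulted decides the outcome, and the two Order settings have opposite defaults. The shell script below is an added example, not part of the original slides: it reproduces that evaluation for a client address so a planned <Directory> restriction can be checked before it goes into httpd.conf. The addresses and prefixes in it are constructed.

```shell
# Added example, not part of the original slides: evaluates a client address against
# "Order", "Allow from" and "Deny from" lists the way the diagram above describes
# (is it in the allow list? is it in the deny list?), so a planned <Directory>
# restriction can be checked before it goes into httpd.conf. Lists hold "all" or
# dotted IP prefixes as Apache accepts them: "10.1" covers 10.1.x.x but not 10.10.x.x.
# All addresses below are constructed.

# ip_in_list IP LIST: succeeds if IP matches any space-separated entry of LIST.
ip_in_list() {
  for entry in $2; do
    [ "$entry" = all ] && return 0
    case "$1." in
      "$entry."*) return 0 ;;   # prefix match on whole octets only
    esac
  done
  return 1
}

# access_decision ORDER ALLOW_LIST DENY_LIST IP: prints "granted" or "denied".
#   Order allow,deny: default deny; the client must match Allow and not match Deny.
#   Order deny,allow: default allow; denied only if it matches Deny and not Allow.
access_decision() {
  in_allow=0; in_deny=0
  ip_in_list "$4" "$2" && in_allow=1
  ip_in_list "$4" "$3" && in_deny=1
  case "$1" in
    allow,deny) if [ $in_allow = 1 ] && [ $in_deny = 0 ]; then echo granted; else echo denied; fi ;;
    deny,allow) if [ $in_deny = 1 ] && [ $in_allow = 0 ]; then echo denied; else echo granted; fi ;;
    *) echo "unknown Order: $1" >&2; return 2 ;;
  esac
}

# A directory limited to the internal network, as in "Order and Allow/Deny from (use IP)":
#   Order deny,allow
#   Deny from all
#   Allow from 10.1
access_decision deny,allow "10.1" "all" 10.1.5.9       # granted: internal host
access_decision deny,allow "10.1" "all" 10.10.5.9      # denied: 10.1 does not match 10.10
access_decision allow,deny "all" "10.1.5.9" 10.1.5.9   # denied: Allow all, but explicitly denied
```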

5.3 Access control: restrict access to a file or directory (Cont.)

• HTTP-specified Basic Authentication

[Diagram: the client sends a request; the server replies that authentication is required; the client sends its username and password; the server checks them against the .htpasswd file]

5.4 Common attack signatures
  – mod_rewrite voodoo
  – Robots

5.5 CGI-bin mischief
  – Review CGI files/code
  – Fake CGIs
    • Foil vulnerability scanners
    • Fake PHF
  – <DirectoryMatch>
  – <FilesMatch>

5.6 Denial of service
  – Timeout 60
  – KeepAlive On
  – KeepAliveTimeout 15
  – StartServers 10
  – MinSpareServers 10
  – MaxSpareServers 20

5.7 Buffer overflows
  – LimitRequestBody 10240
  – LimitRequestFields 40
  – LimitRequestFieldSize 100
  – LimitRequestLine 500
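The settings from 5.2, 5.6 and 5.7 are easy to lose when a configuration file is replaced during an upgrade. The shell script below is an added example, not part of the original slides: it reads an httpd.conf text and reports every directive that is missing or differs from the values given above, and shows a default-style configuration next to the hardened one. Both configurations are constructed for the example.

```shell
# Added example, not part of the original slides: audits an httpd.conf text for the
# settings of 5.2, 5.6 and 5.7 above, printing one line per missing or weak directive
# and returning the number of findings (0 = pass). Both configurations are constructed.

# directive_value CONF NAME: value of the last uncommented NAME line, or empty.
directive_value() {
  printf '%s\n' "$1" | awk -v name="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(name) { v = $2 }
    END { print v }'
}

# audit_httpd_conf CONF: compare against the values the slides recommend.
audit_httpd_conf() {
  findings=0
  for pair in ServerSignature=Off ServerTokens=ProductOnly AllowOverride=None \
              LimitRequestBody=10240 LimitRequestFields=40 \
              LimitRequestFieldSize=100 LimitRequestLine=500; do
    name="${pair%%=*}"; want="${pair#*=}"; got="$(directive_value "$1" "$name")"
    if [ -z "$got" ]; then
      echo "MISSING $name (expected $want)"; findings=$((findings + 1))
    elif [ "$got" != "$want" ]; then
      echo "WEAK    $name $got (expected $want)"; findings=$((findings + 1))
    fi
  done
  # A long Timeout keeps slow or idle connections occupying server processes.
  t="$(directive_value "$1" Timeout)"
  if [ -z "$t" ] || [ "$t" -gt 60 ]; then
    echo "WEAK    Timeout ${t:-unset} (expected 60 or less)"; findings=$((findings + 1))
  fi
  return $findings
}

# A default-style configuration: full version banner, no request limits, long timeout.
WEAK_CONF='ServerTokens Full
ServerSignature On
Timeout 300
AllowOverride All'

# The same settings after applying 5.2, 5.6 and 5.7.
HARDENED_CONF='ServerSignature Off
ServerTokens ProductOnly
Timeout 60
AllowOverride None
LimitRequestBody 10240
LimitRequestFields 40
LimitRequestFieldSize 100
LimitRequestLine 500'

audit_httpd_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"        # 8 findings
audit_httpd_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```

To audit a real file, pass "$(cat /path/to/httpd.conf)" instead of the embedded text; directives inside <Directory> blocks are picked up as well.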

Step 6: Change Ownership/Permissions on Directories and Files

6.1 Server configuration directories
    # chown -R root <Conf_Dir>
    # chgrp -R webmaster <Conf_Dir>
    # chmod -R 770 <Conf_Dir>

6.2 Document root directory
    # chown -R webmaster <htdocs_Dir>
    # chgrp -R webmaster <htdocs_Dir>
    # chmod -R 775 <htdocs_Dir>

6.3 CGI-bin directory
    # chown -R root <Cgi-bin_Dir>
    # chgrp -R webmaster <Cgi-bin_Dir>
    # chmod -R 775 <Cgi-bin_Dir>

6.4 Log files
    # chown -R root <Logs_Dir>
    # chgrp -R webmaster <Logs_Dir>
    # chmod -R 750 <Logs_Dir>

6.5 Bin directory
    # chown -R root <Bin_Dir>
    # chgrp -R webmaster <Bin_Dir>
    # chmod -R 770 <Bin_Dir>

Step 7: Clean Out Unneeded Files and Directories

7.1 Src directory
7.2 Default HTML documents

Step 8: Update Apache Start Script for Notification

• Lets the system administrator know that the Apache web server has been restarted

Step 9: Advanced Settings - Miscellaneous Security Enhancements

9.1 Worms at war, such as CodeRed and Nimda
9.2 Swatch
9.3 Monitor changes in web content
9.4 Secure index pages
9.5 Chroot
9.6 Secure Socket Layer (SSL)

Bug/Exploit

• CERT® Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability (June 17, 2002)
• CERT® Advisory CA-2002-27: Apache/mod_ssl Worm (September 14, 2002)
• Related link: http://httpd.apache.org/security_report.html

Hardening a Dedicated Server & Network Diagram

• Download and install the latest versions of the daemon
• No user login accounts
• All updates are done from the internal network
• Audit and penetration testing on your server
• Carefully check your CGI scripts
• Prevent others from running their CGI scripts
• DO NOT send confidential info., etc. back to the user via e-mail

Hardening a Dedicated Server & Network Diagram (Cont.)

[Network diagram: Internet <-> Router/Firewall <-> DMZ <-> Intranet; ports 8080 and 3306 are shown]
