powerpoint presentation
TRANSCRIPT
Apache Web Server
How does Apache work?
Diagram: Web Browser (i.e. Netscape) <-- HTTP, HTTPS --> Web Server (i.e. Apache)
Why Apache?
• Free!!
• Comes with Linux packages (almost all distributions)
• Most Popular
Problems & Risks
• Types of Web Attacks
  – Denial of Service
  – Defaced Web Page
  – Deletion of Files
  – Placement of Malicious Software, such as a trojan horse or worm
Problems & Risks
• Risks of Apache
  – From the System Administrator
    • Thinks "Apache is the best!!"
    • Ignores Hardening
  – From Apache (itself)
    • Apache is not secure
    • The website Apache.org was hacked in May 2000
Hardening Apache Step-by-Step
1. Create the Web Server Group/User
2. Download the Appropriate Apache Distribution
3. Apply Latest Web Server Patches
4. Configure/Compile/Install the Apache Distribution
5. Edit the Apache Configuration file - httpd.conf
6. Change Ownership/Permissions on Directories and Files
7. Clean Out Unneeded Files and Directories
8. Update Apache Start Script for Notification
9. Advanced Settings - Miscellaneous Security Enhancements
Step 1: Create the Web Server Group/User
1.1 Create Groups for Web Server Content >> webmaster:webmaster
1.2 Create a Specific User for Web Server >> nobody:nobody
1.3 Create Quota for Web Server
1.4 Verify Quota
1.5 Lock Down the New Account
Access rights per role (R = read, W = write, - = none):
user                      Content  CGI  logs  tools  conf
Webserver >> nobody       R        R    -     -      -
web author                RW       R    -     -      -
web developer             RW       RW   -     -      -
webmaster >> webmaster    RW       RW   R     R      RW
Diagram: root runs "start http"; the http parent process (running as root) forks child http processes, each of which executes as user nobody.
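The account creation and lock-down of Step 1, written out as a shell script. This is an added example, not from the presentation; it assumes the shadow-utils commands groupadd/useradd/usermod, /sbin/nologin as the no-login shell, the quota package for 1.3/1.4, and a constructed content path of /var/www. The account_is_locked check reads the passwd and shadow entries so that 1.5 can be verified rather than assumed:

```sh
#!/bin/sh
# Added example (not from the slides): create the Step 1 accounts and verify the lock-down.
# Assumptions: shadow-utils groupadd/useradd/usermod, /sbin/nologin as the no-login shell,
# the quota package for 1.3/1.4, and /var/www as a constructed content path.

WEB_GROUP="webmaster"   # 1.1 group that owns the content (webmaster:webmaster on the slide)
WEB_USER="nobody"       # 1.2 unprivileged user the worker processes run as (nobody:nobody)
WEB_HOME="/var/www"

# 1.1 / 1.2: content group plus a system account with no password and no login shell.
create_web_accounts() {
    getent group "$WEB_GROUP" >/dev/null 2>&1 || groupadd "$WEB_GROUP"
    if ! getent passwd "$WEB_USER" >/dev/null 2>&1; then
        useradd --system --user-group --home-dir "$WEB_HOME" --no-create-home \
                --shell /sbin/nologin "$WEB_USER"
    fi
}

# 1.3 / 1.4: cap the disk the account may fill (limits are constructed placeholders:
# 500 MB soft / 600 MB hard in 1K blocks, inodes unlimited), then display the result.
set_web_quota() {
    setquota -u "$WEB_USER" 500000 600000 0 0 "$WEB_HOME"
    quota -u "$WEB_USER"
}

# 1.5: lock the password and make sure the shell stays non-interactive.
lock_web_account() {
    usermod --lock --shell /sbin/nologin "$WEB_USER"
}

# Check a passwd entry and its shadow entry (passed as the raw colon-separated lines)
# and decide whether the account is locked down: non-interactive shell and a disabled
# password field. Returns 0 when locked, 1 (with the reason on stdout) otherwise.
account_is_locked() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "interactive shell: $shell"; return 1 ;;
    esac
    case "$hash" in
        '!'*|'*'*) ;;               # '!' is set by usermod -L, '*' means no password was ever set
        '') echo "empty password field (login without a password)"; return 1 ;;
        *) echo "usable password hash present"; return 1 ;;
    esac
    return 0
}

# Run the check against the live account (reading the shadow entry needs root).
check_live_account() {
    account_is_locked "$(getent passwd "$WEB_USER")" "$(getent shadow "$WEB_USER")"
}

if [ "${1:-}" = "--apply" ]; then
    create_web_accounts
    set_web_quota
    lock_web_account
    check_live_account
fi
```

Run it as root with --apply to make the changes; without arguments it only defines the functions, so account_is_locked can also be fed passwd/shadow lines copied from another host.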
Step 2: Download the Appropriate Apache Distribution
2.1 Download the Apache Source
2.2 Verify the PGP Signatures
2.3 Verify the MD5 Checksums
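Steps 2.2 and 2.3 as a verification script. This is an added example, not the presentation's own; it assumes gpg is installed with the Apache release signing keys already imported from the KEYS file, and that the detached signature and the checksum sit beside the tarball as <tarball>.asc and <tarball>.md5:

```sh
#!/bin/sh
# Added example (not from the slides): verify a downloaded Apache source tarball
# (Step 2.2 PGP signature, Step 2.3 MD5 checksum). Assumes gpg with the release
# keys imported, and <tarball>.asc / <tarball>.md5 next to the tarball.

# Print the MD5 digest of a file with whichever tool the platform provides.
md5_of() {   # md5_of FILE
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                       # BSD / macOS
    fi
}

# 2.3: compare the tarball's digest with the published one. The second argument may be
# a bare digest or the content of a .md5 file ("digest  filename"); case is ignored.
# Returns 0 on match, 1 on mismatch.
verify_md5() {   # verify_md5 FILE EXPECTED
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | cut -d' ' -f1)
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "MD5 OK: $file"
        return 0
    fi
    echo "MD5 MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# 2.2: check the detached PGP signature. The checksum only detects a corrupted or
# swapped download; the signature ties the file to the release manager's key.
verify_pgp() {   # verify_pgp TARBALL
    gpg --verify "$1.asc" "$1"
}

# Both checks on one release file; fails on the first problem.
verify_release() {   # verify_release TARBALL
    verify_pgp "$1" && verify_md5 "$1" "$(cat "$1.md5")"
}

if [ -n "${1:-}" ]; then
    verify_release "$1"
fi
```

Usage: sh verify_release.sh apache_1.3.27.tar.gz (file name is an example) after fetching the tarball, its .asc and its .md5 from the distribution site.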
Step 3: Apply Latest Web Server Patch
• For the latest Apache patches: http://www.apache.org/dist/httpd/patches/
• Apply a patch:
  # cd apache_source_directory
  # patch -p0 < /tmp/proxy_http1.1_chunking.patch
Step 4: Configure/Compile/Install the Apache Distribution
4.1 Configure the Apache Distribution
4.2 Edit the httpd.h File
  #define SERVER_BASEVENDOR "Apache Group"
  #define SERVER_BASEPRODUCT "My-Server"
  #define SERVER_BASEREVISION "4.0"
4.3 Compile Apache
4.4 Install the Software
Step 5: Edit the Apache Configuration file - httpd.conf
5.1 Basic Web Server Settings
  o ServerType
  o HostnameLookups on
  o User & Group
  o Port
  o ServerAdmin
  o ServerRoot
  o ServerName
5.2 Security Related Settings
  o LogLevel notice
  o CustomLog ... combined
  o ErrorLog ...
Some of the Error Messages in the ErrorLog
• File does not exist: a URL that does not exist was accessed
• File permissions deny server access: a document was accessed that the server does not have sufficient privileges to read
• Password mismatch: a protected document was accessed with an incorrect password
• Client denied by server configuration: access to a directory is restricted to certain IP addresses
• Malformed header from script: a warning that a script produced output that cannot be interpreted correctly
5.2 Security Related Settings (Cont.)
  o <Directory>
  o Options
  o AllowOverride None
  o IncludesNoExec
  o SymLinksIfOwnerMatch
  o Order and Allow/Deny from (use IP addresses)
  o ServerSignature Off
  o ServerTokens ProductOnly
  o CoreDumpDirectory ...
  o Error Responses
    o 401/403 Errors
    o Other Status Codes
  o LimitExcept
5.3 Access Control - Restrict Access to File or Directory
• Host-based Authentication
Diagram: the client sends a request; the server authenticates it by taking the client's IP address / hostname and comparing it against the lists ("Is it in allow list?", "Is it in deny list?").
• HTTP-specified Basic Authentication
Diagram: the client sends a request; the server replies that it requires authentication (username & password); the client sends username & password; the server checks them against .htpasswd.
5.4 Common Attack Signatures
  – mod_rewrite Voodoo
  – Robots
5.5 CGI Bin Mischief
  – Review CGI Files/Code
  – Fake CGIs
    • Foil Vulnerability Scanners
    • Fake PHF
  – <DirectoryMatch>
  – <FilesMatch>
5.6 Denial of Service
  – Timeout 60
  – KeepAlive On
  – KeepAliveTimeout 15
  – StartServers 10
  – MinSpareServers 10
  – MaxSpareServers 20
5.7 Buffer Overflows
  – LimitRequestBody 10240
  – LimitRequestFields 40
  – LimitRequestFieldSize 100
  – LimitRequestLine 500
Step 6: Change Ownership/Permissions on Directories and Files
6.1 Server Configuration Directories
  # chown -R root <Conf_Dir>
  # chgrp -R webmaster <Conf_Dir>
  # chmod -R 770 <Conf_Dir>
6.2 Document Root Directory
  # chown -R webmaster <htdocs_Dir>
  # chgrp -R webmaster <htdocs_Dir>
  # chmod -R 775 <htdocs_Dir>
6.3 CGI-Bin Directory
  # chown -R root <Cgi-bin_Dir>
  # chgrp -R webmaster <Cgi-bin_Dir>
  # chmod -R 775 <Cgi-bin_Dir>
6.4 Log Files
  # chown -R root <Logs_Dir>
  # chgrp -R webmaster <Logs_Dir>
  # chmod -R 750 <Logs_Dir>
6.5 Bin Directory
  # chown -R root <Bin_Dir>
  # chgrp -R webmaster <Bin_Dir>
  # chmod -R 770 <Bin_Dir>
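Steps 6.1 to 6.5 as one script that applies the ownership scheme and then verifies the resulting modes. This is an added example, not from the presentation; it assumes the Apache install root is passed as an argument with the conventional conf/, htdocs/, cgi-bin/, logs/ and bin/ subdirectories, and that the owner and group names default to root and webmaster as on the slides:

```sh
#!/bin/sh
# Added example (not from the slides): apply the Step 6 ownership/permission scheme to an
# Apache install tree and verify the result. Assumes the install root contains conf/,
# htdocs/, cgi-bin/, logs/ and bin/; owner and group default to root and webmaster.

# One slide line: recursive chown, chgrp and chmod on a directory.
set_tree() {   # set_tree DIR OWNER GROUP MODE
    chown -R "$2" "$1"
    chgrp -R "$3" "$1"
    chmod -R "$4" "$1"
}

# 6.1 to 6.5. Config, logs and binaries stay root-owned; only the document root is
# owned by the webmaster account, and group membership is what gives webmaster its rights.
harden_apache_tree() {   # harden_apache_tree APACHE_ROOT [ADMIN_OWNER] [WEB_GROUP] [CONTENT_OWNER]
    root=$1; admin=${2:-root}; group=${3:-webmaster}; content_owner=${4:-webmaster}
    set_tree "$root/conf"    "$admin"         "$group" 770   # 6.1 configuration
    set_tree "$root/htdocs"  "$content_owner" "$group" 775   # 6.2 document root
    set_tree "$root/cgi-bin" "$admin"         "$group" 775   # 6.3 CGI scripts
    set_tree "$root/logs"    "$admin"         "$group" 750   # 6.4 log files
    set_tree "$root/bin"     "$admin"         "$group" 770   # 6.5 httpd binaries and tools
}

# True when PATH has exactly the given octal mode. find -prune -perm with an exact mode
# (no leading - or /) behaves the same on GNU and BSD userlands, unlike stat's flags.
has_mode() {   # has_mode PATH MODE
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Re-check the five directories; prints one finding per deviation and returns their count.
verify_apache_tree() {   # verify_apache_tree APACHE_ROOT
    root=$1; bad=0
    for spec in conf:770 htdocs:775 cgi-bin:775 logs:750 bin:770; do
        dir=$root/${spec%%:*}; mode=${spec##*:}
        if ! has_mode "$dir" "$mode"; then
            echo "FINDING: $dir is not mode $mode"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    harden_apache_tree "$2" "${3:-root}" "${4:-webmaster}" "${5:-webmaster}"
    verify_apache_tree "$2"
fi
```

Usage: sh harden_tree.sh --apply /usr/local/apache as root. verify_apache_tree can also be run on its own from cron, since a directory that drifts from its mode is exactly the change a web defacement or a careless content push tends to leave behind.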
Step 7: Clean Out Unneeded Files and Directories
7.1 Src Directory
7.2 Default HTML Documents
Step 8: Update Apache Start Script for Notification
• To let the System Administrator know that the Apache Web Server has been restarted
Step 9: Advanced Settings - Miscellaneous Security Enhancements
9.1 Worms At War, such as CodeRed and Nimda
9.2 Swatch
9.3 Monitor Changes in Web Content
9.4 Secure Index Pages
9.5 Chroot
9.6 Secure Socket Layer (SSL)
Bug/Exploit
• CERT® Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability, June 17, 2002
• CERT® Advisory CA-2002-27: Apache/mod_ssl Worm, September 14, 2002
• Related Link: http://httpd.apache.org/security_report.html
Hardening Dedicated Server & Network Diagram
• Download and Install the latest versions of the Daemon
• No user login accounts
• All updates are done from the internal network
• Audit and Penetration Testing on your Server
• Carefully Check your CGI Scripts
• Prevent others from running their CGI Scripts
• DO NOT send confidential info., etc. back to the user via e-mail
Network diagram: Internet - Router - Firewall - DMZ - Intranet; ports shown on the diagram: 8080 and 3306.