Web Server Administration

Chapter 10Securing the Web

Environment

Overview

Identify threats and vulnerabilities Secure data transmission Secure the operating system Secure server applications

Overview

Authenticate Web users Use a firewall Use a proxy server Use intrusion detection software

Identifying Threats and Vulnerabilities Focus is on threats from the Internet Hackers sometimes want the challenge

of penetrating a system and vandalizing it – other times they are after data Data can be credit card numbers, user

names and passwords, other personal data Information can be gathered while it is

being transmitted Often, operating system flaws can assist

the hacker

Examining TCP/IP Hackers often take advantage of the

intricacy of TCP/IP The following are parts of the IP header

most relevant to security Source address Destination address Packet identification, flags, fragment offset Total length Protocol – TCP, UDP, ICMP

TCP-Delivering Data to Applications Important header fields

Source and destination ports Sequence number, data offset Flags, such as SYN, ACK, FIN

Establishing a TCP connection

Vulnerabilities of DNS

Historically DNS has had security problems

BIND is the most common implementation of DNS and some older version had serious bugs

BIND 9, the current version, has been more secure

Vulnerabilities in Operating Systems Operating systems are large and complex

which means that there are more opportunities for attack

Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available

Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Vulnerabilities in Web servers

Static HTML pages pose virtually no problem

Programming environments and databases add complexity that a hacker can exploit

Programmers often do not have time to focus on security

Vulnerabilities of E-mail Servers By design, e-mail servers are open E-mail servers can be harmed by a

series of very large e-mail messages Sending an overwhelming number of

messages at the same time can prevent valid users from accessing the server

Viruses can be sent to e-mail users Retrieving e-mail over the Internet often

involves sending your user name and password as clear text

Securing Data Transmission To secure data on a network that is

accessible to others, you need to encrypt the data

SSL is the most common method of encrypting data between a browser and Web server

Secure Shell (SSH) is a secure replacement for Telnet

Secure Sockets Layer (SSL) A digital certificate issued by a certification

authority (CA) identifies an organization The public key infrastructure (PKI) defines

the system of CAs and certificates Public key cryptography depends on two

keys A public key is shared with everyone The public key can be used to encrypt data Only the owner of the public key has the

corresponding private key which is needed to decrypt the data

Establishing an SSL Connection

Using SSH for Tunneling Tunneling allows you to use an unsecure

protocol, such as POP3, through a secure connection, such as SSH

To set up tunneling Configure the SSH client so the local port is

55555 (or another port between 1024 and 65535)

Configure the SSH client to connect to POP3 port 110

Log in to the SSH client Direct the e-mail client to port 5555 and log

in to the e-mail server

Securing the Operating System Use the server for only necessary tasks Minimize user accounts Disable services that are not needed Make sure that you have a secure password

In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255

Check a table of ALT values to avoid common characters

The use of the ALT key will thwart most hackers

Securing Windows There are many services that are not needed

in Windows for most Internet-based server applications

Alerter Computer browser DHCP client DNS client Messenger Server Workstation

Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names

Securing Linux As with Windows, make sure that you only

run daemons (services) that you need Generally, daemons are disabled by

default The command netstat -l gives you a list of

daemons that are running Use chkconfig to enable and disable

daemons chkconfig imap on would enable imap

Securing E-mail You have already seen the ability

to tunnel POP3 which would prevent data from being seen

Exchange 2000 can also use SSL for the protocols it uses

To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox

Securing the Web Server

Enable the minimum features If you don't need a programming

language, do not enable it Make sure programmers

understand security issues Implement SSL where appropriate

Securing the Web ServerApache Directories You can restrict access to directories by

using "allow" and "deny" The following only allows computers

with the two IP addresses to access the directory

<Directory "/var/www/html/reports">

order allow, deny

allow from 10.10.10.5 192.168.0.3

deny from all

</Directory>

Securing the Web Server-IIS The URLScan utility blocks potentially harmful

page requests The IIS Lockdown utility has templates to

ensure that you only enable what you need Change NTFS permissions in \inetpub\wwwroot

from Everyone Full Control to Everyone Execute

In IIS 5, delete \samples \IISHelp and \MSADC folders

Delete extensions you do not use, such as .htr, .idc, .stm, and others

Authenticating Web Users

Both Apache and IIS use HTTP to enable authentication HTTP tries to access a protected

directory and fails Then it requests authentication from the

user in a dialog box Accesses directory with user information

Used in conjunction with SSL

Configuring User Authentication in IIS Four types of authenticated access

Windows integrated authentication Most secure – requires IE

Digest authentication for Windows domain servers

Works with proxy servers Requires Active Directory and IE

Basic authentication User name and password in clear text Works with IE, Netscape, and others

Passport authentication Centralized form of authentication Only available on Windows Server 2003

User Authentication in Apache Basic authentication is most

common User names and passwords are kept

in a separate file Create password file -c creates the users file -b adds a password when creating user

htpasswd –c users mnoiahtpasswd users fpessoahtpasswd users lcamoes –b lusiades

ApacheUser Authentication Directives

Directive Description

AuthName Specifies descriptive text for user authentication that appears on the user’s browser when the request is made to log on. Example: AuthName Internal Product Information

AuthType Specifies the authentication type. Digest not supported so use Basic. Example: AuthType Basic

AuthUserFile Specifies the complete path to the user authentication file.Example: AuthUserFile /var/www/users

AuthGroupFile Specifies the complete path to the text file that associates users with groups.

require Defines which users in the user authentication file are allowed access to the directory. Examples:

require user fpessoa lcamoesrequire group developers designersrequire valid-user

ApacheUser Authentication Assume you want to restrict the

/newprods directory to any user in the users file

<Location /newprods>AuthName "New Product Information"AuthType BasicAuthUserFile /var/www/usersrequire valid-user</Location>

Using a Firewall A firewall implements a security

policy between networks Our focus is between the Internet and

an organization's network You need to limit access, especially

from the Internet to your internal computers Restrict access to Web servers, e-mail

servers, and other related servers

Types of Filtering Packet filtering

Looks at each individual packet Based on rules, it determines whether to let it pass

through the firewall Circuit-level filtering (stateful or dynamic

filtering) Controls complete communication session, not just

individual packets Allows traffic initialized from within the organization

to return, yet restricts traffic initialized from outside Application-level

Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

A Packet-filtering Firewall Consists of a list of acceptance and

denial rules A firewall independently filters what

comes in and what goes out It is best to start with a default policy

that denies all traffic, in and out We can reject or drop a failed packet

Drop – (best) thrown away without response Reject – ICMP message sent in response

Firewall on Linux - iptables Connections can be logged Initializing the firewall

Remove any pre-existing rules iptables --flush

Set default policy to drop packets iptables --policy INPUT DROP iptables --policy OUTPUT DROP

At this point nothing comes in and nothing goes out

Describing the Packets to Accept -A (Append rule) INPUT or OUTPUT -i eth0 (input interface) or –o eth0

(output) -p tcp or -p udp (protocol type) -s , -d (source, destination address) --sport, --dport (source, destination port) -j ACCEPT (this is a good rule)

Allowing Access to Web Server Allow packets from any address with an

unprivileged port to the address on our server destined to port 80 The following should be on a single line

iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 80 –j ACCEPT

Allow packets to go out port 80 from our server to any unprivileged port at any address

iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10 --sport 80 --dport 1024:65535 –j ACCEPT

Allowing Access to DNS

DNS uses port 53 UDP for resolving, TCP for zone

transfersiptables –A INPUT –i eth0 –p udp --sport

1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT

iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10

--sport 53 --dport 1024:65535 –j ACCEPT

iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT

iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10

--sport 53 --dport 1024:65535 –j ACCEPT

Allowing Access to FTP Port 21 for data, port 20 for control Data is transferred through unprivileged

ports Opening unprivileged ports can be a problem

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT

Using a Proxy Server A proxy server delivers content on behalf of a

user or server application Proxy servers need to understand the protocol of

the application that they proxy such as HTTP or FTP

Forward proxy servers isolate users from the Internet

Users contact proxy server which gets Web page Reverse proxy servers isolate Web server

environment from the Internet When a Web page is requested from the Internet, the

proxy server retrieves the page from the internal server

Using Intrusion Detection Software

Intrusion detection is designed to show you that your defenses have been penetrated

With Microsoft ISA Server, it only detects specific types of intrusion

In Linux, Tripwire tracks changes to files

Tripwire Tripwire allows you to set policies that

allow you to monitor any changes to the files on the system

Tripwire can detect file additions, file deletions, and changes to existing files

By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Tripwire After installing Tripwire, you configure

the policy file to determine which files to monitor

A default list of files is included but it will take time to refine the list

A report can be produced to find out which files have been added, changed, and deleted Usually, it runs automatically at night

Intrusion Detection in ISA Server The following intrusions are tracked Windows out-of-band (WinNuke)–A specific type of Denial-

of-Service attack Land–A spoofed packet is sent with the SYN flag set so that

the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash.

Ping of death –The server receives ICMP packets that include large files attachments, which can cause a server to crash.

IP half scan –If a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.

UDP bomb –A UDP packet with an illegal configuration. Port scan –You determine the threshold for the number of

ports that are scanned (checked) before an alert is issued.

Summary Every computer connected to the Internet

represents a potential target for attack Hackers can gather data and modify

systems SSL can secure data transmission Keep each server to a single purpose such

as Web server or e-mail Keep applications and services to a

minimum

Summary User authentication controls access to

one or more Web server directories Firewalls control access policies

between networks A proxy server delivers content on

behalf of a user or server application Intrusion detection software identifies

intrusions but typically does not prevent them