Apache Web Server
How does Apache work?

[Diagram: a Web Browser (e.g. Netscape) talks to a Web Server (e.g. Apache) over HTTP or HTTPS.]
Why Apache?
• Free
• Comes with almost every Linux distribution
• The most popular web server
Problems & Risks
• Types of web attack
  – Denial of service
  – Defaced web page
  – Deletion of files
  – Placement of malicious software such as a trojan horse or worm
• Risks of Apache
  – From the system administrator
    • Thinks "Apache is the best!!" and therefore ignores hardening
  – From Apache itself
    • Apache is not secure as installed; it needs the hardening steps below
    • The apache.org website itself was hacked in May 2000
Hardening Apache Step-by-Step
1. Create the web server group/user
2. Download the appropriate Apache distribution
3. Apply the latest web server patches
4. Configure/compile/install the Apache distribution
5. Edit the Apache configuration file, httpd.conf
6. Change ownership/permissions on directories and files
7. Clean out unneeded files and directories
8. Update the Apache start script for notification
9. Advanced settings: miscellaneous security enhancements
Step 1: Create the Web Server Group/User

1.1 Create a group for web server content
    >> webmaster:webmaster
1.2 Create a specific, unprivileged user for the web server
    >> nobody:nobody (on many systems nobody is shared with other daemons such as NFS; a dedicated account such as www is preferable)
1.3 Create a disk quota for the web server user
1.4 Verify the quota
1.5 Lock down the new account (no password, non-login shell)
Step 1: Create the Web Server Group/User (Cont.)

Access matrix (R = read, W = write, - = no access):

  Role (account)             conf  tools  logs  CGI  Content
  webmaster (>> webmaster)    RW     R     R    RW     RW
  web developer                -     -     -    RW     RW
  web author                   -     -     -     R     RW
  Webserver (>> nobody)        -     -     -     R      R
Step 1: Create the Web Server Group/User (Cont.)

[Diagram: process model. httpd is started by root; the root parent process only listens and forks child httpd processes, which run as nobody and serve requests. A child forks again to execute a CGI program, which therefore also runs as the nobody user.]
Step 2: Download the Appropriate Apache Distribution

 2.1 Download the Apache Source
 2.2 Verify the PGP Signatures
 2.3 Verify the MD5 Checksums
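The two checks in 2.2 and 2.3 do different jobs, and the deck does not say which one matters. The checksum only proves the download was not corrupted; a compromised mirror can replace the tarball and its .md5 file together. The detached PGP signature proves the tarball is the one the release manager signed, provided the KEYS file comes from apache.org itself and not from the mirror. The script below is an added example, not code from the slides or from the Apache project; the file names are hypothetical and the MD5 digest in the usage note is not a real release digest. MD5 is also no longer collision-resistant, so prefer the .sha256/.sha512 files that current releases publish; the same functions work unchanged with sha256sum in place of md5sum.

```shell
#!/bin/sh
# Added example, not from the original slides: check a downloaded Apache
# tarball against its .md5 file and its detached PGP signature (.asc).
# Assumption (hypothetical names): TARBALL, TARBALL.md5 and TARBALL.asc sit
# in the current directory and KEYS was fetched from apache.org itself.

# md5_of FILE -> hex digest of FILE (md5sum on Linux, md5 on BSD/macOS)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED_HEX -> 0 if the digests match, 1 otherwise
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# verify_md5_file FILE MD5FILE -> same check, reading the digest from the
# "HEX  filename" line published next to the tarball
verify_md5_file() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    verify_md5 "$1" "$expected"
}

# verify_sig TARBALL -> 0 only if gpg accepts TARBALL.asc over TARBALL.
# The checksum catches a corrupt download; only the signature catches a
# tampered one, because a compromised mirror can replace the tarball and
# its .md5 together but cannot sign with a key it does not hold.  Check
# the signing key's fingerprint against the project's published list
# before trusting a "Good signature" line.
verify_sig() {
    gpg --import KEYS >/dev/null 2>&1 || return 2
    gpg --verify "$1.asc" "$1"
}

# Usage (not run here; hypothetical file names):
#   verify_md5_file apache_1.3.x.tar.gz apache_1.3.x.tar.gz.md5 \
#       && verify_sig apache_1.3.x.tar.gz \
#       && echo "download OK"
```

Run the signature check even when the checksum passes; a passing checksum and a failing signature is exactly the pattern a tampered mirror produces.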
Step 3: Apply Latest Web Server Patch

• Latest patches for Apache:
  http://www.apache.org/dist/httpd/patches/
• Apply a patch from the top of the source tree:
  # cd apache_source_directory
  # patch -p0 < /tmp/proxy_http1.1_chunking.patch
Step 4: Configure/Compile/Install the Apache Distribution

4.1 Configure the Apache distribution
4.2 Edit the httpd.h file to change the advertised server identity (this only hides the banner from casual scanners; it is not a substitute for patching)
    #define SERVER_BASEVENDOR "Apache Group"
    #define SERVER_BASEPRODUCT "My-Server"
    #define SERVER_BASEREVISION "4.0"
4.3 Compile Apache
4.4 Install the software
Step 5: Edit the Apache Configuration file - httpd.conf

5.1 Basic web server settings
    o ServerType
    o HostnameLookups On (note: this costs a reverse DNS lookup per request and the name logged is attacker-controlled; Apache's default is Off, and logged IP addresses can be resolved offline instead)
    o User & Group
    o Port
    o ServerAdmin
    o ServerRoot
    o ServerName
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.2 Security-related settings (logging)
    o LogLevel notice
    o CustomLog ... combined
    o ErrorLog ...
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
Some of the messages seen in the ErrorLog
• File does not exist: a client requested a URL that does not exist
• File permissions deny server access: a client requested a document the server process does not have sufficient privileges to read
• Password mismatch: a client supplied an incorrect password for a protected document
• Client denied by server configuration: a client requested a directory whose access is restricted to certain IP addresses
• Malformed header from script: a warning that a CGI script produced output whose header block could not be interpreted
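The message list above is only useful if someone reads the log. The script below is an added example, not code from the slides: it counts an Apache 1.3 style error_log by the message families listed, and flags any client address that keeps producing "password mismatch", which is what a password-guessing run against a Basic-auth area looks like in this log. The log lines are constructed for the example, and the threshold is a parameter you choose.

```shell
#!/bin/sh
# Added example, not from the original slides: triage an Apache 1.3 style
# error_log by message class and flag clients that keep failing Basic
# authentication.  The log lines below are constructed for the example.

SAMPLE_ERROR_LOG='[Sun Sep 15 10:00:01 2002] [error] [client 10.0.0.5] user bob: password mismatch: /secure/
[Sun Sep 15 10:00:02 2002] [error] [client 10.0.0.5] user bob: password mismatch: /secure/
[Sun Sep 15 10:00:03 2002] [error] [client 10.0.0.5] user admin: password mismatch: /secure/
[Sun Sep 15 10:00:04 2002] [error] [client 10.0.0.5] user root: password mismatch: /secure/
[Sun Sep 15 10:00:05 2002] [error] [client 10.0.0.5] user root: password mismatch: /secure/
[Sun Sep 15 10:01:00 2002] [error] [client 192.168.1.20] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Sun Sep 15 10:01:10 2002] [error] [client 192.168.1.20] user alice: password mismatch: /secure/
[Sun Sep 15 10:02:00 2002] [error] [client 172.16.0.9] client denied by server configuration: /usr/local/apache/htdocs/admin
[Sun Sep 15 10:02:01 2002] [error] [client 172.16.0.9] client denied by server configuration: /usr/local/apache/htdocs/admin
[Sun Sep 15 10:03:00 2002] [error] [client 172.16.0.9] malformed header from script. Bad header=<html>: /usr/local/apache/cgi-bin/test.cgi'

# error_classes: stdin = error_log; prints "count class", most frequent
# first, using the message families listed on the slide.
error_classes() {
    awk '
        { s = tolower($0) }
        s ~ /file does not exist/                   { n["file does not exist"]++; next }
        s ~ /file permissions deny server access/   { n["file permissions deny server access"]++; next }
        s ~ /password mismatch/                     { n["password mismatch"]++; next }
        s ~ /client denied by server configuration/ { n["client denied by server configuration"]++; next }
        s ~ /malformed header from script/          { n["malformed header from script"]++; next }
        { n["other"]++ }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# auth_failures THRESHOLD: stdin = error_log; prints "count ip" for every
# client with at least THRESHOLD password mismatches (a guessing attempt
# against a Basic-auth area, worth a Deny from or a swatch alert).
auth_failures() {
    awk -v t="$1" '
        /password mismatch/ && match($0, /\[client [^]]*\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -k1,1nr -k2
}

# Usage (not run here):
#   error_classes < /usr/local/apache/logs/error_log
#   auth_failures 5 < /usr/local/apache/logs/error_log
```

On the sample, auth_failures 3 reports only 10.0.0.5 (five failures across three usernames); the single failure from 192.168.1.20 is a user mistyping and stays below the threshold.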
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.2 Security-related settings (Cont.)
    o <Directory> blocks
    o Options: prefer IncludesNoExec over Includes and SymLinksIfOwnerMatch over FollowSymLinks; enable nothing that is not needed
    o AllowOverride None (so .htaccess files cannot relax the settings above)
    o Order and Allow from / Deny from (use IP addresses, not hostnames, since hostnames depend on reverse DNS)
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.2 Security-related settings (Cont.)
    o ServerSignature Off
    o ServerTokens ProductOnly (Prod)
    o CoreDumpDirectory ... (core files can contain request data and credentials; keep them out of the document root)
    o Error responses (ErrorDocument)
        o 401/403 errors
        o other status codes
    o <LimitExcept> (restrict the HTTP methods that are allowed)
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.3 Access Control
    – Restrict access to a file or directory
       • Host-based authentication
         [Diagram: the client's request arrives with its IP address / hostname; the server compares it against the allow list and the deny list (in the sequence set by Order) and then grants or refuses access.]
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.3 Access Control (Cont.)
    – Restrict access to a file or directory (Cont.)
       • HTTP Basic authentication
         [Diagram: the client requests a protected resource; the server answers that it requires a username and password; the client sends them; the server checks them against the .htpasswd file.]
         Basic authentication sends the credentials base64-encoded, not encrypted, on every request, so protect such pages with SSL (see 9.6).
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.4 Common attack signatures
    – mod_rewrite "voodoo" (rules that refuse requests matching known attack URLs)
    – Robots (abusive crawlers, recognised by User-Agent)
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.5 CGI-bin mischief
    – Review CGI files/code
    – Fake CGIs
        • foil vulnerability scanners
        • fake PHF (a decoy /cgi-bin/phf that only logs the probe)
    – <DirectoryMatch>
    – <FilesMatch>
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.6 Denial of Service
       – Timeout 60
       – KeepAlive On
       – KeepAliveTimeout 15
       – StartServers 10
       – MinSpareServers 10
       – MaxSpareServers 20
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

5.7 Buffer overflows (bound request sizes; these limits reduce the oversized input reaching CGI programs but do not replace patching the server itself)
    – LimitRequestBody 10240 (10 KB; raise it per <Location> where uploads are expected)
    – LimitRequestFields 40
    – LimitRequestFieldsize 100 (very tight; browsers routinely send Cookie and User-Agent headers longer than this, so test before deploying)
    – LimitRequestLine 500
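Sections 5.1 to 5.7 are a list of directives to set; what a practitioner wants after editing is a way to check that a given httpd.conf actually has them. The script below is an added example, not code from the slides or the Apache project. It audits a file for the settings the deck names (ServerSignature, ServerTokens, Timeout, KeepAliveTimeout, the User directive, the four LimitRequest* limits, the Options values and AllowOverride) and is shown against two constructed configurations, a weak one and a hardened one. It targets the Apache 1.3 directive set the deck uses; Apache 2.4 replaced Order/Allow/Deny with Require, but every directive checked here still exists. The hardened sample uses 1024 rather than the deck's 100 for LimitRequestFieldsize, for the reason given above.

```shell
#!/bin/sh
# Added example, not from the original slides: audit an httpd.conf for the
# Step 5 settings.  Both configurations below are constructed samples.

WEAK_CONF='ServerType standalone
Port 80
User nobody
Group nobody
ServerSignature On
ServerTokens Full
Timeout 300
KeepAlive On
KeepAliveTimeout 15
<Directory />
    Options FollowSymLinks Includes
    AllowOverride All
</Directory>'

HARDENED_CONF='ServerType standalone
Port 80
User nobody
Group nobody
ServerSignature Off
ServerTokens Prod
Timeout 60
KeepAlive On
KeepAliveTimeout 15
LimitRequestBody 10240
LimitRequestFields 40
LimitRequestFieldsize 1024
LimitRequestLine 500
<Directory />
    Options SymLinksIfOwnerMatch IncludesNoExec
    AllowOverride None
</Directory>'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# directive FILE NAME -> value of the last uncommented NAME line, if any
directive() {
    awk -v d="$(lc "$2")" 'tolower($1) == d { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_httpd_conf FILE -> one "FINDING: ..." line per weak or missing setting
audit_httpd_conf() {
    f=$1
    v=$(directive "$f" ServerSignature)
    [ "$(lc "$v")" = off ] || echo "FINDING: ServerSignature is '${v:-unset}', want Off"
    v=$(lc "$(directive "$f" ServerTokens)")
    [ "$v" = prod ] || [ "$v" = productonly ] || echo "FINDING: ServerTokens is '${v:-unset}', want Prod"
    v=$(directive "$f" Timeout)                      # Apache's default is 300
    [ "${v:-300}" -le 60 ] || echo "FINDING: Timeout is '${v:-unset}', want 60 or less"
    v=$(directive "$f" KeepAliveTimeout)
    [ "${v:-15}" -le 15 ] || echo "FINDING: KeepAliveTimeout is '$v', want 15 or less"
    [ "$(lc "$(directive "$f" User)")" != root ] || echo "FINDING: httpd children run as root"
    for d in LimitRequestBody LimitRequestFields LimitRequestFieldsize LimitRequestLine; do
        [ -n "$(directive "$f" "$d")" ] || echo "FINDING: $d not set"
    done
    # Options values that let content authors execute code or escape the tree,
    # and any AllowOverride that lets .htaccess files undo the above
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++) {
                 o = tolower($i); sub(/^\+/, "", o)
                 if (o == "includes")       print "FINDING: Options Includes at line " NR ", want IncludesNoExec"
                 if (o == "followsymlinks") print "FINDING: Options FollowSymLinks at line " NR ", want SymLinksIfOwnerMatch"
             }
         }
         tolower($1) == "allowoverride" && tolower($2) != "none" {
             print "FINDING: AllowOverride " $2 " at line " NR ", want None"
         }' "$f"
}

# count_findings FILE -> number of findings (0 means the file passes)
count_findings() { audit_httpd_conf "$1" | awk 'END { print NR }'; }

# Usage (not run here): count_findings /usr/local/apache/conf/httpd.conf
```

The weak sample produces ten findings (banner, tokens, timeout, four missing limits, two Options values and AllowOverride All); the hardened one produces none. The audit reads directives wherever they appear, so a ServerSignature On inside a <VirtualHost> is caught too.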
Step 6: Change Ownership/Permissions on Directories and Files

    6.1 Server configuration directories
    # chown -R root <Conf_Dir>
    # chgrp -R webmaster <Conf_Dir>
    # chmod -R 770 <Conf_Dir>
    6.2 Document root directory
    # chown -R webmaster <htdocs_Dir>
    # chgrp -R webmaster <htdocs_Dir>
    # chmod -R 775 <htdocs_Dir>
Step 6: Change Ownership/Permissions on Directories and Files (Cont.)

    6.3 CGI-bin directory
    # chown -R root <Cgi-bin_Dir>
    # chgrp -R webmaster <Cgi-bin_Dir>
    # chmod -R 775 <Cgi-bin_Dir>
    6.4 Log files
    # chown -R root <Logs_Dir>
    # chgrp -R webmaster <Logs_Dir>
    # chmod -R 750 <Logs_Dir>
Step 6: Change Ownership/Permissions on Directories and Files (Cont.)

    6.5 Bin directory
    # chown -R root <Bin_Dir>
    # chgrp -R webmaster <Bin_Dir>
    # chmod -R 770 <Bin_Dir>
    Note: chmod -R gives files and directories the same mode, so configuration and log files end up marked executable; apply directory and file modes separately (find -type d / find -type f).
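The commands in 6.1 to 6.5 are a one-time setup; content authors and deployments drift away from it. The script below is an added example, not code from the slides: it encodes the deck's ownership and mode table once, applies it with separate directory and file modes (the refinement noted above), and audits the tree for the three things that table is meant to rule out: anything world-writable (a defacement or trojan drop point), anything under conf, logs or bin readable by "other" (the nobody account must not read the configuration or the logs), and any setuid or setgid file. It assumes the standard layout under one server root and a webmaster group; only the ownership step needs root.

```shell
#!/bin/sh
# Added example, not from the original slides: apply the Step 6 ownership
# and mode table and then audit the tree for anything it should not contain.
# Assumptions: the server lives under ROOT with conf, htdocs, cgi-bin, logs
# and bin subdirectories, and the webmaster group exists.

#           dir      owner      group      dir-mode  file-mode
MODE_TABLE='conf     root       webmaster  770       660
htdocs   webmaster  webmaster  775       664
cgi-bin  root       webmaster  775       775
logs     root       webmaster  750       640
bin      root       webmaster  770       770'

# apply_modes ROOT -> set directory and file modes per the table (no root needed);
# unlike "chmod -R", config and log files are not marked executable.
apply_modes() {
    root=$1
    printf '%s\n' "$MODE_TABLE" | while read -r dir owner group dmode fmode; do
        if [ -d "$root/$dir" ]; then
            find "$root/$dir" -type d -exec chmod "$dmode" {} +
            find "$root/$dir" -type f -exec chmod "$fmode" {} +
        fi
    done
}

# apply_owners ROOT -> set owner:group per the table; must run as root
apply_owners() {
    root=$1
    [ "$(id -u)" -eq 0 ] || { echo "apply_owners: must run as root" >&2; return 1; }
    printf '%s\n' "$MODE_TABLE" | while read -r dir owner group dmode fmode; do
        if [ -d "$root/$dir" ]; then
            chown -R "$owner:$group" "$root/$dir"
        fi
    done
}

# audit_tree ROOT -> one "FINDING: ..." line per violation
audit_tree() {
    root=$1
    # world-writable entries anywhere (symlinks excluded: their mode is meaningless)
    find "$root" ! -type l -perm -0002 | sed 's/^/FINDING: world-writable: /'
    # anything the nobody account could read in the directories it has no business in
    for d in conf logs bin; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -perm -0004 | sed 's/^/FINDING: readable by other: /'
        fi
    done
    # setuid/setgid files: nothing under the server root should need them
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/FINDING: setuid or setgid: /'
}

# Usage (not run here):
#   apply_modes /usr/local/apache && apply_owners /usr/local/apache
#   audit_tree /usr/local/apache
```

Run audit_tree from cron and diff its output against the previous run; a new world-writable file under htdocs or a new setuid file under cgi-bin is worth an immediate look.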
Step 7: Clean Out Unneeded Files and Directories

7.1 Src Directory
7.2 Default HTML Documents
Step 8: Update Apache Start Script for Notification

• So that the system administrator is notified whenever the Apache web server is started or restarted; a restart nobody planned is worth investigating, since a crash or a compromise can be behind it
Step 9: Advanced Settings - Miscellaneous Security Enhancements


    9.1 Worms At War such as CodeRed and
      Nimda
    9.2 Swatch
    9.3 Monitor Changes in Web Content
    9.4 Secure Index Pages
    9.5 Chroot
    9.6 Secure Sockets Layer (SSL)
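Sections 5.4 (mod_rewrite rules and robots), 5.5 (fake CGIs and PHF) and 9.1 (Code Red and Nimda) all come down to recognising a small set of request signatures. The script below is an added example, not code from the slides: it scans a combined-format access_log for the Code Red request (/default.ida), the Nimda requests (root.exe, cmd.exe) and the classic phf probe, lists the client addresses that sent them, flags clients by a bad-robot User-Agent list, and emits the mod_rewrite fragment that refuses the same requests with a 403. The log lines and the robot list are constructed for the example; the decoy PHF script from 5.5 is the logging counterpart of the same idea and is not shown here.

```shell
#!/bin/sh
# Added example, not from the original slides: spot worm and scanner request
# signatures in a combined-format access_log and emit matching mod_rewrite
# rules.  The log lines and the bad-robot list are constructed for the example.

WORM_SIG='(/default\.ida|/root\.exe|/cmd\.exe|/cgi-bin/phf)'
BAD_BOTS='(EmailSiphon|WebZIP)'   # constructed list; extend it from your own logs

SAMPLE_ACCESS_LOG='10.0.0.7 - - [15/Sep/2002:10:00:00 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 291 "-" "-"
10.0.0.7 - - [15/Sep/2002:10:00:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
10.0.0.8 - - [15/Sep/2002:10:00:05 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 291 "-" "-"
192.168.1.3 - - [15/Sep/2002:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.7 [en] (X11; U; Linux 2.4.18 i686)"
192.168.1.4 - - [15/Sep/2002:10:01:30 +0000] "GET /robots.txt HTTP/1.0" 200 26 "-" "EmailSiphon"'

# worm_hits: stdin = access_log; prints "ip request-path" for each matching line
# ($7 is the request path in the combined format)
worm_hits() { grep -Ei "$WORM_SIG" | awk '{ print $1, $7 }'; }

# scanner_ips: stdin = access_log; unique client addresses that sent a signature
scanner_ips() { worm_hits | awk '{ print $1 }' | sort -u; }

# bad_bot_hits: stdin = access_log; client addresses whose User-Agent is listed
# (splitting on the quote character makes the User-Agent field 6)
bad_bot_hits() { awk -F'"' -v re="$BAD_BOTS" '$6 ~ re { split($1, a, " "); print a[1] }'; }

# rewrite_rules: print an httpd.conf fragment that refuses the same requests.
# "-" as the substitution means no rewrite; [F] answers 403 Forbidden.
rewrite_rules() {
    printf 'RewriteEngine On\n'
    printf 'RewriteCond %%{REQUEST_URI} %s [NC]\n' "$WORM_SIG"
    printf 'RewriteRule .* - [F,L]\n'
    printf 'RewriteCond %%{HTTP_USER_AGENT} %s [NC]\n' "$BAD_BOTS"
    printf 'RewriteRule .* - [F,L]\n'
}

# Usage (not run here):
#   scanner_ips < /usr/local/apache/logs/access_log
#   rewrite_rules >> /usr/local/apache/conf/httpd.conf   # then apachectl configtest
```

The worm probes in the sample already get a 404 because the files do not exist; the value of the rewrite rules is that the server stops spending a filesystem lookup and a 404 page on each of them, and that the refusal is logged as a 403 you can count separately.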
Bugs / Exploits
• CERT® Advisory CA-2002-17
  Apache Web Server Chunk Handling
  Vulnerability
  June 17, 2002
• CERT® Advisory CA-2002-27
  Apache/mod_ssl Worm
  September 14, 2002
• Related Link:
  http://httpd.apache.org/security_report.html
Hardening Dedicated Server & Network Diagram
• Download and install the latest version of the daemon
• No user login accounts on the web server
• All updates are done from the internal network
• Audit and penetration-test your server
• Carefully check your CGI scripts
• Prevent others from running their own CGI scripts
• DO NOT send confidential information back to the user via e-mail
Hardening Dedicated Server & Network Diagram (Cont.)

[Diagram: Internet -> Router -> Firewall. The web server sits in a DMZ behind the firewall and is reachable from the Internet on port 80 only; the database it uses is on the Intranet side and is reachable from the DMZ on port 3306 (the MySQL port) only.]