Durkee apache 2009_v7



  1. Securing Apache Web Servers with Mod Security & CIS Benchmark
     Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
     Principal Security Consultant
     rd@rd1.net
  2. About Ralph Durkee
     Sep 21, 2009 www.RD1.net
     25+ years of experience: Systems and Network Security, Software Development and Systems Administration
     Independent Consultant and Trainer since 1996
     SANS GIAC Certified since 2000: GSEC, GCIH, GSNA, GPEN
     Lead Developer, Author and Maintainer for the Center for Internet Security: Red Hat Linux, DNS BIND, Apache
     Community Instructor for SANS
     CISSP Certified, CISSP Instructor
     Rochester OWASP President & ISSA VP
  3. Agenda
     Need A Secure Foundation
     Minimizing the Attack Surface
     Limiting HTTP Request Methods
     Access Control
     Mod_Security - Web Application Firewall
     Logging and Monitoring
  4. Center for Internet Security Benchmarks
     Center for Internet Security
       - Non-profit Organization
       - Develops Technical Security Standards
       - Uses Consensus of Industry Experts
       - www.CISecurity.org
     Benchmarks for:
       - Most Unix and Windows Operating Systems
       - Several Servers such as Apache and BIND
       - Oracle and MS SQL Server Databases
       - Other applications are in the works
  5. Need A Secure Foundation
  6. Secure Foundation - OS Security
     Start with a Security Hardened OS
     Unix or Linux recommended for Internet
     Apply appropriate CIS OS Benchmark
     Don't mix other high risk, or critical services
     Regularly Apply OS and Apache updates
  7. Secure Foundation - DNS Cache Poisoning Attacks
     DNS Level attacks against your clients / customers
     Secure your Authoritative and Caching DNS Servers with CIS BIND Benchmark
     DNS Pharming Attacks
       - Uses DNS Cache poisoning to harvest victims
       - Bogus IP Addresses provided to Vulnerable DNS Cache
       - Typically requires guessing DNS Query-ID and port
       - Clients resolving the domain name are directed to a spoofed hostile website instead of the trusted website
  8. Dan Kaminsky's DNS Attack
     Much more effective than traditional DNS cache poisoning. Uses:
       - Requests many random nonexistent host names
       - Sends many negative responses with guessed QID
       - Response: Go to server NAME & IP, it has the answer.
       - Victim caches the IP address of "DNS" server
       - Game over, the "DNS" server was the target
     Only Complete Prevention requires DNSSEC
     Securing the Caching DNS Server helps
  9. Apache User Account
     Don't run Apache as root
       - Use dedicated locked Account
       - Account with Invalid Shell such as /dev/null
       - Locked, with no valid password
     Example Server Configuration
       User apache
       Group apache
     # grep apache /etc/passwd /etc/shadow
     apache:x:48:48:Apache:/var/www:/dev/null
     apache:!!:14428:0:99999:7:::
  10. Set Minimal Permissions
      Ownership and Permissions
      Apache Configuration Files
        - Read-write by group Web Admin
        - Owned by Root
        - No access for Other
        - Apache reads these as root, before starting
      Document Root (and most sub-directories)
        - Read-write by group Web Development
        - Readable by Other
        - Owned by root
  11. Set Minimal Permissions (2)
      More Ownership and Permissions
      CGI-BIN Directories
        - Read-write by group Web Admin
        - Readable & Executable by Other
        - Owned by root
      Apache bin files (apachectl and httpd)
        - Read & Execute by Web Admin
        - Read & Execute by root
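A shell audit for the account and permission rules on slides 9 to 11, added here as an example; it is not part of the deck or of the CIS Apache benchmark. The passwd/shadow lines and the paths in the demo are constructed, and the list of "invalid" shells accepted by account_locked (nologin and false in addition to the /dev/null the slide shows) is an assumption; on a real host run the functions against the configuration directory, the document root and cgi-bin.

```shell
#!/bin/sh
# Added example: audit the "Apache User Account" and "Set Minimal Permissions"
# rules. Not part of the deck; sample lines and demo paths are constructed.

# account_locked PASSWD_LINE SHADOW_LINE
# Succeeds when the account has no usable login shell and a locked password
# field, i.e. the state the deck's grep output shows. Accepting nologin and
# false as "invalid" shells is an assumption beyond the slide's /dev/null.
account_locked() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    case "$shell" in
        /dev/null|/sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) return 1 ;;             # a usable shell: the account can log in
    esac
    case "$hash" in
        '!'*|'*'*) return 0 ;;     # "!!", "!" and "*" all mean locked
        *) return 1 ;;             # a real hash (or empty field) is not locked
    esac
}

# world_accessible DIR
# Lists files under DIR that grant ANY permission to "other" (octal -perm
# tests are POSIX). Use on the configuration tree: no access for other.
world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# world_writable DIR
# Lists files under DIR that "other" can write. Use on the document root and
# cgi-bin, which may be world-readable but never world-writable.
world_writable() {
    find "$1" -type f -perm -002
}

# not_owned_by_root DIR
# Lists entries under DIR not owned by root (config, docroot and cgi-bin
# should all be root-owned per the slides).
not_owned_by_root() {
    find "$1" ! -user root
}

# audit_apache_host CONF_DIR DOCROOT CGI_DIR
# Prints one finding per line; prints nothing when everything matches.
audit_apache_host() {
    world_accessible "$1" | sed 's/^/config readable or writable by other: /'
    world_writable "$2"   | sed 's/^/docroot writable by other: /'
    world_writable "$3"   | sed 's/^/cgi-bin writable by other: /'
    for d in "$1" "$2" "$3"; do
        not_owned_by_root "$d" | sed 's/^/not owned by root: /'
    done
}

# Stand-alone demo with constructed values; on a real host feed it the output
# of "grep apache /etc/passwd" and "grep apache /etc/shadow" and real paths.
if [ "${1:-}" = "--demo" ]; then
    if account_locked 'apache:x:48:48:Apache:/var/www:/dev/null' \
                      'apache:!!:14428:0:99999:7:::'; then
        echo "apache account: locked, no login shell"
    else
        echo "apache account: NOT locked"
    fi
    audit_apache_host /etc/httpd/conf /var/www/html /var/www/cgi-bin
fi
```

The functions only list what deviates from the slides' ownership and mode rules; fixing is a separate, deliberate step (chown/chmod by the web admin group), because the document root and cgi-bin legitimately stay world-readable while the configuration tree must not be.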
  12. Subscribe to Security Advisories
      Web Admin and System Admin should subscribe to appropriate advisories
      Apache: http://httpd.apache.org/lists.html
      CERT: https://forms.us-cert.gov/maillists/
      Sun: https://subscriptions.sun.com
      Fedora Core: https://www.redhat.com/mailman/listinfo/fedora-announce-list
  13. Minimize the Attack Surface
  14. Disable Unnecessary Modules
      Modules you probably DON'T need
        - mod_dav - Distributed Authoring and Versioning (WebDAV) functionality
        - mod_dav_fs - File System for mod_dav
        - mod_status - Provides Web Server status info.
        - mod_proxy - HTTP Proxy
        - mod_autoindex - Directory listings
        - mod_cern_meta - CERN HTTPD Meta file semantics (old, not used)
  15. Use only Necessary Modules
      Modules you might need
        - mod_log_config - Provides flexible logging of requests
        - mod_logio - Provides I/O bytes per request
        - mod_mime - Determines MIME type / handler by file extension
        - mod_env - Controls environment passed to CGI
        - mod_expires - Generation of Expires and Cache-Control HTTP headers
  16. Check Config Include Directories
      Check any config include directories
        - Red Hat Linux uses /etc/httpd/conf.d
        - All *.conf files are auto included
        - Remove the rpm, not just the file
        - Or comment out the file content
      Example:
        rpm -qf /etc/httpd/conf.d/manual.conf
        httpd-manual-2.2.xx-xx.x
        rpm -e httpd-manual
  17. Remove Any Default Files
      Default HTML Files
        - Manual
        - Welcome page
        - Directory Index icons
      Sample CGI files (e.g. printenv)
      Apache source code files
      Apache user files (.bashrc etc)
  18. Other Resources for Modules
      Modules list available On-line
        http://httpd.apache.org/docs/2.0/mod/
        http://httpd.apache.org/docs/2.2/mod/
      Also Review Module recommendations in CIS Benchmark Appendix
      Some Modules have their own website (such as modsecurity.org); check your favorite search engine.
  19. Options Directive
      Apache 2.2 docs
      Description: Configures what features are available in a particular directory
      Syntax: Options [+|-]option [[+|-]option] ...
      Default: Options All
      Context: server config, virtual host, directory, .htaccess
      Override: Options
      Module: core
  20. Options Directive
      Example 1 - Top Level Root
        <Directory />
        . . .
        Options None
        </Directory>
      Example 2 - cgi-bin Directory
        ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
        <Directory /usr/lib/mailman/cgi-bin/>
        . . .
        Options ExecCGI
        </Directory>
  21. Options Directive
      Options
        - All - Everything except Multiviews
        - ExecCGI - Execution of CGI scripts
        - FollowSymLinks - Will follow symbolic links
        - SymLinksIfOwnerMatch - only if owner matches
        - Includes - Enables Server Side Includes
        - IncludesNOEXEC - SSI without #exec
        - AllowOverride - Allow usage of .htaccess files.
        - Multiviews - Content negotiation (e.g. Language)
  22. Access Controls
  23. Auth and Authz Modules
        - mod_authz_host (was mod_access) - Access based on IP address or hostname.
        - mod_authz_user, mod_authz_groupfile
        - mod_auth - user authentication using text files
  24. Access Control Directives (1)
      Protecting Root (httpd.conf)
        <Directory />
        Options None
        AllowOverride None
        deny from all
        </Directory>
      Allowing All Access
        <Directory "/var/www/html/">
        Order allow,deny
        allow from all
        </Directory>
  25. Access Control Directives (2)
      Allowing Limited Access
      Usage of IP Address or partial IP Address
        <Directory "/var/www/html/">
        Order allow,deny
        deny from all
        allow from 10.10.2.
        </Directory>
      Domain and Host names also work
  26. HTTP Basic Authentication
      Requires mod_auth enabled
      Sends base64 encoded username and password with every request.
      Needs SSL to protect username/password
      No password guessing protection built-in
      Sample Configuration
        <Directory /var/www/html/members>
        AuthType Basic
        AuthName "Members Access"
        AuthUserFile /path/to/passwordfile
        Require valid-user
        </Directory>
  27. HTTP Basic Authentication (2)
      Setup Apache Password file
        htpasswd -c /path/to/passwordfile jsmith
        New password: password
        Re-type new password: password
        Adding password for user jsmith
      Don't place Password file in the DocRoot
      Apache needs Read-only access
      Don't allow other read access.
  28. HTTP Digest Authentication
      Requires mod_auth and mod_digest enabled
      Uses Challenge - Response
      Response is encrypted with the password
      Does not protect data, still needs SSL
      No password guessing protection built-in
      Sample Configuration
        <Directory /var/www/html/members>
        AuthType Digest
        AuthName "Members Access"
        AuthUserFile /path/to/passwordfile
        Require valid-user
        </Directory>
  29. New ChrootDir Directive
      Description: Directory for apache to run chroot(8) after startup.
      Syntax: ChrootDir /path/to/directory
      Default: none
      Context: server config
      Module: event, prefork, worker
      Compatibility: Available in Apache 2.2.10 and later
      Example:
        ChrootDir /var/www/chroot
  30. New ChrootDir Directive (2)
      Apache Disclaimer:
      Note that running the server under chroot is not simple, and requires additional setup, particularly if you are running scripts such as CGI or PHP. Please make sure you are properly familiar with the operation of chroot before attempting to use this feature.
  31. New ChrootDir Directive (3)
      Makes chroot easier, but still work required.
      Some typical directories required:
        CHR=/var/www/chroot/
        mkdir -p $CHR/var/www
        mv /var/www/* /var/www/chroot/var/www/
        mkdir $CHR/var/run
        mkdir $CHR/tmp
        mkdir -p $CHR/var/lib/php/session
      Usually others? Your Mileage Will Vary!
  32. Apache and SELinux, an Alternative to chroot
      A different (easier?) approach to chroot
      Implements Mandatory Access Controls
      Use SELinux in targeted mode
      In /etc/selinux/config, set
        SELINUXTYPE=targeted
      To test, start with
        SELINUX=permissive
      Switch to
        SELINUX=enforcing
  33. Apache SELinux Policies
      httpd_selinux(8) man page defines context types:
        - httpd_sys_content_t - all content access
        - httpd_sys_script_exec_t - for scripts
      /etc/selinux/targeted/contexts/files/file_contexts - labels directories with types
        /var/www/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
        /var/www(/.*)?            system_u:object_r:httpd_sys_content_t:s0
  34. Checking SELinux Labels
      Use -Z option on ls to see SELinux labels
        ls -Z /var/www
        drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
        drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
        drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
        drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
        drwxr-xr-x webalizer root system_u:object_r:httpd_sys_content_t usage
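An added check for the ls -Z output on slides 33 and 34; it is not part of the deck. It reads ls -Z lines from stdin, in both the older context format shown on the slide and the newer form with a trailing :s0 level, and prints entries whose type is not one of the content types httpd_selinux(8) lists for served files. The default type list, the extra httpd_sys_rw_content_t mentioned for uploads, and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag entries under the web tree whose SELinux type is not one
# httpd is expected to serve. Not from the deck; the sample listing is constructed.

# Types httpd_selinux(8) allows for served content (assumed default list).
# Pass a different space-separated list as the first argument, e.g. to add
# httpd_sys_rw_content_t for a directory the server must write to.
HTTPD_OK_TYPES='httpd_sys_content_t httpd_sys_script_exec_t'

# httpd_label_mismatches [OK_TYPES]   (reads "ls -Z" output on stdin)
# Prints "NAME TYPE" for each entry whose type is not in OK_TYPES. Handles
# the slide's user:role:type form and the newer user:role:type:level form;
# lines without a security context (e.g. "total 16") are skipped.
httpd_label_mismatches() {
    awk -v ok="${1:-$HTTPD_OK_TYPES}" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okt[a[i]] = 1 }
        {
            ctx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { ctx = $i; break }
            if (ctx == "") next              # no context on this line
            split(ctx, p, ":")               # p[3] is the type field
            if (!(p[3] in okt)) print $NF, p[3]
        }'
}

# Constructed listing: two correctly labelled entries from the slide plus an
# "upload" directory that was created by hand and picked up default_t.
SAMPLE_LS='drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxrwxr-x apache apache unconfined_u:object_r:default_t:s0 upload
total 16'

# Stand-alone demo. On a real host:
#   ls -Z /var/www | httpd_label_mismatches
#   restorecon -Rv /var/www     # reapply the file_contexts labels afterwards
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LS" | httpd_label_mismatches
fi
```

A mislabelled directory is what turns up when content is copied or created outside the paths file_contexts knows about; in enforcing mode httpd simply gets a denial, so finding such entries before switching from permissive to enforcing saves a confusing outage.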
  35. Limiting HTTP Request Methods
  36. HTTP Request Methods?
      RFC 2616 defines HTTP/1.1 Methods
        - GET - Most used - retrieves content
        - HEAD - Doesn't return body, used to check for existence and updates
        - POST - Typically used for FORM submissions
        - PUT - Push a resource up to the server
        - DELETE - Remove a resource
        - TRACE - For Debugging
        - CONNECT - for SSL Proxy connections
  37. Limiting HTTP Request Methods
      Limit Methods to HEAD, GET and POST
        <Directory "/var/www/html">
        Order allow,deny
        Allow from all
        <LimitExcept GET POST>
        deny from all
        </LimitExcept>
        Options None
        AllowOverride None
        </Directory>
      TRACE is not limited by this!
      HEAD is included with GET
  38. Deny HTTP Trace - Mod_Rewrite Technique
      TRACE method is part of the RFC HTTP protocol
      Reflects the request back to the client
      Intended for Debug
      Used for XST (Cross-Site Tracing) vulnerabilities
      Use mod_rewrite to deny TRACE Method
      [F] Flag returns 403 Forbidden
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACE
        RewriteRule .* - [F]
  39. Deny HTTP Trace - New TraceEnable Directive
      Description: Determines the behavior on TRACE requests
      Syntax: TraceEnable [on|off|extended]
      Default: TraceEnable on
      Context: server config
      Module: core
      Compatibility: Available in Apache 1.3.34, 2.0.55 and later
      Example:
        TraceEnable off
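An added shell lint for the httpd.conf points raised on slides 14 to 16 (unneeded modules, the conf.d include directory), 20 and 24 (locking down the root Directory) and 37 to 39 (LimitExcept and TraceEnable); it is not part of the deck or the CIS benchmark. It inspects the configuration text only, so it does not see statically compiled modules or directives pulled in through Include (run it on those files too), and the sample configuration in the demo is constructed.

```shell
#!/bin/sh
# Added example: text-level lint of an httpd.conf against the deck's advice.
# Not from the deck. Reads the file only; statically compiled modules and
# files pulled in by Include are not seen unless you lint them as well.

# LoadModule identifiers of the modules the deck says you probably don't need.
UNNEEDED_MODULES='dav_module dav_fs_module status_module proxy_module autoindex_module cern_meta_module'

# loaded_unneeded_modules CONF   - prints each LoadModule line for those modules
loaded_unneeded_modules() {
    for m in $UNNEEDED_MODULES; do
        grep -E "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" "$1" || true
    done
}

# trace_disabled CONF   - succeeds if "TraceEnable off" is set (slide 39)
trace_disabled() {
    grep -Eqi '^[[:space:]]*TraceEnable[[:space:]]+off[[:space:]]*$' "$1"
}

# root_directory_locked CONF   - succeeds if <Directory /> carries both
# "Options None" and "AllowOverride None" (slides 20 and 24)
root_directory_locked() {
    awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
        inroot && tolower($0) ~ /^[ \t]*<\/directory>/ { inroot = 0 }
        inroot && tolower($0) ~ /^[ \t]*options[ \t]+none[ \t]*$/ { opt = 1 }
        inroot && tolower($0) ~ /^[ \t]*allowoverride[ \t]+none[ \t]*$/ { ovr = 1 }
        END { if (opt && ovr) exit 0; exit 1 }
    ' "$1"
}

# methods_limited CONF   - succeeds if a <LimitExcept GET POST> block denies
# everything else (slide 37; HEAD rides along with GET)
methods_limited() {
    awk '
        tolower($0) ~ /^[ \t]*<limitexcept[ \t]+get[ \t]+post[ \t]*>/ { inlim = 1; next }
        inlim && tolower($0) ~ /^[ \t]*<\/limitexcept>/ { inlim = 0 }
        inlim && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# include_dir_conf_files DIR   - the *.conf files Red Hat auto-includes from
# /etc/httpd/conf.d (slide 16). Review each; remove the owning rpm
# ("rpm -qf FILE", then "rpm -e PKG") rather than just the file.
include_dir_conf_files() {
    find "$1" -maxdepth 1 -name '*.conf' 2>/dev/null || true
}

# audit_httpd_conf CONF   - one finding per line, nothing if all checks pass
audit_httpd_conf() {
    loaded_unneeded_modules "$1" | sed 's/^/unneeded module loaded: /'
    trace_disabled "$1"        || echo "TraceEnable off is not set"
    root_directory_locked "$1" || echo "<Directory /> lacks Options None + AllowOverride None"
    methods_limited "$1"       || echo "no <LimitExcept GET POST> deny block found"
}

# Usage on a Red Hat style host (paths from the slides):
#   audit_httpd_conf /etc/httpd/conf/httpd.conf
#   for f in $(include_dir_conf_files /etc/httpd/conf.d); do audit_httpd_conf "$f"; done
```

The TraceEnable check matters even when the mod_rewrite rule from slide 38 is in place: the rewrite rule applies only where the engine is on and the rule is reached, whereas TraceEnable off is a server-wide setting in core.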
  40. Mod Security - The Web Application Firewall
  41. Mod_Security Features
      Open Source Web Application Firewall
      Features:
        - Request filtering
        - Anti-evasion techniques - paths and parameters are normalized
        - Understands the HTTP protocol
        - Performs very specific and fine grain filtering.
        - POST payload analysis
  42. Mod_Security Features (2)
      More Features:
        - Audit logging - Full details can be logged for later analysis
        - HTTPS - Analysis performed after decryption
        - Inspect and Filter Any Headers
        - Buffer Overflow Protection
        - Attack Detection and Prevention
  43. Mod_security Configuration
      Easily Installed via package, or build from source.
      Configuration mod_security.conf
      Rename file if using include conf.d/
        LoadModule security_module modules/mod_security.so
        <IfModule mod_security.c>
        # Turn the Filtering and Audit engine On
        SecFilterEngine On
        SecAuditEngine RelevantOnly
  44. Mod_security Configuration (2)
      More Basic Feature Configuration
        # Make sure that URL encoding is valid
        SecFilterCheckURLEncoding On
        # Unicode encoding check
        SecFilterCheckUnicodeEncoding On
        # Only allow bytes from this range
        SecFilterForceByteRange 1 255
        # Cookie format checks.
        SecFilterCheckCookieFormat On
        # The name of the audit log file
        SecAuditLog logs/audit_log
        # Should mod_security inspect POST payloads
        SecFilterScanPOST On
        # Default action set
        SecFilterDefaultAction "deny,log,status:406"
  45. Mod_security Filters (1)
      Basic Recommended Filters
        # Require HTTP_USER_AGENT and HTTP_HOST headers
        SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
        # Only accept request encodings we know how to handle
        # we exclude GET requests because some (automated)
        # clients supply "text/html" as Content-Type
        SecFilterSelective REQUEST_METHOD "!^GET$" chain
        SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
  46. Mod_security Filters (2)
      More Basic Recommended Filters
        # Require Content-Length to be provided with
        # every POST request
        SecFilterSelective REQUEST_METHOD "^POST$" chain
        SecFilterSelective HTTP_Content-Length "^$"
        # Don't accept transfer encodings we don't handle
        SecFilterSelective HTTP_Transfer-Encoding "!^$"
  47. Logging and Monitoring
  48. Logging Directives
      LogLevel Controls Verbosity
        - Values are emerg, alert, crit, error, warn, notice, info and debug
        - Notice is recommended
      ErrorLog - File name for logging errors
      LogFormat - Defines format of log entries
      CustomLog logs/access_log combined
  49. Logging Directives (2)
      Sample Logging Configuration
        LogLevel notice
        ErrorLog logs/error_log
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Accept}i\" \"%{Referer}i\" \"%{User-Agent}i\"" combined
        CustomLog logs/access_log combined
      Combined format is fairly standard and handled well by log analysis software
      Use Swatch or LogWatch for log monitoring.
  50. Log Monitoring
      Sample LogWatch output with Web Attacks
      Requests with error response codes
        404 Not Found
          //README: 2 Time(s)
          //chat/messagesL.php3: 1 Time(s)
          //graph_image.php: 1 Time(s)
          /PhpMyChat//chat/messagesL.php3: 1 Time(s)
          /horde-3.0.5//README: 2 Time(s)
        406 Not Acceptable
          /: 2 Time(s)
          /robots.txt: 1 Time(s)
  51. Log Monitoring (2)
      More Samples of Web Scans / Attacks
      Looking for open proxy & phone apps?
        400 Bad Request
          http://www.wantsfly.com/prx.php?hash=457F6 ...
        404 Not Found
          /apple-touch-icon.png: 1 Time(s)
          /iphone/: 2 Time(s)
          /mobi/: 2 Time(s)
          /mobile/: 2 Time(s)
          /pda/: 2 Time(s)
          /sql/: 1 Time(s)
  52. Abuse Reports
      Why Report Attacks on your Servers?
        - Makes it more difficult for the attacker (Yeah, mostly for the script kiddies)
        - Educates organizations on the state of their system and their need for response
        - Helps make the Internet a better place
      Choose your "favorites" to report
      Use whois on the source IP address to find the abuse email contact
      Reporting to questionable organizations may not be helpful, or helpful in the wrong way.
  53. Abuse Reports - How to (2)
      Keep it Simple, Just the facts.
        To: abuse@example.com
        Subject: web vulnerability attack from IP xx.xx.xx.xx
        Logs are included below of a web vulnerability attack from the above address. This system may have been compromised or infected. Please take action to prevent further abuse. An e-mail reply is appreciated.
        Thank you for taking action on this.
        -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
        Information Security Consultant
        USA 585-624-9551
        Logs are NTP time synced in USA EDT TZ
  54. Abuse Reports (2)
      Send Sample of Access Web Logs
        xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
        xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
        xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
        xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /sql/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
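An added example covering the log monitoring on slides 50 and 51 and the abuse-report procedure on slides 52 to 54; it is not part of the deck. It reads combined-format access log lines, produces the "requests with error response codes" summary that LogWatch shows, ranks source addresses by error count, and assembles the report text from slide 53 with that address's log lines appended. The log lines are constructed (RFC 5737 documentation addresses stand in for the slide's xx.xx.xx.xx), and the abuse mailbox is a parameter you take from the whois lookup the deck describes.

```shell
#!/bin/sh
# Added example: LogWatch-style error summary, noisiest sources, and the
# abuse report from the slides, all from a combined-format access log.
# Not from the deck; the log lines below are constructed.
SAMPLE_LOG='192.0.2.10 - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [03/Sep/2009:06:26:32 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.10 - - [03/Sep/2009:06:26:33 -0400] "GET /sql/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [03/Sep/2009:07:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2009:07:00:01 -0400] "POST /robots.txt HTTP/1.1" 406 341 "-" "Mozilla/5.0"'

# error_requests_by_path   (log on stdin)
# Prints "STATUS PATH COUNT" for every request answered with a 4xx/5xx, the
# same grouping as LogWatch's "Requests with error response codes". The
# status is read from the field after the quoted request line, so a path
# containing spaces or a malformed request line does not shift it.
error_requests_by_path() {
    awk '
        {
            n = split($0, q, "\"")          # q[2] = request line, q[3] = " status bytes "
            if (n < 3) next
            split(q[2], r, " "); split(q[3], s, " ")
            if (s[1] + 0 < 400) next
            count[s[1] " " r[2]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# error_sources   (log on stdin)
# Prints "IP COUNT" of error responses per client address, busiest first;
# the 406s here are what mod_security's default action on slide 44 returns.
error_sources() {
    awk '
        {
            n = split($0, q, "\""); if (n < 3) next
            split(q[3], s, " ")
            if (s[1] + 0 >= 400) count[$1]++
        }
        END { for (k in count) print k, count[k] }' | sort -k2,2nr -k1,1
}

# lines_for_ip IP   (log on stdin) - the evidence to attach to a report
lines_for_ip() {
    awk -v ip="$1" '$1 == ip'
}

# abuse_report IP ABUSE_ADDR   (log on stdin)
# Assembles the message from slide 53 with that address's log lines appended.
# Take ABUSE_ADDR from the abuse contact shown by "whois IP".
abuse_report() {
    ip=$1; to=$2
    printf 'To: %s\n' "$to"
    printf 'Subject: web vulnerability attack from IP %s\n\n' "$ip"
    printf 'Logs are included below of a web vulnerability attack from the above\n'
    printf 'address. This system may have been compromised or infected. Please\n'
    printf 'take action to prevent further abuse. An e-mail reply is appreciated.\n\n'
    printf 'Thank you for taking action on this.\n\n'
    printf 'Logs are NTP time synced in USA EDT TZ\n\n'
    lines_for_ip "$ip"
}

# Stand-alone demo on the constructed log; on a real host replace the
# printf with "cat /var/log/httpd/access_log".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | error_requests_by_path
    printf '%s\n' "$SAMPLE_LOG" | error_sources
    printf '%s\n' "$SAMPLE_LOG" | abuse_report 192.0.2.10 abuse@example.com
fi
```

Ranking by error count rather than by request count is what separates a vulnerability scan (many 404s for files that never existed on this host, as in the slide 54 sample) from a busy legitimate client, and it is the per-address view you need before deciding which "favorites" to report.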
  55. Abuse Reports (3)
      Some Recent Interesting User Agents in Logs
        xx.xx.xx.xx - - [03/Sep/2009:20:04:50 -0400] "GET / HTTP/1.0" 200 67 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3"
        xx.xx.xx.xx - - [03/Sep/2009:20:05:01 -0400] "GET /apple-touch-icon.png HTTP/1.0" 404 218 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3"
  56. Abuse Responses
      From: Amazon EC2 Abuse ec2-abuse-team@amazon.com
      Thank you for submitting your abuse report.
      We have received your report of Intrusion Attempts originating from our network. We have completed an initial investigation of the issue and learned that the activity you noticed did indeed originate from an Amazon EC2 instance. These intrusion attempts that you report were not, however, initiated by Amazon.
      One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. . . .
      That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use. This instance has since been terminated.
  57. OSSEC.net
      OSSEC - Open Source HIDS, central logging and monitoring solution - aka SIM/SEM/SIEM
      Supports most platforms: Linux/Unix/Windows/Mac
      Real-time alerting
      Active response - blocking of attacks
      Agent and Agentless monitoring
      File Integrity Monitoring
      Rootkit detection
  58. Durkee Consulting, Inc.
      www.rd1.net  rd@rd1.net
      Questions?