Apache Web Server Setup 4

  1. Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning. Rutgers University Internet Institute. Instructor: Chris Uriarte (CU520-03- WMPUPDT)
  2. Today's Session
     - Protecting your Web server against attacks.
     - Providing authenticated access to your Web site.
     - Overview of SSL-enabled Web servers.
     - Apache performance tuning.
     - Wrap-up and evaluations.
  3. Levels of Web Server Security
     - Protecting data supplied through client browsers.
     - Protecting or restricting access to data stored on your Web server.
     - Protecting the Web server software.
     - Protecting the server that houses your Web server.
  4. Common Attacks on Systems that Run Web Servers
     - CGI exploits
       - Badly written or buggy Web applications (CGI programs) allow access to restricted resources or consume server resources.
     - DoS (Denial of Service)
       - Software or operating-system server exploits
     - Packet sniffers
       - Hackers "sniff" clear-text passwords
     - Buffer overflows
       - Attacks that cause a piece of software to crash and possibly give unprivileged users privileged access
  5. Securing Your Web Server
     - Restrict access (by location or authentication) to file systems and resources.
       - Password or IP authentication/authorization
     - Disable server-side technologies if they are not required.
       - Disable CGI access and Server Side Includes
       - Remove ExecCGI and Includes from the Options directive in your httpd.conf
     - Do not run your server as "root."
       - The User directive in httpd.conf should specify a user other than root (e.g. nobody, www, etc.)
  6. Securing Your Web Server, cont.
     - Filter traffic with a firewall.
       - A network device that only allows access to particular resources on a network
     - Use encryption technologies (ssh, ssl).
     - Monitor your logs for problems.
     - Secure the system that hosts your Web server: disable ports and services not in use, install security patches, take preventative measures against popular exploits.
       - Websites like http://www.cert.org and www.securityfocus.com have information on current exploits
  7. Access by Authentication
     - Standard authentication modules: mod_auth, mod_auth_anon, mod_auth_dbm, mod_auth_db, mod_digest
     - Access in Apache can be defined by user or group.
     - For Basic Authentication:
         <Directory /home/iti1234/htdocs/restricted>
         AuthType Basic
         AuthName "Restricted Access"
         AuthUserFile /usr/local/apache/passwd.file
         AuthGroupFile /usr/local/apache/group.file
         require user user1
         require group group1 group2
         </Directory>
  8. Authentication, cont.
     - Authenticated access is often set up through a .htaccess file in the directory you want to protect, but it can also be set up in httpd.conf.
     - With Basic authentication, passwords are sent in the clear.
  9. Basic Authentication: Line by Line
     - You can keep authentication info in a <Directory> block in httpd.conf or in an .htaccess file.
     - First, specify the AuthType, which is Basic:
         AuthType Basic
     - Next, specify the text string that will be displayed when the username/password box is presented to the user:
         AuthName "My Secret Webpages"
     - Next, specify the path to a file that will contain the usernames and passwords of your users:
         AuthUserFile /home/apache/passwd.file
       (best to keep this file out of the DocumentRoot)
  10. Basic Authentication, cont.
     - Finally, add a require statement within a <Limit GET> block, which can limit the access to a specific username or group. This can contain a list of groups, user names or the text "valid-user" to represent any valid user in the password file:
         <Limit GET>
         require valid-user
         </Limit>
  11. Basic Authentication, cont.
     - The final block looks like this:
         <Directory /home/iti1234/htdocs/restricted>
         AuthType Basic
         AuthName "My Secret Webpage"
         AuthUserFile /home/apache/passwd.file
         <Limit GET>
         require valid-user
         </Limit>
         </Directory>
     - ... which will prompt a user for a username/password when any document under /home/iti1234/htdocs/restricted is requested.
  12. Creating a Password File
     - htpasswd is a utility for generating encrypted passwords and creating a password file.
     - Part of the Apache distribution, located in {SERVER ROOT}/bin/htpasswd
     - Usage: htpasswd [-c] password-file username
     - The -c flag creates a new password file.
     - Example, which creates a new password file and adds the user named on the command line (type all on one line):
         /home/iti1234/bin/htpasswd -c /home/iti1234/apache/passwdfile username
  13. Exercise: Password Protecting Your Website
     - For this exercise, you will make the Website running on your workstation password-restricted using a .htaccess file.
     - In the Directory container for your document root (/home/itiXXXX/apache/htdocs) in httpd.conf, set the following:
         AllowOverride AuthConfig
  14. Exercise, cont.
     - In /home/itiXXX/apache/htdocs, create a .htaccess file with the following contents:
         AuthUserFile /home/itiXXXX/apache/.htpasswd
         AuthGroupFile /dev/null
         AuthName "My Protected Site"
         AuthType Basic
         <Limit GET>
         require valid-user
         </Limit>
  15. Exercise, cont.
     - Next, create a password file using htpasswd:
         htpasswd -c /home/itiXXXX/apache/.htpasswd guest
     - Provide the password for the guest user when prompted.
     - Access your website (http://iti.rutgers.edu:PORT/) and provide the username/password.
  16. Restrict Access by Location Authorization
     - As discussed in Meeting 2, you can restrict access to Web resources by IP address, hostname, domain name and IP block by using a <Directory> block in httpd.conf or an .htaccess file:
         <Directory /home/itiXX/htdocs/restricted>
         order deny,allow
         deny from all
         allow from .rutgers.edu
         </Directory>
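The following is an added example (not the course's own code) that shows what the server does with the credentials the browser sends after the AuthName prompt on slides 9 through 15, and why slide 8's "passwords sent in the clear" warning matters: the Authorization header is only base64-encoded, so any plain-HTTP request reveals the password to the packet sniffer of slide 4. It assumes the password file was written in htpasswd's {SHA} scheme (`htpasswd -s`, which stores base64(SHA-1(password))); the sample file is constructed in code and does not come from a real server.

```python
"""Server-side check of HTTP Basic credentials against an htpasswd-style file.
Added example; assumes the {SHA} scheme written by `htpasswd -s`.
The sample password file below is constructed here, not taken from a server."""
import base64
import binascii
import hashlib
import hmac


def sha_entry(user: str, password: str) -> str:
    """Build one htpasswd line in the {SHA} scheme, as `htpasswd -s` would write it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample password file (two users, both in the {SHA} scheme).
PASSWD_FILE = "\n".join([
    "# users for the exercise site",
    sha_entry("guest", "letmein"),
    sha_entry("alice", "correct horse battery staple"),
]) + "\n"


def load_htpasswd(text: str) -> dict:
    """Parse htpasswd text into {user: stored-hash}; blanks and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep and user:
            users[user] = stored
    return users


def make_basic_header(user: str, password: str) -> str:
    """What a browser sends after the AuthName prompt: base64 only, no encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """Return (user, password) from an Authorization header value, or None if malformed.
    The encoding is reversible: anyone who reads a plain-HTTP request recovers the
    password, which is why Basic auth belongs on an SSL/TLS-protected connection."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password itself may contain ':'
    if not sep or not user:
        return None
    return user, password


def check_sha_password(stored: str, password: str) -> bool:
    """Compare a candidate password with a {SHA} entry in constant time."""
    if not stored.startswith("{SHA}"):
        return False  # crypt/apr1/bcrypt entries are outside this example
    candidate = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], candidate)


def authenticate(header: str, users: dict):
    """Return the authenticated username (the `require valid-user` case), else None."""
    creds = decode_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = users.get(user)
    if stored is None or not check_sha_password(stored, password):
        return None
    return user


if __name__ == "__main__":
    users = load_htpasswd(PASSWD_FILE)
    hdr = make_basic_header("guest", "letmein")
    print("header on the wire:", hdr)
    print("decodes to:", decode_basic_header(hdr))
    print("authenticated as:", authenticate(hdr, users))
```

The check ignores the HTTP method. Apache itself does not when `require` is wrapped in `<Limit GET>` as on slides 10, 11 and 14: that restriction applies only to GET (and HEAD) requests, so other methods such as POST reach the directory without authentication. The Apache documentation therefore recommends placing `require` directly in the `<Directory>` or .htaccess context rather than inside `<Limit>`.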
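As an added example (not the course's own code), the evaluator below applies the Order / Deny from / Allow from rules of slide 16 to a client and shows the general algorithm of which the slide gives one instance, including the `allow,deny` ordering and IP-block patterns. Assumptions: the client's hostname is passed in already reverse-resolved (Apache only has one when it performs a hostname lookup), patterns are limited to `all`, host or domain names, partial dotted IPs and CIDR or netmask networks, and the configuration blocks are constructed copies for the demonstration. This is the Apache 1.3/2.2 mod_access syntax; Apache 2.4 replaced these directives with `Require`.

```python
"""Evaluate Apache 1.3/2.2 host-based access control (Order, Deny from, Allow from).
Added example; hostnames are assumed to be resolved already."""
import ipaddress


def parse_access_directives(config_text: str):
    """Extract (order, deny_patterns, allow_patterns); Apache's default Order is Deny,Allow."""
    order, deny, allow = "deny,allow", [], []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif directive in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            (deny if directive == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def host_matches(pattern: str, client_ip: str, client_host=None) -> bool:
    """Match one Allow/Deny pattern against a client address and optional hostname."""
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if "/" in pattern:  # CIDR (10.1.0.0/16) or netmask (10.1.0.0/255.255.0.0) form
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern[0].isdigit():  # full or partial dotted IP such as "10.1.2.3" or "10.1."
        wanted = pattern.rstrip(".").split(".")
        return client_ip.split(".")[: len(wanted)] == wanted
    if client_host is None:  # name pattern but no resolved hostname: cannot match
        return False
    host = client_host.lower()
    if pattern.startswith("."):  # ".rutgers.edu" matches any host inside that domain
        return host.endswith(pattern)
    # "rutgers.edu" matches the host itself or a whole-component subdomain only
    return host == pattern or host.endswith("." + pattern)


def access_allowed(config_text: str, client_ip: str, client_host=None) -> bool:
    """Apply the Order semantics:
    deny,allow  -> Deny evaluated first, then Allow; unmatched clients are allowed.
    allow,deny  -> Allow evaluated first, then Deny; unmatched clients are denied."""
    order, deny, allow = parse_access_directives(config_text)
    denied = any(host_matches(p, client_ip, client_host) for p in deny)
    allowed = any(host_matches(p, client_ip, client_host) for p in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order}")


# Constructed copy of the block on slide 16.
SLIDE_BLOCK = """
<Directory /home/itiXX/htdocs/restricted>
order deny,allow
deny from all
allow from .rutgers.edu
</Directory>
"""

# Constructed variant: admit one network (CIDR), then carve out a single host.
OFFICE_BLOCK = """
order allow,deny
allow from 10.1.0.0/16
deny from 10.1.2.3
"""

if __name__ == "__main__":
    for ip, host in [("128.6.1.1", "www.rutgers.edu"), ("203.0.113.5", "host.example.com"), ("128.6.1.1", None)]:
        print(ip, host, "->", "allowed" if access_allowed(SLIDE_BLOCK, ip, host) else "denied")
```

The third case in the usage block is the one to remember when a hostname-based `allow` stops working: with `deny from all` and a name pattern, a client whose address does not reverse-resolve is denied, because the Allow line has nothing to match against.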