HARDENING IN APACHE WEB SERVER
This presentation is part of the Utah Networxs course Hardening Web Servers.

The goal is to show options for configuring Apache web server security and protecting the server against possible attacks.

The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb, and the source code, for modifying it or building a new Debian package, is available at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz

Thanks...

Utah Networxs
Walking to Giants

    Presentation Transcript

    • “Mapping threats, mitigating risk and implementing corrective activities in Web Servers”
    • WHO ARE WE? FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL. 17 YEARS OF PRACTICE IN LINUX. 12 YEARS WITH THE BEST LINUX IN BRAZIL. MORE THAN 50.000 STUDENTS TRAINED. MORE THAN 5.000 CLIENTS IN DIFFERENT PROJECTS. LPI-C ATP IN BRAZIL. MORE: www.utah.com.br
    • SOCIAL MEDIA: Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
    • Speaker: Fabio Pires. Mini curriculum: Graduated in Computer Science; Graduated as Bachelor of Computing; Post Graduate in Project Analysis and Systems - FATEC; Post Graduate in S.O. Linux - UFLA; LPIC; Teacher of Undergraduate and Graduate courses; Twitter in spare time. Contact: fpires@utah.com.br
    • TARGET: “PRESENT ONE AMONG SEVERAL SOLUTIONS FOR BUILDING WEB SERVER "HARDENING" THROUGH THE USE OF FREE TOOLS TO MINIMIZE THE IMPACT OF ATTACKS.”
    • VULNERABILITY STACK
    • WEBSERVER MARKET SHARES
    • OPEN SOURCE WEB SERVER ARCHITECTURE
    • VULNERABILITY WEB APPLICATIONS
    • WHY ARE WEB SERVERS COMPROMISED?
    • TOOLS: HTTPrint – web server banner; Nikto – vulnerabilities; Nessus – vulnerabilities; w3af – audit and exploitation; nmap – port scan
    • MITIGATING RISKS: DoS attack; DDoS attack; brute force (ssh, telnet); port scanning attack; ping flooding attack; elevation of privilege; man-in-the-middle attack; directory traversal; password cracking (spoofing, phishing, Trojan horse)
    • DEPLOYING CORRECTION - What is hardening? It is a process of mapping threats, mitigating risk and implementing corrective activities, focused on the infrastructure, with the primary goal of making it ready to face attack attempts.
    • PRACTICE IN WEB SERVER APACHE - Where do you get packages? - Package repository - MD5SUM verified - Security updates - Pre-compiled package or source package
    • PRACTICE IN WEB SERVER APACHE # CHROOT JAIL
    • CHROOT ARCHITECTURE APACHE (directory tree diagram): / contains bin, boot, chroot, dev, etc, home, lib, mnt, opt, proc, root, sbin, tmp, usr, var; the chroot directory contains its own dev, etc, lib, usr and var.
    • DISABLE UNUSED MODULES suexec userdir cgi / cgid autoindex
    • RESTRICT RESOURCES - Number of processes: with RES=7000k, SHR=2500k and 400M available for Apache, the result is 400/(7-2.5) = 89. RES=Resident
    • MITIGATE MEMORY LEAKS: MaxRequestsPerChild 10000
    • RESTRICT INCOMING CONNECTIONS
      # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
    • FILE PERMISSIONS
      # find /srv/www -user utahuser
      # find /srv/www ! -type l \( -perm /o=w -o -perm /g=w -group utahgroup \)
    • SEARCH FILES AND SSL
      * Search hidden files:
      # find /var/www -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
      * SSL key files: make sure your SSL keys are only readable by the root user.
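As an added example (not from the slides or the Utah Networxs package), the following POSIX shell script turns the file-permission, hidden-file and SSL-key checks of the two slides above into reusable functions and runs them against a constructed document root under a temporary directory. The document root path and the web server's group are assumptions passed in by the caller; the sample files are constructed so that each check produces exactly one finding.

```shell
#!/bin/sh
# Added example, not from the slides: audit a web document root for
# writable files, stray hidden/backup files and exposed SSL private keys.
# The document root and the web server's group are caller-supplied assumptions.

# Regular files (symlinks skipped, as on the slide) that are world-writable,
# or group-writable by a group other than the one the web server runs as.
find_writable_files() {
    docroot=$1
    webgroup=$2
    find "$docroot" -type f \( -perm -o=w -o \( -perm -g=w ! -group "$webgroup" \) \)
}

# Hidden files other than Apache's own .ht* files, plus editor backups and
# old copies that should never sit under a document root.
find_stray_files() {
    docroot=$1
    find "$docroot" -type f \( \( -name '.?*' ! -name '.ht*' \) \
        -o -name '*~' -o -name '*.bak*' -o -name '*.old*' \)
}

# Private key files readable by group or others. Root ownership is the
# slide's other requirement; check it with: find "$dir" -name '*.key' ! -user root
find_exposed_keys() {
    docroot=$1
    find "$docroot" -type f \( -name '*.key' -o -name '*.pem' \) \
        \( -perm -g=r -o -perm -o=r \)
}

# Constructed sample tree (not real site content) with one finding per check.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/uploads" "$root/ssl"
    printf 'index\n' > "$root/htdocs/index.html";   chmod 644 "$root/htdocs/index.html"
    printf 'x\n' > "$root/htdocs/uploads/upload.php"; chmod 666 "$root/htdocs/uploads/upload.php"
    printf 'x\n' > "$root/htdocs/.htaccess";        chmod 644 "$root/htdocs/.htaccess"
    printf 'x\n' > "$root/htdocs/.env";             chmod 644 "$root/htdocs/.env"
    printf 'x\n' > "$root/htdocs/config.php~";      chmod 644 "$root/htdocs/config.php~"
    printf 'key\n' > "$root/ssl/site.key";          chmod 644 "$root/ssl/site.key"
    printf 'key\n' > "$root/ssl/safe.key";          chmod 600 "$root/ssl/safe.key"
    echo "$root"
}

# Stand-alone run: audit the constructed tree, then remove it.
demo=$(make_demo_root)
echo "== writable files =="; find_writable_files "$demo" "$(id -gn)"
echo "== stray files ==";    find_stray_files "$demo"
echo "== exposed keys ==";   find_exposed_keys "$demo"
rm -rf "$demo"
```

Run it against a real site as `find_writable_files /srv/www www-data` (substituting the group Apache actually runs as); any path printed by the three functions is something to fix or remove before the server goes live.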
    • OTHER APACHE CONFIG
      * Beware of certain RewriteRules
        # INSECURE configuration, don't use!
        RewriteRule ^/old/directory/(.*)$ /$1
        # SECURE - use this instead
        RewriteRule ^/old/directory/(.*)$ /$1 [PT]
      * Don't use Limit/LimitExcept (conf.d/security)
      * TraceEnable off
    • OTHER APACHE CONFIG
      * ServerSignature Off
      * ServerTokens Prod
      * Remove PHP scripts (test.php, info.php, i.php, php.info)
      * Disable directory indexing
      * Disable WebDAV
      * Enable PHP basedir
      * Install a web firewall (mod_security)
      * Suhosin PHP
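As an added example (not from the slides), this POSIX shell script audits an Apache configuration read from standard input for the settings listed on the two slides above (ServerTokens, ServerSignature, TraceEnable, directory indexing, WebDAV, and a RewriteRule whose path substitution carries no [PT] flag) and prints one finding per weak directive. The directive names are real Apache directives; the two virtual-host fragments are constructed, the first reproducing the insecure settings and the second applying the slides' recommendations so that the audit reports nothing.

```shell
#!/bin/sh
# Added example, not from the slides: audit an Apache configuration (stdin)
# for the weak settings the slides call out. Sample fragments are constructed.

audit_apache_conf() {
    # Strip comments, then examine each directive with awk.
    sed 's/#.*$//' | awk '
    $1 == "ServerTokens"    { tokens = $2 }
    $1 == "ServerSignature" { if (tolower($2) != "off") print "ServerSignature " $2 ": set to Off" }
    $1 == "TraceEnable"     { trace = tolower($2) }
    $1 == "Dav" && tolower($2) == "on" { print "Dav On: WebDAV enabled" }
    $1 == "Options" {
        for (i = 2; i <= NF; i++)
            if ($i == "Indexes" || $i == "+Indexes") print "Options " $i ": directory indexing enabled"
    }
    # A path substitution with neither a [PT] nor a redirect flag is the
    # case the slide marks INSECURE.
    $1 == "RewriteRule" && $3 ~ /^\// && $4 !~ /\[.*(PT|R).*\]/ {
        print "RewriteRule " $2 " " $3 ": path substitution without [PT]"
    }
    END {
        if (tokens == "") tokens = "(unset)"
        if (tokens != "Prod") print "ServerTokens " tokens ": set to Prod"
        if (trace == "") trace = "(unset)"
        if (trace != "off") print "TraceEnable " trace ": set to off"
    }'
}

# Constructed vhost fragment with the weak settings the slides warn about.
weak_conf() {
cat <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable on
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
RewriteEngine on
# Marked INSECURE on the slide: no [PT] flag
RewriteRule ^/old/directory/(.*)$ /$1
EOF
}

# The same fragment after applying the slides' recommendations.
hardened_conf() {
cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>
RewriteEngine on
RewriteRule ^/old/directory/(.*)$ /$1 [PT]
EOF
}

echo "== weak =="; weak_conf | audit_apache_conf
echo "== hardened (no findings expected) =="; hardened_conf | audit_apache_conf
```

On a live system the audit can be pointed at the merged configuration with `apache2ctl -t -D DUMP_INCLUDES` listing the files to feed it, or simply `cat /etc/apache2/apache2.conf /etc/apache2/conf-enabled/*.conf | audit_apache_conf`; unset ServerTokens and TraceEnable are reported because Apache's defaults for both are the permissive ones.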
    • SUHOSIN PHP - BASIC
      suhosin.executor.include.max_traversal=4 (../../../../)
      suhosin.executor.disable_emodifier=Off (exec function)
      suhosin.mail.protect=2 (protect against spammer attacks)
      suhosin.memory_limit=256M
      suhosin.filter.action=402 (return code when an error is detected)
      suhosin.upload.max_uploads=100
    • SUHOSIN PHP - BASIC
      suhosin.request.max_array_depth=4096
      suhosin.request.max_array_index_length=2048
      suhosin.request.max_name_length=2048
      suhosin.request.max_value_length=650000
      suhosin.request.max_vars=4096
      suhosin.post.max_array_depth=8048
      suhosin.post.max_array_index_length=1024
      suhosin.post.max_name_length=2048
      suhosin.post.max_totalname_length=8048
      suhosin.post.max_vars=4096
    • OTHER APACHE CONFIG
      * ErrorDocument 404 errors/404.html
      * ErrorDocument 500 errors/500.html
      * ServerAdmin (use a mail alias)
      * UserDir disabled root
    • INSTALL PACKAGE
      # dpkg -i hardening-apache_beta-01.deb
    • PROBLEMS: unique user; insert dialog; portable to other distros
    • QUESTIONS?
    • SOURCES OF RESEARCH: Apache Foundation www.apache.org; EC-Council www.eccouncil.org; Utah Hardening Course www.utah.com.br; Images - EC-Council www.eccouncil.org