HARDENING IN APACHE WEB SERVER

This presentation is part of the Utah Networxs course Hardening Web Servers.

The goal is to show options for configuring Apache web server security and protecting the server against possible attacks.

The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb, and the source code to modify it or build a new Debian package is available at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz

Thanks...

Utah Networxs
Walking to Giants

Published in: Technology

Transcript

  • 1. “Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
  • 2. WHO WE ARE? FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL. 17 YEARS OF PRACTICE IN LINUX. 12 YEARS WITH THE BEST LINUX IN BRAZIL. MORE THAN 50.000 STUDENTS TRAINED. MORE THAN 5.000 CLIENTS IN DIFFERENT PROJECTS. LPI-C ATP IN BRAZIL. MORE: www.utah.com.br
  • 3. SOCIAL MEDIA
       Follow! @fabioandpires
       Follow! @utah_networxs
       Enjoy! Utah Networxs
  • 4. Speaker: Fabio Pires
       Mini Curriculum: Graduated in Computer Science; Bachelor of Computing; Post Graduate in Project Analysis and Systems - FATEC; Post Graduate in Linux OS - UFLA; LPIC; Teacher of Undergraduate and Graduate courses; Twitter in Spare Time
       Contact: fpires@utah.com.br
  • 5. TARGET “PRESENT ONE AMONG SEVERAL SOLUTIONS FOR BUILDING A WEB SERVER "hardening" THROUGH THE USE OF FREE TOOLS TO MINIMIZE THE IMPACT OF ATTACKS.”
  • 6. VULNERABILITY STACK
  • 7. WEBSERVER MARKET SHARES
  • 8. OPEN SOURCE WEB SERVER ARCHITECTURE
  • 9. WEB APPLICATION VULNERABILITIES
  • 10. WHY ARE WEB SERVERS COMPROMISED?
  • 11. TOOLS
       - HTTPPRINT – web server banner
       - NIKTO – vulnerabilities
       - NESSUS – vulnerabilities
       - W3AF – audit and exploitation
       - NMAP – port scan
  • 12. MITIGATING RISKS
       - DoS Attack
       - DDoS Attack
       - Brute Force (ssh, telnet)
       - Port Scanning Attack
       - Ping Flooding Attack
       - Elevation of Privilege
       - Man in the Middle Attack
       - Directory Traversal
       - Password Cracking (Spoofing, Phishing, Trojan Horse)
  • 13. DEPLOYING CORRECTIONS
       What is Hardening? It is a process of mapping threats, mitigating risk and implementing corrective activities, focused on the infrastructure, with the primary goal of making it ready to face attack attempts.
  • 14. PRACTICE IN WEB SERVER APACHE
       Where do you get packages from?
       - Package repository
       - MD5SUM verified
       - Security updates
       - Pre-compiled package or source package
  • 15. PRACTICE IN WEB SERVER APACHE
       # CHROOT JAIL
  • 16. CHROOT ARCHITECTURE APACHE
       /        : bin boot chroot dev etc home lib mnt opt proc root sbin tmp usr var
       /chroot  : dev etc lib usr var
  • 17. DISABLE UNUSED MODULES
       - suexec
       - userdir
       - cgi / cgid
       - autoindex
  • 18. RESTRICT RESOURCES
       Number of processes: with RES=7000k, SHR=2500k and 400M available for Apache, the result is 400/(7-2.5) = 89. RES = Resident
  • 19. MITIGATE MEMORY LEAKS
       MaxRequestsPerChild 10000
  • 20. RESTRICT INCOMING CONNECTIONS
       # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
  • 21. FILE PERMISSIONS
       # find /srv/www -user utahuser
       # find /srv/www ! -type l \( -perm /o=w -o -perm /g=w -group utahgroup \)
  • 22. SEARCH FILES AND SSL
       - Search hidden files:
         # find /var/www -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
       - SSL key files: make sure your SSL keys are only readable by the root user.
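As an added example (not part of the deck or of the Utah package), a POSIX shell script that applies the checks of slides 21 and 22 to a constructed web root and SSL directory: group/other-writable files, hidden and backup leftovers, and key files with any group/other permission bit set. The directory names and file names are hypothetical and built inside a temporary directory.

```sh
#!/bin/sh
# Added example (not from the original deck): slide 21-22 style checks over a web
# root and an SSL directory. Paths are hypothetical; the tree is constructed below.

# Files and directories under $1 writable by group or others, skipping symlinks.
# -perm /022: any of the g+w / o+w bits set (GNU find syntax).
writable_files() {
    find "$1" ! -type l -perm /022 -print
}

# Hidden and backup leftovers under $1, ignoring Apache's own .ht* files.
leftover_files() {
    find "$1" \( -name '.?*' ! -name '.ht*' -o -name '*~' -o -name '*.bak*' -o -name '*.old*' \) -print
}

# Key files under $1 with any group/other permission bit set (-perm /077).
# On a real host also confirm ownership: find "$1" -name '*.key' ! -user root
exposed_keys() {
    find "$1" -type f -name '*.key' -perm /077 -print
}

# Constructed, deliberately flawed tree so the checks have something to report.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/www/uploads" "$d/ssl"
    chmod 755 "$d/www" "$d/ssl"
    chmod 777 "$d/www/uploads"                                                 # world-writable upload dir
    printf 'ok\n'  > "$d/www/index.html";     chmod 644 "$d/www/index.html"
    printf 'old\n' > "$d/www/index.html.bak"; chmod 644 "$d/www/index.html.bak" # backup left behind
    printf 'tmp\n' > "$d/www/config.php~";    chmod 666 "$d/www/config.php~"    # editor leftover, writable
    printf 'x\n'   > "$d/www/.htaccess";      chmod 644 "$d/www/.htaccess"      # legitimate, excluded
    printf 'x\n'   > "$d/www/.notes";         chmod 644 "$d/www/.notes"         # stray hidden file
    printf 'KEY\n' > "$d/ssl/server.key";     chmod 644 "$d/ssl/server.key"     # key readable by everyone
    printf 'KEY\n' > "$d/ssl/private.key";    chmod 600 "$d/ssl/private.key"    # correctly restricted
    echo "$d"
}

# Number of findings per category, printed as "writable leftovers keys".
audit_counts() {
    d=$(make_demo_tree)
    w=$(writable_files "$d/www" | wc -l)
    l=$(leftover_files "$d/www" | wc -l)
    k=$(exposed_keys "$d/ssl" | wc -l)
    rm -rf "$d"
    echo "$((w)) $((l)) $((k))"
}

audit_counts   # prints: 2 3 1
```

Point the three find functions at the real DocumentRoot and key directory to use them on a server; the constructed tree exists only so the script runs offline.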
  • 23. OTHER APACHE CONFIG
       - Beware of certain RewriteRules (without [PT] the substitution is treated as a filesystem path):
         # INSECURE configuration, don't use!
         RewriteRule ^/old/directory/(.*)$ /$1
         # SECURE - use this
         RewriteRule ^/old/directory/(.*)$ /$1 [PT]
       - Don't use Limit/LimitExcept (conf.d/security)
       - TraceEnable off
  • 24. OTHER APACHE CONFIG
       - ServerSignature Off
       - ServerTokens Prod
       - Remove PHP test scripts (test.php, info.php, i.php, php.info)
       - Disable directory indexing
       - Disable WebDAV
       - Enable the PHP basedir restriction (open_basedir)
       - Install a web application firewall (mod_security)
       - Suhosin PHP
  • 25. SUHOSIN PHP - BASIC
       suhosin.executor.include.max_traversal=4     (../../../../)
       suhosin.executor.disable_emodifier=Off       (exec function)
       suhosin.mail.protect=2                       (protect against spammer attacks)
       suhosin.memory_limit=256M
       suhosin.filter.action=402                    (return code when an error is detected)
       suhosin.upload.max_uploads=100
  • 26. SUHOSIN PHP - BASIC
       suhosin.request.max_array_depth=4096
       suhosin.request.max_array_index_length=2048
       suhosin.request.max_name_length=2048
       suhosin.request.max_value_length=650000
       suhosin.request.max_vars=4096
       suhosin.post.max_array_depth=8048
       suhosin.post.max_array_index_length=1024
       suhosin.post.max_name_length=2048
       suhosin.post.max_totalname_length=8048
       suhosin.post.max_vars=4096
  • 27. OTHER APACHE CONFIG
       - ErrorDocument 404 errors/404.html
       - ErrorDocument 500 errors/500.html
       - ServerAdmin (use an alias mailbox)
       - UserDir disabled root
  • 28. INSTALL PACKAGE
       # dpkg -i hardening-apache_beta-01.deb
       [slide image: Albert Einstein]
  • 29. PROBLEMS
       - UNIQUE USER
       - INSERT DIALOG
       - PORTABILITY TO OTHER DISTROS
  • 30. DOUBTS?
  • 31. SOURCES OF RESEARCH
       - APACHE FOUNDATION: www.apache.org
       - ECCOUNCIL: www.eccouncil.org
       - UTAH HARDENING COURSE: www.utah.com.br
       - IMAGES - ECCOUNCIL: www.eccouncil.org