Transcript

  1. Apache Web Server
  2. How does Apache work? A web browser (e.g. Netscape) sends HTTP or HTTPS requests to a web server (e.g. Apache), which returns the pages.
  3. Why Apache? • Free • Comes packaged with almost every Linux distribution • Most popular web server
  4. Why Apache?
  5. Problems & Risks • Types of web attack – Denial of service
  6. Problems & Risks • Types of web attack (cont.) – Defaced web page
  7. Problems & Risks • Types of web attack (cont.) – Deletion of files
  8. Problems & Risks • Types of web attack (cont.) – Placement of malicious software such as a trojan horse or worm
  9. Problems & Risks • Risks of Apache – From the system administrator: thinks "Apache is the best!!" and ignores hardening – From Apache itself: Apache is not secure out of the box; the apache.org website itself was hacked in May 2000
  10. Problems & Risks
  11. Hardening Apache Step-by-Step 1. Create the Web Server Group/User 2. Download the Appropriate Apache Distribution 3. Apply Latest Web Server Patches 4. Configure/Compile/Install the Apache Distribution 5. Edit the Apache Configuration file - httpd.conf
  12. Hardening Apache Step-by-Step (Cont.) 6. Change Ownership/Permissions on Directories and Files 7. Clean Out Unneeded Files and Directories 8. Update Apache Start Script for Notification 9. Advanced Settings - Miscellaneous Security Enhancements
  13. Step 1: Create the Web Server Group/User 1.1 Create a group for web server content >> webmaster:webmaster 1.2 Create a specific unprivileged user for the web server >> nobody:nobody 1.3 Create a disk quota for the web server user 1.4 Verify the quota 1.5 Lock down the new account (e.g. no usable password and no login shell)
  14. Step 1: Create the Web Server Group/User – access matrix (R = read, W = write, - = no access)
      user                      conf   tools   logs   CGI   Content
      webmaster (>>webmaster)   RW     R       R      RW    RW
      web developer             -      -       -      RW    RW
      web author                -      -       -      R     RW
      Webserver (>>nobody)      -      -       -      R     R
  15. Step 1: Create the Web Server Group/User – process model (diagram): the administrator starts httpd as root; the root parent process only binds the port and forks child httpd processes, and each child runs as the unprivileged user nobody and serves the requests.
  16. Step 2: Download the Appropriate Apache Distribution 2.1 Download the Apache source 2.2 Verify the PGP signature 2.3 Verify the MD5 checksum (the signature is the real check: anyone who can replace the tarball on a mirror can replace the checksum beside it, so the checksum only guards against a corrupted download)
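Step 2.2 and 2.3 as a script, added here as an example and not taken from the presentation. It imports the project's KEYS file into a throwaway keyring, verifies the detached signature, and only then compares the digest, also checking that the digest file names the tarball it sits beside. The file names (httpd-x.y.z.tar.gz, .asc, .sha256/.md5, KEYS) follow the current Apache download layout but are assumptions; the KEYS file must come from the main Apache site, not from a mirror.

```shell
#!/bin/sh
# Added example (not from the presentation): verify a downloaded Apache
# release as in Step 2, signature first, then checksum.
# Assumed layout: httpd-x.y.z.tar.gz, httpd-x.y.z.tar.gz.asc (detached
# PGP signature), httpd-x.y.z.tar.gz.sha256 or .md5, and a KEYS file.

# check_digest <file> <digest-file>
# The digest file has the sha256sum/md5sum layout "<hex>  <name>".
# It must name the file actually downloaded: a digest that names some
# other file proves nothing about this one.
check_digest() {
    file=$1; digest_file=$2
    read -r expected named_file <"$digest_file" || return 2
    named_file=${named_file#\*}        # strip the binary-mode marker "*name"
    if [ "$named_file" != "$(basename "$file")" ]; then
        echo "digest file names '$named_file', not '$(basename "$file")'" >&2
        return 1
    fi
    case ${#expected} in
        64) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        32) actual=$(md5sum "$file" | cut -d' ' -f1) ;;   # legacy .md5, as on the slide
        *)  echo "unrecognised digest in $digest_file" >&2; return 2 ;;
    esac
    [ "$actual" = "$expected" ]
}

# verify_signature <file> <detached-sig.asc> <KEYS>
# The KEYS file is imported into a throwaway keyring so the check cannot
# be satisfied by an unrelated key that happens to be in ~/.gnupg.
verify_signature() {
    keyring=$(mktemp -d) || return 2
    gpg --homedir "$keyring" --batch --quiet --import "$3" 2>/dev/null &&
        gpg --homedir "$keyring" --batch --quiet --verify "$2" "$1" 2>/dev/null
    rc=$?
    rm -rf "$keyring"
    return "$rc"
}

# verify_release <tarball> <sig.asc> <digest-file> <KEYS>
verify_release() {
    verify_signature "$1" "$2" "$4" || { echo "BAD SIGNATURE: $1" >&2; return 1; }
    check_digest "$1" "$3"          || { echo "BAD DIGEST: $1" >&2; return 1; }
    echo "OK: $1"
}

if [ $# -eq 4 ]; then verify_release "$@"; fi
```

Run it as `sh verify.sh httpd-x.y.z.tar.gz httpd-x.y.z.tar.gz.asc httpd-x.y.z.tar.gz.sha256 KEYS`; gpg will warn that the key is not certified by a trusted signature, which is expected for a freshly imported KEYS file and does not change the exit status.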
  17. Step 3: Apply Latest Web Server Patch • Latest patches for Apache: http://www.apache.org/dist/httpd/patches/ • Apply a patch: # cd apache_source_directory # patch -p0 < /tmp/proxy_http1.1_chunking.patch
  18. Step 4: Configure/Compile/Install the Apache Distribution 4.1 Configure the Apache distribution 4.2 Edit the httpd.h file #define SERVER_BASEVENDOR "Apache Group" #define SERVER_BASEPRODUCT "My-Server" #define SERVER_BASEREVISION "4.0" (changing the banner strings only hides the real version from scanners; it does not remove the vulnerabilities that version has, so it is no substitute for Step 3) 4.3 Compile Apache 4.4 Install the software
  19. Step 5: Edit the Apache Configuration file - httpd.conf 5.1 Basic Web Server Settings o ServerType o HostnameLookups on o User & Group (the unprivileged account from Step 1) o Port o ServerAdmin o ServerRoot o ServerName
  20. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.2 Security Related Settings o LogLevel notice o CustomLog ... combined o ErrorLog ...
  21. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) Some error messages in the ErrorLog • File does not exist: a URL that does not exist was requested • File permissions deny server access: a document was requested that the server does not have sufficient privileges to read • Password mismatch: a protected document was requested with an incorrect password • Client denied by server configuration: access to the directory is restricted to certain IP addresses • Malformed header from script: a warning that a CGI script produced output whose headers cannot be interpreted correctly
  22. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.2 Security Related Settings (Cont.) o <Directory> o Options o AllowOverride None o IncludesNoExec o SymLinksIfOwnerMatch o Order and Allow/Deny from (use IP addresses, not hostnames)
  23. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.2 Security Related Settings (Cont.) o ServerSignature Off o ServerTokens ProductOnly o CoreDumpDirectory ... o Error responses: custom 401/403 pages and other status codes, so the default error pages do not reveal server details o LimitExcept (restrict the HTTP methods a client may use)
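The 5.2 settings above are the ones a scanner checks first (server banner, directory listings, .htaccess overrides, CGI and server-side includes in content directories). The script below, added here as an example and not taken from the presentation, reads an httpd.conf on stdin and reports every directive still at a permissive value; both sample stanzas are constructed, and `Prod` is the Apache 2 spelling of the `ProductOnly` value on the slide. It checks values line by line and does not track `<Directory>` context, so read each finding against the section it came from.

```shell
#!/bin/sh
# Added example (not from the presentation): audit an httpd.conf for the
# Step 5.2 settings. Reads the config on stdin, prints one line per
# finding, and returns the number of findings as its exit status.
# Directive names are real Apache syntax; both sample stanzas are constructed.
set -f   # config lines are word-split below; never let the shell glob them

audit_httpd_conf() {
    findings=0
    seen_tokens=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        lc=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')   # directives are case-insensitive
        set -- $lc                                               # $1 directive, $2... arguments
        case "$1" in
            servertokens)
                seen_tokens=1
                case "$2" in
                    prod|productonly) ;;
                    *) echo "ServerTokens $2: use Prod so the banner shows only 'Apache'"; findings=$((findings+1)) ;;
                esac ;;
            serversignature)
                [ "$2" = off ] || { echo "ServerSignature $2: set Off to keep the version out of error pages"; findings=$((findings+1)); } ;;
            allowoverride)
                [ "$2" = none ] || { echo "AllowOverride $2: set None so .htaccess files cannot relax policy"; findings=$((findings+1)); } ;;
            options)
                shift
                for opt in "$@"; do
                    case "$opt" in
                        indexes|+indexes)               echo "Options Indexes: directory listings expose file names"; findings=$((findings+1)) ;;
                        execcgi|+execcgi)               echo "Options ExecCGI: CGI allowed outside ScriptAlias"; findings=$((findings+1)) ;;
                        includes|+includes)             echo "Options Includes: use IncludesNoExec (no #exec in SSI)"; findings=$((findings+1)) ;;
                        followsymlinks|+followsymlinks) echo "Options FollowSymLinks: use SymLinksIfOwnerMatch"; findings=$((findings+1)) ;;
                    esac
                done ;;
        esac
    done
    # An absent ServerTokens means the compiled-in default, Full.
    if [ "$seen_tokens" -eq 0 ]; then
        echo "ServerTokens not set: default is Full"; findings=$((findings+1))
    fi
    return "$findings"
}

# Constructed: a permissive stanza of the kind a stock httpd.conf ships with
WEAK_CONF='ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>'

# Constructed: the same stanza after applying the Step 5.2 settings
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options SymLinksIfOwnerMatch IncludesNoExec
    AllowOverride None
</Directory>'

printf '%s\n' "$WEAK_CONF"     | audit_httpd_conf || echo "weak stanza: $? finding(s)"
printf '%s\n' "$HARDENED_CONF" | audit_httpd_conf && echo "hardened stanza: clean"
```

Against a real installation run `audit_httpd_conf < /path/to/httpd.conf`; the exit status is the finding count, so it drops straight into a cron job or a build check.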
  24. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.3 Access Control – Restrict Access to File or Directory • Host-based authentication (diagram): for each request the server compares the client's IP address / hostname against the allow list and the deny list before authenticating it.
  25. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.3 Access Control – Restrict Access to File or Directory (Cont.) • HTTP Basic authentication (diagram): the client sends the username and password, and the server checks them against the .htpasswd file named by the require configuration. Basic authentication sends the credentials base64-encoded, not encrypted, so it only protects anything when the page is served over SSL (see 9.6).
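Host-based access control is simple in principle, but the `Order` directive trips people up: the same `Allow from` and `Deny from` lines give different answers depending on whether `Order allow,deny` or `Order deny,allow` is in force. The shell function below, added here as an example rather than taken from the slides, evaluates one client IP against allow and deny lists using the Apache 1.3/2.0/2.2 rules; it supports the keyword `all`, full IPv4 addresses and Apache's partial dotted-prefix form such as `10.1`, and deliberately not hostnames, in line with the slide's advice to use IPs. All lists and addresses are constructed. Apache 2.4 replaced these directives with `Require ip`, which has the simpler "any matching Require grants access" semantics.

```shell
#!/bin/sh
# Added example (not from the presentation): evaluate Apache 1.3/2.0/2.2
# host-based access control ("Order", "Allow from", "Deny from") for one
# client IP. Rules may be "all", a full IPv4 address, or a dotted prefix
# such as "10.1" (Apache's partial-address form). All lists and
# addresses below are constructed.

# host_matches <ip> <rule>
host_matches() {
    [ "$2" = all ] && return 0
    case "$1." in "$2."*) return 0 ;; esac    # trailing dot stops "10.1" matching 10.10.x.x
    return 1
}

# in_list <ip> "<rule> <rule> ..."   (an empty list matches nothing)
in_list() {
    for r in $2; do
        host_matches "$1" "$r" && return 0
    done
    return 1
}

# access_decision <order> "<allow rules>" "<deny rules>" <ip>  -> prints allow|deny
#   Order allow,deny: Allow lines first, then Deny; a host must match an Allow,
#                     a host matching both is DENIED, and the default is deny.
#   Order deny,allow: Deny lines first, then Allow; a host matching both is
#                     ALLOWED, and the default is allow.
access_decision() {
    if in_list "$4" "$2"; then allowed=1; else allowed=0; fi
    if in_list "$4" "$3"; then denied=1;  else denied=0;  fi
    case "$1" in
        allow,deny) if [ "$allowed" -eq 1 ] && [ "$denied" -eq 0 ]; then echo allow; else echo deny; fi ;;
        deny,allow) if [ "$denied" -eq 1 ] && [ "$allowed" -eq 0 ]; then echo deny; else echo allow; fi ;;
        *) echo "unknown Order '$1'" >&2; return 2 ;;
    esac
}

# "Only the intranet may reach this directory":
#   Order deny,allow / Deny from all / Allow from 10.1
access_decision deny,allow "10.1" "all" 10.1.2.3      # allow
access_decision deny,allow "10.1" "all" 10.10.2.3     # deny: prefix 10.1 is not 10.10

# The classic mistake: with Order allow,deny, "Allow from all" plus a Deny for
# one host blocks that host, but with Order deny,allow the Allow overrides it.
access_decision allow,deny "all" "192.0.2.7" 192.0.2.7   # deny
access_decision deny,allow "all" "192.0.2.7" 192.0.2.7   # allow
```

Work out the expected answer with the function before committing a stanza to httpd.conf; the last two calls show why "block this one address" must be written with `Order allow,deny`.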
  26. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.4 Common Attack Signatures – mod_rewrite voodoo – Robots
  27. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.5 CGI-bin Mischief – Review CGI files/code – Fake CGIs • Foil vulnerability scanners • Fake PHF (a decoy for the old phf CGI hole that scanners still probe for) – <DirectoryMatch> – <FilesMatch>
  28. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.6 Denial of Service – Timeout 60 – KeepAlive On – KeepAliveTimeout 15 – StartServers 10 – MinSpareServers 10 – MaxSpareServers 20 (shorter timeouts release connections held open by slow or hostile clients; the server-pool settings bound how many processes a burst of requests can create)
  29. Step 5: Edit the Apache Configuration file - httpd.conf (Cont.) 5.7 Buffer Overflows – LimitRequestBody 10240 – LimitRequestFields 40 – LimitRequestFieldSize 100 – LimitRequestLine 500 (these cap what a client may send: a 10 KB body, at most 40 header fields of 100 bytes each, a 500-byte request line; they shrink the attack surface for oversized input but do not fix overflow bugs in the server itself, and such tight values also reject legitimate traffic, since a 10 KB body blocks any larger upload and many browsers send User-Agent or Cookie headers longer than 100 bytes)
  30. Step 6: Change Ownership/Permissions on Directories and Files 6.1 Server Configuration Directories # chown -R root <Conf_Dir> # chgrp -R webmaster <Conf_Dir> # chmod -R 770 <Conf_Dir> 6.2 Document Root Directory # chown -R webmaster <htdocs_Dir> # chgrp -R webmaster <htdocs_Dir> # chmod -R 775 <htdocs_Dir>
  31. Step 6: Change Ownership/Permissions on Directories and Files 6.3 CGI-Bin Directory # chown -R root <Cgi-bin_Dir> # chgrp -R webmaster <Cgi-bin_Dir> # chmod -R 775 <Cgi-bin_Dir> 6.4 Log Files # chown -R root <Logs_Dir> # chgrp -R webmaster <Logs_Dir> # chmod -R 750 <Logs_Dir>
  32. Step 6: Change Ownership/Permissions on Directories and Files 6.5 Bin Directory # chown -R root <Bin_Dir> # chgrp -R webmaster <Bin_Dir> # chmod -R 770 <Bin_Dir> (note that chmod -R applies the same mode to files and directories, so 775 and 770 also mark every file executable; set files and directories separately where the files do not need to execute)
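Step 6 applied as a script, added here as an example and not from the presentation. It keeps the slides' owner, group and directory modes but gives files the same mode without the execute bit except in cgi-bin and bin, where the files must run, and it finishes with the audit a practitioner wants after any permission change: nothing under the tree may be world-writable. The directory names are assumptions; the chown/chgrp lines need root, so they only run when `OWNERSHIP=yes` is set, and the mode and audit parts run unprivileged.

```shell
#!/bin/sh
# Added example (not from the presentation). Step 6 uses "chmod -R 775",
# which sets the execute bit on every file too. This applies the slides'
# ownership and directory modes but sets files separately, then audits
# the tree for anything world-writable. Directory paths are assumptions;
# chown/chgrp to root/webmaster need root and run only with OWNERSHIP=yes.

set_tree_modes() {   # set_tree_modes <dir> <dir-mode> <file-mode>
    find "$1" -type d -exec chmod "$2" {} + &&
    find "$1" -type f -exec chmod "$3" {} +
}

harden_tree() {      # harden_tree <dir> <owner> <group> <dir-mode> <file-mode>
    if [ "${OWNERSHIP:-no}" = yes ]; then
        chown -R "$2" "$1" && chgrp -R "$3" "$1"
    fi
    set_tree_modes "$1" "$4" "$5"
}

# Slides 6.1-6.5: the slides' directory modes; file modes drop x except
# where the files themselves must execute.
harden_apache_layout() {   # harden_apache_layout <conf> <htdocs> <cgi-bin> <logs> <bin>
    harden_tree "$1" root      webmaster 770 660 &&   # 6.1 configuration
    harden_tree "$2" webmaster webmaster 775 664 &&   # 6.2 document root
    harden_tree "$3" root      webmaster 775 775 &&   # 6.3 cgi-bin: scripts need x
    harden_tree "$4" root      webmaster 750 640 &&   # 6.4 logs
    harden_tree "$5" root      webmaster 770 770      # 6.5 bin: binaries need x
}

# Audit: every entry under <dir> (symlinks excluded) that any user can write.
# Anything printed is a place the web server user, or any local user, could
# drop a file that Apache will serve or execute.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

if [ $# -eq 5 ]; then
    harden_apache_layout "$@"
    for d in "$@"; do world_writable "$d"; done   # should print nothing
fi
```

Run `OWNERSHIP=yes sh step6.sh /etc/httpd/conf /var/www/htdocs /var/www/cgi-bin /var/log/httpd /usr/local/apache/bin` as root (paths are examples); `world_writable` on its own is also a useful periodic check, since a web application that creates upload directories tends to undo this step.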
  33. Step 7: Clean Out Unneeded Files and Directories 7.1 Src Directory 7.2 Default HTML Documents
  34. Step 8: Update Apache Start Script for Notification • Lets the system administrator know that the Apache web server has been restarted
  35. Step 9: Advanced Settings - Miscellaneous Security Enhancements 9.1 Worms at war, such as Code Red and Nimda 9.2 Swatch (log watcher) 9.3 Monitor changes in web content 9.4 Secure index pages 9.5 chroot 9.6 Secure Sockets Layer (SSL)
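Slide 6 lists defacement as an attack and 9.3 answers it with monitoring changes in web content. The script below, added here as an example and not from the presentation, records a baseline of SHA-256 digests for every file under the document root and later reports the files that were modified, added or removed; the document root path and the sample files are assumptions. Keep the baseline outside the document root and not writable by the web server user, otherwise whoever can deface the site can also "fix" the baseline.

```shell
#!/bin/sh
# Added example (not from the presentation): detect defaced, added or
# removed files under a document root (slide 9.3) by comparing SHA-256
# digests against a saved baseline. Paths are assumptions.
# Usage:  sh webwatch.sh /var/www/htdocs  > /var/lib/webwatch/baseline
#         sh webwatch.sh /var/www/htdocs /var/lib/webwatch/baseline
# Store the baseline where the web server user cannot write.

# content_manifest <docroot> : one "<sha256>  ./relative/path" line per
# regular file, sorted bytewise so two manifests can be fed to comm.
content_manifest() {
    ( cd "$1" || exit 1
      find . -type f -print | while IFS= read -r f; do sha256sum "$f"; done | LC_ALL=C sort )
}

# content_changes <docroot> <baseline-file> : prints the relative path of
# every file whose digest differs, that is new, or that is missing; prints
# nothing when the tree matches the baseline.
content_changes() {
    cur=$(mktemp) || return 2
    content_manifest "$1" >"$cur"
    # comm -3 keeps lines unique to either manifest. A modified file shows up
    # once per side with different digests; strip comm's tab and the 64-hex
    # digest plus two spaces (columns 1-66) so only paths remain, de-duplicated.
    LC_ALL=C comm -3 "$2" "$cur" | tr -d '\t' | cut -c67- | LC_ALL=C sort -u
    rm -f "$cur"
}

case $# in
    1) content_manifest "$1" ;;
    2) content_changes "$1" "$2" ;;
esac
```

From cron, pipe the output of the two-argument form to the notification used in Step 8; a non-empty report is either a legitimate publish by a web author, which should coincide with a new baseline being taken, or a defacement.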
  36. Bug/ Exploit • CERT® Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability June 17, 2002 • CERT® Advisory CA-2002-27 Apache/mod_ssl Worm September 14, 2002 • Related Link: http://httpd.apache.org/security_report.html
  37. Hardening Dedicated Server & Network Diagram • Download and install the latest versions of the daemons • No user login accounts • All updates are done from the internal network • Audit and penetration-test your server • Carefully check your CGI scripts • Prevent others from running their own CGI scripts • Do not send confidential information etc. back to the user via e-mail
  38. Hardening Dedicated Server & Network Diagram (diagram) Internet – Router – Firewall – DMZ – Intranet; ports shown: 80 (HTTP), 3306 (MySQL)