Securing The Apache Web Server
Matthew Cook
http://escarpment.net/
Agenda
•   Background
•   Web Servers
•   Connections
•   Apache History
•   System Attacks
•   Securing Apache
•   Useful Tools
•   In Summary
•   Further Advice and Guidance
Background
• The Security Service is running a number
  of similar courses in conjunction with
  Professional Development.
• Details are available at:
  http://www.lboro.ac.uk/computing/security/
• By increasing the security of networked
  machines on campus, we hope to reduce
  the number of compromised machines and
  IT Support Staff workload.
Web Servers
• The first operational web servers were
  developed in 1991.
• Graphical browsers helped development.
• Scaling to around 50 servers around the
  world in 1992.
• Netcraft reports 59,100,880 sites in
  February 2005.
Web Servers…
Web Server Platform:

Apache   - 40681140 (68.83%)
IIS      - 12322111 (20.85%)
Sun      - 1835718 (3.11%)
Zeus     - 618599 (1.05%)
Connections
• Usually via a graphical browser
Port:
  – 80 Standard Web Traffic
  – 443 SSL Web Traffic
  – 81, 8080, … Many other ports, 0-65535!
Connections…
• Can connect via telnet:
• telnet <web server> <port>
• GET <document name> <HTTP-version>
• Check the response text:
  HTTP/1.0 Nnn Response text
• Nnn is the three-digit status code and the
  Response text is its human-readable
  description.
Connections…
Response Codes:
200 – Document Follows
301 – Moved Permanently
302 – Moved Temporarily
403 – Forbidden
404 – Not Found
400 – Server Error
Connections…
telnet www.lboro.ac.uk 80
GET /index.html HTTP/1.0 <Return Twice>
HTTP/1.1 200 OK
Date: Wed, 09 Feb 2005 10:04:27 GMT
Server: Apache/1.3.27 (Unix)
Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT
ETag: "1440c8-294c-41ed29fa"
Accept-Ranges: bytes
Content-Length: 10572
Connection: close
Content-Type: text/html
Connections…
Another example:

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Wed, 09 Feb 2005 10:06:33 GMT
Content-Length: 4040
Content-Type: text/html
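The telnet exercise on the preceding slides, done from a script so that the status code and headers can be checked automatically. This is an added example and not part of the original slides: the build_request, parse_response, status_class and probe functions are my own, and the two sample replies are the Apache and IIS responses shown above, embedded as constructed byte strings so the parser can be exercised offline. Note how much the Server header gives away; the later slides on minimising disclosure address that.

```python
"""Speak HTTP/1.0 by hand, as the telnet slides do, and parse what comes back.
Added example; the sample replies are the ones shown on the slides."""
import socket


def build_request(path, host):
    """The two lines typed into telnet; the blank line ends the request.
    Host: is optional in HTTP/1.0 but name-based virtual hosts need it."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw reply into version, status code, reason, header dict and body."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.decode("iso-8859-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        # HTTP/0.9-style server: no status line, the body starts immediately
        return {"version": "HTTP/0.9", "status": None, "reason": "",
                "headers": {}, "body": raw}
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}


def status_class(status):
    """Nnn -> the class its first digit denotes."""
    if status is None:
        return "unknown"
    return {1: "informational", 2: "success", 3: "redirect",
            4: "client error", 5: "server error"}.get(status // 100, "unknown")


def probe(host, port=80, path="/", timeout=5.0):
    """Live version of the telnet exercise; reads until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(path, host))
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed copies of the two replies shown on the slides.
SAMPLE_APACHE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 09 Feb 2005 10:04:27 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix)\r\n"
    b"Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT\r\n"
    b"ETag: \"1440c8-294c-41ed29fa\"\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 10572\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)
SAMPLE_IIS = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 09 Feb 2005 10:06:33 GMT\r\n"
    b"Content-Length: 4040\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_APACHE, SAMPLE_IIS):
        r = parse_response(raw)
        print(r["status"], r["reason"], "->", status_class(r["status"]),
              "| Server:", r["headers"].get("server", "(not disclosed)"))
```

To run it against a real host, call probe("www.example.org") and inspect the returned dictionary; the sample constants only exercise the parser.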
Apache History
• Until 1995 the most popular web server on
  the Internet was the NCSA HTTPd
• Apache 0.6.2 was released in April 1995
• Apache 1.0 was released in December
  1995 and it became the most used.
• Apache 2.0 was released in April 2002
• Apache 2.0 is a complete code base rewrite
Apache Versions
• Apache 1.3.33 is Current
  – No more releases for 1.2 and below
  – Supports: Unix, Linux, Windows, Netware,
    OS/2 and many more
• Apache 2.0.53
  – Supports: Unix, Linux, Windows, Netware
• Download: http://httpd.apache.org/
Apache 1.3 - 2.0 Differences
Core Enhancements:
•   Unix Threading
•   New Build System
•   Multi Protocol Support
•   Non-Unix support
•   Apache API
•   IPv6 Support
•   Filtering
•   Multilanguage Errors
•   Simplified Configuration
•   Windows Unicode Support
•   Regular Expression Library

Module Enhancements:
•   mod_ssl
•   mod_dav
•   mod_deflate
•   mod_auth_ldap
•   mod_auth_digest
•   mod_charset_lite
•   mod_file_cache
•   mod_headers
•   mod_proxy
•   mod_negotiation
•   mod_autoindex
•   mod_include
•   mod_auth_dbm
Apache 1.3 - 2.0 Differences…
Apache 1.3.33
• Actively maintained and ‘leisurely’
  developed to maintain stability
• Releases made to address security
  issues, bug fixes or improvements.
• New features are unlikely to be added to
  1.3; development effort goes into 2.0
• The most important factor in choosing
  between them is module support
System Attacks…
Common Fingerprints:
• Directory Traversal
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
• Unicode Requests
http://host/cgi-bin/lame.cgi?page=ls%20/a
http://host/cgi-bin/lame.cgi?page=../etc/motd%00html
• Redirection Requests
http://host/cgi-bin/lame.cgi?page=echo"733t">../msg.html
http://host/something.php=<b>Hi%20I'm%20Bold!</b>
System Attacks…
Common Fingerprints:
• Server Side Includes
http://host1/something.php=<!%20--#include%20virtual="http://host2/fake-article.html"-->
http://host/something.php=<!%20--#include%20virtual=".htpasswd"-->

• <? Requests
http://host/something.php=<? passthru("id");?>
• ` Requests
http://host/something.cgi=`id`
System Attacks…
Common Fingerprints:
• Overflows
http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
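A defender's use of the fingerprints on the three System Attacks slides: scan Apache "combined" access-log lines for them and tag each hit. This is an added example, not from the slides. The regular expressions, the tag names and the sample log lines (built from the slide URLs) are my own constructions, and the detector generalises slightly beyond the slides by URL-decoding the request twice, so percent-encoded and double-encoded variants of the same requests are caught as well.

```python
"""Tag Apache 'combined' access-log lines with the request fingerprints from the
slides. Added example; the sample log lines below are constructed."""
import re
from urllib.parse import unquote

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"  (the 'combined' LogFormat)
# Apache writes quotes inside %r as \" so each quoted field allows escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)

# Each pattern is tried against the URL-decoded request line; tag order is fixed.
SIGNATURES = [
    ("directory_traversal", re.compile(r"\.\./")),
    ("null_byte", re.compile(r"\x00")),                      # %00 truncation
    ("sensitive_file", re.compile(r"/etc/(?:passwd|shadow|motd)|\.htpasswd", re.I)),
    ("ssi_include", re.compile(r"<!\s*--\s*#\s*(?:include|exec)", re.I)),
    ("php_tag", re.compile(r"<\?")),                         # the '<? Requests' slide
    ("backtick", re.compile(r"`")),                          # the '` Requests' slide
    ("html_injection", re.compile(r"<\s*/?[a-z][a-z0-9]*[^>]*>", re.I)),
    ("overflow", re.compile(r"(.)\1{63,}")),                 # 64+ repeats of one byte
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fingerprints(request_line):
    """Tags whose pattern matches the decoded request line, in SIGNATURES order."""
    decoded = unquote(unquote(request_line))  # second pass catches double-encoding
    return [tag for tag, pat in SIGNATURES if pat.search(decoded)]


def scan(lines):
    """One record per suspicious line; lines that do not parse are tagged 'unparsed'."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            hits.append({"host": None, "request": line, "status": None, "tags": ["unparsed"]})
            continue
        tags = fingerprints(rec["request"])
        if tags:
            hits.append({"host": rec["host"], "request": rec["request"],
                         "status": int(rec["status"]), "tags": tags})
    return hits


def _line(host, request, status, size):
    """Build one constructed combined-format line (constant timestamp)."""
    return f'{host} - - [09/Feb/2005:10:05:01 +0000] "{request}" {status} {size} "-" "-"'


# Constructed sample: one benign request followed by the slide fingerprints.
SAMPLE_LOG = [
    _line("10.0.0.5", "GET /index.html HTTP/1.0", 200, 10572),
    _line("10.0.0.9", "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0", 404, 291),
    _line("10.0.0.9", "GET /cgi-bin/lame.cgi?page=../etc/motd%00html HTTP/1.0", 404, 291),
    _line("10.0.0.9", r'GET /something.php=<!%20--#include%20virtual=\".htpasswd\"--> HTTP/1.0', 404, 291),
    _line("10.0.0.9", "GET /something.cgi=`id` HTTP/1.0", 404, 291),
    _line("10.0.0.9", "GET /cgi-bin/helloworld?type=" + "A" * 120 + " HTTP/1.0", 500, 0),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], hit["status"], ",".join(hit["tags"]), "|", hit["request"][:60])
```

Feed a real access_log with scan(open("/usr/local/apache/logs/access_log")); the line-by-line regex works only for the combined (or common) LogFormat shown later in the deck.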
Securing Apache
• Secure the Operating System
• Offer no network services except HTTP (80/tcp)
  and HTTPS (443/tcp) to the Internet
• Access to and from the Internet controlled by a
  firewall
• Apache web server must be the only service
  running on the machine
• Only necessary Apache modules to be loaded
• Diagnostic web pages and automatic directory
  listings turned off
Securing Apache…
• Minimise the amount of security disclosure
• Run the Apache process under a unique
  UID/GID
• Limit the Apache process by
  chrooting/sandboxing
• Ensure no shell programs are in the
  chroot environment
Securing Apache…
  Notes based on Apache 1.3.33 under
  Fedora Core 3:
• Apache that ships with Fedora is:
  Apache/2.0.52 (Fedora)
• Apache 1.3.33 downloaded from:
  http://httpd.apache.org/download.cgi
• I have used Apache 1.3.33 due to the
  nature of the web content provided.
Securing Apache…
Build Apache with only the modules required:
•   http_core
•   mod_access
•   mod_auth
•   mod_dir
•   mod_log_config
•   mod_mime

Do not install: mod_autoindex and mod_info
Compiled statically, which also removes the need
for mod_so
Securing Apache…
• Create a chroot’d directory structure
  – Usually /chroot/http/<blah>
  – Create /dev/null and other devices
  – Copy binaries required into the structure
  – Copy config files into the structure
  – Start Apache and test if it works in the
    environment
  – Check the logs for problems
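A check for the last two chroot steps (test the environment, then look for problems) and for the earlier rule that no shell programs may live in the jail: walk the chroot tree and report shells or interpreters, executables that are not the web server, symlinks (which can point outside the jail) and a missing /dev/null. This is an added example, not from the slides; the name list, the httpd allow-list and the temporary-directory layout are my own assumptions, and dev/null in the sample tree is a plain-file stand-in because a real device node needs mknod and root.

```python
"""Audit a chroot tree for shells, interpreters, stray executables, symlinks and
a missing /dev/null. Added example; the sample jail is constructed in a temp dir."""
import os
import stat
import tempfile

# Assumed list of program names that should never be inside the jail.
SHELLS_AND_INTERPRETERS = {"sh", "bash", "dash", "ash", "ksh", "csh", "tcsh", "zsh",
                           "perl", "python", "php", "ruby"}


def audit_chroot(root, allowed_executables=("httpd",)):
    """Return sorted (relative path, reason) findings for the jail rooted at root."""
    allowed = set(allowed_executables)
    findings = []
    if not os.path.exists(os.path.join(root, "dev", "null")):
        findings.append(("dev/null", "missing device node"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)                       # lstat: do not follow links
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink (may point outside the jail)"))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                              # device nodes, fifos: not programs
            if name in SHELLS_AND_INTERPRETERS:
                findings.append((rel, "shell or interpreter"))
                continue
            exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
            is_shared_lib = name.endswith(".so") or ".so." in name
            if st.st_mode & exec_bits and not is_shared_lib and name not in allowed:
                findings.append((rel, "unexpected executable"))
    return sorted(findings)


def build_sample_chroot():
    """Create a constructed jail layout under a fresh temp dir and return its path.
    dev/null is a plain file stand-in: a real jail creates it with mknod."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    layout = {                                  # relative path -> executable?
        "bin/sh": True,                         # leftover shell: must be flagged
        "usr/bin/perl": True,                   # interpreter: must be flagged
        "usr/local/apache/bin/httpd": True,     # the one allowed program
        "usr/local/apache/bin/apachectl": True, # not on the allow-list
        "usr/local/apache/conf/httpd.conf": False,
        "lib/libc.so.6": True,                  # shared lib with exec bit: ignored
        "etc/passwd": False,
        "dev/null": False,
    }
    for rel, executable in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")
        os.chmod(path, 0o755 if executable else 0o644)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_chroot()
    for rel, why in audit_chroot(target):
        print(f"{why:40} {rel}")
```

Run it as audit_chroot("/chroot/http") on the real jail; an empty list means nothing on the slide's checklist was found.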
Securing Apache…
• Trim the httpd.conf file to leave only the basics
   – Reduce the number of modules
   – Stop producing server signature
   – Apache processes running under regular user/group
     permissions
   – Only directories/files explicitly in the config file can be
     accessed from the web server
   – Limit access using Access control
   – Limit MIME types supported
   – Apache needs to log more details about the requests
Securing Apache…
• Logging:
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined
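Two checks that tie the "modules required" slide and the "trim httpd.conf" slide together: parse the output of httpd -l against the six-module allow-list, and audit a flattened httpd.conf for the hardening points listed (server signature off, a unique User/Group, no Indexes, no dynamically loaded modules, an access log). This is an added example, not from the slides; the check names, the weak and hardened sample configurations and the httpd -l listing are my own constructions, and the parser deliberately ignores <Directory> scoping, so it flags any Options line that turns Indexes on wherever it appears.

```python
"""Audit a trimmed httpd.conf and an 'httpd -l' module list against the hardening
points in the slides. Added example; sample inputs are constructed."""

# The modules the slides say a minimal static build needs.
REQUIRED_MODULES = {"http_core", "mod_access", "mod_auth", "mod_dir",
                    "mod_log_config", "mod_mime"}


def compiled_modules(httpd_l_output):
    """Names from 'httpd -l' output: one 'name.c' per line under the heading."""
    return {line.strip()[:-2] for line in httpd_l_output.splitlines()
            if line.strip().endswith(".c")}


def unexpected_modules(httpd_l_output, allowed=REQUIRED_MODULES):
    """Compiled-in modules that are not on the allow-list (mod_so included)."""
    return sorted(compiled_modules(httpd_l_output) - set(allowed))


def parse_directives(conf_text):
    """Flatten httpd.conf into (name, args) pairs; <Section> lines and comments
    are skipped, so per-directory context is not tracked."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        pairs.append((name.lower(), args.strip()))
    return pairs


def audit_config(conf_text):
    """Return (check, message) findings; an empty list means every check passed."""
    d = parse_directives(conf_text)
    last = dict(d)                      # for global directives the last one wins
    findings = []
    if last.get("serversignature", "").lower() != "off":
        findings.append(("ServerSignature", "set 'ServerSignature Off' explicitly"))
    if last.get("servertokens", "").lower() not in ("prod", "productonly"):
        findings.append(("ServerTokens", "set 'ServerTokens Prod' so the Server header says only 'Apache'"))
    for who in ("user", "group"):
        value = last.get(who, "").lower()
        if value in ("", "root", "nobody"):          # unset, privileged, or shared
            findings.append((who.capitalize(),
                             f"run under a unique unprivileged {who} (currently {value or 'unset'})"))
    for name, args in d:
        if name == "options" and any(tok.lstrip("+").lower() == "indexes" and not tok.startswith("-")
                                     for tok in args.split()):
            findings.append(("Options", f"automatic directory listing enabled: 'Options {args}'"))
    loaded = [args for name, args in d if name == "loadmodule"]
    if loaded:
        findings.append(("LoadModule", f"{len(loaded)} module(s) loaded dynamically; "
                                       "build the required modules in statically and drop mod_so"))
    if "customlog" not in last:
        findings.append(("CustomLog", "no access log configured; add 'CustomLog ... combined'"))
    return findings


# Constructed 'httpd -l' listing of a default-style build (not from the slides).
SAMPLE_HTTPD_L = """\
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
"""

# Constructed weak configuration: every check below should fire.
WEAK_CONF = r"""
ServerType standalone
ServerRoot "/usr/local/apache"
LoadModule php4_module libexec/libphp4.so
User nobody
Group nobody
ServerTokens Full
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
</Directory>
LogLevel warn
ErrorLog /usr/local/apache/logs/error_log
"""

# Constructed hardened configuration following the slides.
HARDENED_CONF = r"""
ServerType standalone
ServerRoot "/usr/local/apache"
User apache
Group apache
ServerSignature Off
ServerTokens Prod
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined
"""

if __name__ == "__main__":
    print("unexpected modules:", ", ".join(unexpected_modules(SAMPLE_HTTPD_L)))
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_config(conf) or "all checks passed")
```

On a live server pipe the real listing in with audit on subprocess output of /usr/local/apache/bin/httpd -l and read httpd.conf from the chroot; both functions take plain strings.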
Mod_security
• Similar to the URL Scan concept in IIS
• Intercepts HTTP requests
  – Filter on keywords ‘/etc/passwd/’
  – Directory traversal
  – XSS Attacks
  – SQL Injection
  – Require HTTP_User_Agent and HTTP_Host
  – Formmail Spamming
Mod_security…
•   Support for Apache 1.3 and 2.0
•   Support to statically compile module
•   Can convert snort rules to mod_security
•   Full installation documentation

• Download from:
http://www.modsecurity.org/
In Summary
• Between 2003-2005, IIS has had no direct
  vulnerability. (Three concerning extensions)
• Apache 2.0 has had 22, 1.3 has had 12
• Have Microsoft got things right?
• …or have they removed more things from the
  default install?

• The security of the server is only as good as the
  configuration by the administrator.
In Summary…
•   Securely configure the host OS
•   Audit your security settings
•   Remove unnecessary modules
•   Chroot Apache
•   Investigate mod_security
•   Request a Penetration Test from CC
•   Check the logs
•   Subscribe to the security lists
•   Patch and Patch and Patch some more!
Further Advice and Guidance
• http://www.lboro.ac.uk/computing/security/
• http://httpd.apache.org/
• Apache Security, Ivan Ristic, O’Reilly

• Mailing lists:
  – it-security@lists.lboro.ac.uk
  – unix-security@lists.lboro.ac.uk
  – windows-security@lists.lboro.ac.uk
Further Advice and Guidance
• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information
  Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server
Questions and Answers

   http://escarpment.net/

More Related Content

What's hot

CNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password AttacksCNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password AttacksSam Bowne
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server SecurityResellerClub
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securitySecuRing
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesSam Bowne
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorSam Bowne
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 

What's hot (20)

CNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password AttacksCNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password Attacks
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell  - BSides Greenville 2019Powering up on PowerShell  - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Nikto
NiktoNikto
Nikto
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware Behavior
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 

Viewers also liked

Web Packages...Internet Marketing....Hosting
Web Packages...Internet Marketing....Hosting Web Packages...Internet Marketing....Hosting
Web Packages...Internet Marketing....Hosting webhostingguy
 
Configuring Apache Web Server for Single Sign-On with Likewise 5
Configuring Apache Web Server for Single Sign-On with Likewise 5Configuring Apache Web Server for Single Sign-On with Likewise 5
Configuring Apache Web Server for Single Sign-On with Likewise 5webhostingguy
 
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...webhostingguy
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentationwebhostingguy
 
Detecting Typo-squatting Domains Mishari Almishari
Detecting Typo-squatting Domains Mishari AlmishariDetecting Typo-squatting Domains Mishari Almishari
Detecting Typo-squatting Domains Mishari Almishariwebhostingguy
 
Single Domain Name — Hosting with Email
Single Domain Name — Hosting with EmailSingle Domain Name — Hosting with Email
Single Domain Name — Hosting with Emailwebhostingguy
 

Viewers also liked (7)

Apache1.ppt
Apache1.pptApache1.ppt
Apache1.ppt
 
Web Packages...Internet Marketing....Hosting
Web Packages...Internet Marketing....Hosting Web Packages...Internet Marketing....Hosting
Web Packages...Internet Marketing....Hosting
 
Configuring Apache Web Server for Single Sign-On with Likewise 5
Configuring Apache Web Server for Single Sign-On with Likewise 5Configuring Apache Web Server for Single Sign-On with Likewise 5
Configuring Apache Web Server for Single Sign-On with Likewise 5
 
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentation
 
Detecting Typo-squatting Domains Mishari Almishari
Detecting Typo-squatting Domains Mishari AlmishariDetecting Typo-squatting Domains Mishari Almishari
Detecting Typo-squatting Domains Mishari Almishari
 
Single Domain Name — Hosting with Email
Single Domain Name — Hosting with EmailSingle Domain Name — Hosting with Email
Single Domain Name — Hosting with Email
 

Similar to Securing the Apache web server

Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsPositive Hack Days
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
Apache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling UpApache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling UpSander Temme
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentationwebhostingguy
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Realtime traffic analyser
Realtime traffic analyserRealtime traffic analyser
Realtime traffic analyserAlex Moskvin
 
Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)Michael Dobe, Ph.D.
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
06.m3 cms set-upwebserver
06.m3 cms set-upwebserver06.m3 cms set-upwebserver
06.m3 cms set-upwebservertarensi
 
Oracle WebLogic Diagnostics & Perfomance tuning
Oracle WebLogic Diagnostics & Perfomance tuningOracle WebLogic Diagnostics & Perfomance tuning
Oracle WebLogic Diagnostics & Perfomance tuningMichel Schildmeijer
 

Similar to Securing the Apache web server (20)

Vulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing LevelsVulnerabilities on Various Data Processing Levels
Vulnerabilities on Various Data Processing Levels
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Apache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling UpApache Performance Tuning: Scaling Up
Apache Performance Tuning: Scaling Up
 
PowerPoint Presentation
PowerPoint PresentationPowerPoint Presentation
PowerPoint Presentation
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
Intro apache
Intro apacheIntro apache
Intro apache
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
Apache
ApacheApache
Apache
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Realtime traffic analyser
Realtime traffic analyserRealtime traffic analyser
Realtime traffic analyser
 
Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)Apache Street Smarts Presentation (SANS 99)
Apache Street Smarts Presentation (SANS 99)
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
06.m3 cms set-upwebserver
06.m3 cms set-upwebserver06.m3 cms set-upwebserver
06.m3 cms set-upwebserver
 
Oracle WebLogic Diagnostics & Perfomance tuning
Oracle WebLogic Diagnostics & Perfomance tuningOracle WebLogic Diagnostics & Perfomance tuning
Oracle WebLogic Diagnostics & Perfomance tuning
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 

More from webhostingguy

Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test Frameworkwebhostingguy
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guidewebhostingguy
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Load-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serversLoad-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serverswebhostingguy
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidationwebhostingguy
 
Master Service Agreement
Master Service AgreementMaster Service Agreement
Master Service Agreementwebhostingguy
 
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...webhostingguy
 
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...webhostingguy
 
Managing Diverse IT Infrastructure
Managing Diverse IT InfrastructureManaging Diverse IT Infrastructure
Managing Diverse IT Infrastructurewebhostingguy
 
Web design for business.ppt
Web design for business.pptWeb design for business.ppt
Web design for business.pptwebhostingguy
 
IT Power Management Strategy
IT Power Management Strategy IT Power Management Strategy
IT Power Management Strategy webhostingguy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandiserswebhostingguy
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Productswebhostingguy
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mbwebhostingguy
 

More from webhostingguy (20)

File Upload
File UploadFile Upload
File Upload
 
Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test Framework
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guide
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Load-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serversLoad-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web servers
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
 
What is mod_perl?
What is mod_perl?What is mod_perl?
What is mod_perl?
 
What is mod_perl?
What is mod_perl?What is mod_perl?
What is mod_perl?
 
Master Service Agreement
Master Service AgreementMaster Service Agreement
Master Service Agreement
 
Notes8
Notes8Notes8
Notes8
 
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
 
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
 
Managing Diverse IT Infrastructure
Managing Diverse IT InfrastructureManaging Diverse IT Infrastructure
Managing Diverse IT Infrastructure
 
Web design for business.ppt
Web design for business.pptWeb design for business.ppt
Web design for business.ppt
 
IT Power Management Strategy
IT Power Management Strategy IT Power Management Strategy
IT Power Management Strategy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandisers
 
OLUG_xen.ppt
OLUG_xen.pptOLUG_xen.ppt
OLUG_xen.ppt
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Products
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mb
 
Reseller's Guide
Reseller's GuideReseller's Guide
Reseller's Guide
 

Securing the Apache web server

  • 1. Securing The Apache Web Server Matthew Cook http://escarpment.net/
  • 2. Agenda • Background • Web Servers • Connections • Apache History • System Attacks • Securing Apache • Useful Tools • In Summary • Further Advice and Guidance
  • 3. Background • The Security Service is running a number of similar courses in conjunction with Professional Development. • Details are available at: http://www.lboro.ac.uk/computing/security/ • By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and IT Support Staff workload.
  • 4. Web Servers • The first operational web servers were developed in 1991. • Graphical browsers helped development. • Scaling to around 50 around the world in 1992. • Netcraft reports 59,100,880 sites in February 2005.
  • 5. Web Servers… Web Server Platform: Apache - 40681140 (68.83%) IIS - 12322111 (20.85%) Sun - 1835718 (3.11%) Zeus - 618599 (1.05%)
  • 6. Connections • Usually via a graphical browser Port : – 80 Standard Web Traffic – 443 SSL Web Traffic – 81, 8080, … Many other ports, 0-65535!
  • 7. Connections… • Can connect via telnet: • telnet <web server> <port> • GET <document name> <HTTP-version> • Check the response text: HTTP/1.0 Nnn Response text • Nnn is the three digit code and the Response text the human readable version.
  • 8. Connections… Response Codes: 200 – Document Follows 301 – Moved Permanently 302 – Moved Temporarily 403 – Forbidden 404 – Not Found 400 – Server Error
  • 9. Connections… telnet www.lboro.ac.uk 80 GET /index.html HTTP/1.0 <Return Twice> HTTP/1.1 200 OK Date: Wed, 09 Feb 2005 10:04:27 GMT Server: Apache/1.3.27 (Unix) Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT ETag: "1440c8-294c-41ed29fa" Accept-Ranges: bytes Content-Length: 10572 Connection: close Content-Type: text/html
  • 10. Connections… An other example: HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Wed, 09 Feb 2005 10:06:33 GMT Content-Length: 4040 Content-Type: text/html
Apache History
• Until 1995 the most popular web server on the Internet was the NCSA HTTPd
• Apache 0.6.2 was released in April 1995
• Apache 1.0 was released in December 1995 and it became the most used.
• Apache 2.0 was released in April 2002
• Apache 2.0 is a complete code base rewrite

Apache Versions
• Apache 1.3.33 is Current
  – No more releases for 1.2 and below
  – Supports: Unix, Linux, Windows, Netware, OS/2 and many more
• Apache 2.0.53
  – Supports: Unix, Linux, Windows, Netware
• Download: http://httpd.apache.org/

Apache 1.3 - 2.0 Differences
Core Enhancements:
• Unix Threading
• New Build System
• Multi Protocol Support
• Non-Unix support
• Apache API
• IPv6 Support
• Filtering
• Multilanguage Errors
• Simplified Configuration
• Windows Unicode Support
• Regular Expression Library
Module Enhancements:
• mod_ssl
• mod_dav
• mod_deflate
• mod_auth_ldap
• mod_auth_digest
• mod_charset_lite
• mod_file_cache
• mod_headers
• mod_proxy
• mod_negotiation
• mod_autoindex
• mod_include
• mod_auth_dbm

Apache 1.3 - 2.0 Differences…
Apache 1.3.33
• Actively maintained and ‘leisurely’ developed to maintain stability
• Releases made to address security issues, bug fixes or improvements.
• New features are likely not to be added to 1.3 in preference to 2.0
• Most important decision is module based

System Attacks…
Common Fingerprints:
• Directory Traversal
  http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
• Unicode Requests
  http://host/cgi-bin/lame.cgi?page=ls%20/a
  http://host/cgi-bin/lame.cgi?page=../etc/motd%00html
• Redirection Requests
  http://host/cgi-bin/lame.cgi?page=echo"733t">../msg.html
  http://host/something.php=<b>Hi%20I'm%20Bold!</b>

System Attacks…
Common Fingerprints:
• Server Side Includes
  http://host1/something.php=<!%20--#include%20virtual="http://host2/fake-article.html"-->
  http://host/something.php=<!%20--#include%20virtual=".htpasswd"-->
• <? Requests
  http://host/something.php=<? passthru("id");?>
• ` Requests
  http://host/something.cgi=`id`

System Attacks…
Common Fingerprints:
• Overflows
  http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Securing Apache
• Secure the Operating System
• Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet
• Access to and from the Internet controlled by a firewall
• Apache web server must be the only service running on the machine
• Only necessary Apache modules to be loaded
• Diagnostic web pages and automatic directory listings turned off

Securing Apache…
• Minimise the amount of security disclosure
• Run the Apache process under a unique UID/GID
• Limit the Apache process by chrooting/sandboxing
• Ensure no shell programs are in the chroot environment

Securing Apache…
Notes based on Apache 1.3.33 under Fedora Core 3:
• Apache that ships with Fedora is: Apache/2.0.52 (Fedora)
• Apache 1.3.33 downloaded from: http://httpd.apache.org/download.cgi
• I have used Apache 1.3.33 due to the nature of the web content provided.

Securing Apache…
Build Apache with only the modules required:
• http_core
• mod_access
• mod_auth
• mod_dir
• mod_log_config
• mod_mime
Do not install: mod_autoindex and mod_info
Compiled statically, which also removes the need for mod_so

Securing Apache…
• Create a chroot’d directory structure
  – Usually /chroot/http/<blah>
  – Create /dev/null and other devices
  – Copy binaries required into the structure
  – Copy config files into the structure
  – Start Apache and test if it works in the environment
  – Check the logs for problems

Securing Apache…
• Trim the httpd.conf file to leave only the basics
  – Reduce the number of modules
  – Stop producing server signature
  – Apache processes running under regular user/group permissions
  – Only directories/files explicitly in the config file can be accessed from the web server
  – Limit access using Access control
  – Limit MIME types supported
  – Apache needs to log more details about the requests
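A trimmed httpd.conf that applies the points on the last few slides, written here as an added example rather than the configuration used for the course or shipped by the Apache project. It uses the Apache 1.3 directive forms for a statically built server with only the six modules listed above; the paths under /usr/local/apache (relative to the chroot), the `httpd` user and group, and the ServerName are assumptions. The first lines of each section name the weak default, the directives beneath them are the hardened setting.

```apache
# Minimal httpd.conf for a statically built Apache 1.3 (added example;
# paths, user/group and ServerName are assumptions). Apache does not
# allow comments after a directive, so every comment sits on its own line.
ServerType standalone
# ServerRoot is read inside the chroot, so no host path is disclosed
ServerRoot "/usr/local/apache"
PidFile logs/httpd.pid
Listen 80
ServerName www.example.org
UseCanonicalName On
HostnameLookups Off
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100

# Worker processes drop from root to a dedicated, unprivileged account
User httpd
Group httpd

# Weak default: ServerTokens Full and ServerSignature On put the exact
# version, platform and module list in the Server header and on error pages.
ServerTokens Prod
ServerSignature Off

# Nothing on the filesystem is reachable unless a later block opens it:
# no directory listings, no symlink following, no CGI, no .htaccess overrides
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# The only tree the web server may serve
DocumentRoot "/usr/local/apache/htdocs"
<Directory "/usr/local/apache/htdocs">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
DirectoryIndex index.html

# Never serve the access-control files themselves, wherever they are
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Limit MIME types: start from an empty table instead of conf/mime.types
# and add back only what the site uses. Everything else is sent as plain
# text, so a stray script is displayed rather than executed by a browser.
TypesConfig /dev/null
DefaultType text/plain
AddType text/html .html .htm
AddType text/css .css
AddType image/gif .gif
AddType image/jpeg .jpg .jpeg
AddType image/png .png

# Logging as on the logging slide: warnings and above, combined request log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog logs/error_log
CustomLog logs/access_log combined
```

Check the result with `httpd -t` before starting the server, and confirm with the telnet test from the Connections slides that the Server header now reads only `Apache` and that a request for a directory without index.html returns 403 rather than a listing.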
Securing Apache…
• Logging:
  LogLevel warn
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  ErrorLog /usr/local/apache/logs/error_log
  CustomLog /usr/local/apache/logs/access_log combined
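With requests logged in the combined format above, the fingerprints from the System Attacks slides (directory traversal, %00 null bytes, server side includes, `<?` and backtick requests, injected HTML tags and overflow-length parameters) leave recognisable lines in access_log. The following Python script is an added example, not part of the slides: it parses combined-format lines, URL-decodes the request target and reports which fingerprints each line matches. The sample log lines are constructed from the URLs on the slides; the 256-character parameter limit and the 100-repeat run used for the overflow check are assumed thresholds.

```python
"""Scan Apache combined-format access_log lines for the request fingerprints
listed on the System Attacks slides (added example; thresholds are assumed)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# One combined-format line: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" escapes, which Apache writes for embedded quotes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Patterns run against the URL-decoded target, so %2e%2e/ and %00 are caught
# as well as their literal forms.
CHECKS = [
    ("traversal",      re.compile(r"\.\.[/\\]")),
    ("null-byte",      re.compile("\x00")),
    ("ssi-include",    re.compile(r"<!\s*--\s*#\s*(?:include|exec)", re.I)),
    ("php-tag",        re.compile(r"<\?")),
    ("backtick",       re.compile(r"`")),
    ("html-tag",       re.compile(r"<\s*/?[A-Za-z][^>]*>")),
    ("shell-redirect", re.compile(r"\becho\b[^&]*>")),
]
MAX_CHUNK_LEN = 256                      # assumed limit for one query parameter
LONG_RUN_RE = re.compile(r"(.)\1{99,}")  # 100 or more repeats of one character

# Constructed sample log, built from the request URLs shown on the slides.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [09/Feb/2005:10:04:27 +0000] "GET /index.html HTTP/1.0" 200 10572 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [09/Feb/2005:10:05:01 +0000] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.9 - - [09/Feb/2005:10:05:02 +0000] "GET /cgi-bin/lame.cgi?page=../etc/motd%00html HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.9 - - [09/Feb/2005:10:05:03 +0000] "GET /something.php=<!%20--#include%20virtual=\\".htpasswd\\"--> HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.9 - - [09/Feb/2005:10:05:04 +0000] "GET /something.cgi=`id` HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.9 - - [09/Feb/2005:10:05:05 +0000] "GET /cgi-bin/helloworld?type=' + "A" * 300 + ' HTTP/1.0" 500 0 "-" "-"',
    '10.0.0.12 - - [09/Feb/2005:10:06:00 +0000] "GET /something.php=<b>Hi%20I\'m%20Bold!</b> HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def fingerprint(target: str) -> List[str]:
    """Names of the fingerprints found in one request target (path + query)."""
    decoded = unquote(target)
    findings = [name for name, rx in CHECKS if rx.search(decoded)]
    # Overflow check: any path or parameter chunk that is far longer than a
    # legitimate value, or one long run of a single character.
    for chunk in re.split(r"[?&]", decoded):
        if len(chunk) > MAX_CHUNK_LEN or LONG_RUN_RE.search(chunk):
            findings.append("overflow")
            break
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per line that matched a fingerprint or failed to parse."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = parse_combined(line)
        if entry is None:
            hits.append({"host": "?", "target": line, "findings": ["unparsable-line"]})
            continue
        parts = entry["request"].split(" ")
        if len(parts) < 2:
            hits.append({"host": entry["host"], "target": entry["request"],
                         "findings": ["malformed-request"]})
            continue
        findings = fingerprint(parts[1])
        if findings:
            hits.append({"host": entry["host"], "status": entry["status"],
                         "target": parts[1], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(hit["host"], ",".join(hit["findings"]), hit["target"][:60])
```

To run it over a real log, replace `SAMPLE_LOG_LINES` with `open("/usr/local/apache/logs/access_log")`; lines that do not parse are reported rather than silently skipped, since a request that breaks the log format is itself worth a look.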
Mod_security
• Similar to the URL Scan concept in IIS
• Intercepts HTTP requests
  – Filter on keywords ‘/etc/passwd/’
  – Directory traversal
  – XSS Attacks
  – SQL Injection
  – Require HTTP_User_Agent and HTTP_Host
  – Formmail Spamming

Mod_security…
• Support for Apache 1.3 and 2.0
• Support to statically compile module
• Can convert snort rules to mod_security
• Full installation documentation
• Download from: http://www.modsecurity.org/
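The filters listed on the Mod_security slide, written out as an added example in the mod_security 1.x directive syntax that was current alongside Apache 1.3; this is not configuration from the slides or from the mod_security documentation, and the audit log path is an assumption. Each rule blocks and logs the request when it matches, so the rejected requests appear both in the audit log and as 403 responses in access_log.

```apache
<IfModule mod_security.c>
    # Turn the request filter on and scan POST bodies as well as the URI
    SecFilterEngine On
    SecFilterScanPOST On
    # Reject broken URL encoding and raw control bytes in the request
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 32 126
    # What happens when a filter matches: refuse with 403 and log it
    SecFilterDefaultAction "deny,log,status:403"
    # Directory traversal and the keyword from the slide
    SecFilter "\.\./"
    SecFilter /etc/passwd
    # Cross-site scripting: a script tag anywhere in the request
    SecFilter "<( |\n)*script"
    # SQL injection keywords
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    # Scripted clients and form-mail spam bots usually omit these headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    # Audit only the requests the filters rejected
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
</IfModule>
```

Because mod_security is an extra module on a server otherwise built with only six, the slide's advice to compile it statically applies here too; the `<IfModule>` wrapper keeps the configuration loadable on a build without it.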
In Summary
• Between 2003-2005, IIS has had no direct vulnerability. (Three concerning extensions)
• Apache 2.0 has had 22, 1.3 has had 12
• Have Microsoft got things right?
• …or have they removed more things from the default install?
• The security of the server is only as good as the configuration by the administrator.

In Summary…
• Securely configure the host OS
• Audit your security settings
• Remove unnecessary modules
• Chroot Apache
• Investigate mod_security
• Request a Penetration Test from CC
• Check the logs
• Subscribe to the security lists
• Patch and Patch and Patch some more!

Further Advice and Guidance
• http://www.lboro.ac.uk/computing/security/
• http://httpd.apache.org/
• Apache Security, Ivan Ristic, O’Reilly
• Mailing lists:
  – it-security@lists.lboro.ac.uk
  – unix-security@lists.lboro.ac.uk
  – windows-security@lists.lboro.ac.uk

Further Advice and Guidance
• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server

Questions and Answers
http://escarpment.net/