Securing the Apache web server


  1. Securing The Apache Web Server
     Matthew Cook, http://escarpment.net/
  2. Agenda
     • Background
     • Web Servers
     • Connections
     • Apache History
     • System Attacks
     • Securing Apache
     • Useful Tools
     • In Summary
     • Further Advice and Guidance
  3. Background
     • The Security Service is running a number of similar courses in conjunction with Professional Development.
     • Details are available at: http://www.lboro.ac.uk/computing/security/
     • By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and the IT Support Staff workload.
  4. Web Servers
     • The first operational web servers were developed in 1991.
     • Graphical browsers helped development.
     • Scaling to around 50 around the world in 1992.
     • Netcraft reports 59,100,880 sites in February 2005.
  5. Web Servers…
     Web Server Platform:
     • Apache – 40681140 (68.83%)
     • IIS – 12322111 (20.85%)
     • Sun – 1835718 (3.11%)
     • Zeus – 618599 (1.05%)
  6. Connections
     • Usually via a graphical browser
     • Port:
       – 80: standard web traffic
       – 443: SSL web traffic
       – 81, 8080, …: many other ports, 0-65535!
  7. Connections…
     • Can connect via telnet:
       telnet <web server> <port>
       GET <document name> <HTTP-version>
     • Check the response text:
       HTTP/1.0 Nnn Response text
     • Nnn is the three-digit code and "Response text" the human-readable version.
  8. Connections…
     Response Codes:
     • 200 – Document Follows
     • 301 – Moved Permanently
     • 302 – Moved Temporarily
     • 403 – Forbidden
     • 404 – Not Found
     • 400 – Server Error
  9. Connections…
     telnet www.lboro.ac.uk 80
     GET /index.html HTTP/1.0
     <Return Twice>

     HTTP/1.1 200 OK
     Date: Wed, 09 Feb 2005 10:04:27 GMT
     Server: Apache/1.3.27 (Unix)
     Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT
     ETag: "1440c8-294c-41ed29fa"
     Accept-Ranges: bytes
     Content-Length: 10572
     Connection: close
     Content-Type: text/html
  10. Connections…
     Another example:
     HTTP/1.1 404 Object Not Found
     Server: Microsoft-IIS/5.0
     Date: Wed, 09 Feb 2005 10:06:33 GMT
     Content-Length: 4040
     Content-Type: text/html
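As an added example (not part of the deck), the following Python script does what slides 7 to 10 do by hand with telnet: it sends a raw HTTP/1.0 GET, parses the status line and headers, and reports what the Server header discloses, which is the disclosure slide 19 asks you to minimise on your own servers. The two embedded responses are constructed from the captures on the slides, and the function names are my own.

```python
"""Raw HTTP check, as on the telnet slides: send GET, read the status line
and headers, and report what the Server header discloses.

Added example, not the deck's own code.  The two sample responses below are
constructed from the captures on the slides (bodies omitted)."""

import re
import socket

# Constructed sample: the Apache response shown on slide 9.
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 09 Feb 2005 10:04:27 GMT\r\n"
    "Server: Apache/1.3.27 (Unix)\r\n"
    "Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT\r\n"
    'ETag: "1440c8-294c-41ed29fa"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 10572\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the IIS response shown on slide 10.
IIS_RESPONSE = (
    "HTTP/1.1 404 Object Not Found\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Wed, 09 Feb 2005 10:06:33 GMT\r\n"
    "Content-Length: 4040\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

STATUS_LINE = re.compile(r"^HTTP/(\d\.\d) (\d{3}) ?(.*)$")


def raw_get(host, port=80, path="/", timeout=5.0):
    """Do what the slides do with telnet: send an HTTP/1.0 GET and return
    the raw response text (headers and body) for parse_response()."""
    request = "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_response(raw):
    """Split a raw response into (version, code, reason, headers).

    Headers come back as a dict keyed by lowercased field name; the body
    after the blank line is ignored since only the headers are checked."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), int(m.group(2)), m.group(3), headers


def server_disclosure(raw):
    """Return (product, version) announced by the Server header, or None if
    the header is absent.  Slide 19's 'minimise security disclosure' means a
    hardened server should yield None, or a product name with version None."""
    headers = parse_response(raw)[3]
    banner = headers.get("server")
    if banner is None:
        return None
    product, _, rest = banner.partition("/")
    version = rest.split()[0] if rest.strip() else None
    return product, version


if __name__ == "__main__":
    for raw in (APACHE_RESPONSE, IIS_RESPONSE):
        version, code, reason, _ = parse_response(raw)
        print("HTTP/%s %d %s -> Server: %s" % (version, code, reason, server_disclosure(raw)))
```

Run it against your own server with `parse_response(raw_get("www.example.org", 80, "/index.html"))`; the output you can paste from a telnet session works just as well, which is why parsing is kept separate from the socket code.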
  11. Apache History
     • Until 1995 the most popular web server on the Internet was the NCSA HTTPd
     • Apache 0.6.2 was released in April 1995
     • Apache 1.0 was released in December 1995 and it became the most used
     • Apache 2.0 was released in April 2002
     • Apache 2.0 is a complete code base rewrite
  12. Apache Versions
     • Apache 1.3.33 is current
       – No more releases for 1.2 and below
       – Supports: Unix, Linux, Windows, Netware, OS/2 and many more
     • Apache 2.0.53
       – Supports: Unix, Linux, Windows, Netware
     • Download: http://httpd.apache.org/
  13. Apache 1.3 - 2.0 Differences
     Core Enhancements:
     • Unix Threading
     • New Build System
     • Multi Protocol Support
     • Non-Unix support
     • Apache API
     • IPv6 Support
     • Filtering
     • Multilanguage Errors
     • Simplified Configuration
     • Windows Unicode Support
     • Regular Expression Library
     Module Enhancements:
     • mod_ssl
     • mod_dav
     • mod_deflate
     • mod_auth_ldap
     • mod_auth_digest
     • mod_charset_lite
     • mod_file_cache
     • mod_headers
     • mod_proxy
     • mod_negotiation
     • mod_autoindex
     • mod_include
     • mod_auth_dbm
  14. Apache 1.3 - 2.0 Differences…
     Apache 1.3.33
     • Actively maintained and 'leisurely' developed to maintain stability
     • Releases made to address security issues, bug fixes or improvements
     • New features are unlikely to be added to 1.3; they go into 2.0 instead
     • The most important decision is module based
  15. System Attacks…
     Common Fingerprints:
     • Directory Traversal
       http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
     • Unicode Requests
       http://host/cgi-bin/lame.cgi?page=ls%20/a
       http://host/cgi-bin/lame.cgi?page=../etc/motd%00html
     • Redirection Requests
       http://host/cgi-bin/lame.cgi?page=echo"733t">../msg.html
       http://host/something.php=<b>Hi%20I'm%20Bold!</b>
  16. System Attacks…
     Common Fingerprints:
     • Server Side Includes
       http://host1/something.php=<!%20--#include%20virtual="http://host2/fake-article.html"-->
       http://host/something.php=<!%20--#include%20virtual=".htpasswd"-->
     • <? Requests
       http://host/something.php=<? passthru("id");?>
     • ` Requests
       http://host/something.cgi=`id`
  17. System Attacks…
     Common Fingerprints:
     • Overflows
       http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  18. Securing Apache
     • Secure the operating system
     • Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet
     • Access to and from the Internet controlled by a firewall
     • Apache web server must be the only service running on the machine
     • Only necessary Apache modules to be loaded
     • Diagnostic web pages and automatic directory listings turned off
  19. Securing Apache…
     • Minimise the amount of security disclosure
     • Run the Apache process under a unique UID/GID
     • Limit the Apache process by chrooting/sandboxing
     • Ensure no shell programs are in the chroot environment
  20. Securing Apache…
     Notes based on Apache 1.3.33 under Fedora Core 3:
     • The Apache that ships with Fedora is Apache/2.0.52 (Fedora)
     • Apache 1.3.33 downloaded from: http://httpd.apache.org/download.cgi
     • I have used Apache 1.3.33 due to the nature of the web content provided.
  21. Securing Apache…
     Build Apache with only the modules required:
     • http_core
     • mod_access
     • mod_auth
     • mod_dir
     • mod_log_config
     • mod_mime
     Do not install mod_autoindex and mod_info.
     Compiled statically, which also removes the need for mod_so.
  22. Securing Apache…
     • Create a chroot'd directory structure
       – Usually /chroot/http/<blah>
       – Create /dev/null and other devices
       – Copy the required binaries into the structure
       – Copy the config files into the structure
       – Start Apache and test whether it works in the environment
       – Check the logs for problems
  23. Securing Apache…
     • Trim the httpd.conf file to leave only the basics
       – Reduce the number of modules
       – Stop producing the server signature
       – Apache processes running under regular user/group permissions
       – Only directories/files explicitly in the config file can be accessed from the web server
       – Limit access using access control
       – Limit the MIME types supported
       – Apache needs to log more details about the requests
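The trimming checklist on slides 18 to 23 is easy to state and easy to let drift, so here is an added example (my own code, not the deck's) that audits an httpd.conf against it: unprivileged User/Group, ServerSignature and ServerTokens turned down, no modules beyond the list on slide 21, a deny-by-default `<Directory />`, and no `Options Indexes`. The directive names are real Apache directives; the two sample configs and the `*_module` identifiers in the allow-list are constructed.

```python
"""Audit an httpd.conf against the 'Trim the httpd.conf' slides.

Added example, not the deck's own code.  Directive names are real Apache
directives; the two sample configs and the module identifiers are constructed."""

import re

# Constructed sample 1: a config that still carries the defaults the slides remove.
LOOSE_CONF = """
User nobody
Group nobody
ServerSignature On
ServerTokens Full
LoadModule autoindex_module libexec/mod_autoindex.so
LoadModule info_module libexec/mod_info.so
LoadModule access_module libexec/mod_access.so
<Directory />
    Options Indexes FollowSymLinks
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
"""

# Constructed sample 2: the same server trimmed as the slides describe
# (modules compiled in statically, so there is no LoadModule at all).
TRIMMED_CONF = """
User www
Group www
ServerSignature Off
ServerTokens Prod
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
"""

# LoadModule identifiers for the modules slide 21 keeps (assumed names).
ALLOWED_MODULES = {"access_module", "auth_module", "dir_module",
                   "log_config_module", "mime_module"}

DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)


def parse_conf(text):
    """Return (top-level directives, {directory path: directives}); each
    directive is a (name, argument string) pair and comments are skipped."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTORY_OPEN.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        name, _, arg = line.partition(" ")
        (sections[current] if current else top).append((name, arg.strip()))
    return top, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_conf(text)
    findings, values = [], {}
    for name, arg in top:
        values.setdefault(name.lower(), []).append(arg)
    # Run the httpd processes under a dedicated unprivileged user and group.
    for key in ("user", "group"):
        if values.get(key, [""])[0] in ("", "root"):
            findings.append("%s: set a dedicated unprivileged %s" % (key.capitalize(), key))
    # Stop producing the server signature and version details.
    if values.get("serversignature", ["On"])[0].lower() != "off":
        findings.append("ServerSignature should be Off")
    if values.get("servertokens", ["Full"])[0].lower() not in ("prod", "productonly"):
        findings.append("ServerTokens should be Prod")
    # Only the modules the slides list may be loaded.
    for arg in values.get("loadmodule", []):
        module = arg.split()[0]
        if module not in ALLOWED_MODULES:
            findings.append("unnecessary module loaded: %s" % module)
    # Deny everything by default so only explicitly configured paths are served.
    root = dict((n.lower(), a) for n, a in sections.get("/", []))
    if root.get("deny", "").lower() != "from all":
        findings.append("<Directory />: add 'Deny from all' so only configured paths are served")
    # Automatic directory listings off everywhere.
    for path, directives in sections.items():
        for name, arg in directives:
            tokens = arg.lower().split()
            if name.lower() == "options" and ("indexes" in tokens or "+indexes" in tokens):
                findings.append("<Directory %s>: Options Indexes enables directory listings" % path)
    return findings


if __name__ == "__main__":
    for label, conf in (("loose", LOOSE_CONF), ("trimmed", TRIMMED_CONF)):
        print("%s config: %s" % (label, audit(conf) or "no findings"))
```

The parser deliberately handles only what the audit needs (top-level directives and `<Directory>` blocks); `Include`d files and other containers are not followed, so run it on the fully expanded configuration or extend `parse_conf` before relying on it.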
  24. Securing Apache…
     • Logging:
       LogLevel warn
       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
       LogFormat "%h %l %u %t \"%r\" %>s %b" common
       LogFormat "%{Referer}i -> %U" referer
       LogFormat "%{User-agent}i" agent
       ErrorLog /usr/local/apache/logs/error_log
       CustomLog /usr/local/apache/logs/access_log combined
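Logging in the `combined` format above only pays off if someone reads the log, so as an added example (my own code, not the deck's) here is a scanner that parses `combined` lines and tags the request fingerprints from slides 15 to 17, plus the missing User-Agent check mod_security enforces on slide 25. The sample log lines are constructed, using 192.0.2.0/24 documentation addresses as clients; the pattern names and the 256-byte threshold for the overflow check are my own choices.

```python
"""Scan a 'combined'-format access_log for the request fingerprints shown on
the System Attacks slides.  Added example, not part of the deck; the log
lines are constructed, with 192.0.2.0/24 documentation addresses as clients."""

import re
from urllib.parse import unquote

_TS = "[09/Feb/2005:10:04:27 +0000]"

# Constructed sample log; the request lines mirror the slides' fingerprints.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - {_TS} "GET /index.html HTTP/1.0" 200 10572 "-" "Mozilla/4.0"',
    f'192.0.2.11 - - {_TS} "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 404 312 "-" "Mozilla/4.0"',
    f'192.0.2.12 - - {_TS} "GET /cgi-bin/lame.cgi?page=../etc/motd%00html HTTP/1.0" 404 312 "-" "-"',
    f'192.0.2.13 - - {_TS} "GET /something.php=%3C?%20passthru(%22id%22);?%3E HTTP/1.0" 404 312 "-" "curl/7.10"',
    f'192.0.2.14 - - {_TS} "GET /something.cgi=%60id%60 HTTP/1.0" 404 312 "-" "-"',
    f'192.0.2.15 - - {_TS} "GET /cgi-bin/helloworld?type={"A" * 300} HTTP/1.0" 404 312 "-" "-"',
    f'192.0.2.16 - - {_TS} "GET /news/article.html HTTP/1.0" 200 4040 "http://www.example.org/" "Mozilla/5.0"',
])

# One line of the "combined" LogFormat from the slide above.
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Fingerprints from slides 15-17, matched against the URL-decoded request target.
FINGERPRINTS = [
    ("directory traversal", re.compile(r"\.\./")),
    ("null byte", re.compile("\x00")),
    ("server side include", re.compile(r"<!\s*--\s*#include", re.I)),
    ("php code tag", re.compile(r"<\?")),
    ("shell backtick", re.compile("`")),
    ("html injection", re.compile(r"</?[a-z][a-z0-9]*[^>]*>", re.I)),
    ("overflow (long parameter)", re.compile(r"=[^&=]{256,}")),  # threshold is an assumption
]


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the fingerprint names that match a request target.  The target
    is URL-decoded first so %2e%2e%2f and %00 are seen as what the CGI sees."""
    decoded = unquote(target)
    return [name for name, rx in FINGERPRINTS if rx.search(decoded)]


def scan(log_text):
    """Return [(client, target, tags)] for every line that matches something.
    Lines that do not parse are skipped; a real deployment should count them."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        tags = classify(rec["target"])
        if rec["agent"] == "-":          # slide 25: require HTTP_User_Agent
            tags.append("no user-agent")
        if tags:
            hits.append((rec["host"], rec["target"], tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan(SAMPLE_LOG):
        print("%-12s %-40.40s %s" % (client, target, ", ".join(tags)))
```

To use it on a live server, feed `scan()` the contents of the `access_log` configured above; the `referer` and `agent` groups are only present because the `combined` format is in use, so the regex must be adjusted if `CustomLog` is switched to `common`.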
  25. Mod_security
     • Similar to the URLScan concept in IIS
     • Intercepts HTTP requests
       – Filter on keywords ('/etc/passwd/')
       – Directory traversal
       – XSS attacks
       – SQL injection
       – Require HTTP_User_Agent and HTTP_Host
       – Formmail spamming
  26. Mod_security…
     • Support for Apache 1.3 and 2.0
     • Support to statically compile the module
     • Can convert Snort rules to mod_security rules
     • Full installation documentation
     • Download from: http://www.modsecurity.org/
  27. In Summary
     • Between 2003 and 2005, IIS has had no direct vulnerability (three concerning extensions)
     • Apache 2.0 has had 22, 1.3 has had 12
     • Have Microsoft got things right?
     • …or have they removed more things from the default install?
     • The security of the server is only as good as the configuration by the administrator.
  28. In Summary…
     • Securely configure the host OS
     • Audit your security settings
     • Remove unnecessary modules
     • Chroot Apache
     • Investigate mod_security
     • Request a penetration test from CC
     • Check the logs
     • Subscribe to the security lists
     • Patch, and patch, and patch some more!
  29. Further Advice and Guidance
     • http://www.lboro.ac.uk/computing/security/
     • http://httpd.apache.org/
     • Apache Security, Ivan Ristic, O'Reilly
     • Mailing lists:
       – it-security@lists.lboro.ac.uk
       – unix-security@lists.lboro.ac.uk
       – windows-security@lists.lboro.ac.uk
  30. Further Advice and Guidance
     • Introduction to I.T. Security
     • Securing Microsoft Windows 2000 Server
     • Securing Microsoft Windows 2003 Server
     • Securing Microsoft Internet Information Server (I.I.S.) 5 and 6
     • Securing Fedora Linux
     • Securing RedHat Enterprise Server
     • Securing The Apache Web Server
  31. Questions and Answers
     http://escarpment.net/
