Utah Networxs Consultoria e Treinamento, profile picture
Uploaded byUtah Networxs Consultoria e Treinamento
2,627 views

HARDENING IN APACHE WEB SERVER

The document discusses threat mapping, risk mitigation, and corrective activities for web servers, focusing on hardening techniques and tools to protect against various types of attacks. It highlights the importance of proper server configurations and provides detailed practices for securing Apache servers, including permissions, vulnerabilities, and the use of security tools. Additionally, it outlines an educational background and experience of the author, Fabio Pires, in Linux and web server consulting in Brazil.

Embed presentation

Downloaded 81 times
“Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
SOCIAL MEDIA Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
TARGET “PRESENT ONE AMONG SEVERAL SOLUTION FOR BUILDING WEB SERVER" hardening "THROUGH THE USE OF TOOLS FREE TO MINIMIZE IMPACTS OF ATTACKS."
VULNERABILITY STACK
WEBSERVER MARKET SHARES
OPEN SOURCE WEB SERVER ARCHITECTURE
VULNERABILITY WEB APPLICATIONS
WHY WEB SERVER ARE COMPROMISED?
TOOLS HTTP PRINT – BANNER WEB SERVER NIKTO - VULNERABILITIES NESSUS – VULNERABILITIES W3AF - AUDITY E EXPLORATION NMAP – SCAN PORT
MITIGATING RISKS DoS Attack DDoS Attack Brutal Force (ssh, telnet) Port Scanning Attack Ping Flooding Attack Elevation of Privilege Man in the Middle Attack Directory Transversal Password Cracking (Spoofing, Phising, Trojar Horse)
DEPLOYING CORRETION What’s Hardening ? Is a process of mapping of threats, risk mitigation and implementation of corrective activities, focusing on infrastructure and primary goal to make it ready to face attempts to attack.
PRATICE IN WEB SERVER APACHE Where you search packages ? - Packages Repository - Md5SUM Verified - Security Update - Pré-Compiled Package or Source Package
PRATICE IN WEB SERVER APACHE #CHROOT JAIL
CHROOT ARCHITETURE APACHE / bin boot chroot dev dev etc etc home lib lib mnt opt usr proc root var sbin tmp usr var
DISABLE UNUSED MODULES  suexec  userdir  cgi / cgid  autoindex
RESTRICT RESOURCES Number Of Process: With RES=7000k, SHR=2500k and 400M available for Apache, the result is: 400/(7-2.5) = 89. RES=Resident
MITIGATE MEMORY LEAKS MaxRequestsPerChild 10000
RESTRICT INCOMMING CONNECTIONS # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
FILE PERMISSIONS # find /srv/www -user utahuser # find /srv/www ! -type l ( -perm /o=w -o -perm /g=w -group utahgroup )
SEARCH FILES AND SSL * Search hidden files # find /var/www -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*‘ * SSL key files * Make sure your SSL keys are only readable by the root user.
OTHER APACHE CONFIG * Bewarec of certain RewriteRules # INSECURE configuration, don't use! RewriteRule ^/old/directory/(.*)$ /$1 Use this # SECURE - Use RewriteRule ^/old/directory/(.*)$ /$1 [PT] * Don't use Limit/LimitExcept (conf.d/security) TraceEnable off
OTHER APACHE CONFIG * ServerSignature Off * ServerTokens Prod * Remove PHP scripts (test.php, info.php, i.php, php.info) * Disable directory indexing * Disable WebDAV * Enable PHP basedir * Install a Web Firewall (mod_security) l * Suhosin PHP
SUHOSIN PHP - BASIC suhosin.executor.include.max_traversal =4 (../../../../) suhosin.executor.disable_emodifier=Off (exec function) suhosin.mail.protect=2 (protect spammers attack) suhosin.memory_limit=256M suhosin.filter.action=402 (return code detect error) suhosin.upload.max_uploads=100
SUHOSIN PHP - BASIC suhosin.request.max_array_depth=4096 suhosin.request.max_array_index_length=2048 suhosin.request.max_name_length=2048 suhosin.request.max_value_length=650000 suhosin.request.max_vars=4096 suhosin.post.max_array_depth=8048 suhosin.post.max_array_index_length=1024 suhosin.post.max_name_length=2048 suhosin.post.max_totalname_length=8048 suhosin.post.max_vars=4096
OTHER APACHE CONFIG * ErrorDocument 404 errors/404.html * ErrorDocument 500 errors/500.html * ServerAdmin (Use Alias Mail) * UserDir disabled root
INSTALL PACKAGE # dpkg -i hardening-apache_beta-01.deb Albert Einstein
PROBLEMS l UNIQUE USER l INSERT DIALOG l PORTABLE OTHER DISTROS
DOBTS ?
SOURCES OF RESEARCH APACHE FOUNDATION www.apache.org ECCOUNCIL www.eccouncil.org UTAH HARDENING COURSE www.utah.com.br IMAGES - ECCOUNCIL www.eccouncil.org

More Related Content

PPTX
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
PDF
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
PDF
Approach to find critical vulnerabilities
byAshish Kunwar
 
PDF
TLS State of the Union
bySander Temme
 
PDF
SSL State of the Union
bySander Temme
 
PDF
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
byJosephTesta9
 
PDF
Security and Privacy on the Web in 2016
byFrancois Marier
 
PDF
Sinn und Unsinn von SSL
byWalter Ebert
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
Approach to find critical vulnerabilities
byAshish Kunwar
 
TLS State of the Union
bySander Temme
 
SSL State of the Union
bySander Temme
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
byJosephTesta9
 
Security and Privacy on the Web in 2016
byFrancois Marier
 
Sinn und Unsinn von SSL
byWalter Ebert
 

What's hot

PDF
Secure Your Wordpress
byn|u - The Open Security Community
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
PDF
D-DAY 2015 Hawkular powers REDHAT
byDEVOPS D-DAY
 
PPT
How hackers do it
byChris Hammond-Thrasher
 
PDF
JSConfBR - Securing Node.js App, by the community and for the community
byDavid Dias
 
PDF
rsa_usa_2019_paula_januszkiewicz
byZuzannaKornecka
 
PDF
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 
Secure Your Wordpress
byn|u - The Open Security Community
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
D-DAY 2015 Hawkular powers REDHAT
byDEVOPS D-DAY
 
How hackers do it
byChris Hammond-Thrasher
 
JSConfBR - Securing Node.js App, by the community and for the community
byDavid Dias
 
rsa_usa_2019_paula_januszkiewicz
byZuzannaKornecka
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 

Similar to HARDENING IN APACHE WEB SERVER

PDF
APACHE WEB SERVER FOR LINUX
bywebhostingguy
 
PDF
PowerPoint Presentation
bywebhostingguy
 
PDF
Secure PHP environment
bySpeedPartner GmbH
 
KEY
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
PPTX
Apache
byranj_mb
 
PPT
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
PPTX
Apache Performance Tuning: Scaling Up
bySander Temme
 
PPTX
Secure programming with php
byMohmad Feroz
 
PPTX
Apache Performance Tuning: Scaling Out
bySander Temme
 
PDF
Session10-PHP Misconfiguration
byzakieh alizadeh
 
PDF
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
PDF
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
KEY
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
PDF
Meeting 14. web server ii
bySyaiful Ahdan
 
PDF
Apache course contents
bydarshangosh
 
PDF
Scale Apache with Nginx
byBud Siddhisena
 
PDF
E gov security_tut_session_4_lab
byMustafa Jarrar
 
PPTX
Apache_Web_Server_Overviewlklklklklk -.pptx
byaashimait
 
PDF
Securing and Managing the Oracle HTTP Server
bySecureDBA
 
PDF
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
byBIOVIA
 
APACHE WEB SERVER FOR LINUX
bywebhostingguy
 
PowerPoint Presentation
bywebhostingguy
 
Secure PHP environment
bySpeedPartner GmbH
 
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
Apache
byranj_mb
 
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
Apache Performance Tuning: Scaling Up
bySander Temme
 
Secure programming with php
byMohmad Feroz
 
Apache Performance Tuning: Scaling Out
bySander Temme
 
Session10-PHP Misconfiguration
byzakieh alizadeh
 
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
Meeting 14. web server ii
bySyaiful Ahdan
 
Apache course contents
bydarshangosh
 
Scale Apache with Nginx
byBud Siddhisena
 
E gov security_tut_session_4_lab
byMustafa Jarrar
 
Apache_Web_Server_Overviewlklklklklk -.pptx
byaashimait
 
Securing and Managing the Oracle HTTP Server
bySecureDBA
 
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
byBIOVIA
 

Recently uploaded

PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPT
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Waste water treatment plant operation and maintenance
byDuggineniRamakrishna
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 

HARDENING IN APACHE WEB SERVER

  • 1.
    “Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
  • 2.
    WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
  • 3.
    SOCIAL MEDIA Follow! @fabioandpires Follow!@utah_networxs Enjoy! Utah Networxs
  • 4.
    Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
  • 5.
    TARGET “PRESENT ONE AMONG SEVERAL SOLUTION FOR BUILDING WEB SERVER" hardening "THROUGH THE USE OF TOOLS FREE TO MINIMIZE IMPACTS OF ATTACKS."
  • 6.
  • 7.
  • 8.
    OPEN SOURCE WEBSERVER ARCHITECTURE
  • 9.
    VULNERABILITY WEB APPLICATIONS
  • 10.
    WHY WEB SERVERARE COMPROMISED?
  • 11.
    TOOLS HTTP PRINT –BANNER WEB SERVER NIKTO - VULNERABILITIES NESSUS – VULNERABILITIES W3AF - AUDITY E EXPLORATION NMAP – SCAN PORT
  • 12.
    MITIGATING RISKS DoS Attack DDoS Attack Brutal Force (ssh, telnet) Port Scanning Attack Ping Flooding Attack Elevation of Privilege Man in the Middle Attack Directory Transversal Password Cracking (Spoofing, Phising, Trojar Horse)
  • 13.
    DEPLOYING CORRETION What’s Hardening ? Is a process of mapping of threats, risk mitigation and implementation of corrective activities, focusing on infrastructure and primary goal to make it ready to face attempts to attack.
  • 14.
    PRATICE IN WEBSERVER APACHE Where you search packages ? - Packages Repository - Md5SUM Verified - Security Update - Pré-Compiled Package or Source Package
  • 15.
    PRATICE IN WEBSERVER APACHE #CHROOT JAIL
  • 16.
    CHROOT ARCHITETURE APACHE / bin boot chroot dev dev etc etc home lib lib mnt opt usr proc root var sbin tmp usr var
  • 17.
    DISABLE UNUSED MODULES  suexec  userdir  cgi / cgid  autoindex
  • 18.
    RESTRICT RESOURCES Number Of Process: With RES=7000k, SHR=2500k and 400M available for Apache, the result is: 400/(7-2.5) = 89. RES=Resident
  • 19.
  • 20.
    RESTRICT INCOMMING CONNECTIONS # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
  • 21.
    FILE PERMISSIONS # find/srv/www -user utahuser # find /srv/www ! -type l ( -perm /o=w -o -perm /g=w -group utahgroup )
  • 22.
    SEARCH FILES ANDSSL * Search hidden files # find /var/www -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*‘ * SSL key files * Make sure your SSL keys are only readable by the root user.
  • 23.
    OTHER APACHE CONFIG * Bewarec of certain RewriteRules # INSECURE configuration, don't use! RewriteRule ^/old/directory/(.*)$ /$1 Use this # SECURE - Use RewriteRule ^/old/directory/(.*)$ /$1 [PT] * Don't use Limit/LimitExcept (conf.d/security) TraceEnable off
  • 24.
    OTHER APACHE CONFIG * ServerSignature Off * ServerTokens Prod * Remove PHP scripts (test.php, info.php, i.php, php.info) * Disable directory indexing * Disable WebDAV * Enable PHP basedir * Install a Web Firewall (mod_security) l * Suhosin PHP
  • 25.
    SUHOSIN PHP -BASIC suhosin.executor.include.max_traversal =4 (../../../../) suhosin.executor.disable_emodifier=Off (exec function) suhosin.mail.protect=2 (protect spammers attack) suhosin.memory_limit=256M suhosin.filter.action=402 (return code detect error) suhosin.upload.max_uploads=100
  • 26.
    SUHOSIN PHP -BASIC suhosin.request.max_array_depth=4096 suhosin.request.max_array_index_length=2048 suhosin.request.max_name_length=2048 suhosin.request.max_value_length=650000 suhosin.request.max_vars=4096 suhosin.post.max_array_depth=8048 suhosin.post.max_array_index_length=1024 suhosin.post.max_name_length=2048 suhosin.post.max_totalname_length=8048 suhosin.post.max_vars=4096
  • 27.
    OTHER APACHE CONFIG * ErrorDocument 404 errors/404.html * ErrorDocument 500 errors/500.html * ServerAdmin (Use Alias Mail) * UserDir disabled root
  • 28.
    INSTALL PACKAGE # dpkg-i hardening-apache_beta-01.deb Albert Einstein
  • 29.
    PROBLEMS l UNIQUE USER l INSERT DIALOG l PORTABLE OTHER DISTROS
  • 30.
  • 31.
    SOURCES OF RESEARCH APACHEFOUNDATION www.apache.org ECCOUNCIL www.eccouncil.org UTAH HARDENING COURSE www.utah.com.br IMAGES - ECCOUNCIL www.eccouncil.org