This presentation is part of the Utah Networxs course Hardening Web Servers.
The goal is to show some options for configuring the security of the Apache web server and protecting it against possible attacks.
The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb and the source code, for changing it or generating a new Debian package, is available at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz
Thanks...
Utah Networxs
Walking to Giants
1. “Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
2. WHO ARE WE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH BEST LINUX IN BRAZIL
MORE THAN 50.000 STUDENTS TRAINED
MORE THAN 5.000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
4. Speaker: Fabio Pires
Mini Curriculum:
Graduated in Computer Science
Graduated in Bachelor of Computing
Post Graduate in Project Analysis and Systems - FATEC
Post Graduate in S.O. Linux - UFLA
LPIC
Teacher of Undergraduate and Graduate
Twitter in Spare Time
Contact: fpires@utah.com.br
5. TARGET
“PRESENT ONE AMONG SEVERAL SOLUTIONS FOR WEB SERVER HARDENING THROUGH THE USE OF FREE TOOLS TO MINIMIZE THE IMPACT OF ATTACKS.”
11. TOOLS
HTTPRINT – WEB SERVER BANNER
NIKTO – VULNERABILITIES
NESSUS – VULNERABILITIES
W3AF – AUDIT AND EXPLOITATION
NMAP – PORT SCAN
12. MITIGATING RISKS
DoS Attack
DDoS Attack
Brute Force (ssh, telnet)
Port Scanning Attack
Ping Flooding Attack
Elevation of Privilege
Man in the Middle Attack
Directory Traversal
Password Cracking (Spoofing, Phishing, Trojan Horse)
13. DEPLOYING CORRECTION
What is Hardening?
It is a process of mapping threats, mitigating risk and implementing corrective activities, focused on infrastructure, with the primary goal of making it ready to face attack attempts.
14. PRACTICE WITH THE APACHE WEB SERVER
Where do you get packages?
- Package repository
- MD5 sum verified
- Security updates
- Pre-compiled package or source package
22. SEARCH FILES AND SSL
* Search for hidden files
# find /var/www -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
* SSL key files
* Make sure your SSL keys are only readable by the root user.
23. OTHER APACHE CONFIG
* Beware of certain RewriteRules
# INSECURE configuration, don't use!
RewriteRule ^/old/directory/(.*)$ /$1
Use this instead:
# SECURE - Use
RewriteRule ^/old/directory/(.*)$ /$1 [PT]
* Don't use Limit/LimitExcept (conf.d/security)
TraceEnable off
24. OTHER APACHE CONFIG
* ServerSignature Off
* ServerTokens Prod
* Remove PHP scripts (test.php, info.php, i.php, php.info)
* Disable directory indexing
* Disable WebDAV
* Enable PHP basedir
* Install a Web Firewall (mod_security)
* Suhosin PHP
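
Several items on slides 23 and 24 can be checked mechanically. The script below is an added example, not part of the original slides or of the debian_hardening package; the function names and the sample configuration are assumptions made here, and it reads a single file without following Include directives.

```sh
#!/bin/sh
# Added example: audit one Apache config file against slides 23-24.
# Prints a FAIL line per finding; returns 1 if anything was flagged.

# Print the last value given for directive $2 in file $1 (case-insensitive).
last_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

audit_apache_conf() {
    conf=$1; rc=0
    # Banner and TRACE settings; unset is reported so each one is explicit.
    for pair in ServerSignature:Off ServerTokens:Prod TraceEnable:Off; do
        name=${pair%%:*}; want=${pair#*:}
        got=$(last_value "$conf" "$name")
        if [ "$(echo "$got" | tr 'A-Z' 'a-z')" != "$(echo "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "FAIL: $name is '${got:-unset}', expected $want"; rc=1
        fi
    done
    # Directory indexing: Indexes or +Indexes on any Options line.
    if awk 'tolower($1) == "options" {
                for (i = 2; i <= NF; i++) { t = tolower($i)
                    if (t == "indexes" || t == "+indexes") bad = 1 } }
            END { exit !bad }' "$conf"; then
        echo "FAIL: directory indexing enabled (Options Indexes)"; rc=1
    fi
    # WebDAV: any Dav line that is not "Dav Off".
    if awk 'tolower($1) == "dav" && tolower($2) != "off" { bad = 1 }
            END { exit !bad }' "$conf"; then
        echo "FAIL: WebDAV enabled (Dav)"; rc=1
    fi
    # Slide 23 heuristic: substitution starting with "/" and no PT flag.
    rr=$(awk 'function haspt(f,   s) {
                  s = "," substr(tolower(f), 2, length(f) - 2) ","
                  return index(s, ",pt,") || index(s, ",passthrough,") }
              tolower($1) == "rewriterule" && substr($3, 1, 1) == "/" &&
                  !haspt($4) { print "line " NR }' "$conf")
    if [ -n "$rr" ]; then
        echo "FAIL: RewriteRule without [PT] at $(echo $rr)"; rc=1
    fi
    return $rc
}

# Constructed sample config (not from the slides) and a demo run.
sample=$(mktemp)
printf '%s\n' 'ServerTokens Full' 'ServerSignature Off' \
    'Options Indexes FollowSymLinks' 'RewriteRule ^/old/directory/(.*)$ /$1' > "$sample"
audit_apache_conf "$sample" || true
rm -f "$sample"
```

The RewriteRule check is a heuristic that follows the slide literally and expects flags written without spaces, as in [PT,L].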