HARDENING IN APACHE WEB SERVER

This presentation is part of the Utah Networxs course Hardening Web Servers.

Its goal is to show some of the options for configuring Apache web server security and protecting the server against likely attacks.

The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb, and the source code, for modifying it or building a new Debian package, at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz

Thanks...

Utah Networxs
Walking to Giants

HARDENING IN APACHE WEB SERVER

  1. "Mapping threats, mitigating risk and implementing corrective activities in web servers"
  2. WHO WE ARE?
     First Linux school and consulting firm in Brazil. 17 years of practice in Linux, 12 years with the best Linux in Brazil. More than 50,000 students trained; more than 5,000 clients across different projects. LPI-C ATP in Brazil. More: www.utah.com.br
  3. SOCIAL MEDIA
     Follow! @fabioandpires
     Follow! @utah_networxs
     Enjoy! Utah Networxs
  4. Speaker: Fabio Pires
     Mini curriculum: Graduated in Computer Science; Bachelor of Computing; Postgraduate in Systems Analysis and Design - FATEC; Postgraduate in Linux Operating System - UFLA; LPIC; teaches undergraduate and graduate courses; Twitter in spare time.
     Contact: fpires@utah.com.br
  5. TARGET
     "Present one of several solutions for building a 'hardened' web server, using free tools to minimize the impact of attacks."
  6. VULNERABILITY STACK
  7. WEB SERVER MARKET SHARES
  8. OPEN SOURCE WEB SERVER ARCHITECTURE
  9. WEB APPLICATION VULNERABILITIES
  10. WHY ARE WEB SERVERS COMPROMISED?
  11. TOOLS
      httprint – web server banner fingerprinting
      Nikto – vulnerabilities
      Nessus – vulnerabilities
      w3af – audit and exploitation
      Nmap – port scanning
  12. MITIGATING RISKS
      DoS attack
      DDoS attack
      Brute force (ssh, telnet)
      Port scanning attack
      Ping flooding attack
      Elevation of privilege
      Man-in-the-middle attack
      Directory traversal
      Password cracking (spoofing, phishing, Trojan horse)
  13. DEPLOYING CORRECTION
      What is hardening? A process of mapping threats, mitigating risk and implementing corrective activities, focused on the infrastructure, whose primary goal is to make it ready to withstand attack attempts.
  14. PRACTICE IN WEB SERVER APACHE
      Where do you get packages from?
      - Package repository
      - MD5SUM verified
      - Security updates
      - Pre-compiled package or source package
      Check the digest against a value obtained from a trusted channel; a checksum served next to the file only detects corruption, not tampering with the download.
  15. PRACTICE IN WEB SERVER APACHE
      Chroot jail
  16. CHROOT ARCHITECTURE APACHE
      / : bin boot chroot dev etc home lib mnt opt proc root sbin tmp usr var
      /chroot (the jail, which becomes / for httpd): dev etc lib usr var
      A chroot only confines a process that has already dropped root; httpd must switch to its unprivileged user inside the jail, and the jail must contain no setuid binaries or writable library directories.
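To make the jail on slide 16 concrete, here is an added example (not part of the deck or its hardening package) that creates that directory layout, copies a binary with the shared libraries it links against, and then checks that nothing inside the jail is writable by group or world. The /chroot path, the Debian apache2 binary location and the directory list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the slides' package: build the jail skeleton of slide 16
# and copy a binary plus its shared libraries into it. The /chroot path and
# the apache2 binary path are Debian-style assumptions; run as root for a
# real jail (mknod needs it), the functions only need write access to JAIL.

# make_jail JAIL: directory layout a chrooted httpd needs. The subshell keeps
# umask 022 local so nothing in the jail ends up group/world-writable.
make_jail() (
    umask 022
    jail="$1"
    for d in bin dev etc lib lib64 usr/lib usr/sbin var/www var/log var/run tmp; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"
    # Device nodes httpd uses; skipped silently when not root.
    [ -e "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3 2>/dev/null || true
    [ -e "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8 2>/dev/null || true
    [ -e "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9 2>/dev/null || true
)

# jail_copy JAIL BIN: copy BIN to the same path inside the jail, followed by
# every shared object ldd reports for it (the dynamic loader included).
jail_copy() (
    umask 022
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
)

# jail_check JAIL: anything (symlinks aside) that is group- (-020) or
# world-writable (-002), excluding /tmp and /dev. A writable library path lets
# a compromised httpd replace code it will load next time, defeating the jail.
jail_check() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) ! -path "$1/tmp" ! -path "$1/dev/*"
}

if [ "${1:-}" = "demo" ]; then
    make_jail /chroot
    jail_copy /chroot /usr/sbin/apache2
    jail_check /chroot
fi
```

Run with `demo` as root to build the real jail; `jail_check` should print nothing afterwards. Apache 2.4 also offers mod_unixd's ChrootDir directive, which makes httpd chroot itself after start-up, so configuration and log paths must resolve both before and after the switch. Whichever way the jail is built, modules loaded by httpd (PHP, its extensions, their libraries) need the same copy treatment as the binary.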
  17. DISABLE UNUSED MODULES
      suexec, userdir, cgi / cgid, autoindex
  18. RESTRICT RESOURCES
      Number of processes (MaxClients): divide the memory available to Apache by the non-shared memory of one child, RES − SHR (RES = resident set size, SHR = shared memory). With RES = 7000k, SHR = 2500k and 400M available for Apache: 400 / (7 − 2.5) ≈ 89.
  19. MITIGATE MEMORY LEAKS
      MaxRequestsPerChild 10000
      Each child exits after serving 10000 requests, so memory leaked by a module or by PHP is returned when the child is replaced.
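The following added example (not from the slides) turns slide 18's calculation into a function, measures the per-child figures live where a server is running, and emits the prefork block with slide 19's MaxRequestsPerChild. It works in KB as ps and top report them, so slide 18's numbers give 91; the slide's 89 comes from rounding 7000k to 7M. The process name apache2 is Debian's.

```shell
#!/bin/sh
# Added example, not from the slides: derive the prefork MaxClients value of
# slide 18 from per-child memory use and emit it together with the
# MaxRequestsPerChild setting of slide 19. Sizes are in KB, as ps/top report
# them; the process name "apache2" is Debian's.

# max_clients_for AVAIL_KB RES_KB SHR_KB: floor(AVAIL / (RES - SHR)).
# Each child costs only its non-shared memory, hence RES - SHR. Fails on
# nonsense input (RES not larger than SHR, or nothing available).
max_clients_for() {
    awk -v avail="$1" -v res="$2" -v shr="$3" 'BEGIN {
        if (avail <= 0 || res <= shr) exit 1
        printf "%d\n", int(avail / (res - shr))
    }'
}

# avg_child_rss NAME: mean resident size (KB) of the running children of
# NAME, measured live with ps. Needs a server under realistic load.
avg_child_rss() {
    ps -C "$1" -o rss= | awk '{ s += $1; n++ } END { if (n == 0) exit 1; print int(s / n) }'
}

# prefork_conf MAX_CLIENTS: prefork block using the computed value.
# MaxRequestsPerChild recycles each child after 10000 requests, so memory
# leaked by a module or PHP is returned when the child is replaced.
# Apache 2.4 calls these MaxRequestWorkers and MaxConnectionsPerChild and
# still accepts the 2.2 names used here; above 256 also raise ServerLimit.
prefork_conf() {
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients           $1
    MaxRequestsPerChild 10000
</IfModule>
EOF
}

# Slide 18's figures: 400 MB available, RES 7000 KB, SHR 2500 KB.
if [ "${1:-}" = "demo" ]; then
    prefork_conf "$(max_clients_for 409600 7000 2500)"
fi
```

The "available" figure is what is left after the kernel, the database and everything else on the host have taken their share, measured under load, not total RAM; an over-estimate here is exactly what turns a traffic spike into swapping and the DoS of slide 12.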
  20. RESTRICT INCOMING CONNECTIONS
      # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
      Rejects a new connection to port 80 from a source address that already has more than 25 open. The limit is per /32 by default (--connlimit-mask changes the prefix length), so many users behind one NAT share the quota, and a distributed flood is not stopped by this rule alone.
  21. FILE PERMISSIONS
      # find /srv/www -user utahuser
      # find /srv/www ! -type l \( -perm /o=w -o \( -perm /g=w -group utahgroup \) \)
      The first lists everything owned by the account httpd runs as; the second lists anything other than a symlink that is world-writable, or group-writable and owned by the web server's group. Content should be readable, not writable, by the web server user.
  22. SEARCH FILES AND SSL
      * Search hidden files
        # find /var/www \( -name '.?*' -not -name '.ht*' \) -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
      * SSL key files
        Make sure your SSL keys are only readable by the root user.
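The checks on slides 21 and 22, as an added example (not from the deck): each is a function, and a constructed document root with one planted problem of each kind shows what they report. The group and owner names are parameters; in production they would be the web server's group (www-data on Debian) and root.

```shell
#!/bin/sh
# Added example, not from the slides: the checks of slides 21 and 22 as
# functions, exercised against a constructed document root so the expected
# hits are known. Paths, the web server group and the key owner are
# parameters; production values would be e.g. /srv/www, www-data and root.

# writable_by_web DOCROOT GROUP: files/directories (symlinks aside) that are
# world-writable, or group-writable and owned by the web server's group.
# Either lets a compromised httpd modify content it should only read.
# Octal masks keep this portable: -002 = o+w, -020 = g+w.
writable_by_web() {
    find "$1" ! -type l \( -perm -002 -o \( -perm -020 -group "$2" \) \)
}

# leftover_files DOCROOT: dotfiles other than .htaccess/.htpasswd, editor
# backups and .bak/.old copies, all of which tend to leak source or secrets.
leftover_files() {
    find "$1" \( -name '.?*' ! -name '.ht*' \) -o -name '*~' -o -name '*.bak*' -o -name '*.old*'
}

# exposed_keys KEYDIR OWNER: private keys not owned by OWNER or readable by
# group (-040) or other (-004).
exposed_keys() {
    find "$1" -type f \( ! -user "$2" -o -perm -040 -o -perm -004 \)
}

# count: number of input lines; prints 0 and exits 0 on empty input.
count() { awk 'END { print NR }'; }

# build_fixture DIR GROUP: constructed docroot holding one of each problem
# plus clean files, so each check should report exactly the planted ones.
build_fixture() (
    umask 022
    d="$1"
    mkdir -p "$d/htdocs/inc" "$d/ssl"
    printf 'ok\n'     > "$d/htdocs/index.html"
    printf 'ok\n'     > "$d/htdocs/.htaccess"          # allowed dotfile
    printf 'secret\n' > "$d/htdocs/inc/config.php.bak" # leftover
    printf 'secret\n' > "$d/htdocs/.env"               # leftover
    printf 'php\n'    > "$d/htdocs/inc/upload.php"
    chmod o+w "$d/htdocs/inc/upload.php"               # world-writable
    printf 'cache\n'  > "$d/htdocs/inc/cache.dat"
    chgrp "$2" "$d/htdocs/inc/cache.dat"
    chmod g+w "$d/htdocs/inc/cache.dat"                # group-writable, web group
    printf 'key\n'    > "$d/ssl/good.key";  chmod 600 "$d/ssl/good.key"
    printf 'key\n'    > "$d/ssl/leaky.key"; chmod 644 "$d/ssl/leaky.key"  # exposed
)

if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    build_fixture "$root" "$(id -gn)"
    echo "writable by web server:"; writable_by_web "$root/htdocs" "$(id -gn)"
    echo "leftovers:";              leftover_files "$root/htdocs"
    echo "exposed keys:";           exposed_keys "$root/ssl" "$(id -un)"
    rm -rf "$root"
fi
```

Against the fixture, `writable_by_web` reports upload.php and cache.dat, `leftover_files` reports config.php.bak and .env, and `exposed_keys` reports leaky.key only. Upload directories that legitimately must be writable should be listed explicitly and served with script execution disabled, rather than excluded from the check.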
  23. OTHER APACHE CONFIG
      * Beware of certain RewriteRules
        # INSECURE configuration, don't use!
        RewriteRule ^/old/directory/(.*)$ /$1
        # SECURE - use this
        RewriteRule ^/old/directory/(.*)$ /$1 [PT]
        In server context a substitution whose first path component exists on the filesystem is served as a file, so a request for /old/directory/etc/passwd could map to /etc/passwd; [PT] passes the result back through URL mapping instead.
      * Don't rely on <Limit>/<LimitExcept> (as in the commented example in conf.d/security) to block methods, since unlisted methods stay unrestricted; disable TRACE directly with
        TraceEnable off
  24. OTHER APACHE CONFIG
      * ServerSignature Off
      * ServerTokens Prod
      * Remove PHP test scripts (test.php, info.php, i.php, php.info)
      * Disable directory indexing
      * Disable WebDAV
      * Enable PHP open_basedir (restricts the files PHP may open to the listed directories)
      * Install a web application firewall (mod_security)
      * Suhosin PHP
  25. SUHOSIN PHP - BASIC
      suhosin.executor.include.max_traversal=4   (maximum number of ../ steps in an include path, e.g. ../../../../)
      suhosin.executor.disable_emodifier=Off     (controls the /e modifier of preg_replace, which executes the replacement as PHP code; Off leaves it enabled, so On is the hardening value)
      suhosin.mail.protect=2                     (rejects mail() calls with injected headers, which would let the script be abused for spam)
      suhosin.memory_limit=256M
      suhosin.filter.action=402                  (HTTP status code returned when a filter detects a violation)
      suhosin.upload.max_uploads=100
  26. SUHOSIN PHP - BASIC
      Limits on all request variables (suhosin.request.*) and on POST data (suhosin.post.*):
      suhosin.request.max_array_depth=4096
      suhosin.request.max_array_index_length=2048
      suhosin.request.max_name_length=2048
      suhosin.request.max_value_length=650000
      suhosin.request.max_vars=4096
      suhosin.post.max_array_depth=8048
      suhosin.post.max_array_index_length=1024
      suhosin.post.max_name_length=2048
      suhosin.post.max_totalname_length=8048
      suhosin.post.max_vars=4096
      Suhosin targets PHP 5 and has no release for PHP 7 or later; on current PHP the equivalent limits are max_input_vars, max_input_nesting_level and post_max_size in php.ini.
  27. OTHER APACHE CONFIG
      * ErrorDocument 404 /errors/404.html
      * ErrorDocument 500 /errors/500.html
        (a local path must start with / and is relative to DocumentRoot)
      * ServerAdmin (use a mail alias, not a personal address)
      * UserDir disabled root
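An added example, not the deck's hardening package, that applies the settings of slides 17, 23, 24 and 27 on a Debian-style Apache layout: it disables the unused modules with a2dismod and writes the directives to a conf-available file that can be inspected before it is enabled. The file name hardening.conf, the module list and the Debian tool names are assumptions; /old/directory is the slides' illustrative rewrite path.

```shell
#!/bin/sh
# Added example, not the slides' package: apply the settings of slides 17, 23,
# 24 and 27 on a Debian-style layout (a2dismod, a2enconf, conf-available).
# The target directory is a parameter so the generated file can be inspected
# without a live server; /old/directory is the slides' illustrative rewrite.

# unused_modules: slide 17's list, plus dav/dav_fs for slide 24's "disable WebDAV".
unused_modules() { echo "suexec userdir cgi cgid autoindex dav dav_fs"; }

# disable_modules: a2dismod each listed module that is currently enabled.
disable_modules() {
    command -v a2dismod >/dev/null 2>&1 || { echo "a2dismod not found, skipping"; return 0; }
    for m in $(unused_modules); do
        if [ -e "/etc/apache2/mods-enabled/$m.load" ]; then
            a2dismod -q "$m" && echo "disabled $m"
        fi
    done
}

# write_hardening_conf CONFDIR: write CONFDIR/hardening.conf and print its path.
write_hardening_conf() {
    f="$1/hardening.conf"
    cat > "$f" <<'EOF'
# Slide 24: no version details in headers or generated pages.
ServerTokens Prod
ServerSignature Off

# Slide 23: disable TRACE outright rather than filtering methods with
# <Limit>/<LimitExcept>, which leave unlisted methods unrestricted.
TraceEnable off

# Slide 24: no directory listings even where autoindex is still loaded.
<Directory />
    Options -Indexes
</Directory>

# Slide 27: custom error pages (local paths start with /, relative to
# DocumentRoot) and no ~root directory if mod_userdir is loaded after all.
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
<IfModule mod_userdir.c>
    UserDir disabled root
</IfModule>

# Slide 23: [PT] hands the rewritten path back to URL mapping; without it
# /$1 may be served as a filesystem path (/old/directory/etc/passwd -> /etc/passwd).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/old/directory/(.*)$ /$1 [PT]
</IfModule>
EOF
    echo "$f"
}

# conf_has FILE TEXT: true if TEXT occurs literally in FILE.
conf_has() { grep -qF -- "$2" "$1"; }

# apply: full sequence on a Debian host; configtest before reload so a typo
# never takes the server down.
apply() {
    disable_modules
    write_hardening_conf /etc/apache2/conf-available >/dev/null
    a2enconf -q hardening
    apache2ctl configtest && service apache2 reload
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

A later, more specific <Directory> block that sets Options in absolute form (Debian's default /var/www block uses Options Indexes FollowSymLinks) replaces the -Indexes set here, so after the reload request a directory that has no index.html and confirm that a 403, not a listing, comes back; the same request also shows whether ServerTokens and ServerSignature took effect.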
  28. INSTALL PACKAGE
      # dpkg -i hardening-apache_beta-01.deb
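Slide 28 installs the package straight away; the added example below (not the deck's own code) combines that step with slide 14's checksum verification and a security-update check on a Debian host. The package name and URL are the ones given at the top of this page; EXPECTED_SHA256 is a placeholder that must be set from a digest published separately from the download, which is what makes the check meaningful.

```shell
#!/bin/sh
# Added example, not the slides' package: install a downloaded .deb only after
# its digest matches a value obtained out of band (slide 14's "MD5SUM
# verified"), and list pending security updates. The package name and URL are
# the deck's; EXPECTED_SHA256 is a placeholder to be set from the publisher's
# announcement, not from the download location itself.

# checksum FILE: SHA-256 hex digest. MD5, as on the slide, still catches
# corruption, but collisions can be manufactured for it, so prefer SHA-256.
checksum() { sha256sum "$1" | awk '{ print $1 }'; }

# verify_checksum FILE EXPECTED: 0 when the digest matches, 1 otherwise.
verify_checksum() {
    actual=$(checksum "$1") || return 1
    [ "$actual" = "$2" ]
}

# install_verified FILE EXPECTED: dpkg -i runs only after verification;
# a mismatch is reported and nothing is installed.
install_verified() {
    if ! verify_checksum "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to install" >&2
        return 1
    fi
    dpkg -i "$1"
}

# pending_security_updates: packages apt would upgrade from a security
# repository (dry run; empty output means nothing pending).
pending_security_updates() {
    apt-get -s upgrade 2>/dev/null | awk '/^Inst / && tolower($0) ~ /security/ { print $2 }'
}

if [ "${1:-}" = "demo" ]; then
    EXPECTED_SHA256="${EXPECTED_SHA256:?set to the published digest}"
    wget -q http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb
    install_verified debian_hardening-0.1_beta.deb "$EXPECTED_SHA256"
    pending_security_updates
fi
```

Packages from the distribution repository need none of this, since apt verifies the repository signature for you; the manual check is for packages downloaded by hand, as this one is.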
  29. PROBLEMS
      - Single user only
      - Add dialog-based (interactive) prompts
      - Port to other distros
  30. QUESTIONS?
  31. SOURCES OF RESEARCH
      Apache Foundation – www.apache.org
      EC-Council – www.eccouncil.org
      Utah Hardening Course – www.utah.com.br
      Images – EC-Council, www.eccouncil.org
