Apache Web Server
How does Apache work?

[Diagram: Web Browser (e.g. Netscape) <-- HTTP, HTTPS --> Web Server (e.g. Apache)]
Why Apache?
• Free!!
• Comes with Linux packages (almost every distribution)
• Most Popular
Problems & Risks
• Types of Web Attacks
  – Denial of Service
  – Defaced Web Page
  – Deletion of Files
  – Placement of Malicious Software such as a trojan horse or worm
• Risks of Apache
  – From the System Administrator
    • Thinks “Apache is the best!!”
    • Ignores Hardening
  – From Apache (itself)
    • Apache is not secure
    • Website Apache.org was hacked in May 2000
Hardening Apache Step-by-Step
1. Create the Web Server Group/User
2. Download the Appropriate Apache Distribution
3. Apply Latest Web Server Patches
4. Configure/Compile/Install the Apache Distribution
5. Edit the Apache Configuration file - httpd.conf
6. Change Ownership/Permissions on Directories and Files
7. Clean Out Unneeded Files and Directories
8. Update Apache Start Script for Notification
9. Advanced Settings - Miscellaneous Security Enhancements
Step 1: Create the Web Server Group/User

1.1 Create Groups for Web Server Content
>> webmaster:webmaster
1.2 Create a Specific User for Web Server
>> nobody:nobody
1.3 Create Quota for Web Server
1.4 Verify Quota
1.5 Lock Down the New Account
Step 1: Create the Web Server Group/User

  user                      conf  tools  logs  CGI  Content
  webmaster (>> webmaster)  RW    R      R     RW   RW
  web developer             -     -      -     RW   RW
  web author                -     -      -     R    RW
  Webserver (>> nobody)     -     -      -     R    R
Step 1: Create the Web Server Group/User

[Diagram: root starts the parent http process, which runs as root; it forks child http processes that run as nobody, and those children fork again to execute CGI programs as the (nobody) user.]
Step 2: Download the Appropriate Apache Distribution

 2.1 Download the Apache Source
 2.2 Verify the PGP Signatures
 2.3 Verify the MD5 Checksums
Step 3: Apply Latest Web Server Patch

• For the Latest Patch of Apache
  http://www.apache.org/dist/httpd/patches/
• Apply the Patch
  # cd apache_source_directory
  # patch -p0 </tmp/proxy_http1.1_chunking.patch
Step 4: Configure/Compile/Install the Apache Distribution

 4.1 Configure the Apache Distribution
 4.2 Edit the httpd.h File (these defines set the banner the server reports)
 #define SERVER_BASEVENDOR "Apache Group"
 #define SERVER_BASEPRODUCT "My-Server"
 #define SERVER_BASEREVISION "4.0"
 4.3 Compile Apache
 4.4 Install the Software
Step 5: Edit the Apache Configuration file - httpd.conf

 5.1 Basic Web Server Settings
    o ServerType
    o HostnameLookups on
    o User & Group
    o Port
    o ServerAdmin
    o ServerRoot
    o ServerName
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.2 Security Related Settings
      o LogLevel notice
      o CustomLog ... Combined
      o ErrorLog ...
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
   Some Error Messages in the ErrorLog
   • File does not exist: a request for a URL that does not exist
   • File permissions deny server access: a request for a document the
     server does not have sufficient privileges to read
   • Password mismatch: a request for a protected document with an
     incorrect password
   • Client denied by server configuration: a request for a directory
     whose access is restricted to certain IP addresses
   • Malformed header from script: a warning that a CGI script produced
     bad output that cannot be interpreted correctly
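The ErrorLog messages listed above are what a defender greps for. The following is an added example, not part of the original slides: a small classifier that parses Apache 1.3-style error_log lines, counts the five message types per client, and lists clients producing a burst of "File does not exist" errors (the usual footprint of a scanner probing for scripts). The log lines are constructed samples; the field layout `[date] [level] [client ip] message` is the Apache 1.3 format.

```python
import re
from collections import Counter

# Apache 1.3 error_log line: [timestamp] [level] [client ip] message
# (the [client ...] field is absent on server-lifecycle notices)
_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# The five messages the slide lists, with the substring Apache writes.
# Matched case-insensitively because Apache 1.3 lower-cases some of them.
CATEGORIES = [
    ("File does not exist", "file does not exist"),
    ("File permissions deny server access", "file permissions deny server access"),
    ("Password mismatch", "password mismatch"),
    ("Client denied by server configuration", "client denied by server configuration"),
    ("Malformed header from script", "malformed header from script"),
]


def parse_error_line(line):
    """Split one error_log line into ts/level/client/msg, or None if malformed."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(message):
    """Map a message to one of the slide's categories, or None if it is not one."""
    low = message.lower()
    for label, needle in CATEGORIES:
        if needle in low:
            return label
    return None


def summarize(lines):
    """Count (client, category) pairs over an iterable of error_log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_error_line(line)
        if rec is None or rec["client"] is None:
            continue                      # skip notices and junk lines
        label = classify(rec["msg"])
        if label:
            counts[(rec["client"], label)] += 1
    return counts


def noisy_clients(counts, category="File does not exist", threshold=2):
    """Clients with `threshold` or more hits in one category, sorted by address."""
    return sorted(c for (c, cat), n in counts.items() if cat == category and n >= threshold)


# Constructed sample log (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """
[Sun Sep 15 10:01:02 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/scripts/root.exe
[Sun Sep 15 10:01:03 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
[Sun Sep 15 10:02:11 2002] [error] [client 198.51.100.7] (13)Permission denied: file permissions deny server access: /usr/local/apache/htdocs/private/index.html
[Sun Sep 15 10:03:40 2002] [error] [client 198.51.100.7] user alice: password mismatch: /admin/
[Sun Sep 15 10:04:01 2002] [error] [client 203.0.113.5] client denied by server configuration: /usr/local/apache/htdocs/admin/
[Sun Sep 15 10:05:22 2002] [error] [client 203.0.113.5] malformed header from script. Bad header=<html>: /usr/local/apache/cgi-bin/test.cgi
[Sun Sep 15 10:06:00 2002] [notice] Apache/1.3.26 (Unix) configured -- resuming normal operations
""".strip().splitlines()


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (client, label), n in sorted(totals.items()):
        print(f"{client:16} {n:3}  {label}")
    print("probable scanners:", noisy_clients(totals))
```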
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.2 Security Related Settings (Cont.)
       o <Directory>
       o Options
           o AllowOverride None
           o IncludesNoExec
           o SymLinksIfOwnerMatch
       o Order and Allow/Deny from (Use IP)
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.2 Security Related Settings (Cont.)
      o ServerSignature Off
      o ServerTokens ProductOnly
      o CoreDumpDirectory ...
      o Error Responses
          o 401/403 Errors
          o Other Status Codes
      o LimitExcept
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.3 Access Control
      – Restrict Access to File or Directory
         • Host-based Authentication

[Diagram: the client sends a request; the server authenticates it by comparing the client's IP address / hostname against its lists: Is it in the allow list? Is it in the deny list?]
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
   5.3 Access Control
      – Restrict Access to File or Directory (Cont.)
         • HTTP-specified Basic Authentication

[Diagram: the client sends a request; the server requires a username & password; the client sends the username & password; the server authenticates by checking them against .htpasswd.]
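The host-based check in 5.3 (and the "Order and Allow/Deny from (Use IP)" item in 5.2) is easy to misconfigure because `Order` decides both the evaluation sequence and the default when neither list matches. The following is an added example, not from the original slides: a Python model of the Apache 1.3-era mod_access semantics that parses `Order` / `Allow from` / `Deny from` out of a `<Directory>` block and decides a request. It supports the pattern forms the Apache 1.3 documentation lists (`all`, full or partial dotted IP, CIDR or netmask, and a domain name matched on name-component boundaries); the `ADMIN_BLOCK` directory and addresses are constructed.

```python
import ipaddress


def _match_host(pattern, client_ip, client_host=None):
    """Does one Allow/Deny pattern match this client?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                       # 10.1.5.0/24 or 10.1.5.0/255.255.255.0
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.replace(".", "").isdigit():   # partial dotted IP: "10.1" matches 10.1.*.*
        octets = pattern.strip(".").split(".")
        return client_ip.split(".")[:len(octets)] == octets
    if client_host is None:                  # domain patterns need a resolved (double-reverse) name
        return False
    domain = pattern.lstrip(".")
    host = client_host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def access_decision(order, allow, deny, client_ip, client_host=None):
    """Apply Order semantics: the list evaluated first sets the default,
    the list evaluated second overrides it."""
    allowed = any(_match_host(p, client_ip, client_host) for p in allow)
    denied = any(_match_host(p, client_ip, client_host) for p in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        return (not denied) or allowed       # default allow; Allow overrides Deny
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied        # default deny; Deny overrides Allow
    raise ValueError(f"unknown Order: {order}")


def parse_access_block(text):
    """Pull Order / Allow from / Deny from out of a <Directory> block.
    Apache's default when no Order directive is present is deny,allow."""
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1]
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def check_request(block_text, client_ip, client_host=None):
    """True if the client may reach the directory described by block_text."""
    return access_decision(*parse_access_block(block_text), client_ip, client_host)


# Constructed sample: an admin area reachable only from an ops subnet or ops hosts.
ADMIN_BLOCK = """
<Directory "/usr/local/apache/htdocs/admin">
    Order deny,allow
    Deny from all
    Allow from 10.1.5.0/24 .example.com
</Directory>
"""

if __name__ == "__main__":
    for ip, host in [("10.1.5.7", None), ("10.1.6.7", None), ("192.0.2.1", "ops.example.com")]:
        print(ip, host, "->", "allowed" if check_request(ADMIN_BLOCK, ip, host) else "denied")
```

The same walk shows why `Order allow,deny` with only `Allow from` lines is the safer shape for a restricted directory: an address that matches nothing is denied rather than admitted.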
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

    5.4 Common Attack Signatures
        – Mod_Rewrite Voodoo
        – Robots
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.5 CGI Bin Mischief
       – Review CGI Files/Code
       – Fake CGIs
           • Foil Vulnerability Scanners
           • Fake PHF
       – <DirectoryMatch>
       – <FilesMatch>
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.6 Denial of Service
       – Timeout 60
       – KeepAlive On
       – KeepAliveTimeout 15
       – StartServers 10
       – MinSpareServers 10
       – MaxSpareServers 20
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)

   5.7 Buffer Overflows
       – LimitRequestBody 10240
       – LimitRequestFields 40
       – LimitRequestFieldSize 100
       – LimitRequestLine 500
Step 6: Change Ownership/Permissions on Directories and Files

    6.1 Server Configuration Directories
    # chown -R root <Conf_Dir>
    # chgrp -R webmaster <Conf_Dir>
    # chmod -R 770 <Conf_Dir>
    6.2 Document Root Directory
    # chown -R webmaster <htdocs_Dir>
    # chgrp -R webmaster <htdocs_Dir>
    # chmod -R 775 <htdocs_Dir>
    6.3 CGI-Bin Directory
    # chown -R root <Cgi-bin_Dir>
    # chgrp -R webmaster <Cgi-bin_Dir>
    # chmod -R 775 <Cgi-bin_Dir>
    6.4 Log Files
    # chown -R root <Logs_Dir>
    # chgrp -R webmaster <Logs_Dir>
    # chmod -R 750 <Logs_Dir>
    6.5 Bin Directory
    # chown -R root <Bin_Dir>
    # chgrp -R webmaster <Bin_Dir>
    # chmod -R 770 <Bin_Dir>
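Setting the ownership and modes in Step 6 once is not enough; they drift as content is deployed. The following is an added example, not from the original slides: a Python audit that walks each Apache directory, compares every entry against the owner:group and mode table above, and flags world-writable files separately. `build_demo_tree` constructs a throwaway install root for demonstration; because changing ownership to root/webmaster needs privileges, that demo takes the creating user as the expected owner and group, while `EXPECTED` holds the values from the slides.

```python
import grp
import os
import pwd
import stat
import tempfile

# Expected owner, group and mode per directory, from Step 6 (chown/chgrp/chmod -R).
# Keys are directory names under the Apache install root.
EXPECTED = {
    "conf":    ("root", "webmaster", 0o770),
    "htdocs":  ("webmaster", "webmaster", 0o775),
    "cgi-bin": ("root", "webmaster", 0o775),
    "logs":    ("root", "webmaster", 0o750),
    "bin":     ("root", "webmaster", 0o770),
}


def _uname(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _gname(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_path(path, owner, group, mode):
    """Return (path, issue) findings for one file or directory."""
    findings = []
    st = os.lstat(path)
    actual_mode = stat.S_IMODE(st.st_mode)
    if _uname(st.st_uid) != owner:
        findings.append((path, f"owner {_uname(st.st_uid)} != {owner}"))
    if _gname(st.st_gid) != group:
        findings.append((path, f"group {_gname(st.st_gid)} != {group}"))
    if actual_mode != mode:
        findings.append((path, f"mode {actual_mode:04o} != {mode:04o}"))
    # World-writable content is the finding that matters most: any local
    # account could alter what the server reads, serves or executes.
    if actual_mode & stat.S_IWOTH:
        findings.append((path, "world-writable"))
    return findings


def audit_tree(server_root, expected=EXPECTED):
    """Walk each expected directory under server_root and collect findings."""
    findings = []
    for name, (owner, group, mode) in expected.items():
        top = os.path.join(server_root, name)
        if not os.path.isdir(top):
            findings.append((top, "missing"))
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
            for entry in entries:
                findings.extend(audit_path(entry, owner, group, mode))
    return findings


def build_demo_tree():
    """Constructed demo: a conf/ dir with one correct file, one world-writable
    file, and a deliberately missing logs/ dir. Returns (root, findings)."""
    root = tempfile.mkdtemp(prefix="apache-audit-")
    conf = os.path.join(root, "conf")
    os.mkdir(conf)
    os.chmod(conf, 0o770)
    st = os.lstat(conf)                       # creator's identity stands in for root:webmaster
    me, mygrp = _uname(st.st_uid), _gname(st.st_gid)
    expected = {"conf": (me, mygrp, 0o770), "logs": (me, mygrp, 0o750)}
    good = os.path.join(conf, "httpd.conf")
    open(good, "w").close()
    os.chmod(good, 0o770)
    bad = os.path.join(conf, "access.conf")
    open(bad, "w").close()
    os.chmod(bad, 0o666)                      # wrong mode and world-writable
    return root, audit_tree(root, expected)


if __name__ == "__main__":
    for path, issue in build_demo_tree()[1]:
        print(f"{issue:28} {path}")
```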
Step 7: Clean Out Unneeded Files and Directories

7.1 Src Directory
7.2 Default HTML Documents
Step 8: Update Apache Start Script for Notification

• To let the System Administrator know that the Apache Web Server has been restarted
Step 9: Advanced Settings - Miscellaneous Security Enhancements


    9.1 Worms At War such as CodeRed and
      Nimda
    9.2 Swatch
    9.3 Monitor Changes in Web Content
    9.4 Secure Index Pages
    9.5 Chroot
    9.6 Secure Socket Layer (SSL)
Bug/ Exploit
• CERT® Advisory CA-2002-17
  Apache Web Server Chunk Handling
  Vulnerability
  June 17, 2002
• CERT® Advisory CA-2002-27
  Apache/mod_ssl Worm
  September 14, 2002
• Related Link:
  http://httpd.apache.org/security_report.html
Hardening Dedicated Server & Network Diagram
• Download and Install the latest versions of the Daemon
• No user login accounts
• All updates are done from the internal network
• Audit and Penetration Testing on your Server
• Carefully Check your CGI Scripts
• Prevent others from running their CGI Scripts
• DO NOT send confidential info., etc. back to the user via e-mail
Hardening Dedicated Server & Network Diagram

[Network diagram: Internet - Router - Firewall, with a DMZ segment and an Intranet segment; the ports shown are 80 (web) and 3306 (MySQL).]