PowerPoint Presentation
Transcript of PowerPoint Presentation
Apache Web Server
How does Apache work?
Diagram: Web browser (e.g. Netscape) <-- HTTP, HTTPS --> Web server (e.g. Apache)
Why Apache?
• Free!!
• Comes with Linux packages (almost every distribution)
• Most popular
Problems & Risks
• Types of web attack:
– Denial of service
– Defaced web page
– Deletion of files
– Placement of malicious software such as a trojan horse or worm
Problems & Risks (Cont.)
• Risks of Apache
– From the system administrator:
• Thinks "Apache is the best!!"
• Ignores hardening
– From Apache itself:
• Apache is not secure
• The website apache.org was hacked in May 2000
Hardening Apache Step-by-Step
1. Create the Web Server Group/User
2. Download the Appropriate Apache Distribution
3. Apply Latest Web Server Patches
4. Configure/Compile/Install the Apache Distribution
5. Edit the Apache Configuration File - httpd.conf
6. Change Ownership/Permissions on Directories and Files
7. Clean Out Unneeded Files and Directories
8. Update Apache Start Script for Notification
9. Advanced Settings - Miscellaneous Security Enhancements
Step 1: Create the Web Server Group/User
1.1 Create a group for web server content >> webmaster:webmaster
1.2 Create a specific user for the web server >> nobody:nobody
1.3 Create a quota for the web server
1.4 Verify the quota
1.5 Lock down the new account
Step 1: Create the Web Server Group/User (Cont.)
Access matrix (R = read, W = write, - = no access):

| User | Content | CGI | logs | tools | conf |
|---|---|---|---|---|---|
| Web server >> nobody | R | R | - | - | - |
| web author | RW | R | - | - | - |
| web developer | RW | RW | - | - | - |
| webmaster >> webmaster | RW | RW | R | R | RW |
Step 1: Create the Web Server Group/User (Cont.)
Diagram: root starts httpd; the parent http process runs as root and forks child http processes, each of which executes as user nobody.
Step 2: Download the Appropriate Apache Distribution
2.1 Download the Apache source
2.2 Verify the PGP signatures
2.3 Verify the MD5 checksums
Step 3: Apply Latest Web Server Patch
• For the latest Apache patches: http://www.apache.org/dist/httpd/patches/
• Apply a patch:
# cd apache_source_directory
# patch -p0 < /tmp/proxy_http1.1_chunking.patch
Step 4: Configure/Compile/Install the Apache Distribution
4.1 Configure the Apache distribution
4.2 Edit the httpd.h file:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "My-Server"
#define SERVER_BASEREVISION "4.0"
4.3 Compile Apache
4.4 Install the software
Step 5: Edit the Apache Configuration file - httpd.conf
5.1 Basic Web Server Settings
o ServerType
o HostnameLookups on
o User & Group
o Port
o ServerAdmin
o ServerRoot
o ServerName
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings
o LogLevel notice
o CustomLog ... combined
o ErrorLog ...
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
Some of the error messages in ErrorLog:
• File does not exist: access to a URL that does not exist
• File permissions deny server access: access to a document that the server does not have sufficient privileges to read
• Password mismatch: access to a protected document with an incorrect password
• Client denied by server configuration: access to a directory that is restricted to certain IP addresses
• Malformed header from script: a warning that a CGI script produced output the server could not interpret correctly
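The five ErrorLog messages above are the signatures an administrator greps for during triage. As an added example (not part of the slides), the following Python parses Apache 1.3-style error_log lines, tags each line with the message category it matches, and counts events per category and per client address. The log lines are constructed samples; the client addresses and paths are not from any real server.

```python
import re
from collections import Counter

# Constructed sample lines in the classic Apache 1.3 error_log format.
SAMPLE_ERROR_LOG = """\
[Mon Jun 17 10:01:12 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/robots.txt
[Mon Jun 17 10:01:15 2002] [error] [client 192.0.2.10] (13)Permission denied: file permissions deny server access: /usr/local/apache/htdocs/private/report.html
[Mon Jun 17 10:02:40 2002] [error] [client 198.51.100.7] user bob: password mismatch: /admin/
[Mon Jun 17 10:03:01 2002] [error] [client 198.51.100.7] client denied by server configuration: /usr/local/apache/htdocs/admin/
[Mon Jun 17 10:04:22 2002] [error] [client 203.0.113.3] malformed header from script. Bad header=<html>: /usr/local/apache/cgi-bin/form.cgi
[Mon Jun 17 10:05:00 2002] [notice] Apache/1.3.26 (Unix) configured -- resuming normal operations
"""

# [timestamp] [level] [client a.b.c.d] message   (the client part is optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# The message signatures listed on the slide, matched case-insensitively.
SIGNATURES = {
    "file does not exist": "missing_file",
    "file permissions deny server access": "permission_denied",
    "password mismatch": "bad_password",
    "client denied by server configuration": "acl_denied",
    "malformed header from script": "bad_cgi_output",
}


def parse_error_line(line):
    """Return a dict with ts/level/client/msg/kind, or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"].lower()
    rec["kind"] = next((kind for sig, kind in SIGNATURES.items() if sig in msg), "other")
    return rec


def summarize(log_text):
    """Count events per message kind and per client address for quick triage."""
    by_kind = Counter()
    by_client = Counter()
    for line in log_text.splitlines():
        rec = parse_error_line(line)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        if rec["client"]:
            by_client[rec["client"]] += 1
    return by_kind, by_client


if __name__ == "__main__":
    kinds, clients = summarize(SAMPLE_ERROR_LOG)
    print("by kind:", dict(kinds))
    print("by client:", dict(clients))
```

A client that accumulates many `acl_denied` or `bad_password` events in a short window is the sort of pattern worth feeding into Swatch-style alerting (see Step 9).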
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings (Cont.)
o <Directory>
o Options
o AllowOverride None
o IncludesNoExec
o SymLinksIfOwnerMatch
o Order and Allow/Deny from (use IP addresses)
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.2 Security Related Settings (Cont.)
o ServerSignature Off
o ServerTokens ProductOnly
o CoreDumpDirectory ...
o Error responses
  o 401/403 errors
  o Other status codes
o LimitExcept
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.3 Access Control - Restrict Access to a File or Directory
• Host-based authentication
Diagram: the client sends a request; the server takes the client's IP address / hostname and authenticates it by comparing it against the allow list and the deny list ("Is it in the allow list? Is it in the deny list?").
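The "Order and Allow/Deny from" directive listed under 5.2 and the allow-list / deny-list comparison in the host-based authentication diagram are the same mechanism. As an added example (not code from the slides), this Python reproduces how Apache 1.3/2.2 combine the two lists under each `Order` setting, including the two defaults that are easy to get backwards: `Order allow,deny` refuses anything that matches neither list, while `Order deny,allow` permits it. The `from` entry forms supported (all, full address, partial dotted prefix, CIDR or netmask) are the ones Apache documents; the addresses in the usage section are constructed.

```python
import ipaddress


def matches_from(spec, client_ip):
    """Does one 'Allow from' / 'Deny from' entry match the client address?
    Handles: all, a full address, a partial dotted prefix (10.1 or 10.1.0.),
    and network notation (10.1.0.0/16 or 10.1.0.0/255.255.0.0)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    if spec.endswith(".") or spec.count(".") < 3:
        prefix = spec.rstrip(".") + "."        # match whole octets only
        return client_ip.startswith(prefix)
    return client_ip == spec


def host_access(order, allow, deny, client_ip):
    """Evaluate an Order/Allow/Deny block for one client. Returns True if granted."""
    allowed = any(matches_from(s, client_ip) for s in allow)
    denied = any(matches_from(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Deny overrides Allow; a client matching neither list is refused.
        return allowed and not denied
    if order == "deny,allow":
        # Allow overrides Deny; a client matching neither list is permitted.
        return allowed or not denied
    raise ValueError("unknown Order value: " + order)


if __name__ == "__main__":
    # Typical admin-area block: only the internal /24, minus one workstation.
    # (Constructed addresses.)
    for ip in ("10.0.0.5", "10.0.0.99", "192.0.2.1"):
        granted = host_access("allow,deny", ["10.0.0."], ["10.0.0.99"], ip)
        print(f"{ip}: {'allow' if granted else 'deny'}")
```

Note how `Order deny,allow` with no rules at all grants everyone; this is why a block that only lists `Deny from` entries under that order behaves as a blacklist rather than a whitelist.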
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.3 Access Control - Restrict Access to a File or Directory (Cont.)
• HTTP-specified Basic Authentication
Diagram: the client sends a request; the server answers that authentication is required (username & password); the client sends its username & password; the server checks them against .htpasswd.
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.4 Common Attack Signatures
– mod_rewrite voodoo
– Robots
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.5 CGI Bin Mischief
– Review CGI files/code
– Fake CGIs
• Foil vulnerability scanners
• Fake PHF
– <DirectoryMatch>
– <FilesMatch>
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.6 Denial of Service
– Timeout 60
– KeepAlive On
– KeepAliveTimeout 15
– StartServers 10
– MinSpareServers 10
– MaxSpareServers 20
Step 5: Edit the Apache Configuration file - httpd.conf (Cont.)
5.7 Buffer Overflows
– LimitRequestBody 10240
– LimitRequestFields 40
– LimitRequestFieldsize 100
– LimitRequestLine 500
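The four LimitRequest* directives each bound one part of an incoming request, so oversized input is refused before any module parses it. As an added example (not code from the slides), this Python applies the slide's values to a raw HTTP/1.0 request and reports which limit, if any, a request exceeds. It is a model of the checks, not Apache's parser: Apache answers with 414 for a long request line and 413 for the other three, and counts bytes slightly differently at the margins. The sample requests built in the usage section are constructed.

```python
# Values taken from the slide.
LIMITS = {
    "LimitRequestLine": 500,        # bytes in "METHOD URI HTTP/x.y"
    "LimitRequestFields": 40,       # number of header lines
    "LimitRequestFieldsize": 100,   # bytes in any single header line
    "LimitRequestBody": 10240,      # bytes of entity body
}


def check_request_limits(raw, limits=LIMITS):
    """Return (True, 'ok') or (False, reason) for a raw HTTP/1.x request.
    Each check mirrors the directive that bounds that part of the request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete headers"
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > limits["LimitRequestLine"]:
        return False, "request line too long"          # Apache: 414
    if len(headers) > limits["LimitRequestFields"]:
        return False, "too many header fields"         # Apache: 413
    for field in headers:
        if len(field) > limits["LimitRequestFieldsize"]:
            return False, "header field too long"      # Apache: 413
    if len(body) > limits["LimitRequestBody"]:
        return False, "body too large"                 # Apache: 413
    return True, "ok"


def build_request(path="/", headers=None, body=b"", method="GET"):
    """Assemble a raw HTTP/1.0 request for testing (constructed input)."""
    lines = [f"{method} {path} HTTP/1.0".encode()]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}".encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    cases = {
        "normal": build_request("/index.html", {"Host": "www.example.com"}),
        "long uri": build_request("/" + "a" * 600),
        "many headers": build_request("/", {f"X-H{i}": "1" for i in range(50)}),
        "fat header": build_request("/", {"X-Big": "b" * 150}),
        "big body": build_request("/", {"Content-Length": "20000"}, b"x" * 20000, "POST"),
    }
    for name, req in cases.items():
        print(f"{name}: {check_request_limits(req)}")
```

The 10240-byte LimitRequestBody from the slide is tight for a site that accepts file uploads; raise it per <Location> for the upload handler rather than globally.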
Step 6: Change Ownership/Permissions on Directories and Files
6.1 Server configuration directories
# chown -R root <Conf_Dir>
# chgrp -R webmaster <Conf_Dir>
# chmod -R 770 <Conf_Dir>
6.2 Document root directory
# chown -R webmaster <htdocs_Dir>
# chgrp -R webmaster <htdocs_Dir>
# chmod -R 775 <htdocs_Dir>
Step 6: Change Ownership/Permissions on Directories and Files (Cont.)
6.3 CGI-Bin directory
# chown -R root <Cgi-bin_Dir>
# chgrp -R webmaster <Cgi-bin_Dir>
# chmod -R 775 <Cgi-bin_Dir>
6.4 Log files
# chown -R root <Logs_Dir>
# chgrp -R webmaster <Logs_Dir>
# chmod -R 750 <Logs_Dir>
Step 6: Change Ownership/Permissions on Directories and Files (Cont.)
6.5 Bin directory
# chown -R root <Bin_Dir>
# chgrp -R webmaster <Bin_Dir>
# chmod -R 770 <Bin_Dir>
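The chown/chgrp/chmod runs above set the modes once; what drifts afterwards (a world-writable file dropped by an upload script, a stray setuid bit) is what an attacker needs for a defacement. As an added example (not from the slides), this Python audits a tree against the maximum mode the slides assign to each directory role and lists anything whose permission bits exceed it. The demo builds a constructed document root in a temporary directory with one correctly set file and one world-writable file; the directory-role table is the slides' values, the file names are made up.

```python
import os
import shutil
import stat
import tempfile

# Maximum modes from the slides, per directory role.
EXPECTED_MODE = {
    "conf": 0o770,
    "htdocs": 0o775,
    "cgi-bin": 0o775,
    "logs": 0o750,
    "bin": 0o770,
}


def audit_tree(root, max_mode):
    """Walk root and return (relative path, mode) for every directory or file
    whose permission bits go beyond max_mode: e.g. a world-writable file under a
    775 document root, or a setuid/setgid bit that chmod -R 775 never granted.
    Symlinks are skipped because their own mode bits carry no meaning."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~max_mode:            # any bit set that max_mode does not allow
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def demo():
    """Constructed document root: one well-set file and one world-writable file."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    try:
        ok = os.path.join(root, "index.html")
        bad = os.path.join(root, "upload.html")
        for p in (ok, bad):
            open(p, "w").close()
        os.chmod(root, 0o775)
        os.chmod(ok, 0o644)
        os.chmod(bad, 0o666)   # world-writable: any local account could deface it
        return audit_tree(root, EXPECTED_MODE["htdocs"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{rel}: mode {mode} exceeds {oct(EXPECTED_MODE['htdocs'])}")
```

Run the same function over the real `<Conf_Dir>`, `<Logs_Dir>` and `<Bin_Dir>` with their role's mode from the table; it pairs naturally with the content-change monitoring listed under Step 9.3.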
Step 7: Clean Out Unneeded Files and Directories
7.1 Src directory
7.2 Default HTML documents
Step 8: Update Apache Start Script for Notification
• To let the system administrator know that the Apache web server has been restarted
Step 9: Advanced Settings - Miscellaneous Security Enhancements
9.1 Worms at war, such as CodeRed and Nimda
9.2 Swatch
9.3 Monitor changes in web content
9.4 Secure index pages
9.5 Chroot
9.6 Secure Socket Layer (SSL)
Bug/Exploit
• CERT® Advisory CA-2002-17: Apache Web Server Chunk Handling Vulnerability, June 17, 2002
• CERT® Advisory CA-2002-27: Apache/mod_ssl Worm, September 14, 2002
• Related link: http://httpd.apache.org/security_report.html
Hardening Dedicated Server & Network Diagram
• Download and install the latest versions of the daemon
• No user login accounts
• All updates are done from the internal network
• Audit and penetration-test your server
• Carefully check your CGI scripts
• Prevent others from running their CGI scripts
• DO NOT send confidential info., etc. back to the user via e-mail
Hardening Dedicated Server & Network Diagram (Cont.)
Diagram: Internet -> firewall/router -> DMZ and intranet; the DMZ segment is labelled with ports 8080 and 3306.