Securing The Apache Web Server Matthew Cook http://escarpment.net/

Upload: webhostingguy

Post on 10-Nov-2014


Page 1: Securing the Apache web server

Securing The Apache Web Server

Matthew Cook, http://escarpment.net/

Page 2: Securing the Apache web server

Agenda

• Background
• Web Servers
• Connections
• Apache History
• System Attacks
• Securing Apache
• Useful Tools
• In Summary
• Further Advice and Guidance

Page 3: Securing the Apache web server

Background

• The Security Service is running a number of similar courses in conjunction with Professional Development.

• Details are available at: http://www.lboro.ac.uk/computing/security/

• By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and IT Support Staff workload.

Page 4: Securing the Apache web server

Web Servers

• The first operational web servers were developed in 1991.

• Graphical browsers helped development.
• Scaling to around 50 around the world in 1992.
• Netcraft reports 59,100,880 sites in February 2005.

Page 5: Securing the Apache web server

Web Servers…

Web Server Platform:

• Apache - 40681140 (68.83%)
• IIS - 12322111 (20.85%)
• Sun - 1835718 (3.11%)
• Zeus - 618599 (1.05%)

Page 6: Securing the Apache web server

Connections

• Usually via a graphical browser
• Port:
– 80 Standard Web Traffic
– 443 SSL Web Traffic
– 81, 8080, … Many other ports, 0-65535!

Page 7: Securing the Apache web server

Connections…

• Can connect via telnet:
• telnet <web server> <port>
• GET <document name> <HTTP-version>
• Check the response text:

HTTP/1.0 Nnn Response text

• Nnn is the three digit code and the Response text the human readable version.

Page 8: Securing the Apache web server

Connections…

Response Codes:

200 – Document Follows
301 – Moved Permanently
302 – Moved Temporarily
403 – Forbidden
404 – Not Found
400 – Server Error

Page 9: Securing the Apache web server

Connections…

telnet www.lboro.ac.uk 80
GET /index.html HTTP/1.0 <Return Twice>

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2005 10:04:27 GMT
Server: Apache/1.3.27 (Unix)
Last-Modified: Tue, 18 Jan 2005 15:23:38 GMT
ETag: "1440c8-294c-41ed29fa"
Accept-Ranges: bytes
Content-Length: 10572
Connection: close
Content-Type: text/html

Page 10: Securing the Apache web server

Connections…

Another example:

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Wed, 09 Feb 2005 10:06:33 GMT
Content-Length: 4040
Content-Type: text/html
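As an added example (not from the slides), the Python below does what the telnet session on the previous pages does by hand: it sends the GET, parses the status line and headers, and classifies what the Server header gives away, which is the disclosure the later "Securing Apache" pages say to minimise. The two sample replies are reconstructed from pages 9 and 10, and `check()` is a hypothetical helper for running the same test against a server you administer.

```python
"""Issue the GET that the telnet session on the slides types, parse the
status line and headers, and classify what the Server header discloses.
Added example, not from the slides; the sample replies are constructed."""
import socket

def build_request(path, version="HTTP/1.0"):
    # The trailing blank line is the "<Return Twice>" from the telnet session.
    return f"GET {path} {version}\r\n\r\n".encode()

def parse_response(raw):
    """Return (status code, reason text, headers) from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)            # e.g. HTTP/1.1 404 Object Not Found
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers

def server_disclosure(headers):
    """'none' if no Server header, 'product' for a bare product name
    (what ServerTokens Prod yields), 'version' if a version number leaks."""
    banner = headers.get("server")
    if not banner:
        return "none"
    return "version" if any(ch.isdigit() for ch in banner) else "product"

def check(host, path="/", port=80, timeout=5):
    """Live check against your own server: returns (code, reason, disclosure)."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_request(path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    code, reason, headers = parse_response(b"".join(chunks))
    return code, reason, server_disclosure(headers)

# Constructed from the two replies shown on the slides.
APACHE_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Wed, 09 Feb 2005 10:04:27 GMT\r\n"
                b"Server: Apache/1.3.27 (Unix)\r\nContent-Length: 10572\r\n"
                b"Content-Type: text/html\r\n\r\n<html>...</html>")
IIS_REPLY = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
             b"Content-Length: 4040\r\nContent-Type: text/html\r\n\r\n")
```

Both sample replies classify as "version": the banner names the product and its exact release, which is what the hardening steps later in the talk remove.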

Page 11: Securing the Apache web server

Apache History

• Until 1995 the most popular web server on the Internet was the NCSA HTTPd

• Apache 0.6.2 was released in April 1995
• Apache 1.0 was released in December 1995 and it became the most used.
• Apache 2.0 was released in April 2002
• Apache 2.0 is a complete code base rewrite

Page 12: Securing the Apache web server

Apache Versions

• Apache 1.3.33 is Current
– No more releases for 1.2 and below
– Supports: Unix, Linux, Windows, Netware, OS/2 and many more
• Apache 2.0.53
– Supports: Unix, Linux, Windows, Netware

• Download: http://httpd.apache.org/

Page 13: Securing the Apache web server

Apache 1.3 - 2.0 Differences

Core Enhancements:

• Unix Threading
• New Build System
• Multi Protocol Support
• Non-Unix support
• Apache API
• IPv6 Support
• Filtering
• Multilanguage Errors
• Simplified Configuration
• Windows Unicode Support
• Regular Expression Library

Module Enhancements:

• Mod_ssl
• Mod_dav
• Mod_deflate
• Mod_auth_ldap
• Mod_auth_digest
• Mod_charset_lite
• Mod_file_cache
• Mod_headers
• Mod_proxy
• Mod_negotiation
• Mod_autoindex
• Mod_include
• Mod_auth_dbm

Page 14: Securing the Apache web server

Apache 1.3 - 2.0 Differences…

Apache 1.3.33

• Actively maintained and ‘leisurely’ developed to maintain stability
• Releases made to address security issues, bug fixes or improvements.
• New features are likely not to be added to 1.3 in preference to 2.0
• Most important decision is module based

Page 15: Securing the Apache web server

System Attacks…

Common Fingerprints:

• Directory Traversal
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd

• Unicode Requests
http://host/cgi-bin/lame.cgi?page=ls%20/a
http://host/cgi-bin/lame.cgi?page=../etc/motd%00html

• Redirection Requests
http://host/cgi-bin/lame.cgi?page=echo”733t”>../msg.html
http://host/something.php=<b>Hi%20I'm%20Bold!</b>

Page 16: Securing the Apache web server

System Attacks…

Common Fingerprints:

• Server Side Includes
http://host1/something.php=<!%20--#include%20virtual="http://host2/fake-article.html"-->
http://host/something.php=<!%20--#include%20virtual=".htpasswd"-->

• <? Requests
http://host/something.php=<? passthru("id");?>

• ` Requests
http://host/something.cgi=`id`

Page 17: Securing the Apache web server

System Attacks…

Common Fingerprints:

• Overflows
http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Page 18: Securing the Apache web server

Securing Apache

• Secure the Operating System
• Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet
• Access to and from the Internet controlled by a firewall
• Apache web server must be the only service running on the machine
• Only necessary Apache modules to be loaded
• Diagnostic web pages and automatic directory listings turned off

Page 19: Securing the Apache web server

Securing Apache…

• Minimise the amount of security disclosure
• Run the Apache process under a unique UID/GID
• Limit the Apache process by chrooting/sandboxing
• Ensure no shell programs are in the chroot environment

Page 20: Securing the Apache web server

Securing Apache…

Notes based on Apache 1.3.33 under Fedora Core 3:

• Apache that ships with Fedora is: Apache/2.0.52 (Fedora)

• Apache 1.3.33 downloaded from: http://httpd.apache.org/download.cgi

• I have used Apache 1.3.33 due to the nature of the web content provided.

Page 21: Securing the Apache web server

Securing Apache…

Build Apache with only the modules required:

• http_core
• Mod_access
• Mod_auth
• Mod_dir
• Mod_log_config
• Mod_mime

Do not install: mod_autoindex and mod_info. Compiled statically, which also removes the need for mod_so.

Page 22: Securing the Apache web server

Securing Apache…

• Create a chroot’d directory structure
– Usually /chroot/http/<blah>
– Create /dev/null and other devices
– Copy binaries required into the structure
– Copy config files into the structure
– Start Apache and test if it works in the environment
– Check the logs for problems

Page 23: Securing the Apache web server

Securing Apache…

• Trim the httpd.conf file to leave only the basics
– Reduce the number of modules
– Stop producing server signature
– Apache processes running under regular user/group permissions
– Only directories/files explicitly in the config file can be accessed from the web server
– Limit access using Access control
– Limit MIME types supported
– Apache needs to log more details about the requests

Page 24: Securing the Apache web server

Securing Apache…

• Logging:

LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /usr/local/apache/logs/error_log
CustomLog /usr/local/apache/logs/access_log combined

Page 25: Securing the Apache web server

Mod_security

• Similar to the URL Scan concept in IIS
• Intercepts HTTP requests
– Filter on keywords ‘/etc/passwd/’
– Directory traversal
– XSS Attacks
– SQL Injection
– Require HTTP_User_Agent and HTTP_Host
– Formmail Spamming

Page 26: Securing the Apache web server

Mod_security…

• Support for Apache 1.3 and 2.0
• Support to statically compile module
• Can convert snort rules to mod_security
• Full installation documentation

• Download from: http://www.modsecurity.org/

Page 27: Securing the Apache web server

In Summary

• Between 2003-2005, IIS has had no direct vulnerability. (Three concerning extensions)

• Apache 2.0 has had 22, 1.3 has had 12
• Have Microsoft got things right?
• …or have they removed more things from the default install?

• The security of the server is only as good as the configuration by the administrator.

Page 28: Securing the Apache web server

In Summary…

• Securely configure the host OS
• Audit your security settings
• Remove un-necessary modules
• Chroot Apache
• Investigate mod_security
• Request a Penetration Test from CC
• Check the logs
• Subscribe to the security lists
• Patch and Patch and Patch some more!

Page 29: Securing the Apache web server

Further Advice and Guidance

• http://www.lboro.ac.uk/computing/security/
• http://httpd.apache.org/
• Apache Security, Ivan Ristic, O’Reilly

• Mailing lists:
– [email protected]
– [email protected]
– [email protected]

Page 30: Securing the Apache web server

Further Advice and Guidance

• Introduction to I.T. Security
• Securing Microsoft Windows 2000 Server
• Securing Microsoft Windows 2003 Server
• Securing Microsoft Internet Information Server (I.I.S.) 5 and 6
• Securing Fedora Linux
• Securing RedHat Enterprise Server
• Securing The Apache Web Server

Page 31: Securing the Apache web server

Questions and Answers

http://escarpment.net/