Securing The Apache Web Server. Agenda. Background. Matthew Cook

Transcription

1 Securing The Apache Web Server Matthew Cook Agenda Background Web Servers Connections Apache History System Attacks Securing Apache Useful Tools In Summary Further Advice and Guidance Background The Security Service is running a number of similar courses in conjunction with Professional Development. Details are available at: By increasing the security of networked machines on campus, we hope to reduce the number of compromised machines and IT Support Staff workload. 1

2 Web Servers The first operational web servers were developed in Graphical browsers helped development. Scaling to around 50 around the world in Netcraft reports 59,100,880 sites in February Web Server Platform: Web Servers Apache (68.83%) IIS (20.85%) Sun (3.11%) Zeus (1.05%) Connections Usually via a graphical browser Port : 80 Standard Web Traffic 443 SSL Web Traffic 81, 8080, Many other ports, ! 2

3 Connections Can connect via telnet: telnet <web server> <port> GET <document name> <HTTP-version> Check the response text: HTTP/1.0 Nnn Response text Nnn is the three digit code and the Response text the human readable version. Connections Response Codes: 200 Document Follows 301 Moved Permanently 302 Moved Temporarily 403 Forbidden 404 Not Found 400 Server Error Connections telnet 80 GET /index.html HTTP/1.0 <Return Twice> HTTP/ OK Date: Wed, 09 Feb :04:27 GMT Server: Apache/ (Unix) Last-Modified: Tue, 18 Jan :23:38 GMT ETag: "1440c8-294c-41ed29fa" Accept-Ranges: bytes Content-Length: Connection: close Content-Type: text/html 3

4 An other example: Connections HTTP/ Object Not Found Server: Microsoft-IIS/5.0 Date: Wed, 09 Feb :06:33 GMT Content-Length: 4040 Content-Type: text/html Apache History Until 1995 the most popular web server on the Internet was the NCSA HTTPd Apache was released in April 1995 Apache 1.0 was released in December 1995 and it became the most used. Apache 2.0 was released in April 2002 Apache 2.0 is a complete code base rewrite Apache Versions Apache is Current No more releases for 1.2 and below Supports; Unix, Linux, Windows, Netware, OS/2 and many more Apache Supports; Unix, Linux, Windows, Netware Download: 4

5 Apache Differences Core Enhancements: Unix Threading New Build System Multi Protocol Support Non-Unix support Apache API IPv6 Support Filtering Multilanguage Errors Simplified Configuration Windows Unicode Support Regular Expression Library Module Enhancements: Mod_ssl Mod_dav Mod_deflate Mod_auth_ldap Mod_auth_digest Mod_charset_lite Mod_file_cache Mod_headers Mod_proxy Mod_negotiation Mod_autoindex Mod_include Mod_auth_dbm Apache Differences Apache Actively maintained and leisurely developed to maintain stability Releases made to address security issues, bug fixes or improvements. New features are likely not to be added to 1.3 in preference to 2.0 Most important decision is module based System Attacks Common Fingerprints: Directory Traversal Unicode Requests Redirection Requests 733t >../msg.html 5

6 System Attacks Common Fingerprints: Server Side Includes <? Requests passthru("id");?> ` Requests System Attacks Common Fingerprints: Overflows AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAA Securing Apache Secure the Operating System Offer no network services except HTTP (80/tcp) and HTTPS (443/tcp) to the Internet Access to and from the Internet controlled by a firewall Apache web server must be the only service running on the machine Only necessary Apache modules to be loaded Diagnostic web pages and automatic directory listings turned off 6

7 Securing Apache Minimise the amount of security disclosure Run the Apache process under a unique UID/GID Limit the Apache process by chrooting/sandboxing Ensure not shell programs are in the chroot environment Securing Apache Notes based on Apache under Fedora Core 3: Apache that ships with Fedora is: Apache/ (Fedora) Apache downloaded from: I have used Apache due to the nature of the web content provided. Securing Apache Build Apache with only the modules required: http_core Mod_access Mod_auth Mod_dir Mod_log_config Mod_mime Do not install: mod_autoindex and mod_info Compiled statically, which also removes the need for mod_so 7

8 Securing Apache Create a chroot d directory structure Usually /chroot/http/<blah> Create /dev/null and other devices Copy binaries required into the structure Copy config files into the structure Start Apache and test if it works in the environment Check the logs for problems Securing Apache Trim the httpd.conf file to leave only the basics Reduce the number of modules Stop producing server signature Apache processes running under regular user/group permissions Only directories/files explicitly in the config file can be accessed from the web server Limit access using Access control Limit MIME types supported Apache needs to log more details about the requests Securing Apache Logging: LogLevel warn LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent ErrorLog /usr/local/apache/logs/error_log CustomLog /usr/local/apache/logs/access_log combined 8

9 Mod_security Similar to the URL Scan concept in IIS Intercepts HTTP requests Filter on keywords /etc/passwd/ Directory traversal XSS Attacks SQL Injection Require HTTP_User_Agent and HTTP_Host Formmail Spamming Mod_security Support for Apache 1.3 and 2.0 Support to statically compile module Can convert snort rules to mod_security Full installation documentation Download from: In Summary Between , IIS has had no direct vulnerability. (Three concerning extensions) Apache 2.0 has had 22, 1.3 has had 12 Have Microsoft got things right? or have they removed more things from the default install? The security of the server is only as good as the configuration by the administrator. 9

10 In Summary Securely configure the host OS Audit your security settings Remove un-necessary modules Chroot Apache Investigate mod_security Request a Penetration Test from CC Check the logs Subscribe to the security lists Patch and Patch and Patch some more! Further Advice and Guidance Apache Security, Ivan Ristic, O Reilly Mailing lists: it-security@lists.lboro.ac.uk unix-security@lists.lboro.ac.uk windows-security@lists.lboro.ac.uk Further Advice and Guidance Introduction to I.T. Security Securing Microsoft Windows 2000 Server Securing Microsoft Windows 2003 Server Securing Microsoft Internet Information Server (I.I.S.) 5 and 6 Securing Fedora Linux Securing RedHat Enterprise Server Securing The Apache Web Server 10

11 Questions and Answers 11