apache security
play

Apache Security - I m proving the security of your w eb server by - PowerPoint PPT Presentation

Mar 07, 2024 •276 likes •697 views

Risk Advisory Services Apache Security - I m proving the security of your w eb server by breaking into it Sebastian Wolfgarten, 21C3, December 2004 sebastian.wolfgarten@de.ey.com 1 Berlin, Germany - 29.12.2004 Agenda Preface

  1. Risk Advisory Services Apache Security - I m proving the security of your w eb server by breaking into it Sebastian Wolfgarten, 21C3, December 2004 sebastian.wolfgarten@de.ey.com 1 Berlin, Germany - 29.12.2004

  2. Agenda • Preface • Introduction to Apache • History of vulnerabilities • Basic principles of Apache security • Configuration analysis • Advanced Apache security • Demonstration • Summary • References 2 Risk Advisory Services Berlin, Germany - 29.12.2004

  3. Preface $ whoami • Student of business & computer science at the University of Cooperative Education in Stuttgart/Germany • Working with Ernst & Young’s Risk Advisory Services (RAS) group for more than 2 years • Specialized in network security, pen-testing and IT forensics • Author of more than a dozen articles for various German IT magazines as well as three books (e.g. “Apache Webserver 2”) for the Addison & Wesley publishing house • Reviewer for Addison & Wesley and O’Reilly US 3 Risk Advisory Services Berlin, Germany - 29.12.2004

  4. Introduction to Apache There are many cowboys, but there is only one Apache • Originally based on the NCSA httpd 1.3 written by Rob McCool (University of Illinois) and for the first time published in April 1995 • Powerful, modular, flexible, highly configurable, extensible and freely available Open Source web server • Apache currently runs on approx. 68% of all web servers worldwide making it the #1 choice ever since 1996 4 Risk Advisory Services Berlin, Germany - 29.12.2004

  5. Introduction to Apache (cont.) There are many cowboys, but there is only one Apache • Currently three different version branches (1.3.x, 2.0 and 2.1) available whereas only 2.0 and 2.1 are being actively developed • 1.3.x is proven most stable but is feature-wise frozen (only bug-fixing) • 2.x introduces a bunch of cutting-edge features including various runtime-models (MPMs), multi protocol support, APR, IPv6, in- and output filtering etc. 5 Risk Advisory Services Berlin, Germany - 29.12.2004

  6. History of vulnerabilities Buffer overflows and various other vulnerabilities • In the past Apache (and its modules) suffered from various locally and remotely exploitable vulnerabilities including (digest): – mod_include Local Buffer Overflow Vulnerability (published: 20.10.2004, CVE: CAN-2004-0940) – mod_ssl SSLCipherSuite Restriction Bypass Vulnerability (published: 11.10.2004, CVE: CAN-2004-0885) – mod_proxy Remote Negative Content-Length Buffer Overflow Vulnerability (published: 10.06.2004, CVE: CAN-2004-0492) – Satisfy Directive Access Control Bypass Vulnerability (published: 23.09.2004, CVE: CAN-2004-0811) – mod_userdir Module Information Disclosure Vulnerability (published: 04.12.2003, CVE: n/a) • However as a consequence of its design there hasn’t been a single r00t vulnerability in Apache. 6 Risk Advisory Services Berlin, Germany - 29.12.2004

  7. Basic principles of Apache security Non-Apache related system security (digest) • Host and system security is an important part of any (Apache) installation. • Therefore minimize a server's exposure to current and future threats by fully configuring the operating system and removing unnecessary applications. • Verify the authenticity and integrity of all software products used. • Ensure to install the latest patches and versions available. 7 Risk Advisory Services Berlin, Germany - 29.12.2004

  8. Basic principles of Apache security Non-Apache related system security (cont.) • Disable or restrict unnecessary system services • Use strong encryption • Use strong passwords and strong password policies • Remove default accounts, change default passwords • Apply OS hardening procedures • Use firewalls/IDSs • …. 8 Risk Advisory Services Berlin, Germany - 29.12.2004

  9. Basic principles of Apache security Security-related Apache configuration directives • Apache provides quite a number of security- related configuration directives enabling the administrator to tighten the security, e.g.: – User / Group: Defines the user and group Apache should run as – AllowOverride: Types of directives allowed in external configuration files (aka .htaccess files) – LimitRequestBody: Restricts the total size of the HTTP request body sent from a client – LimitRequestFields: Limits the number of HTTP request header fields that will be accepted from the client 9 Risk Advisory Services Berlin, Germany - 29.12.2004

  10. Basic principles of Apache security Security-related Apache configuration directives (cont.) • Furthermore: – LimitRequestFieldSize: Limits the size of the HTTP request header allowed from the client – LimitRequestLine: Limits the overall size of the HTTP request line that will be accepted – Listen: Defines the IP addresses and ports the server listens on – Options: Configures what features are available in a particular directory – Order: Controls the default access state and the order in which Allow and Deny are evaluated 10 Risk Advisory Services Berlin, Germany - 29.12.2004

  11. Basic principles of Apache security Security-related Apache configuration directives (cont.) • Finally there is: – Proxy: Container for directives applied to proxied resources – ServerTokens: Configures the Server HTTP response header – ServerSignature: Defines the content of the footer available on server-generated documents – SSLEngine: This directive toggles the usage of the SSL/TLS protocol engine – UserDir: Indicates the location of user-specific directories – AuthDigestFile: Use HTTP Digest Authentication 11 Risk Advisory Services Berlin, Germany - 29.12.2004

  12. Basic principles of Apache security The do’s and don’ts of httpd.conf • User & Group directive: – Unix/Linux: Create a separate user and group to run the Apache, disable the login for that user and assign a non-existing home directory (e.g. useradd -g wwwgroup -d /dev/null -s /bin/false wwwuser) – Windows 2003 Server: Things on Microsoft Windows are a bit more complicated as the User and Group directive does not exist: • Install Apache as a service into a separate directory (e.g. C:\Apache2) and add a new group as well user to the system. • Assign a strong password, do not give the user the permission to change his password. • Add that user to the newly created group and remove it from all other groups (e.g. Users). • Ensure the user is not able to login remotely using Terminal Services, do not connect client drives or printers, do not grant the user access to the main (default) printer and deny any remote access. • Most importantly start the Apache service as that user instead of the Local System account. 12 Risk Advisory Services Berlin, Germany - 29.12.2004

  13. Basic principles of Apache security The do’s and don’ts of httpd.conf (cont.) • File & directory permissions: – Unix/Linux: Install Apache as root, chmod 600 to all config files and 500 to the httpd binary (optional) – Windows 2003 Server: Only grant all permissions (Full Control, Modify, Read & Execute, List Folder Contents, Read, Write) on the installation folder of the Apache to the Administrator as well as the new user id running the Apache and remove all users and permissions (including inherited permissions) from that folder. • Logging: – Log and analyze everything (maybe even use mod_log_forensic) and ensure the logs have not been tampered with 13 Risk Advisory Services Berlin, Germany - 29.12.2004

  14. Basic principles of Apache security The do’s and don’ts of httpd.conf (cont.) • HTTP fingerprinting: – Use the ServerTokens and ServerSignature directive to prevent people from fingerprinting your HTTP server: • ServerSignature Off • ServerTokens Prod • Ultimately send a customized Server:-header (Apache 2 only!) or modify the source code directly • Symbolic links: – Disable symbolic links – If necessary re-enable them for certain directories and use SymLinksIfOwnerMatch to make the server only follow symbolic links for which the target file or directory is owned by the same user id as the link 14 Risk Advisory Services Berlin, Germany - 29.12.2004

  15. Basic principles of Apache security The do’s and don’ts of httpd.conf (cont.) • Indexing: – Disable indexing to prevent content from being accidentally exposed to the public and eventually found by Google (e.g. “Index of /backup“): • Options None or Options -Indexes – If necessary, re-enable it only for certain directories you are aware of • SSI: – Best practice: Disable server-side includes completely – If necessary, use suexec, enable SSI and disable certain commands (e.g. #exec cmd and #exec cgi): • Options –IncludesNOEXEC • XBitHack off – Note: Users will still be able to #include virtual CGI scripts from ScriptAliased directories. 15 Risk Advisory Services Berlin, Germany - 29.12.2004

  16. Basic principles of Apache security The do’s and don’ts of httpd.conf (cont.) • .htpasswd and .htaccess files: – Disable access to those files completely as they possibly contain sensitive information: <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> – This is a default configuration but some people seem to disable this functionality?! • AllowOverride: – Beware of the power of those directives that can be used in .htaccess files! • Use AllowOverride AuthConfig or AllowOverride None 16 Risk Advisory Services Berlin, Germany - 29.12.2004

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 11/19/14 2 Solution Building blocks Apache CXF Fediz Apache CXF Fediz Single Sign On (WS-Federation) Attribute Based Access

515 views • 29 slides
Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security

Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security

Christopher Lynch - CSCI 5448 Graduate Presentation Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security Framework with a goal to be more powerful and easier to use than the standard Java APIs. If you

348 views • 34 slides
Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3

Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3

Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3 www.awe.com/mark/apcon2003 Apache Apache web server Powers over half of the Internet web server infrastructure Mature project, over 7

890 views • 53 slides
CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Apache Basic Authentication Log Analysis Security Issues Discussions

803 views • 51 slides
Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1

Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1

Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1 www.awe.com/mark/apcon2002 Quick Introduction Who am I? Why do you care? What is Security Response Why do we need it? Red Hat, Apache,

551 views • 51 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
Painless Applica,on Security Les Hazlewood Apache Shiro Project

Painless Applica,on Security Les Hazlewood Apache Shiro Project

Painless Applica,on Security Les Hazlewood Apache Shiro Project Chair CTO, Kataso5 Inc / CloudDirectory What is Apache Shiro? Applica&gt;on security

628 views • 43 slides
Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Karlsruher Entwicklertag 2014 Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF Security Requirements Apply security features to CXF Services

930 views • 49 slides
Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a

Apache Airavata Security Manager Authentication &amp; Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware Foundation Apache Felix and Apache

725 views • 26 slides
Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC &amp; Apache Software Foundation

Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC &amp; Apache Software Foundation

Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC &amp; Apache Software Foundation Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213 Bremen,

859 views • 51 slides
Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker

Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker

Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker Introduction Introducing Apache Syncope Apache Syncope basics Apache Syncope is an Open Source system for managing digital identities in enterprise

929 views • 33 slides
How Apache works JB Onofr &lt;jbonofre@apache.org&gt; Who am I JB Onofr

How Apache works JB Onofr &lt;jbonofre@apache.org&gt; Who am I JB Onofr

How Apache works JB Onofr &lt;jbonofre@apache.org&gt; Who am I JB Onofr &lt;jbonofre@apache.org&gt; @jbonofre | http://blog.nanthrax.net Fellow /Software Architect at Talend Member of the Apache Software Foundation (started in 2004)

821 views • 45 slides
Apache Calcite for Enabling SQL Access to NoSQL Data Systems such as Apache Geode Christian

Apache Calcite for Enabling SQL Access to NoSQL Data Systems such as Apache Geode Christian

Apache Calcite for Enabling SQL Access to NoSQL Data Systems such as Apache Geode Christian Tzolov Whoami Christian Tzolov Engineer at Pivotal, Big-Data, Hadoop, Spring Cloud Dataflow, Apache Geode, Apache HAWQ, Apache Committer, Apache

796 views • 41 slides
Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler Apache Software Foundation | SD DataSolutions GmbH | PANGAEA My Background Committer and PMC member of Apache Lucene and Solr - main focus is on

1.09k views • 83 slides
EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET

EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET

EGI-InSPIRE Building an OpenNebula Cloud Compliant with EGI FedCloud Boris Park, CESNET 2014-05-23, EGI Community Forum 2014, Helsinki 1 EGI-InSPIRE RI-261323 www.egi.eu Agenda OpenNebula in the EGI Federated Cloud Introduction

356 views • 17 slides
LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation

LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation

LAMP CC ICT-SUD Setting up and integrate Apache, MySQL and PHP on a Linux system Installation Simple Alternative (for development/testing only): Xampp I will assume MySQL is already installed and configured (see related presentation)

619 views • 30 slides
Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP

Mass Virtual Hosting with Apache 2.0 Paul Querna chip@OutOfOrder.cc Virtual Hosts IP Address Required for HTTPS The 'Host' Header Mass Virtual Hosting? HTTPD's Default configuration doesn't deal well with thousands of

967 views • 20 slides
Highway to heaven Building microservices in the cloud Frankfurter Entwicklertag 2016 Agenda

Highway to heaven Building microservices in the cloud Frankfurter Entwicklertag 2016 Agenda

Highway to heaven Building microservices in the cloud Frankfurter Entwicklertag 2016 Agenda Meet AutoScout24 Shifting gears How we build our services How we organize ourselves @cdeger &amp; @wolfwolf AutoScout24 - 30.000ft C C C

857 views • 36 slides
Next-Gen Mirai Balthasar Martin &lt;balthasar@srlabs.de&gt; Fabian Brunlein

Next-Gen Mirai Balthasar Martin &lt;balthasar@srlabs.de&gt; Fabian Brunlein

Next-Gen Mirai Balthasar Martin &lt;balthasar@srlabs.de&gt; Fabian Brunlein &lt;fabian@srlabs.de&gt; SRLabs Template v12 Mirai and IoT Reaper botnets exploited open Telnet and other known vulnerabilities Mirai botnet Reaper botnet Known

306 views • 26 slides
kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus

kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus

kdbus in Tizen 3.0 Hyungjun Choi Karol Lewandowski Samsung Electronics Agenda Agenda D-Bus vs kdbus Motivation and project goals First attempts kdbus in Tizen 3.0 Challenges 3 D-Bus vs kdbus D-Bus Message bus system

370 views • 33 slides
PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency

PulseAudio on Mac OS X Daniel Mack for LAC 2011, Maynooth Why? Network transparency Application mixing Free your Audio Interoperability with arbitrary protocols More testing of the PulseAudio code Yet another

604 views • 23 slides
Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt;

Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt;

Kali Linux's Experience By Raphal Hertzog &lt;hertzog@debian.org&gt; &lt;buxy@kali.org&gt; DebConf 16 2016-07-05 Cape Town Plan Presentation of Kali Linux My role in Kali Linux Hardware and software infrastructure Structure

761 views • 26 slides

More recommend