Hardening in Apache Web Server
DESCRIPTION
This presentation is part of the Utah Networxs course Hardening Web Servers. The goal is to show some options for configuring Apache web server security and protecting it against possible attacks. The package debian_hardening-0.1_beta.deb is available at http://www.utah.com.br/deb/debian_hardening-0.1_beta.deb and the source code, to modify or to generate a new Debian package, is available at http://www.utah.com.br/src/debian_hardening-0.1_beta.tar.gz Thanks... Utah Networxs, Walking to Giants
TRANSCRIPT
![Page 1: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/1.jpg)
“Mapping threats, Mitigating risk and
Implementing Corrective activities in Web Servers”
![Page 2: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/2.jpg)
WHO ARE WE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH BEST LINUX IN BRAZIL
MORE THAN 50.000 STUDENTS TRAINED
MORE THAN 5.000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
![Page 3: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/3.jpg)
SOCIAL MEDIA
Follow! @fabioandpires
Follow! @utah_networxs
Enjoy! Utah Networxs
![Page 4: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/4.jpg)
Speaker: Fabio Pires
Mini Curriculum:
Graduated in Computer Science
Graduated in Bachelor of Computing
Post Graduate in Project Analysis and Systems - FATEC
Post Graduate in S.O. Linux - UFLA
LPIC
Teacher of Undergraduate and Graduate
Twitter in Spare Time
Contact: [email protected]
![Page 5: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/5.jpg)
TARGET
“PRESENT ONE AMONG SEVERAL SOLUTIONS FOR BUILDING A HARDENED WEB SERVER THROUGH THE USE OF FREE TOOLS TO MINIMIZE THE IMPACT OF ATTACKS.”
![Page 6: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/6.jpg)
VULNERABILITY STACK
![Page 7: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/7.jpg)
WEBSERVER MARKET SHARES
![Page 8: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/8.jpg)
OPEN SOURCE WEB SERVER ARCHITECTURE
![Page 9: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/9.jpg)
VULNERABILITY WEB APPLICATIONS
![Page 10: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/10.jpg)
WHY ARE WEB SERVERS COMPROMISED?
![Page 11: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/11.jpg)
TOOLS
HTTPRINT – WEB SERVER BANNER
NIKTO – VULNERABILITIES
NESSUS – VULNERABILITIES
W3AF – AUDIT AND EXPLOITATION
NMAP – PORT SCAN
![Page 12: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/12.jpg)
MITIGATING RISKS
DoS Attack
DDoS Attack
Brute Force (ssh, telnet)
Port Scanning Attack
Ping Flooding Attack
Elevation of Privilege
Man in the Middle Attack
Directory Traversal
Password Cracking (Spoofing, Phishing, Trojan Horse)
![Page 13: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/13.jpg)
DEPLOYING CORRECTION
What is Hardening?
It is a process of mapping threats, mitigating risks and implementing corrective activities, focused on the infrastructure, with the primary goal of making it ready to face attack attempts.
![Page 14: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/14.jpg)
PRACTICE IN APACHE WEB SERVER
Where do you get your packages?
- Package repository
- MD5SUM verified
- Security updates
- Pre-compiled package or source package
![Page 15: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/15.jpg)
PRACTICE IN APACHE WEB SERVER
#CHROOT JAIL
![Page 16: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/16.jpg)
CHROOT ARCHITECTURE APACHE
/
/tmp
/boot
/chroot
/chroot/dev
/chroot/etc
/chroot/lib
/chroot/usr
/chroot/var
/bin
/dev
/etc
/home
/lib
/mnt
/opt
/proc
/root
/sbin
/usr
/var
![Page 17: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/17.jpg)
DISABLE UNUSED MODULES
suexec userdir cgi / cgid autoindex
![Page 18: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/18.jpg)
RESTRICT RESOURCES
Number of processes:
With RES=7000k, SHR=2500k and 400M available for Apache, the result is:
400/(7-2.5) = 89.
RES=Resident
![Page 19: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/19.jpg)
MITIGATE MEMORY LEAKS
MaxRequestsPerChild 10000
![Page 20: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/20.jpg)
RESTRICT INCOMMING CONNECTIONS
# iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
![Page 21: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/21.jpg)
FILE PERMISSIONS
# find /srv/www -user utahuser
# find /srv/www ! -type l \( -perm /o=w -o -perm /g=w -group utahgroup \)
![Page 22: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/22.jpg)
SEARCH FILES AND SSL
* Search for hidden files
# find /var/www -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
* SSL key files
* Make sure your SSL keys are only readable by the root user.
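One way to check the SSL key rule above, as an added example that is not part of the original slides. The function name `check_key_perms` is hypothetical, and it assumes GNU find and stat, like the `-perm /MODE` commands on the previous slide.

```shell
#!/bin/sh
# Added example, not from the slides; check_key_perms is a hypothetical name.
# Needs GNU find and GNU stat.

# check_key_perms DIR [OWNER]
# Reports every file under DIR that contains a PEM private key header and is
# either not owned by OWNER (default: root) or grants any permission bit to
# group or others. Keys are detected by content, not by file name, so a key
# saved as "backup.txt" is still found. Returns 1 if anything was reported.
check_key_perms() {
    owner=${2:-root}
    # grep -l exits non-zero when a batch has no match; that is not an error.
    bad=$(find "$1" -type f \( ! -user "$owner" -o -perm /077 \) \
              -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} +) || true
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r f; do
        echo "FAIL $f: owner=$(stat -c %U "$f") mode=$(stat -c %a "$f")," \
             "want owner=$owner and no group/other access"
    done
    return 1
}
```
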
![Page 23: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/23.jpg)
OTHER APACHE CONFIG
* Beware of certain RewriteRules
# INSECURE configuration, don't use!
RewriteRule ^/old/directory/(.*)$ /$1
# SECURE - use this
RewriteRule ^/old/directory/(.*)$ /$1 [PT]
* Don't use Limit/LimitExcept (conf.d/security)
TraceEnable off
![Page 24: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/24.jpg)
OTHER APACHE CONFIG
* ServerSignature Off
* ServerTokens Prod
* Remove PHP scripts (test.php, info.php, i.php, php.info)
* Disable directory indexing
* Disable WebDAV
* Enable PHP basedir
* Install a Web Firewall (mod_security)
* Suhosin PHP
![Page 25: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/25.jpg)
SUHOSIN PHP - BASIC
suhosin.executor.include.max_traversal=4 (../../../../)
suhosin.executor.disable_emodifier=Off (exec function)
suhosin.mail.protect=2 (protects against spammer attacks)
suhosin.memory_limit=256M
suhosin.filter.action=402 (return code when an error is detected)
suhosin.upload.max_uploads=100
![Page 26: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/26.jpg)
SUHOSIN PHP - BASIC
suhosin.request.max_array_depth=4096
suhosin.request.max_array_index_length=2048
suhosin.request.max_name_length=2048
suhosin.request.max_value_length=650000
suhosin.request.max_vars=4096
suhosin.post.max_array_depth=8048
suhosin.post.max_array_index_length=1024
suhosin.post.max_name_length=2048
suhosin.post.max_totalname_length=8048
suhosin.post.max_vars=4096
![Page 27: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/27.jpg)
OTHER APACHE CONFIG
* ErrorDocument 404 errors/404.html
* ErrorDocument 500 errors/500.html
* ServerAdmin (Use Alias Mail)
* UserDir disabled root
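The directives, the module list and the RewriteRule advice from the configuration slides above can be checked mechanically. The script below is an added example, not part of the original presentation or of the debian_hardening package; `audit_apache_conf`, `sample_conf` and the sample configuration are constructed for illustration, and it reads one flat config file without following Include directives.

```shell
#!/bin/sh
# Added example, not from the slides; function names are hypothetical.
WANTED='ServerSignature Off
ServerTokens Prod
TraceEnable Off
MaxRequestsPerChild 10000'
UNWANTED_MODULES='suexec userdir cgi cgid autoindex'
# sample_conf: constructed config that breaks several of those settings.
sample_conf() {
    cat <<'EOF'
# ServerTokens Prod
ServerTokens Full
ServerSignature Off
MaxRequestsPerChild 0
LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
RewriteRule ^/old/directory/(.*)$ /$1
RewriteRule ^/docs/(.*)$ /manual/$1 [PT]
Options Indexes FollowSymLinks
EOF
}

# audit_apache_conf FILE: print one FAIL line per finding; return 1 if any.
audit_apache_conf() {
    conf=$1
    findings=$(
        # Directives: the last uncommented occurrence is the one compared.
        printf '%s\n' "$WANTED" | while read -r name want; do
            got=$(awk -v n="$name" 'tolower($1) == tolower(n) { v = $2 } END { print v }' "$conf")
            [ "$(echo "$got" | tr A-Z a-z)" = "$(echo "$want" | tr A-Z a-z)" ] ||
                echo "FAIL $name: want $want, got ${got:-unset}"
        done
        # Modules the slides say to disable but that are still loaded.
        for m in $UNWANTED_MODULES; do
            grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module" "$conf" &&
                echo "FAIL module $m is loaded"
        done
        # Absolute-path substitution without the [PT] flag from the slide.
        awk 'tolower($1) == "rewriterule" && substr($3, 1, 1) == "/" && $4 !~ /PT/ {
                 print "FAIL line " NR ": RewriteRule without [PT]" }' "$conf"
        # Directory indexing switched on through Options.
        awk 'tolower($1) == "options" && / [+]?Indexes/ {
                 print "FAIL line " NR ": directory indexing enabled" }' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
# Demo on the constructed sample: prints six FAIL lines.
demo=$(mktemp); sample_conf > "$demo"; audit_apache_conf "$demo" || true; rm -f "$demo"
```

The expected values are compared exactly as the slides give them, so a site that deliberately uses a different MaxRequestsPerChild should edit `WANTED` first.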
![Page 28: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/28.jpg)
INSTALL PACKAGE
# dpkg -i hardening-apache_beta-01.deb
Albert Einstein
![Page 29: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/29.jpg)
PROBLEMS
* UNIQUE USER
* INSERT DIALOG
* PORTABLE OTHER DISTROS
![Page 30: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/30.jpg)
DOUBTS?
![Page 31: HARDENING IN APACHE WEB SERVER](https://reader035.vdocuments.mx/reader035/viewer/2022081717/55616929d8b42a5f4b8b52f1/html5/thumbnails/31.jpg)
SOURCES OF RESEARCH
APACHE FOUNDATION: www.apache.org
ECCOUNCIL: www.eccouncil.org
UTAH HARDENING COURSE: www.utah.com.br
IMAGES - ECCOUNCIL: www.eccouncil.org