SlideShare ist ein Scribd-Unternehmen logo

Durkee apache 2009_v7

Denys Zabiyako
Denys Zabiyako
Technologie
1 von 58
Securing Apache Web Servers with Mod Security & CIS Benchmark Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN Principal Security Consultant rd@rd1.net
2Sep 21, 2009 www.RD1.net About Ralph Durkee 25+ years of experience  Systems and Network Security  Software Development and Systems Administration Independent Consultant and Trainer since 1996 SANS GIAC Certified since 2000  GSEC, GCIH, GSNA, GPEN Lead Developer, Author and Maintainer for the Center for Internet Security: RedHat Linux, DNS BIND, Apache Community Instructor for SANS CISSP Certified CISSP Instructor Rochester OWASP President & ISSA VP
3Sep 21, 2009 www.RD1.net Agenda Need A Secure Foundation Minimizing the Attack Surface Limiting HTTP Request Methods Access Control Mod_Security – Web Application Fire Wall Logging and Monitoring
4Sep 21, 2009 www.RD1.net Center for Internet Security Benchmarks Center for Internet Security  Non-profit Organization  Develops Technical Security Standards  Uses Consensus of Industry Experts  www.CISecurity.org Benchmarks for:  Most Unix and Windows Operating Systems  Several Servers such as Apache and BIND  Oracle and MS SQL Server Databases  Others applications are in the works
5 Need A Secure Foundation Sep 21, 2009 www.RD1.net
6Sep 21, 2009 www.RD1.net Start with a Security Hardened OS Unix or Linux recommended for Internet Apply appropriate CIS OS Benchmark Don’t mix other high risk, or critical services Regularly Apply OS and Apache updates Secure Foundation – OS Security
7Sep 21, 2009 www.RD1.net Secure Foundation – DNS Cache Poisoning Attacks DNS Level attacks against your clients /customers Secure your Authoritative and Caching DNS Servers with CIS BIND Benchmark DNS Pharming Attacks  Uses DNS Cache poisoning to harvest victims  Bogus IP Addresses provided to Vulnerable DNS Cache  Typically requires guessing DNS Query-ID and port  Clients resolve domain name are directed to a spoofed hostile website instead of trusted website
8 Dan Kaminsky’s - DNS Attack Much more effective than traditional DNS cache poisoning. Uses:  Requests many random nonexistent host names  Send many negative responses with guessed QID  Response: Go to server NAME & IP has the answer.  Victim caches the IP address of “DNS” server  Game over the “DNS” server was the target Only Complete Prevention requires DNSSEC Securing the Caching DNS Server helps Sep 21, 2009 www.RD1.net
9Sep 21, 2009 www.RD1.net Apache User Account Don’t run Apache as root  Use dedicated locked Account  Account with Invalid Shell such as /dev/null  Locked, with no valid password Example Server Configuration User apache Group apache # grep apache /etc/passwd /etc/shadow apache:x:48:48:Apache:/var/www:/dev/null apache:!!:14428:0:99999:7:::
10Sep 21, 2009 www.RD1.net Set Minimal Permissions Ownership and Permissions Apache Configuration Files  Read-write by group Web Admin  Owned by Root  No access for Other  Apache reads these as root, before starting Document Root (and most sub-directories)  Read-write by group Web Development  Readable by Other  Owned by root
11Sep 21, 2009 www.RD1.net Set Minimal Permissions (2) More Ownership and Permissions CGI-BIN Directories  Read-write by group Web Admin  Readable & Executable by Other  Owned by root Apache bin files (apachectl and httpd)  Read & Execute by Wed Admin  Read & Execute by root
12Sep 21, 2009 www.RD1.net Subscribe to Security Advisories Web Admin and System Admin should subscribed to appropriate advisories Apache http://httpd.apache.org/lists.html CERT https://forms.us-cert.gov/maillists/ Sun https://subscriptions.sun.com Fedora Core https://www.redhat.com/mailman/listinfo /fedora-announce-list
13 Minimize the Attack Surface Sep 21, 2009 www.RD1.net
14Sep 21, 2009 www.RD1.net Disable Unnecessary Modules Modules you probably DON’T need  mod_dav - Distributed Authoring and Versioning (WebDAV) functionality  mod_dav_fs – File System for mod_dav  mod_status – Provide Web Server status info.  mod_proxy – HTTP Proxy  mod_autoindex - Directory listings  mod_cern_meta - CERN HTTPD Meta file semantics (old not used)
15Sep 21, 2009 www.RD1.net Use only Necessary Modules Modules you might need  mod_log_config – Provides flexible for Logging of Requests  mod_logio – Provides I/O bytes per request  mod_mime – Determines MIME type / Handler by file extension  mod_env – Controls environment passed to CGI  mod_expires - Generation of Expires and Cache-Control HTTP headers
16Sep 21, 2009 www.RD1.net Check Config Include Directories Check any config include directories  Red Hat Linux uses /etc/httpd/conf.d  All *.conf files are auto included  Remove the rpm, not just the file  Or comment out the file content Example: rpm –qf /etc/httpd/conf.d/manual.conf httpd-manual-2.2.xx-xx.x rpm -e httpd-manual
17Sep 21, 2009 www.RD1.net Remove Any Default Files Default HTML Files  Manual  Welcome page  Directory Index icons Sample CGI files (e.g. printenv) Apache source code files Apache user files (.bashrc etc)
18Sep 21, 2009 www.RD1.net Other Resources for Modules Modules list available On-line http://httpd.apache.org/docs/2.0/mod/ http://httpd.apache.org/docs/2.2/mod/ Also Review Module recommendations in CIS Benchmark Appendix Some Modules have their own website, (such as modsecurity.org) check your favorite search engine.
19Sep 21, 2009 www.RD1.net Options Directive Apache 2.2 docs Description: Configures what features are available in a particular directory Syntax: Options [+|-]option [[+|-]option] ... Default: Options All Context: server config, virtual host, directory, .htaccess Override: Options Module: core
20Sep 21, 2009 www.RD1.net Options Directive Example 1 - Top Level Root <Directory /> . . . Options None </Directory> Example 2 – cgi-bin Directory ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/ <Directory /usr/lib/mailman/cgi-bin/> . . . Options ExecCGI </Directory>
21Sep 21, 2009 www.RD1.net Options Directive Options  All – Everything except Multiviews  ExecCGI – Execution of CGI scripts  FollowSymLinks – Will follow symbolic links  SymLinksIfOwnerMatch –only if owner matches  Includes - Enables Server Side include  IncludesNOEXEC – SSI without #exec  AllowOverride – Allow usage of .htaccess files.  Multiviews - Content negotiation (e.g. Language)
22 Access Controls Sep 21, 2009 www.RD1.net
23 Auth and Authz Modules  mod_authz_host (was mod_access) - Access based on IP address or hostname.  mod_authz_user , mod_authz_groupfile Mod_auth - user authentication using text files Sep 21, 2009 www.RD1.net
24Sep 21, 2009 www.RD1.net Access Control Directives (1) Protecting Root (httpd.conf) <Directory /> Options None AllowOverride None deny from all </Directory> Allowing All Access <Directory "/var/www/html/"> Order allow,deny allow from all </Directory>
25Sep 21, 2009 www.RD1.net Access Control Directives (2) Allowing Limited Access Usage of IP Address or partial IP Address <Directory "/var/www/html/"> Order allow,deny deny from all allow from 10.10.2. </Directory> Domain and Host names also work
26Sep 21, 2009 www.RD1.net HTTP Basic Authentication Requires mod_auth enabled Send base64 encoded username and password sent with every request. Needs SSL to protect username/password No password guessing protection built-in Sample Configuration <Directory /var/www/html/members> AuthType Basic AuthName “Memebers Access" AuthUserFile /path/to/passwordfile Require valid-user </Directory>
27Sep 21, 2009 www.RD1.net HTTP Basic Authentication (2) Setup Apache Password file htpasswd -c /path/to/passwordfile jsmith New password: password Re-type new password: password Adding password for user jsmith Don’t place Password file in the DocRoot Apache needs Read-only access Don’t allow other read access.
28Sep 21, 2009 www.RD1.net HTTP Digest Authentication Requires mod_auth and mod_digest enabled Uses Challenge – Response Response is encrypted with the password Does not protect data, still needs SSL No password guessing protection built-in Sample Configuration <Directory /var/www/html/members> AuthType Digest AuthName “Members Access" AuthUserFile /path/to/passwordfile Require valid-user </Directory>
29 New ChrootDir Directive Description: Directory for apache to run chroot(8) after startup. Syntax: ChrootDir /path/to/directory Default: none Context: server config Module: event, prefork, worker Compatibility: Available in Apache 2.2.10 and later Example: ChrootDir /var/www/chroot Sep 21, 2009 www.RD1.net
30 New ChrootDir Directive (2) Apache Disclaimer: Note that running the server under chroot is not simple, and requires additional setup, particularly if you are running scripts such as CGI or PHP. Please make sure you are properly familiar with the operation of chroot before attempting to use this feature. Sep 21, 2009 www.RD1.net
31 New ChrootDir Directive (3) Makes chroot easier, but still work required. Some typical directories required: CHR=/var/www/chroot/ mkdir –p $CHR/var/www mv /var/www/* /var/www/chroot/var/www/ mkdir $CHR/var/run mkdir $CHR/tmp mkdir –p $CHR/ /var/lib/php/session Usually others? Your Mileage Will vary! Sep 21, 2009 www.RD1.net
32 Apache and SELinux an Alternative to chroot A different (easier?) approach to chroot Implements Mandatory Access Controls Use SELinux in targeted mode In /etc/selinux/config, set SELINUXTYPE=targeted To test, start with SELINUX=permissive Switch to SELINUX=enforcing Sep 21, 2009 www.RD1.net
33 Apache SELinux Polices httpd_selinux(8) man page defines contexts types:  httpd_sys_content_t - all content access  httpd_sys_script_exec_t – for scripts /etc/selinux/targeted/contexts/files/ file_contexts – labels directories with types  /var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0  /var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0 Sep 21, 2009 www.RD1.net
34 Checking SELinux Labels Use –Z option on ls to see SELinux labels ls -Z /var/www drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons drwxr-xr-x webalizer root system_u:object_r:httpd_sys_content_t usage Sep 21, 2009 www.RD1.net
35 Limiting HTTP Request Methods Sep 21, 2009 www.RD1.net
36 HTTP Request Methods? RFC 2616 defines HTTP/1.1 Methods  GET - Most used – retrieves content  HEAD – Doesn’t return body, used to check for existence and updates  POST – Typically used for FORM submissions  PUT – Push a resource up to the server  DELETE – Remove a resource  TRACE – For Debugging  CONNECT – for SSL Proxy connections Sep 21, 2009 www.RD1.net
37Sep 21, 2009 www.RD1.net Limiting HTTP Request Methods Limit Methods to HEAD, GET and POST <Directory "/var/www/html"> Order allow,deny Allow from all <LimitExcept GET POST> deny from all </LimitExcept> Options None AllowOverride None </Directory> TRACE is not limited by this! HEAD is included with GET
38Sep 21, 2009 www.RD1.net Deny HTTP Trace Mod_Rewrite Technique TRACE method part of RFC HTTP protocol Reflects the request back to the client Intended for Debug Used for XST (Cross-Site Tracing vulnerabilities) Use mod_rewrite to deny TRACE Method [F] Flag returns 403 Forbidden RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]
39Sep 21, 2009 www.RD1.net Deny HTTP Trace New TraceEnable Directive Description: Determines the behavior on TRACE requests Syntax: TraceEnable [on|off|extended] Default: TraceEnable on Context: server config Module: core Compatibility: Available in Apache 1.3.34, 2.0.55 and later Example: TraceEnable off
40 Mod Security – The Web Application Firewall Sep 21, 2009 www.RD1.net
41Sep 21, 2009 www.RD1.net Mod_Security Features Open Source Web Application Firewall Features:  Request filtering  Anti-evasion techniques - paths and parameters are normalized  Understands the HTTP protocol  Performs very specific and fine grain filtering.  POST payload analysis
42Sep 21, 2009 www.RD1.net Mod_Security Features (2) More Features:  Audit logging - Full details can be logged for later analysis  HTTPS – Analysis performed after decryption  Inspect and Filter Any Headers  Buffer Overflow Protection  Attack Detection and Prevention
43Sep 21, 2009 www.RD1.net Mod_security Configuration Easily Installed via package, or build from source. Configuration mod_security.conf Rename file if using include conf.d/ LoadModule security_module modules/mod_security.so <IfModule mod_security.c> # Turn the Filtering and Audit engine, On SecFilterEngine On SecAuditEngine RelevantOnly
44Sep 21, 2009 www.RD1.net Mod_security Configuration (2) More Basic Feature Configuration # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Unicode encoding check SecFilterCheckUnicodeEncoding On # Only allow bytes from this range SecFilterForceByteRange 1 255 # Cookie format checks. SecFilterCheckCookieFormat On # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Default action set SecFilterDefaultAction "deny,log,status:406"
45Sep 21, 2009 www.RD1.net Mod_security Filters (1) Basic Recommended Filters # Require HTTP_USER_AGENT and HTTP_HOST headers SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Only accept request encodings we how handle # we exclude GET requests because some (automated) # clients supply "text/html" as Content-Type SecFilterSelective REQUEST_METHOD "!^GET$" chain SecFilterSelective HTTP_Content-Type "!(^$| ^application/x-www-form-urlencoded$|^multipart/form- data)"
46Sep 21, 2009 www.RD1.net Mod_security Filters (2) More Basic Recommended Filters # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we don't handle SecFilterSelective HTTP_Transfer-Encoding "!^$"
47 Logging and Monitoring Sep 21, 2009 www.RD1.net
48Sep 21, 2009 www.RD1.net Logging Directives LogLevel  Controls Verbosity  Values are emerg, alert, crit, error, warn, notice, info and debug  Notice is recommended ErrorLog – File name for logging errors LogFormat – Defined format of log entries CustomLog logs/acces_log combined
49Sep 21, 2009 www.RD1.net Logging Directives (2) Sample Logging Configuration LogLevel notice ErrorLog logs/error_log LogFormat "%h %l %u %t "%r" %>s %b "%{Accept}i" "% {Referer}i" "%{User-Agent}i"" combined CustomLog logs/access_log combined Combined format is fairly standard and handled well by log analysis software Use Swatch or LogWatch for log monitoring.
50Sep 21, 2009 www.RD1.net Log Monitoring Sample LogWatch output with Web Attacks Requests with error response codes 404 Not Found //README: 2 Time(s) //chat/messagesL.php3: 1 Time(s) //graph_image.php: 1 Time(s) /PhpMyChat//chat/messagesL.php3: 1 Time(s) /horde-3.0.5//README: 2 Time(s) 406 Not Acceptable /: 2 Time(s) /robots.txt: 1 Time(s)
51 Log Monitoring (2) More Samples of Web Scans / Attacks Looking for open proxy & phone apps? 400 Bad Request http://www.wantsfly.com/prx.php?hash=457F6 ... 404 Not Found /apple-touch-icon.png: 1 Time(s) /iphone/: 2 Time(s) /mobi/: 2 Time(s) /mobile/: 2 Time(s) /pda/: 2 Time(s) /sql/: 1 Time(s) Sep 21, 2009 www.RD1.net
52 Abuse Reports Why Report Attacks on your Servers?  Makes it a more difficult for the attacker (Yeah, mostly for the script kiddies)  Educates organizations on the state of their system and their need for response  Helps make the Internet a better place Choose your “favorites” to report Use whois on IP address of the source IP to abuse email contact Reporting to questionable organizations may not be helpful, or helpful in the wrong way. Sep 21, 2009 www.RD1.net
53 Abuse Reports – How to (2) Keep it Simple Just the facts. To: abuse@example.com Subject: web vulnerability attack from IP xx.xx.xx.xx Logs are included below of a web vulnerability attack from the above address. This system may have been compromised or infected. Please take action to prevent further abuse. An e-mail reply is appreciated. Thank you for taking action on this. -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN Information Security Consultant USA 585-624-9551 Logs are NTP time synced in USA EDT TZ Sep 21, 2009 www.RD1.net
54 Abuse Reports (2) Send Sample of Access Web Logs xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /sql/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)” Sep 21, 2009 www.RD1.net
55 Abuse Reports (3) Some Recent Interesting User Agent in Logs xx.xx.xx.xx - - [03/Sep/2009:20:04:50 -0400] "GET / HTTP/1.0" 200 67 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3“ xx.xx.xx.xx - - [03/Sep/2009:20:05:01 -0400] "GET /apple-touch-icon.png HTTP/1.0" 404 218 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3" Sep 21, 2009 www.RD1.net
56 Abuse Responses From: Amazon EC2 Abuse ec2-abuse-team@amazon.com Thank you for submitting your abuse report. We have received your report of Intrusion Attempts originating from our network. We have completed an initial investigation of the issue and learned that the activity you noticed did indeed originate from an Amazon EC2 instance. These intrusion attempts that you report were not, however, initiated by Amazon. One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. . . . That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use. This instance has since been terminated. Sep 21, 2009 www.RD1.net
57 OSSEC.net OSSEC – Open Source HIDS, central logging and monitoring solution – aka SIM/SEM/SIEM Supports most platforms Linux/Unix/Windows/Mac Real-time alerting Active response - blocking of attacks Agent and Agentless monitoring File Integrity Monitoring Rootkit detection Sep 21, 2009 www.RD1.net
Durkee Consulting, Inc. www.rd1.net rd@rd1.net Questions?

Empfohlen

Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Serverswebhostingguy
 
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Vlad Lasky
 
Red Hat Certified engineer course
Red Hat Certified engineer course Red Hat Certified engineer course
Red Hat Certified engineer course Ali Abdo
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guidejasembo
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4Information Technology
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
Apache Web Server Setup 1
Apache Web Server Setup 1Apache Web Server Setup 1
Apache Web Server Setup 1Information Technology
 
are available here
are available hereare available here
are available herewebhostingguy
 

Empfohlen

Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Serverswebhostingguy
 
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Vlad Lasky
 
Red Hat Certified engineer course
Red Hat Certified engineer course Red Hat Certified engineer course
Red Hat Certified engineer course Ali Abdo
 
Squid proxy-configuration-guide
Squid proxy-configuration-guideSquid proxy-configuration-guide
Squid proxy-configuration-guidejasembo
 
Apache Web Server Setup 4
Apache Web Server Setup 4Apache Web Server Setup 4
Apache Web Server Setup 4Information Technology
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
Apache Web Server Setup 1
Apache Web Server Setup 1Apache Web Server Setup 1
Apache Web Server Setup 1Information Technology
 
are available here
are available hereare available here
are available herewebhostingguy
 
Word Press Security
Word Press SecurityWord Press Security
Word Press SecurityRandall Rode
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Presentation on rhce
Presentation on rhcePresentation on rhce
Presentation on rhceG Raveena Nair
 
Debugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VIIDebugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VIIMartin Leyrer
 
Apache Web Server Setup 3
Apache Web Server Setup 3Apache Web Server Setup 3
Apache Web Server Setup 3Information Technology
 
Zumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and TricksZumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and TricksFrank A. Petillo, Sr.
 
Squid
SquidSquid
SquidChirag Gupta
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
 
Caching objects-in-memory
Caching objects-in-memoryCaching objects-in-memory
Caching objects-in-memoryMauro Cassani
 
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7Mazenetsolution
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guidewebhostingguy
 
Codendi Installation Guide
Codendi Installation GuideCodendi Installation Guide
Codendi Installation GuideCodendi
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hostingwebhostingguy
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Apache Server Tutorial
Apache Server TutorialApache Server Tutorial
Apache Server TutorialJagat Kothari
 
Squid server
Squid serverSquid server
Squid serverRohit Phulsunge
 
Apache Web Server Setup 2
Apache Web Server Setup 2Apache Web Server Setup 2
Apache Web Server Setup 2Information Technology
 
RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)Sumant Garg
 
Apache ppt
Apache pptApache ppt
Apache pptSanmuga Nathan
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web ServersInformation Technology
 
Ch 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet ServersCh 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet Serverswebhostingguy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Word Press Security
Word Press SecurityWord Press Security
Word Press SecurityRandall Rode
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 WebinarMen and Mice
 
Debugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VIIDebugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VIIMartin Leyrer
 
Zumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and TricksZumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and TricksFrank A. Petillo, Sr.
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
 
Caching objects-in-memory
Caching objects-in-memoryCaching objects-in-memory
Caching objects-in-memoryMauro Cassani
 
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7Mazenetsolution
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guidewebhostingguy
 
Codendi Installation Guide
Codendi Installation GuideCodendi Installation Guide
Codendi Installation GuideCodendi
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hostingwebhostingguy
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
Apache Server Tutorial
Apache Server TutorialApache Server Tutorial
Apache Server TutorialJagat Kothari
 
RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)Sumant Garg
 

Was ist angesagt? (20)

Word Press Security
Word Press SecurityWord Press Security
Word Press Security
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Presentation on rhce
Presentation on rhcePresentation on rhce
Presentation on rhce
 
Debugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VIIDebugging IBM Connections for the Impatient Admin - Social Connections VII
Debugging IBM Connections for the Impatient Admin - Social Connections VII
 
Apache Web Server Setup 3
Apache Web Server Setup 3Apache Web Server Setup 3
Apache Web Server Setup 3
 
Zumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and TricksZumasys Citrix Top 10 Tips and Tricks
Zumasys Citrix Top 10 Tips and Tricks
 
Squid
SquidSquid
Squid
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
 
Caching objects-in-memory
Caching objects-in-memoryCaching objects-in-memory
Caching objects-in-memory
 
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Apache Web server Complete Guide
Apache Web server Complete GuideApache Web server Complete Guide
Apache Web server Complete Guide
 
Codendi Installation Guide
Codendi Installation GuideCodendi Installation Guide
Codendi Installation Guide
 
Apache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual HostingApache web server installation/configuration, Virtual Hosting
Apache web server installation/configuration, Virtual Hosting
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runit
 
Apache Server Tutorial
Apache Server TutorialApache Server Tutorial
Apache Server Tutorial
 
Squid server
Squid serverSquid server
Squid server
 
Apache Web Server Setup 2
Apache Web Server Setup 2Apache Web Server Setup 2
Apache Web Server Setup 2
 
RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)RHCE (RED HAT CERTIFIED ENGINEERING)
RHCE (RED HAT CERTIFIED ENGINEERING)
 
Apache ppt
Apache pptApache ppt
Apache ppt
 

Ähnlich wie Durkee apache 2009_v7

Ch 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet ServersCh 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet Serverswebhostingguy
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..webhostingguy
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..webhostingguy
 
Apache2 BootCamp : Getting Started With Apache
Apache2 BootCamp : Getting Started With ApacheApache2 BootCamp : Getting Started With Apache
Apache2 BootCamp : Getting Started With ApacheWildan Maulana
 
Intro to development sites and site migration
Intro to development sites and site migrationIntro to development sites and site migration
Intro to development sites and site migrationR-Cubed Design Forge
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptwebhostingguy
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAndrew Khoury
 
Domain Access Module
Domain Access ModuleDomain Access Module
Domain Access ModuleRyan Cross
 
Install and configure linux
Install and configure linuxInstall and configure linux
Install and configure linuxVicent Selfa
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsyncHazel Smith
 
70-410 Practice Test
70-410 Practice Test70-410 Practice Test
70-410 Practice Testwrailebo
 
WE18_Performance_Up.ppt
WE18_Performance_Up.pptWE18_Performance_Up.ppt
WE18_Performance_Up.pptwebhostingguy
 
Rock Solid WordPress
Rock Solid WordPressRock Solid WordPress
Rock Solid WordPressErik Osterman
 

Ähnlich wie Durkee apache 2009_v7 (20)

Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Ch 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet ServersCh 22: Web Hosting and Internet Servers
Ch 22: Web Hosting and Internet Servers
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..
 
apresentacao_apache2..
apresentacao_apache2..apresentacao_apache2..
apresentacao_apache2..
 
Apache2 BootCamp : Getting Started With Apache
Apache2 BootCamp : Getting Started With ApacheApache2 BootCamp : Getting Started With Apache
Apache2 BootCamp : Getting Started With Apache
 
Dot netnuke
Dot netnukeDot netnuke
Dot netnuke
 
Intro to development sites and site migration
Intro to development sites and site migrationIntro to development sites and site migration
Intro to development sites and site migration
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Utosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.pptUtosc2007_Apache_Configuration.ppt
Utosc2007_Apache_Configuration.ppt
 
Apache
ApacheApache
Apache
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
 
Domain Access Module
Domain Access ModuleDomain Access Module
Domain Access Module
 
Squid
SquidSquid
Squid
 
Windows Loves drupal
Windows Loves drupalWindows Loves drupal
Windows Loves drupal
 
Install and configure linux
Install and configure linuxInstall and configure linux
Install and configure linux
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
70-410 Practice Test
70-410 Practice Test70-410 Practice Test
70-410 Practice Test
 
WE18_Performance_Up.ppt
WE18_Performance_Up.pptWE18_Performance_Up.ppt
WE18_Performance_Up.ppt
 
Rock Solid WordPress
Rock Solid WordPressRock Solid WordPress
Rock Solid WordPress
 

Kürzlich hochgeladen

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Durkee apache 2009_v7

  • 1. Securing Apache Web Servers with Mod Security & CIS Benchmark Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN Principal Security Consultant rd@rd1.net
  • 2. 2Sep 21, 2009 www.RD1.net About Ralph Durkee 25+ years of experience  Systems and Network Security  Software Development and Systems Administration Independent Consultant and Trainer since 1996 SANS GIAC Certified since 2000  GSEC, GCIH, GSNA, GPEN Lead Developer, Author and Maintainer for the Center for Internet Security: RedHat Linux, DNS BIND, Apache Community Instructor for SANS CISSP Certified CISSP Instructor Rochester OWASP President & ISSA VP
  • 3. 3Sep 21, 2009 www.RD1.net Agenda Need A Secure Foundation Minimizing the Attack Surface Limiting HTTP Request Methods Access Control Mod_Security – Web Application Fire Wall Logging and Monitoring
  • 4. 4Sep 21, 2009 www.RD1.net Center for Internet Security Benchmarks Center for Internet Security  Non-profit Organization  Develops Technical Security Standards  Uses Consensus of Industry Experts  www.CISecurity.org Benchmarks for:  Most Unix and Windows Operating Systems  Several Servers such as Apache and BIND  Oracle and MS SQL Server Databases  Others applications are in the works
  • 5. 5 Need A Secure Foundation Sep 21, 2009 www.RD1.net
  • 6. 6Sep 21, 2009 www.RD1.net Start with a Security Hardened OS Unix or Linux recommended for Internet Apply appropriate CIS OS Benchmark Don’t mix other high risk, or critical services Regularly Apply OS and Apache updates Secure Foundation – OS Security
  • 7. 7Sep 21, 2009 www.RD1.net Secure Foundation – DNS Cache Poisoning Attacks DNS Level attacks against your clients /customers Secure your Authoritative and Caching DNS Servers with CIS BIND Benchmark DNS Pharming Attacks  Uses DNS Cache poisoning to harvest victims  Bogus IP Addresses provided to Vulnerable DNS Cache  Typically requires guessing DNS Query-ID and port  Clients resolve domain name are directed to a spoofed hostile website instead of trusted website
  • 8. 8 Dan Kaminsky’s - DNS Attack Much more effective than traditional DNS cache poisoning. Uses:  Requests many random nonexistent host names  Send many negative responses with guessed QID  Response: Go to server NAME & IP has the answer.  Victim caches the IP address of “DNS” server  Game over the “DNS” server was the target Only Complete Prevention requires DNSSEC Securing the Caching DNS Server helps Sep 21, 2009 www.RD1.net
  • 9. 9Sep 21, 2009 www.RD1.net Apache User Account Don’t run Apache as root  Use dedicated locked Account  Account with Invalid Shell such as /dev/null  Locked, with no valid password Example Server Configuration User apache Group apache # grep apache /etc/passwd /etc/shadow apache:x:48:48:Apache:/var/www:/dev/null apache:!!:14428:0:99999:7:::
  • 10. 10Sep 21, 2009 www.RD1.net Set Minimal Permissions Ownership and Permissions Apache Configuration Files  Read-write by group Web Admin  Owned by Root  No access for Other  Apache reads these as root, before starting Document Root (and most sub-directories)  Read-write by group Web Development  Readable by Other  Owned by root
  • 11. 11Sep 21, 2009 www.RD1.net Set Minimal Permissions (2) More Ownership and Permissions CGI-BIN Directories  Read-write by group Web Admin  Readable & Executable by Other  Owned by root Apache bin files (apachectl and httpd)  Read & Execute by Wed Admin  Read & Execute by root
  • 12. 12Sep 21, 2009 www.RD1.net Subscribe to Security Advisories Web Admin and System Admin should subscribed to appropriate advisories Apache http://httpd.apache.org/lists.html CERT https://forms.us-cert.gov/maillists/ Sun https://subscriptions.sun.com Fedora Core https://www.redhat.com/mailman/listinfo /fedora-announce-list
  • 13. 13 Minimize the Attack Surface Sep 21, 2009 www.RD1.net
  • 14. 14Sep 21, 2009 www.RD1.net Disable Unnecessary Modules Modules you probably DON’T need  mod_dav - Distributed Authoring and Versioning (WebDAV) functionality  mod_dav_fs – File System for mod_dav  mod_status – Provide Web Server status info.  mod_proxy – HTTP Proxy  mod_autoindex - Directory listings  mod_cern_meta - CERN HTTPD Meta file semantics (old not used)
  • 15. 15Sep 21, 2009 www.RD1.net Use only Necessary Modules Modules you might need  mod_log_config – Provides flexible for Logging of Requests  mod_logio – Provides I/O bytes per request  mod_mime – Determines MIME type / Handler by file extension  mod_env – Controls environment passed to CGI  mod_expires - Generation of Expires and Cache-Control HTTP headers
  • 16. 16Sep 21, 2009 www.RD1.net Check Config Include Directories Check any config include directories  Red Hat Linux uses /etc/httpd/conf.d  All *.conf files are auto included  Remove the rpm, not just the file  Or comment out the file content Example: rpm –qf /etc/httpd/conf.d/manual.conf httpd-manual-2.2.xx-xx.x rpm -e httpd-manual
  • 17. 17Sep 21, 2009 www.RD1.net Remove Any Default Files Default HTML Files  Manual  Welcome page  Directory Index icons Sample CGI files (e.g. printenv) Apache source code files Apache user files (.bashrc etc)
  • 18. 18Sep 21, 2009 www.RD1.net Other Resources for Modules Modules list available On-line http://httpd.apache.org/docs/2.0/mod/ http://httpd.apache.org/docs/2.2/mod/ Also Review Module recommendations in CIS Benchmark Appendix Some Modules have their own website, (such as modsecurity.org) check your favorite search engine.
  • 19. 19Sep 21, 2009 www.RD1.net Options Directive Apache 2.2 docs Description: Configures what features are available in a particular directory Syntax: Options [+|-]option [[+|-]option] ... Default: Options All Context: server config, virtual host, directory, .htaccess Override: Options Module: core
  • 20. 20Sep 21, 2009 www.RD1.net Options Directive Example 1 - Top Level Root <Directory /> . . . Options None </Directory> Example 2 – cgi-bin Directory ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/ <Directory /usr/lib/mailman/cgi-bin/> . . . Options ExecCGI </Directory>
  • 21. 21Sep 21, 2009 www.RD1.net Options Directive Options  All – Everything except Multiviews  ExecCGI – Execution of CGI scripts  FollowSymLinks – Will follow symbolic links  SymLinksIfOwnerMatch –only if owner matches  Includes - Enables Server Side include  IncludesNOEXEC – SSI without #exec  AllowOverride – Allow usage of .htaccess files.  Multiviews - Content negotiation (e.g. Language)
  • 22. 22 Access Controls Sep 21, 2009 www.RD1.net
  • 23. 23 Auth and Authz Modules  mod_authz_host (was mod_access) - Access based on IP address or hostname.  mod_authz_user , mod_authz_groupfile Mod_auth - user authentication using text files Sep 21, 2009 www.RD1.net
  • 24. 24Sep 21, 2009 www.RD1.net Access Control Directives (1) Protecting Root (httpd.conf) <Directory /> Options None AllowOverride None deny from all </Directory> Allowing All Access <Directory "/var/www/html/"> Order allow,deny allow from all </Directory>
  • 25. 25Sep 21, 2009 www.RD1.net Access Control Directives (2) Allowing Limited Access Usage of IP Address or partial IP Address <Directory "/var/www/html/"> Order allow,deny deny from all allow from 10.10.2. </Directory> Domain and Host names also work
  • 26. 26Sep 21, 2009 www.RD1.net HTTP Basic Authentication Requires mod_auth enabled Send base64 encoded username and password sent with every request. Needs SSL to protect username/password No password guessing protection built-in Sample Configuration <Directory /var/www/html/members> AuthType Basic AuthName “Memebers Access" AuthUserFile /path/to/passwordfile Require valid-user </Directory>
  • 27. 27Sep 21, 2009 www.RD1.net HTTP Basic Authentication (2) Setup Apache Password file htpasswd -c /path/to/passwordfile jsmith New password: password Re-type new password: password Adding password for user jsmith Don’t place Password file in the DocRoot Apache needs Read-only access Don’t allow other read access.
  • 28. 28Sep 21, 2009 www.RD1.net HTTP Digest Authentication Requires mod_auth and mod_digest enabled Uses Challenge – Response Response is encrypted with the password Does not protect data, still needs SSL No password guessing protection built-in Sample Configuration <Directory /var/www/html/members> AuthType Digest AuthName “Members Access" AuthUserFile /path/to/passwordfile Require valid-user </Directory>
  • 29. 29 New ChrootDir Directive Description: Directory for apache to run chroot(8) after startup. Syntax: ChrootDir /path/to/directory Default: none Context: server config Module: event, prefork, worker Compatibility: Available in Apache 2.2.10 and later Example: ChrootDir /var/www/chroot Sep 21, 2009 www.RD1.net
  • 30. 30 New ChrootDir Directive (2) Apache Disclaimer: Note that running the server under chroot is not simple, and requires additional setup, particularly if you are running scripts such as CGI or PHP. Please make sure you are properly familiar with the operation of chroot before attempting to use this feature. Sep 21, 2009 www.RD1.net
  • 31. 31 New ChrootDir Directive (3) Makes chroot easier, but still work required. Some typical directories required: CHR=/var/www/chroot/ mkdir –p $CHR/var/www mv /var/www/* /var/www/chroot/var/www/ mkdir $CHR/var/run mkdir $CHR/tmp mkdir –p $CHR/ /var/lib/php/session Usually others? Your Mileage Will vary! Sep 21, 2009 www.RD1.net
  • 32. 32 Apache and SELinux an Alternative to chroot A different (easier?) approach to chroot Implements Mandatory Access Controls Use SELinux in targeted mode In /etc/selinux/config, set SELINUXTYPE=targeted To test, start with SELINUX=permissive Switch to SELINUX=enforcing Sep 21, 2009 www.RD1.net
  • 33. 33 Apache SELinux Polices httpd_selinux(8) man page defines contexts types:  httpd_sys_content_t - all content access  httpd_sys_script_exec_t – for scripts /etc/selinux/targeted/contexts/files/ file_contexts – labels directories with types  /var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0  /var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0 Sep 21, 2009 www.RD1.net
  • 34. 34 Checking SELinux Labels Use –Z option on ls to see SELinux labels ls -Z /var/www drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons drwxr-xr-x webalizer root system_u:object_r:httpd_sys_content_t usage Sep 21, 2009 www.RD1.net
  • 35. 35 Limiting HTTP Request Methods Sep 21, 2009 www.RD1.net
  • 36. 36 HTTP Request Methods? RFC 2616 defines HTTP/1.1 Methods  GET - Most used – retrieves content  HEAD – Doesn’t return body, used to check for existence and updates  POST – Typically used for FORM submissions  PUT – Push a resource up to the server  DELETE – Remove a resource  TRACE – For Debugging  CONNECT – for SSL Proxy connections Sep 21, 2009 www.RD1.net
  • 37. 37Sep 21, 2009 www.RD1.net Limiting HTTP Request Methods Limit Methods to HEAD, GET and POST <Directory "/var/www/html"> Order allow,deny Allow from all <LimitExcept GET POST> deny from all </LimitExcept> Options None AllowOverride None </Directory> TRACE is not limited by this! HEAD is included with GET
  • 38. 38Sep 21, 2009 www.RD1.net Deny HTTP Trace Mod_Rewrite Technique TRACE method part of RFC HTTP protocol Reflects the request back to the client Intended for Debug Used for XST (Cross-Site Tracing vulnerabilities) Use mod_rewrite to deny TRACE Method [F] Flag returns 403 Forbidden RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]
  • 39. 39Sep 21, 2009 www.RD1.net Deny HTTP Trace New TraceEnable Directive Description: Determines the behavior on TRACE requests Syntax: TraceEnable [on|off|extended] Default: TraceEnable on Context: server config Module: core Compatibility: Available in Apache 1.3.34, 2.0.55 and later Example: TraceEnable off
  • 40. 40 Mod Security – The Web Application Firewall Sep 21, 2009 www.RD1.net
  • 41. 41Sep 21, 2009 www.RD1.net Mod_Security Features Open Source Web Application Firewall Features:  Request filtering  Anti-evasion techniques - paths and parameters are normalized  Understands the HTTP protocol  Performs very specific and fine grain filtering.  POST payload analysis
  • 42. 42Sep 21, 2009 www.RD1.net Mod_Security Features (2) More Features:  Audit logging - Full details can be logged for later analysis  HTTPS – Analysis performed after decryption  Inspect and Filter Any Headers  Buffer Overflow Protection  Attack Detection and Prevention
  • 43. 43Sep 21, 2009 www.RD1.net Mod_security Configuration Easily Installed via package, or build from source. Configuration mod_security.conf Rename file if using include conf.d/ LoadModule security_module modules/mod_security.so <IfModule mod_security.c> # Turn the Filtering and Audit engine, On SecFilterEngine On SecAuditEngine RelevantOnly
  • 44. 44Sep 21, 2009 www.RD1.net Mod_security Configuration (2) More Basic Feature Configuration # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Unicode encoding check SecFilterCheckUnicodeEncoding On # Only allow bytes from this range SecFilterForceByteRange 1 255 # Cookie format checks. SecFilterCheckCookieFormat On # The name of the audit log file SecAuditLog logs/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Default action set SecFilterDefaultAction "deny,log,status:406"
  • 45. 45Sep 21, 2009 www.RD1.net Mod_security Filters (1) Basic Recommended Filters # Require HTTP_USER_AGENT and HTTP_HOST headers SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Only accept request encodings we how handle # we exclude GET requests because some (automated) # clients supply "text/html" as Content-Type SecFilterSelective REQUEST_METHOD "!^GET$" chain SecFilterSelective HTTP_Content-Type "!(^$| ^application/x-www-form-urlencoded$|^multipart/form- data)"
  • 46. 46Sep 21, 2009 www.RD1.net Mod_security Filters (2) More Basic Recommended Filters # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we don't handle SecFilterSelective HTTP_Transfer-Encoding "!^$"
  • 47. 47 Logging and Monitoring Sep 21, 2009 www.RD1.net
  • 48. 48Sep 21, 2009 www.RD1.net Logging Directives LogLevel  Controls Verbosity  Values are emerg, alert, crit, error, warn, notice, info and debug  Notice is recommended ErrorLog – File name for logging errors LogFormat – Defined format of log entries CustomLog logs/acces_log combined
  • 49. 49Sep 21, 2009 www.RD1.net Logging Directives (2) Sample Logging Configuration LogLevel notice ErrorLog logs/error_log LogFormat "%h %l %u %t "%r" %>s %b "%{Accept}i" "% {Referer}i" "%{User-Agent}i"" combined CustomLog logs/access_log combined Combined format is fairly standard and handled well by log analysis software Use Swatch or LogWatch for log monitoring.
  • 50. 50Sep 21, 2009 www.RD1.net Log Monitoring Sample LogWatch output with Web Attacks Requests with error response codes 404 Not Found //README: 2 Time(s) //chat/messagesL.php3: 1 Time(s) //graph_image.php: 1 Time(s) /PhpMyChat//chat/messagesL.php3: 1 Time(s) /horde-3.0.5//README: 2 Time(s) 406 Not Acceptable /: 2 Time(s) /robots.txt: 1 Time(s)
  • 51. 51 Log Monitoring (2) More Samples of Web Scans / Attacks Looking for open proxy & phone apps? 400 Bad Request http://www.wantsfly.com/prx.php?hash=457F6 ... 404 Not Found /apple-touch-icon.png: 1 Time(s) /iphone/: 2 Time(s) /mobi/: 2 Time(s) /mobile/: 2 Time(s) /pda/: 2 Time(s) /sql/: 1 Time(s) Sep 21, 2009 www.RD1.net
  • 52. 52 Abuse Reports Why Report Attacks on your Servers?  Makes it a more difficult for the attacker (Yeah, mostly for the script kiddies)  Educates organizations on the state of their system and their need for response  Helps make the Internet a better place Choose your “favorites” to report Use whois on IP address of the source IP to abuse email contact Reporting to questionable organizations may not be helpful, or helpful in the wrong way. Sep 21, 2009 www.RD1.net
  • 53. 53 Abuse Reports – How to (2) Keep it Simple Just the facts. To: abuse@example.com Subject: web vulnerability attack from IP xx.xx.xx.xx Logs are included below of a web vulnerability attack from the above address. This system may have been compromised or infected. Please take action to prevent further abuse. An e-mail reply is appreciated. Thank you for taking action on this. -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN Information Security Consultant USA 585-624-9551 Logs are NTP time synced in USA EDT TZ Sep 21, 2009 www.RD1.net
  • 54. 54 Abuse Reports (2) Send Sample of Access Web Logs xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" xx.xx.xx.xx - - [03/Sep/2009:06:26:31 -0400] "GET /sql/ HTTP/1.1" 404 202 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)” Sep 21, 2009 www.RD1.net
  • 55. 55 Abuse Reports (3) Some Recent Interesting User Agent in Logs xx.xx.xx.xx - - [03/Sep/2009:20:04:50 -0400] "GET / HTTP/1.0" 200 67 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3“ xx.xx.xx.xx - - [03/Sep/2009:20:05:01 -0400] "GET /apple-touch-icon.png HTTP/1.0" 404 218 "-" "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3" Sep 21, 2009 www.RD1.net
  • 56. 56 Abuse Responses From: Amazon EC2 Abuse ec2-abuse-team@amazon.com Thank you for submitting your abuse report. We have received your report of Intrusion Attempts originating from our network. We have completed an initial investigation of the issue and learned that the activity you noticed did indeed originate from an Amazon EC2 instance. These intrusion attempts that you report were not, however, initiated by Amazon. One of the biggest advantages of Amazon EC2 is that developers are given complete control of their instances. . . . That said, we do take reports of unauthorized network activity from our environment very seriously. It is specifically forbidden in our terms of use. This instance has since been terminated. Sep 21, 2009 www.RD1.net
  • 57. 57 OSSEC.net OSSEC – Open Source HIDS, central logging and monitoring solution – aka SIM/SEM/SIEM Supports most platforms Linux/Unix/Windows/Mac Real-time alerting Active response - blocking of attacks Agent and Agentless monitoring File Integrity Monitoring Rootkit detection Sep 21, 2009 www.RD1.net
  • 58. Durkee Consulting, Inc. www.rd1.net rd@rd1.net Questions?