HARDENING IN APACHE WEB SERVER
“Mapping threats, Mitigating risk and
Implementing Corrective activities in Web Servers”
WHO ARE WE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH THE BEST LINUX IN BRAZIL
MORE THAN 50,000 STUDENTS TRAINED
MORE THAN 5,000 CLIENTS IN DIFFERENT PROJECTS
LPI-C ATP IN BRAZIL
MORE: www.utah.com.br
SOCIAL MEDIA
Follow! @fabioandpires
Follow! @utah_networxs
Enjoy! Utah Networxs
Speaker: Fabio Pires
Mini Curriculum:
Graduated in Computer Science
Graduated in Bachelor of Computing
Post Graduate in Project Analysis and Systems - FATEC
Post Graduate in S.O. Linux - UFLA
LPIC
Undergraduate and Graduate Teacher
Twitter in Spare Time
Contact: [email protected]
TARGET
“PRESENT ONE AMONG SEVERAL SOLUTIONS FOR BUILDING WEB SERVER HARDENING THROUGH THE USE OF FREE TOOLS TO MINIMIZE THE IMPACT OF ATTACKS.”
VULNERABILITY STACK
WEBSERVER MARKET SHARES
OPEN SOURCE WEB SERVER ARCHITECTURE
VULNERABILITY WEB APPLICATIONS
WHY ARE WEB SERVERS COMPROMISED?
TOOLS
HTTPRINT – WEB SERVER BANNER
NIKTO – VULNERABILITIES
NESSUS – VULNERABILITIES
W3AF – AUDIT AND EXPLOITATION
NMAP – PORT SCAN
MITIGATING RISKS
DoS Attack
DDoS Attack
Brute Force (ssh, telnet)
Port Scanning Attack
Ping Flooding Attack
Elevation of Privilege
Man in the Middle Attack
Directory Traversal
Password Cracking (Spoofing, Phishing, Trojan Horse)
DEPLOYING CORRECTIONS
What's Hardening?
It is a process of mapping threats, mitigating risk and implementing corrective activities, focused on the infrastructure, with the primary goal of making it ready to face attack attempts.
PRACTICE IN WEB SERVER APACHE
Where do you get packages from?
- Package Repository
- MD5SUM Verified
- Security Updates
- Pre-Compiled Package or Source Package
PRACTICE IN WEB SERVER APACHE
# CHROOT JAIL
CHROOT ARCHITECTURE APACHE
/
  tmp
  boot
  chroot
    dev
    etc
    lib
    usr
    var
  bin
  dev
  etc
  home
  lib
  mnt
  opt
  proc
  root
  sbin
  usr
  var
(The chroot directory carries its own copies of dev, etc, lib, usr and var; once Apache is started inside it, that subtree is the whole filesystem it can see.)
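Populating the jail is the step the tree above leaves implicit: every shared library httpd links against must exist under chroot/ at the same relative path, or the jailed binary will not start. The shell script below is an added example, not part of the slides or of any Utah tool; the ldd output and the jail paths in it are constructed. A real jail also needs the dev, etc, usr and var entries from the tree (device nodes, name-resolution files, the document root and logs), which this script does not create.

```shell
#!/bin/sh
# Added example, not from the slides: copy the shared libraries an Apache binary
# needs into a chroot jail. Jail path and the ldd output below are constructed.

# Turn `ldd /path/to/httpd` output into the list of absolute library paths.
# Lines with "=>" carry the resolved path in field 3 ("not found" is skipped);
# the dynamic loader line starts with "/" directly; the vDSO has no file on disk.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one file into the jail, recreating its directory; cp -p keeps mode and owner.
install_into_jail() {          # $1 jail root, $2 absolute path of the file
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Constructed ldd output in the format the real command prints (addresses elided).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a5f0000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f3c2a1b0000)
    libaprutil-1.so.0 => /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0 (0x00007f3c2a180000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29f90000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3c2a400000)'

# Number of libraries the sample binary would need inside the jail.
jail_lib_count() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths | wc -l | tr -d ' '
}

# Demonstration on a throwaway jail: install a constructed "library" and check
# that it landed at the same path relative to the jail root.
demo_jail() {
    jail=$(mktemp -d)
    src=$(mktemp)
    install_into_jail "$jail" "$src"
    if [ -f "$jail$src" ]; then rc=0; else rc=1; fi
    rm -rf "$jail" "$src"
    return $rc
}

# Real use (assumed binary path and jail; run as root):
#   ldd /usr/sbin/apache2 | ldd_paths | while read -r f; do install_into_jail /chroot "$f"; done
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Re-run the copy after every security update of the libraries, otherwise the jail keeps serving the old, vulnerable copies while the host is patched.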
DISABLE UNUSED MODULES
suexec, userdir, cgi / cgid, autoindex
RESTRICT RESOURCES
Number of processes:
With RES=7000k, SHR=2500k and 400M available for Apache, the result is:
400/(7-2.5) = 89
RES = Resident memory, SHR = Shared memory (per process, as shown by top); their difference is the private memory each Apache child really costs.
MITIGATE MEMORY LEAKS
MaxRequestsPerChild 10000
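As an added example (not code from the slides), the sizing rule from RESTRICT RESOURCES and the MaxRequestsPerChild value above combined into one shell script that computes MaxClients and writes the prefork stanza. It takes RES and SHR in kB as top shows them, divides by 1000 as the slide does (7000k is taken as 7M), and truncates the 88.9 that the slide rounds up to 89, so the stanza stays inside the 400M budget; StartServers and the spare-server values are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: size the prefork MPM from per-process memory.
# RES and SHR in kB (top), available memory in MB; arithmetic follows the slide.

# Private memory per Apache child in MB: (RES - SHR) / 1000.
private_mb() {                 # $1 RES kB, $2 SHR kB
    awk -v res="$1" -v shr="$2" 'BEGIN { printf "%.1f\n", (res - shr) / 1000 }'
}

# Largest number of children that fit in the memory set aside for Apache
# (truncated, not rounded, so the budget is never exceeded).
apache_max_clients() {         # $1 RES kB, $2 SHR kB, $3 MB available for Apache
    awk -v res="$1" -v shr="$2" -v avail="$3" 'BEGIN {
        if (res <= shr) { print "RES must be larger than SHR" > "/dev/stderr"; exit 1 }
        printf "%d\n", avail / ((res - shr) / 1000) }'
}

# prefork stanza for httpd.conf. MaxRequestsPerChild 10000 is the slide's value for
# recycling children that leak memory; the spare-server numbers are assumptions.
prefork_stanza() {             # $1 MaxClients
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients           $1
    MaxRequestsPerChild  10000
</IfModule>
EOF
}

# Worked run with the slide's figures: RES=7000k, SHR=2500k, 400M for Apache.
prefork_stanza "$(apache_max_clients 7000 2500 400)"
```

If the computed value ever exceeds 256, ServerLimit must be raised alongside MaxClients, because prefork silently caps MaxClients at ServerLimit (default 256). On Apache 2.4, MaxClients is still accepted as an alias of MaxRequestWorkers.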
RESTRICT INCOMING CONNECTIONS
# iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
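The threshold in that rule (25 new connections per source address) should be measured, not guessed, or a NAT gateway with many users behind it will be cut off. The shell script below is an added example, not from the slides: it counts established port-80 connections per peer from `ss -Htn` output (recent iproute2) and lists the peers that a given --connlimit-above value would already reject. The sample connection table is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: measure per-client concurrency on port 80
# before choosing the connlimit threshold. Input format is `ss -Htn`
# (State Recv-Q Send-Q Local:Port Peer:Port); the sample is constructed.

SAMPLE_SS='ESTAB 0 0 10.0.0.5:80 203.0.113.7:51234
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51235
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51236
ESTAB 0 0 10.0.0.5:80 198.51.100.9:40001
ESTAB 0 0 10.0.0.5:80 [2001:db8::1]:40002
TIME-WAIT 0 0 10.0.0.5:80 198.51.100.9:40003
ESTAB 0 0 10.0.0.5:22 198.51.100.9:40004'

# Established connections to local port 80, counted per peer address. The trailing
# :port is stripped, which also works for bracketed IPv6 peers. Output: "<count> <peer>",
# busiest first.
per_ip_connections() {         # stdin: ss -Htn output
    awk '$1 == "ESTAB" && $4 ~ /:80$/ { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Peers that already hold more connections than a given --connlimit-above value.
over_limit() {                 # $1 threshold; stdin as above
    per_ip_connections | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Worked run on the constructed sample (live use: ss -Htn | per_ip_connections).
printf '%s\n' "$SAMPLE_SS" | per_ip_connections
printf 'Would be rejected at --connlimit-above 2: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | over_limit 2)"
```

The slide's rule counts per /32 source by default; connlimit's --connlimit-mask option changes the prefix width if whole networks rather than single hosts are to be limited. Whatever value is chosen, the REJECT with tcp-reset only closes the excess SYNs, so existing connections of a legitimate client are not touched.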
FILE PERMISSIONS
# find /srv/www -user utahuser
# find /srv/www ! -type l \( -perm /o=w -o -perm /g=w -group utahgroup \)
SEARCH FILES AND SSL
* Search hidden files
# find /var/www -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
* SSL key files
* Make sure your SSL keys are only readable by the root user.
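To show what the three checks above actually catch, the following shell script (an added example, not from the slides) wraps them as functions and runs them against a throwaway document root built for the purpose. The directory layout, file names, the web group and the SSL key in it are constructed; the find expressions use GNU find syntax, as the slide does.

```shell
#!/bin/sh
# Added example, not from the slides: the FILE PERMISSIONS and SEARCH FILES checks as
# functions, demonstrated on a constructed docroot. Paths and names are made up.

# Files writable by others, or writable by the web group, symlinks excluded
# (the slide's second find, with the group as a parameter).
writable_files() {             # $1 docroot, $2 web group
    find "$1" ! -type l \( -perm /o=w -o \( -perm /g=w -group "$2" \) \)
}

# Hidden files other than .ht*, plus editor and backup leftovers.
leftover_files() {             # $1 docroot
    find "$1" \( -name '.?*' -not -name '.ht*' \) -o -name '*~' -o -name '*.bak*' -o -name '*.old*'
}

# True when no group/other permission bit is set on the key (0600 or stricter).
key_is_private() {             # $1 key file
    [ -z "$(find "$1" -maxdepth 0 -perm /g+rwx,o+rwx)" ]
}

# Build a constructed docroot and key under $1 with a few deliberate findings.
# Run it in a subshell so the umask change does not leak into the caller.
demo_tree() {                  # $1 base directory
    umask 022
    mkdir -p "$1/htdocs/uploads" "$1/ssl"
    printf 'ok\n'                 > "$1/htdocs/index.html"
    printf 'old\n'                > "$1/htdocs/index.php~"      # editor backup
    printf 'old\n'                > "$1/htdocs/config.php.bak"  # backup copy
    printf 'SECRET=1\n'           > "$1/htdocs/.env"            # hidden secrets file
    printf 'Require all denied\n' > "$1/htdocs/.htaccess"       # legitimate, ignored
    : > "$1/htdocs/uploads/avatar.png"
    chmod 777 "$1/htdocs/uploads"                               # world-writable dir
    chmod 666 "$1/htdocs/uploads/avatar.png"                    # world-writable file
    printf 'constructed key\n'    > "$1/ssl/server.key"
    chmod 644 "$1/ssl/server.key"                               # readable by everyone
}

# Run the audit on the constructed tree, print the findings and clean up.
run_audit_demo() {
    base=$(mktemp -d)
    ( demo_tree "$base" )
    echo '== writable by others / web group =='; writable_files "$base/htdocs" "$(id -gn)"
    echo '== hidden and leftover files ==';      leftover_files "$base/htdocs"
    if key_is_private "$base/ssl/server.key"; then echo 'key: ok'; else echo 'key: readable by others'; fi
    rm -rf "$base"
}
run_audit_demo
```

Expect two hits from the first check (the uploads directory and the file in it), three from the second (.env, index.php~, config.php.bak, while .htaccess is skipped) and a failing key check until the key is chmod 600. On a live server the -user check from the slide is the complement of these: anything in the docroot not owned by the deployment user deserves the same attention.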
OTHER APACHE CONFIG
* Beware of certain RewriteRules
# INSECURE configuration, don't use!
RewriteRule ^/old/directory/(.*)$ /$1
# SECURE - use this
RewriteRule ^/old/directory/(.*)$ /$1 [PT]
(Without [PT] the substitution is treated as a filesystem path, so the rewritten request can resolve outside the document root; [PT] passes it back through URL mapping as a URL path.)
* Don't use Limit/LimitExcept (conf.d/security)
TraceEnable off
OTHER APACHE CONFIG
* ServerSignature Off
* ServerTokens Prod
* Remove PHP scripts (test.php, info.php, i.php, php.info)
* Disable directory indexing
* Disable WebDAV
* Enable PHP basedir (open_basedir)
* Install a Web Firewall (mod_security)
* Suhosin PHP
SUHOSIN PHP - BASIC
suhosin.executor.include.max_traversal=4      (limits ../ in include paths, e.g. ../../../../)
suhosin.executor.disable_emodifier=Off        (the preg_replace /e modifier, which executes code)
suhosin.mail.protect=2                        (protects mail() against spammer abuse)
suhosin.memory_limit=256M
suhosin.filter.action=402                     (return code sent when a filter detects an error)
suhosin.upload.max_uploads=100
SUHOSIN PHP - BASIC
suhosin.request.max_array_depth=4096
suhosin.request.max_array_index_length=2048
suhosin.request.max_name_length=2048
suhosin.request.max_value_length=650000
suhosin.request.max_vars=4096
suhosin.post.max_array_depth=8048
suhosin.post.max_array_index_length=1024
suhosin.post.max_name_length=2048
suhosin.post.max_totalname_length=8048
suhosin.post.max_vars=4096
OTHER APACHE CONFIG
* ErrorDocument 404 errors/404.html
* ErrorDocument 500 errors/500.html
* ServerAdmin (use a mail alias)
* UserDir disabled root
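The OTHER APACHE CONFIG items that are directives (as opposed to removing scripts or installing mod_security) assembled into one include file, as an added example rather than a file from the slides or the Utah package. Apache 2.4 syntax is assumed (Require instead of Order/Allow), the document root and the alias mailbox are constructed, and the PHP block assumes mod_php 5 is the loaded PHP module (for PHP 7 the IfModule name is mod_php7.c).

```apache
# Added example (not the slide's own file): hardening directives in one include.
# Paths and the mail alias are constructed; Apache 2.4 syntax assumed.

# Hide version and OS details from headers and from generated pages
ServerTokens Prod
ServerSignature Off
# Refuse the TRACE method
TraceEnable off
# Contact address that is a mail alias, not a personal mailbox
ServerAdmin webmaster@example.com

# Custom error pages instead of the stock ones
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

<Directory /srv/www/htdocs>
    # No directory listings, no server-side includes, no CGI from the docroot
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# The slide's directive: never translate ~root. "UserDir disabled" alone turns
# the feature off for every user; better still, do not load mod_userdir at all.
<IfModule mod_userdir.c>
    UserDir disabled root
</IfModule>

# WebDAV stays off; preferably dav_module and dav_fs_module are not loaded at all
<IfModule mod_dav.c>
    Dav Off
</IfModule>

# PHP may only open files below the docroot and /tmp, and does not announce itself
<IfModule mod_php5.c>
    php_admin_value open_basedir "/srv/www/htdocs:/tmp"
    php_admin_flag expose_php Off
</IfModule>
```

Drop the file into conf.d (or the distribution's conf-available/conf-enabled pair) and run `apachectl configtest` before reloading; php_admin_value and php_admin_flag cannot be overridden from .htaccess or ini_set(), which is the point of using them rather than php_value.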
INSTALL PACKAGE
# dpkg -i hardening-apache_beta-01.deb
PROBLEMS
* UNIQUE USER
* INSERT DIALOG
* PORTABLE TO OTHER DISTROS
DOUBTS?
SOURCES OF RESEARCH
APACHE FOUNDATION - www.apache.org
EC-COUNCIL - www.eccouncil.org
UTAH HARDENING COURSE - www.utah.com.br
IMAGES - EC-COUNCIL - www.eccouncil.org