Web Server Administration
Chapter 10
Securing the Web Environment

Overview
- Identify threats and vulnerabilities
- Secure data transmission
- Secure the operating system
- Secure server applications

Overview
- Authenticate Web users
- Use a firewall
- Use a proxy server
- Use intrusion detection software

Identifying Threats and Vulnerabilities
- Hackers vs. crackers vs. attackers
- Focus is on threats from the Internet connection
- Where attacks occur
  - The computer system itself: the OS or an application is sometimes at fault
  - Transmission of the data
- Why attack
  - The challenge of penetrating a system
  - The challenge of vandalizing it
  - To gather data: credit card numbers, user names and passwords, other personal data

Examining TCP/IP
- TCP/IP was designed for communication, not security
- Hackers can take advantage of the intricacy of TCP/IP
- Applications assume packets are correct and accept them blindly from the specific port
- IP header fields most relevant to security
  - Source address
  - Destination address
  - Packet identification, flags, fragment offset
  - Total length
  - Protocol: TCP, UDP, ICMP

TCP - Delivering Data to Applications
- Important header fields
  - Source and destination ports
  - Sequence number, data offset
  - Flags, such as SYN, ACK, FIN
- Establishing a standard TCP connection

Connection Vulnerabilities
- SYN flood: the attacker manipulates the TCP header to cause this
- UDP is connectionless (used by DNS) and can be used to attack a system
- ICMP controls communication and reports status (responds to PING); an attacker can probe these messages to find ways to attack

Vulnerabilities of DNS
- Historically DNS has had security problems
- BIND is the most common DNS server
  - Older versions had serious bugs
  - BIND 9, the current version, has been more secure
  - https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

Vulnerabilities in Operating Systems
- Large and complex software
  - More opportunities for attack
- Systems personnel are busy
  - Not maintaining updates
  - Not installing patches
- Common OS attack
  - Buffer overruns, which allow the attacker to take over the computer

Vulnerabilities in Web Servers
- Static HTML pages: no problem
- Databases: create vulnerability
- Programming: creates vulnerability
- Programmers are over-worked
  - No time to focus on security
  - Security is an afterthought
  - Security is handled when an attacker attacks

Vulnerabilities in Web Servers
- Databases
  - Placement of the connection string
  - Not filtering and validating data sent from the client
- Programming
  - User authentication
    - Stored as plain text
    - Transmitted as plain text

Vulnerabilities of E-mail Servers
- E-mail servers are open by design
- E-mail servers can be overflowed by a series of very large e-mail messages
- E-mail can suffer denial of service if an overwhelming number of messages are sent at the same time
- Viruses can be sent to e-mail users
- User authentication is done in plain text when retrieving e-mail over the Internet

Securing Data Transmission
- Encrypt transmitted data
- SSL (Secure Sockets Layer)
  - Used between client and Web server
- SSH (Secure Shell)
  - Secure telnet
  - Secure FTP

Secure Sockets Layer (SSL)
- Digital certificate
  - Issued by a certification authority (CA); identifies an organization
  - The CA can be a third party (e-commerce)
  - Public key infrastructure (PKI) defines the system of CAs and certificates
- Public key cryptography depends on two keys
  - Public key
    - Shared with everyone
    - Used to encrypt data sent to the server
    - The client encrypts the session key (a secret generated by the client) with it and sends it with the message
  - Private key: kept by the owner of the public key
    - Needed to decrypt the data

Establishing an SSL Connection

Using SSH for Tunneling
- Tunneling: run an insecure protocol, such as POP3, through a secure connection, such as SSH
- To set up tunneling
  - Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)
  - Configure the SSH client to connect to POP3 port 110
  - Log in to the SSH client
  - Direct the e-mail client to local port 55555 and log in to the e-mail server

Securing the Operating System
- Use the server for only necessary tasks
- Minimize user accounts
- Disable services that are not needed
- Make sure that you have a secure password
  - In addition to using upper case, lower case, numbers and symbols, hold down the ALT key and type a number (on the numeric keypad) from 1 to 255
  - Check a table of ALT values to avoid common characters
  - The use of the ALT key will thwart most hackers

Securing Linux
- Only run daemons (services) that you need
- Generally, daemons are disabled by default
- List the daemons that are running (listening for connections):
    netstat -l
- Use chkconfig to enable and disable daemons:
    chkconfig imap on        (enables imap)
- Get the list of services turned on at boot up:
    chkconfig --list

Securing FTP and telnet
- Linux: SSH allows you to do the same functions as telnet, but in a secure environment
- Windows: PuTTY is an SSH client
- Linux: sftp (secure FTP)
- Windows: psftp (PuTTY sftp)

Securing E-mail
- Use an SSH tunnel for POP3, which prevents the data from being seen
- Limit mailbox size, to prevent someone from sending large e-mail messages until the disk is full

Securing the Web Server
- Enable the minimum features
  - If you don't need a programming language, do not enable it
- Make sure programmers understand security issues
- Implement SSL where appropriate

Securing Apache Directories
- httpd.conf directory entries: you can restrict access to directories by using "Allow" and "Deny"
- Allows only 2 IP addresses to access the directory (with Order deny,allow the Deny list is evaluated first, so the Allow for the two addresses overrides Deny from all):

    <Directory "/var/www/html/reports">
        Order deny,allow
        Deny from all
        Allow from 10.10.10.5 192.168.0.3
    </Directory>

- Denies any client from evildoers.org access to the directory (with Order allow,deny a client matching both lists is denied, so the Deny for the domain wins over Allow from all):

    <Directory "/var/www/html/reports">
        Order allow,deny
        Allow from all
        Deny from evildoers.org
    </Directory>
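Apache 2.2 evaluates the Allow and Deny lists in the sequence given by Order, and a client that matches both lists is decided by the list evaluated last, which is why the ordering matters. The following is an added example, not part of the slides, that models that evaluation for the two Directory blocks; the function names are my own, and the client's host name is passed in directly rather than resolved by reverse DNS as Apache would do for a domain-based Deny.

```python
import ipaddress

def _matches(client_ip, client_host, entries):
    """True if any Allow/Deny entry matches: 'all', an IP/CIDR, or a domain."""
    for e in entries:
        if e == "all":
            return True
        try:
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            # Not an address, so treat it as a domain: the host itself or any subdomain
            if client_host and (client_host.lower() == e.lower()
                                or client_host.lower().endswith("." + e.lower())):
                return True
    return False

def authz_host(order, allow, deny, client_ip, client_host=None):
    """Apache 2.2 mod_authz_host decision: True = allowed, False = denied."""
    a = _matches(client_ip, client_host, allow)
    d = _matches(client_ip, client_host, deny)
    if order == "allow,deny":
        # Allow list checked first, then Deny; match both -> denied; no match -> denied
        return a and not d
    if order == "deny,allow":
        # Deny list checked first, then Allow; match both -> allowed; no match -> allowed
        return a or not d
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")

# The two Directory blocks from the slides, expressed as rule sets
REPORTS = {"order": "deny,allow", "allow": ["10.10.10.5", "192.168.0.3"], "deny": ["all"]}
NO_EVILDOERS = {"order": "allow,deny", "allow": ["all"], "deny": ["evildoers.org"]}

if __name__ == "__main__":
    print(authz_host(**REPORTS, client_ip="10.10.10.5"))   # True: whitelisted address
    print(authz_host(**REPORTS, client_ip="10.10.10.6"))   # False: everyone else
    # Same whitelist with the Order swapped: "Deny from all" is evaluated last
    # and wins, so even the two listed addresses are locked out
    print(authz_host("allow,deny", REPORTS["allow"], ["all"], "10.10.10.5"))  # False
    print(authz_host(**NO_EVILDOERS, client_ip="203.0.113.9",
                     client_host="mail.evildoers.org"))   # False: denied domain
```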

Authenticating Web Users
- Apache uses HTTP to enable authentication
  - The client tries to access a protected directory and fails
  - The server then requests authentication from the user, shown in a dialog box
- My CSCI323 discussion of HTTP Authentication
- More documentation: Comprehensive Guide to .htaccess
- Used in conjunction with SSL
  - The user authentication pair is encrypted for transfer

User Authentication in Apache
- Use the httpd.conf file for the server in general
- Can create a pair to protect certain directories: HTTP authentication
- User names and passwords are kept in a separate file
  - Create .htaccess in the directory to protect
  - Create the password file (.htpasswd); -c creates a new .htpasswd file:
      htpasswd -c .htpasswd zimmer1
    (type in the password when prompted)

Apache User Authentication Directives
AuthName
    Specifies descriptive text for user authentication that appears on the user's browser when the request is made to log on. Example:
        AuthName "Internal Product Information"
AuthType
    Specifies the authentication type; use Basic. Example:
        AuthType Basic
AuthUserFile
    Specifies the complete path to the user authentication file (.htpasswd). Example:
        AuthUserFile /var/www/users
AuthGroupFile
    Specifies the complete path to the text file that associates users with groups.
require
    Defines which users in the user authentication file are allowed access to the directory. Examples:
        require user zimmer1 zimmer2
        require group developers designers
        require valid-user

Apache User Authentication
- Assume you want to restrict the /newprods directory to any user in the users file:

    <Location /newprods>
        AuthName "New Product Information"
        AuthType Basic
        AuthUserFile /var/www/users
        require valid-user
    </Location>

Break

Using the csci323 Web server
- Within public_html
  - Create a directory: csci325
  - Create a simple Web page: csci325_secure.html
  - Using the notes (CSCI323 HTTP Auth), secure the csci325 directory
  - Check your security: Class page

Using a Firewall
- A firewall implements a security policy between networks
  - Our focus is between the Internet and an organization's network
- You need to limit access, especially from the Internet to your internal computers
  - Restrict access to Web servers, e-mail servers, and other related servers

Types of Filtering
- Packet filtering
  - Looks at each individual packet
  - Based on rules, it determines whether to let it pass through the firewall
- Circuit-level filtering (stateful or dynamic filtering)
  - Controls the complete communication session, not just individual packets
  - Allows traffic initiated from within the organization to return, yet restricts traffic initiated from outside
- Application-level
  - Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

A Packet-filtering Firewall
- Consists of a list of acceptance and denial rules
- A firewall independently filters what comes in and what goes out
- It is best to start with a default policy that denies all traffic, in and out
- We can reject or drop a failed packet
  - Drop (best): thrown away without response
  - Reject: an ICMP message is sent in response

Firewall on Linux - iptables
- Connections can be logged
- Initializing the firewall
  - Remove any pre-existing rules
  - Set the default policy to drop packets

    iptables --flush
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP

- At this point nothing comes in and nothing goes out

Describing the Packets to Accept
- -A (append rule)
- INPUT or OUTPUT (the chain)
- -i eth0 (input interface) or -o eth0 (output interface)
- -p tcp or -p udp (protocol type)
- -s, -d (source, destination address)
- --sport, --dport (source, destination port)
- -j ACCEPT (target: accept the packet that matched this rule)

Allowing Access to Web Server
- Allow packets from any address with an unprivileged port to the address of our server, destined to port 80:

    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT

- Allow packets to go out port 80 from our server to any unprivileged port at any address:

    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

Allowing Access to DNS
- DNS uses port 53: UDP for resolving, TCP for zone transfers

    iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

Allowing Access to FTP
- Port 21 for data, port 20 for control
- Data is transferred through unprivileged ports
  - Opening unprivileged ports can be a problem

    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
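The last pair of FTP rules opens every unprivileged port, which is what the slide flags as a problem. As an added example (not from the slides), the following models the INPUT chain built across the Web, DNS and FTP slides with the default policy DROP and counts the server ports it actually exposes; the address, ports and option fields are the slides' own, while the rule representation and the test packets are constructed here (no connection tracking is modeled).

```python
SERVER = "192.168.1.10"          # the -d address used throughout the slides
UNPRIV = (1024, 65535)           # the --sport/--dport 1024:65535 range

def rule(proto, dport, sport=UNPRIV, dst=SERVER, target="ACCEPT"):
    """One '-A INPUT -p proto --sport a:b -d dst --dport c:d -j target' rule."""
    if isinstance(dport, int):
        dport = (dport, dport)
    return {"proto": proto, "sport": sport, "dst": dst, "dport": dport, "target": target}

# The INPUT rules from the Web, DNS and FTP slides, in the order they were appended
INPUT_CHAIN = [
    rule("tcp", 80),                      # Web server
    rule("udp", 53), rule("tcp", 53),     # DNS resolving / zone transfers
    rule("tcp", 21), rule("tcp", 20),     # FTP
    rule("tcp", UNPRIV),                  # FTP data on unprivileged ports
]

def in_range(port, rng):
    return rng[0] <= port <= rng[1]

def filter_input(pkt, chain=INPUT_CHAIN, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies."""
    for r in chain:
        if (pkt["proto"] == r["proto"] and pkt["dst"] == r["dst"]
                and in_range(pkt["sport"], r["sport"])
                and in_range(pkt["dport"], r["dport"])):
            return r["target"]
    return policy

def exposed_ports(chain=INPUT_CHAIN, proto="tcp"):
    """Server destination ports that some ACCEPT rule makes reachable for proto."""
    ports = set()
    for r in chain:
        if r["proto"] == proto and r["target"] == "ACCEPT":
            ports.update(range(r["dport"][0], r["dport"][1] + 1))
    return ports

if __name__ == "__main__":
    def pkt(dport, proto="tcp", sport=40000):
        return {"proto": proto, "sport": sport, "dst": SERVER, "dport": dport}
    print(filter_input(pkt(80)), filter_input(pkt(22)), filter_input(pkt(3306)))
    # ACCEPT DROP ACCEPT: port 3306 was never meant to be reachable from outside,
    # but the broad FTP-data rule lets it through.  Without that rule only the
    # four intended TCP ports (20, 21, 53, 80) are open.
    print(len(exposed_ports()), len(exposed_ports(INPUT_CHAIN[:-1])))   # 64516 4
```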

Using a Proxy Server
- A proxy server delivers content on behalf of a user or server application
- Proxy servers need to understand the protocol of the application that they proxy, such as HTTP or FTP
- Forward proxy servers isolate users from the Internet
  - Users contact the proxy server, which gets the Web page
- Reverse proxy servers isolate the Web server environment from the Internet
  - When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

Using Intrusion Detection Software
- Intrusion detection is designed to show you that your defenses have been penetrated
- Microsoft ISA Server only detects specific types of intrusion
- In Linux, Tripwire tracks changes to files

Tripwire
- Tripwire allows you to set policies that let you monitor any changes to the files on the system
- Tripwire can detect file additions, file deletions, and changes to existing files
- By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Tripwire
- After installing Tripwire, you configure the policy file to determine which files to monitor
- A default list of files is included, but it will take time to refine the list
- A report can be produced to find out which files have been added, changed, and deleted
  - Usually, it runs automatically at night
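As an added example, not Tripwire's own code, here is the core of what the two Tripwire slides describe: take a baseline of digests and permission bits over a directory tree, compare a later snapshot against it, and report additions, deletions and changes. The directory tree, file contents and the "unauthorized" edits are constructed inside the demo function; Tripwire's policy file and signed database are not modeled.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (POSIX relative path) to (sha256, mode)."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            db[p.relative_to(root).as_posix()] = (digest, p.stat().st_mode & 0o7777)
    return db

def compare(baseline, current):
    """Classify differences the way a Tripwire report does: added, deleted, changed.
    A file counts as changed if its content or its permission bits differ."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(f for f in both if baseline[f] != current[f]),
    }

def demo():
    """Build a constructed tree, baseline it, tamper with it, return the report."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = snapshot(root)                      # what 'tripwire --init' records
        # Simulated unauthorized changes made after the baseline was taken
        (root / "bin" / "ls").write_bytes(b"\x7fELF modified")        # replaced binary
        with open(root / "etc" / "passwd", "a") as fh:                # extra uid-0 account
            fh.write("newacct:x:0:0::/:/bin/bash\n")
        (root / "etc" / "httpd.conf").unlink()                        # config removed
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/sbin/tripwire --check\n")
        return compare(baseline, snapshot(root))       # what 'tripwire --check' reports
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```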

Summary
- Every computer connected to the Internet represents a potential target for attack
- Hackers can gather data and modify systems
- SSL can secure data transmission
- Keep each server to a single purpose, such as Web server or e-mail
- Keep applications and services to a minimum

Summary
- User authentication controls access to one or more Web server directories
- Firewalls control access policies between networks
- A proxy server delivers content on behalf of a user or server application
- Intrusion detection software identifies intrusions but typically does not prevent them