Slide 1

Web Server Administration

Chapter 10: Securing the Web Environment

Slide 2

- Identify threats and vulnerabilities
- Secure data transmission
- Secure the operating system
- Secure server applications

Slide 3

- Authenticate Web users
- Use a firewall
- Use a proxy server
- Use intrusion detection software

Slide 4

Identifying Threats and Vulnerabilities

- Focus is on threats from the Internet
- Hackers sometimes want the challenge of penetrating a system and vandalizing it; other times they are after data
  - Data can be credit card numbers, user names and passwords, other personal data
- Information can be gathered while it is being transmitted
- Often, operating system flaws can assist the hacker

Slide 5

Examining TCP/IP

- the intricacy of TCP/IP
- header most relevant to security

Slide 6

TCP: Delivering Data to Applications

- Important header fields
  - Source and destination ports
  - Sequence number, data offset
  - Flags, such as SYN, ACK, FIN
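The header fields listed above are easiest to understand by decoding a real segment. The following is an added example, not part of the original slides: a parser for the fixed 20-byte TCP header that extracts the ports, sequence number, data offset and flag bits, plus a small builder used only to construct the sample segment (the ports and sequence numbers in the sample are constructed values).

```python
import struct

# Flag bits carried in the low bits of the offset/flags word (RFC 793 layout).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and return the fields the slide names."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack,
     offset_flags, window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4   # header length in bytes (top 4 bits, in 32-bit words)
    flag_bits = offset_flags & 0x01FF         # low 9 bits carry the flags
    flags = [name for name, bit in TCP_FLAGS.items() if flag_bits & bit]
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "flags": flags,
        "payload": segment[data_offset:],
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a 20-byte header without options; used here only to construct sample segments."""
    flag_bits = 0
    for f in flags:
        flag_bits |= TCP_FLAGS[f]
    offset_flags = (5 << 12) | flag_bits   # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


# Constructed sample: a client on ephemeral port 40000 opening a connection to port 80.
SAMPLE_SYN = build_tcp_header(40000, 80, 1000, 0, ["SYN"])

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SYN))
```

The checksum and urgent pointer are unpacked but not validated; a filtering or detection tool would look first at the port pair and the SYN/ACK/FIN/RST combination, which is why the slide singles out those fields.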

Slide 7

Vulnerabilities of DNS

- Historically, DNS has had security problems
- BIND is the most common implementation of DNS, and some older versions had serious bugs
- BIND 9, the current version, has been more secure

Slide 8

Vulnerabilities in Operating Systems

- Operating systems are large and complex, which means that there are more opportunities for attack
- Although Windows has had its share of problems, inattentive administrators often fail to implement patches when available
- Some attacks, such as buffer overruns, can allow the attacker to take over the computer

Slide 9

Vulnerabilities in Web Servers

- Static HTML pages pose virtually no problem
- Programming environments and databases add complexity that a hacker can exploit
- Programmers often do not have time to focus on security

Slide 10

Vulnerabilities of E-mail Servers

- By design, e-mail servers are open
- E-mail servers can be harmed by a series of very large e-mail messages
- Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
- Viruses can be sent to e-mail users
- Retrieving e-mail over the Internet often involves sending your user name and password as clear text

Slide 12

Secure Sockets Layer (SSL)

- A digital certificate issued by a certification authority (CA) identifies an organization
- The public key infrastructure (PKI) defines the system of CAs and certificates
- Public key cryptography depends on two keys
  - A public key is shared with everyone
  - The public key can be used to encrypt data
  - Only the owner of the public key has the corresponding private key, which is needed to decrypt the data

Slide 13

Establishing an SSL Connection

Slide 14

Using SSH for Tunneling

- Tunneling allows you to use an insecure protocol, such as POP3, through a secure connection, such as SSH
- To set up tunneling
  - Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)
  - Configure the SSH client to connect to POP3 port 110
  - Log in to the SSH client
  - Direct the e-mail client to port 55555 and log in to the e-mail server

Slide 15

Securing the Operating System

- Use the server for only necessary tasks
- Minimize user accounts
- Disable services that are not needed
- Make sure that you have a secure password
  - In addition to using upper case, lower case, numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255
  - Check a table of ALT values to avoid common characters
  - The use of the ALT key will thwart most hackers

Slide 16

Securing Windows

- needed in Windows for most Internet-based server applications
- the configuration to make it more secure, such as disabling short file names

Slide 17

Securing Linux

- As with Windows, make sure that you only run daemons (services) that you need
- Generally, daemons are disabled by default
- The command netstat -l gives you a list of daemons that are running
- Use chkconfig to enable and disable daemons
  - chkconfig imap on would enable imap

Slide 18

Securing E-mail

- You have already seen the ability to tunnel POP3, which would prevent data from being seen
- Exchange 2000 can also use SSL for the protocols it uses
- To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox

Slide 19

Securing the Web Server

- Enable the minimum features
  - If you don't need a programming language, do not enable it
- Make sure programmers understand security issues
- Implement SSL where appropriate

Slide 20

Securing the Web Server: Apache Directories

- You can restrict access to directories by using "allow" and "deny"
- The following only allows computers with the two IP addresses to access

Slide 21

Securing the Web Server: IIS

- The URLScan utility blocks potentially harmful page requests
- The IIS Lockdown utility has templates to ensure that you only enable what you need
- Change NTFS permissions in \inetpub\wwwroot from Everyone Full Control to Everyone Execute
- In IIS 5, delete the \samples, \IISHelp and \MSADC folders
- Delete extensions you do not use, such as htr, idc, stm, and others

Slide 22

Authenticating Web Users

- Both Apache and IIS use HTTP to enable authentication
  - The browser tries to access a protected directory and fails
  - The server then requests authentication from the user in a dialog box
  - The browser accesses the directory with the user information
- Used in conjunction with SSL

Slide 23

Configuring User Authentication in IIS

- Four types of authenticated access
  - Windows integrated authentication
  - Digest authentication for Windows domain servers
  - Basic authentication
  - Passport authentication

Slide 24

User Authentication in Apache

- common
- kept in a separate file
- Create password file
  - -c creates the users file
  - -b adds a password when creating user

htpasswd -c users mnoia
htpasswd users fpessoa
htpasswd -b users lcamoes lusiades

Slide 25

Apache User Authentication Directives

AuthName
  Specifies descriptive text for user authentication that appears in the user's browser when the request is made to log on.
  Example: AuthName "Internal Product Information"

AuthType
  Specifies the authentication type. Digest is not supported, so use Basic.
  Example: AuthType Basic

AuthUserFile
  Specifies the complete path to the user authentication file.
  Example: AuthUserFile /var/www/users

AuthGroupFile
  Specifies the complete path to the text file that associates users with groups.

require
  Defines which users in the user authentication file are allowed access to the directory.
  Examples:
  require user fpessoa lcamoes
  require group developers designers
  require valid-user
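The three slides above (the HTTP challenge sequence, the htpasswd user file, and the AuthName/AuthType/require directives) describe one mechanism, so here is a single added example that walks through it; it is not code from the original slides or from Apache. It loads a constructed htpasswd-style file in the `{SHA}` format that `htpasswd -s` writes (the user names follow the slide, the passwords are made up), answers the first request with a 401 challenge carrying the realm from AuthName, decodes the Basic header on the second request, and applies a `require user ...` or `require valid-user` rule.

```python
import base64
import hashlib
import hmac


def sha_entry(password: bytes) -> str:
    """The {SHA} digest form that 'htpasswd -s' stores: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


# Constructed user file; names mirror the slide's htpasswd examples, passwords are invented.
HTPASSWD_TEXT = "\n".join([
    "mnoia:" + sha_entry(b"secret1"),
    "fpessoa:" + sha_entry(b"secret2"),
    "lcamoes:" + sha_entry(b"lusiades"),
])

REALM = "Internal Product Information"   # the AuthName text shown in the browser dialog


def load_htpasswd(text: str) -> dict:
    users = {}
    for line in text.splitlines():
        if ":" in line:
            name, digest = line.split(":", 1)
            users[name.strip()] = digest.strip()
    return users


def check_password(users: dict, name: str, password: str) -> bool:
    """Recompute the {SHA} digest and compare in constant time."""
    stored = users.get(name)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(sha_entry(password.encode()), stored)


def handle_request(headers: dict, users: dict, require=("valid-user",)):
    """One round of the Basic challenge/response; returns (status, response headers).
    `require` mirrors the Apache directive: ("valid-user",) or ("user", "fpessoa", ...)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge            # first request: no credentials yet
    try:
        name, password = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 400, {}
    if not check_password(users, name, password):
        return 401, challenge            # wrong password: challenge again
    if require[0] == "user" and name not in require[1:]:
        return 403, {}                   # authenticated but not in the require list
    return 200, {}


def basic_header(name: str, password: str) -> str:
    """What the browser sends on the second request: base64 of user:password, not encrypted."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_TEXT)
    print(handle_request({}, users))
    print(handle_request({"Authorization": basic_header("fpessoa", "secret2")}, users))
```

`basic_header` makes the slide's last point visible: the credential is only base64-encoded, so anyone watching the connection can read it, which is why Basic authentication is paired with SSL.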

Slide 27

Using a Firewall

- A firewall implements a security policy between networks
  - Our focus is between the Internet and an organization's network
- You need to limit access, especially from the Internet to your internal computers
  - Restrict access to Web servers, e-mail servers, and other related servers

Slide 28

Types of Filtering

- Looks at each individual packet
- Based on rules, it determines whether to let it pass through the firewall

Slide 29

- It is best to start with a default policy that denies all traffic, in and out
- We can reject or drop a failed packet
  - Drop (best): thrown away without response
  - Reject: ICMP message sent in response

Slide 30

Firewall on Linux: iptables

- Connections can be logged
- Initializing the firewall
  - Remove any pre-existing rules
    iptables -F
  - Set default policy to drop packets
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
  - At this point nothing comes in and nothing goes out

Slide 31

Describing the Packets to

- -p tcp or -p udp (protocol type)
- -s, -d (source, destination address)
- --sport, --dport (source, destination port)
- -j ACCEPT (this is a good rule)

Slide 32

Allowing Access to Web Server

- Allow packets from any address with an unprivileged port to the address on our server destined to port 80
  - The following should be on a single line

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT

- Allow packets to go out port 80 from our server to any unprivileged port at any address

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

Slide 33

Allowing Access to DNS

- DNS uses port 53
  - UDP for resolving, TCP for zone transfers

iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

Slide 34

Allowing Access to FTP

- Port 21 for data, port 20 for control
- Data is transferred through unprivileged ports
  - Opening unprivileged ports can be a problem

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
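To show what the rules on slides 29 to 34 actually decide, here is an added example (not from the slides, and not iptables itself): a small packet-filter simulator with the same semantics, a default policy per chain, rules appended in order, first match wins, and `None` meaning "any" for a field. The server address 192.168.1.10 and the port ranges are the slide's; the remote addresses in the checks are constructed. It also exercises the caveat on the FTP slide: the last rule pair, which admits any unprivileged-to-unprivileged connection, lets traffic through to a service the rules never meant to expose.

```python
SERVER = "192.168.1.10"
UNPRIV = (1024, 65535)          # the slide's 1024:65535 port range


def rule(chain, proto=None, sport=None, dport=None, src=None, dst=None, target="ACCEPT"):
    """One iptables-style rule. None means 'any'; port fields are (low, high) ranges."""
    return {"chain": chain, "proto": proto, "sport": sport, "dport": dport,
            "src": src, "dst": dst, "target": target}


def pkt(chain, proto, src, sport, dst, dport):
    """A packet as the filter sees it: INPUT for arriving, OUTPUT for leaving."""
    return {"chain": chain, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def in_range(value, rng):
    return rng is None or rng[0] <= value <= rng[1]


def matches(r, p):
    return (r["chain"] == p["chain"]
            and (r["proto"] is None or r["proto"] == p["proto"])
            and in_range(p["sport"], r["sport"])
            and in_range(p["dport"], r["dport"])
            and (r["src"] is None or r["src"] == p["src"])
            and (r["dst"] is None or r["dst"] == p["dst"]))


def filter_packet(rules, policy, p):
    """First matching rule wins (iptables -A order); otherwise the chain's policy applies."""
    for r in rules:
        if matches(r, p):
            return r["target"]
    return policy[p["chain"]]


# Slide 30: after 'iptables -F' and 'iptables -P ... DROP' nothing passes.
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}

# Slide 32: the two web rules.
WEB_RULES = [
    rule("INPUT", "tcp", sport=UNPRIV, dport=(80, 80), dst=SERVER),
    rule("OUTPUT", "tcp", sport=(80, 80), dport=UNPRIV, src=SERVER),
]

# Slide 34, last pair: unprivileged port to unprivileged port in both directions.
FTP_DATA_RULES = [
    rule("INPUT", "tcp", sport=UNPRIV, dport=UNPRIV, dst=SERVER),
    rule("OUTPUT", "tcp", sport=UNPRIV, dport=UNPRIV, src=SERVER),
]


if __name__ == "__main__":
    web = pkt("INPUT", "tcp", "203.0.113.5", 40000, SERVER, 80)       # constructed client
    db = pkt("INPUT", "tcp", "203.0.113.5", 40000, SERVER, 3306)      # unrelated service
    print("web:", filter_packet(WEB_RULES, POLICY, web))
    print("3306 with web rules only:", filter_packet(WEB_RULES, POLICY, db))
    print("3306 with FTP data rules:", filter_packet(WEB_RULES + FTP_DATA_RULES, POLICY, db))
```

The simulator has no notion of connection state, and neither do the slide's rules; in later iptables releases the usual way to admit FTP data connections without opening the whole unprivileged range is to match on connection tracking state (`-m state --state ESTABLISHED,RELATED` with the FTP helper loaded), which is a fact about iptables rather than something the slides cover. Note also that in the FTP standard, port 21 carries the control channel and port 20 the active-mode data channel.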

Slide 35

Using a Proxy Server

- A proxy server delivers content on behalf of a user or server application
- Proxy servers need to understand the protocol of the application that they proxy, such as HTTP or FTP
- Forward proxy servers isolate users from the Internet
  - Users contact the proxy server, which gets the Web page
- Reverse proxy servers isolate the Web server environment from the Internet
  - When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

Slide 36

Using Intrusion Detection Software

- Intrusion detection is designed to show you that your defenses have been penetrated
- Microsoft ISA Server only detects specific types of intrusion
- In Linux, Tripwire tracks changes to files

Slide 37

- Tripwire allows you to set policies that let you monitor any changes to the files on the system
- Tripwire can detect file additions, file deletions, and changes to existing files
- By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

Slide 38

- After installing Tripwire, you configure the policy file to determine which files to monitor
- A default list of files is included, but it will take time to refine the list
- A report can be produced to find out which files have been added, changed, and deleted
  - Usually, it runs automatically at night
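The baseline-and-compare cycle that slides 37 and 38 describe is simple enough to show end to end. The following is an added example, not Tripwire's code: it hashes every file under a directory into a baseline (the "policy" scope), takes a second snapshot later, and reports additions, deletions and changes. The `demo` function builds a constructed scenario in a temporary directory, with invented file names, so it runs offline.

```python
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Baseline: relative path -> digest for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """The three categories a Tripwire report lists: added, deleted, changed."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo() -> dict:
    """Constructed scenario: one config file edited, one script removed, one new file dropped in."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("httpd.conf", b"Listen 80\n"),
                           ("index.html", b"<h1>hello</h1>\n"),
                           ("old.cgi", b"#!/bin/sh\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)                      # what a nightly run would store

        with open(os.path.join(root, "httpd.conf"), "ab") as f:
            f.write(b"ServerTokens Full\n")            # unexpected edit
        os.remove(os.path.join(root, "old.cgi"))       # deletion
        with open(os.path.join(root, "upload.php"), "wb") as f:
            f.write(b"<?php\n")                        # new file nobody approved

        return compare(baseline, snapshot(root))       # the report


if __name__ == "__main__":
    print(demo())
```

Deciding which of the reported changes were authorized is still the administrator's job, as the slide says; the tool only makes the list reliable. A real deployment keeps the baseline somewhere the monitored host cannot silently rewrite it, otherwise an intruder who edits files can also edit the record of what they should look like.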

Slide 39

Intrusion Detection in ISA Server

- The following intrusions are tracked
- Denial-of-Service attack
- that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash
- include large file attachments, which can cause a server to crash.
- a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.
- ports that are scanned (checked) before an alert is issued
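Two of the patterns on this slide can be checked mechanically from packet summaries. The block below is an added example, not ISA Server's logic: given records of the kind a TCP header parser produces, it flags the same-source-and-destination packet, collects the ports on which a remote host sent SYN, received RST back and never closed with FIN (the slide's "IP half scan"), and raises an alert once a host has probed a configurable number of ports. The packet records are constructed; one remote host probes five closed ports, another completes a normal handshake and FIN close on port 80.

```python
from collections import defaultdict

SERVER = "192.168.1.10"   # the server address from the firewall slides

# Constructed packet summaries (addresses, ports and flags only).
SAMPLE_PACKETS = []
for port in range(21, 26):                      # remote 203.0.113.9 probes five closed ports
    SAMPLE_PACKETS.append({"src": "203.0.113.9", "dst": SERVER, "sport": 40000 + port,
                           "dport": port, "flags": ["SYN"]})
    SAMPLE_PACKETS.append({"src": SERVER, "dst": "203.0.113.9", "sport": port,
                           "dport": 40000 + port, "flags": ["RST", "ACK"]})
SAMPLE_PACKETS += [                              # remote 198.51.100.7 uses port 80 normally
    {"src": "198.51.100.7", "dst": SERVER, "sport": 51000, "dport": 80, "flags": ["SYN"]},
    {"src": SERVER, "dst": "198.51.100.7", "sport": 80, "dport": 51000, "flags": ["SYN", "ACK"]},
    {"src": "198.51.100.7", "dst": SERVER, "sport": 51000, "dport": 80, "flags": ["ACK"]},
    {"src": "198.51.100.7", "dst": SERVER, "sport": 51000, "dport": 80, "flags": ["FIN", "ACK"]},
]


def is_land_packet(p: dict, server: str) -> bool:
    """Source equals destination equals our own address: the self-connect DoS on the slide."""
    return p["src"] == p["dst"] == server


def half_scan_ports(packets, server: str) -> dict:
    """Per remote host: server ports where a SYN was answered with RST and no FIN followed."""
    syn_seen, rst_back, fin_seen = set(), set(), set()   # keyed by (remote, server port)
    for p in packets:
        if p["dst"] == server:
            key = (p["src"], p["dport"])
            if "SYN" in p["flags"] and "ACK" not in p["flags"]:
                syn_seen.add(key)
            if "FIN" in p["flags"]:
                fin_seen.add(key)
        elif p["src"] == server and "RST" in p["flags"]:
            rst_back.add((p["dst"], p["sport"]))
    probed = defaultdict(set)
    for remote, port in (syn_seen & rst_back) - fin_seen:
        probed[remote].add(port)
    return dict(probed)


def port_scan_alerts(packets, server: str, threshold: int = 5) -> list:
    """Hosts that probed at least `threshold` distinct ports (the slide's 'ports scanned
    before an alert is issued' setting)."""
    return sorted(host for host, ports in half_scan_ports(packets, server).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    print(half_scan_ports(SAMPLE_PACKETS, SERVER))
    print(port_scan_alerts(SAMPLE_PACKETS, SERVER))
```

The threshold is the tuning knob the slide mentions: set too low it fires on a client retrying a closed port, set too high a slow scan spread across many hosts never trips it, which is why such alerts are usually read alongside the firewall's own drop logs.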

Slide 40

- Every computer connected to the Internet represents a potential target for attack
- Hackers can gather data and modify systems
- SSL can secure data transmission
- Keep each server to a single purpose, such as Web server or e-mail
- Keep applications and services to a minimum

Slide 41

- A proxy server delivers content on behalf of a user or server application
- Intrusion detection software identifies intrusions but typically does not prevent them

Posted: 22/02/2018, 14:51
