Academic year: 2022


(1)

Web Server Administration

Chapter 10

Securing the Web Environment

(2)

Overview

■ Identify threats and vulnerabilities

■ Secure data transmission

■ Secure the operating system

■ Secure server applications

(3)

Overview

■ Authenticate Web users

■ Use a firewall

■ Use a proxy server

■ Use intrusion detection software

(4)

Identifying Threats and Vulnerabilities

■ Focus is on threats from the Internet

■ Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data

Data can be credit card numbers, user names and passwords, other personal data

■ Information can be gathered while it is being transmitted

■ Often, operating system flaws can assist the hacker

(5)

Examining TCP/IP

■ Hackers often take advantage of the intricacy of TCP/IP

■ The following are parts of the IP header most relevant to security

Source address

Destination address

Packet identification, flags, fragment offset

Total length

Protocol – TCP, UDP, ICMP

(6)

TCP - Delivering Data to Applications

■ Important header fields

Source and destination ports

Sequence number, data offset

Flags, such as SYN, ACK, FIN

■ Establishing a TCP connection
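As an added example (not part of the slides), a Python parser that pulls the IP and TCP header fields named on slides 5 and 6 out of a raw packet and labels where a segment sits in the three-way handshake. The 40-byte packet is constructed inline from made-up addresses, ports and checksums; nothing here is a real capture.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_sample_packet() -> bytes:
    """Constructed 40-byte packet: a 20-byte IPv4 header followed by a 20-byte TCP header
    carrying a bare SYN (addresses, ports and checksums are made up, not captured)."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (20-byte header)
        0,                         # DSCP / ECN
        40,                        # total length: IP header + TCP header, no payload
        0x1234,                    # packet identification
        0x4000,                    # flags (DF set) + fragment offset 0
        64,                        # TTL
        6,                         # protocol 6 = TCP
        0,                         # header checksum (not computed in this sample)
        bytes([192, 168, 0, 3]),   # source address
        bytes([192, 168, 1, 10]),  # destination address
    )
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        40123,   # source port (unprivileged)
        80,      # destination port (HTTP)
        1000,    # sequence number
        0,       # acknowledgement number
        5 << 4,  # data offset 5 (20-byte header) in the high nibble, reserved bits 0
        0x02,    # flags: SYN only, the first step of the three-way handshake
        65535,   # window
        0,       # checksum (not computed in this sample)
        0,       # urgent pointer
    )
    return ip_header + tcp_header


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 fields the slide calls out; 'payload' is what the next layer parses."""
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": packet[header_len:total_length],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode ports, sequence number, data offset and the flag bits."""
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": data_offset,
        "window": window,
        "flags": [name for name, bit in TCP_FLAG_BITS.items() if flags & bit],
        "payload": segment[data_offset:],
    }


def describe(packet: bytes) -> dict:
    """Parse both layers and label where a TCP segment sits in connection establishment."""
    ip = parse_ipv4(packet)
    result = {"ip": ip}
    if ip["protocol"] == "TCP":
        tcp = parse_tcp(ip["payload"])
        flags = set(tcp["flags"])
        if flags == {"SYN"}:
            step = "1: SYN (client opens)"
        elif flags == {"SYN", "ACK"}:
            step = "2: SYN-ACK (server answers)"
        elif "ACK" in flags:
            step = "3+: ACK (established / data)"
        else:
            step = "other"
        result["tcp"] = tcp
        result["handshake_step"] = step
    return result


if __name__ == "__main__":
    from pprint import pprint
    pprint(describe(build_sample_packet()))
```

The same two `struct` format strings work on bytes read from a pcap or a raw socket; the fields a firewall or IDS keys on (addresses, protocol, ports, flags, fragment offset) are exactly the ones returned here.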

(7)

Vulnerabilities of DNS

■ Historically DNS has had security problems

■ BIND is the most common implementation of DNS, and some older versions had serious bugs

■ BIND 9, the current version, has been more secure

(8)

Vulnerabilities in Operating Systems

■ Operating systems are large and complex, which means that there are more opportunities for attack

■ Although Windows has had its share of problems, inattentive administrators often fail to implement patches when available

■ Some attacks, such as buffer overruns, can allow the attacker to take over the computer

(9)

Vulnerabilities in Web servers

■ Static HTML pages pose virtually no problem

■ Programming environments and databases add complexity that a hacker can exploit

■ Programmers often do not have time to focus on security

(10)

Vulnerabilities of E-mail Servers

■ By design, e-mail servers are open

■ E-mail servers can be harmed by a series of very large e-mail messages

■ Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server

■ Viruses can be sent to e-mail users

■ Retrieving e-mail over the Internet often involves sending your user name and password as clear text

(11)

Securing Data Transmission

■ To secure data on a network that is accessible to others, you need to encrypt the data

■ SSL is the most common method of encrypting data between a browser and Web server

■ Secure Shell (SSH) is a secure replacement for Telnet

(12)

Secure Sockets Layer (SSL)

■ A digital certificate issued by a certification authority (CA) identifies an organization

■ The public key infrastructure (PKI) defines the system of CAs and certificates

■ Public key cryptography depends on two keys

A public key is shared with everyone

The public key can be used to encrypt data

Only the owner of the public key has the corresponding private key, which is needed to decrypt the data

(13)

Establishing an SSL Connection

(14)

Using SSH for Tunneling

■ Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH

■ To set up tunneling

Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)

Configure the SSH client to connect to POP3 port 110

Log in to the SSH client

Direct the e-mail client to port 55555 and log in to the e-mail server

(15)

Securing the Operating System

■ Use the server for only necessary tasks

■ Minimize user accounts

■ Disable services that are not needed

■ Make sure that you have a secure password

In addition to using upper case, lower case, numbers and symbols, hold down the ALT key and type a number (on the numeric keypad) from 1 to 255

Check a table of ALT values to avoid common characters

The use of the ALT key will thwart most hackers

(16)

Securing Windows

There are many services that are not needed in Windows for most Internet-based server applications

Alerter

Computer browser

DHCP client

DNS client

Messenger

Server

Workstation

Also, the registry can be used to alter the configuration to make it more secure, such as disabling short file names

(17)

Securing Linux

■ As with Windows, make sure that you only run daemons (services) that you need

■ Generally, daemons are disabled by default

■ The command netstat -l gives you a list of daemons that are running

■ Use chkconfig to enable and disable daemons

chkconfig imap on would enable imap

(18)

Securing E-mail

■ You have already seen the ability to tunnel POP3, which would prevent data from being seen

■ Exchange 2000 can also use SSL for the protocols it uses

■ To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox

(19)

Securing the Web Server

■ Enable the minimum features

■ If you don't need a programming language, do not enable it

■ Make sure programmers understand security issues

■ Implement SSL where appropriate

(20)

Securing the Web Server - Apache Directories

■ You can restrict access to directories by using "allow" and "deny"

■ The following only allows computers with the two IP addresses to access the directory (the lists are evaluated in the stated order and the later one wins, so deny everyone first and then allow the two addresses)

<Directory "/var/www/html/reports">

order deny,allow

deny from all

allow from 10.10.10.5 192.168.0.3

</Directory>
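As an added example (not part of the slides), a Python evaluator that applies Apache 2.2's `order`/`allow`/`deny` semantics to a client address, with a small parser for those three directives. It shows why the order matters: Apache evaluates the two lists in the stated order and the later list wins, so with `order allow,deny` a trailing `deny from all` rejects every client, including the two listed addresses; admitting only those two needs `order deny,allow`, `deny from all`, then the `allow` line. The addresses beyond the slide's two, and the /24 network in the third configuration, are constructed; `Order` takes a single argument, so real Apache rejects `allow, deny` with a space, which the parser here tolerates only so the slide's text can be fed to it. Apache 2.4 replaces all of this with `Require ip`.

```python
import ipaddress


def parse_access_block(text: str) -> dict:
    """Pull order/allow/deny out of a <Directory> block. Only those three directives are
    handled; anything else (the <Directory> tags included) is ignored."""
    cfg = {"order": "deny,allow", "allow": [], "deny": []}   # Apache's default Order is Deny,Allow
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            # join tolerates "allow, deny" as typed on the slide; Apache itself requires "allow,deny"
            cfg["order"] = "".join(parts[1:]).lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            cfg[key].extend(parts[2:])
    return cfg


def host_matches(client_ip: str, specs: list) -> bool:
    """'all', a single address or a CIDR network. Apache's partial forms ('10.10') and
    hostname matching are not modelled here."""
    ip = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def client_allowed(block_text: str, client_ip: str) -> bool:
    """mod_authz_host (2.2) logic: both lists are checked; the list named second in Order
    is applied second and therefore overrides the first."""
    cfg = parse_access_block(block_text)
    allowed = host_matches(client_ip, cfg["allow"])
    denied = host_matches(client_ip, cfg["deny"])
    if cfg["order"] == "allow,deny":
        # default forbidden; a matching Allow grants, then a matching Deny revokes
        return allowed and not denied
    if cfg["order"] == "deny,allow":
        # default permitted; a matching Deny forbids, then a matching Allow restores
        return allowed or not denied
    if cfg["order"] == "mutual-failure":
        return allowed and not denied
    raise ValueError(f"unknown Order {cfg['order']!r}")


# The slide's text as typed: every client ends up denied, because "deny from all" is applied last.
AS_TYPED = """<Directory "/var/www/html/reports">
order allow, deny
allow from 10.10.10.5 192.168.0.3
deny from all
</Directory>"""

# What the slide intends: only the two listed addresses get in.
ALLOW_LIST = """<Directory "/var/www/html/reports">
order deny,allow
deny from all
allow from 10.10.10.5 192.168.0.3
</Directory>"""

# Beyond the slide: a whole constructed subnet.
SUBNET = """<Directory "/var/www/html/reports">
order deny,allow
deny from all
allow from 10.10.10.0/24
</Directory>"""

if __name__ == "__main__":
    for label, block in (("as typed", AS_TYPED), ("allow-list", ALLOW_LIST), ("subnet", SUBNET)):
        for ip in ("10.10.10.5", "192.168.0.3", "10.10.10.77", "203.0.113.7"):
            print(f"{label:10s} {ip:15s} -> {'allowed' if client_allowed(block, ip) else 'denied'}")
```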

(21)

Securing the Web Server - IIS

The URLScan utility blocks potentially harmful page requests

The IIS Lockdown utility has templates to ensure that you only enable what you need

Change NTFS permissions in \inetpub\wwwroot from Everyone Full Control to Everyone Execute

In IIS 5, delete \samples \IISHelp and \MSADC folders

Delete extensions you do not use, such as .htr, .idc, .stm, and others

(22)

Authenticating Web Users

■ Both Apache and IIS use HTTP to enable authentication

■ The browser tries to access a protected directory and the request fails

■ The server then requests authentication, and the browser prompts the user in a dialog box

■ The browser repeats the request with the user information and accesses the directory

■ Used in conjunction with SSL

(23)

Configuring User Authentication in IIS

■ Four types of authenticated access

Windows integrated authentication

Most secure – requires IE

Digest authentication for Windows domain servers

Works with proxy servers

Requires Active Directory and IE

Basic authentication

User name and password in clear text

Works with IE, Netscape, and others

Passport authentication

Centralized form of authentication

Only available on Windows Server 2003

(24)

User Authentication in Apache

■ Basic authentication is most common

■ User names and passwords are kept in a separate file

■ Create password file

■ -c creates the users file

■ -b adds a password when creating the user (the password follows the user name on the command line)

htpasswd -c users mnoia

htpasswd users fpessoa

htpasswd -b users lcamoes lusiades

(25)

Apache

User Authentication Directives

Directive – Description

require – Defines which users in the user authentication file are allowed access to the directory. Examples:

require user fpessoa lcamoes

require group developers designers

require valid-user

AuthGroupFile – Specifies the complete path to the text file that associates users with groups.

AuthUserFile – Specifies the complete path to the user authentication file. Example:

AuthUserFile /var/www/users

AuthType – Specifies the authentication type. Digest not supported so use Basic. Example:

AuthType Basic

AuthName – Specifies descriptive text for user authentication that appears on the user's browser when the request is made to log on. Example:

AuthName "Internal Product Information"

(26)

Apache

User Authentication

■ Assume you want to restrict the /newprods directory to any user in the users file

<Location /newprods>

AuthName "New Product Information"

AuthType Basic

AuthUserFile /var/www/users

require valid-user

</Location>
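As an added example covering slides 24 to 26 (not part of the slides and not Apache's own code), a Python model of what the server does once Basic authentication is configured: decode the `Authorization: Basic` header, check the user against an htpasswd-style file, and apply the `require` directive. The users file is built inline in the `{SHA}` scheme that `htpasswd -s` writes (chosen because it needs no extra library; `htpasswd -B`, bcrypt, is the stronger choice for a real file); the passwords for mnoia and fpessoa and the group file are constructed, and the outcome names returned by `authorize` are this example's own rather than Apache status codes.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def sha_hash(password: str) -> str:
    """The {SHA} scheme written by 'htpasswd -s': base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """AuthUserFile format: one 'user:hash' per line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def parse_groups(text: str) -> dict:
    """AuthGroupFile format: one 'group: user1 user2 ...' per line."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def password_ok(users: dict, username: str, password: str) -> bool:
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this example does not implement
    return hmac.compare_digest(stored, sha_hash(password))  # constant-time comparison


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """'Basic <base64(user:password)>' -> (user, password), or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def make_basic_header(username: str, password: str) -> str:
    """What the browser sends after the user fills in the dialog box."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def require_satisfied(require: str, username: str, groups: dict) -> bool:
    """The three 'require' forms from the directive table."""
    parts = require.split()
    if parts[0] == "valid-user":
        return True
    if parts[0] == "user":
        return username in parts[1:]
    if parts[0] == "group":
        return any(username in groups.get(g, set()) for g in parts[1:])
    return False


def authorize(header: Optional[str], users_text: str, groups_text: str, require: str) -> Tuple[str, Optional[str]]:
    """Authentication first, authorization second. Outcome names are this example's own;
    Apache answers a missing or wrong credential with 401 and WWW-Authenticate: Basic realm="<AuthName>"."""
    creds = parse_basic_header(header)
    if creds is None:
        return ("unauthorized", None)
    username, password = creds
    if not password_ok(parse_htpasswd(users_text), username, password):
        return ("unauthorized", None)
    if not require_satisfied(require, username, parse_groups(groups_text)):
        return ("forbidden", username)
    return ("ok", username)


# Constructed files: the users from the htpasswd slide (lcamoes's password is the slide's; the
# other two are made up) and a made-up group file.
USERS_FILE = "\n".join([
    f"mnoia:{sha_hash('constructed-pw-1')}",
    f"fpessoa:{sha_hash('constructed-pw-2')}",
    f"lcamoes:{sha_hash('lusiades')}",
])
GROUPS_FILE = "developers: fpessoa lcamoes\ndesigners: mnoia\n"

if __name__ == "__main__":
    header = make_basic_header("lcamoes", "lusiades")
    for rule in ("valid-user", "user fpessoa lcamoes", "group developers", "group designers"):
        print(f"require {rule:22s} -> {authorize(header, USERS_FILE, GROUPS_FILE, rule)}")
```

`make_basic_header` makes the slide 22/23 point concrete: the header is base64, not encryption, so anyone who can read the connection reads the password, which is why Basic authentication is paired with SSL.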

(27)

Using a Firewall

■ A firewall implements a security policy between networks

■ Our focus is between the Internet and an organization's network

■ You need to limit access, especially from the Internet to your internal computers

■ Restrict access to Web servers, e-mail servers, and other related servers

(28)

Types of Filtering

Packet filtering

Looks at each individual packet

Based on rules, it determines whether to let it pass through the firewall

Circuit-level filtering (stateful or dynamic filtering)

Controls complete communication session, not just individual packets

Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside

Application-level

Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail

(29)

A Packet-filtering Firewall

■ Consists of a list of acceptance and denial rules

■ A firewall independently filters what comes in and what goes out

■ It is best to start with a default policy that denies all traffic, in and out

■ We can reject or drop a failed packet

Drop – (best) thrown away without response

Reject – ICMP message sent in response

(30)

Firewall on Linux - iptables

■ Connections can be logged

■ Initializing the firewall

■ Remove any pre-existing rules

iptables --flush

■ Set default policy to drop packets

iptables --policy INPUT DROP

iptables --policy OUTPUT DROP

■ At this point nothing comes in and nothing goes out

(31)

Describing the Packets to Accept

■ -A (Append rule)

■ INPUT or OUTPUT

■ -i eth0 (input interface) or –o eth0 (output)

■ -p tcp or -p udp (protocol type)

■ -s , -d (source, destination address)

■ --sport, --dport (source, destination port)

■ -j ACCEPT (this is a good rule)

(32)

Allowing Access to Web Server

■ Allow packets from any address with an unprivileged port to the address on our server destined to port 80

The following should be on a single line

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT

■ Allow packets to go out port 80 from our server to any unprivileged port at any address

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT

(33)

Allowing Access to DNS

■ DNS uses port 53

■ UDP for resolving, TCP for zone transfers

iptables -A INPUT -i eth0 -p udp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 53 --dport 1024:65535 -j ACCEPT

(34)

Allowing Access to FTP

■ Port 21 for data, port 20 for control

■ Data is transferred through unprivileged ports

Opening unprivileged ports can be a problem

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
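As an added example covering slides 29 to 34 (not part of the slides, and not iptables itself), a Python model of a packet-filtering firewall that reads the slides' own `iptables` command lines (`--flush`, `--policy`, `-A` with the options listed on slide 31) and gives a verdict for a packet the way the INPUT and OUTPUT chains do: first matching rule decides, otherwise the chain's default policy. The packets and the client addresses are constructed; the server address is the slides' 192.168.1.10. It also shows the point made on slide 34: once the FTP data rules admit any unprivileged port in both directions, an inbound connection to an unrelated service on an unprivileged port is accepted too.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]


@dataclass
class Rule:
    chain: str = ""
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None
    target: str = "ACCEPT"


def parse_ports(spec: str) -> PortRange:
    """'80' -> (80, 80); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_append(tokens: list) -> Rule:
    """Options of an 'iptables -A CHAIN ...' command; only those used on the slides are modelled."""
    rule = Rule()
    for opt, arg in zip(tokens[::2], tokens[1::2]):
        if opt == "-A":
            rule.chain = arg
        elif opt in ("-i", "-o"):          # -i input interface, -o output interface
            rule.iface = arg
        elif opt == "-p":
            rule.proto = arg.lower()
        elif opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-d":
            rule.dst = ipaddress.ip_network(arg, strict=False)
        elif opt == "--sport":
            rule.sport = parse_ports(arg)
        elif opt == "--dport":
            rule.dport = parse_ports(arg)
        elif opt == "-j":
            rule.target = arg
        else:
            raise ValueError(f"option not modelled: {opt}")
    if rule.chain not in ("INPUT", "OUTPUT"):
        raise ValueError("only the INPUT and OUTPUT chains are modelled")
    return rule


class Firewall:
    """Two chains, each a rule list plus a default policy (iptables starts with ACCEPT)."""

    def __init__(self):
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}
        self.rules = {"INPUT": [], "OUTPUT": []}

    def run(self, cmd: str) -> None:
        tokens = shlex.split(cmd.replace("\u2013", "-"))  # tolerate en-dashes pasted from slides
        if tokens and tokens[0] == "iptables":
            tokens = tokens[1:]
        if tokens[0] == "--flush":
            self.rules = {"INPUT": [], "OUTPUT": []}
        elif tokens[0] == "--policy":
            self.policy[tokens[1]] = tokens[2]
        elif tokens[0] == "-A":
            rule = parse_append(tokens)
            self.rules[rule.chain].append(rule)
        else:
            raise ValueError(f"command not modelled: {cmd}")

    @staticmethod
    def _in_range(port: int, rng: Optional[PortRange]) -> bool:
        return rng is None or rng[0] <= port <= rng[1]

    def _matches(self, rule: Rule, pkt: dict) -> bool:
        return ((rule.iface is None or rule.iface == pkt["iface"])
                and (rule.proto is None or rule.proto == pkt["proto"])
                and (rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
                and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst)
                and self._in_range(pkt["sport"], rule.sport)
                and self._in_range(pkt["dport"], rule.dport))

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules[pkt["chain"]]:
            if self._matches(rule, pkt):
                return rule.target      # first match wins
        return self.policy[pkt["chain"]]


def packet(chain, src, sport, dst, dport, proto="tcp", iface="eth0") -> dict:
    """Constructed packet summary (no real capture)."""
    return {"chain": chain, "iface": iface, "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def build(*rule_sets) -> Firewall:
    fw = Firewall()
    for cmds in rule_sets:
        for cmd in cmds:
            fw.run(cmd)
    return fw


INIT = ["iptables --flush", "iptables --policy INPUT DROP", "iptables --policy OUTPUT DROP"]
WEB_RULES = [
    "iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 80 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 80 --dport 1024:65535 -j ACCEPT",
]
FTP_DATA_RULES = [  # the last two rules of slide 34
    "iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT",
    "iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT",
]

if __name__ == "__main__":
    web_only, with_ftp = build(INIT, WEB_RULES), build(INIT, WEB_RULES, FTP_DATA_RULES)
    probe = packet("INPUT", "203.0.113.7", 40000, "192.168.1.10", 8080)
    print("inbound to 8080, web rules only:", web_only.verdict(probe))
    print("inbound to 8080, with FTP data rules:", with_ftp.verdict(probe))
```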

(35)

Using a Proxy Server

A proxy server delivers content on behalf of a user or server application

Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP

Forward proxy servers isolate users from the Internet

Users contact proxy server which gets Web page

Reverse proxy servers isolate Web server environment from the Internet

When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server

(36)

Using Intrusion Detection Software

■ Intrusion detection is designed to show you that your defenses have been penetrated

■ With Microsoft ISA Server, it only detects specific types of intrusion

■ In Linux, Tripwire tracks changes to files

(37)

Tripwire

■ Tripwire allows you to set policies that allow you to monitor any changes to the files on the system

■ Tripwire can detect file additions, file deletions, and changes to existing files

■ By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change

(38)

Tripwire

■ After installing Tripwire, you configure the policy file to determine which files to monitor

■ A default list of files is included but it will take time to refine the list

■ A report can be produced to find out which files have been added, changed, and deleted

Usually, it runs automatically at night
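As an added example for slides 37 and 38 (not part of the slides, and not Tripwire's own code), a Python file-integrity check of the same shape: take a baseline of every file under a root (SHA-256 of the contents plus size and permission bits), take another later, and report what was added, changed and deleted. The `ignore` list stands in for the policy refinement the slide mentions, since files such as logs change legitimately every day. The web root, its files and the three changes in `demo()` are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Per-file record: content hash plus the attributes a policy typically watches."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o777)}


def take_baseline(root: Path, ignore=()) -> dict:
    """Record every regular file under root, keyed by its path relative to root.
    'ignore' holds relative path prefixes to skip (the policy's exclusions)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in ignore):
            continue
        baseline[rel] = file_fingerprint(path)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """The three categories the slide names: added, changed and deleted files."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Build a constructed web root, baseline it, make three kinds of change plus one
    change in an ignored directory, and return the report a nightly run would produce."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "html").mkdir()
        (root / "html" / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "report.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "logs").mkdir()
        (root / "logs" / "access.log").write_text("line 1\n")
        ignore = ("logs/",)                       # logs are expected to change; exclude them
        baseline = take_baseline(root, ignore)

        (root / "html" / "index.html").write_text("<h1>Welcome!</h1>\n")   # changed
        (root / "cgi-bin" / "unexpected.cgi").write_text("#!/bin/sh\n")   # added
        (root / "cgi-bin" / "report.cgi").unlink()                        # deleted
        (root / "logs" / "access.log").write_text("line 1\nline 2\n")     # ignored
        return compare(baseline, take_baseline(root, ignore))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:8s} {paths}")
```

In practice the baseline is written to disk after a known-good install, protected from the web server's own account, and re-checked from cron; the value of the report depends entirely on the baseline having been taken before any compromise.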

(39)

Intrusion Detection in ISA Server

The following intrusions are tracked

Windows out-of-band (WinNuke) – A specific type of Denial-of-Service attack

Land – A spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash.

Ping of death – The server receives ICMP packets that include large file attachments, which can cause a server to crash.

IP half scan – If a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.

UDP bomb – A UDP packet with an illegal configuration.

Port scan – You determine the threshold for the number of ports that are scanned (checked) before an alert is issued.
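As an added example (not part of the slides, and not ISA Server's code), Python detection logic for three of the listed intrusions, run over a constructed list of packet summaries: Land (a SYN whose source address equals its destination), a port scan above an operator-set threshold of distinct ports probed from one source, and SYNs that the same client never follows with an ACK, which is the half-scan pattern the slide describes. The server address and all client addresses are made up.

```python
from collections import defaultdict

SERVER_IP = "192.168.1.10"   # constructed address of the protected server


def analyze(packets: list, scan_threshold: int = 10) -> dict:
    """One pass over inbound packet summaries; returns the three findings."""
    land = []
    syn_ports = defaultdict(set)   # source -> distinct destination ports probed with SYN
    pending = set()                # (src, sport, dport) SYNs waiting for the client's ACK
    completed = set()
    for p in packets:
        flags = set(p["flags"])
        if "SYN" in flags and p["src"] == p["dst"]:
            land.append(p)         # Land: the packet claims to come from its own destination
            continue
        if p["dst"] != SERVER_IP:
            continue               # only traffic toward the server is examined here
        key = (p["src"], p["sport"], p["dport"])
        if "SYN" in flags and "ACK" not in flags:
            syn_ports[p["src"]].add(p["dport"])
            pending.add(key)
        elif "ACK" in flags and key in pending:
            completed.add(key)     # handshake finished from the client's side
    half_open = defaultdict(int)
    for src, _sport, _dport in pending - completed:
        half_open[src] += 1
    return {
        "land": land,
        "port_scans": {src: sorted(ports) for src, ports in syn_ports.items()
                       if len(ports) >= scan_threshold},
        "half_open_by_source": dict(half_open),
    }


def sample_packets() -> list:
    """Constructed packet summaries, not a capture."""
    def pkt(src, sport, dst, dport, *flags):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": list(flags)}

    packets = [
        # an ordinary client: SYN to port 80, then the ACK that completes the handshake
        pkt("203.0.113.7", 40000, SERVER_IP, 80, "SYN"),
        pkt("203.0.113.7", 40000, SERVER_IP, 80, "ACK"),
    ]
    # a scanner: one SYN to each of twelve ports, never completing any handshake
    for port in range(1, 13):
        packets.append(pkt("198.51.100.9", 50000 + port, SERVER_IP, port, "SYN"))
    # a Land packet: source and destination are both the server
    packets.append(pkt(SERVER_IP, 80, SERVER_IP, 80, "SYN"))
    return packets


if __name__ == "__main__":
    findings = analyze(sample_packets())
    print("Land packets:", len(findings["land"]))
    print("Port scans:", findings["port_scans"])
    print("Half-open SYNs per source:", findings["half_open_by_source"])
```

The threshold is the same knob the slide describes for ISA Server: too low and every client that retries a closed port raises an alert, too high and a slow scan stays under it.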

(40)

Summary

■ Every computer connected to the Internet represents a potential target for attack

■ Hackers can gather data and modify systems

■ SSL can secure data transmission

■ Keep each server to a single purpose such as Web server or e-mail

■ Keep applications and services to a minimum

(41)

Summary

■ User authentication controls access to one or more Web server directories

■ Firewalls control access policies between networks

■ A proxy server delivers content on behalf of a user or server application

■ Intrusion detection software identifies intrusions but typically does not prevent them
