Preventing Web Attacks with Apache
About the Book

The only end-to-end guide to securing Apache Web servers and Web applications

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.


Table of Contents:

About the Author     xix
Foreword     xxi
Acknowledgments     xxv
Introduction     xxvii

Chapter 1     Web Insecurity Contributing Factors     1
  A Typical Morning     1
  Why Web Security Is Important     3
  Web Insecurity Contributing Factors     4
  Managerial/Procedural Issues     4
  Management and the Bottom Line     4
  Selling Loaded Guns     5
  The Two-Minute Drill     5
  Development Environment Versus Production Environment     6
  Firefighting Approach to Web Security (Reacting to Fires)     7
  Technical Misconceptions Regarding Web Security     7
  “We have our web server in a Demilitarized Zone (DMZ).”     8
  “We have a firewall.”     9
  “We have a Network-Based Intrusion Detection System.”     9
  “We have a Host-Based Intrusion Detection System.”     11
  “We are using Secure Socket Layer (SSL).”     11
  Summary     11

Chapter 2     CIS Apache Benchmark     13
  CIS Apache Benchmark for UNIX: OS-Level Issues     13
  Minimize/Patch Non-HTTP Services     13
  Example Service Attack: 7350wu–FTP Exploit     19
  Vulnerable Services’ Impact on Apache’s Security     22
  Apply Vendor OS Patches     23
  Tune the IP Stack     24
  Denial of Service Attacks     25
  Create the Web Groups and User Account     28
  Lock Down the Web Server User Account     31
  Implementing Disk Quotas     32
  Accessing OS-Level Commands     35
  Update the Ownership and Permissions of System Commands     39
  Traditional Chroot     40
  Chroot Setup Warning     41
  Mod_Security Chroot     41
  Chroot Setup     41
  Summary     50

Chapter 3     Downloading and Installing Apache     53
  Apache 1.3 Versus 2.0     53
  Using Pre-Compiled Binary Versus Source Code     54
  Downloading the Apache Source Code     56
  Why Verify with MD5 and PGP?     56
  Uncompress and Open: Gunzip and Untar     63
  Patches–Get ’em While They’re Hot!     64
  Monitoring for Vulnerabilities and Patches     66
  What Modules Should I Use?     70
  Summary     80

Chapter 4     Configuring the httpd.conf File     81
  CIS Apache Benchmark Settings     84
  The httpd.conf File     85
  Disable Un-Needed Modules     86
  Directives     86
  Server-Oriented Directives     87
  Multi-Processing Modules (MPMs)     87
  Listen     88
  ServerName     88
  ServerRoot     89
  DocumentRoot     89
  HostnameLookups     89
  User-Oriented Directives     90
  User     90
  Group     91
  ServerAdmin     91
  Denial of Service (DoS) Protective Directives     92
  Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration     92
  TimeOut     94
  KeepAlive     95
  KeepAliveTimeout     95
  MaxKeepAliveRequests     95
  StartServers     96
  MinSpareServers and MaxSpareServers     96
  ListenBacklog     96
  MaxClients and ServerLimit     97
  Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration     97
  Forward Reference     99
  Software Obfuscation Directives     99
  ServerTokens     99
  ServerSignature     101
  ErrorDocument     102
  Directory Functionality Directives     104
  All     104
  ExecCGI     104
  FollowSymLinks and SymLinksIfOwnerMatch     105
  Includes and IncludesNoExec     105
  Indexes     106
  AllowOverride     106
  Multiviews     107
  Access Control Directives     107
  Authentication Setup     108
  Authorization     109
  Order     110
  Order deny, allow     110
  Order allow, deny     110
  Access Control: Where Clients Come From     111
  Hostname or Domain     111
  IP Address and IP Range     112
  Client Request ENV     112
  Protecting the Root Directory     113
  Limiting HTTP Request Methods     114
  Logging General Directives     114
  LogLevel     114
  ErrorLog     115
  LogFormat     115
  CustomLog     115
  Removing Default/Sample Files     116
  Apache Source Code Files     116
  Default HTML Files     116
  Sample CGIs     117
  Webserv User Files     118
  Updating Ownership and Permissions     118
  Server Configuration Files     119
  DocumentRoot Files     119
  CGI-Bin     119
  Logs     120
  Bin     120
  Updating the Apachectl Script     120
  Nikto Scan After Updates     122
  Summary     122

Chapter 5     Essential Security Modules for Apache     125
  Secure Socket Layer (SSL)     125
  Why Should I Use SSL?     126
  How Does SSL Work?     128
  Software Requirements     132
  Installing SSL     133
  Creating an SSL Certificate     133
  Testing the Initial Configuration     134
  Configuring mod_ssl     137
  SSL Summary     144
  Mod_Rewrite     144
  Enabling Mod_Rewrite     145
  Mod_Rewrite Summary     147
  Mod_Log_Forensic     147
  Mod_Dosevasive     149
  What Is Mod_Dosevasive?     149
  Installing Mod_Dosevasive     149
  How Does Mod_Dosevasive Work?     150
  Configuration     151
  Mod_Dosevasive Summary     155
  Mod_Security     155
  Installing Mod_Security     156
  Mod_Security Overview     156
  Features and Capabilities of Mod_Security     157
  Anti-Evasion Techniques     158
  Special Built-In Checks     159
  Filtering Rules     162
  Actions     164
  Wait, There’s Even More!     168
  Summary     169

Chapter 6     Using the Center for Internet Security Apache Benchmark Scoring Tool     171
  Downloading, Unpacking, and Running the Scoring Tool     171
  Unpacking the Archive     173
  Running the Tool     174
  Summary     180

Chapter 7     Mitigating the WASC Web Security Threat Classification with Apache     181
  Contributors     182
  Web Security Threat Classification Description     182
  Goals     183
  Documentation Uses     183
  Overview     183
  Background     184
  Classes of Attack     184
  Threat Format     186
  Authentication     186
  Brute Force     187
  Insufficient Authentication     191
  Weak Password Recovery Validation     192
  Authorization     195
  Credential/Session Prediction     195
  Insufficient Authorization     198
  Insufficient Session Expiration     199
  Session Fixation     201
  Client-Side Attacks     205
  Content Spoofing     205
  Cross-Site Scripting     207
  Command Execution     210
  Buffer Overflow     210
  Format String Attack     215
  LDAP Injection     218
  OS Commanding     220
  SQL Injection     223
  SSI Injection     228
  XPath Injection     230
  Information Disclosure     232
  Directory Indexing     232
  Information Leakage     236
  Path Traversal     239
  Predictable Resource Location     242
  Logical Attacks     243
  Abuse of Functionality     244
  Denial of Service     246
  Insufficient Anti-Automation     250
  Insufficient Process Validation     251
  Summary     253

Chapter 8     Protecting a Flawed Web Application: Buggy Bank     255
  Installing Buggy Bank     256
  Buggy Bank Files     257
  Turn Off Security Settings     258
  Testing the Installation     258
  Functionality     261
  Login Accounts     262
  Assessment Methodology     262
  General Questions     262
  Tools Used     263
  Configuring Burp Proxy     263
  Buggy Bank Vulnerabilities     266
  Comments in HTML     266
  Enumerating Account Numbers     267
  How Much Entropy?     270
  Brute Forcing the Account Numbers     270
  Enumerating PIN Numbers     273
  Account Unlocked     274
  Account Locked     274
  Brute Forcing the PIN Numbers     276
  Command Injection     277
  Injecting Netstat     278
  SQL Injection     282
  SQL Injection Mitigation     285
  Cross-Site Scripting (XSS)     287
  Mitigations     289
  Balance Transfer Logic Flaw     290
  Mitigation     292
  Summary     293

Chapter 9     Prevention and Countermeasures     295
  Why Firewalls Fail to Protect Web Servers/Applications     296
  Why Intrusion Detection Systems Fail as Well     299
  Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls     304
  Deep Packet Inspection Firewall     304
  Inline IDS     305
  Web Application Firewall (WAF)     307
  Web Intrusion Detection Concepts     309
  Signature-Based     309
  Positive Policy Enforcement (White-Listing)     314
  Header-Based Inspection     325
  Protocol-Based Inspection     329
  Uniform Resource Identifier (URI) Inspection     336
  Heuristic-Based Inspection     339
  Anomaly-Based Inspection     340
  Web IDS Evasion Techniques and Countermeasures     342
  HTTP IDS Evasion Options     342
  Anti-Evasion Mechanisms     347
  Evasion by Abusing Apache Functionality     348
  Identifying Probes and Blocking Well-Known Offenders     352
  Worm Probes     352
  Blocking Well-Known Offenders     354
  Nmap Ident Scan     357
  Nmap Version Scanning     358
  Why Change the Server Banner Information?     359
  Masking the Server Banner Information     361
  HTTP Fingerprinting     363
  Implementation Differences of the HTTP Protocol     364
  Banner Grabbing     370
  Advanced Web Server Fingerprinting     370
  HTTPrint     371
  Web Server Fingerprinting Defensive Recommendations     373
  Bad Bots, Curious Clients, and Super Scanners     379
  Bad Bots and Curious Clients     379
  Super Scanners     381
  Reacting to DoS, Brute Force, and Web Defacement Attacks     388
  DoS Attacks     388
  Brute Force Attacks     389
  Web Defacements     392
  Defacement Countermeasures     397
  Alert Notification and Tracking Attackers     399
  Setting Up Variables     402
  Creating Historical Knowledge     403
  Filtering Out Noise and Thresholding Emails     403
  Request Snapshot and Attacker Tracking Links     403
  Send Alert to Pager     404
  Crude Pause Feature     404
  Send the HTML     404
  Example Email Alerts     404
  Log Monitoring and Analysis     412
  Real-Time Monitoring with SWATCH     413
  Heuristic/Statistical Log Monitoring with SIDS     417
  Honeypot Options     424
  Sticky Honeypot     424
  Fake PHF     425
  OS Commanding Trap and Trace     427
  Mod_Rewrite (2.1) to the Rescue     428
  Summary     429

Chapter 10     Open Web Proxy Honeypot     431
  Why Deploy an Open Web Proxy Honeypot?     431
  Lack of Knowledge That an Attack Even Occurred     432
  Lack of Verbose/Adequate Logging of HTTP Transactions     432
  Lack of Interest in Public Disclosure of the Attack     432
  What Are Proxy Servers?     433
  Open Proxy Background     434
  Open Web Proxy Honeypot     435
  Linksys Router/Firewall     435
  Turn Off Un-Needed Network Services     436
  Configure Apache for Proxy     436
  Data Control     439
  Mod_Dosevasive     439
  Mod_Security     439
  Utilizing Snort Signatures     441
  Brute Force Attacks     441
  Data Capture     442
  Real-Time Monitoring with Webspy     444
  Honeynet Project’s Scan of the Month Challenge #31     444
  The Challenge     445
  Initial Steps     446
  Question: How Do You Think the Attackers Found the Honeyproxy?     447
  Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find?     448
  Search Logs for Mod_Security-Message     449
  Utilization of the AllowCONNECT Proxying Capabilities     450
  Search Logs for Abnormal HTTP Status Codes     451
  Abnormal HTTP Request Methods     454
  Non-HTTP Compliant Requests     455
  Attack Category–SPAMMERS     457
  Attack Category–Brute Force Authentication     459
  Attack Category–Vulnerability Scans     459
  Attack Category–Web-Based Worms     465
  Attack Category–Banner/Click-Thru Fraud     468
  Attack Category–IRC Connections     469
  Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers?     470
  Did They Target SSL on Our Honeyproxy?     471
  Why Would They Want to Use SSL?     472
  Why Didn’t They Use SSL Exclusively?     472
  Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers?     473
  Identifying the Activity     473
  Confirming the Proxy Servers     475
  Targeting Specific Open Proxies     479
  Targeting Specific Destination Servers     480
  Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods.     481
  HTTP GET Requests     481
  HTTP POST Requests     482
  HTTP Basic Authentication     483
  Obtaining the Cleartext Authorization Credentials     485
  Distributed Brute Force Scan Against Yahoo Accounts     486
  Forward and Reverse Scanning     487
  Question: What Does the Mod_Security Error Message “Invalid Character Detected” Mean? What Were the Attackers Trying to Accomplish?     493
  SecFilterCheckURLEncoding–URL-Encoding Validation     493
  SecFilterCheckUnicodeEncoding–Unicode-Encoding Validation     494
  SecFilterForceByteRange–Byte Range Check     494
  SOCKS Proxy Scan     494
  Code Red/NIMDA Worm Attacks     495
  Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients?     496
  SPAM Recipients     497
  Question: Provide Some High-Level Statistics.     498
  Top Ten Attacker IP Addresses     498
  Top Ten Targets     500
  Top User-Agents (Any Weird/Fake Agent Strings?)     500
  Attacker Correlation from DShield and Other Sources?     501
  Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios.)     502
  Even Though the Proxypot’s IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner?     504
  Summary     506

Chapter 11     Putting It All Together     509
  Example Vulnerability Alert     509
  Verify the Software Version     510
  Patch Availability     510
  Vulnerability Details     511
  Creating a Mod_Security Vulnerability Filter     514
  Testing the Vulnerability Filter     515
  First Aid Versus a Hospital     516
  Web Security: Beyond the Web Server     517
  Domain Hijacking     517
  DNS Cache Poisoning     517
  Caching Proxy Defacement     519
  Banner Ad Defacement     520
  News Ticker Manipulations     521
  Defacement or No Defacement?     521
  Summary     522

Appendix A     Web Application Security Consortium Glossary     523
Appendix B     Apache Module Listing     533
Appendix C     Example httpd.conf File     549
Index     561

About the Author:

Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, “Hacker Techniques, Exploits, and Incident Handling,” course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.

Product Details
  • ISBN-13: 9780132702287
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Addison Wesley
  • Language: English
  • ISBN-10: 0132702282
  • Publisher Date: 27 Jan 2006
  • Binding: Digital download
  • No of Pages: 624