Preventing Web Attacks with Apache
About the Book

Table of Contents:

Front Matter
  • About the Author (p. xix)
  • Foreword (p. xxi)
  • Acknowledgments (p. xxv)
  • Introduction (p. xxvii)

Chapter 1: Web Insecurity Contributing Factors (p. 1)
  • A Typical Morning (p. 1)
  • Why Web Security Is Important (p. 3)
  • Web Insecurity Contributing Factors (p. 4)
  • Managerial/Procedural Issues (p. 4)
  • Management and the Bottom Line (p. 4)
  • Selling Loaded Guns (p. 5)
  • The Two-Minute Drill (p. 5)
  • Development Environment Versus Production Environment (p. 6)
  • Firefighting Approach to Web Security (Reacting to Fires) (p. 7)
  • Technical Misconceptions Regarding Web Security (p. 7)
  • “We have our web server in a Demilitarized Zone (DMZ).” (p. 8)
  • “We have a firewall.” (p. 9)
  • “We have a Network-Based Intrusion Detection System.” (p. 9)
  • “We have a Host-Based Intrusion Detection System.” (p. 11)
  • “We are using Secure Socket Layer (SSL).” (p. 11)
  • Summary (p. 11)

Chapter 2: CIS Apache Benchmark (p. 13)
  • CIS Apache Benchmark for UNIX: OS-Level Issues (p. 13)
  • Minimize/Patch Non-HTTP Services (p. 13)
  • Example Service Attack: 7350wu–FTP Exploit (p. 19)
  • Vulnerable Services’ Impact on Apache’s Security (p. 22)
  • Apply Vendor OS Patches (p. 23)
  • Tune the IP Stack (p. 24)
  • Denial of Service Attacks (p. 25)
  • Create the Web Groups and User Account (p. 28)
  • Lock Down the Web Server User Account (p. 31)
  • Implementing Disk Quotas (p. 32)
  • Accessing OS-Level Commands (p. 35)
  • Update the Ownership and Permissions of System Commands (p. 39)
  • Traditional Chroot (p. 40)
  • Chroot Setup Warning (p. 41)
  • Mod_Security Chroot (p. 41)
  • Chroot Setup (p. 41)
  • Summary (p. 50)

Chapter 3: Downloading and Installing Apache (p. 53)
  • Apache 1.3 Versus 2.0 (p. 53)
  • Using Pre-Compiled Binary Versus Source Code (p. 54)
  • Downloading the Apache Source Code (p. 56)
  • Why Verify with MD5 and PGP? (p. 56)
  • Uncompress and Open: Gunzip and Untar (p. 63)
  • Patches–Get ’em While They’re Hot! (p. 64)
  • Monitoring for Vulnerabilities and Patches (p. 66)
  • What Modules Should I Use? (p. 70)
  • Summary (p. 80)

Chapter 4: Configuring the httpd.conf File (p. 81)
  • CIS Apache Benchmark Settings (p. 84)
  • The httpd.conf File (p. 85)
  • Disable Un-Needed Modules (p. 86)
  • Directives (p. 86)
  • Server-Oriented Directives (p. 87)
  • Multi-Processing Modules (MPMs) (p. 87)
  • Listen (p. 88)
  • ServerName (p. 88)
  • ServerRoot (p. 89)
  • DocumentRoot (p. 89)
  • HostnameLookups (p. 89)
  • User-Oriented Directives (p. 90)
  • User (p. 90)
  • Group (p. 91)
  • ServerAdmin (p. 91)
  • Denial of Service (DoS) Protective Directives (p. 92)
  • Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration (p. 92)
  • TimeOut (p. 94)
  • KeepAlive (p. 95)
  • KeepAliveTimeout (p. 95)
  • MaxKeepAliveRequests (p. 95)
  • StartServers (p. 96)
  • MinSpareServers and MaxSpareServers (p. 96)
  • ListenBacklog (p. 96)
  • MaxClients and ServerLimit (p. 97)
  • Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration (p. 97)
  • Forward Reference (p. 99)
  • Software Obfuscation Directives (p. 99)
  • ServerTokens (p. 99)
  • ServerSignature (p. 101)
  • ErrorDocument (p. 102)
  • Directory Functionality Directives (p. 104)
  • All (p. 104)
  • ExecCGI (p. 104)
  • FollowSymLinks and SymLinksIfOwnerMatch (p. 105)
  • Includes and IncludesNoExec (p. 105)
  • Indexes (p. 106)
  • AllowOverride (p. 106)
  • Multiviews (p. 107)
  • Access Control Directives (p. 107)
  • Authentication Setup (p. 108)
  • Authorization (p. 109)
  • Order (p. 110)
  • Order deny, allow (p. 110)
  • Order allow, deny (p. 110)
  • Access Control: Where Clients Come From (p. 111)
  • Hostname or Domain (p. 111)
  • IP Address and IP Range (p. 112)
  • Client Request ENV (p. 112)
  • Protecting the Root Directory (p. 113)
  • Limiting HTTP Request Methods (p. 114)
  • Logging General Directives (p. 114)
  • LogLevel (p. 114)
  • ErrorLog (p. 115)
  • LogFormat (p. 115)
  • CustomLog (p. 115)
  • Removing Default/Sample Files (p. 116)
  • Apache Source Code Files (p. 116)
  • Default HTML Files (p. 116)
  • Sample CGIs (p. 117)
  • Webserv User Files (p. 118)
  • Updating Ownership and Permissions (p. 118)
  • Server Configuration Files (p. 119)
  • DocumentRoot Files (p. 119)
  • CGI-Bin (p. 119)
  • Logs (p. 120)
  • Bin (p. 120)
  • Updating the Apachectl Script (p. 120)
  • Nikto Scan After Updates (p. 122)
  • Summary (p. 122)

Chapter 5: Essential Security Modules for Apache (p. 125)
  • Secure Socket Layer (SSL) (p. 125)
  • Why Should I Use SSL? (p. 126)
  • How Does SSL Work? (p. 128)
  • Software Requirements (p. 132)
  • Installing SSL (p. 133)
  • Creating an SSL Certificate (p. 133)
  • Testing the Initial Configuration (p. 134)
  • Configuring mod_ssl (p. 137)
  • SSL Summary (p. 144)
  • Mod_Rewrite (p. 144)
  • Enabling Mod_Rewrite (p. 145)
  • Mod_Rewrite Summary (p. 147)
  • Mod_Log_Forensic (p. 147)
  • Mod_Dosevasive (p. 149)
  • What Is Mod_Dosevasive? (p. 149)
  • Installing Mod_Dosevasive (p. 149)
  • How Does Mod_Dosevasive Work? (p. 150)
  • Configuration (p. 151)
  • Mod_Dosevasive Summary (p. 155)
  • Mod_Security (p. 155)
  • Installing Mod_Security (p. 156)
  • Mod_Security Overview (p. 156)
  • Features and Capabilities of Mod_Security (p. 157)
  • Anti-Evasion Techniques (p. 158)
  • Special Built-In Checks (p. 159)
  • Filtering Rules (p. 162)
  • Actions (p. 164)
  • Wait, There’s Even More! (p. 168)
  • Summary (p. 169)

Chapter 6: Using the Center for Internet Security Apache Benchmark Scoring Tool (p. 171)
  • Downloading, Unpacking, and Running the Scoring Tool (p. 171)
  • Unpacking the Archive (p. 173)
  • Running the Tool (p. 174)
  • Summary (p. 180)

Chapter 7: Mitigating the WASC Web Security Threat Classification with Apache (p. 181)
  • Contributors (p. 182)
  • Web Security Threat Classification Description (p. 182)
  • Goals (p. 183)
  • Documentation Uses (p. 183)
  • Overview (p. 183)
  • Background (p. 184)
  • Classes of Attack (p. 184)
  • Threat Format (p. 186)
  • Authentication (p. 186)
  • Brute Force (p. 187)
  • Insufficient Authentication (p. 191)
  • Weak Password Recovery Validation (p. 192)
  • Authorization (p. 195)
  • Credential/Session Prediction (p. 195)
  • Insufficient Authorization (p. 198)
  • Insufficient Session Expiration (p. 199)
  • Session Fixation (p. 201)
  • Client-Side Attacks (p. 205)
  • Content Spoofing (p. 205)
  • Cross-Site Scripting (p. 207)
  • Command Execution (p. 210)
  • Buffer Overflow (p. 210)
  • Format String Attack (p. 215)
  • LDAP Injection (p. 218)
  • OS Commanding (p. 220)
  • SQL Injection (p. 223)
  • SSI Injection (p. 228)
  • XPath Injection (p. 230)
  • Information Disclosure (p. 232)
  • Directory Indexing (p. 232)
  • Information Leakage (p. 236)
  • Path Traversal (p. 239)
  • Predictable Resource Location (p. 242)
  • Logical Attacks (p. 243)
  • Abuse of Functionality (p. 244)
  • Denial of Service (p. 246)
  • Insufficient Anti-Automation (p. 250)
  • Insufficient Process Validation (p. 251)
  • Summary (p. 253)

Chapter 8: Protecting a Flawed Web Application: Buggy Bank (p. 255)
  • Installing Buggy Bank (p. 256)
  • Buggy Bank Files (p. 257)
  • Turn Off Security Settings (p. 258)
  • Testing the Installation (p. 258)
  • Functionality (p. 261)
  • Login Accounts (p. 262)
  • Assessment Methodology (p. 262)
  • General Questions (p. 262)
  • Tools Used (p. 263)
  • Configuring Burp Proxy (p. 263)
  • Buggy Bank Vulnerabilities (p. 266)
  • Comments in HTML (p. 266)
  • Enumerating Account Numbers (p. 267)
  • How Much Entropy? (p. 270)
  • Brute Forcing the Account Numbers (p. 270)
  • Enumerating PIN Numbers (p. 273)
  • Account Unlocked (p. 274)
  • Account Locked (p. 274)
  • Brute Forcing the PIN Numbers (p. 276)
  • Command Injection (p. 277)
  • Injecting Netstat (p. 278)
  • SQL Injection (p. 282)
  • SQL Injection Mitigation (p. 285)
  • Cross-Site Scripting (XSS) (p. 287)
  • Mitigations (p. 289)
  • Balance Transfer Logic Flaw (p. 290)
  • Mitigation (p. 292)
  • Summary (p. 293)

Chapter 9: Prevention and Countermeasures (p. 295)
  • Why Firewalls Fail to Protect Web Servers/Applications (p. 296)
  • Why Intrusion Detection Systems Fail as Well (p. 299)
  • Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls (p. 304)
  • Deep Packet Inspection Firewall (p. 304)
  • Inline IDS (p. 305)
  • Web Application Firewall (WAF) (p. 307)
  • Web Intrusion Detection Concepts (p. 309)
  • Signature-Based (p. 309)
  • Positive Policy Enforcement (White-Listing) (p. 314)
  • Header-Based Inspection (p. 325)
  • Protocol-Based Inspection (p. 329)
  • Uniform Resource Identifier (URI) Inspection (p. 336)
  • Heuristic-Based Inspection (p. 339)
  • Anomaly-Based Inspection (p. 340)
  • Web IDS Evasion Techniques and Countermeasures (p. 342)
  • HTTP IDS Evasion Options (p. 342)
  • Anti-Evasion Mechanisms (p. 347)
  • Evasion by Abusing Apache Functionality (p. 348)
  • Identifying Probes and Blocking Well-Known Offenders (p. 352)
  • Worm Probes (p. 352)
  • Blocking Well-Known Offenders (p. 354)
  • Nmap Ident Scan (p. 357)
  • Nmap Version Scanning (p. 358)
  • Why Change the Server Banner Information? (p. 359)
  • Masking the Server Banner Information (p. 361)
  • HTTP Fingerprinting (p. 363)
  • Implementation Differences of the HTTP Protocol (p. 364)
  • Banner Grabbing (p. 370)
  • Advanced Web Server Fingerprinting (p. 370)
  • HTTPrint (p. 371)
  • Web Server Fingerprinting Defensive Recommendations (p. 373)
  • Bad Bots, Curious Clients, and Super Scanners (p. 379)
  • Bad Bots and Curious Clients (p. 379)
  • Super Scanners (p. 381)
  • Reacting to DoS, Brute Force, and Web Defacement Attacks (p. 388)
  • DoS Attacks (p. 388)
  • Brute Force Attacks (p. 389)
  • Web Defacements (p. 392)
  • Defacement Countermeasures (p. 397)
  • Alert Notification and Tracking Attackers (p. 399)
  • Setting Up Variables (p. 402)
  • Creating Historical Knowledge (p. 403)
  • Filtering Out Noise and Thresholding Emails (p. 403)
  • Request Snapshot and Attacker Tracking Links (p. 403)
  • Send Alert to Pager (p. 404)
  • Crude Pause Feature (p. 404)
  • Send the HTML (p. 404)
  • Example Email Alerts (p. 404)
  • Log Monitoring and Analysis (p. 412)
  • Real-Time Monitoring with SWATCH (p. 413)
  • Heuristic/Statistical Log Monitoring with SIDS (p. 417)
  • Honeypot Options (p. 424)
  • Sticky Honeypot (p. 424)
  • Fake PHF (p. 425)
  • OS Commanding Trap and Trace (p. 427)
  • Mod_Rewrite (2.1) to the Rescue (p. 428)
  • Summary (p. 429)

Chapter 10: Open Web Proxy Honeypot (p. 431)
  • Why Deploy an Open Web Proxy Honeypot? (p. 431)
  • Lack of Knowledge That an Attack Even Occurred (p. 432)
  • Lack of Verbose/Adequate Logging of HTTP Transactions (p. 432)
  • Lack of Interest in Public Disclosure of the Attack (p. 432)
  • What Are Proxy Servers? (p. 433)
  • Open Proxy Background (p. 434)
  • Open Web Proxy Honeypot (p. 435)
  • Linksys Router/Firewall (p. 435)
  • Turn Off Un-Needed Network Services (p. 436)
  • Configure Apache for Proxy (p. 436)
  • Data Control (p. 439)
  • Mod_Dosevasive (p. 439)
  • Mod_Security (p. 439)
  • Utilizing Snort Signatures (p. 441)
  • Brute Force Attacks (p. 441)
  • Data Capture (p. 442)
  • Real-Time Monitoring with Webspy (p. 444)
  • Honeynet Project’s Scan of the Month Challenge #31 (p. 444)
  • The Challenge (p. 445)
  • Initial Steps (p. 446)
  • Question: How Do You Think the Attackers Found the Honeyproxy? (p. 447)
  • Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find? (p. 448)
  • Search Logs for Mod_Security-Message (p. 449)
  • Utilization of the AllowCONNECT Proxying Capabilities (p. 450)
  • Search Logs for Abnormal HTTP Status Codes (p. 451)
  • Abnormal HTTP Request Methods (p. 454)
  • Non-HTTP Compliant Requests (p. 455)
  • Attack Category–SPAMMERS (p. 457)
  • Attack Category–Brute Force Authentication (p. 459)
  • Attack Category–Vulnerability Scans (p. 459)
  • Attack Category–Web-Based Worms (p. 465)
  • Attack Category–Banner/Click-Thru Fraud (p. 468)
  • Attack Category–IRC Connections (p. 469)
  • Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers? (p. 470)
  • Did They Target SSL on Our Honeyproxy? (p. 471)
  • Why Would They Want to Use SSL? (p. 472)
  • Why Didn’t They Use SSL Exclusively? (p. 472)
  • Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers? (p. 473)
  • Identifying the Activity (p. 473)
  • Confirming the Proxy Servers (p. 475)
  • Targeting Specific Open Proxies (p. 479)
  • Targeting Specific Destination Servers (p. 480)
  • Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods. (p. 481)
  • HTTP GET Requests (p. 481)
  • HTTP POST Requests (p. 482)
  • HTTP Basic Authentication (p. 483)
  • Obtaining the Cleartext Authorization Credentials (p. 485)
  • Distributed Brute Force Scan Against Yahoo Accounts (p. 486)
  • Forward and Reverse Scanning (p. 487)
  • Question: What Does the Mod_Security Error Message “Invalid Character Detected” Mean? What Were the Attackers Trying to Accomplish? (p. 493)
  • SecFilterCheckURLEncoding–URL-Encoding Validation (p. 493)
  • SecFilterCheckUnicodeEncoding–Unicode-Encoding Validation (p. 494)
  • SecFilterForceByteRange–Byte Range Check (p. 494)
  • SOCKS Proxy Scan (p. 494)
  • Code Red/NIMDA Worm Attacks (p. 495)
  • Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients? (p. 496)
  • SPAM Recipients (p. 497)
  • Question: Provide Some High-Level Statistics. (p. 498)
  • Top Ten Attacker IP Addresses (p. 498)
  • Top Ten Targets (p. 500)
  • Top User-Agents (Any Weird/Fake Agent Strings?) (p. 500)
  • Attacker Correlation from DShield and Other Sources? (p. 501)
  • Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios.) (p. 502)
  • Even Though the Proxypot’s IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner? (p. 504)
  • Summary (p. 506)

Chapter 11: Putting It All Together (p. 509)
  • Example Vulnerability Alert (p. 509)
  • Verify the Software Version (p. 510)
  • Patch Availability (p. 510)
  • Vulnerability Details (p. 511)
  • Creating a Mod_Security Vulnerability Filter (p. 514)
  • Testing the Vulnerability Filter (p. 515)
  • First Aid Versus a Hospital (p. 516)
  • Web Security: Beyond the Web Server (p. 517)
  • Domain Hijacking (p. 517)
  • DNS Cache Poisoning (p. 517)
  • Caching Proxy Defacement (p. 519)
  • Banner Ad Defacement (p. 520)
  • News Ticker Manipulations (p. 521)
  • Defacement or No Defacement? (p. 521)
  • Summary (p. 522)

Back Matter
  • Appendix A: Web Application Security Consortium Glossary (p. 523)
  • Appendix B: Apache Module Listing (p. 533)
  • Appendix C: Example httpd.conf File (p. 549)
  • Index (p. 561)

About the Author:
Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, “Hacker Techniques, Exploits, and Incident Handling,” course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.

Product Details
  • ISBN-13: 9780321467942
  • Publisher: Addison-Wesley Professional
  • Publisher Imprint: Addison-Wesley Professional
  • Language: English
  • ISBN-10: 0321467949
  • Publisher Date: 27 Apr 2021
  • Binding: Digital download
  • No of Pages: 624
