
Apache Security Digital Reprint - Ivan Ristic PDF

432 Pages·2017·3.86 MB·English

Preview Apache Security Digital Reprint - Ivan Ristic

Apache Security: The Complete Guide to Securing Your Apache Web Server
Ivan Ristić
Last update: Wed Apr 27 09:04:50 BST 2016 (build 204)

Apache Security, by Ivan Ristić
Copyright © 2004, 2005 Ivan Ristić
First published in March 2005. Digital reprint published in April 2010. Revision 204.
Feisty Duck Limited, www.feistyduck.com, [email protected]
Address: 6 Acantha Court, Montpelier Road, London W5 2QP, United Kingdom
Copyeditor: Mary Dageforde
Technical reviewers: Rich Bowen and Anton Chuvakin

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of the publisher. The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

To my dear wife Jelena, who makes my life worth living.

Table of Contents

Preface to Digital Reprint  xi
Preface  xiii
    Audience  xiii
    Scope  xiv
    Contents of This Book  xv
    Online Companion  xvii
    Conventions Used in This Book  xvii
    Programming Conventions  xviii
    Typesetting Conventions  xviii
    Using Code Examples  xviii
    Acknowledgments  xix

1. Apache Security Principles  1
    1.1. Security Definitions  1
        1.1.1. Essential Security Principles  2
        1.1.2. Common Security Vocabulary  4
        1.1.3. Security Process Steps  4
        1.1.4. Threat Modeling  5
        1.1.5. System-Hardening Matrix  7
        1.1.6. Calculating Risk  10
    1.2. Web Application Architecture Blueprints  10
        1.2.1. User View  11
        1.2.2. Network View  12
        1.2.3. Apache View  13

2. Installation and Configuration  15
    2.1. Installation  16
        2.1.1. Source or Binary  16
        2.1.2. Static Binary or Dynamic Modules  19
        2.1.3. Folder Locations  20
        2.1.4. Installation Instructions  21
    2.2. Configuration and Hardening  26
        2.2.1. Setting Up the Server User Account  27
        2.2.2. Setting Apache Binary File Permissions  27
        2.2.3. Configuring Secure Defaults  28
        2.2.4. Enabling CGI Scripts  31
        2.2.5. Logging  32
        2.2.6. Setting Server Configuration Limits  33
        2.2.7. Preventing Information Leaks  35
    2.3. Changing Web Server Identity  37
        2.3.1. Changing the Server Header Field  38
        2.3.2. Removing Default Content  40
    2.4. Putting Apache in Jail  41
        2.4.1. Tools of the chroot Trade  43
        2.4.2. Using chroot to Put Apache in Jail  46
        2.4.3. Using the chroot(2) Patch  50
        2.4.4. Using mod_security or mod_chroot  51

3. PHP  55
    3.1. Installation  55
        3.1.1. Using PHP as a Module  55
        3.1.2. Using PHP as a CGI  57
        3.1.3. Choosing Modules  58
    3.2. Configuration  59
        3.2.1. Disabling Undesirable Options  59
        3.2.2. Disabling Functions and Classes  62
        3.2.3. Restricting Filesystem Access  62
        3.2.4. Setting Logging Options  63
        3.2.5. Setting Limits  64
        3.2.6. Controlling File Uploads  65
        3.2.7. Increasing Session Security  66
        3.2.8. Setting Safe Mode Options  67
    3.3. Advanced PHP Hardening  69
        3.3.1. PHP 5 SAPI Input Hooks  70
        3.3.2. Hardened-PHP  70

4. SSL and TLS  73
    4.1. Cryptography  74
        4.1.1. Symmetric Encryption  75
        4.1.2. Asymmetric Encryption  77
        4.1.3. One-Way Encryption  78
        4.1.4. Public-Key Infrastructure  79
        4.1.5. How It All Falls into Place  82
    4.2. SSL  83
        4.2.1. SSL Communication Summary  84
        4.2.2. Is SSL Secure?  84
    4.3. OpenSSL  87
    4.4. Apache and SSL  90
        4.4.1. Installing mod_ssl  90
        4.4.2. Generating Keys  91
        4.4.3. Generating a Certificate Signing Request  92
        4.4.4. Signing Your Own Certificate  93
        4.4.5. Getting a Certificate Signed by a CA  94
        4.4.6. Configuring SSL  95
    4.5. Setting Up a Certificate Authority  97
        4.5.1. Preparing the CA Certificate for Distribution  100
        4.5.2. Issuing Server Certificates  101
        4.5.3. Issuing Client Certificates  102
        4.5.4. Revoking Certificates  103
        4.5.5. Using Client Certificates  103
    4.6. Performance Considerations  104
        4.6.1. OpenSSL Benchmark Script  104
        4.6.2. Hardware Acceleration  106

5. Denial of Service Attacks  107
    5.1. Network Attacks  109
        5.1.1. Malformed Traffic  109
        5.1.2. Brute-Force Attacks  109
        5.1.3. SYN Flood Attacks  110
        5.1.4. Source Address Spoofing  112
        5.1.5. Distributed Denial of Service Attacks  112
        5.1.6. Reflection DoS Attacks  113
    5.2. Self-Inflicted Attacks  114
        5.2.1. Badly Configured Apache  114
        5.2.2. Poorly Designed Web Applications  116
        5.2.3. Real-Life Client Problems  118
    5.3. Traffic Spikes  119
        5.3.1. Content Compression  119
        5.3.2. Bandwidth Attacks  119
        5.3.3. Cyber-Activism  120
        5.3.4. The Slashdot Effect  120
    5.4. Attacks on Apache  121
        5.4.1. Apache Vulnerabilities  121
        5.4.2. Brute-Force Attacks  122
        5.4.3. Programming Model Attacks  123
    5.5. Local Attacks  124
        5.5.1. Process Limits  125
        5.5.2. Process Accounting  126
        5.5.3. Kernel Auditing  126
    5.6. Traffic-Shaping Modules  127
    5.7. DoS Defense Strategy  128

6. Sharing Servers  129
    6.1. Sharing Problems  129
        6.1.1. File Permission Problems  130
        6.1.2. Dynamic-Content Problems  132
        6.1.3. Sharing Resources  137
        6.1.4. Same Domain Name Problems  137
        6.1.5. Information Leaks on Execution Boundaries  139
    6.2. Distributing Configuration Data  142
    6.3. Securing Dynamic Requests  144
        6.3.1. Enabling Script Execution  144
        6.3.2. Setting CGI Script Limits  146
        6.3.3. Using suEXEC  146
        6.3.4. FastCGI  153
        6.3.5. Running PHP as a Module  155
    6.4. Working with Large Numbers of Users  155
        6.4.1. Web Shells  156
        6.4.2. Dangerous Binaries  156

7. Access Control  159
    7.1. Overview  159
    7.2. Authentication Methods  161
        7.2.1. Basic Authentication  161
        7.2.2. Digest Authentication  163
        7.2.3. Form-Based Authentication  164
    7.3. Access Control in Apache  166
        7.3.1. Basic Authentication Using Plaintext Files  166
        7.3.2. Basic Authentication Using DBM Files  168
        7.3.3. Digest Authentication  169
        7.3.4. Certificate-Based Access Control  169
        7.3.5. Network Access Control  170
        7.3.6. Proxy Access Control  172
        7.3.7. Final Access Control Notes  174
    7.4. Single Sign-on  178
        7.4.1. Web Single Sign-on  179
        7.4.2. Simple Apache-Only Single Sign-on  180

8. Logging and Monitoring  183
    8.1. Apache Logging Facilities  183
        8.1.1. Request Logging  184
        8.1.2. Error Logging  188
        8.1.3. Special Logging Modules  190
        8.1.4. Audit Log  192
        8.1.5. Performance Measurement  194
        8.1.6. File Upload Interception  195
        8.1.7. Application Logs  195
        8.1.8. Logging as Much as Possible  196
    8.2. Log Manipulation  200
        8.2.1. Piped Logging  200
        8.2.2. Log Rotation  202
        8.2.3. Issues with Log Distribution  204
    8.3. Remote Logging  205
        8.3.1. Manual Centralization  205
        8.3.2. Syslog Logging  206
        8.3.3. Database Logging  208
        8.3.4. Distributed Logging with the Spread Toolkit  209
    8.4. Logging Strategies  211
    8.5. Log Analysis  212
    8.6. Monitoring  214
        8.6.1. File Integrity  214
        8.6.2. Event Monitoring  214
        8.6.3. Web Server Status  220

9. Infrastructure  231
    9.1. Application Isolation Strategies  232
        9.1.1. Isolating Applications from Servers  232
        9.1.2. Isolating Application Modules  232
        9.1.3. Utilizing Virtual Servers  233
    9.2. Host Security  234
        9.2.1. Restricting and Securing User Access  234
        9.2.2. Deploying Minimal Services  235
        9.2.3. Gathering Information and Monitoring Events  236
        9.2.4. Securing Network Access  237
        9.2.5. Advanced Hardening  239
        9.2.6. Keeping Up to Date  240
    9.3. Network Security  240
        9.3.1. Firewall Usage  241
        9.3.2. Centralized Logging  241
        9.3.3. Network Monitoring  242
        9.3.4. External Monitoring  243
    9.4. Using a Reverse Proxy  244
        9.4.1. Apache Reverse Proxy  245
        9.4.2. Reverse Proxy by Network Design  248
        9.4.3. Reverse Proxy by Redirecting Network Traffic  248
    9.5. Network Design  249
        9.5.1. Reverse Proxy Patterns  250
        9.5.2. Advanced Architectures  254

10. Web Application Security  265
    10.1. Session Management Attacks  267
        10.1.1. Cookies  267
        10.1.2. Session Management Concepts  269
        10.1.3. Keeping in Touch with Clients  269
        10.1.4. Session Tokens  270
        10.1.5. Session Attacks  270
        10.1.6. Good Practices  272
    10.2. Attacks on Clients  273
        10.2.1. Typical Client Attack Targets  273
        10.2.2. Phishing  273
    10.3. Application Logic Flaws  275
        10.3.1. Cookies and Hidden Fields  275
        10.3.2. POST Method  276
        10.3.3. Referrer Check Flaws  277
        10.3.4. Process State Management  277
        10.3.5. Client-Side Validation  278
    10.4. Information Disclosure  278
        10.4.1. HTML Source Code  278
        10.4.2. Directory Listings  279
        10.4.3. Verbose Error Messages  281
        10.4.4. Debug Messages  282
    10.5. File Disclosure  283
        10.5.1. Path Traversal  283
        10.5.2. Application Download Flaws  283

Description:
Handbook: Discovering and Exploiting Security Holes by Jack Koziol et Overflows Demystified” by Murat Balaban (http://www.enderunix.org/docs/.
