ebook img

Hardening Apache PDF

284 Pages·2004·6.719 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Hardening Apache

Hardening Apache TONYMOBILY APress Media, LLC Hardening Apache Copyright 2004 by Tony Mobily © Originally published by Apress in 2004 All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any informa tion storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN 978-1-59059-378-3 ISBN 978-1-4302-0675-0 (eBook) DOI 10.1007/978-1-4302-0675-0 Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. Lead Editor: Jim Sumser Technical Reviewers: Ken Coar and Jonathan Hassell Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Thny Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski Project Manager: Nate McFadden Copy Manager: Nicole LeClerc Copy Editor: Brian MacDonald Production Manager: Kari Brooks Production Editor: KellyWmquist Compositor: Molly Sharp, ContentWorks Proofreader: liz Welch Indexer: Valerie Hanes Perry Artist: Kinetic Publishing Services, llC Cover Designer: Kurt Krames Manufacturing Manager: Tom Debolski The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work. The source code for this book is available to readers at http: //1\'!NW. a press. com in the Downloads section. To Anna Dymitr Hawkes and Stella Johnson, my beloved bodhisattvas Contents at a Glance Foreword ............................................................ xi About the Author ................................................. xiii About the Technical Reviewers ................................... xv Acknowledgments .................................................. xvii Introduction ...................................................... xix Chapter 1 Secure Installation and Configuration ............. 1 Chapter 2 Common Attacks ...................................... 41 Chapter 3 Logging .............................................. 55 Chapter 4 Cross-Site Scripting Attacks ...................... 85 Chapter 5 Apache Security Modules ........................... 99 Chapter 6 Apache in Jail ..................................... 179 Chapter 7 Automating Security ............................... 203 Appendix A Apache Resources .................................. 237 Appendix B HTTP and Apache ................................... 241 Appendix C Chapter Checkpoints ............................... 255 Index .............................................................. 259 v Contents Foreword ............................................................ xi About the Author ................................................. xiii About the Technical Reviewers ................................... xv Acknowledgments .................................................. xvii Introduction ...................................................... xix Chapter 1 Secure Installation and Configuration ..... 1 Downloading the Right Apache ...................................... 1 Installing Apache ................................................. 10 Testing Your Apache with Nikto ................................. 14 Secure Configuration .............................................. 19 Blocking Access to Your Site .................................... 28 Apache and SSL .................................................... 32 Checkpoints ........................................................ 40 Chapter 2 Common Attacks ................................... 41 Common Terms ....................................................... 41 Types of Attacks .................................................. 44 Important Reference Sites ........................................ 44 Apache Vulnerabilities: Practical Examples ..................... 45 Checkpoints ........................................................ 54 Chapter 3 Logging ............................................. 55 Why Logging? ....................................................... 55 Configuring Logging in Apache ................................... 56 Security Issues of Log Files .................................... 58 Reading the Log Files ............................................ 61 Remote Logging ..................................................... 65 Checkpoints ........................................................ 83 Chapter 4 Cross-Site Scripting Attacks ................ 85 Cross-Site Scripting Attacks in Practice ....................... 85 Apache and XSS .................................................... 92 XSS Attacks: A Real-World Scenario .............................. 94 vii Contents How to Prevent XSS ................................................ 95 Online Resources on XSS .......................................... 96 Checkpoints ........................................................ 96 Chapter 5 Apache Security Modules ....................... 99 Why More Security? ................................................9 9 Apache Is Modular ................................................ 100 Apache Modules: Some Warnings .................................. 100 Where to Find Modules ........................................... 102 Selected Apache Modules ......................................... 103 mod_security ...................................................... 103 mod bandwidth ..................................................... 125 mod dosevasive .................................................... 136 mod_parmguard ..................................................... 148 mod_hackprotect and mod_hackdetect ............................. 167 Conclusions ....................................................... 177 Checkpoints ....................................................... 177 Chapter 6 Apache in Jail .................................. 179 chroot ............................................................. 179 chroot in Practice ............................................... 180 Apache in Jail ................................................... 183 Making Perl Work ................................................. 194 Making PHP Work .................................................. 197 Other Issues ..................................................... 199 Security Issues .................................................. 199 Checkpoints ...................................................... 201 Chapter 7 Automating Security. ........................... 203 The Scripts ....................................................... 203 Running the Scripts Automatically .............................. 233 Checkpoints ....................................................... 236 Appendix A Apache Resources ................................ 237 Vulnerability Scanners and Searching Tools .................... 237 Advisories and Vulnerability Resources ........................ 237 HTTP Protocol Information ....................................... 239 Vendors ............................................................ 239 Intrusion Detection Systems ..................................... 240 viii Contents Appendix B HTTP and Apache ................................. 241 The Web and Its Components ......................................2 41 What Happens when You Serve a Page ............................ 249 Conclusions ....................................................... 254 Appendix C Chapter Checkpoints ............................ 255 Chapter 1: Secure Installation and Configuration ............. 255 Chapter 2: Common Attacks ....................................... 256 Chapter 3 : Logging ............................................... 256 Chapter 4: Cross-Site Scripting Attacks ....................... 257 Chapter 5 : Apache Security Modules ............................. 257 Chapter 6: Apache in Jail ....................................... 258 Chapter 7: Automating Security ................................. 258 Index .............................................................. 259 ix Foreword CONGRATULATIONS! YOU HAVE BEFORE YOU a book whose time has more than come. More and more attention has been forcibly drawn to the issues of computer and information security. Only a few years ago, it was an afterthought for just about everybody connected with computers or networks; now it is an exceed ingly rare week that passes without at least one alert of a security vulnerability affecting tens of thousands of users. Two factors (at least!) have contributed to this explosive growth of awareness and concern. One is the increasing ubiquity of computer access; more and more individuals must use a computer as part of their daily jobs, and increasing num bers of families have computers at home. And almost every single one of these computers has the potential, realized or not, of being connected to a network that includes hundreds to millions of others. Another major contributing factor is the ever-expanding demand for more and more functionality and capability. Not only does meeting this demand require faster hardware; it also requires more complicated software. The faster hardware and network connections makes certain attack forms (such as pass word bashing) more viable, and the increasing complexity of the software inevitably introduces more nooks and crannies in which some sort of oversight or bug might hide. What does all this have to do with Hardening Apache? The Apache Web server is one of those bits of software that has become increasingly involved and eso teric as it has grown to meet the demands of its users and developers for more functionality. Combine the potential for security vulnerabilities with the perva siveness of the package (which at the time of this writing drives more than thirty million web sites-over two thirds of the Web!) and you have a very attractive tar get for crackers. In addition to the complexity of the base Apache httpd package, its design permits-nay, encourages-third-party vendors to extend its functionality with their own special-purpose code. So regardless of the security robustness of Apache itself (and it's pretty robust) some less well-scrutinized after-market package may introduce vulnerabilities. Despite the foregoing and the popularity of the Apache web server, there is a surprising dearth of authoritative and complete documents providing instruc tions for making an Apache installation as secure as possible. Enter Hardening Apache. In it, Tony Mobily takes you from obtaining the software and verifying that no one has tampered with it, through installing and configuring it, to covering most of the attack forms that have been mounted against it. In each case, he describes what the issue is, how it works, whether it xi Foreword has been addressed by the Apache developers (so you can tell if upgrading will correct it), and various actions you can take to prevent penetration. Software is a moving target, and documenting it is a difficult and never ending task. So in addition to giving you information as current as possible as of the time of this writing, Hardening Apache also includes pointers to online sources and mailing lists that you can use to keep up with the latest news, views, and clues concerning vulnerabilities and attack forms. As I said: a book whose time has more than come. KenCoar, Apache Software Foundation, February 2004 xii

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.