Web Server Administration : Web Server Administration Chapter 10
Securing the Web Environment
Overview : Overview Identify threats and vulnerabilities
Secure data transmission
Secure the operating system
Secure server applications
Overview : Overview Authenticate Web users
Use a firewall
Use a proxy server
Use intrusion detection software
Identifying Threats and Vulnerabilities : Identifying Threats and Vulnerabilities Focus is on threats from the Internet
Hackers sometimes want the challenge of penetrating a system and vandalizing it – other times they are after data
Data can be credit card numbers, user names and passwords, other personal data
Information can be gathered while it is being transmitted
Often, operating system flaws can assist the hacker
Examining TCP/IP : Examining TCP/IP Hackers often take advantage of the intricacy of TCP/IP
The following are parts of the IP header most relevant to security
Source address
Destination address
Packet identification, flags, fragment offset
Total length
Protocol – TCP, UDP, ICMP
TCP-Delivering Data to Applications : TCP-Delivering Data to Applications Important header fields
Source and destination ports
Sequence number, data offset
Flags, such as SYN, ACK, FIN
Establishing a TCP connection
Vulnerabilities of DNS : Vulnerabilities of DNS Historically DNS has had security problems
BIND is the most common implementation of DNS and some older version had serious bugs
BIND 9, the current version, has been more secure
Vulnerabilities in Operating Systems : Vulnerabilities in Operating Systems Operating systems are large and complex which means that there are more opportunities for attack
Although Windows has had its share of problems, often inattentive administrators often fail to implement patches when available
Some attacks, such as buffer overruns, can allow the attacker to take over the computer
Vulnerabilities in Web servers : Vulnerabilities in Web servers Static HTML pages pose virtually no problem
Programming environments and databases add complexity that a hacker can exploit
Programmers often do not have time to focus on security
Vulnerabilities of E-mail Servers : Vulnerabilities of E-mail Servers By design, e-mail servers are open
E-mail servers can be harmed by a series of very large e-mail messages
Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
Viruses can be sent to e-mail users
Retrieving e-mail over the Internet often involves sending your user name and password as clear text
Securing Data Transmission : Securing Data Transmission To secure data on a network that is accessible to others, you need to encrypt the data
SSL is the most common method of encrypting data between a browser and Web server
Secure Shell (SSH) is a secure replacement for Telnet
Secure Sockets Layer (SSL) : Secure Sockets Layer (SSL) A digital certificate issued by a certification authority (CA) identifies an organization
The public key infrastructure (PKI) defines the system of CAs and certificates
Public key cryptography depends on two keys
A public key is shared with everyone
The public key can be used to encrypt data
Only the owner of the public key has the corresponding private key which is needed to decrypt the data
Establishing an SSL Connection : Establishing an SSL Connection
Using SSH for Tunneling : Using SSH for Tunneling Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH
To set up tunneling
Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)
Configure the SSH client to connect to POP3 port 110
Log in to the SSH client
Direct the e-mail client to port 5555 and log in to the e-mail server
Securing the Operating System : Securing the Operating System Use the server for only necessary tasks
Minimize user accounts
Disable services that are not needed
Make sure that you have a secure password
In addition to using upper case, lower case numbers and symbols, hold down the ALT key on a number (on the numeric keypad) from 1 to 255
Check a table of ALT values to avoid common characters
The use of the ALT key will thwart most hackers
Securing Windows : Securing Windows There are many services that are not needed in Windows for most Internet-based server applications
Alerter
Computer browser
DHCP client
DNS client
Messenger
Server
Workstation
Also, the registry can be used to alter the configuration to make it more secure such as disabling short file names
Securing Linux : Securing Linux As with Windows, make sure that you only run daemons (services) that you need
Generally, daemons are disabled by default
The command netstat -l gives you a list of daemons that are running
Use chkconfig to enable and disable daemons
chkconfig imap on would enable imap
Securing E-mail : Securing E-mail You have already seen the ability to tunnel POP3 which would prevent data from being seen
Exchange 2000 can also use SSL for the protocols it uses
To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox
Securing the Web Server : Securing the Web Server Enable the minimum features
If you don't need a programming language, do not enable it
Make sure programmers understand security issues
Implement SSL where appropriate
Securing the Web ServerApache Directories : Securing the Web ServerApache Directories You can restrict access to directories by using "allow" and "deny"
The following only allows computers with the two IP addresses to access the directory
order allow, deny
allow from 10.10.10.5 192.168.0.3
deny from all
Securing the Web Server-IIS : Securing the Web Server-IIS The URLScan utility blocks potentially harmful page requests
The IIS Lockdown utility has templates to ensure that you only enable what you need
Change NTFS permissions in \inetpub\wwwroot from Everyone Full Control to Everyone Execute
In IIS 5, delete \samples \IISHelp and \MSADC folders
Delete extensions you do not use, such as .htr, .idc, .stm, and others
Authenticating Web Users : Authenticating Web Users Both Apache and IIS use HTTP to enable authentication
HTTP tries to access a protected directory and fails
Then it requests authentication from the user in a dialog box
Accesses directory with user information
Used in conjunction with SSL
Configuring User Authentication in IIS : Configuring User Authentication in IIS Four types of authenticated access
Windows integrated authentication
Most secure – requires IE
Digest authentication for Windows domain servers
Works with proxy servers
Requires Active Directory and IE
Basic authentication
User name and password in clear text
Works with IE, Netscape, and others
Passport authentication
Centralized form of authentication
Only available on Windows Server 2003
User Authentication in Apache : User Authentication in Apache Basic authentication is most common
User names and passwords are kept in a separate file
Create password file
-c creates the users file
-b adds a password when creating user
htpasswd –c users mnoia
htpasswd users fpessoa
htpasswd users lcamoes –b lusiades
ApacheUser Authentication Directives : ApacheUser Authentication Directives
ApacheUser Authentication : ApacheUser Authentication Assume you want to restrict the /newprods directory to any user in the users file
AuthName "New Product Information"
AuthType Basic
AuthUserFile /var/www/users
require valid-user
Using a Firewall : Using a Firewall A firewall implements a security policy between networks
Our focus is between the Internet and an organization's network
You need to limit access, especially from the Internet to your internal computers
Restrict access to Web servers, e-mail servers, and other related servers
Types of Filtering : Types of Filtering Packet filtering
Looks at each individual packet
Based on rules, it determines whether to let it pass through the firewall
Circuit-level filtering (stateful or dynamic filtering)
Controls complete communication session, not just individual packets
Allows traffic initialized from within the organization to return, yet restricts traffic initialized from outside
Application-level
Instead of transferring packets, it sets up a separate connection to totally isolate applications such as Web and e-mail
A Packet-filtering Firewall : A Packet-filtering Firewall Consists of a list of acceptance and denial rules
A firewall independently filters what comes in and what goes out
It is best to start with a default policy that denies all traffic, in and out
We can reject or drop a failed packet
Drop – (best) thrown away without response
Reject – ICMP message sent in response
Firewall on Linux - iptables : Firewall on Linux - iptables Connections can be logged
Initializing the firewall
Remove any pre-existing rules
iptables --flush
Set default policy to drop packets
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
At this point nothing comes in and nothing goes out
Describing the Packets to Accept : Describing the Packets to Accept -A (Append rule)
INPUT or OUTPUT
-i eth0 (input interface) or –o eth0 (output)
-p tcp or -p udp (protocol type)
-s , -d (source, destination address)
--sport, --dport (source, destination port)
-j ACCEPT (this is a good rule)
Allowing Access to Web Server : Allowing Access to Web Server Allow packets from any address with an unprivileged port to the address on our server destined to port 80
The following should be on a single line
iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 80 –j ACCEPT
Allow packets to go out port 80 from our server to any unprivileged port at any address
iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10
--sport 80 --dport 1024:65535 –j ACCEPT
Allowing Access to DNS : Allowing Access to DNS DNS uses port 53
UDP for resolving, TCP for zone transfers
iptables –A INPUT –i eth0 –p udp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT
iptables –A OUTPUT –o eth0 –p udp –s 192.168.1.10
--sport 53 --dport 1024:65535 –j ACCEPT
iptables –A INPUT –i eth0 –p tcp --sport 1024:65535 –d 192.168.1.10 --dport 53 –j ACCEPT
iptables –A OUTPUT –o eth0 –p tcp –s 192.168.1.10
--sport 53 --dport 1024:65535 –j ACCEPT
Allowing Access to FTP : Allowing Access to FTP Port 21 for data, port 20 for control
Data is transferred through unprivileged ports
Opening unprivileged ports can be a problem
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 21 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 192.168.1.10 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.10 --sport 1024:65535 --dport 1024:65535 -j ACCEPT
Using a Proxy Server : Using a Proxy Server A proxy server delivers content on behalf of a user or server application
Proxy servers need to understand the protocol of the application that they proxy such as HTTP or FTP
Forward proxy servers isolate users from the Internet
Users contact proxy server which gets Web page
Reverse proxy servers isolate Web server environment from the Internet
When a Web page is requested from the Internet, the proxy server retrieves the page from the internal server
Using Intrusion Detection Software : Using Intrusion Detection Software Intrusion detection is designed to show you that your defenses have been penetrated
With Microsoft ISA Server, it only detects specific types of intrusion
In Linux, Tripwire tracks changes to files
Tripwire : Tripwire Tripwire allows you to set policies that allow you to monitor any changes to the files on the system
Tripwire can detect file additions, file deletions, and changes to existing files
By understanding the changes to the files, you can determine which ones are unauthorized and then try to find out the cause of the change
Tripwire : Tripwire After installing Tripwire, you configure the policy file to determine which files to monitor
A default list of files is included but it will take time to refine the list
A report can be produced to find out which files have been added, changed, and deleted
Usually, it runs automatically at night
Intrusion Detection in ISA Server : Intrusion Detection in ISA Server The following intrusions are tracked
Windows out-of-band (WinNuke)–A specific type of Denial-of-Service attack
Land–A spoofed packet is sent with the SYN flag set so that the source address is the same as the destination address, which is the address of the server. The server can then try to connect to itself and crash.
Ping of death –The server receives ICMP packets that include large files attachments, which can cause a server to crash.
IP half scan –If a remote computer attempts to connect to a port by sending a packet with the SYN flag set and the port is not available, the RST flag is set on the return packet. When the remote computer does not respond to the RST flag, this is called an IP half scan. In normal situations, the TCP connection is closed with a packet containing a FIN flag.
UDP bomb –A UDP packet with an illegal configuration.
Port scan –You determine the threshold for the number of ports that are scanned (checked) before an alert is issued.
Summary : Summary Every computer connected to the Internet represents a potential target for attack
Hackers can gather data and modify systems
SSL can secure data transmission
Keep each server to a single purpose such as Web server or e-mail
Keep applications and services to a minimum
Summary : Summary User authentication controls access to one or more Web server directories
Firewalls control access policies between networks
A proxy server delivers content on behalf of a user or server application
Intrusion detection software identifies intrusions but typically does not prevent them