Full Description
"Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information." --Stephen Northcutt, The SANS Institute

The only end-to-end guide to securing Apache Web servers and Web applications

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won't protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you'll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured "in the wild."

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

With this book, you will learn to:

- Address the OS-related flaws most likely to compromise Web server security
- Perform security-related tasks needed to safely download, configure, and install Apache
- Lock down your Apache httpd.conf file and install essential Apache security modules
- Test security with the CIS Apache Benchmark Scoring Tool
- Use the WASC Web Security Threat Classification to identify and mitigate application threats
- Test Apache mitigation settings against the Buggy Bank Web application
- Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers
- Master advanced techniques for detecting and preventing intrusions
Contents
About the Author (p. xix)
Foreword (p. xxi)
Acknowledgments (p. xxv)
Introduction (p. xxvii)

Chapter 1 Web Insecurity Contributing Factors (p. 1)
- A Typical Morning (p. 1)
- Why Web Security Is Important (p. 3)
- Web Insecurity Contributing Factors (p. 4)
- Managerial/Procedural Issues (p. 4)
- Management and the Bottom Line (p. 4)
- Selling Loaded Guns (p. 5)
- The Two-Minute Drill (p. 5)
- Development Environment Versus Production Environment (p. 6)
- Firefighting Approach to Web Security (Reacting to Fires) (p. 7)
- Technical Misconceptions Regarding Web Security (p. 7)
- "We have our web server in a Demilitarized Zone (DMZ)." (p. 8)
- "We have a firewall." (p. 9)
- "We have a Network-Based Intrusion Detection System." (p. 9)
- "We have a Host-Based Intrusion Detection System." (p. 11)
- "We are using Secure Socket Layer (SSL)." (p. 11)
- Summary (p. 11)

Chapter 2 CIS Apache Benchmark (p. 13)
- CIS Apache Benchmark for UNIX: OS-Level Issues (p. 13)
- Minimize/Patch Non-HTTP Services (p. 13)
- Example Service Attack: 7350wu-FTP Exploit (p. 19)
- Vulnerable Services' Impact on Apache's Security (p. 22)
- Apply Vendor OS Patches (p. 23)
- Tune the IP Stack (p. 24)
- Denial of Service Attacks (p. 25)
- Create the Web Groups and User Account (p. 28)
- Lock Down the Web Server User Account (p. 31)
- Implementing Disk Quotas (p. 32)
- Accessing OS-Level Commands (p. 35)
- Update the Ownership and Permissions of System Commands (p. 39)
- Traditional Chroot (p. 40)
- Chroot Setup Warning (p. 41)
- Mod_Security Chroot (p. 41)
- Chroot Setup (p. 41)
- Summary (p. 50)

Chapter 3 Downloading and Installing Apache (p. 53)
- Apache 1.3 Versus 2.0 (p. 53)
- Using Pre-Compiled Binary Versus Source Code (p. 54)
- Downloading the Apache Source Code (p. 56)
- Why Verify with MD5 and PGP? (p. 56)
- Uncompress and Open: Gunzip and Untar (p. 63)
- Patches-Get 'em While They're Hot! (p. 64)
- Monitoring for Vulnerabilities and Patches (p. 66)
- What Modules Should I Use? (p. 70)
- Summary (p. 80)

Chapter 4 Configuring the httpd.conf File (p. 81)
- CIS Apache Benchmark Settings (p. 84)
- The httpd.conf File (p. 85)
- Disable Un-Needed Modules (p. 86)
- Directives (p. 86)
- Server-Oriented Directives (p. 87)
- Multi-Processing Modules (MPMs) (p. 87)
- Listen (p. 88)
- ServerName (p. 88)
- ServerRoot (p. 89)
- DocumentRoot (p. 89)
- HostnameLookups (p. 89)
- User-Oriented Directives (p. 90)
- User (p. 90)
- Group (p. 91)
- ServerAdmin (p. 91)
- Denial of Service (DoS) Protective Directives (p. 92)
- Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration (p. 92)
- TimeOut (p. 94)
- KeepAlive (p. 95)
- KeepAliveTimeout (p. 95)
- MaxKeepAliveRequests (p. 95)
- StartServers (p. 96)
- MinSpareServers and MaxSpareServers (p. 96)
- ListenBacklog (p. 96)
- MaxClients and ServerLimit (p. 97)
- Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration (p. 97)
- Forward Reference (p. 99)
- Software Obfuscation Directives (p. 99)
- ServerTokens (p. 99)
- ServerSignature (p. 101)
- ErrorDocument (p. 102)
- Directory Functionality Directives (p. 104)
- All (p. 104)
- ExecCGI (p. 104)
- FollowSymLinks and SymLinksIfOwnerMatch (p. 105)
- Includes and IncludesNoExec (p. 105)
- Indexes (p. 106)
- AllowOverride (p. 106)
- Multiviews (p. 107)
- Access Control Directives (p. 107)
- Authentication Setup (p. 108)
- Authorization (p. 109)
- Order (p. 110)
- Order deny, allow (p. 110)
- Order allow, deny (p. 110)
- Access Control: Where Clients Come From (p. 111)
- Hostname or Domain (p. 111)
- IP Address and IP Range (p. 112)
- Client Request ENV (p. 112)
- Protecting the Root Directory (p. 113)
- Limiting HTTP Request Methods (p. 114)
- Logging General Directives (p. 114)
- LogLevel (p. 114)
- ErrorLog (p. 115)
- LogFormat (p. 115)
- CustomLog (p. 115)
- Removing Default/Sample Files (p. 116)
- Apache Source Code Files (p. 116)
- Default HTML Files (p. 116)
- Sample CGIs (p. 117)
- Webserv User Files (p. 118)
- Updating Ownership and Permissions (p. 118)
- Server Configuration Files (p. 119)
- DocumentRoot Files (p. 119)
- CGI-Bin (p. 119)
- Logs (p. 120)
- Bin (p. 120)
- Updating the Apachectl Script (p. 120)
- Nikto Scan After Updates (p. 122)
- Summary (p. 122)

Chapter 5 Essential Security Modules for Apache (p. 125)
- Secure Socket Layer (SSL) (p. 125)
- Why Should I Use SSL? (p. 126)
- How Does SSL Work? (p. 128)
- Software Requirements (p. 132)
- Installing SSL (p. 133)
- Creating an SSL Certificate (p. 133)
- Testing the Initial Configuration (p. 134)
- Configuring mod_ssl (p. 137)
- SSL Summary (p. 144)
- Mod_Rewrite (p. 144)
- Enabling Mod_Rewrite (p. 145)
- Mod_Rewrite Summary (p. 147)
- Mod_Log_Forensic (p. 147)
- Mod_Dosevasive (p. 149)
- What Is Mod_Dosevasive? (p. 149)
- Installing Mod_Dosevasive (p. 149)
- How Does Mod_Dosevasive Work? (p. 150)
- Configuration (p. 151)
- Mod_Dosevasive Summary (p. 155)
- Mod_Security (p. 155)
- Installing Mod_Security (p. 156)
- Mod_Security Overview (p. 156)
- Features and Capabilities of Mod_Security (p. 157)
- Anti-Evasion Techniques (p. 158)
- Special Built-In Checks (p. 159)
- Filtering Rules (p. 162)
- Actions (p. 164)
- Wait, There's Even More! (p. 168)
- Summary (p. 169)

Chapter 6 Using the Center for Internet Security Apache Benchmark Scoring Tool (p. 171)
- Downloading, Unpacking, and Running the Scoring Tool (p. 171)
- Unpacking the Archive (p. 173)
- Running the Tool (p. 174)
- Summary (p. 180)

Chapter 7 Mitigating the WASC Web Security Threat Classification with Apache (p. 181)
- Contributors (p. 182)
- Web Security Threat Classification Description (p. 182)
- Goals (p. 183)
- Documentation Uses (p. 183)
- Overview (p. 183)
- Background (p. 184)
- Classes of Attack (p. 184)
- Threat Format (p. 186)
- Authentication (p. 186)
- Brute Force (p. 187)
- Insufficient Authentication (p. 191)
- Weak Password Recovery Validation (p. 192)
- Authorization (p. 195)
- Credential/Session Prediction (p. 195)
- Insufficient Authorization (p. 198)
- Insufficient Session Expiration (p. 199)
- Session Fixation (p. 201)
- Client-Side Attacks (p. 205)
- Content Spoofing (p. 205)
- Cross-Site Scripting (p. 207)
- Command Execution (p. 210)
- Buffer Overflow (p. 210)
- Format String Attack (p. 215)
- LDAP Injection (p. 218)
- OS Commanding (p. 220)
- SQL Injection (p. 223)
- SSI Injection (p. 228)
- XPath Injection (p. 230)
- Information Disclosure (p. 232)
- Directory Indexing (p. 232)
- Information Leakage (p. 236)
- Path Traversal (p. 239)
- Predictable Resource Location (p. 242)
- Logical Attacks (p. 243)
- Abuse of Functionality (p. 244)
- Denial of Service (p. 246)
- Insufficient Anti-Automation (p. 250)
- Insufficient Process Validation (p. 251)
- Summary (p. 253)

Chapter 8 Protecting a Flawed Web Application: Buggy Bank (p. 255)
- Installing Buggy Bank (p. 256)
- Buggy Bank Files (p. 257)
- Turn Off Security Settings (p. 258)
- Testing the Installation (p. 258)
- Functionality (p. 261)
- Login Accounts (p. 262)
- Assessment Methodology (p. 262)
- General Questions (p. 262)
- Tools Used (p. 263)
- Configuring Burp Proxy (p. 263)
- Buggy Bank Vulnerabilities (p. 266)
- Comments in HTML (p. 266)
- Enumerating Account Numbers (p. 267)
- How Much Entropy? (p. 270)
- Brute Forcing the Account Numbers (p. 270)
- Enumerating PIN Numbers (p. 273)
- Account Unlocked (p. 274)
- Account Locked (p. 274)
- Brute Forcing the PIN Numbers (p. 276)
- Command Injection (p. 277)
- Injecting Netstat (p. 278)
- SQL Injection (p. 282)
- SQL Injection Mitigation (p. 285)
- Cross-Site Scripting (XSS) (p. 287)
- Mitigations (p. 289)
- Balance Transfer Logic Flaw (p. 290)
- Mitigation (p. 292)
- Summary (p. 293)

Chapter 9 Prevention and Countermeasures (p. 295)
- Why Firewalls Fail to Protect Web Servers/Applications (p. 296)
- Why Intrusion Detection Systems Fail as Well (p. 299)
- Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls (p. 304)
- Deep Packet Inspection Firewall (p. 304)
- Inline IDS (p. 305)
- Web Application Firewall (WAF) (p. 307)
- Web Intrusion Detection Concepts (p. 309)
- Signature-Based (p. 309)
- Positive Policy Enforcement (White-Listing) (p. 314)
- Header-Based Inspection (p. 325)
- Protocol-Based Inspection (p. 329)
- Uniform Resource Identifier (URI) Inspection (p. 336)
- Heuristic-Based Inspection (p. 339)
- Anomaly-Based Inspection (p. 340)
- Web IDS Evasion Techniques and Countermeasures (p. 342)
- HTTP IDS Evasion Options (p. 342)
- Anti-Evasion Mechanisms (p. 347)
- Evasion by Abusing Apache Functionality (p. 348)
- Identifying Probes and Blocking Well-Known Offenders (p. 352)
- Worm Probes (p. 352)
- Blocking Well-Known Offenders (p. 354)
- Nmap Ident Scan (p. 357)
- Nmap Version Scanning (p. 358)
- Why Change the Server Banner Information? (p. 359)
- Masking the Server Banner Information (p. 361)
- HTTP Fingerprinting (p. 363)
- Implementation Differences of the HTTP Protocol (p. 364)
- Banner Grabbing (p. 370)
- Advanced Web Server Fingerprinting (p. 370)
- HTTPrint (p. 371)
- Web Server Fingerprinting Defensive Recommendations (p. 373)
- Bad Bots, Curious Clients, and Super Scanners (p. 379)
- Bad Bots and Curious Clients (p. 379)
- Super Scanners (p. 381)
- Reacting to DoS, Brute Force, and Web Defacement Attacks (p. 388)
- DoS Attacks (p. 388)
- Brute Force Attacks (p. 389)
- Web Defacements (p. 392)
- Defacement Countermeasures (p. 397)
- Alert Notification and Tracking Attackers (p. 399)
- Setting Up Variables (p. 402)
- Creating Historical Knowledge (p. 403)
- Filtering Out Noise and Thresholding Emails (p. 403)
- Request Snapshot and Attacker Tracking Links (p. 403)
- Send Alert to Pager (p. 404)
- Crude Pause Feature (p. 404)
- Send the HTML (p. 404)
- Example Email Alerts (p. 404)
- Log Monitoring and Analysis (p. 412)
- Real-Time Monitoring with SWATCH (p. 413)
- Heuristic/Statistical Log Monitoring with SIDS (p. 417)
- Honeypot Options (p. 424)
- Sticky Honeypot (p. 424)
- Fake PHF (p. 425)
- OS Commanding Trap and Trace (p. 427)
- Mod_Rewrite (2.1) to the Rescue (p. 428)
- Summary (p. 429)

Chapter 10 Open Web Proxy Honeypot (p. 431)
- Why Deploy an Open Web Proxy Honeypot? (p. 431)
- Lack of Knowledge That an Attack Even Occurred (p. 432)
- Lack of Verbose/Adequate Logging of HTTP Transactions (p. 432)
- Lack of Interest in Public Disclosure of the Attack (p. 432)
- What Are Proxy Servers? (p. 433)
- Open Proxy Background (p. 434)
- Open Web Proxy Honeypot (p. 435)
- Linksys Router/Firewall (p. 435)
- Turn Off Un-Needed Network Services (p. 436)
- Configure Apache for Proxy (p. 436)
- Data Control (p. 439)
- Mod_Dosevasive (p. 439)
- Mod_Security (p. 439)
- Utilizing Snort Signatures (p. 441)
- Brute Force Attacks (p. 441)
- Data Capture (p. 442)
- Real-Time Monitoring with Webspy (p. 444)
- Honeynet Project's Scan of the Month Challenge #31 (p. 444)
- The Challenge (p. 445)
- Initial Steps (p. 446)
- Question: How Do You Think the Attackers Found the Honeyproxy? (p. 447)
- Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find? (p. 448)
- Search Logs for Mod_Security-Message (p. 449)
- Utilization of the AllowCONNECT Proxying Capabilities (p. 450)
- Search Logs for Abnormal HTTP Status Codes (p. 451)
- Abnormal HTTP Request Methods (p. 454)
- Non-HTTP Compliant Requests (p. 455)
- Attack Category-SPAMMERS (p. 457)
- Attack Category-Brute Force Authentication (p. 459)
- Attack Category-Vulnerability Scans (p. 459)
- Attack Category-Web-Based Worms (p. 465)
- Attack Category-Banner/Click-Thru Fraud (p. 468)
- Attack Category-IRC Connections (p. 469)
- Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers? (p. 470)
- Did They Target SSL on Our Honeyproxy? (p. 471)
- Why Would They Want to Use SSL? (p. 472)
- Why Didn't They Use SSL Exclusively? (p. 472)
- Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers? (p. 473)
- Identifying the Activity (p. 473)
- Confirming the Proxy Servers (p. 475)
- Targeting Specific Open Proxies (p. 479)
- Targeting Specific Destination Servers (p. 480)
- Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods. (p. 481)
- HTTP GET Requests (p. 481)
- HTTP POST Requests (p. 482)
- HTTP Basic Authentication (p. 483)
- Obtaining the Cleartext Authorization Credentials (p. 485)
- Distributed Brute Force Scan Against Yahoo Accounts (p. 486)
- Forward and Reverse Scanning (p. 487)
- Question: What Does the Mod_Security Error Message "Invalid Character Detected" Mean? What Were the Attackers Trying to Accomplish? (p. 493)
- SecFilterCheckURLEncoding-URL-Encoding Validation (p. 493)
- SecFilterCheckUnicodeEncoding-Unicode-Encoding Validation (p. 494)
- SecFilterForceByteRange-Byte Range Check (p. 494)
- SOCKS Proxy Scan (p. 494)
- Code Red/NIMDA Worm Attacks (p. 495)
- Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients? (p. 496)
- SPAM Recipients (p. 497)
- Question: Provide Some High-Level Statistics. (p. 498)
- Top Ten Attacker IP Addresses (p. 498)
- Top Ten Targets (p. 500)
- Top User-Agents (Any Weird/Fake Agent Strings?) (p. 500)
- Attacker Correlation from DShield and Other Sources? (p. 501)
- Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios.) (p. 502)
- Even Though the Proxypot's IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner? (p. 504)
- Summary (p. 506)

Chapter 11 Putting It All Together (p. 509)
- Example Vulnerability Alert (p. 509)
- Verify the Software Version (p. 510)
- Patch Availability (p. 510)
- Vulnerability Details (p. 511)
- Creating a Mod_Security Vulnerability Filter (p. 514)
- Testing the Vulnerability Filter (p. 515)
- First Aid Versus a Hospital (p. 516)
- Web Security: Beyond the Web Server (p. 517)
- Domain Hijacking (p. 517)
- DNS Cache Poisoning (p. 517)
- Caching Proxy Defacement (p. 519)
- Banner Ad Defacement (p. 520)
- News Ticker Manipulations (p. 521)
- Defacement or No Defacement? (p. 521)
- Summary (p. 522)

Appendix A Web Application Security Consortium Glossary (p. 523)
Appendix B Apache Module Listing (p. 533)
Appendix C Example httpd.conf File (p. 549)
Index (p. 561)