Preventing Web Attacks with Apache

Note: Supplemental materials are not guaranteed with Rental or Used book purchases.

ISBN: 9780321321282 | 0321321286
Cover: Paperback
Copyright: 1/27/2006

eBook

Available Instantly

Online: 1825 Days

Downloadable: Lifetime Access

$44.99

Supplemental Materials

Secure and lock down this extremely popular and versatile Web server - from a recognized Apache security expert and SANS instructor.

About the Author

xix

Foreword

xxi

Acknowledgments

xxv

Introduction

xxvii

Web Insecurity Contributing Factors

(12)

A Typical Morning

(2)

Why Web Security Is Important

(1)

Web Insecurity Contributing Factors

(1)

Managerial/Procedural Issues

(3)

Management and the Bottom Line

(1)

Selling Loaded Guns

(1)

The Two-Minute Drill

(1)

Development Environment Versus Production Environment

(1)

Firefighting Approach to Web Security (Reacting to Fires)

(1)

Technical Misconceptions Regarding Web Security

(4)

``We have our web server in a Demilitarized Zone (DMZ).''

(1)

``We have a firewall.''

(1)

``We have a Network-Based Intrusion Detection System.''

(2)

``We have a Host-Based Intrusion Detection System.''

(1)

``We are using Secure Socket Layer (SSL).''

(1)

Summary

(2)

CIS Apache Benchmark

(40)

CIS Apache Benchmark for UNIX: OS-Level Issues

(37)

Minimize/Patch Non-HTTP Services

(6)

Example Service Attack: 7350wu---FTP Exploit

(3)

Vulnerable Services' Impact on Apache's Security

(1)

Apply Vendor OS Patches

(1)

Tune the IP Stack

(1)

Denial of Service Attacks

(3)

Create the Web Groups and User Account

(3)

Lock Down the Web Server User Account

(1)

Implementing Disk Quotas

(3)

Accessing OS-Level Commands

(4)

Update the Ownership and Permissions of System Commands

(1)

Traditional Chroot

(1)

Chroot Setup Warning

(1)

Mod_Security Chroot

(1)

Chroot Setup

(9)

Summary

(3)

Downloading and Installing Apache

(28)

Apache 1.3 Versus 2.0

(1)

Using Pre-Compiled Binary Versus Source Code

(2)

Downloading the Apache Source Code

(7)

Why Verify with MD5 and PGP?

(7)

Uncompress and Open: Gunzip and Untar

(17)

Patches---Get `em While They're Hot!

(2)

Monitoring for Vulnerabilities and Patches

(4)

What Modules Should I Use?

(10)

Summary

(1)

Configuring the httpd.conf File

(44)

CIS Apache Benchmark Settings

(1)

The httpd.conf File

(1)

Disable Un-Needed Modules

(1)

Directives

(1)

Server-Oriented Directives

(3)

Multi-Processing Modules (MPMs)

(1)

Listen

(1)

ServerName

(1)

ServerRoot

(1)

DocumentRoot

(1)

HostnameLookups

(1)

User-Oriented Directives

(2)

User

(1)

Group

(1)

ServerAdmin

(1)

Denial of Service (DoS) Protective Directives

(7)

Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration

(2)

TimeOut

(1)

KeepAlive

(1)

KeepAliveTimeout

(1)

MaxKeepAliveRequests

(1)

StartServers

(1)

MinSpareServers and MaxSpareServers

(1)

ListenBacklog

(1)

MaxClients and ServerLimit

(1)

Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration

(2)

Forward Reference

(1)

Software Obfuscation Directives

(5)

ServerTokens

(2)

ServerSignature

101

(1)

ErrorDocument

102

(2)

Directory Functionality Directives

104

(3)

All

104

(1)

ExecCGI

104

(1)

FollowSymLinks and SymLinksIfOwnerMatch

105

(1)

Includes and IncludesNoExec

105

(1)

Indexes

106

(1)

AllowOverride

106

(1)

Multiviews

107

(1)

Access Control Directives

107

(1)

Authentication Setup

108

(1)

Authorization

109

(2)

Order

110

(1)

Order deny, allow

110

(1)

Order allow, deny

110

(1)

Access Control: Where Clients Come From

111

(3)

Hostname or Domain

111

(1)

IP Address and IP Range

112

(1)

Client Request ENV

112

(1)

Protecting the Root Directory

113

(1)

Limiting HTTP Request Methods

114

(1)

Logging General Directives

114

(2)

LogLevel

114

(1)

ErrorLog

115

(1)

LogFormat

115

(1)

CustomLog

115

(1)

Removing Default/Sample Files

116

(2)

Apache Source Code Files

116

(1)

Default HTML Files

116

(1)

Sample CGIs

117

(1)

Webserv User Files

118

(1)

Updating Ownership and Permissions

118

(2)

Server Configuration Files

119

(1)

DocumentRoot Files

119

(1)

CGI-Bin

119

(1)

Logs

120

(1)

Bin

120

(1)

Updating the Apachectl Script

120

(2)

Nikto Scan After Updates

122

(1)

Summary

122

(3)

Essential Security Modules for Apache

125

(46)

Secure Socket Layer (SSL)

125

(19)

Why Should I Use SSL?

126

(2)

How Does SSL Work?

128

(4)

Software Requirements

132

(1)

Installing SSL

133

(1)

Creating an SSL Certificate

133

(1)

Testing the Initial Configuration

134

(3)

Configuring mod_ssl

137

(7)

SSL Summary

144

(1)

Mod_Rewrite

144

(3)

Enabling Mod_Rewrite

145

(2)

Mod_Rewrite Summary

147

(1)

Mod_Log_Forensic

147

(2)

Mod_Dosevasive

149

(6)

What Is Mod_Dosevasive?

149

(1)

Installing Mod_Dosevasive

149

(1)

How Does Mod_Dosevasive Work?

150

(1)

Configuration

151

(4)

Mod_Dosevasive Summary

155

(1)

Mod_Security

155

(14)

Installing Mod_Security

156

(1)

Mod_Security Overview

156

(1)

Features and Capabilities of Mod_Security

157

(1)

Anti-Evasion Techniques

158

(1)

Special Built-In Checks

159

(3)

Filtering Rules

162

(2)

Actions

164

(4)

Wait, There's Even More!

168

(1)

Summary

169

(2)

Using the Center for Internet Security Apache Benchmark Scoring Tool

171

(10)

Downloading, Unpacking, and Running the Scoring Tool

171

(9)

Unpacking the Archive

173

(1)

Running the Tool

174

(6)

Summary

180

(1)

Mitigating the WASC Web Security Threat Classification with Apache

181

(74)

Contributors

182

(1)

Web Security Threat Classification Description

182

(2)

Goals

183

(1)

Documentation Uses

183

(1)

Overview

183

(1)

Background

184

(1)

Classes of Attack

184

(2)

Threat Format

186

(1)

Authentication

186

(9)

Brute Force

187

(4)

Insufficient Authentication

191

(1)

Weak Password Recovery Validation

192

(3)

Authorization

195

(10)

Credential/Session Prediction

195

(3)

Insufficient Authorization

198

(1)

Insufficient Session Expiration

199

(2)

Session Fixation

201

(4)

Client-Side Attacks

205

(5)

Content Spoofing

205

(2)

Cross-Site Scripting

207

(3)

Command Execution

210

(22)

Buffer Overflow

210

(5)

Format String Attack

215

(3)

LDAP Injection

218

(2)

OS Commanding

220

(3)

SQL Injection

223

(5)

SSI Injection

228

(2)

XPath Injection

230

(2)

Information Disclosure

232

(11)

Directory Indexing

232

(4)

Information Leakage

236

(3)

Path Traversal

239

(3)

Predictable Resource Location

242

(1)

Logical Attacks

243

(10)

Abuse of Functionality

244

(2)

Denial of Service

246

(4)

Insufficient Anti-Automation

250

(1)

Insufficient Process Validation

251

(2)

Summary

253

(2)

Protecting a Flawed Web Application: Buggy Bank

255

(40)

Installing Buggy Bank

256

(5)

Buggy Bank Files

257

(1)

Turn Off Security Settings

258

(1)

Testing the Installation

258

(3)

Functionality

261

(1)

262

(1)

Assessment Methodology

262

(4)

General Questions

262

(1)

Tools Used

263

(1)

Configuring Burp Proxy

263

(3)

Buggy Bank Vulnerabilities

266

(16)

Comments in HTML

266

(1)

Enumerating Account Numbers

267

(3)

How Much Entropy?

270

(1)

Brute Forcing the Account Numbers

270

(3)

Enumerating PIN Numbers

273

(1)

Account Unlocked

274

(1)

Account Locked

274

(2)

Brute Forcing the PIN Numbers

276

(1)

Command Injection

277

(1)

Injecting Netstat

278

(4)

SQL Injection

282

(5)

SQL Injection Mitigation

285

(2)

Cross-Site Scripting (XSS)

287

(3)

Mitigations

289

(1)

Balance Transfer Logic Flaw

290

(3)

Mitigation

292

(1)

Summary

293

(2)

Prevention and Countermeasures

295

(136)

Why Firewalls Fail to Protect Web Servers/Applications

296

(3)

Why Intrusion Detection Systems Fail as Well

299

(5)

Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls

304

(5)

Deep Packet Inspection Firewall

304

(1)

Inline IDS

305

(2)

Web Application Firewall (WAF)

307

(2)

Web Intrusion Detection Concepts

309

(33)

Signature-Based

309

(5)

Positive Policy Enforcement (White-Listing)

314

(11)

Header-Based Inspection

325

(4)

Protocol-Based Inspection

329

(7)

Uniform Resource Identifier (URI) Inspection

336

(3)

Heuristic-Based Inspection

339

(1)

Anomaly-Based Inspection

340

(2)

Web IDS Evasion Techniques and Countermeasures

342

(10)

HTTP IDS Evasion Options

342

(5)

Anti-Evasion Mechanisms

347

(1)

Evasion by Abusing Apache Functionality

348

(4)

Identifying Probes and Blocking Well-Known Offenders

352

(11)

Worm Probes

352

(2)

Blocking Well-Known Offenders

354

(3)

Nmap Ident Scan

357

(1)

Nmap Version Scanning

358

(1)

Why Change the Server Banner Information?

359

(2)

Masking the Server Banner Information

361

(2)

HTTP Fingerprinting

363

(16)

Implementation Differences of the HTTP Protocol

364

(6)

Banner Grabbing

370

(1)

Advanced Web Server Fingerprinting

370

(1)

HTTPrint

371

(2)

Web Server Fingerprinting Defensive Recommendations

373

(6)

Bad Bots, Curious Clients, and Super Scanners

379

(9)

Bad Bots and Curious Clients

379

(2)

Super Scanners

381

(7)

Reacting to DoS, Brute Force, and Web Defacement Attacks

388

(11)

DoS Attacks

388

(1)

Brute Force Attacks

389

(3)

Web Defacements

392

(5)

Defacement Countermeasures

397

(2)

Alert Notification and Tracking Attackers

399

(13)

Setting Up Variables

402

(1)

Creating Historical Knowledge

403

(1)

Filtering Out Noise and Thresholding Emails

403

(1)

Request Snapshot and Attacker Tracking Links

403

(1)

Send Alert to Pager

404

(1)

Crude Pause Feature

404

(1)

Send the HTML

404

(1)

Example Email Alerts

404

(8)

Log Monitoring and Analysis

412

(12)

Real-Time Monitoring with Swatch

413

(4)

Heuristic/Statistical Log Monitoring with SIDS

417

(7)

Honeypot Options

424

(5)

Sticky Honeypot

424

(1)

FakePHF

425

(2)

OS Commanding Trap and Trace

427

(1)

Mod_Rewrite (2.1) to the Rescue

428

(1)

Summary

429

(2)

Open Web Proxy Honeypot

431

(78)

Why Deploy an Open Web Proxy Honeypot?

431

(2)

Lack of Knowledge That an Attack Even Occurred

432

(1)

Lack of Verbose/Adequate Logging of HTTP Transactions

432

(1)

Lack of Interest in Public Disclosure of the Attack

432

(1)

What Are Proxy Servers?

433

(1)

Open Proxy Background

434

(1)

Open Web Proxy Honeypot

435

(4)

Linksys Router/Firewall

435

(1)

Turn Off Un-Needed Network Services

436

(1)

Configure Apache for Proxy

436

(3)

Data Control

439

(3)

Mod_Dosevasive

439

(1)

Mod_Security

439

(2)

Utilizing Snort Signatures

441

(1)

Brute Force Attacks

441

(1)

Data Capture

442

(2)

Real-Time Monitoring with Webspy

444

(1)

Honeynet Project's Scan of the Month Challenge #31

444

(3)

The Challenge

445

(1)

Initial Steps

446

(1)

Question: How Do You Think the Attackers Found the Honeyproxy?

447

(1)

Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find?

448

(22)

Search Logs for Mod_Security-Message

449

(1)

Utilization of the AllowConnect Proxying Capabilities

450

(1)

Search Logs for Abnormal HTTP Status Codes

451

(3)

Abnormal HTTP Request Methods

454

(1)

Non-HTTP Compliant Requests

455

(2)

Attack Category---SPAMMERS

457

(2)

Attack Category---Brute Force Authentication

459

(1)

Attack Category---Vulnerability Scans

459

(6)

Attack Category---Web-Based Worms

465

(3)

Attack Category---Banner/Click-Thru Fraud

468

(1)

Attack Category---IRC Connections

469

(1)

Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers?

470

(3)

Did They Target SSL on Our Honeyproxy?

471

(1)

Why Would They Want to Use SSL?

472

(1)

Why Didn't They Use SSL Exclusively?

472

(1)

Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers? Identifying the Activity

473

(8)

Confirming the Proxy Servers

475

(4)

Targeting Specific Open Proxies

479

(1)

Targeting Specific Destination Servers

480

(1)

Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods

481

(12)

HTTP Get Requests

481

(1)

HTTP Post Requests

482

(1)

HTTP Basic Authentication

483

(2)

Obtaining the Cleartext Authorization Credentials

485

(1)

Distributed Brute Force Scan Against Yahoo Accounts

486

(1)

Forward and Reverse Scanning

487

(6)

Question: What Does the Mod_Security Error Message ``Invalid Character Detected'' Mean? What Were the Attackers Trying to Accomplish?

493

(4)

SecFilterCheckURLEncoding---URL-Encoding Validation

493

(1)

SecFilterCheckUnicodeEncoding---Unicode-Encoding Validation

494

(1)

SecFilterForceByteRange---Byte Range Check

494

(1)

Socks Proxy Scan

494

(1)

Code Red/NIMDA Worm Attacks

495

(2)

Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients? SPAM Recipients

497

(1)

Question: Provide Some High-Level Statistics

498

(4)

Top Ten Attacker IP Addresses

498

(2)

Top Ten Targets

500

(1)

Top User-Agents (Any Weird/Fake Agent Strings?)

500

(1)

Attacker Correlation from DShield and Other Sources?

501

(1)

Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web Sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios)

502

(4)

Even Though the Proxypot's IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner?

504

(2)

Summary

506

(3)

Putting It All Together

509

(14)

Example Vulnerability Alert

509

(1)

Verify the Software Version

510

(1)

Patch Availability

510

(1)

Vulnerability Details

511

(6)

Creating a Mod_Security Vulnerability Filter

514

(1)

Testing the Vulnerability Filter

515

(1)

First Aid Versus a Hospital

516

(1)

Web Security: Beyond the Web Server

517

(5)

Domain Hijacking

517

(1)

DNS Cache Poisoning

517

(2)

Caching Proxy Defacement

519

(1)

Banner Ad Defacement

520

(1)

News Ticker Manipulations

521

(1)

Defacement or No Defacement?

521

(1)

Summary

522

(1)

Appendix A Web Application Security Consortium Glossary

523

(10)

Appendix B Apache Module Listing

533

(16)

Appendix C Example httpd.conf File

549

(12)

Index

561

Please wait while the item is added to your bag...

FREE SHIPPING

Amazon no longer offers textbook rentals. We do!

Preventing Web Attacks with Apache

Summary

Author Biography

Table of Contents

Supplemental Materials