
Preventing Web Attacks with Apache

eBook (Watermarked)

  • Your Price: $35.19
  • List Price: $43.99
  • Includes EPUB, MOBI, and PDF
  • Copyright 2006
  • Edition: 1st
  • eBook (Watermarked)
  • ISBN-10: 0-13-280035-7
  • ISBN-13: 978-0-13-280035-8

The only end-to-end guide to securing Apache Web servers and Web applications

Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files.

Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.

Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings that he helped to create. He addresses issues related to IT processes and the underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring; and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.”

For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

Sample Content

Table of Contents

About the Author     xix

Foreword     xxi

Acknowledgments     xxv

Introduction     xxvii

Chapter 1     Web Insecurity Contributing Factors     1

A Typical Morning     1

Why Web Security Is Important     3

Web Insecurity Contributing Factors     4

Managerial/Procedural Issues     4

Management and the Bottom Line     4

Selling Loaded Guns     5

The Two-Minute Drill     5

Development Environment Versus Production Environment     6

Firefighting Approach to Web Security (Reacting to Fires)     7

Technical Misconceptions Regarding Web Security     7

“We have our web server in a Demilitarized Zone (DMZ).”     8

“We have a firewall.”     9

“We have a Network-Based Intrusion Detection System.”     9

“We have a Host-Based Intrusion Detection System.”     11

“We are using Secure Socket Layer (SSL).”     11

Summary     11

Chapter 2     CIS Apache Benchmark     13

CIS Apache Benchmark for UNIX: OS-Level Issues     13

Minimize/Patch Non-HTTP Services     13

Example Service Attack: 7350wu–FTP Exploit     19

Vulnerable Services’ Impact on Apache’s Security     22

Apply Vendor OS Patches     23

Tune the IP Stack     24

Denial of Service Attacks     25

Create the Web Groups and User Account     28

Lock Down the Web Server User Account     31

Implementing Disk Quotas     32

Accessing OS-Level Commands     35

Update the Ownership and Permissions of System Commands     39

Traditional Chroot     40

Chroot Setup Warning     41

Mod_Security Chroot     41

Chroot Setup     41

Summary     50

Chapter 3     Downloading and Installing Apache     53

Apache 1.3 Versus 2.0     53

Using Pre-Compiled Binary Versus Source Code     54

Downloading the Apache Source Code     56

Why Verify with MD5 and PGP?     56

Uncompress and Open: Gunzip and Untar     63

Patches–Get ’em While They’re Hot!     64

Monitoring for Vulnerabilities and Patches      66

What Modules Should I Use?     70

Summary     80

Chapter 4     Configuring the httpd.conf File     81

CIS Apache Benchmark Settings     84

The httpd.conf File      85

Disable Un-Needed Modules     86

Directives     86

Server-Oriented Directives     87

Multi-Processing Modules (MPMs)     87

Listen     88

ServerName     88

ServerRoot     89

DocumentRoot     89

HostnameLookups     89

User-Oriented Directives     90

User     90

Group     91

ServerAdmin     91

Denial of Service (DoS) Protective Directives     92

Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration     92

TimeOut     94

KeepAlive     95

KeepAliveTimeout     95

MaxKeepAliveRequests     95

StartServers     96

MinSpareServers and MaxSpareServers     96

ListenBacklog     96

MaxClients and ServerLimit     97

Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration     97

Forward Reference     99

Software Obfuscation Directives     99

ServerTokens     99

ServerSignature     101

ErrorDocument     102

Directory Functionality Directives     104

All     104

ExecCGI     104

FollowSymLinks and SymLinksIfOwnerMatch     105

Includes and IncludesNoExec     105

Indexes     106

AllowOverride     106

Multiviews     107

Access Control Directives     107

Authentication Setup     108

Authorization     109

Order     110

Order deny, allow     110

Order allow, deny     110

Access Control: Where Clients Come From     111

Hostname or Domain     111

IP Address and IP Range     112

Client Request ENV     112

Protecting the Root Directory     113

Limiting HTTP Request Methods     114

Logging General Directives     114

LogLevel      114

ErrorLog      115

LogFormat      115

CustomLog      115

Removing Default/Sample Files     116

Apache Source Code Files      116

Default HTML Files      116

Sample CGIs      117

Webserv User Files     118

Updating Ownership and Permissions     118

Server Configuration Files      119

DocumentRoot Files      119

CGI-Bin      119

Logs     120

Bin     120

Updating the Apachectl Script     120

Nikto Scan After Updates     122

Summary     122

Chapter 5     Essential Security Modules for Apache     125

Secure Socket Layer (SSL)     125

Why Should I Use SSL?     126

How Does SSL Work?     128

Software Requirements     132

Installing SSL     133

Creating an SSL Certificate     133

Testing the Initial Configuration     134

Configuring mod_ssl     137

SSL Summary     144

Mod_Rewrite     144

Enabling Mod_Rewrite     145

Mod_Rewrite Summary     147

Mod_Log_Forensic     147

Mod_Dosevasive     149

What Is Mod_Dosevasive?     149

Installing Mod_Dosevasive     149

How Does Mod_Dosevasive Work?     150

Configuration     151

Mod_Dosevasive Summary     155

Mod_Security     155

Installing Mod_Security     156

Mod_Security Overview     156

Features and Capabilities of Mod_Security     157

Anti-Evasion Techniques     158

Special Built-In Checks     159

Filtering Rules     162

Actions     164

Wait, There’s Even More!     168

Summary     169

Chapter 6     Using the Center for Internet Security Apache Benchmark Scoring Tool     171

Downloading, Unpacking, and Running the Scoring Tool     171

Unpacking the Archive     173

Running the Tool     174

Summary     180

Chapter 7     Mitigating the WASC Web Security Threat Classification with Apache     181

Contributors     182

Web Security Threat Classification Description     182

Goals     183

Documentation Uses     183

Overview     183

Background     184

Classes of Attack     184

Threat Format     186

Authentication     186

Brute Force     187

Insufficient Authentication     191

Weak Password Recovery Validation     192

Authorization     195

Credential/Session Prediction     195

Insufficient Authorization     198

Insufficient Session Expiration     199

Session Fixation     201

Client-Side Attacks     205

Content Spoofing     205

Cross-Site Scripting     207

Command Execution     210

Buffer Overflow     210

Format String Attack     215

LDAP Injection     218

OS Commanding     220

SQL Injection     223

SSI Injection     228

XPath Injection     230

Information Disclosure     232

Directory Indexing     232

Information Leakage     236

Path Traversal     239

Predictable Resource Location     242

Logical Attacks     243

Abuse of Functionality     244

Denial of Service     246

Insufficient Anti-Automation     250

Insufficient Process Validation     251

Summary     253

Chapter 8     Protecting a Flawed Web Application: Buggy Bank     255

Installing Buggy Bank     256

Buggy Bank Files     257

Turn Off Security Settings     258

Testing the Installation     258

Functionality     261

Login Accounts     262

Assessment Methodology     262

General Questions     262

Tools Used     263

Configuring Burp Proxy     263

Buggy Bank Vulnerabilities      266

Comments in HTML     266

Enumerating Account Numbers     267

How Much Entropy?     270

Brute Forcing the Account Numbers     270

Enumerating PIN Numbers     273

Account Unlocked     274

Account Locked     274

Brute Forcing the PIN Numbers     276

Command Injection     277

Injecting Netstat     278

SQL Injection     282

SQL Injection Mitigation     285

Cross-Site Scripting (XSS)     287

Mitigations     289

Balance Transfer Logic Flaw     290

Mitigation     292

Summary     293

Chapter 9     Prevention and Countermeasures     295

Why Firewalls Fail to Protect Web Servers/Applications     296

Why Intrusion Detection Systems Fail as Well     299

Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls     304

Deep Packet Inspection Firewall     304

Inline IDS     305

Web Application Firewall (WAF)     307

Web Intrusion Detection Concepts     309

Signature-Based     309

Positive Policy Enforcement (White-Listing)     314

Header-Based Inspection     325

Protocol-Based Inspection     329

Uniform Resource Identifier (URI) Inspection     336

Heuristic-Based Inspection     339

Anomaly-Based Inspection     340

Web IDS Evasion Techniques and Countermeasures     342

HTTP IDS Evasion Options     342

Anti-Evasion Mechanisms     347

Evasion by Abusing Apache Functionality     348

Identifying Probes and Blocking Well-Known Offenders     352

Worm Probes     352

Blocking Well-Known Offenders     354

Nmap Ident Scan     357

Nmap Version Scanning     358

Why Change the Server Banner Information?     359

Masking the Server Banner Information     361

HTTP Fingerprinting     363

Implementation Differences of the HTTP Protocol     364

Banner Grabbing     370

Advanced Web Server Fingerprinting     370

HTTPrint     371

Web Server Fingerprinting Defensive Recommendations     373

Bad Bots, Curious Clients, and Super Scanners     379

Bad Bots and Curious Clients     379

Super Scanners     381

Reacting to DoS, Brute Force, and Web Defacement Attacks     388

DoS Attacks     388

Brute Force Attacks     389

Web Defacements     392

Defacement Countermeasures     397

Alert Notification and Tracking Attackers     399

Setting Up Variables     402

Creating Historical Knowledge     403

Filtering Out Noise and Thresholding Emails     403

Request Snapshot and Attacker Tracking Links     403

Send Alert to Pager     404

Crude Pause Feature     404

Send the HTML     404

Example Email Alerts     404

Log Monitoring and Analysis     412

Real-Time Monitoring with SWATCH     413

Heuristic/Statistical Log Monitoring with SIDS     417

Honeypot Options     424

Sticky Honeypot     424

Fake PHF     425

OS Commanding Trap and Trace     427

Mod_Rewrite (2.1) to the Rescue     428

Summary     429

Chapter 10     Open Web Proxy Honeypot     431

Why Deploy an Open Web Proxy Honeypot?     431

Lack of Knowledge That an Attack Even Occurred     432

Lack of Verbose/Adequate Logging of HTTP Transactions     432

Lack of Interest in Public Disclosure of the Attack     432

What Are Proxy Servers?     433

Open Proxy Background     434

Open Web Proxy Honeypot     435

Linksys Router/Firewall     435

Turn Off Un-Needed Network Services     436

Configure Apache for Proxy     436

Data Control     439

Mod_Dosevasive     439

Mod_Security     439

Utilizing Snort Signatures     441

Brute Force Attacks     441

Data Capture     442

Real-Time Monitoring with Webspy     444

Honeynet Project’s Scan of the Month Challenge #31     444

The Challenge     445

Initial Steps     446

Question: How Do You Think the Attackers Found the Honeyproxy?      447

Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find?     448

Search Logs for Mod_Security-Message     449

Utilization of the AllowCONNECT Proxying Capabilities     450

Search Logs for Abnormal HTTP Status Codes     451

Abnormal HTTP Request Methods      454

Non-HTTP Compliant Requests     455

Attack Category–SPAMMERS     457

Attack Category–Brute Force Authentication     459

Attack Category–Vulnerability Scans     459

Attack Category–Web-Based Worms     465

Attack Category–Banner/Click-Thru Fraud      468

Attack Category–IRC Connections     469

Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers?      470

Did They Target SSL on Our Honeyproxy?      471

Why Would They Want to Use SSL?      472

Why Didn’t They Use SSL Exclusively?     472

Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers?      473

Identifying the Activity     473

Confirming the Proxy Servers     475

Targeting Specific Open Proxies     479

Targeting Specific Destination Servers     480

Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods.     481

HTTP GET Requests     481

HTTP POST Requests     482

HTTP Basic Authentication     483

Obtaining the Cleartext Authorization Credentials     485

Distributed Brute Force Scan Against Yahoo Accounts     486

Forward and Reverse Scanning     487

Question: What Does the Mod_Security Error Message “Invalid Character Detected” Mean? What Were the Attackers Trying to Accomplish?     493

SecFilterCheckURLEncoding–URL-Encoding Validation     493

SecFilterCheckUnicodeEncoding–Unicode-Encoding Validation     494

SecFilterForceByteRange–Byte Range Check     494

SOCKS Proxy Scan     494

Code Red/NIMDA Worm Attacks     495

Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients?     496

SPAM Recipients     497

Question: Provide Some High-Level Statistics.      498

Top Ten Attacker IP Addresses     498

Top Ten Targets     500

Top User-Agents (Any Weird/Fake Agent Strings?)     500

Attacker Correlation from DShield and Other Sources?     501

Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web Sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios.)     502

Even Though the Proxypot’s IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner?     504

Summary     506

Chapter 11     Putting It All Together     509

Example Vulnerability Alert     509

Verify the Software Version     510

Patch Availability     510

Vulnerability Details     511

Creating a Mod_Security Vulnerability Filter     514

Testing the Vulnerability Filter     515

First Aid Versus a Hospital     516

Web Security: Beyond the Web Server     517

Domain Hijacking     517

DNS Cache Poisoning     517

Caching Proxy Defacement     519

Banner Ad Defacement     520

News Ticker Manipulations     521

Defacement or No Defacement?     521

Summary     522

Appendix A     Web Application Security Consortium Glossary     523

Appendix B     Apache Module Listing     533

Appendix C     Example httpd.conf File     549

Index     561