Beruflich Dokumente
Kultur Dokumente
www.RD1.net
Agenda
Need A Secure Foundation
Minimizing the Attack Surface
Limiting HTTP Request Methods
Access Control
Mod_Security
Web Application Fire Wall
Logging and Monitoring
Sep 21, 2009
www.RD1.net
Non-profit Organization
Develops Technical Security Standards
Uses Consensus of Industry Experts
www.CISecurity.org
Benchmarks for:
www.RD1.net
www.RD1.net
Secure Foundation
OS Security
Start with a Security Hardened OS
Unix or Linux recommended for Internet
Apply appropriate CIS OS Benchmark
Dont mix other high risk, or critical
services
Regularly Apply OS and Apache updates
www.RD1.net
Secure Foundation
DNS Cache Poisoning Attacks
DNS Level attacks against your clients /customers
Secure your Authoritative and Caching DNS
Servers with CIS BIND Benchmark
DNS Pharming Attacks
www.RD1.net
www.RD1.net
www.RD1.net
10
www.RD1.net
11
CERT
https://forms.us-cert.gov/maillists/
Sun
https://subscriptions.sun.com
Fedora Core
https://www.redhat.com/mailman/listinfo
/fedora-announce-list
Sep 21, 2009
www.RD1.net
12
www.RD1.net
13
www.RD1.net
14
www.RD1.net
15
Example:
rpm qf /etc/httpd/conf.d/manual.conf
httpd-manual-2.2.xx-xx.x
rpm -e httpd-manual
Sep 21, 2009
www.RD1.net
16
www.RD1.net
17
http://httpd.apache.org/docs/2.0/mod/
http://httpd.apache.org/docs/2.2/mod/
Also Review Module recommendations in CIS
Benchmark Appendix
Some Modules have their own website, (such as
modsecurity.org) check your favorite search
engine.
Sep 21, 2009
www.RD1.net
18
Options Directive
Apache 2.2 docs
Description: Configures what features are available
in a particular directory
Syntax: Options [+|-]option [[+|-]option] ...
Default: Options All
Context: server config, virtual host, directory,
.htaccess
Override: Options
Module: core
Sep 21, 2009
www.RD1.net
19
Options Directive
Example 1 - Top Level Root
<Directory />
. . .
Options None
</Directory>
Options ExecCGI
</Directory>
www.RD1.net
20
Options Directive
Options
www.RD1.net
21
Access Controls
www.RD1.net
22
www.RD1.net
23
www.RD1.net
24
www.RD1.net
25
www.RD1.net
26
www.RD1.net
27
www.RD1.net
28
/var/www/chroot
www.RD1.net
29
www.RD1.net
30
www.RD1.net
31
www.RD1.net
32
/etc/selinux/targeted/contexts/files/
file_contexts labels directories with types
/var/www/cgi-bin(/.*)?
system_u:object_r:httpd_sys_script_exec_t:s0
/var/www(/.*)?
system_u:object_r:httpd_sys_content_t:s0
www.RD1.net
33
www.RD1.net
34
www.RD1.net
35
www.RD1.net
36
www.RD1.net
37
www.RD1.net
38
www.RD1.net
39
Mod Security
The Web Application Firewall
www.RD1.net
40
Mod_Security Features
Open Source Web Application Firewall
Features:
Request filtering
Anti-evasion techniques - paths and parameters
are normalized
Understands the HTTP protocol
Performs very specific and fine grain filtering.
POST payload analysis
www.RD1.net
41
www.RD1.net
42
Mod_security Configuration
Easily Installed via package, or build from
source.
Configuration mod_security.conf
Rename file if using include conf.d/
LoadModule security_module modules/mod_security.so
<IfModule mod_security.c>
# Turn the Filtering and Audit engine, On
SecFilterEngine On
SecAuditEngine RelevantOnly
Sep 21, 2009
www.RD1.net
43
www.RD1.net
44
www.RD1.net
45
www.RD1.net
46
www.RD1.net
47
Logging Directives
LogLevel
Controls Verbosity
Values are emerg, alert, crit, error, warn, notice,
info and debug
Notice is recommended
www.RD1.net
48
www.RD1.net
49
Log Monitoring
Sample LogWatch output with Web Attacks
Requests with error response codes
404 Not Found
//README: 2 Time(s)
//chat/messagesL.php3: 1 Time(s)
//graph_image.php: 1 Time(s)
/PhpMyChat//chat/messagesL.php3: 1 Time(s)
/horde-3.0.5//README: 2 Time(s)
406 Not Acceptable
/: 2 Time(s)
/robots.txt: 1 Time(s)
Sep 21, 2009
www.RD1.net
50
www.RD1.net
51
Abuse Reports
Why Report Attacks on your Servers?
www.RD1.net
52
www.RD1.net
53
www.RD1.net
54
www.RD1.net
55
Abuse Responses
From: Amazon EC2 Abuse ec2-abuse-team@amazon.com
Thank you for submitting your abuse report.
We have received your report of Intrusion Attempts originating from our network.
We have completed an initial investigation of the issue and learned that the
activity you noticed did indeed originate from an Amazon EC2 instance. These
intrusion attempts that you report were not, however, initiated by Amazon.
One of the biggest advantages of Amazon EC2 is that developers are given
complete control of their instances. . . .
That said, we do take reports of unauthorized network activity from our
environment very seriously. It is specifically forbidden in our terms of use. This
instance has since been terminated.
www.RD1.net
56
OSSEC.net
OSSEC Open Source HIDS, central logging and
monitoring solution aka SIM/SEM/SIEM
Supports most platforms
Linux/Unix/Windows/Mac
Real-time alerting
Active response - blocking of attacks
Agent and Agentless monitoring
File Integrity Monitoring
Rootkit detection
Sep 21, 2009
www.RD1.net
57
Questions?
rd@rd1.net