Preventing Web Attacks with Apache

by Ryan C. Barnett

  • ISBN13: 9780321321282
  • ISBN10: 0321321286
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2006-01-27
  • Publisher: Addison-Wesley Professional

Summary

Secure and lock down this extremely popular and versatile Web server - from a recognized Apache security expert and SANS instructor.

Author Biography

Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, “Hacker Techniques, Exploits, and Incident Handling,” course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.

Table of Contents

About the Author  xix
Foreword  xxi
Acknowledgments  xxv
Introduction  xxvii
Web Insecurity Contributing Factors  1(12)
    A Typical Morning  1(2)
    Why Web Security Is Important  3(1)
    Web Insecurity Contributing Factors  4(1)
    Managerial/Procedural Issues  4(3)
    Management and the Bottom Line  4(1)
    Selling Loaded Guns  5(1)
    The Two-Minute Drill  5(1)
    Development Environment Versus Production Environment  6(1)
    Firefighting Approach to Web Security (Reacting to Fires)  7(1)
    Technical Misconceptions Regarding Web Security  7(4)
    "We have our web server in a Demilitarized Zone (DMZ)."  8(1)
    "We have a firewall."  9(1)
    "We have a Network-Based Intrusion Detection System."  9(2)
    "We have a Host-Based Intrusion Detection System."  11(1)
    "We are using Secure Socket Layer (SSL)."  11(1)
    Summary  11(2)
CIS Apache Benchmark  13(40)
    CIS Apache Benchmark for UNIX: OS-Level Issues  13(37)
    Minimize/Patch Non-HTTP Services  13(6)
    Example Service Attack: 7350wu FTP Exploit  19(3)
    Vulnerable Services' Impact on Apache's Security  22(1)
    Apply Vendor OS Patches  23(1)
    Tune the IP Stack  24(1)
    Denial of Service Attacks  25(3)
    Create the Web Groups and User Account  28(3)
    Lock Down the Web Server User Account  31(1)
    Implementing Disk Quotas  32(3)
    Accessing OS-Level Commands  35(4)
    Update the Ownership and Permissions of System Commands  39(1)
    Traditional Chroot  40(1)
    Chroot Setup Warning  41(1)
    Mod_Security Chroot  41(1)
    Chroot Setup  41(9)
    Summary  50(3)
Downloading and Installing Apache  53(28)
    Apache 1.3 Versus 2.0  53(1)
    Using Pre-Compiled Binary Versus Source Code  54(2)
    Downloading the Apache Source Code  56(7)
    Why Verify with MD5 and PGP?  56(7)
    Uncompress and Open: Gunzip and Untar  63(17)
    Patches: Get 'em While They're Hot!  64(2)
    Monitoring for Vulnerabilities and Patches  66(4)
    What Modules Should I Use?  70(10)
    Summary  80(1)
Configuring the httpd.conf File  81(44)
    CIS Apache Benchmark Settings  84(1)
    The httpd.conf File  85(1)
    Disable Un-Needed Modules  86(1)
    Directives  86(1)
    Server-Oriented Directives  87(3)
    Multi-Processing Modules (MPMs)  87(1)
    Listen  88(1)
    ServerName  88(1)
    ServerRoot  89(1)
    DocumentRoot  89(1)
    HostnameLookups  89(1)
    User-Oriented Directives  90(2)
    User  90(1)
    Group  91(1)
    ServerAdmin  91(1)
    Denial of Service (DoS) Protective Directives  92(7)
    Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration  92(2)
    TimeOut  94(1)
    KeepAlive  95(1)
    KeepAliveTimeout  95(1)
    MaxKeepAliveRequests  95(1)
    StartServers  96(1)
    MinSpareServers and MaxSpareServers  96(1)
    ListenBacklog  96(1)
    MaxClients and ServerLimit  97(1)
    Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration  97(2)
    Forward Reference  99(1)
    Software Obfuscation Directives  99(5)
    ServerTokens  99(2)
    ServerSignature  101(1)
    ErrorDocument  102(2)
    Directory Functionality Directives  104(3)
    All  104(1)
    ExecCGI  104(1)
    FollowSymLinks and SymLinksIfOwnerMatch  105(1)
    Includes and IncludesNoExec  105(1)
    Indexes  106(1)
    AllowOverride  106(1)
    Multiviews  107(1)
    Access Control Directives  107(1)
    Authentication Setup  108(1)
    Authorization  109(2)
    Order  110(1)
    Order deny,allow  110(1)
    Order allow,deny  110(1)
    Access Control: Where Clients Come From  111(3)
    Hostname or Domain  111(1)
    IP Address and IP Range  112(1)
    Client Request ENV  112(1)
    Protecting the Root Directory  113(1)
    Limiting HTTP Request Methods  114(1)
    Logging General Directives  114(2)
    LogLevel  114(1)
    ErrorLog  115(1)
    LogFormat  115(1)
    CustomLog  115(1)
    Removing Default/Sample Files  116(2)
    Apache Source Code Files  116(1)
    Default HTML Files  116(1)
    Sample CGIs  117(1)
    Webserv User Files  118(1)
    Updating Ownership and Permissions  118(2)
    Server Configuration Files  119(1)
    DocumentRoot Files  119(1)
    CGI-Bin  119(1)
    Logs  120(1)
    Bin  120(1)
    Updating the Apachectl Script  120(2)
    Nikto Scan After Updates  122(1)
    Summary  122(3)
Essential Security Modules for Apache  125(46)
    Secure Socket Layer (SSL)  125(19)
    Why Should I Use SSL?  126(2)
    How Does SSL Work?  128(4)
    Software Requirements  132(1)
    Installing SSL  133(1)
    Creating an SSL Certificate  133(1)
    Testing the Initial Configuration  134(3)
    Configuring mod_ssl  137(7)
    SSL Summary  144(1)
    Mod_Rewrite  144(3)
    Enabling Mod_Rewrite  145(2)
    Mod_Rewrite Summary  147(1)
    Mod_Log_Forensic  147(2)
    Mod_Dosevasive  149(6)
    What Is Mod_Dosevasive?  149(1)
    Installing Mod_Dosevasive  149(1)
    How Does Mod_Dosevasive Work?  150(1)
    Configuration  151(4)
    Mod_Dosevasive Summary  155(1)
    Mod_Security  155(14)
    Installing Mod_Security  156(1)
    Mod_Security Overview  156(1)
    Features and Capabilities of Mod_Security  157(1)
    Anti-Evasion Techniques  158(1)
    Special Built-In Checks  159(3)
    Filtering Rules  162(2)
    Actions  164(4)
    Wait, There's Even More!  168(1)
    Summary  169(2)
Using the Center for Internet Security Apache Benchmark Scoring Tool  171(10)
    Downloading, Unpacking, and Running the Scoring Tool  171(9)
    Unpacking the Archive  173(1)
    Running the Tool  174(6)
    Summary  180(1)
Mitigating the WASC Web Security Threat Classification with Apache  181(74)
    Contributors  182(1)
    Web Security Threat Classification Description  182(2)
    Goals  183(1)
    Documentation Uses  183(1)
    Overview  183(1)
    Background  184(1)
    Classes of Attack  184(2)
    Threat Format  186(1)
    Authentication  186(9)
    Brute Force  187(4)
    Insufficient Authentication  191(1)
    Weak Password Recovery Validation  192(3)
    Authorization  195(10)
    Credential/Session Prediction  195(3)
    Insufficient Authorization  198(1)
    Insufficient Session Expiration  199(2)
    Session Fixation  201(4)
    Client-Side Attacks  205(5)
    Content Spoofing  205(2)
    Cross-Site Scripting  207(3)
    Command Execution  210(22)
    Buffer Overflow  210(5)
    Format String Attack  215(3)
    LDAP Injection  218(2)
    OS Commanding  220(3)
    SQL Injection  223(5)
    SSI Injection  228(2)
    XPath Injection  230(2)
    Information Disclosure  232(11)
    Directory Indexing  232(4)
    Information Leakage  236(3)
    Path Traversal  239(3)
    Predictable Resource Location  242(1)
    Logical Attacks  243(10)
    Abuse of Functionality  244(2)
    Denial of Service  246(4)
    Insufficient Anti-Automation  250(1)
    Insufficient Process Validation  251(2)
    Summary  253(2)
Protecting a Flawed Web Application: Buggy Bank  255(40)
    Installing Buggy Bank  256(5)
    Buggy Bank Files  257(1)
    Turn Off Security Settings  258(1)
    Testing the Installation  258(3)
    Functionality  261(1)
    Login Accounts  262(1)
    Assessment Methodology  262(4)
    General Questions  262(1)
    Tools Used  263(1)
    Configuring Burp Proxy  263(3)
    Buggy Bank Vulnerabilities  266(16)
    Comments in HTML  266(1)
    Enumerating Account Numbers  267(3)
    How Much Entropy?  270(1)
    Brute Forcing the Account Numbers  270(3)
    Enumerating PIN Numbers  273(1)
    Account Unlocked  274(1)
    Account Locked  274(2)
    Brute Forcing the PIN Numbers  276(1)
    Command Injection  277(1)
    Injecting Netstat  278(4)
    SQL Injection  282(5)
    SQL Injection Mitigation  285(2)
    Cross-Site Scripting (XSS)  287(3)
    Mitigations  289(1)
    Balance Transfer Logic Flaw  290(3)
    Mitigation  292(1)
    Summary  293(2)
Prevention and Countermeasures  295(136)
    Why Firewalls Fail to Protect Web Servers/Applications  296(3)
    Why Intrusion Detection Systems Fail as Well  299(5)
    Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls  304(5)
    Deep Packet Inspection Firewall  304(1)
    Inline IDS  305(2)
    Web Application Firewall (WAF)  307(2)
    Web Intrusion Detection Concepts  309(33)
    Signature-Based  309(5)
    Positive Policy Enforcement (White-Listing)  314(11)
    Header-Based Inspection  325(4)
    Protocol-Based Inspection  329(7)
    Uniform Resource Identifier (URI) Inspection  336(3)
    Heuristic-Based Inspection  339(1)
    Anomaly-Based Inspection  340(2)
    Web IDS Evasion Techniques and Countermeasures  342(10)
    HTTP IDS Evasion Options  342(5)
    Anti-Evasion Mechanisms  347(1)
    Evasion by Abusing Apache Functionality  348(4)
    Identifying Probes and Blocking Well-Known Offenders  352(11)
    Worm Probes  352(2)
    Blocking Well-Known Offenders  354(3)
    Nmap Ident Scan  357(1)
    Nmap Version Scanning  358(1)
    Why Change the Server Banner Information?  359(2)
    Masking the Server Banner Information  361(2)
    HTTP Fingerprinting  363(16)
    Implementation Differences of the HTTP Protocol  364(6)
    Banner Grabbing  370(1)
    Advanced Web Server Fingerprinting  370(1)
    HTTPrint  371(2)
    Web Server Fingerprinting Defensive Recommendations  373(6)
    Bad Bots, Curious Clients, and Super Scanners  379(9)
    Bad Bots and Curious Clients  379(2)
    Super Scanners  381(7)
    Reacting to DoS, Brute Force, and Web Defacement Attacks  388(11)
    DoS Attacks  388(1)
    Brute Force Attacks  389(3)
    Web Defacements  392(5)
    Defacement Countermeasures  397(2)
    Alert Notification and Tracking Attackers  399(13)
    Setting Up Variables  402(1)
    Creating Historical Knowledge  403(1)
    Filtering Out Noise and Thresholding Emails  403(1)
    Request Snapshot and Attacker Tracking Links  403(1)
    Send Alert to Pager  404(1)
    Crude Pause Feature  404(1)
    Send the HTML  404(1)
    Example Email Alerts  404(8)
    Log Monitoring and Analysis  412(12)
    Real-Time Monitoring with Swatch  413(4)
    Heuristic/Statistical Log Monitoring with SIDS  417(7)
    Honeypot Options  424(5)
    Sticky Honeypot  424(1)
    FakePHF  425(2)
    OS Commanding Trap and Trace  427(1)
    Mod_Rewrite (2.1) to the Rescue  428(1)
    Summary  429(2)
Open Web Proxy Honeypot  431(78)
    Why Deploy an Open Web Proxy Honeypot?  431(2)
    Lack of Knowledge That an Attack Even Occurred  432(1)
    Lack of Verbose/Adequate Logging of HTTP Transactions  432(1)
    Lack of Interest in Public Disclosure of the Attack  432(1)
    What Are Proxy Servers?  433(1)
    Open Proxy Background  434(1)
    Open Web Proxy Honeypot  435(4)
    Linksys Router/Firewall  435(1)
    Turn Off Un-Needed Network Services  436(1)
    Configure Apache for Proxy  436(3)
    Data Control  439(3)
    Mod_Dosevasive  439(1)
    Mod_Security  439(2)
    Utilizing Snort Signatures  441(1)
    Brute Force Attacks  441(1)
    Data Capture  442(2)
    Real-Time Monitoring with Webspy  444(1)
    Honeynet Project's Scan of the Month Challenge #31  444(3)
    The Challenge  445(1)
    Initial Steps  446(1)
    Question: How Do You Think the Attackers Found the Honeyproxy?  447(1)
    Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find?  448(22)
    Search Logs for Mod_Security-Message  449(1)
    Utilization of the AllowConnect Proxying Capabilities  450(1)
    Search Logs for Abnormal HTTP Status Codes  451(3)
    Abnormal HTTP Request Methods  454(1)
    Non-HTTP Compliant Requests  455(2)
    Attack Category: SPAMMERS  457(2)
    Attack Category: Brute Force Authentication  459(1)
    Attack Category: Vulnerability Scans  459(6)
    Attack Category: Web-Based Worms  465(3)
    Attack Category: Banner/Click-Thru Fraud  468(1)
    Attack Category: IRC Connections  469(1)
    Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers?  470(3)
    Did They Target SSL on Our Honeyproxy?  471(1)
    Why Would They Want to Use SSL?  472(1)
    Why Didn't They Use SSL Exclusively?  472(1)
    Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers?  473(8)
    Identifying the Activity
    Confirming the Proxy Servers  475(4)
    Targeting Specific Open Proxies  479(1)
    Targeting Specific Destination Servers  480(1)
    Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods  481(12)
    HTTP Get Requests  481(1)
    HTTP Post Requests  482(1)
    HTTP Basic Authentication  483(2)
    Obtaining the Cleartext Authorization Credentials  485(1)
    Distributed Brute Force Scan Against Yahoo Accounts  486(1)
    Forward and Reverse Scanning  487(6)
    Question: What Does the Mod_Security Error Message "Invalid Character Detected" Mean? What Were the Attackers Trying to Accomplish?  493(4)
    SecFilterCheckURLEncoding: URL-Encoding Validation  493(1)
    SecFilterCheckUnicodeEncoding: Unicode-Encoding Validation  494(1)
    SecFilterForceByteRange: Byte Range Check  494(1)
    Socks Proxy Scan  494(1)
    Code Red/NIMDA Worm Attacks  495(2)
    Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients?  497(1)
    SPAM Recipients
    Question: Provide Some High-Level Statistics  498(4)
    Top Ten Attacker IP Addresses  498(2)
    Top Ten Targets  500(1)
    Top User-Agents (Any Weird/Fake Agent Strings?)  500(1)
    Attacker Correlation from DShield and Other Sources?  501(1)
    Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web Sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios)  502(4)
    Even Though the Proxypot's IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner?  504(2)
    Summary  506(3)
Putting It All Together  509(14)
    Example Vulnerability Alert  509(1)
    Verify the Software Version  510(1)
    Patch Availability  510(1)
    Vulnerability Details  511(6)
    Creating a Mod_Security Vulnerability Filter  514(1)
    Testing the Vulnerability Filter  515(1)
    First Aid Versus a Hospital  516(1)
    Web Security: Beyond the Web Server  517(5)
    Domain Hijacking  517(1)
    DNS Cache Poisoning  517(2)
    Caching Proxy Defacement  519(1)
    Banner Ad Defacement  520(1)
    News Ticker Manipulations  521(1)
    Defacement or No Defacement?  521(1)
    Summary  522(1)
Appendix A Web Application Security Consortium Glossary  523(10)
Appendix B Apache Module Listing  533(16)
Appendix C Example httpd.conf File  549(12)
Index  561
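The outline above names the httpd.conf hardening directives (the chapter "Configuring the httpd.conf File") and the Mod_Security built-in checks behind the "Invalid character detected" message (the chapter "Open Web Proxy Honeypot") but shows no configuration. The fragment below is an added example written for this page; it is not the book's Appendix C httpd.conf and not code from the author. It uses Apache 2.0/2.2 syntax (Order/Allow/Deny, Mod_Security 1.x directives) to match the book's era. The paths, the webserv account and the 10.0.0.0/8 admin range are placeholders.

```apache
# Added example, not the book's own configuration. Apache 2.0/2.2 syntax;
# on Apache 2.4 replace the Order/Allow/Deny lines with Require directives.
# Comments must sit on their own lines: httpd does not allow a trailing "#".

# Software obfuscation: "Server: Apache" only, no version footer on
# server-generated error pages, custom 404 instead of the stock one.
ServerTokens Prod
ServerSignature Off
ErrorDocument 404 /errors/404.html

# Run worker processes as a dedicated, unprivileged account (placeholder name).
User webserv
Group webserv

# DoS-protective tuning: short idle timeout, bounded keepalive and workers.
Timeout 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
MaxClients 150

# Protect the root directory: deny everything, disable all options and
# .htaccess overrides, then re-enable only what each tree needs.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Document root (placeholder path): no listings, CGI, SSI, symlink following
# or MultiViews, and only the request methods the site uses (HEAD is
# covered by GET in a Limit section).
<Directory "/var/www/html">
    Options -Indexes -ExecCGI -Includes -FollowSymLinks -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# Origin-based access control: an admin area reachable from one range only.
<Directory "/var/www/html/admin">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>

# Logging: the combined format keeps Referer and User-Agent for analysis.
LogLevel notice
ErrorLog logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined

# Mod_Security 1.x: the three built-in checks named in the outline, a default
# deny action, a request-method whitelist and a directory-traversal filter.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterForceByteRange 32 126
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
    SecFilterSelective THE_REQUEST "\.\./"
</IfModule>
```

Run `apachectl configtest` before a graceful restart. Two caveats: SecFilterForceByteRange 32 126 rejects every non-ASCII byte, so a site that accepts UTF-8 input needs a wider range; and these rules are Mod_Security 1.x syntax, which ModSecurity 2.x (SecRule) does not load, just as Apache 2.4 needs mod_access_compat for the Order/Allow/Deny lines.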

Excerpts

Foreword

Ryan Barnett recently asked if I'd write the foreword to his book. I was delighted to even be considered because Ryan is an exceptional security professional and the honor could have easily gone to anyone in the industry. Ryan has a background as someone who actively defends government web sites. He's the person who led the effort to create the Apache Benchmark standard for the Center for Internet Security (CIS). He's a co-author of the Web Security Threat Classification for the Web Application Security Consortium (WASC), and has more certifications than I knew existed. Ryan is also a SANS Instructor for Apache Security. There's quite a bit more, but suffice it to say Ryan has to be one of the most-qualified experts to write Preventing Web Attacks with Apache.

A foreword is an opportunity to express why a particular topic is important and describe what role the information plays in a broader context. Even though I've been part of the web application security field for a really long time (back before there was a term to describe what we do), more research was in order. I fired up Firefox and headed on over to Google for some investigation. Netcraft, the WASC, the CIS, the Open Source Vulnerability Database (OSVDB), SecurityFocus, and Wikipedia are incredible resources for collecting security information. While I was taking notes and saving bookmarks, it suddenly occurred to me that during my research, I must have crossed paths with hundreds of Apache web servers without realizing it. What a perfect way to describe the importance of Apache security!

According to Netcraft's Web Server Survey (September 2005), Apache accounts for roughly 70 percent of the Internet's web servers. Through our tiny browser window, it's difficult to imagine the global hum of 72 million web servers, the keyboard chatter of over 800 million international netizens, wading through a sea of 8 billion web pages. Apache is a fundamental part of our daily online lives--so much so, it's become a transparent artifact in the architecture of the web. When we shop for books, reserve plane tickets, read the news, check our bank account, bid in an auction, or do anything else with a web browser, the odds are there's an Apache web server involved. How's that for important?

The web has become bigger and more powerful than we ever imagined. 24x7x365, web sites carry out mission-critical business processes, exchanging even the most sensitive forms of information including names, addresses, phone numbers, social security numbers, financial records, medical history, birth dates, business contacts, and more. Web sites may also supply access to source code, intellectual property, customer lists, payroll data, HR data, routers, and servers. If a particular computer system or business process isn't web-enabled today, bet that it will be tomorrow. Anything a cyber-criminal would ever want is available somewhere on a web site. With all the great things we can do on the web, one must temper the benefits with the risk that any information available on or behind a web site is also a target for identity theft, industrial espionage, extortion, and fraud. It should come as no surprise that the attack trends we're witnessing are migrating from the network layer up to the web application layer.

Here's where things get interesting and scary at the same time. Firewalls, anti-virus scanners, and Secure Sockets Layer (SSL) do not help secure a web site. Let me say that again. Firewalls, anti-virus scanners, and SSL do not help secure a web site. When you visit any web site, we don't see any of these things because they functionally don't exist at the web layer. On the web, there's nothing standing between a hacker, your web serve
