
Web Server Administration
Chapter 10
Securing the Web Environment


Overview

Identify threats and vulnerabilities
Secure data transmission
Secure the operating system
Secure server applications
Authenticate Web users
Use a firewall
Use a proxy server
Use intrusion detection software


Identifying Threats and Vulnerabilities

Focus is on threats from the Internet
Attackers sometimes want the challenge of penetrating a system and vandalizing it; other times they are after data
  Data can be credit card numbers, user names and passwords, or other personal data
Information can be gathered while it is being transmitted (eavesdropping on the network)
Often, operating system flaws assist the attacker


Examining TCP/IP

Attackers often take advantage of the intricacy of TCP/IP
The following parts of the IP header are most relevant to security
  Source address (easily forged, so a filter must never trust it on its own)
  Destination address
  Packet identification, flags, fragment offset (fragmentation is used to slip past filters and to crash careless reassembly code)
  Total length
  Protocol: TCP, UDP, ICMP


TCP: Delivering Data to Applications

Important header fields
  Source and destination ports
  Sequence number, data offset
  Flags, such as SYN, ACK, FIN
Establishing a TCP connection: the three-way handshake (SYN, SYN-ACK, ACK); an attacker who sends many SYNs and never completes the handshake can exhaust the server's connection table


Vulnerabilities of DNS

Historically DNS has had security problems
BIND is the most common implementation of DNS, and some older versions had serious bugs
BIND 9, the current version at the time of writing, has a much better security record; keep it patched



Vulnerabilities in Operating Systems

Operating systems are large and complex, which means there are more opportunities for attack
Although Windows has had its share of problems, inattentive administrators often fail to apply patches when they become available
Some attacks, such as buffer overruns, can allow the attacker to take over the computer


Vulnerabilities in Web Servers

Static HTML pages pose virtually no problem
Programming environments and databases add complexity that an attacker can exploit
Programmers often do not have time to focus on security


Vulnerabilities of E-mail Servers

By design, e-mail servers are open
E-mail servers can be harmed by a series of very large e-mail messages
Sending an overwhelming number of messages at the same time can prevent valid users from accessing the server
Viruses can be sent to e-mail users
Retrieving e-mail over the Internet (POP3, IMAP) often involves sending your user name and password as clear text



Securing Data Transmission

To secure data on a network that is accessible to others, you need to encrypt the data
SSL (today superseded by its successor, TLS) is the most common method of encrypting data between a browser and Web server
Secure Shell (SSH) is a secure replacement for Telnet


Secure Sockets Layer (SSL)

A digital certificate issued by a certification authority (CA) identifies an organization: it binds the organization's name to its public key
The public key infrastructure (PKI) defines the system of CAs and certificates
Public key cryptography depends on two keys
  A public key is shared with everyone
  The public key can be used to encrypt data
  Only the owner of the public key has the corresponding private key, which is needed to decrypt the data
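The two-key relationship described above, as an added example that is not part of the slides: a throwaway RSA key pair is generated with the OpenSSL command-line tool, a message is encrypted with the public half and recovered only with the private half, and a self-signed certificate shows how a name is bound to that public key. The key size, the subject name www.example.com and the message are chosen for the example; the block assumes the openssl binary is installed.

```shell
#!/bin/sh
# Added example (not from the slide deck): public/private key pair with OpenSSL.
# Key size, certificate subject and message text are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The owner generates a key pair and keeps priv.pem secret.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/priv.pem" 2>/dev/null
    # pub.pem is the half that can be handed out to everyone.
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

# 2. Anyone holding pub.pem can encrypt ($1 = plaintext) ...
encrypt_with_public() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -out "$WORK/msg.enc"
}

# ... but only the holder of priv.pem can turn msg.enc back into text.
decrypt_with_private() {
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" -in "$WORK/msg.enc"
}

# 3. A certificate binds the public key to an identity. Here it is self-signed;
#    in production a CA signs a certificate request instead, and the browser
#    trusts the CA rather than the site.
make_cert() {
    openssl req -new -x509 -key "$WORK/priv.pem" -days 1 \
        -subj "/CN=www.example.com/O=Example Org" -out "$WORK/cert.pem" 2>/dev/null
    # Print the subject a browser compares against the host name it connected to
    openssl x509 -in "$WORK/cert.pem" -noout -subject
}

# Encrypt with the public key, decrypt with the private key, print the result.
roundtrip() {
    make_keypair
    encrypt_with_public "$1"
    decrypt_with_private
}

roundtrip 'card 4111 1111 1111 1111'
echo
make_cert
```

Run it as-is to see the message survive the round trip and the certificate subject printed; `openssl x509 -in cert.pem -text -noout` shows the full certificate, including the public key that the subject name is bound to.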


Establishing an SSL Connection


Using SSH for Tunneling

Tunneling allows you to use an unsecure protocol, such as POP3, through a secure connection, such as SSH
To set up tunneling
  Configure the SSH client so the local port is 55555 (or another port between 1024 and 65535)
  Configure the SSH client to forward that local port to POP3 port 110 on the server
  Connect and log in to the SSH server with the SSH client
  Direct the e-mail client to localhost port 55555 and log in to the e-mail server
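The four steps above as a single OpenSSH command, added here as an example rather than taken from the slides. The helper below only builds and validates the command line; the host name mail.example.com and user mnoia are placeholders, and the forwarded service can be any clear-text protocol, not just POP3.

```shell
#!/bin/sh
# Added example (not from the slide deck): compose the OpenSSH port-forwarding
# command for the POP3-over-SSH tunnel. Host and user names are placeholders.
#
# Usage: tunnel_cmd LOCAL_PORT USER@SSH_HOST [REMOTE_PORT]
tunnel_cmd() {
    local_port=$1
    ssh_target=$2
    remote_port=${3:-110}            # POP3 by default; 143 would be IMAP

    # The slide requires an unprivileged local port (1024-65535)
    case $local_port in
        *[!0-9]*|'') echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$local_port" -lt 1024 ] || [ "$local_port" -gt 65535 ]; then
        echo "local port $local_port is outside 1024-65535" >&2
        return 1
    fi

    # -N  : no remote shell, just forward ports.
    # -L  : listen locally, send everything through the SSH session.
    # Bind the listener to 127.0.0.1 so other hosts on the LAN cannot ride
    # the tunnel. "localhost" on the right-hand side is resolved by the SSH
    # *server*, so POP3 traffic is encrypted all the way to that machine and
    # only travels in clear text inside it.
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$local_port" "$remote_port" "$ssh_target"
}

# Start the tunnel in the background, then point the mail client at
# 127.0.0.1 port 55555 instead of the POP3 server:
#   $(tunnel_cmd 55555 mnoia@mail.example.com) &
tunnel_cmd 55555 mnoia@mail.example.com
```

Check that the tunnel is really listening only on the loopback address with `netstat -ltn` (the entry should read 127.0.0.1:55555, not 0.0.0.0:55555) before entering the mailbox password in the e-mail client.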


Securing the Operating System

Use the server for only necessary tasks
Minimize user accounts
Disable services that are not needed
Make sure that you have a secure password
  In addition to using upper case, lower case, numbers and symbols, you can hold down the ALT key and type a number from 1 to 255 on the numeric keypad to enter an extended character
  Check a table of ALT values to avoid common characters
  Extended characters enlarge the character set a dictionary or brute-force attack has to cover; they complement a long, unique password rather than replace it


Securing Windows

There are many services that are not needed in Windows for most Internet-based server applications
  Alerter
  Computer browser
  DHCP client
  DNS client
  Messenger
  Server
  Workstation
Also, the registry can be used to alter the configuration to make it more secure, such as disabling short (8.3) file names, which let an attacker guess otherwise unpredictable file names


Securing Linux

As with Windows, make sure that you only run daemons (services) that you need
Generally, daemons are disabled by default
The command netstat -l lists the sockets on which daemons are listening (netstat -ltn shows TCP listeners with numeric ports)
Use chkconfig to enable and disable daemons at boot (on systemd distributions, systemctl enable and systemctl disable)
  chkconfig imap on would enable imap
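An added example, not from the slides, of turning the netstat listing into a check: listening TCP ports are compared with the short list a Web server should expose, and anything else is reported for review. The netstat output below is constructed for the example; on a live host feed it the real output of netstat -ltn (or ss -ltn).

```shell
#!/bin/sh
# Added example (not from the slide deck): flag listening TCP sockets that are
# not on an allow-list of expected ports. SAMPLE_NETSTAT is constructed output
# in "netstat -ltn" format; replace it with the live command on a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

# unexpected_listeners "PORT PORT ..."  reads netstat output on stdin and
# prints "address:port" for every LISTEN socket whose port is not allowed.
# Sockets bound to the loopback address are skipped: they cannot be reached
# from the Internet, which is what this chapter is concerned with.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            if (addr ~ /^127\.0\.0\.1:/ || addr ~ /^::1:/) next
            if (!(port in ok)) print addr
        }'
}

# A Web server should expose only SSH, HTTP and HTTPS. Everything else printed
# here (IMAP on 143, the portmapper on 111) is a candidate for "chkconfig X off".
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80 443"
```

Run on the sample it prints 0.0.0.0:143 and 0.0.0.0:111. The port numbers alone do not tell you which daemon owns them; `netstat -ltnp` (as root) adds the process name, which is what you pass to chkconfig or systemctl to disable it.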



Securing E-mail

You have already seen the ability to tunnel POP3 through SSH, which prevents the user name, password and messages from being seen on the network
Exchange 2000 can also use SSL for the protocols it uses
To prevent someone from sending large e-mail messages until the disk is full, set a size limit for each mailbox (and a maximum message size on the server)


Securing the Web Server

Enable the minimum features
  If you don't need a programming language, do not enable it
Make sure programmers understand security issues
Implement SSL where appropriate


Securing the Web Server: Apache Directories

You can restrict access to directories by using "allow" and "deny"
The following only allows computers with the two IP addresses to access the directory (Apache 2.2 syntax)

<Directory "/var/www/html/reports">
    Order Deny,Allow
    Deny from all
    Allow from 10.10.10.5 192.168.0.3
</Directory>

Note the order: with Order Deny,Allow the Deny rules are evaluated first and a matching Allow overrides them, so everyone is refused except the two listed addresses. With Order Allow,Deny and "Deny from all", the Deny would match every client and override the Allow, locking everyone out.


Securing the Web Server: IIS

The URLScan utility blocks potentially harmful page requests
The IIS Lockdown utility has templates to ensure that you only enable what you need
Change NTFS permissions in \inetpub\wwwroot from Everyone: Full Control to Everyone: Read & Execute, so anonymous users can never write to the content directory
In IIS 5, delete the \samples, \IISHelp and \MSADC folders
Remove the script mappings for extensions you do not use, such as .htr, .idc, .stm, and others


Authenticating Web Users

Both Apache and IIS use HTTP to enable authentication
  The browser tries to access a protected directory and the server refuses (401 Unauthorized, with a WWW-Authenticate header naming the realm)
  The browser then requests the user name and password from the user in a dialog box
  The browser repeats the request with the user information in an Authorization header, and the server grants access
Used in conjunction with SSL, because Basic authentication sends the credentials in clear text
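What "clear text" means for the Authorization header in the exchange above, as an added example that is not part of the slides: the browser only Base64-encodes user:password, and anyone who captures the request reverses it with one command. The user name mnoia and password are made up.

```shell
#!/bin/sh
# Added example (not from the slide deck): the HTTP Basic authentication header.
# Credentials are made up for the demo.
#
# The exchange the slide describes, on the wire:
#   1. GET /reports/ HTTP/1.1                -> 401 Unauthorized
#                                               WWW-Authenticate: Basic realm="Internal Product Information"
#   2. browser prompts the user, then repeats the request with
#      Authorization: Basic <base64("user:password")>
#   3. server checks the pair against its user file -> 200 OK, or 401 again

# Build the header a browser sends for user $1 and password $2.
basic_auth_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Recover user:password from a captured header line. Base64 is an encoding,
# not encryption, so whoever sees the packet has the password; that is why
# Basic authentication is acceptable only inside an SSL/TLS session.
decode_basic_header() {
    value=${1#"Authorization: Basic "}
    # If the prefix was not stripped this is not a Basic header
    [ "$value" != "$1" ] || { echo "not a Basic header" >&2; return 1; }
    printf '%s' "$value" | base64 -d
}

hdr=$(basic_auth_header mnoia secret)
echo "$hdr"
decode_basic_header "$hdr"
echo
```

Digest authentication sends a hash instead of the password, which removes this particular exposure but still does not protect the page content; SSL covers both.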


Configuring User Authentication in IIS

Four types of authenticated access
  Windows integrated authentication
    Most secure; requires IE
  Digest authentication for Windows domain servers
    Works with proxy servers
    Requires Active Directory and IE
  Basic authentication
    User name and password in clear text (Base64-encoded, not encrypted), so use it only over SSL
    Works with IE, Netscape, and others
  Passport authentication
    Centralized form of authentication
    Only available on Windows Server 2003


User Authentication in Apache

Basic authentication is most common
User names and passwords are kept in a separate file (keep it outside the document root so it cannot be downloaded)
Create the password file with htpasswd
  -c creates the users file; use it only for the first user, because it overwrites an existing file
  -b takes the password from the command line instead of prompting; it then shows up in the shell history and process list, so prefer the prompt

htpasswd -c users mnoia
htpasswd users fpessoa
htpasswd -b users lcamoes lusiades


Apache User Authentication Directives

AuthName: Specifies the descriptive text (the realm) that appears in the user's browser when the request is made to log on. Quote it if it contains spaces. Example: AuthName "Internal Product Information"

AuthType: Specifies the authentication type. Digest requires mod_auth_digest, which is not always loaded, so use Basic (over SSL). Example: AuthType Basic

AuthUserFile: Specifies the complete path to the user authentication file. Example: AuthUserFile /var/www/users

AuthGroupFile: Specifies the complete path to the text file that associates users with groups.

require: Defines which users in the user authentication file are allowed access to the directory. Examples:
  require user fpessoa lcamoes
  require group developers designers
  require valid-user
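The address restriction from the Apache Directories slide and the authentication directives in this table, combined into one configuration as an added example (not from the slides). It uses Apache 2.4 syntax, where Require replaces Order/Allow/Deny; the paths, addresses, realm, and the groups file /var/www/groups are placeholders, and mod_ssl is assumed to be loaded for the SSLRequireSSL line.

```apache
# Added example, not from the slides. Apache 2.4 syntax: "Require" replaces
# Order/Allow/Deny. Needs mod_authz_core, mod_authz_host, mod_auth_basic,
# mod_authz_user, mod_authz_groupfile and mod_ssl. Paths, addresses, realm
# and group names are placeholders.

# 1. Address-based restriction only: the two listed hosts and nobody else
<Directory "/var/www/html/reports">
    Require ip 10.10.10.5 192.168.0.3
</Directory>

# 2. Address restriction AND a login, with the credentials protected by SSL
<Directory "/var/www/html/internal">
    # Refuse the request outright on plain HTTP so Basic credentials are
    # never sent in clear text
    SSLRequireSSL

    AuthType Basic
    AuthName "Internal Product Information"
    AuthBasicProvider file
    # Both files live outside the document root so they cannot be fetched
    AuthUserFile  /var/www/users
    AuthGroupFile /var/www/groups

    # Every Require inside RequireAll must succeed: right network AND a
    # valid member of one of the two groups
    <RequireAll>
        Require ip 10.10.10.0/24
        Require group developers designers
    </RequireAll>
</Directory>
```

The groups file is one line per group, "developers: fpessoa lcamoes". Run apachectl configtest after editing, then confirm from a host outside 10.10.10.0/24 that /internal/ returns 403 even with a correct password, and that http:// (not https://) is refused before the browser ever prompts.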

