Web Server Administration
Chapter 10
Securing the Web
Environment
Overview
Identify threats and vulnerabilities
Secure data transmission
Secure the operating system
Secure server applications
Overview
Authenticate Web users
Use a firewall
Use a proxy server
Use intrusion detection software
Identifying Threats and
Vulnerabilities
Focus is on threats from the Internet
Hackers sometimes want the challenge
of penetrating a system and
vandalizing it – other times they are
after data
Data can be credit card numbers, user names
and passwords, other personal data
Information can be gathered while it
is being transmitted
Often, operating system flaws can
assist the hacker
Examining TCP/IP
Hackers often take advantage of
the intricacy of TCP/IP
The following are parts of the IP
header most relevant to security
Source address
Destination address
Packet identification, flags, fragment offset
Total length
Protocol – TCP, UDP, ICMP
TCPDelivering Data to
Applications
Important header fields
Source and destination ports
Sequence number, data offset
Flags, such as SYN, ACK, FIN
Establishing a TCP connection
Vulnerabilities of DNS
Historically DNS has had security problems
BIND is the most common implementation of DNS and some
older version had serious bugs
BIND 9, the current version, has been more secure
Vulnerabilities in
Operating Systems
Operating systems are large and
complex which means that there are
more opportunities for attack
Although Windows has had its share of
problems, often inattentive
administrators often fail to
implement patches when available
Some attacks, such as buffer
overruns, can allow the attacker to
take over the computer
Vulnerabilities in Web
servers
Static HTML pages pose virtually no problem
Programming environments and databases add complexity that
a hacker can exploit
Programmers often do not have time to focus on security
Vulnerabilities of E-mail
Servers
By design, e-mail servers are open
E-mail servers can be harmed by a
series of very large e-mail messages
Sending an overwhelming number of
messages at the same time can
prevent valid users from accessing
the server
Viruses can be sent to e-mail users
Retrieving e-mail over the Internet
often involves sending your user
name and password as clear text
Securing Data
Transmission
To secure data on a network that is accessible to others,
you need to encrypt the data
SSL is the most common method of encrypting data between a
browser and Web server
Secure Shell (SSH) is a secure replacement for Telnet
Secure Sockets Layer
(SSL)
A digital certificate issued by a
certification authority (CA) identifies an
organization
The public key infrastructure (PKI)
defines the system of CAs and certificates
Public key cryptography depends on two
keys
A public key is shared with everyone
The public key can be used to encrypt data
Only the owner of the public key has the corresponding
private key which is needed to decrypt the data
Establishing an SSL
Connection
Using SSH for Tunneling
Tunneling allows you to use an
unsecure protocol, such as POP3,
through a secure connection, such as
SSH
To set up tunneling
Configure the SSH client so the local port is
55555 (or another port between 1024 and
65535)
Configure the SSH client to connect to POP3 port
110
Log in to the SSH client
Direct the e-mail client to port 5555 and log in to
the e-mail server
Securing the Operating
System
Use the server for only necessary tasks
Minimize user accounts
Disable services that are not needed
Make sure that you have a secure
password
In addition to using upper case, lower case
numbers and symbols, hold down the ALT key on a
number (on the numeric keypad) from 1 to 255
Check a table of ALT values to avoid common
characters
The use of the ALT key will thwart most hackers
Securing Windows
There are many services that are not
needed in Windows for most Internetbased server applications
Alerter
Computer browser
DHCP client
DNS client
Messenger
Server
Workstation
Also, the registry can be used to alter
the configuration to make it more secure
such as disabling short file names
Securing Linux
As with Windows, make sure that you
only run daemons (services) that you
need
Generally, daemons are disabled by
default
The command netstat -l gives you a
list of daemons that are running
Use chkconfig to enable and disable
daemons
chkconfig imap on would enable imap
Securing E-mail
You have already seen the ability to tunnel POP3 which
would prevent data from being seen
Exchange 2000 can also use SSL for the protocols it uses
To prevent someone from sending large e-mail messages until
the disk is full, set a size limit for each mailbox
Securing the Web Server
Enable the minimum features
If you don't need a programming language,
do not enable it
Make sure programmers understand security issues
Implement SSL where appropriate
Securing the Web Server
Apache Directories
You can restrict access to directories
by using "allow" and "deny"
The following only allows computers
with the two IP addresses to access
the directory
<Directory "/var/www/html/reports">
order allow, deny
allow from 10.10.10.5 192.168.0.3
deny from all
</Directory>
Securing the Web ServerIIS
The URLScan utility blocks potentially
harmful page requests
The IIS Lockdown utility has templates to
ensure that you only enable what you need
Change NTFS permissions in
\inetpub\wwwroot from Everyone Full
Control to Everyone Execute
In IIS 5, delete \samples \IISHelp and
\MSADC folders
Delete extensions you do not use, such as
.htr, .idc, .stm, and others
Authenticating Web Users
Both Apache and IIS use HTTP to enable authentication
HTTP tries to access a protected directory
and fails
Then it requests authentication from the
user in a dialog box
Accesses directory with user information
Used in conjunction with SSL
Configuring User
Authentication in IIS
Four types of authenticated access
Windows integrated authentication
Digest authentication for Windows domain
servers
Works with proxy servers
Requires Active Directory and IE
Basic authentication
Most secure – requires IE
User name and password in clear text
Works with IE, Netscape, and others
Passport authentication
Centralized form of authentication
Only available on Windows Server 2003
User Authentication in
Apache
Basic authentication is most
common
User names and passwords are
kept in a separate file
Create password file
-c creates the users file
-b adds a password when creating user
htpasswd –c users mnoia
htpasswd users fpessoa
htpasswd users lcamoes –b lusiades
Directive
Apache
User Authentication
Directives
Description
AuthName
Specifies descriptive text for user authentication that appears on the
user’s browser when the request is made to log on. Example:
AuthName Internal Product Information
AuthType
Specifies the authentication type. Digest not supported so use
Basic. Example: AuthType Basic
AuthUserFile
Specifies the complete path to the user authentication file.
Example: AuthUserFile /var/www/users
AuthGroupFile
Specifies the complete path to the text file that associates users with
groups.
require
Defines which users in the user authentication file are allowed access
to the directory. Examples:
require user fpessoa lcamoes
require group developers designers
require valid-user