Web server security Dr Jim Briggs WEBP security1
What do we mean by secure? 100% security Trading off security versus convenience Particular vulnerabilities of the Internet –The "wild west" WEBP security2
Vulnerability of web systems Open to the outside world –Aim to attract strangers! Left unattended (largely) Lots of potential security holes –Running other people's buggy software –Running own buggy software (even worse!) –Large amount of code (often) Visitors are largely anonymous and can be very remote Communication can be eavesdropped (unless encrypted) Difficult (impossible?) to test exhaustively WEBP security3
Server risks Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to: –Steal confidential documents not intended for their eyes. –Execute commands on the server host machine, allowing them to modify the system. –Gain information about the Web server's host machine that will allow them to break into the system. –Launch denial-of-service attacks, rendering the machine temporarily unusable. WEBP security4
Client risks Browser-side risks, including: –Active content (e.g. Java, JavaScript, ActiveX) that crashes the browser damages the user's system breaches the user's privacy, or merely creates an annoyance –The misuse of personal information knowingly or unknowingly provided by the end-user passwords credit card numbers other sensitive data WEBP security5
Network risks Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including: –The network on the browser's side of the connection –The network on the server's side of the connection (including intranets). –The end-user's Internet service provider (ISP) –The server's ISP –Either ISPs' regional access provider WEBP security6
General security techniques Keep your software up to date with security patches Try not to use unsafe techniques (e.g. CGI, SSI) If you have to use them, test them thoroughly –Include own use of hacker tools Design and implement an access control policy (both via the web and to the host server) Log everything; monitor the logs; and investigate suspicious activity WEBP security7
Specific server side issues Back door access to the server –Remote/local login –FTP –Alternative web sites hosted on same machine Don't run the server as "root" Turn off un-needed … –features in software –IP ports Firewalls WEBP security8
Denial of service (DoS) attacks Definition: –attack designed to render a computer or network incapable of providing normal services Typical attacks –Bandwidth attacks flood network with high volume of traffic consequence – all available network resources are consumed and legitimate user requests can not get through –Connectivity attacks flood computer with high volume of connection requests consequence – all available operating system resources are consumed, and computer can not process legitimate requests WEBP security9
Distributed DoS (DDoS) attacks Many hosts simultaneously attack target Typically caused by agent hijacking vulnerable hosts (e.g. via virus) As important to protect your machine from hijack as it is to protect it from attack Techniques: –Scan regularly for DDoS tools –Do egress filtering (check for spoofed packets) WEBP security10
HTTP security Authentication –Basic –Digest Secure transport –SSL WEBP security11