Presentation transcript:

Apache Security Travis Jeffries

Security Topics to be Covered
– Introduction
– Authentication and Authorization
– Strict Access Methods
– Defending against Attacks
– Bad CGI Programs
– Apache with SSL
– Exploits

Basic Authentication
– Apache module: mod_auth
– Sent over the net in plaintext! Bad! Bad! Bad!
  AuthType Basic
  AuthName Protected
  AuthUserFile /dir../passwordfile
  Require valid-user
  Satisfy All

Digest Authentication
– Apache module: mod_digest
– Not sent over the net in plaintext! Good!
– MD5 hash used
  AuthType Digest
  AuthName Protected
  AuthUserFile /dir../passwordfile
  Require valid-user
  Satisfy All
(The password file directive for digest auth is AuthDigestFile in the 1.3/2.0 digest modules; AuthUserFile is accepted from Apache 2.2 on.)

Password Creation
htpasswd – for basic auth
  htpasswd [ -c ] [ -m | -d | -s | -p ] passwdfile username
  Example: htpasswd user.pass bob  (this adds bob to the user.pass file; -c creates the file)
htdigest – for digest authentication
  htdigest [ -c ] passwdfile realm username
Never use the system's password file! That is bad! Create your own password files!
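To make the two slides above concrete, here is an added example (not from the presentation) that shows why Basic is "plaintext" and what Digest actually sends: it builds a line in the htdigest file format (user:realm:MD5(user:realm:password)), simulates the browser computing the RFC 2617 response for a server-chosen nonce, and verifies it on the server side from the stored hash. The user, realm, password and URI values are constructed sample data; the no-qop form of the digest computation is assumed to keep the exchange short.

```python
from __future__ import annotations

import base64
import hashlib
import secrets


def _md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string; Digest auth (RFC 2617) is specified in terms of MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# --- Basic auth: why the slide calls it "plaintext" ---------------------------

def basic_authorization(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> tuple[str, str]:
    """Anyone who sees the header can undo Basic: base64 is encoding, not encryption."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password


# --- Digest auth: htdigest file format and the challenge/response -------------

def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line in htdigest's file format: user:realm:HA1, HA1 = MD5(user:realm:password).
    The realm must equal the AuthName in httpd.conf, otherwise HA1 never matches."""
    return f"{user}:{realm}:{_md5_hex(f'{user}:{realm}:{password}')}"


def load_htdigest(text: str) -> dict[tuple[str, str], str]:
    """Parse htdigest file contents into {(user, realm): HA1}."""
    creds: dict[tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        creds[(user, realm)] = ha1
    return creds


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def new_nonce() -> str:
    """Server-chosen nonce, fresh per 401 challenge, so a captured response cannot be replayed."""
    return secrets.token_hex(16)


def client_authorization(user: str, realm: str, password: str,
                         method: str, uri: str, nonce: str) -> dict:
    """What the browser sends back: the password itself never leaves the client."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(ha1, method, uri, nonce)}


def server_verify(creds: dict, auth: dict, method: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    ha1 = creds.get((auth["username"], auth["realm"]))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, auth["uri"], auth["nonce"])
    return secrets.compare_digest(expected, auth["response"])
```

Two things the code makes visible that the slides only assert: the htdigest file stores HA1, which is already bound to the realm, so the same user/password gives a different line for every AuthName; and a wrong method, URI or nonce changes the expected response, which is why the digest of a captured exchange is useless against a server that issues fresh nonces.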

Strong vs. Weak Auth
Weak = the previous slides, where we used password authentication
Strong = by the network address ...
  Order deny,allow
  Deny from all
  Allow from [network address, cut off on the slide]

Per Directory/File Security
  <Directory /directory/>
      # strong or weak authentication here...
  </Directory>
  <Directory /directory/anybody/>
      Satisfy Any
      Order Deny,Allow
      Allow from all
  </Directory>
This leaves the /directory/anybody directory without security, while the rest of /directory/ stays under authentication.

Defending Against Simple Attacks
Preventing Huge Uploads
  SetEnvIf Content-Length "[1-9][0-9]{4,}" upload_too_large=1
  Order Deny,Allow
  Deny from env=upload_too_large
  ErrorDocument 403 [path to your own "file_too_large" script]

Preventing Simple Attacks 2
Another site is using your pics for their content and stealing your bandwidth! Block out the site!
  SetEnvIfNoCase Referer "^http://www.yoursite.example/" local_referrer=1
  Order Allow,Deny
  Allow from env=local_referrer
(The Referer pattern is cut off on the slide; the hostname shown here is a placeholder for your own site's URL.)
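The two SetEnvIf rules above (the upload limit and the hotlink block) are easy to get subtly wrong, so here is an added example, not part of the presentation, that emulates them in Python over constructed request heads: the same regexes, the same environment variables, and the Order Deny,Allow versus Order Allow,Deny semantics spelled out as functions. The hostname in the Referer pattern and the /pics/ prefix for the hotlink rule are assumptions; the slide's own Referer pattern is cut off.

```python
from __future__ import annotations

import re

# Same regex as the slide's SetEnvIf rule: a Content-Length of five or more digits,
# i.e. 10000 bytes or more. SetEnvIf regexes are searched, not anchored, so re.search.
CONTENT_LENGTH_RE = re.compile(r"[1-9][0-9]{4,}")

# Placeholder hostname (assumption); SetEnvIfNoCase means a case-insensitive match.
LOCAL_REFERER_RE = re.compile(r"^http://www\.yoursite\.example/", re.IGNORECASE)


def parse_request_head(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP request head into (method, path, {lower-cased header: value})."""
    request_line, _, rest = raw.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:
            break                       # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def set_env(headers: dict[str, str]) -> dict[str, str]:
    """Emulate the two SetEnvIf directives: set an env var when the header matches."""
    env: dict[str, str] = {}
    if CONTENT_LENGTH_RE.search(headers.get("content-length", "")):
        env["upload_too_large"] = "1"
    if LOCAL_REFERER_RE.search(headers.get("referer", "")):
        env["local_referrer"] = "1"
    return env


def upload_allowed(env: dict[str, str]) -> bool:
    """Order Deny,Allow + 'Deny from env=upload_too_large': allow by default,
    deny when the variable is set (there is no Allow line to override it)."""
    return "upload_too_large" not in env


def hotlink_allowed(env: dict[str, str]) -> bool:
    """Order Allow,Deny + 'Allow from env=local_referrer': deny by default,
    allow only when the variable is set. A request with no Referer at all is
    therefore denied too, which is the usual surprise with this rule."""
    return "local_referrer" in env


def decide(raw_request: str) -> tuple[int, str]:
    """Apply both rules to one request; 403 mirrors what Apache returns for a Deny.
    The hotlink rule is assumed to be scoped to /pics/ (e.g. inside a <Directory>)."""
    _method, path, headers = parse_request_head(raw_request)
    env = set_env(headers)
    if not upload_allowed(env):
        return 403, "upload too large"
    if path.startswith("/pics/") and not hotlink_allowed(env):
        return 403, "hotlink blocked"
    return 200, "ok"
```

The variable name must be identical in SetEnvIf and in Deny from env= (the original slide had upload_to_large in one and upload_too_large in the other, which silently disables the rule). Also note that Content-Length and Referer are both client-supplied headers, so these rules cut off casual abuse and bandwidth theft rather than a determined sender.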

Brute Force Password Attacks
No solution in Apache
– No link between login attempts
– You can use the module Apache::BruteWatch
  Watches the log files and will send an e-mail to the admin if it thinks an attack is happening

DoS Attacks
Easy solution: limit server forks
Here's the line you change in httpd.conf:
  MaxClients 5

Bad CGI Scripts
We will not cover all the possible stupid things a badly written script can do, but in the realm of Apache itself...
– All scripts are run as the user: nobody
– Make sure nobody can't write to anything else on the system, so a compromise is sandboxed:
  find / -user nobody
  find / -group nobody
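The two find commands list what nobody owns, but the question the slide actually asks is what the CGI user could write. This added example (not from the presentation) generalizes the check: it walks a tree and applies the POSIX ownership and mode-bit logic for a given uid/gid, so world-writable paths owned by someone else show up as well. The sample tree it builds in a temporary directory is constructed for the demonstration; ACLs and root's override of mode bits are not modelled.

```python
from __future__ import annotations

import os
import stat
import tempfile


def writable_by(path: str, uid: int, gid: int) -> bool:
    """True if a process running as uid/gid could write `path`, judging by
    ownership and mode bits alone. Symlinks are skipped: the target is what
    matters, and os.walk visits it separately if it lies under the root."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return False
    if st.st_uid == uid:                  # owner class applies first, exclusively
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:                  # then group class
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)      # otherwise the "other" bits


def find_writable(root: str, uid: int, gid: int) -> list[str]:
    """Every file and directory under `root` that uid/gid could write.
    This is the generalization of `find / -user nobody`: ownership alone is not
    the point, a world-writable path owned by root breaks the sandbox just as badly."""
    hits: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                if writable_by(path, uid, gid):
                    hits.append(path)
            except FileNotFoundError:     # raced with a deletion; ignore
                continue
    return sorted(hits)


def build_sample_tree() -> dict[str, str]:
    """Constructed sample data: a temp directory holding files with different modes."""
    root = tempfile.mkdtemp(prefix="cgi_audit_")
    paths = {"root": root}
    for name, mode in (("owner_rw", 0o600), ("readonly", 0o444), ("world_rw", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
        paths[name] = path
    return paths


def current_ids() -> tuple[int, int]:
    """uid/gid of the running process, used here in place of nobody's ids."""
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    sample = build_sample_tree()
    uid, gid = current_ids()
    for p in find_writable(sample["root"], uid, gid):
        print("writable:", p)
```

Run against a real system as root with nobody's uid and gid (from getent passwd nobody), the list should be empty apart from the scratch locations you deliberately allow; anything else is a place a compromised script could leave files.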

Apache with SSL
mod_ssl – standard on 2.0, can be installed on 1.3
SSL already covered in class, so let's talk about tools...
OpenSSL – make keys, make certificate signing requests, sign the certificate if you want to
CA.pl – same as above, but you can make a .pem file the user can import into the browser to remove annoying warning messages about the certificate

SSL w/ Apache 1.3
– Redirect /secure/ [https URL of the secure site, cut off on the slide]
– SSLRequireSSL

Sploitz
There are a ton! Google "Apache Exploit" to find out. Too many to talk about now.
Update constantly and know what version number of Apache you have.
Commands:
  httpd -v
  apachectl status

Yay, it's over. Ask questions!