Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apache Security Travis Jeffries. Introduction Authentication and Authorization Strict Access Methods Defending against Attacks Bad CGI Programs Apache.

Published byHilda Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "Apache Security Travis Jeffries. Introduction Authentication and Authorization Strict Access Methods Defending against Attacks Bad CGI Programs Apache."— Presentation transcript:

1 Apache Security Travis Jeffries

2 Introduction Authentication and Authorization Strict Access Methods Defending against Attacks Bad CGI Programs Apache with SSL Exploits Security Topics to be Covered

3 Basic Authentication – Apache Module: Mod_Auth – Sent over the net in plaintext! Bad! Bad! Bad! AuthType Basic AuthName Protected AuthUserFile /dir../passwordfile Require valid-user Satisfy All

4 Digest Authentication Digest Authenticaiton – Apache Module: Mod_Digest – Not Sent over the net in plaintext! Good! –MD5 Hash used AuthType Digest AuthName Protected AuthUserFile /dir../passwordfile Require valid-user Satisfy All

5 Password Creation htpasswd – for basic auth Ex.Htpasswd user.pass bob this adds bob to the user.password file htpasswd [ -c ] [ -m | -d | -s | -p ] passwdfile username htdigest – for digest authentication htdigest [ -c ] passwdfile realm username Never use the systems password file! That is bad! Create your own password files!

6 Strong vs. Weak Auth Weak = the previous lines where we used password authentication Strong = by the network address …. Order deny,allow Deny from all Allow from 124.155.1

7 Per Directory/File Security <Directory /directory/ #strong or weak authentication here.. Satisfy Any Order Deny, Allow Allow from all This sets the /directory/anybody directory without security but the rest of /directory/ is under authentication

8 Defending Against Simple Attacks Preventing Huge Uploads SetEnvIf Content-Length “[1-9][0-9]{4,}” upload_to_large=1 Order Deny,Allow Deny from env=upload_too_large Error document #stuff here to redirect to our own “file_to_large” script

9 Preventing Simple Attacks 2 Another site is using your pics for their content and stealing your bandwidth! Block out the site! SetEnvIfNoCase Referer “^http://([^/]*\.)?filestealingturds.com/” local_referrer=1 Order Allow,Deny Allow from env=local_referrer

10 Brute Force Password Attacks No Solution in Apache –No link between login attempts –You can use mod Apache::BruteWatch Watches the log files and will send an e-mail to the admin if it thinks an attack is happening http://cvs.lplug.org/cvsweb.cgi/Apache-BruteWatch/

11 DOS Attacks Easy Solution: Limit Server Forks Heres the line you change in httpd.conf MAXCLIENTS 5

12 Bad CGI Scripts We will not cover all the possible stupid things a badly written script can do But in the realm of apache itself… –All scripts are run as the user: Nobody –Make sure Nobody can’t write to anything else on the system, so a compromise is sandboxed find / -user nobody find / -group nobody

13 Apache with SSL Mod_SSL – standard on 2.0, can be installed on 1.3 SSL already covered in class so lets talk about tools.. OpenSSL – make keys, make certificate signing requests, sign the certificate if you want to CA.pl – same as above but you can make a.pem file the user can import into the broswer to remove annoying warning messages about the certificate

14 SSL w/ Apache 1.3 –Redirect /secure/ https://secure.domain.com/secure/ 2.0 SSLRequireSSL

15 Sploitz There are a ton! Google “Apache Exploit” to find out. Too many to talk about now. Update constantly and know what version number of apache you have Commands httpd –v or Apachectl status

16 Yay it’s over Ask questions

Download ppt "Apache Security Travis Jeffries. Introduction Authentication and Authorization Strict Access Methods Defending against Attacks Bad CGI Programs Apache."

Similar presentations

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
Comergence 3/14/13. What Does Comergence Do? Comergence provides streamlined processing and centralized storage of Correspondent applications nationwide.

Comergence 3/14/13. What Does Comergence Do? Comergence provides streamlined processing and centralized storage of Correspondent applications nationwide.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology.

Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Access control and user management in Apache

Access control and user management in Apache
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms.

Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms.
Access control and user management in Apache 1WUCM1.

Access control and user management in Apache 1WUCM1.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.

Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.
Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.

Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.

8/1/2015. Please Ask Questions! 2 Hacks In The News Office of Personnel Management (OPN) Flash vulnerabilities Sony Heartbleed iCloud Leaked Pictures.

Similar presentations

Ads by Google