Security of Web Servers and Web Applications

IT-Security

Software Freedom Kosova 2011

Who‘s Talking?

Amir Neziri lives and works in Germany

Double Degree in Master of Science: Master in Computer Science

and Master in IT-Security from TU-Darmstadt/Germany Currently I’m writing Master Thesis about Data Security in Cloud

Services

Profession: Software Engineer, Consultant for Web- and Software- Security

http://www.linkedin.com/in/amirneziri https://www.xing.com/profile/Amir_Neziri

11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications |Amir Neziri 2

Security of Web Servers and Web Applications

Why is it so important today?

Motivation – Political Damage

…another shocking news

Motivation – Economic Damage

So….

Are we last now????

Agenda

Components and Architecture

Security Attacks

Defenses

Securing (Web) Server

Securing Web Applications

Take home message

Components & Architecture

Security Attacks

Defenses

Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe

Securing the operating system

Variety of possible sources of information Federal Office for Information Security (BSI, Germany)

Server Security https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b0

3/b03.html IT-Security Catalog

National Security Agency (NSA, USA) Recommendations and guidelines for installation and

Configuration of operating systems with focus onsecurity

Security is a Process

Example: Linux Systems

Linux Systems - Installation

Installation from CD Authentic Source Contains no updates

Installation from Network Authentic and trustworthy Source is needed

Minimal Functionality Example: Server Systems do not need GUI

Example Web-Server Installation : Web-Server, Secure-Shell, Secure File Transfer

ATTENTION: Do not use unsecure protocols like FTP

Linux Systems - Configuration

Get all running Services nmap localhost or netstat -lnp --ip netstat -lnp --inet6

Linux Systems - Configuration

Shut down unused Services

Hide Services with Port Knocking Example:

Web Server Service is public hide SFTP-, SSH- Services

Use Onetime Passwords by generating them with Password generators

Linux Systems – Maintenance / Updates

Always update the installed Software

Debian/Ubuntu apt-get update && apt-get upgrade or apt-get update && apt-get dist-upgrade

IMPORTANT: The Kernel should be always up-to-date

Linux Systems - Monitoring

File System Integrity Checker

Open Source Tool for checking Integrity: Tripwire http://www.tripwire.org/ http://sourceforge.net/projects/tripwire/

Analyze Log Files Authentication Errors /-Problems: /var/log/auth.log Web-Access and Errors : /var/log/apache2/*.log

Linux Systems - Monitoring

Automated fraud detection Example sshguard (http://www.sshguard.net/)

SSH-Guard Analyzes Log Files of SSH-Services Detects Attack Attempts and blocks Attacker temporary ( by setting

firewall rules )

Securing Web-Server – Main Steps

1. User- /Groups settings for Web Server Processes 2. File System Settings3. Permissions for executable Software

Nobody except root should write into Binary-Folders of Apache

4. Reduce functions to your needs Apache can be extended with Modules, e.g.: mod_cgi, mod_ssl…

5. Suppress Fingerprinting

Securing Web-Server – Main Steps

6. Restrict used Hardware Resources to avoid DoS-Attacks Change Default TimeOut Restrict HTTP-Requests

7. Restrict access to Web Resources Often resources are not to be accessible for everyone htaccess is a simple mechanism for access Protection htaccess is activated by a file .htaccess to protected directory

(or above in one)

Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/

Access Control - .htaccess

Simple Example

Site-Configuration controls use of .htaccess files:

AllowOverride None: .htaccess is ignored

AllowOverride All: .htaccess may overwrite (almost) all global settings

Access Control

Structure of the password file:

UserName:Hash

Example: myUser:GxkVrKPk8WSbM

Default Hash-Function: crypt

Created by the tool htpasswd

Transfer of password: As HTTP Header “Authorization” UserName:Password Base64 encoded Example: Authorization: Basic d2lraTpwZWRpYQ==

Web Application Security

Various Sources of Information OWASP Top 10

The Open Web Application Security Project

CWE/SANS Top 25 Common Weakness Enumeration

Exploit Databases http://www.exploit-db.com/webapps/

www.exploit-db.com/webapps/

2011 CWE/SANS Top 25 Most Dangerous Software Errors

Source: http://cwe.mitre.org/top25/

Buffer Overflows: Statistics Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)

Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe

2010 OWASP Top 10

Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Web Application Security - BackTrack

Operating System based on Ubuntu

Pentetrating testing and digital forensics

Available as Live CD or USB

Source: http://www.backtrack-linux.org/screenshots/

Web Application Security - BackTrack

BackTrack arranges tools into 12 categories: Information Gathering Vulnerability Assessment Exploitation Tools Privilege Escalation Maintaining Access Reverse Engineering RFID Tools Stress testing Forensics Reporting Tools Services Miscellaneous

Take Home Message

Web Security is very important for everyone (e.g. e-banking…)

Server Security information sources Federal Office for Information Security (BSI, Germany) National Security Agency (NSA, USA)

Web Applicaiton Security information sources The Open Web Application Security Project (OWASP) Top 10 CWE/EANS Top 25 Exploit Databases

Security Tool: BackTrack

Questions???

Security of Web Servers and Web Applications

Education

Security Web Servers

Chapter 08 - booksite.elsevier.com€¦ · Chapter 08 Securing Web Applications, Services, and Servers. f08-01-9780123943972. f08-02-9780123943972

Ch10_Hacking Web Servers

Servers & Web Hosting

€¦ · Web viewInstallation & Configuration of Servers, Storage, VSphere, VM servers. Administration of 14 Windows VM Servers / 6 RHEL Servers & 2 Web Load Balancers. Installation

05 · Web viewWeb Servers, SQL Servers , Web Applications, Electronic Document Management Systems, ERP, Electronic Banking and System Integration Title 05 Author Владо Last modified

Web Based Applications - mohiqbal.staff.gunadarma.ac.idmohiqbal.staff.gunadarma.ac.id/Downloads/files/35165/mohiqbal+-+1-2... · Running applications server-side requires servers

3.3 Web Servers

Semantic Web Servers

Internet Engineering Web Servers. Introduction Company needs to provide various web services Hosting intranet applications Company web site Various

Rejuvenate the application environment · EIS (SAP, PeopleSoft, etc.) Legacy Applications Legacy Applications Application & Web Services Servers: .NET – BizTalk J2EE – JBoss/Tomcat

Building Better IoT Applications without Servers

CompTIA Server+ Certification (Exam SK0‑004) Study · Web view• Installing Roles and Applications • Database and Application Servers • Web Servers • File Transfer Services

Scalable Web Servers

Web servers

Web Servers Nizam

Network Applications: The Web and High-Performance Web Servers Y. Richard Yang 9/24/2013

Internet Engineering Course Web Servers. Introduction Company needs to provide various web services ◦ Hosting intranet applications ◦ Company web site

6.Web Servers

Web servers Guntis Bārzdiņš Artūrs Lavrenovs. What web servers do?