Web Server – Apache - etsmtl.ca · Jean-Marc Robert, ETS MTI 719 - Apache - A13 v1.0

Page 1: Web Server – Apache

Jean-Marc Robert, Génie logiciel et des TI (Software and IT Engineering)

Page 2: Popularity

Jean-Marc Robert, ETS MTI 719 - Apache - A13 v1.0 2

http://news.netcraft.com/

Page 3: Web Server – Apache

- Installation and configuration
  - DISA STIG
- Firewall and intrusion detection/prevention system (IDPS)
  - ModSecurity
- Tests
  - OWASP vulnerabilities
  - nikto2

Page 4: Installation and Configuration

- Installation
  - Sources or binaries?
  - Static or dynamic binaries?
  - Directory locations
- Configuration and hardening
  - User account: httpd
  - Binaries: root
  - Default configuration
    - Allow /var/www/htdocs
    - Deny all
  - Executable scripts
    - Exec /var/www/cgi-bin
  - Log files
  - Limits
  - Information leaks
- Change the server's identity
  - Remove all default content.
  - Change the banner (?).
- Put the Apache server in a jail
- Use mod_security

Page 5: Installation and Configuration

- APACHE SERVER 2.2 for Unix
  - Security Technical Implementation Guide of the Defense Information Systems Agency
    - 55 recommendations
  - HIGH: Server side includes (SSIs) must run with execution capability disabled.
    - The Options directive configures the web server features that are available in particular directories. The IncludesNOEXEC feature controls the ability of the server to utilize SSIs while disabling the exec command, which is used to execute external scripts. If the full includes feature is used it could allow the execution of malware leading to a system compromise.

http://www.stigviewer.com/stig/aa9a9e638ee181b23a293064c2b2618d3ccd8555/

Page 6: Installation and Configuration

- APACHE SERVER 2.2 for Unix
  - Security Technical Implementation Guide of the Defense Information Systems Agency
    - 55 recommendations
  - MEDIUM: The httpd.conf MaxClients directive must be set properly.
    - These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. …

http://www.stigviewer.com/stig/aa9a9e638ee181b23a293064c2b2618d3ccd8555/
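The hardening items on these three slides (IncludesNOEXEC, an explicit MaxClients, no version leaks in the banner, no directory indexing) can be checked mechanically before a server goes live. The script below is an added example, not part of the course slides or of Apache itself: the two httpd.conf fragments are constructed, the HIGH/MEDIUM/LOW labels on the non-STIG checks are my own, and the parser only tracks `<Directory>` blocks rather than the full Apache configuration grammar.

```python
import re

# Constructed httpd.conf fragment (not from the slides) with the weak settings the
# STIG items and the "information leaks" bullet refer to.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/cgi-bin">
    Options ExecCGI
</Directory>
"""

# The same fragment with the settings corrected (also constructed).
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
MaxClients 150
<Directory "/var/www/htdocs">
    Options IncludesNOEXEC
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/cgi-bin">
    Options ExecCGI
</Directory>
"""

DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)


def parse_directives(conf):
    """Yield (context, name, args) for each directive; context is the enclosing
    <Directory> path or "server" at top level. Only <Directory> blocks are tracked."""
    context = "server"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        m = DIRECTORY_OPEN.match(line)
        if m:
            context = m.group(1)
            continue
        if line.lower() == "</directory>":
            context = "server"
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        yield context, parts[0], args


def audit(conf):
    """Return a list of (severity, context, message) findings for a config text."""
    findings = []
    seen = {}
    for context, name, args in parse_directives(conf):
        key = name.lower()
        if key == "options":
            # Options accepts +/- prefixes; "All" turns Includes on as well.
            opts = {a.lstrip("+-").lower() for a in args}
            if ("includes" in opts or "all" in opts) and "includesnoexec" not in opts:
                findings.append(("HIGH", context,
                                 "SSI exec enabled (STIG): use IncludesNOEXEC, not Includes"))
            if "indexes" in opts:
                findings.append(("MEDIUM", context,
                                 "directory indexing enabled: remove Indexes"))
        elif key in ("maxclients", "servertokens", "serversignature"):
            seen[key] = args[0] if args else ""
    if "maxclients" not in seen:
        findings.append(("MEDIUM", "server",
                         "MaxClients not set (STIG): configure an explicit client limit"))
    # Apache defaults: ServerTokens Full (leaks the most), ServerSignature Off.
    if seen.get("servertokens", "full").lower() != "prod":
        findings.append(("LOW", "server",
                         "ServerTokens is not Prod: banner reveals version details"))
    if seen.get("serversignature", "off").lower() != "off":
        findings.append(("LOW", "server",
                         "ServerSignature is not Off: error pages reveal the server version"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"--- {label}: {len(result)} finding(s)")
        for severity, context, message in result:
            print(f"{severity:6} {context:20} {message}")
```

The weak fragment yields five findings (one HIGH for the SSI exec issue, two MEDIUM, two LOW); the hardened fragment yields none. The MaxClients check only verifies that a limit is set, since the STIG itself leaves the value to the operator.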

Page 7: ModSecurity

- Open-source web application firewall
  - or web application intrusion prevention system
- Features
  - HTTP traffic – complete logging
    - Privacy?
    - Certain fields can be masked
  - Real-time attack monitoring and detection
  - Attack prevention
    - Negative security model: score anomalies, unusual behaviour and common attacks; block connections with a high score.
    - Positive security model: accept only requests that are valid; reject every other request.
  - Virtual patching
    - Fix the known weaknesses and vulnerabilities of the server's applications.

(diagram labels: Static, Dynamic)

Page 8: ModSecurity

- HTTP IDS/IPS
  - Complete protocol analysis
    - Requests
    - Responses
    - Headers and payloads
- Integrated into the web server
  - SSL is not a barrier
- Filtering rules
  - Anti-evasion techniques
  - Encoding validation
  - Rules to detect invalid requests
  - Reactions to invalid requests

Page 9: ModSecurity

- OWASP ModSecurity Core Rule Set Project
  - ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, the OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS provides generic protection from unknown vulnerabilities often found in web applications.

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Page 10: ModSecurity

- OWASP ModSecurity Core Rule Set Project
  - HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
  - Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
  - Web-based Malware Detection - identifies malicious web content by check against the Google Safe Browsing API.
  - HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
  - Common Web Attacks Protection - detecting common web application security attacks.

Page 11: ModSecurity

- OWASP ModSecurity Core Rule Set Project
  - Automation Detection - Detecting bots, crawlers, scanners and other surface malicious activity.
  - Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
  - Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages.
  - Trojan Protection - Detecting access to Trojan horses.
  - Identification of Application Defects - alerts on application misconfigurations.
  - Error Detection and Hiding - Disguising error messages sent by the server.

Page 12: ModSecurity

- Example rule: SQL injection

# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# ' or 1=1#
# ' or 1=1-- -
# ' or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/

https://github.com/SpiderLabs/owasp-modsecurity-crs

Page 13: ModSecurity

- Example rule: SQL injection
  - SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

https://github.com/SpiderLabs/owasp-modsecurity-crs
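To see how this rule feeds the anomaly-scoring (negative) model described on slide 7, here is an added Python re-implementation of rule 981231's target expansion, matching and scoring. It is example code, not code from ModSecurity or the CRS: it assumes a critical match adds 5 to tx.anomaly_score and that 5 is the inbound blocking threshold (constructed values), stands in for t:urlDecodeUni with plain percent-decoding, ignores the XML target, and keeps the rule's `\\x00` as the literal text `\x00`, the way the sample payload on slide 12 is written. The sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Regex taken from CRS rule 981231 as shown on the slide. The final `\\x00` is kept as
# the literal four characters "\x00", the way the sample payload "' or 1=1;\x00" is written.
SQL_COMMENT_RE = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)"
)

# Assumed scoring parameters (constructed for this example): a critical match adds
# 5 to tx.anomaly_score and a request is blocked once the score reaches 5.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_THRESHOLD = 5


def targets(request):
    """Expand the rule's target list
    REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS
    over a request given as {"cookies": {name: value}, "args": {name: value}}."""
    for name, value in request.get("cookies", {}).items():
        if "__utm" not in name:            # the !REQUEST_COOKIES:/__utm/ exclusion
            yield f"REQUEST_COOKIES:{name}", value
        yield "REQUEST_COOKIES_NAMES", name
    for name, value in request.get("args", {}).items():
        yield "ARGS_NAMES", name
        yield f"ARGS:{name}", value


def evaluate(request):
    """Apply the rule to every target and return the transaction variables it
    would update (anomaly_score, sql_injection_score) plus what matched where."""
    tx = {"anomaly_score": 0, "sql_injection_score": 0, "matches": []}
    for var_name, raw in targets(request):
        value = unquote(raw)               # stands in for t:urlDecodeUni (no %uXXXX support)
        m = SQL_COMMENT_RE.search(value)
        if m:
            # setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}
            tx["anomaly_score"] += CRITICAL_ANOMALY_SCORE
            # setvar:tx.sql_injection_score=+1
            tx["sql_injection_score"] += 1
            tx["matches"].append((var_name, m.group(0)))   # logdata: Matched Data
    return tx


def decide(tx):
    """Negative model: block once the accumulated anomaly score reaches the threshold."""
    return "block" if tx["anomaly_score"] >= INBOUND_ANOMALY_THRESHOLD else "pass"


if __name__ == "__main__":
    samples = [                                       # constructed requests
        {"args": {"id": "42"}, "cookies": {"__utma": "1.2.3"}},
        {"args": {"user": "admin'--"}},
        {"args": {"q": "DROP/*comment*/sampletable"}},
        {"args": {"id": "1%27%2D%2D%20x"}},            # "1'-- x" after URL decoding
        {"args": {"note": "Q&A#1 is fine"}},           # benign text the rule still flags
    ]
    for req in samples:
        tx = evaluate(req)
        print(decide(tx), tx["anomaly_score"], tx["matches"])
```

The last sample is the point of the negative model's trade-off: a plain comment containing `A#1 ` satisfies the `([^\-&])#.*?[\s]` alternative, so one generic rule already reaches the blocking threshold on harmless input. That is why the CRS expresses rules as score contributions and leaves the threshold, and any per-site exclusions, to the operator.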

Page 14: Vulnerabilities

- OWASP Testing Guide Version 3, 2008, 349 pages. Phew!
  - Configuration Management Testing
  - Authentication Testing
  - Session Management Testing
  - Authorization Testing
  - Business Logic Testing
  - Data Validation Testing
  - Denial of Service Testing
  - Web Services Testing
  - Ajax Testing
  - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- Version 4 is under development.
  - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Page 15: Vulnerabilities – nikto2

- Vulnerability scanner
  - Server and software
    - Misconfigurations
    - Outdated versions
  - Default files and programs
  - Insecure files and programs
- Database
  - Recognition of 1250 servers
    - Specific issues on 270 servers
  - 6500 problematic files/CGIs

Page 16: Vulnerabilities – nikto2: Example

+ Server: Apache/2.2.3 (CentOS)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/4.4.7
+ PHP/4.4.7 appears to be outdated (current is at least 5.2.5)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-0: GET /config.php : PHP Config file may contain database IDs and passwords.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /db/ : This might be interesting...

Page 17: Vulnerabilities – nikto2: Example

+ OSVDB-3092: GET /includes/ : This might be interesting...
+ OSVDB-3093: GET /index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?topic=<script>alert(document.cookie)</script>%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /images/ : Directory indexing is enabled: /images
+ OSVDB-3268: GET /docs/ : Directory indexing is enabled: /docs
+ OSVDB-3233: GET /icons/README : Apache default file found.
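A defender rarely reads scanner output line by line; the useful step is to turn it into a remediation list that maps back to the hardening items of slide 4 (remove default content, disable directory indexing, stop information leaks, update outdated software). The parser below is an added example, not part of nikto or of the course: it splits each `+` line into OSVDB id, method, path and message, and buckets findings by keyword. The category names and keyword table are my own, and the input is constructed in the format shown on the two slides above, with the wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed input in the format of the nikto output on the two slides (wrapped lines
# rejoined; OSVDB ids and messages as printed there).
NIKTO_OUTPUT = """\
+ Server: Apache/2.2.3 (CentOS)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/4.4.7
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-0: GET /config.php : PHP Config file may contain database IDs and passwords.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /images/ : Directory indexing is enabled: /images
+ OSVDB-3233: GET /icons/README : Apache default file found.
"""

# "+ [OSVDB-nnn: ][METHOD /path : ]message"; "-" lines are informational, not findings.
FINDING_RE = re.compile(
    r"^\+ (?:OSVDB-(?P<osvdb>\d+): )?"
    r"(?:(?P<method>[A-Z]+) (?P<path>\S+) : )?"
    r"(?P<message>.+)$"
)

# Keyword buckets chosen to line up with the hardening bullets of the configuration
# slide; first match wins, so the order matters.
CATEGORY_RULES = [
    ("directory indexing", "directory-indexing"),
    ("default file", "default-content"),
    ("outdated", "outdated-software"),
    ("might be interesting", "needs-review"),
    ("trace", "http-method"),
    ("x-powered-by", "information-leak"),
    ("config file", "information-leak"),
    ("server:", "information-leak"),
]


def classify(message):
    """Map a finding message to a remediation bucket, or "other"."""
    lowered = message.lower()
    for keyword, category in CATEGORY_RULES:
        if keyword in lowered:
            return category
    return "other"


def parse_nikto(text):
    """Turn nikto's "+" lines into dicts with osvdb, method, path, message, category."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        finding = m.groupdict()            # unmatched groups come back as None
        finding["category"] = classify(finding["message"])
        findings.append(finding)
    return findings


def summarize(text):
    """Count findings per category; the result drives the remediation checklist."""
    return dict(Counter(f["category"] for f in parse_nikto(text)))


if __name__ == "__main__":
    for f in parse_nikto(NIKTO_OUTPUT):
        print(f"{f['category']:18} OSVDB-{(f['osvdb'] or '?'):6} "
              f"{(f['method'] or ''):5} {(f['path'] or ''):28} {f['message'][:50]}")
    print(summarize(NIKTO_OUTPUT))
```

On the constructed input the summary is three information leaks (banner, X-Powered-By, readable config file), two directory-indexing hits, one default file, one outdated package, one TRACE method finding and one "needs review" item; each bucket corresponds to a single configuration change rather than to individual lines.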

Page 18: References

- Ivan Ristic, Apache Security, O'Reilly, 2005. Online: Chapter 2 – Installation and Configuration, http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
- Ryan C. Barnett, Preventing Web Attacks with Apache, Addison-Wesley, 2006.