IT-Security Software Freedom Kosova 2011 Security of Web Servers and Web Applications
May 18, 2015
IT-Security
Software Freedom Kosova 2011
Security of Web Servers and Web Applications
Who's Talking?
Amir Neziri lives and works in Germany
Double degree in Master of Science: Master in Computer Science and Master in IT-Security from TU Darmstadt, Germany. Currently I'm writing my Master's thesis about Data Security in Cloud Services
Profession: Software Engineer, Consultant for Web and Software Security
http://www.linkedin.com/in/amirneziri https://www.xing.com/profile/Amir_Neziri
11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications |Amir Neziri 2
Security of Web Servers and Web Applications
Why is it so important today?
Motivation – Political Damage
…another shocking news
Motivation – Economic Damage
So… are we lost now?
NO!
Agenda
Components and Architecture
Security Attacks
Defenses
Securing (Web) Server
Securing Web Applications
Take home message
Components & Architecture
Security Attacks
Defenses
Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
Securing the operating system
Variety of possible sources of information:
Federal Office for Information Security (BSI, Germany): IT-Grundschutz catalogue, module "Server" https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b03/b03.html (IT-Security Catalog)
National Security Agency (NSA, USA): recommendations and guidelines for the installation and configuration of operating systems with a focus on security
Security is a Process
Example: Linux Systems
Linux Systems - Installation
Installation from CD: authentic source, but contains no updates
Installation from network: an authentic and trustworthy source is needed (verify the image's checksum and the signature on the checksum file before installing from it)
Minimal functionality. Example: server systems do not need a GUI
Example web server installation: web server, Secure Shell, secure file transfer (SFTP over SSH)
ATTENTION: Do not use insecure protocols like FTP (credentials and data travel in cleartext)
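An added example of the "authentic source" check, not from the original slides: verify a downloaded installation image against its SHA256SUMS file (and, when a detached signature is supplied, that signature against keys already in the local keyring) before installing from it. It assumes sha256sum(1) and, optionally, gpg(1) are available and that the checksum file uses the "hash  filename" layout that sha256sum -c reads; the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): refuse to install from an
# image whose hash does not match the vendor's SHA256SUMS entry.
# Assumptions: sha256sum(1) present; SHA256SUMS in "<hex>  <name>" format;
# the vendor's signing key was imported from a trusted source beforehand.

# verify_image IMAGE SUMSFILE [SIGNATURE]
# 0 = hash matches (and signature verifies, if given); 1 = hash mismatch;
# 2 = bad signature on SUMSFILE; 3 = no entry for IMAGE in SUMSFILE.
verify_image() {
    image=$1; sums=$2; sig=${3:-}
    name=$(basename "$image")
    dir=$(dirname "$image")

    # A checksum file is only worth anything if it is itself authentic.
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" 2>/dev/null || {
            echo "signature on $sums does NOT verify" >&2
            return 2
        }
    fi

    # Pick the one line that names this image and let sha256sum check it.
    line=$(grep -E "^[0-9a-f]{64} [ *]$name\$" "$sums") || {
        echo "no entry for $name in $sums" >&2
        return 3
    }
    ( cd "$dir" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1 ) || {
        echo "hash mismatch for $name" >&2
        return 1
    }
    echo "$name verified"
}

# Constructed demo (no network needed): a fake image plus a matching SHA256SUMS,
# then the same image after one byte has been appended.
demo_dir=$(mktemp -d)
printf 'not really an ISO\n' > "$demo_dir/server.iso"
( cd "$demo_dir" && sha256sum server.iso > SHA256SUMS )
verify_image "$demo_dir/server.iso" "$demo_dir/SHA256SUMS"
printf 'x' >> "$demo_dir/server.iso"
verify_image "$demo_dir/server.iso" "$demo_dir/SHA256SUMS" || echo "refuse to install from this image"
rm -rf "$demo_dir"
```

Real use: verify_image ./debian.iso ./SHA256SUMS ./SHA256SUMS.sign. The hash alone only proves the image matches the checksum file; the signature is what ties the checksum file to the distributor, so the key must come from somewhere other than the download mirror.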
Linux Systems - Configuration
Get all listening services:
nmap localhost (view from the network side)
or netstat -lnp --inet and netstat -lnp --inet6 (view from the host side, with the owning process; on current distributions: ss -lntup)
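An added example, not from the original slides, that turns the service inventory above into a check: it reads `ss -lntu` output, reduces it to protocol/port pairs and prints every listener that is not on an administrator-chosen allowlist. The sample output is constructed; the allowlist of tcp/22, tcp/80 and tcp/443 is this example's choice.

```shell
#!/bin/sh
# Added example (not from the original slides): audit listening sockets
# against an allowlist so that forgotten services stand out.
# Assumptions: input in the format of `ss -lntu` (iproute2); the allowlist
# is a space-separated list of proto/port pairs chosen by the administrator.

# Constructed sample of `ss -lntu` output from a web server that also has
# a DHCP client, MySQL on localhost and a leftover FTP daemon.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      511    [::]:21           [::]:*'

# unexpected_listeners "ALLOWLIST" < ss-output
# Prints one proto/port per listening socket not in ALLOWLIST.
# Exit 0 when nothing unexpected was found, 1 otherwise.
unexpected_listeners() {
    allow=" $1 "
    extra=$(
        # Skip the header; field 1 is the protocol, field 5 "addr:port".
        # The port is whatever follows the last ':' (covers 0.0.0.0:22 and [::]:22).
        awk 'NR > 1 { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u |
        while read -r entry; do
            case "$allow" in
                *" $entry "*) ;;          # expected service, stay quiet
                *) echo "$entry" ;;       # not on the allowlist
            esac
        done
    )
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Demo on the constructed sample; real use: ss -lntu | unexpected_listeners "tcp/22 tcp/80 tcp/443"
printf '%s\n' "$SS_SAMPLE" | unexpected_listeners "tcp/22 tcp/80 tcp/443" \
    || echo "-> shut down or firewall the services above"
```

On the sample this reports tcp/21, tcp/3306 and udp/68. The MySQL listener is bound to 127.0.0.1 and may be legitimate, which is why the output is a review list rather than an automatic kill: the allowlist, not the script, encodes the decision.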
Linux Systems - Configuration
Shut down unused services
Hide services with port knocking. Example: the web server service is public; the SFTP and SSH services are hidden behind a knock sequence and only opened for a source address that has sent it
Use one-time passwords, generated by a password generator (OTP token), for administrative logins
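An added example of the port-knocking idea above, not from the original slides: iptables rules built on the "recent" match that keep port 22 closed until a source address has hit three secret closed ports in order within a short window. The knock sequence 7000, 8000, 9000, the 10-second window and the print-unless-APPLY=1 switch are this example's own choices; it assumes iptables with the xt_recent and conntrack modules and a default policy that drops unsolicited inbound traffic.

```shell
#!/bin/sh
# Added example (not from the original slides): hide SSH behind a port-knock
# sequence using iptables' "recent" match.
# Assumptions: iptables with xt_recent/conntrack, run as root when APPLY=1,
# INPUT policy (or a final rule) that drops everything not accepted here.
# Without APPLY=1 the rules are only printed, so the script is safe to read-run.

KNOCK_SEQUENCE=${KNOCK_SEQUENCE:-"7000 8000 9000"}   # secret ports, in order
PROTECTED_PORT=${PROTECTED_PORT:-22}
WINDOW=${WINDOW:-10}                                  # seconds between stages

# ipt: execute iptables only when the administrator opts in with APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# install_knock_rules: one rule per knock port. Each stage only fires if the
# previous stage was seen from the same source within WINDOW seconds; it then
# records the new stage and drops the packet (knock ports never answer).
install_knock_rules() {
    # Keep already-open SSH sessions alive after the window has passed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    prev=""; stage=0
    for port in $KNOCK_SEQUENCE; do
        stage=$((stage + 1))
        if [ -z "$prev" ]; then
            ipt -A INPUT -p tcp --dport "$port" -m recent --name "KNOCK$stage" --set -j DROP
        else
            ipt -A INPUT -p tcp --dport "$port" -m recent --name "$prev" --rcheck --seconds "$WINDOW" \
                -m recent --name "KNOCK$stage" --set -j DROP
        fi
        prev="KNOCK$stage"
    done
    # Last stage seen recently: open the protected port for that source only.
    ipt -A INPUT -p tcp --dport "$PROTECTED_PORT" -m recent --name "$prev" --rcheck --seconds "$WINDOW" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PROTECTED_PORT" -j DROP
}

install_knock_rules
```

Knocking is obscurity on top of, not instead of, SSH hardening: the sequence is visible to anyone who can sniff the client's traffic, and a scanner that happens to hit the ports in order opens the door. Keep key-only authentication and a rate limiter behind it.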
Linux Systems – Maintenance / Updates
Always update the installed software
Debian/Ubuntu: apt-get update && apt-get upgrade
or apt-get update && apt-get dist-upgrade (also installs updates that need new dependencies or package removals, e.g. new kernel packages)
IMPORTANT: The kernel should always be up-to-date, and the machine rebooted into the new kernel; an installed but not yet booted kernel fixes nothing
Linux Systems - Monitoring
File system integrity checker
Open source tool for checking integrity: Tripwire http://www.tripwire.org/ http://sourceforge.net/projects/tripwire/
Analyze log files:
Authentication errors/problems: /var/log/auth.log
Web access and errors: /var/log/apache2/*.log
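An added example, not from the original slides and not Tripwire's code, of what a file system integrity checker does: record SHA-256 hashes of every file under a directory once (the baseline), later re-hash and report files that changed, disappeared or appeared. The directory and file names in the demo are constructed; in real use the baseline is written right after installation and kept somewhere the web server account cannot write.

```shell
#!/bin/sh
# Added example (not from the original slides): minimal Tripwire-style
# integrity check with sha256sum. Assumptions: sha256sum(1) and find(1)
# present; the baseline file is stored read-only / off-box.

# integrity_baseline DIR BASELINE_FILE
# Writes "hash  ./relative/path" for every regular file under DIR, sorted by path.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# integrity_check DIR BASELINE_FILE
# Prints CHANGED / MISSING / NEW lines; returns 0 only if nothing differs.
integrity_check() {
    dir=$1; base=$2
    current=$(mktemp)
    integrity_baseline "$dir" "$current"
    report=$(
        # Every baseline entry: still there with the same hash?
        while read -r hash path; do
            now=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
            if [ -z "$now" ]; then echo "MISSING $path"
            elif [ "$now" != "$hash" ]; then echo "CHANGED $path"
            fi
        done < "$base"
        # Every current file: known to the baseline at all?
        while read -r hash path; do
            awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$base" \
                || echo "NEW $path"
        done < "$current"
    )
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: baseline a tiny document root, then modify it the way a
# compromise would (edited script, deleted page, dropped web shell).
demo=$(mktemp -d)
mkdir -p "$demo/www"
printf 'index\n' > "$demo/www/index.html"
printf 'app\n'   > "$demo/www/app.php"
integrity_baseline "$demo/www" "$demo/baseline.sha256"
printf 'backdoored\n' > "$demo/www/app.php"
rm "$demo/www/index.html"
printf 'shell\n' > "$demo/www/.shell.php"
integrity_check "$demo/www" "$demo/baseline.sha256" || echo "-> integrity violated"
rm -rf "$demo"
```

The hash comparison is only as trustworthy as the baseline and the sha256sum binary; an attacker with root can alter both, which is why Tripwire signs its database and why the check is best run from a separate host or read-only medium.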
Linux Systems - Monitoring
Automated attack detection. Example: sshguard (http://www.sshguard.net/)
sshguard analyzes the log files of SSH services, detects attack attempts (repeated failed logins) and temporarily blocks the attacker by setting firewall rules
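An added example, not from the original slides and not sshguard's own logic, of the detection step done by hand over /var/log/auth.log: count failed sshd logins per source address and list the sources that exceed a threshold. The log lines are constructed (documentation addresses), and the threshold of 5 and the blocking command are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original slides): sshguard-style brute-force
# detection over auth.log. Assumptions: syslog-format sshd lines as written
# by OpenSSH; the block action is printed unless APPLY=1.

# Constructed sample of /var/log/auth.log: one source hammering root and
# guessed accounts, one legitimate user with a typo, one single guess.
AUTH_LOG_SAMPLE='Jun 11 10:01:12 web sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 11 10:01:14 web sshd[2101]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 11 10:01:15 web sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jun 11 10:01:17 web sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Jun 11 10:01:18 web sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51126 ssh2
Jun 11 10:01:19 web sshd[2109]: Invalid user postgres from 203.0.113.7 port 51127
Jun 11 10:02:03 web sshd[2111]: Failed password for amir from 198.51.100.4 port 40210 ssh2
Jun 11 10:02:09 web sshd[2111]: Accepted publickey for amir from 198.51.100.4 port 40210 ssh2
Jun 11 10:03:44 web sshd[2120]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2'

# brute_force_sources THRESHOLD < auth.log
# Prints "count address", most failures first, for sources at or above THRESHOLD.
brute_force_sources() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # The source address is the field after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# block_source IP: the temporary firewall rule sshguard would insert.
block_source() {
    if [ "${APPLY:-0}" = 1 ]; then iptables -I INPUT -s "$1" -j DROP
    else echo "would run: iptables -I INPUT -s $1 -j DROP"; fi
}

# Real use: brute_force_sources 5 < /var/log/auth.log
printf '%s\n' "$AUTH_LOG_SAMPLE" | brute_force_sources 5 | while read -r count ip; do
    echo "$ip: $count failed logins"
    block_source "$ip"
done
```

On the sample only 203.0.113.7 crosses the line (six failures); the user who mistyped once is left alone. A real deployment also needs the unblock step after a timeout, which sshguard handles, and should never count the administrator's own address.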
Securing Web-Server – Main Steps
1. User/group settings for web server processes (run the workers as a dedicated, unprivileged account)
2. File system settings
3. Permissions for executable software: nobody except root should be able to write to the binary folders of Apache
4. Reduce functions to your needs: Apache can be extended with modules, e.g. mod_cgi, mod_ssl…; load only the ones that are actually used
5. Suppress fingerprinting (no version information in the Server header or on error pages)
Securing Web-Server – Main Steps
6. Restrict used hardware resources to avoid DoS attacks: change the default Timeout, restrict HTTP requests (size of body, headers and request line)
7. Restrict access to web resources: often resources are not meant to be accessible for everyone. .htaccess is a simple mechanism for access protection; it is activated by placing a file named .htaccess in the protected directory (or in one above it)
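An added example, not from the original slides, that applies the seven steps above as one httpd configuration fragment. Paths, the www-data account, the limits and the admin directory are this example's own choices; the directives are Apache 2.4, with 2.2 equivalents noted where they differ.

```apache
# Added example (not part of the slides): hardening fragment for httpd 2.4.
# Paths, user/group and limits are example choices; adjust to your distribution
# (Debian/Ubuntu keep the main file in /etc/apache2/apache2.conf).

# 1. Worker processes run as a dedicated unprivileged account
User www-data
Group www-data

# 2./3. Binaries and configuration belong to root and are not writable by
#       the web server account. That part is done outside httpd, e.g.:
#       chown -R root:root /etc/apache2 /usr/lib/apache2/modules
#       chmod -R go-w   /etc/apache2 /usr/lib/apache2/modules
#       Inside httpd, deny everything outside the document root:
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
# (2.2: "Order deny,allow" plus "Deny from all" instead of "Require all denied")

DocumentRoot /var/www/html
<Directory /var/www/html>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 4. Only the modules actually needed are loaded. On Debian/Ubuntu, e.g.:
#       a2dismod autoindex status cgi userdir
#    elsewhere comment out the corresponding LoadModule lines.

# 5. No version or OS details in the Server header or on error pages, and
#    no TRACE method (it reflects request headers back to the client)
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# 6. Limits against slow or oversized requests
Timeout 30
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
LimitRequestLine 8190
LimitRequestFieldSize 8190
LimitRequestFields 50
LimitRequestBody 10485760
# With mod_reqtimeout (2.2.15+): drop clients that send headers or body
# too slowly (Slowloris-style DoS)
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# 7. A directory only for authenticated users, configured centrally so that
#    no .htaccess (and no AllowOverride) is needed. The password file lives
#    outside the document root and is created with htpasswd.
<Directory /var/www/html/admin>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
```

Run apachectl configtest after editing and reload rather than restart; ServerTokens Prod hides the version from casual fingerprinting only, so it complements patching, it does not replace it.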
Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
Access Control - .htaccess
Simple Example
The site configuration controls the use of .htaccess files:
AllowOverride None: .htaccess is ignored
AllowOverride AuthConfig: only authentication directives may be overridden (enough for password protection)
AllowOverride All: .htaccess may override (almost) all global settings
Access Control
Structure of the password file:
UserName:Hash
Example: myUser:GxkVrKPk8WSbM
Default hash function: crypt (traditional DES crypt; only the first 8 characters of the password are used, so prefer a stronger hash where htpasswd offers one)
Created by the tool htpasswd
Transfer of password: as HTTP header "Authorization", UserName:Password Base64 encoded (an encoding, not encryption; Basic authentication is only acceptable over HTTPS)
Example: Authorization: Basic d2lraTpwZWRpYQ==
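An added example, not from the original slides, covering both the .htaccess "simple example" and the password-file slide: it writes the .htaccess a protected directory needs, creates the password file with htpasswd, and encodes and decodes the Authorization header to make the Base64 point concrete. The user name, password and file locations are this example's choices; htpasswd -B (bcrypt) is assumed to be the Apache 2.4 tool.

```shell
#!/bin/sh
# Added example (not from the original slides): the pieces behind Basic
# authentication with .htaccess, run by hand. Assumptions: base64(1) and
# sed(1) present; htpasswd from apache2-utils (Apache 2.4) for the hash.

# write_htaccess DIR: protect DIR with the password file below. Needs
# "AllowOverride AuthConfig" (or All) for DIR in the site configuration.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
EOF
}

# make_htpasswd FILE USER PASSWORD
# -B selects bcrypt; the 2.2-era default on the slide (crypt) truncates the
# password to 8 characters. -b puts the password on the command line, which
# is visible in `ps`; omit it to be prompted interactively.
make_htpasswd() {
    command -v htpasswd >/dev/null 2>&1 || {
        echo "htpasswd not installed (package apache2-utils)" >&2; return 1
    }
    htpasswd -c -b -B "$1" "$2" "$3"
}

# encode_basic USER PASSWORD: the header a browser sends after the 401.
encode_basic() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# decode_basic_header "Authorization: Basic <b64>": back to user:password.
# Anyone on the path can do this, hence Basic auth only over HTTPS.
decode_basic_header() {
    printf '%s' "$1" | sed -n 's/^Authorization: Basic //p' | base64 -d
}

# The slide's own example header decodes to the wiki:pedia pair.
decode_basic_header "Authorization: Basic d2lraTpwZWRpYQ=="; echo
encode_basic myUser 's3cret!'; echo
# Real use: write_htaccess /var/www/html/admin; make_htpasswd /etc/apache2/.htpasswd myUser 's3cret!'
```

The password file must not sit inside DocumentRoot: if it did, a misconfigured server would serve the hashes to anyone who asks for it.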
Web Application Security
Various sources of information:
OWASP Top 10 (The Open Web Application Security Project)
CWE/SANS Top 25 (Common Weakness Enumeration)
Exploit databases: http://www.exploit-db.com/webapps/
Web Application Security
2011 CWE/SANS Top 25 Most Dangerous Software Errors
Source: http://cwe.mitre.org/top25/
Web Application Security
Buffer overflows: statistics. Still a major threat (e.g. in Internet Explorer or Acrobat Reader)
Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
Web Application Security
2010 OWASP Top 10
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Web Application Security - BackTrack
Operating system based on Ubuntu
Penetration testing and digital forensics
Available as Live CD or USB
Source: http://www.backtrack-linux.org/screenshots/
Web Application Security - BackTrack
BackTrack arranges its tools into 12 categories: Information Gathering, Vulnerability Assessment, Exploitation Tools, Privilege Escalation, Maintaining Access, Reverse Engineering, RFID Tools, Stress Testing, Forensics, Reporting Tools, Services, Miscellaneous
Take Home Message
Web security is very important for everyone (e.g. e-banking…)
Server security information sources: Federal Office for Information Security (BSI, Germany), National Security Agency (NSA, USA)
Web application security information sources: The Open Web Application Security Project (OWASP) Top 10, CWE/SANS Top 25, exploit databases
Security tool: BackTrack
Questions???