Web Server – Apache
Jean-Marc Robert, Génie logiciel et des TI (Software and IT Engineering)
Popularity
Jean-Marc Robert, ETS MTI 719 - Apache - A13 v1.0 2
Netcraft web server survey: http://news.netcraft.com/
Web Server – Apache (outline)
- Installation and configuration
  - DISA STIG
- Firewall and intrusion detection/prevention system (IDPS)
  - ModSecurity
- Testing
  - OWASP vulnerabilities
  - nikto2
Installation and Configuration
- Installation
  - Sources or binaries?
  - Static or dynamic binaries?
  - Directory locations
- Configuration and hardening
  - User account: httpd
  - Binaries: root
  - Default configuration
    - Allow /var/www/htdocs
    - Deny all
  - Executable scripts
    - Exec /var/www/cgi-bin
  - Log files
  - Limits
  - Information leaks
- Change the server's identity
  - Remove all default content.
  - Change the banner (?).
- Run the Apache server in a jail
- Use mod_security
Installation and Configuration
- APACHE SERVER 2.2 for Unix
  - Security Technical Implementation Guide (STIG) of the Defense Information Systems Agency
    - 55 recommendations
  - HIGH: Server side includes (SSIs) must run with execution capability disabled.
    - The Options directive configures the web server features that are available in particular directories. The IncludesNOEXEC feature controls the ability of the server to utilize SSIs while disabling the exec command, which is used to execute external scripts. If the full includes feature is used it could allow the execution of malware leading to a system compromise.
  - MEDIUM: The httpd.conf MaxClients directive must be set properly.
    - These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. …
http://www.stigviewer.com/stig/aa9a9e638ee181b23a293064c2b2618d3ccd8555/
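An added example, not code from the slides or from the STIG: a small Python audit that parses an httpd.conf fragment and reports the two STIG items above (HIGH: Options Includes without NOEXEC; MEDIUM: MaxClients unset) together with the "change the banner" item of the configuration slide, run on a constructed weak configuration and its hardened counterpart. Assumed: ServerTokens and ServerSignature are the banner directives checked, and their INFO severity is mine, not a STIG rating.

```python
# Constructed httpd.conf fragments (not from the slides): weak vs. hardened.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/htdocs">
    Options Indexes Includes FollowSymLinks
</Directory>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
MaxClients 150
<Directory "/var/www/htdocs">
    Options IncludesNOEXEC
</Directory>
<Directory "/var/www/cgi-bin">
    Options ExecCGI
</Directory>
"""

def parse_directives(conf: str) -> list:
    """Return (name, args, section) triples; <Directory ...> gives the section."""
    out, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):
            section = None
        elif line.startswith("<"):
            section = line.strip("<>")
        else:
            name, _, args = line.partition(" ")
            out.append((name, args.split(), section))
    return out

def audit(conf: str) -> list:
    """Return (severity, message) findings: the two STIG items plus banner checks."""
    findings, directives = [], parse_directives(conf)
    for name, args, section in directives:
        # HIGH: full 'Includes' lets SSI run exec; 'IncludesNOEXEC' is the fix
        if name == "Options" and any(a.lstrip("+") == "Includes" for a in args):
            findings.append(("HIGH", f"SSI exec enabled in <{section}>"))
        if name == "ServerTokens" and args != ["Prod"]:      # INFO is my rating
            findings.append(("INFO", "ServerTokens reveals version details"))
        if name == "ServerSignature" and args != ["Off"]:
            findings.append(("INFO", "ServerSignature adds a banner to error pages"))
    if not any(d[0] == "MaxClients" for d in directives):
        findings.append(("MEDIUM", "MaxClients not set: no DoS connection limit"))
    return findings
```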
ModSecurity
- Open source web application firewall
  - or web application intrusion prevention system
- Features
  - HTTP traffic: complete logging
    - Privacy?
    - Certain fields can be masked
  - Real-time monitoring and attack detection
  - Attack prevention
    - Negative security model: score anomalies, unusual behaviour and common attacks; block connections with a high score.
    - Positive security model: accept only requests that are valid; reject every other request.
  - Virtual patching
    - Fix the known weaknesses and vulnerabilities of the server's applications.
Static
Dynamic
ModSecurity
- HTTP IDS/IPS
  - Complete analysis of the protocol
    - Requests
    - Responses
    - Headers and payloads
- Integrated into the web server
  - SSL is not a barrier
- Filtering rules
  - Anti-evasion techniques
  - Encoding validation
  - Rules to detect invalid requests
  - Reactions to invalid requests
ModSecurity
- OWASP ModSecurity Core Rule Set Project
  - "ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, the OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS provides generic protection from unknown vulnerabilities often found in web applications."
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
ModSecurity
- OWASP ModSecurity Core Rule Set Project
  - HTTP Protection: detecting violations of the HTTP protocol and a locally defined usage policy.
  - Real-time Blacklist Lookups: utilizes 3rd party IP reputation.
  - Web-based Malware Detection: identifies malicious web content by checking against the Google Safe Browsing API.
  - HTTP Denial of Service Protections: defense against HTTP flooding and slow HTTP DoS attacks.
  - Common Web Attacks Protection: detecting common web application security attacks.
  - Automation Detection: detecting bots, crawlers, scanners and other surface malicious activity.
  - Integration with AV Scanning for File Uploads: detects malicious files uploaded through the web application.
  - Tracking Sensitive Data: tracks credit card usage and blocks leakages.
  - Trojan Protection: detecting access to Trojan horses.
  - Identification of Application Defects: alerts on application misconfigurations.
  - Error Detection and Hiding: disguising error messages sent by the server.
ModSecurity
- Rule example: SQL injection (test payloads listed as comments in the CRS rule file)
  # OR 1#
  # DROP sampletable;--
  # admin'--
  # DROP/*comment*/sampletable
  # DR/**/OP/*bypass blacklisting*/sampletable
  # SELECT/*avoid-spaces*/password/**/FROM/**/Members
  # SELECT /*!32302 1/0, */ 1 FROM tablename
  # ' or 1=1#
  # ' or 1=1-- -
  # ' or 1=1/*
  # ' or 1=1;\x00
  # 1='1' or-- -
  # ' /*!50000or*/1='1
  # ' /*!or*/1='1
  # 0/**/union/*!50000select*/table_name`foo`/**/
https://github.com/SpiderLabs/owasp-modsecurity-crs
ModSecurity
- Rule example: SQL injection (rule 981231, "SQL Comment Sequence Detected", shown with the CRS file's backslash line continuations)
  SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,\
    msg:'SQL Comment Sequence Detected.',severity:'2',capture,\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
https://github.com/SpiderLabs/owasp-modsecurity-crs
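An added example, not code from the slides or from the CRS project: a Python emulation of rule 981231 that runs the regex above over the request arguments (ARGS_NAMES and ARGS after t:urlDecodeUni) and accumulates the anomaly score the way the negative security model of the earlier ModSecurity slide does. Assumptions: the pattern is used exactly as printed, the CRS 2.2.x defaults of 5 points per critical match and an inbound blocking threshold of 5, and scoring once per matched variable.

```python
import re
from urllib.parse import unquote, unquote_plus

# Regex copied from CRS rule 981231 on the slide (assumption: this is the
# pattern the engine receives after ModSecurity's config-level unescaping).
SQL_COMMENT_SEQUENCE = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)"
)
# Assumed CRS 2.2.x defaults (modsecurity_crs_10_setup.conf): a critical
# match adds 5 points; an inbound anomaly score of 5 or more is blocked.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_SCORE_LEVEL = 5

def parse_args(query: str) -> dict:
    """Emulate ARGS followed by t:urlDecodeUni: decoded once when the query
    string is parsed and once more by the transformation (catches %2527)."""
    args = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        args[unquote(unquote_plus(key))] = unquote(unquote_plus(value))
    return args

def rule_981231(args: dict) -> list:
    """Apply the rule to ARGS_NAMES and ARGS; one record per matched variable,
    shaped like its logdata (%{MATCHED_VAR_NAME} and %{TX.0})."""
    hits = []
    for name, value in args.items():
        for target, var in (("ARGS_NAMES", name), ("ARGS", value)):
            m = SQL_COMMENT_SEQUENCE.search(var)
            if m:
                hits.append({"var": f"{target}:{name}", "matched": m.group(0)})
    return hits

def evaluate_request(query: str) -> dict:
    """Negative security model reduced to this one rule: each matched variable
    adds tx.critical_anomaly_score; the request is blocked at the threshold."""
    hits = rule_981231(parse_args(query))
    score = CRITICAL_ANOMALY_SCORE * len(hits)
    return {"anomaly_score": score,
            "blocked": score >= INBOUND_ANOMALY_SCORE_LEVEL, "hits": hits}

if __name__ == "__main__":
    # Constructed query strings: CRS test payloads from the slide, a double-
    # encoded variant, a benign query and a legitimate SKU that trips the rule.
    for q in ("user=admin'--", "id=DR/**/OP/*bypass blacklisting*/sampletable",
              r"id=' or 1=1;\x00", "user=admin%2527--",
              "q=SELECT name FROM members WHERE id = 42", "sku=AB--12-X"):
        print(q, "->", evaluate_request(q))
```

The last sample is the caveat behind anomaly scoring: a single comment-sequence rule fires on harmless values such as AB--12-X, which is why the CRS adds points and blocks at a threshold instead of blocking on every match.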
Vulnerabilities
- OWASP Testing Guide version 3, 2008, 349 pages. Phew!
  - Configuration Management Testing
  - Authentication Testing
  - Session Management Testing
  - Authorization Testing
  - Business Logic Testing
  - Data Validation Testing
  - Denial of Service Testing
  - Web Services Testing
  - Ajax Testing
  - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- Version 4 is under development.
  - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Vulnerabilities – nikto2
- Vulnerability scanner
  - Server and software
    - Misconfigurations
    - Out-of-date versions
  - Default files and programs
  - Insecure files and programs
- Database
  - Recognizes 1250 servers
    - Specific problems on 270 servers
  - 6500 problematic files/CGIs
Vulnerabilities – nikto2: Example
+ Server: Apache/2.2.3 (CentOS)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/4.4.7
+ PHP/4.4.7 appears to be outdated (current is at least 5.2.5)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-0: GET /config.php : PHP Config file may contain database IDs and passwords.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /db/ : This might be interesting...
+ OSVDB-3092: GET /includes/ : This might be interesting...
+ OSVDB-3093: GET /index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?topic=<script>alert(document.cookie)</script>%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /images/ : Directory indexing is enabled: /images
+ OSVDB-3268: GET /docs/ : Directory indexing is enabled: /docs
+ OSVDB-3233: GET /icons/README : Apache default file found.
References
- Ivan Ristic, Apache Security, O'Reilly, 2005. Online: Chapter 2, Installation and Configuration, http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
- Ryan C. Barnett, Preventing Web Attacks with Apache, Addison-Wesley, 2006.