
Confining the Apache Web Server with Security-Enhanced Linux

Guanzhong Wang, Michelle J. Gosselin, Jennifer Schommer





Presentation Transcript


  1. Confining the Apache Web Server with Security-Enhanced Linux • Guanzhong Wang, Michelle J. Gosselin, Jennifer Schommer

  2. Preface • Linux is mainly used for setting up network servers. Reports of servers and websites being hacked appear almost every day, and as network applications diversify, the forms and methods of attack are changing too. How to enhance the security of a Linux server has become one of the most important issues for Linux system administrators.

  3. Introduction to Linux • Linux is open source software. Because of technical features such as high stability and security, strong network load capacity and low hardware requirements, it has been rapidly promoted and deployed since its birth, and has developed into one of the mainstream server operating systems in the world today.

  4. “Apache” service • Linux services include DNS, DFS, Samba, Sendmail, Postfix, Apache and others.

  5. Communication process • (1) The client (browser) and the Web server establish a TCP connection. The client then sends an access request (such as “GET”) to the Web server. According to the HTTP protocol, the request includes information such as the client's IP address, browser type and URL. • (2) After the Web server receives the request, it returns the requested page to the client. If an error occurs, it returns an error code. • (3) The client disconnects from the remote Web server.

  6. How to configure a secure Apache server? • Install patches regularly: the latest change log at http://www.apache.org/ lists bug fixes and security bug fixes. • Hide and mask the Apache version: the Apache version number is removed by changing the configuration file /etc/httpd.conf.

  7. Build a safe directory structure • An Apache server has four main directories: • ServerRoot: holds the configuration files, binary files and other server files. • DocumentRoot: holds the content of the Web sites, including HTML files and pictures. • ScriptAlias: holds the CGI scripts. • CustomLog and ErrorLog: hold the access logs and error logs.

  8. Special users and user groups for Apache • The principle of least privilege is one of the most basic principles in system security. It restricts users to the least privilege they need to access the system and its data, so that users can still complete their tasks while the loss caused by illegal users or abnormal operations is kept to a minimum.

  9. Commands for the dedicated user and group:
     groupadd webteam
     usermod -G webteam GW
     chown -R httpd:webteam /www/htdocs
     chmod -R 2570 /www/htdocs
     • -G sets the additional (supplementary) groups the user belongs to. • -R changes the owner of all files in the directory and its subdirectories, recursively, one after another. • SUID means that if a user sets this permission on his own shell script, other users running the script will have the same permissions as the owner. • SGID means that users who run the script will have the same permissions as the script's group.

  10. Access strategies for the web directory • 1. Forbid directory indexes (catalogue listings). • 2. Forbid default access. To allow access to the /var/www/html directory, use the following settings: • 3. Forbid user overrides. To prevent users from overriding the configuration of this directory, it can be set:
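The settings that slides 6 and 10 refer to are not reproduced in the transcript. The script below is an added example, not part of the original presentation: it audits a configuration file for them using the standard Apache directives ServerTokens, ServerSignature, Options, AllowOverride and Require, and the choice of those directives and the two sample files are this example's assumptions.

```shell
#!/bin/sh
# Prints one finding per line for the settings on slides 6 and 10;
# prints nothing when the file passes every check.
audit_httpd_conf() {
    # Active directives only: drop comments and leading whitespace.
    active=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1")
    # Slide 6: keep the version out of the Server header and error pages.
    printf '%s\n' "$active" | grep -Eiq '^ServerTokens[[:space:]]+Prod' ||
        echo "ServerTokens is not Prod"
    printf '%s\n' "$active" | grep -Eiq '^ServerSignature[[:space:]]+(On|EMail)' &&
        echo "ServerSignature is enabled"
    # Slide 10, item 1: "Indexes" or "+Indexes" turns directory listings on.
    printf '%s\n' "$active" | grep -Ei '^Options[[:space:]]' |
        grep -Eiq '[[:space:]][+]?Indexes' && echo "Options enables Indexes"
    # Slide 10, item 2: <Directory /> must deny by default (2.4 or 2.2 syntax).
    printf '%s\n' "$active" | awk '
        { l = tolower($0) }
        l ~ /^<directory[ \t]+"?\/"?>/ { inroot = 1; next }
        l ~ /^<\/directory>/ { inroot = 0 }
        inroot && l ~ /^(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)/ { ok = 1 }
        END { exit ok ? 0 : 1 }' || echo "no default deny on <Directory />"
    # Slide 10, item 3: anything but None lets .htaccess override the policy.
    printf '%s\n' "$active" | grep -Ei '^AllowOverride[[:space:]]' |
        grep -Eivq '^AllowOverride[[:space:]]+None[[:space:]]*$' &&
        echo "AllowOverride is not None"
    return 0
}

# Constructed sample files (not from the slides).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
cat > "$tmp/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
    Options -Indexes
    AllowOverride None
    Require all denied
</Directory>
EOF
echo "weak.conf:";     audit_httpd_conf "$tmp/weak.conf"
echo "hardened.conf:"; audit_httpd_conf "$tmp/hardened.conf"
```

With the root directory denied by default, access to /var/www/html is then granted in its own `<Directory>` block, as item 2 of the slide describes.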

  11. DoS attacks • Apache servers are under the threat of DoS attacks all the time. These attacks mainly take the following forms: • 1. Packet flood attacks • 2. Disk attacks • 3. Making the router inaccessible • 4. Distributed denial-of-service attacks

  12. Preventing DoS attacks • The Apache server defends against denial-of-service attacks mainly through the Apache DoS Evasive Maneuvers Module. It is an alternative to mod_access for countering DoS attacks, and it can quickly deny repeated requests from the same address for the same URL.
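The rule on slide 12, repeated requests from the same address for the same URL, can also be checked after the fact in the access log. The script below is an added example, not the module's code and not part of the original presentation: it assumes Common Log Format, uses a fixed one-second window as a simplification, and runs on constructed log lines with documentation-range addresses.

```shell
#!/bin/sh
# flag_repeats LOG LIMIT
# Prints "address URL count" for each address that requested the same URL
# more than LIMIT times within one clock second (Common Log Format input).
flag_repeats() {
    awk -v limit="$2" '
        {
            # $1 = client address, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = URL
            n = ++hits[$1 SUBSEP $7 SUBSEP $4]
            if (n > limit) {
                key = $1 " " $7
                # Remember the busiest second seen for this address and URL.
                if (n > worst[key]) worst[key] = n
            }
        }
        END { for (k in worst) print k, worst[k] }' "$1" | sort
}

# Constructed access log (not from the slides).
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2048
EOF
flag_repeats "$log" 2
```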

  13. Use SSL to reinforce Apache • Using a Web server with SSL can improve the security of a website. The SSL protocol works between the Linux TCP/IP protocol and the HTTP protocol, and it uses encryption to protect the flow of information between Web servers and browsers. SSL is not only used to encrypt the data transmitted over the Internet, but can also provide authentication.

  14. How does it work? • 1. The client application's connection request includes its list of algorithms and other available information. • 2. When the server responds to the connection, it confirms the algorithm needed for this communication and sends its own certificate, which contains its identity and public key. • 3. After it receives this message, the client generates a secret key, encrypts it with the web server's public key and sends it. • 4. The server then uses its private key to decrypt and process it, so as to generate an encryption key; the session key has now been negotiated successfully. • 5. The client and the server both know the session key and use it to encrypt the data.

  15. END
