2007 Web Hacking Incident Graph

The Threat Model

Who gets attacked? Everyone. Being small does not keep you off the target list. What are the attackers after? The chart on the right shows a breakdown of attacker goals based on data from the Web Hacking Incidents Database.

Maybe not so surprising was the next slide, which showed that most successful attacks (I think somewhere near 50%) were because of someone getting the admin’s password through some means, perhaps social engineering or phishing. Sysadmins should definitely be more careful with this sensitive data.

So, how do you protect against these attacks? That’s what Sander will cover in this session.

Apache HTTP Server is Secure

There have been very few security vulnerabilities reported against Apache, and (as of this talk) no critical vulnerabilities in the 2.2.x branch. If you think you have found a security vulnerability in Apache, email security@apache.org; the security team will respond swiftly if it is a real vulnerability. Handling a real one includes getting it a CVE identifier: CVE is the list of publicly known vulnerabilities maintained by MITRE, so the fix can be tracked by everyone who ships Apache.

Installing Apache and Securing it

If you build Apache yourself, the default installation is fairly secure. If you install it from a distribution (a Linux RPM, for example), configurations and packaging differ from vendor to vendor. For instance, Red Hat Enterprise Linux 4 still ships 2.0.46 at this time, even though that upstream release is very old; Red Hat pulls in and backports the security patches itself. The result is a secure version, because of their diligent patching, but you must understand the difference between the “latest” version from Apache and the “latest” version from your distributor: the version string alone does not tell you which fixes a package contains, so compare the vendor’s package changelog or errata against the Apache security advisories rather than the version number.
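The check implied above, as an added example (not from the talk or the Apache project): on an RPM-based system the real command is `rpm -q --changelog httpd`, and the script uses it when the package is installed. Otherwise it falls back to a constructed changelog embedded below, whose version header says 2.0.46 while its entries list backported fixes. The CVE identifiers in the sample are real Apache httpd 2.0.x issues, used only as sample data; the packager line and release suffix are placeholders.

```shell
#!/bin/sh
# Added example: a distribution package's version string says little about
# which security fixes it carries; the package changelog does.

# Constructed stand-in for `rpm -q --changelog httpd` on a vendor-patched
# 2.0.46 package. Packager and release suffix are placeholders.
SAMPLE_CHANGELOG='* (vendor packager) - 2.0.46-xx
- add security fix for CVE-2007-3847 (mod_proxy)
- add security fix for CVE-2007-5000 (mod_imap cross-site scripting)
- add security fix for CVE-2007-6388 (mod_status cross-site scripting)
* (vendor packager) - 2.0.46-xx
- rebuild'

# Print every CVE identifier mentioned in the changelog read from stdin,
# one per line, sorted and de-duplicated. Pure POSIX: split the text on
# anything that is not part of an identifier, then keep the CVE tokens.
cves_fixed_in_changelog() {
    tr -cs 'A-Za-z0-9-' '\n' | grep -E '^CVE-[0-9]{4}-[0-9]{4,}$' | sort -u
}

# Exit 0 if the given CVE identifier appears in the changelog on stdin.
is_cve_backported() {
    cve=$1
    cves_fixed_in_changelog | grep -qx "$cve"
}

# Changelog source: the installed httpd package when rpm knows about it,
# otherwise the constructed sample so the script runs anywhere.
httpd_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
        rpm -q --changelog httpd
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Report the fixes the package claims, independent of its version number.
report_httpd() {
    printf 'CVE fixes listed in the httpd package changelog:\n'
    httpd_changelog | cves_fixed_in_changelog
}

report_httpd
```

To answer the question the paragraph raises for one advisory, pipe the changelog into `is_cve_backported CVE-YYYY-NNNN`; an exit status of 0 means the vendor lists that fix, whatever the version string says. Debian-style systems keep the same information in `/usr/share/doc/<package>/changelog.Debian.gz`.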

Apache Configuration Tips

Operating System Hardening (mostly Linux)

Windows - Use what you know! Sander says that a poorly maintained Linux installation run by someone who doesn’t know what they’re doing is worse than a well maintained Windows installation run by someone who is only familiar with Windows.

Network Infrastructure

ModSecurity - the next session will say more about ModSecurity, but in short it is a web application firewall that runs inside Apache as a module. It can apply rule-based filtering to requests and responses, and do a whole host of other things to protect you. Because it runs inside Apache, after TLS has been terminated, it sees the decrypted contents of HTTPS requests, something a network firewall in front of the server cannot do unless it terminates TLS itself.

Always ask yourself “WHY”

Change Management - implement change management for your server environment. That means you do not edit the configuration files on the live server. Make and test the change in a staging environment first (after asking “why?”), then apply it to the live server, keeping a backup of the previous configuration so you can roll back. (Could you use a version control system for your config files? Yes: keeping httpd.conf and its includes under version control gives you the change history and the rollback for free.)

Database Privileges - many applications that you download and install (Joomla, WordPress, etc.) come with bad default configuration advice, such as GRANT ALL PRIVILEGES for the application’s database user. Do you really need to do this? No. At runtime an application needs to read and write rows (SELECT, INSERT, UPDATE, DELETE); it does not need CREATE TABLE or DROP TABLE. Schema-changing privileges are only needed when you set up the application (and when an upgrade changes the schema), so give them to a separate account that is used only for that.
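An added example of the split described above, written for MySQL (which WordPress and Joomla use) and not taken from the talk or from either project’s installer: the GRANT ALL statement the installer documentation tends to suggest, beside a two-account replacement. Database, user and host names (`wordpress`, `wp_app`, `wp_setup`, `localhost`) and the passwords are placeholders to substitute.

```shell
#!/bin/sh
# Added example: MySQL grants for a web application. Two accounts instead
# of one with ALL PRIVILEGES: the account the running application uses can
# only read and write rows; a setup account may change the schema and is
# used only during install and upgrades.

# What installer documentation typically suggests (shown for contrast).
weak_grant() {
    db=$1 user=$2 host=$3
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
}

# Least-privilege replacement. CREATE USER before GRANT works on both old
# MySQL 5.x and 8.0, where GRANT no longer creates accounts implicitly.
least_privilege_grants() {
    db=$1 app_user=$2 setup_user=$3 host=$4
    cat <<EOF
-- Runtime account: rows only. This is what the web application connects as.
CREATE USER '$app_user'@'$host' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON $db.* TO '$app_user'@'$host';

-- Setup account: may change the schema. Use it for the install and for
-- upgrades that alter tables, then lock it (ALTER USER ... ACCOUNT LOCK on
-- MySQL 5.7+) or drop it until it is needed again.
CREATE USER '$setup_user'@'$host' IDENTIFIED BY 'change-me-too';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
    ON $db.* TO '$setup_user'@'$host';
EOF
}

# Review check for any grant script on stdin: does it hand out everything?
grants_all() {
    grep -qi 'ALL PRIVILEGES'
}

# Usage (placeholders substituted, run once as the MySQL root user):
#   least_privilege_grants wordpress wp_app wp_setup localhost | mysql -u root -p
least_privilege_grants wordpress wp_app wp_setup localhost
```

After the install, `SHOW GRANTS FOR 'wp_app'@'localhost';` is the quick way to confirm the runtime account still has nothing beyond the four row-level privileges; if an application upgrade fails with a denied CREATE or ALTER, that is the signal to run the upgrade with the setup account rather than to widen the runtime one.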

PHP Configuration - Here are some configuration details to make your PHP installation more secure:

Further Reading

Sander says that he will be posting his slides at: http://people.apache.org/~sctemme/ApconUS2008/