Academic year: 2022

Web Server – Apache

Jean-Marc Robert

Génie logiciel et des TI (Software and IT Engineering)

Popularity

Web server market share: http://news.netcraft.com/

Web Server – Apache

- Installation and configuration
  - DISA STIG
- Firewall and intrusion detection/prevention system (IDPS)
  - ModSecurity
- Tests
  - OWASP vulnerabilities
  - nikto2

Installation and Configuration

- Installation
  - Sources or binaries?
  - Static or dynamic binaries?
  - Directory locations
- Configuration and hardening
  - User account: httpd (the worker processes)
  - Binaries: owned by root
  - Default configuration
    - Allow /var/www/htdocs
    - Deny all (everything else)
  - Executable scripts
    - Exec /var/www/cgi-bin (only)
  - Log files
  - Limits
  - Information leaks
- Change the server identity
  - Remove all default content.
  - Change the banner (?).
- Run Apache in a jail (chroot)
- Use mod_security

Installation and Configuration

- Apache Server 2.2 for Unix
  - Security Technical Implementation Guide (STIG) from the Defense Information Systems Agency (DISA)
    - 55 recommendations
  - HIGH: Server side includes (SSIs) must run with execution capability disabled.
    - The Options directive configures the web server features that are available in particular directories. The IncludesNOEXEC feature controls the ability of the server to utilize SSIs while disabling the exec command, which is used to execute external scripts. If the full includes feature is used it could allow the execution of malware leading to a system compromise.

http://www.stigviewer.com/stig/aa9a9e638ee181b23a293064c2b2618d3ccd8555/

  - MEDIUM: The httpd.conf MaxClients directive must be set properly.
    - These requirements are set to mitigate the effects of several types of denial of service attacks. Although there is some latitude concerning the settings themselves, the requirements attempt to provide reasonable limits for the protection of the web server. If necessary, these limits can be adjusted to accommodate the operational requirement of a given system. …
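A worked example, added here and not part of the original slides: a small Python audit that parses an httpd.conf fragment and flags the items from the preceding slides (worker account, SSI exec through `Options Includes`, a missing `MaxClients`, banner leakage, directory indexing) plus `TraceEnable`, which the nikto output later in the deck reports. Both configuration fragments are constructed for the example, in Apache 2.2 syntax (`Order`/`Allow`/`Deny`); the HIGH and MEDIUM levels follow the two STIG items quoted above, the LOW levels are my own. The parser only handles flat, unnested sections, which is all the fragments use.

```python
"""Audit an httpd.conf fragment for the hardening items on the preceding slides.
Added example, not from the slides; both configuration fragments are constructed."""
import re
from typing import List, Tuple

# Constructed 'before': roughly the permissive defaults the slides warn about.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
User root
Group root
<Directory "/var/www/htdocs">
    Options Indexes Includes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Constructed 'after' in Apache 2.2 syntax: unprivileged worker account, deny-all at the
# filesystem root, IncludesNOEXEC for htdocs, CGI only under cgi-bin, a connection cap,
# no version banner, no TRACE.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
User httpd
Group httpd
<IfModule prefork.c>
    MaxClients 150
</IfModule>
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory "/var/www/htdocs">
    Options IncludesNOEXEC
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>
<Directory "/var/www/cgi-bin">
    Options ExecCGI
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>
"""

SECTION_OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.*)$")


def parse(conf_text: str) -> List[Tuple[str, str, str]]:
    """Flatten the config into (section, directive, value); section is the <Directory> argument
    or '' at top level. Sections are assumed not to nest, which holds for the fragments above."""
    entries, section = [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            section = ""
            continue
        m = SECTION_OPEN_RE.match(line)
        if m:
            if m.group(1).lower() == "directory":
                section = m.group(2).strip('"')
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            entries.append((section, m.group(1).lower(), m.group(2).strip()))
    return entries


def audit(conf_text: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means every check passed."""
    entries = parse(conf_text)
    top = {d: v for s, d, v in entries if s == ""}
    findings = []

    # Slide: run the workers as httpd; only the binaries belong to root.
    user = top.get("user")
    if user is None or user.lower() == "root":
        findings.append(("HIGH", f"User {user or 'not set'}: workers must run as an unprivileged account such as httpd"))

    # STIG HIGH: SSIs must run without exec, so 'Includes' is only acceptable as 'IncludesNOEXEC'.
    # Extra (slide: information leaks): 'Indexes' lists directory contents when no index file exists.
    for section, d, v in entries:
        if d != "options":
            continue
        enabled = {t.lstrip("+").lower() for t in v.split() if not t.startswith("-")}
        if "includes" in enabled:
            findings.append(("HIGH", f"Options Includes in <Directory {section}>: SSI exec allowed, use IncludesNOEXEC"))
        if "indexes" in enabled:
            findings.append(("LOW", f"Options Indexes in <Directory {section}>: directory listing enabled"))

    # STIG MEDIUM: MaxClients (MaxRequestWorkers in 2.4) caps concurrent connections against DoS.
    if "maxclients" not in top and "maxrequestworkers" not in top:
        findings.append(("MEDIUM", "MaxClients not set: no cap on concurrent connections"))

    # Slide: banner and information leaks. Prod reduces the Server header to 'Apache';
    # Off removes the version footer from generated error pages; TRACE echoes requests back.
    if top.get("servertokens", "Full").lower() != "prod":
        findings.append(("LOW", "ServerTokens not Prod: version and modules exposed in the Server header"))
    if top.get("serversignature", "On").lower() != "off":
        findings.append(("LOW", "ServerSignature not Off: error pages reveal the server version"))
    if top.get("traceenable", "on").lower() != "off":
        findings.append(("LOW", "TraceEnable not off: TRACE method answered (nikto reports this as OSVDB-877)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit(conf)
        print(f"== {label}: {len(report)} finding(s)")
        for severity, message in report:
            print(f"  [{severity}] {message}")
```

Running the script prints seven findings for the weak fragment and none for the hardened one. On Apache 2.4 the connection cap is `MaxRequestWorkers` (the check accepts either name) and the access control lines become `Require all denied` / `Require all granted`, which this 2.2-oriented parser does not evaluate.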

ModSecurity

- Open-source Web Application Firewall
  - or Web Application Intrusion Prevention System
- Features
  - HTTP traffic – full logging
    - Privacy?
    - Selected fields can be masked
  - Real-time monitoring and attack detection
  - Attack prevention
    - Negative security model: score anomalies, unusual behaviour and known attack patterns; block connections whose score is high.
    - Positive security model: accept only requests that are valid; reject every other request.
  - Virtual patching
    - Fix known weaknesses and vulnerabilities in the applications behind the server.

Static / Dynamic

ModSecurity

- HTTP IDS/IPS
  - Full protocol analysis
    - Requests
    - Responses
    - Headers and payloads
- Integrated into the web server
  - SSL is not a barrier (the module sees the traffic after Apache has decrypted it)
- Filtering rules
  - Anti-evasion techniques
  - Encoding validation
  - Rules to detect invalid requests
  - Reactions to invalid requests

ModSecurity

- OWASP ModSecurity Core Rule Set Project
  - ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, the OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS provides generic protection from unknown vulnerabilities often found in web applications.

https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

ModSecurity

- OWASP ModSecurity Core Rule Set Project
  - HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
  - Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation.
  - Web-based Malware Detection - identifies malicious web content by checking against the Google Safe Browsing API.
  - HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
  - Common Web Attacks Protection - detecting common web application security attacks.
  - Automation Detection - detecting bots, crawlers, scanners and other surface malicious activity.
  - Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
  - Tracking Sensitive Data - tracks Credit Card usage and blocks leakages.
  - Trojan Protection - detecting access to Trojan horses.
  - Identification of Application Defects - alerts on application misconfigurations.
  - Error Detection and Hiding - disguising error messages sent by the server.

ModSecurity

- Example rule: SQL injection
  - Test payloads, listed as comment lines in the CRS rule file:

# OR 1#
# DROP sampletable;--
# admin'--
# DROP/*comment*/sampletable
# DR/**/OP/*bypass blacklisting*/sampletable
# SELECT/*avoid-spaces*/password/**/FROM/**/Members
# SELECT /*!32302 1/0, */ 1 FROM tablename
# ' or 1=1#
# ' or 1=1-- -
# ' or 1=1/*
# ' or 1=1;\x00
# 1='1' or-- -
# ' /*!50000or*/1='1
# ' /*!or*/1='1
# 0/**/union/*!50000select*/table_name`foo`/**/

https://github.com/SpiderLabs/owasp-modsecurity-crs

ModSecurity

- Example rule: SQL injection (CRS 2.2.8 rule 981231, "SQL Comment Sequence Detected")

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'8',accuracy:'8',id:'981231', \
    t:none,t:urlDecodeUni,block,msg:'SQL Comment Sequence Detected.',severity:'2',capture, \
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', \
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1', \
    tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2', \
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1, \
    setvar:'tx.msg=%{rule.msg}', \
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

https://github.com/SpiderLabs/owasp-modsecurity-crs
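To make the negative and positive security models from the earlier ModSecurity slide concrete, here is an added Python example (not from the slides, and not CRS code) that re-implements rule 981231 above. The regex is copied verbatim from the rule; `t:urlDecodeUni` is approximated with `%xx` plus `%uXXXX` decoding; every matching variable adds `tx.critical_anomaly_score` to the request's anomaly score, and the request is blocked once that score reaches the inbound level (both values assumed to be 5, as in the CRS 2.2.x example setup file). The positive model beside it is an allow-list for a hypothetical handler with `id`, `user` and `note` parameters. The four requests are constructed: `css` shows a false positive of the comment-sequence signature that the allow-list accepts, and `unknown` a parameter the signature cannot see but the allow-list rejects.

```python
"""Negative vs. positive security model, using CRS rule 981231 as the negative-model signature.
Added example: the regex is copied from the rule, everything else is an approximation."""
import re
from urllib.parse import unquote

# Regex copied from CRS 2.2.8 rule 981231 (SQL Comment Sequence Detected); Python's re accepts it unchanged.
SQL_COMMENT_RE = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\\x00)"
)

# Assumed values from the CRS 2.2.x example setup file; tune them per site.
CRITICAL_ANOMALY_SCORE = 5      # tx.critical_anomaly_score
INBOUND_ANOMALY_LEVEL = 5       # tx.inbound_anomaly_score_level


def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni: %uXXXX (IIS style) first, then ordinary %xx decoding."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value)


def rule_981231(args: dict) -> list:
    """Apply the rule to ARGS_NAMES and ARGS; return (variable, matched_text) per matching variable.
    Cookies and XML, which the real rule also inspects, are left out of this example."""
    hits = []
    for name, value in args.items():
        for var, data in ((f"ARGS_NAMES:{name}", name), (f"ARGS:{name}", value)):
            m = SQL_COMMENT_RE.search(url_decode_uni(data))
            if m:
                hits.append((var, m.group(0)))
    return hits


def negative_model(args: dict) -> dict:
    """Anomaly scoring: each matching variable adds the critical score (the rule's setvar);
    the request is blocked only when the total reaches the inbound level."""
    hits = rule_981231(args)
    score = CRITICAL_ANOMALY_SCORE * len(hits)
    return {"hits": hits, "anomaly_score": score, "blocked": score >= INBOUND_ANOMALY_LEVEL}


# Positive model: the only acceptable shape of each parameter of a hypothetical handler (assumed).
ALLOWED_ARGS = {
    "id": re.compile(r"[0-9]{1,9}"),
    "user": re.compile(r"[a-z0-9_.]{1,32}"),
    "note": re.compile(r"[A-Za-z0-9 #.]{1,64}"),
}


def positive_model(args: dict) -> dict:
    """Accept a request only if every parameter is known and its decoded value matches the allow-list."""
    rejected = [name for name, value in args.items()
                if name not in ALLOWED_ARGS or not ALLOWED_ARGS[name].fullmatch(url_decode_uni(value))]
    return {"rejected": rejected, "blocked": bool(rejected)}


# Constructed requests, URL-encoded as they would arrive on the wire.
REQUESTS = {
    "sqli": {"id": "42", "user": "admin%27--"},             # admin'-- : caught by both models
    "css": {"id": "7", "note": "bold%20%23ff0000%20text"},  # "bold #ff0000 text": '#' comment false positive
    "unknown": {"id": "7", "debug": "1"},                   # no signature matches, but 'debug' is not allowed
    "clean": {"id": "7", "user": "jean.marc", "note": "hello"},
}

if __name__ == "__main__":
    for label, args in REQUESTS.items():
        print(f"{label:8} negative={negative_model(args)}  positive={positive_model(args)}")
```

The contrast is the point of the two models: the signature is generic and needs no knowledge of the application, but it blocks a harmless `#ff0000` followed by a space and cannot object to an unexpected `debug` parameter; the allow-list catches both, but only because someone wrote down what every parameter may look like, and it has to be maintained as the application changes.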

Vulnerabilities

- OWASP Testing Guide Version 3, 2008, 349 pages. Phew!
  - Configuration Management Testing
  - Authentication Testing
  - Session Management Testing
  - Authorization Testing
  - Business Logic Testing
  - Data Validation Testing
  - Denial of Service Testing
  - Web Services Testing
  - Ajax Testing
  - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- Version 4 is under development.
  - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Vulnerabilities – nikto2

- Vulnerability scanner
  - Server and software
    - Misconfigurations
    - Outdated versions
  - Default files and programs
  - Insecure files and programs
- Database
  - Outdated-version checks for 1250 servers
    - Version-specific problems on 270 servers
  - 6500 problematic files/CGIs

Vulnerabilities – nikto2: example

+ Server: Apache/2.2.3 (CentOS)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: PHP/4.4.7
+ PHP/4.4.7 appears to be outdated (current is at least 5.2.5)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-0: GET /config.php : PHP Config file may contain database IDs and passwords.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-12184: GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /db/ : This might be interesting...
+ OSVDB-3092: GET /includes/ : This might be interesting...
+ OSVDB-3093: GET /index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /index.php?topic=<script>alert(document.cookie)</script>%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /images/ : Directory indexing is enabled: /images
+ OSVDB-3268: GET /docs/ : Directory indexing is enabled: /docs
+ OSVDB-3233: GET /icons/README : Apache default file found.

References

- Ivan Ristic, Apache Security, O'Reilly, 2005.
  Online: Chapter 2 – Installation and Configuration
  http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
- Ryan C. Barnett, Preventing Web Attacks with Apache, Addison-Wesley, 2006.
