What We Will Cover
Log Tails
From Last Lab
- Any questions?
- What is the network address for a machine whose IP address is 172.7.7.105 and netmask is 255.255.255.0?
- Does a router check the source address of a packet?
Quiz Review
10.1: Host/OS Hardening
Objectives
At the end of the lesson the student will be able to:
- Determine what is running on your machine
- Determine which ports accept connections
- Operating system (OS) is responsible for machine resources and must be secure
- Software that the operating system controls also needs to be secure
- Software with a security hole that has high enough access rights can do major damage
- Compromising the OS compromises all the software it controls
10.1.1: Out Of Box
- Biggest mistake is running a machine with the out-of-box configuration
- Security and functionality are often inversely related
- Vendors give you all the functionality by default on purpose
- They want to make their product as useful to you as possible
- However, security risks can be extreme
- Need to "lock down" and secure the configuration
10.1.2: Software Bugs
- Software contains bugs
- As software grows larger and more complex, more bugs appear
- The more bugs present, the greater the possibility of security holes
- Principle is to deactivate or restrict unnecessary services
- First step is to identify exactly what is running on the machine
For Example
- On Linux, use ps command to show the currently-running processes
- Useful option: -ef (all processes with full listing)
ps -ef
10.1.3: Server Processes
- Security risk is slightly higher when the process is a server process listening for incoming client connections on a network port
- Web server typically listens for Web client connections on TCP port 80
- Other processes may also be listening for connections on other ports
- These types of processes interact with the local computer resources
- They also interact with remote machines over the network
- Non-network process requires an attacker to be logged in locally to exploit a vulnerability
- Process utilizing the network is susceptible to attacks from remote machines as well
- Important to know which network ports are open and listening for incoming client connections
- Should eliminate any unnecessary open network port to reduce the risk of attack
For Example
- Use netstat command to look for listening processes
netstat -an
netstat -ap
Look for items where the State column is labeled "LISTEN" (Linux) or "LISTENING" (Windows)
netstat -lp
If TCP protocol is specified, can verify a port is accepting incoming connections using telnet
General syntax:
telnet ipAddress port
For example:
telnet 0.0.0.0 111
Usually close a telnet session with either exit or quit
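As an added example (not from the lesson), the following POSIX shell script does the port audit described above on netstat output: it picks out the TCP sockets in the LISTEN/LISTENING state and then reports which of those ports are not on an allowlist of services you expect. The netstat text embedded in it is constructed for the example; the function names and the allowlist are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the lesson): pick the listening TCP sockets out of
# "netstat -an" output and compare them with an allowlist of expected ports.
# SAMPLE_NETSTAT is constructed for this example; on a real host feed in
# "netstat -an | listening_ports" instead.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listening_ports: read netstat output on stdin and print "address port" for
# every TCP socket whose State is LISTEN (Linux) or LISTENING (Windows),
# sorted by port number. Established connections and UDP sockets are skipped.
listening_ports() {
    awk 'tolower($1) ~ /^tcp/ && ($NF == "LISTEN" || $NF == "LISTENING") {
            loc = ""
            for (i = 2; i <= NF; i++) if ($i ~ /:/) { loc = $i; break }
            addr = loc; sub(/:[^:]*$/, "", addr)   # strip ":port"
            port = loc; sub(/.*:/, "", port)       # keep only the port
            print addr, port
         }' | sort -n -k2
}

# unexpected_ports PORT...: read "address port" lines (the output of
# listening_ports) and print the ports that are not in the allowlist given
# as arguments. These are the candidates for "deactivate or restrict".
unexpected_ports() {
    allowed=" $* "
    while read -r addr port; do
        case "$allowed" in
            *" $port "*) ;;                  # an expected service
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Demo: listening sockets in the sample, then the ones not in the allowlist.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
echo "--- not in allowlist (22 80):"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | unexpected_ports 22 80
```

On the sample, ports 25 and 111 are reported as unexpected; whether that is a problem depends on the machine's role, which is exactly the judgement the lab questions ask you to make. Note that a socket bound to 127.0.0.1 (the sample's port 25) is reachable only locally, while one bound to 0.0.0.0 accepts connections from any network interface.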
10.1.4: SUID Audit
- Normally, UNIX/Linux programs run under a standard user ID (UID)
- Sometimes need more privileges, such as when changing passwords
- UNIX/Linux provides a way to lock the UID to the owner, rather than the user
- Known as Set-UID or SUID
- Can see them because the owner execute bit is replaced with an "s"
- For example:
$ ls -l /usr/bin/passwd
-r-s--x--x 1 root root 22312 Sep 11 2002 /usr/bin/passwd
   ^
   SUID bit (the "s" in the owner execute position)
- Problem is that every program with SUID can be vulnerable to exploitation
- If the program gets cracked, then the cracker has root access
- To protect against vulnerabilities, need to find and disable all unused programs
- Can use the find command to list all SUID and SGID executables
- For example:
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ldb {} \;
find / -type f -perm /6000 -ls
(older versions of GNU find wrote the second form as -perm +6000, which current versions reject)
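The audit above is most useful when repeated: the set-ID files present on a freshly hardened machine become a baseline, and any set-ID binary that appears later is what you want to see. The following POSIX shell script is an added example, not part of the lesson; it wraps the find command from the notes in a function and compares the result with a baseline file (one path per line). The directory tree it builds at the end, and the file names in it, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the lesson): a small set-ID audit. It lists the
# setuid/setgid files under a directory and compares them with a baseline of
# known, expected entries (one path per line), so that a set-ID binary that
# was not there last time stands out. The directory tree built at the end is
# constructed for the demo; on a real host run "audit_setid / baseline.txt".

# setid_files DIR: print every regular file under DIR with the setuid (4000)
# or setgid (2000) bit set, sorted. Equivalent to "-perm /6000" in GNU find.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid DIR BASELINE: print the set-ID files under DIR that are missing
# from BASELINE. Exit status 0 when nothing new was found, 1 otherwise.
audit_setid() {
    dir=$1
    baseline=$2
    new=$(setid_files "$dir" | while IFS= read -r f; do
              grep -qxF -- "$f" "$baseline" || printf '%s\n' "$f"
          done)
    [ -n "$new" ] && printf '%s\n' "$new"
    [ -z "$new" ]
}

# --- demo on a constructed tree --------------------------------------------
demo=$(mktemp -d)
mkdir "$demo/bin"
for name in passwd su newtool plain; do : > "$demo/bin/$name"; done
chmod 4755 "$demo/bin/passwd"    # setuid, expected
chmod 2755 "$demo/bin/su"        # setgid, expected (made up for the demo)
chmod 4755 "$demo/bin/newtool"   # setuid, NOT in the baseline
chmod 755  "$demo/bin/plain"     # ordinary executable, ignored

printf '%s\n' "$demo/bin/passwd" "$demo/bin/su" > "$demo/baseline.txt"

# Prints ".../bin/newtool" and returns 1.
audit_setid "$demo/bin" "$demo/baseline.txt" || echo "review the set-ID file(s) listed above"
rm -rf "$demo"
```

The non-zero exit status makes the function usable from a scheduled job: a clean run is silent and succeeds, and only a new set-ID file produces output. Keep the baseline file somewhere a local attacker cannot edit, since an entry added to it would hide the binary it names.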
10.1.5: OS Specific Hardening
Linux
- Following are most important steps to secure a Linux machine:
- Apply a firewall (packet filter) to prevent access to possibly vulnerable services
- Apply system patches for all known security holes
- Perform both a port audit and an SUID audit
- Deactivate or restrict unnecessary services
- Eliminate unnecessary programs running on a machine
- Close unused network ports
- Tools exist to automate this process
- Should use these tools on your Web server
- After the next few labs, should be able to use the tools effectively
Windows
- Can use any of a number of tools to test your system
- One such tool is the Microsoft Baseline Security Analyzer
- This utility will scan your system for vulnerabilities
- Presents you with a list of problems and recommendations for fixing them
Lab Exercise 10.1
Use the next 10 minutes to complete the following.
- Start a text file named exercise10.txt
Will be adding to this file during the lesson -- save it often.
- Prepare the exercise header as described in the HowTo on submitting exercises
- Label this exercise: Lab 10.1
- Answer the following questions.
Exercises and Questions
Determine What Is Running on Your Machine
Using the appropriate commands for your operating system, answer the following questions.
- What processes are currently running on your machine? Choose at least three to explore for today's lesson.
- What is the purpose of each of these processes? Use man page or visit www.tldp.org for information.
- Which processes are necessary, and which processes could you do without?
Determine Which Ports Accept Connections
Using netstat, telnet, or any other tool appropriate for your platform, answer the following questions.
netstat -an
- What ports are currently accepting incoming connections to your computer?
netstat -lp
- What is the purpose of each of these servers?
netstat -lp
- Which ports are necessary, and which ports could you do without?
10.2: Who to Run a Web Server As
Objectives
At the end of the lesson the student will be able to:
- Set up a safe user to run the web server as
- Modify the user the web server runs as
10.2.1: Modify the User the Web Server Runs
User Accounts
- First column in the output from the ps command lists various UIDs
ps -ef
This is the name of the user who is executing the process
Multiuser operating systems like UNIX and NT allow more than one user to use the system at a time
- A user in this case is a user account, not an actual person
Possible that the same user account is used by many different people
Single-User Operating Systems
- Windows 95/98/ME and MacOS are single-user operating systems
- Except Mac OS-X, which is a multiuser OS
- A single-user operating system has only one user
- The user in a single-user operating system has complete control of all system resources
- Can read, write, and delete any file on the machine and can even format the hard disk
Multiuser Operating Systems
- Multiuser OS grants various access rights and permissions to each user
- Different user accounts have different access rights
- For example, some users will not be able to run certain programs that other users are allowed to run
- There is one user who can do anything, just like the user in a single-user operating system can do anything
- This user is commonly termed the superuser
- root user in a UNIX/Linux environment
- Administrator in a Windows NT/2000/XP environment
- Users should only be granted the minimum access rights required to perform the tasks in his or her everyday use of the computer
10.2.2: Access Permissions Example
- When the root user runs the wc program on the file /etc/shadow
- wc with the -l option counts the number of lines in the file
- The /etc/shadow file contains the users' password hashes
- Should not be accessible by just any user
- If root runs wc, it returns with the correct number of lines
# id
uid=0(root) gid=1(daemon) groups=1(daemon)
# wc -l /etc/shadow
32 /etc/shadow
When a normal user tries to run the same command, permission is denied
However, the same user can access the /etc/hosts file
# id
uid=564(cis164) gid=100(users) groups=100(users)
# wc -l /etc/shadow
wc: /etc/shadow: Permission denied
# wc -l /etc/hosts
8 /etc/hosts
For better security, grant each user only the minimum access rights required for the tasks in his or her everyday use of the computer
Lab Exercise 10.2
Use the next 15 minutes to complete the following.
- Label this exercise: Lab 10.2
- Complete the exercises and answer the following questions.
Exercises and Questions
Set up a Safe User to Run the Web Server As
Create a new user with the standard permissions (non-superuser). For example:
useradd -m webd
passwd webd
Log in as the new user and try to view different files, run various programs, and modify different settings on the machine. Answer the questions below after doing a few tests of your own. Next, log in as the superuser (i.e., root) and do the same tests. Be very careful not to actually format your hard disk or delete any important files as you conduct your tests. Saving copies of files or having a backup before conducting each test would be wise.
- Can you view or copy system files?
- Linux example:
/usr/sbin/init
- Windows example:
C:/WINDOWS/regedit.exe
- Are you able to edit system configuration files?
- Linux example:
/etc/hosts
- Windows example:
C:/WINDOWS/System.ini
- Can you copy/delete important system files required by the operating system itself?
- Linux example:
/etc/motd
- Windows example:
C:/WINDOWS/winnt256.bmp
- Can you view, modify, or delete other user's files?
- Can you view, copy, or delete your own files?
- Can you format the hard disk? (Do not actually format the hard disk)
- Linux example: just attempt to run the mkfs program without any parameters
- Windows example: format a:
Modify the User the Web Server Runs As
If the Web server is not currently running, start Apache or IIS
- What user is the Web server running as?
ps -ef | grep apache
Note that when we installed Apache, the installation created a limited account named "nobody". There is no need to change this account unless you want to make your installation more obscure.
If this account was not created and we were running as root, then we would modify the Apache httpd.conf file so that the server runs as a dedicated, unprivileged account.
On Windows, IIS usually runs as INETxxx, where xxx is a number. See 4.3.1: User Access and the subsection on IIS Access Control
10.3: File Permissions and Ownership
Objectives
At the end of the lesson the student will be able to:
- Describe file permissions and ownership
- Describe risks of web server file ownership
- Protect against the risks of directory browsing
10.3.1: Users, Groups and Ownership
User Accounts and the Superuser
- Security in Linux is controlled with user accounts, just like Windows
- Each account has a login and password
- One user, known as the superuser, can do anything in the system -- even destroy it
- The account name for the superuser is "root"
- Normally, one should not log in as root
- The root login is strictly for configuration and administration of a system
- Sometimes need to switch temporarily to the root account
- Use the su (switch user) command
su -l root
- When finished as the superuser, use the exit command
exit
File Ownership
- Every file and directory has an owner
- Owner of the file grants permission to other users to read, modify, delete, or execute it
- Owner can decide that no other users should be granted access to a file
- The exception is the superuser
- A user cannot take away access from the superuser
- Owner (or root) can change ownership of a file or directory
- Type chown newOwner filename where:
newOwner is the username you want to change ownership to
filename is the name of the file or directory
chown cis164 myfile.txt
Groups and Belonging
- Every user belongs to one or more groups
- Default group is users
- Every file and directory also has a group owner
- One can see the individual and group owners by using the ls -l command
ls -l
Owners (or root) can change the group of a file or directory
Type chgrp newGroup filename where:
newGroup is the group you want to change ownership to
filename is the name of the file or directory
chgrp mysql myfile.txt
The superuser can add an existing user to additional groups
Type usermod -aG newGroup userName where:
newGroup is the group you want to add to the user
userName is the user's account name
usermod -aG mysql cis164
(useradd -g newGroup userName sets the primary group only when the account is first created; it does not modify an existing user)
10.3.2 File Permissions
- One can see file permissions using the ls -l command
- First character is the file type
- Next 3 characters are the Owner permissions
- Next 3 characters are the Group permissions
- Next 3 characters are the Others (everyone) permissions
- If a permission is missing for the owner, group, or others, it is represented by - (dash)
- File permissions are altered with the chmod command followed by octal value for each user type and the filename, where:
- Read = 4
- Write = 2
- Execute = 1
- For example:
chmod 755 exercise2.txt
Above example gives full permission for the owner, read and execute access for the group and others
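To tie the ls -l notation back to the octal values chmod takes, here is an added example (not part of the lesson): a POSIX shell function that converts a 10-character permission string such as -r-s--x--x into its 4-digit octal mode, treating the s/S and t/T letters as the setuid, setgid and sticky bits, and a second function that runs it over an ls -l listing and tags the set-ID and world-writable entries. The listing it parses is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the lesson): turn the permission field of an
# "ls -l" line into the octal value chmod expects, including the setuid,
# setgid and sticky bits, then flag set-ID and world-writable entries in a
# constructed directory listing (SAMPLE_LS below is made up for this example).

# special_bit WHO: the octal weight of the special bit for u, g or o.
special_bit() {
    case "$1" in u) echo 4 ;; g) echo 2 ;; o) echo 1 ;; esac
}

# mode_to_octal SYMBOLIC: print the 4-digit octal mode of a 10-character
# ls -l permission string, e.g. -rwxr-xr-x -> 0755, -r-s--x--x -> 4511.
mode_to_octal() {
    s=$1
    special=0
    digits=""
    i=1                                  # position 1 is the file type
    for who in u g o; do
        v=0
        for bit in 4 2 1; do
            i=$((i + 1))
            c=$(printf '%s' "$s" | cut -c"$i")
            case "$c" in
                r|w|x)
                    v=$((v + bit)) ;;
                s|t)                     # execute bit present plus set-ID/sticky
                    v=$((v + bit))
                    special=$((special + $(special_bit "$who"))) ;;
                S|T)                     # special bit without the execute bit
                    special=$((special + $(special_bit "$who"))) ;;
            esac
        done
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# audit_listing: read "ls -l" lines on stdin and print "OCTAL NAME" plus a
# tag for entries that are set-ID or writable by everyone.
audit_listing() {
    while read -r perms links owner group size mon day yr name; do
        case "$perms" in [-dl]?????????) ;; *) continue ;; esac   # skip "total N"
        oct=$(mode_to_octal "$perms")
        tag=""
        case "$oct" in [2-7]???) tag="$tag set-id" ;; esac          # 4=setuid 2=setgid
        case "$oct" in ???[2367]) tag="$tag world-writable" ;; esac # others have write
        printf '%s %s%s\n' "$oct" "$name" "$tag"
    done
}

SAMPLE_LS='total 4
-r-s--x--x 1 root root 22312 Sep 11 2002 /usr/bin/passwd
-rwxr-xr-x 1 root root  1234 Sep 11 2002 /usr/bin/wc
-rw-rw-rw- 1 root root   512 Sep 11 2002 /tmp/notes.txt
drwxrwxrwt 2 root root  4096 Sep 11 2002 /tmp'

printf '%s\n' "$SAMPLE_LS" | audit_listing
```

The leading digit is the one the earlier SUID audit cares about: 4511 for passwd is the setuid bit (4) plus r-x for the owner and --x for everyone else. A world-writable tag on a directory with the sticky bit, like the constructed /tmp line (1777), is the expected exception, since the sticky bit stops users from deleting each other's files there.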
Lab Exercise 10.3
Use the next 20 minutes to complete the following.
- Label this exercise: Lab 10.3
- Do not submit exercises until all of them from today's lesson are finished
- Answer the following questions.
Exercises and Questions
Describe File Permissions and Ownership
Login as a normal user (e.g. cis164) and create two files, called test1.html and test2.html, in a directory accessible via the Web. The content of each file does not matter.
cd /home/cis164
mkdir public_html
cd public_html
echo test1 > test1.html
echo test2 > test2.html
- What are the default permissions assigned to the files after creation?
- Can you view them using a Web browser over the network?
localhost/~cis164/test1.html
Remove read permission on test1.html for all users and groups except the owner.
chmod 700 test1.html
- Can you view test1.html now using a Web browser over the network?
- Can you view test1.html locally in a Web browser run by the owner of test1.html (i.e., use file:// as opposed to http:// in the URL to access the file)?
file:///home/guest/public_html/test1.html
- Can any users, other than the owner, modify test1.html now?
Experiment with the file permissions for test1.html.
- What are the minimum file permissions required that allow you to still view test1.html remotely via a Web browser?
Compare the minimum permissions you now have on test1.html to the default permissions given to test2.html.
- Are the default file permissions less restrictive than they need to be?
Describe Risks of Web Server File Ownership
Using a normal user, create a file and turn off all permission for all users including the owner.
- Can the owner still read and write to the file?
- What needs to be done to give the owner back permission to read and write to the file?
- Which users are allowed to give the owner back permission to read and write to the file?
Protect against the Risks of Directory Browsing
Create a directory off the document root, giving everyone read and execute permission.
su -
password:
cd /usr/local/apache2/htdocs
mkdir temp
Create or copy some files into this directory that are readable by the Web server user.
cp * temp/
Next, create a simple default file: index.html. This file may have been copied from the document root directory. Make sure that it is readable by the Web server user.
- What do see when you go to this directory's URL using a Web browser?
- What do you see if you delete the default file and go to the directory's URL again using a Web browser?
rm temp/index.html
Remove read permission from the directory and reload the URL.
cd /usr/local/apache2/htdocs
chmod 700 temp
- What happens now when you go to the URL?
Create another default file that the Web server user can read.
cd /var/www/html
cp index.html temp/
- What happens now when you go to the URL?
Some Web servers have a feature allowing a webmaster to disable directory browsing. If your Web server has this feature, put the read access back on the directory you created and turn off directory browsing in the Web server's configuration. If you run Apache, the proper method would be to edit the httpd.conf file and turn off the Indexes option for that directory.
- What happens now when you go to the URL?
10.4: Other Configuration Concerns
Objectives
At the end of the lesson the student will be able to:
- Describe the risks that symbolic links present
- Describe the risks with server-side includes
|
- Web servers often enable us to protect against some holes we may have failed to protect against at the operating system level
- Symbolic links are one such example
10.4.1: Symbolic Links
- Symbolic link is simply a reference file that points to an actual file or directory elsewhere on disk
- Each actual file and directory has its own location
- We organize files and directories through a logical hierarchy of directories and subdirectories
- Occasionally, a file or directory belongs in two places
- Rather than duplicating the entire file or directory, we use a symbolic link
ln -s target linkname
A symbolic link is a pointer back to the actual location where the file or directory resides
Windows shortcuts are a similar idea
10.4.2: Server-Side Includes
- Professional Web sites maintain visual continuity among various Web pages
- Each page at the site has the same general look and feel
- Provides the appearance that all the pages belong together
- Typically use the same colors, fonts, header, footer, and navigation bar on each page
- Problems arise when you need to change something
- Every page on the site must be edited to reflect the changes
- Server-side includes are a way to fix this problem
- A server-side include allows you to embed one file in another
- Web server includes the other file when it sees the SSI command in the HTML document
- We saw an example of this in lesson 5.3.1
Lab Exercise 10.4
Use the next 10 minutes to complete the following.
- Label this exercise: Lab 10.4
- Do not submit exercises until all of them from today's lesson are finished
- Answer the following questions.
Exercises and Questions
Understand the Risks That Symbolic Links Present
In a directory under the document root of your Web server, create a symbolic link named symlink to a directory outside the document root. For instance, if the document root is /usr/local/apache2/htdocs, create a link /usr/local/apache2/htdocs/symlink that points to a directory such as /etc. Choose a file in the symbolically linked directory that we will reference here with the generic name file.1 (file.1 should be readable by everyone).
ln -s /etc symlink
cd symlink
echo file1 > file.1
- What happens when you load file.1 from your Web server using a URL of the form localhost/symlink/file.1?
- What would happen if there were another symbolic link in this second directory?
Modify your Web server configuration and disable the symbolic link. The method for doing this depends on your Web server. To disable this in Apache, simply edit the httpd.conf file, turning off the FollowSymLinks option. Do not forget to restart Apache or IIS.
- What happens now when you load file.1 using the same method as in the first question above?
Understand the Risk with Server-Side Includes
First make sure that server-side includes are enabled on your Web server. Next, create an HTML file that utilizes a server-side include macro. View the HTML document in a Web browser and compare the source HTML the browser sees to the actual contents of the HTML file you created.
- What do you notice that is different?
Now turn off server-side includes and reload the same page. Again compare the HTML source the Web browser sees to the actual HTML file's contents. Do not forget to restart Apache or IIS.
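The three Apache settings that Labs 10.3 and 10.4 have you toggle (Indexes for directory browsing, FollowSymLinks for symbolic links, and Includes for server-side includes) all live in the Options directive, so a hardening review can check them in one pass. The following POSIX shell script is an added example, not part of the lesson and not from the Apache project: it scans httpd.conf text for Options directives and reports, per <Directory> context, each of those options that is left enabled. The configuration it scans is constructed for the example; the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the lesson or the Apache project): scan httpd.conf
# text for Options directives that enable directory listings (Indexes),
# symbolic-link following (FollowSymLinks) or server-side includes (Includes)
# and report the <Directory> context each applies to. SAMPLE_CONF is
# constructed for this example; run "risky_options < /path/to/httpd.conf"
# on a real configuration.

SAMPLE_CONF='ServerRoot "/usr/local/apache2"
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
</Directory>
<Directory "/usr/local/apache2/htdocs/temp">
    # hardened: no listings, links only when the link owner matches, no #exec
    Options -Indexes +SymLinksIfOwnerMatch +IncludesNOEXEC
</Directory>
<Directory "/home/*/public_html">
    Options None
</Directory>'

# risky_options: read configuration text on stdin and print "CONTEXT OPTION"
# for each risky option that an Options directive leaves enabled.
# Rules applied: a "-Name" entry disables, "+Name" or a bare name enables,
# "All" enables every option except MultiViews, "None" enables nothing.
# Inheritance between nested <Directory> sections is not modelled.
risky_options() {
    awk '
        BEGIN { ctx = "global" }
        /^[[:space:]]*#/ { next }                                     # comment line
        /^[[:space:]]*<Directory/ { ctx = $2; gsub(/[">]/, "", ctx); next }
        /^[[:space:]]*<\/Directory/ { ctx = "global"; next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-/) continue                                # explicitly disabled
                name = $i; sub(/^\+/, "", name)
                if (name == "All") {
                    print ctx, "Indexes"; print ctx, "FollowSymLinks"; print ctx, "Includes"
                    continue
                }
                if (name == "Indexes" || name == "FollowSymLinks" || name == "Includes")
                    print ctx, name
            }
        }'
}

# Demo: only the first <Directory> block should be reported.
printf '%s\n' "$SAMPLE_CONF" | risky_options
```

The second <Directory> block in the sample shows the hardened form of each setting: -Indexes removes listings, SymLinksIfOwnerMatch follows a link only when the link and its target have the same owner (so a user cannot publish /etc by linking to it from their own directory), and IncludesNOEXEC keeps server-side includes but disables the #exec command. After editing, remember that Apache reads the file only at start or restart.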
Wrap Up
- When class is over, please shut down your computer
=> Logout => Shut Down
Due Next: N/A
- You may complete unfinished exercises at any time before the next class.
- Be sure to submit the file to the instructor before the beginning of the next class to receive credit.
- Instructions on submitting exercises are available from the HowTo's page.
Last Updated: 7/16/2003 4:45:42 PM