Serveur Web Apache. Jean-Marc Robert Génie logiciel et des TI

Transcription

1 Serveur Web Apache Jean-Marc Robert Génie logiciel et des TI

2 Popularité

3 Serveur Web Apache Installation et Configuration DISA STIG Pare-feu et Système de détection/prévention d intrusio ModSecurity Tests OWASP Vulnérabilites nikto2

4 Installation et Configuration Installation Sources ou binaires? Binaires statiques ou dynamiques? Localisation des répertoires Configuration et Sécurisation Compte usager: httpd Binaires: root Configuration par défaut Allow /var/www/htdocs Deny all Scripts exécutables Exec /var/www/cgi-bin Fichiers journaux Limites Fuites d information Changer l identité du ser Enlever tout contenu pa Changer la bannière (?) Mettre le serveur Apache Utiliser mod_security

5 Installation et Configuration APACHE SERVER 2.2 pour Unix Security Technical Implementation Guide de la Defense Inform Systems Agency 55 recommandations HIGH: Server side includes (SSIs) must run with execution c disabled. The Options directive configures the web server features that are availabl particular directories. The IncludesNOEXEC feature controls the ability o to utilize SSIs while disabling the exec command, which is used to execute scripts. If the full includes feature is used it could allow the execution of m leading to a system compromise.

6 Installation et Configuration APACHE SERVER 2.2 pour Unix Security Technical Implementation Guide de la Defense Inform Systems Agency 55 recommandations MEDIUM: The httpd.conf MaxClients directive must be set p These requirements are set to mitigate the effects of several types of denia attacks. Although there is some latitude concerning the settings themselve requirements attempt to provide reasonable limits for the protection of the server. If necessary, these limits can be adjusted to accommodate the oper requirement of a given system.

7 ModSecurity Open Source Web Application Firewall ou Web Application Intrusion Prevention System Fonctionnalités Trafic HTTP journalisation complète Vie privée? Possibilité de masquer certains champs Surveillance et détection d attaques en temps réel Prévention d attaques Dynamique Statique Modèle de sécurité négatif : Pointage pour les anomalies, les comporteme inhabituels et les attaques habituelles. Bloquer les connexions à pointage é Modèle de sécurité positif : N accepter que les requêtes qui sont valides. R autre requête. Mises-à-jour virtuelles Corriger les faiblesses et les vulnérabilités connues des applications du ser

8 ModSecurity IDS/IPS HTTP Analyse complète du protocole Requêtes Réponses Entêtes et charges utiles Intégrer au serveur Web SSL ne représente pas une barrière Règles de filtrage Techniques anti-évasion Validation de l encodage Règles pour détecter les requêtes invalides Réactions aux requêtes invalides

9 ModSecurity OWASP ModSecurity Core Rule Set Project ModSecurity is a web application firewall engine that provid little protection on its own. In order to become useful, ModSec must be configured with rules. In order to enable users to take advantage of ModSecurity out of the box, the OWASP Defen Community has developed and maintains a free set of applicati protection rules called the OWASP ModSecurity Core Rule Set Unlike intrusion detection and prevention systems, which rely o signatures specific to known vulnerabilities, the CRS provides protection from unknown vulnerabilities often found in web ap

10 ModSecurity OWASP ModSecurity Core Rule Set Project HTTP Protection - detecting violations of the HTTP protocol locally defined usage policy. Real-time Blacklist Lookups - utilizes 3rd Party IP Reputatio Web-based Malware Detection - identifies malicious web co check against the Google Safe Browsing API. HTTP Denial of Service Protections - defense against HTTP and Slow HTTP DoS Attacks. Common Web Attacks Protection - detecting common web application security attack.

11 ModSecurity OWASP ModSecurity Core Rule Set Project Automation Detection - Detecting bots, crawlers, scanners an surface malicious activity. Integration with AV Scanning for File Uploads - detects ma files uploaded through the web application. Tracking Sensitive Data - Tracks Credit Card usage and bloc leakages. Trojan Protection - Detecting access to Trojans horses. Identification of Application Defects - alerts on application misconfigurations. Error Detection and Hiding - Disguising error messages sent server.

12 ModSecurity Exemple de règle: Injection SQL # OR 1# # DROP sampletable;-- # admin'-- # DROP/*comment*/sampletable # DR/**/OP/*bypass blacklisting*/sampletable # SELECT/*avoid-spaces*/password/**/FROM/**/Members # SELECT /*! /0, */ 1 FROM tablename # or 1=1# # or 1=1-- - # or 1=1/* # ' or 1=1;\x00 # 1='1' or-- - # ' /*!50000or*/1='1 # ' /*!or*/1='1 # 0/**/union/*!50000select*/table_name`foo`/**/

13 ModSecurity Exemple de règle: Injection SQL SecRule REQUEST_COOKIES!REQUEST_COOKIES:/ utm/ REQUEST_COOKIES_NAMES ARGS_NAMES ARGS XML:/* "(/\*!? \*/ [' \f] (?:--[^-]*?-) ([^\-&])#.*?[\s\r\n\v\f] ;?\\x00)" "phase:2,rev:'2',ver:'owasp_c 2.2.8',maturity:'8',accuracy:'8',id:'981231',t:none,t:urlDecodeUni,block,msg:'SQ Sequence Detected.',severity:'2',capture,logdata:'Matched Data: %{TX.0} foun {MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WE SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/ A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:tx.anomaly_score=+ {tx.critical_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=% {rule.msg}',setvar:tx.%{rule.id}-owasp_crs/web_attack/sql_injec {matched_var_name}=%{tx.0}"

14 Vulnérabilités OWASP Testing Guide Version 3, 2008, 349 pages. Ou Configuration Management Testing Authentication Testing Session Management Testing Authorization Testing Business Logic Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing La version 4 est en cours de développement.

15 Vulnérabilités nikto2 Scanneur de vulnérabilités Serveur et logiciel Mauvaises configurations Versions non mises à jour Fichiers et programmes par défaut Fichiers et programmes non-sécurisés Base de données Reconnaissance de 1250 serveurs Problèmes spécifiques sur 270 serveurs 6500 fichiers/cgis problématiques

16 Vulnérabilités nikto2 : Exemple + Server: Apache/2.2.3 (CentOS) - Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only u debugging and should be disabled. This message does not mean it is vuln XST. + OSVDB-0: Retrieved X-Powered-By header: PHP/ PHP/4.4.7 appears to be outdated (current is at least 5.2.5) + Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apa and are also current. + OSVDB-0: GET /index.php?module=my_egallery : My_eGallery prior to vulnerable to a remote execution bug via SQL command injection. + OSVDB-0: GET /config.php : PHP Config file may contain database IDs a passwords. + OSVDB-877: TRACE / : TRACE option appears to allow XSS or credenti See + OSVDB-12184: GET /index.php?=phpb8b5f2a0-3c92-11d3- A3A9-4C7B08C10000 : PHP reveals potentially sensitive information vi HTTP requests which contain specific QUERY strings. + OSVDB-3092: GET /db/ : This might be interesting...

17 Vulnérabilités nikto2 : Exemple + OSVDB-3092: GET /includes/ : This might be interesting... + OSVDB-3093: GET /index.php?base=test%20 : This might be interesting.. seen in web logs from an unknown scanner. + OSVDB-3093: GET /index.php?idadmin=test : This might be interesting. seen in web logs from an unknown scanner. + OSVDB-3093: GET /index.php?pymembs=admin : This might be interesti seen in web logs from an unknown scanner. + OSVDB-3093: GET /index.php?sqlquery=test%20 : This might be interes been seen in web logs from an unknown scanner. + OSVDB-3093: GET /index.php?tampon=test%20 : This might be interestin seen in web logs from an unknown scanner. + OSVDB-3093: GET /index.php? topic=<script>alert(document.cookie)</script&am This might be interesting... has been seen in web logs from an unknown s + OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons + OSVDB-3268: GET /images/ : Directory indexing is enabled: /images + OSVDB-3268: GET /docs/ : Directory indexing is enabled: /docs + OSVDB-3233: GET /icons/readme : Apache default file found.

18 Références Ivan Ristic, Apache Security, O Reilly, En ligne : Chapitre 2 Installation and Configuration Ryan C. Barnett, Preventing Web Attacks with Apache, Addison-Wesley, 2006.

19 Click below to find more Mipaper at Mipaper at