Utah Networxs Consultoria e Treinamento, profile picture
Uploaded byUtah Networxs Consultoria e Treinamento
2,626 views

HARDENING IN APACHE WEB SERVER

The document discusses threat mapping, risk mitigation, and corrective activities for web servers, focusing on hardening techniques and tools to protect against various types of attacks. It highlights the importance of proper server configurations and provides detailed practices for securing Apache servers, including permissions, vulnerabilities, and the use of security tools. Additionally, it outlines an educational background and experience of the author, Fabio Pires, in Linux and web server consulting in Brazil.

Downloaded 81 times
“Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
SOCIAL MEDIA Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
TARGET “PRESENT ONE AMONG SEVERAL SOLUTION FOR BUILDING WEB SERVER" hardening "THROUGH THE USE OF TOOLS FREE TO MINIMIZE IMPACTS OF ATTACKS."
VULNERABILITY STACK
WEBSERVER MARKET SHARES
OPEN SOURCE WEB SERVER ARCHITECTURE
VULNERABILITY WEB APPLICATIONS
WHY WEB SERVER ARE COMPROMISED?
TOOLS HTTP PRINT – BANNER WEB SERVER NIKTO - VULNERABILITIES NESSUS – VULNERABILITIES W3AF - AUDITY E EXPLORATION NMAP – SCAN PORT
MITIGATING RISKS DoS Attack DDoS Attack Brutal Force (ssh, telnet) Port Scanning Attack Ping Flooding Attack Elevation of Privilege Man in the Middle Attack Directory Transversal Password Cracking (Spoofing, Phising, Trojar Horse)
DEPLOYING CORRETION What’s Hardening ? Is a process of mapping of threats, risk mitigation and implementation of corrective activities, focusing on infrastructure and primary goal to make it ready to face attempts to attack.
PRATICE IN WEB SERVER APACHE Where you search packages ? - Packages Repository - Md5SUM Verified - Security Update - Pré-Compiled Package or Source Package
PRATICE IN WEB SERVER APACHE #CHROOT JAIL
CHROOT ARCHITETURE APACHE / bin boot chroot dev dev etc etc home lib lib mnt opt usr proc root var sbin tmp usr var
DISABLE UNUSED MODULES  suexec  userdir  cgi / cgid  autoindex
RESTRICT RESOURCES Number Of Process: With RES=7000k, SHR=2500k and 400M available for Apache, the result is: 400/(7-2.5) = 89. RES=Resident
MITIGATE MEMORY LEAKS MaxRequestsPerChild 10000
RESTRICT INCOMMING CONNECTIONS # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
FILE PERMISSIONS # find /srv/www -user utahuser # find /srv/www ! -type l ( -perm /o=w -o -perm /g=w -group utahgroup )
SEARCH FILES AND SSL * Search hidden files # find /var/www -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*‘ * SSL key files * Make sure your SSL keys are only readable by the root user.
OTHER APACHE CONFIG * Bewarec of certain RewriteRules # INSECURE configuration, don't use! RewriteRule ^/old/directory/(.*)$ /$1 Use this # SECURE - Use RewriteRule ^/old/directory/(.*)$ /$1 [PT] * Don't use Limit/LimitExcept (conf.d/security) TraceEnable off
OTHER APACHE CONFIG * ServerSignature Off * ServerTokens Prod * Remove PHP scripts (test.php, info.php, i.php, php.info) * Disable directory indexing * Disable WebDAV * Enable PHP basedir * Install a Web Firewall (mod_security) l * Suhosin PHP
SUHOSIN PHP - BASIC suhosin.executor.include.max_traversal =4 (../../../../) suhosin.executor.disable_emodifier=Off (exec function) suhosin.mail.protect=2 (protect spammers attack) suhosin.memory_limit=256M suhosin.filter.action=402 (return code detect error) suhosin.upload.max_uploads=100
SUHOSIN PHP - BASIC suhosin.request.max_array_depth=4096 suhosin.request.max_array_index_length=2048 suhosin.request.max_name_length=2048 suhosin.request.max_value_length=650000 suhosin.request.max_vars=4096 suhosin.post.max_array_depth=8048 suhosin.post.max_array_index_length=1024 suhosin.post.max_name_length=2048 suhosin.post.max_totalname_length=8048 suhosin.post.max_vars=4096
OTHER APACHE CONFIG * ErrorDocument 404 errors/404.html * ErrorDocument 500 errors/500.html * ServerAdmin (Use Alias Mail) * UserDir disabled root
INSTALL PACKAGE # dpkg -i hardening-apache_beta-01.deb Albert Einstein
PROBLEMS l UNIQUE USER l INSERT DIALOG l PORTABLE OTHER DISTROS
DOBTS ?
SOURCES OF RESEARCH APACHE FOUNDATION www.apache.org ECCOUNCIL www.eccouncil.org UTAH HARDENING COURSE www.utah.com.br IMAGES - ECCOUNCIL www.eccouncil.org

More Related Content

PPTX
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
PDF
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
PDF
Approach to find critical vulnerabilities
byAshish Kunwar
 
PDF
TLS State of the Union
bySander Temme
 
PDF
SSL State of the Union
bySander Temme
 
PDF
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
byJosephTesta9
 
PDF
Security and Privacy on the Web in 2016
byFrancois Marier
 
PDF
Sinn und Unsinn von SSL
byWalter Ebert
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
byNahidul Kibria
 
Velocity 2011 - Our first DDoS attack
byCosimo Streppone
 
Approach to find critical vulnerabilities
byAshish Kunwar
 
TLS State of the Union
bySander Temme
 
SSL State of the Union
bySander Temme
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
byJosephTesta9
 
Security and Privacy on the Web in 2016
byFrancois Marier
 
Sinn und Unsinn von SSL
byWalter Ebert
 

What's hot

PDF
Secure Your Wordpress
byn|u - The Open Security Community
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PDF
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
PDF
D-DAY 2015 Hawkular powers REDHAT
byDEVOPS D-DAY
 
PPT
How hackers do it
byChris Hammond-Thrasher
 
PDF
JSConfBR - Securing Node.js App, by the community and for the community
byDavid Dias
 
PDF
rsa_usa_2019_paula_januszkiewicz
byZuzannaKornecka
 
PDF
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 
Secure Your Wordpress
byn|u - The Open Security Community
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
byPhilippe De Ryck
 
D-DAY 2015 Hawkular powers REDHAT
byDEVOPS D-DAY
 
How hackers do it
byChris Hammond-Thrasher
 
JSConfBR - Securing Node.js App, by the community and for the community
byDavid Dias
 
rsa_usa_2019_paula_januszkiewicz
byZuzannaKornecka
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
byHackIT Ukraine
 

Similar to HARDENING IN APACHE WEB SERVER

PDF
APACHE WEB SERVER FOR LINUX
bywebhostingguy
 
PDF
PowerPoint Presentation
bywebhostingguy
 
PDF
Secure PHP environment
bySpeedPartner GmbH
 
KEY
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
PPTX
Apache
byranj_mb
 
PPT
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
PPTX
Apache Performance Tuning: Scaling Up
bySander Temme
 
PPTX
Secure programming with php
byMohmad Feroz
 
PPTX
Apache Performance Tuning: Scaling Out
bySander Temme
 
PDF
Session10-PHP Misconfiguration
byzakieh alizadeh
 
PDF
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
PDF
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
KEY
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
PDF
Meeting 14. web server ii
bySyaiful Ahdan
 
PDF
Apache course contents
bydarshangosh
 
PDF
Scale Apache with Nginx
byBud Siddhisena
 
PDF
E gov security_tut_session_4_lab
byMustafa Jarrar
 
PPTX
Apache_Web_Server_Overviewlklklklklk -.pptx
byaashimait
 
PDF
Securing and Managing the Oracle HTTP Server
bySecureDBA
 
PDF
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
byBIOVIA
 
APACHE WEB SERVER FOR LINUX
bywebhostingguy
 
PowerPoint Presentation
bywebhostingguy
 
Secure PHP environment
bySpeedPartner GmbH
 
Site Performance - From Pinto to Ferrari
byJoseph Scott
 
Apache
byranj_mb
 
Securing Your Webserver By Pradeep Sharma
byOSSCube
 
Apache Performance Tuning: Scaling Up
bySander Temme
 
Secure programming with php
byMohmad Feroz
 
Apache Performance Tuning: Scaling Out
bySander Temme
 
Session10-PHP Misconfiguration
byzakieh alizadeh
 
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
Confining the Apache Web Server with Security-Enhanced Linux
bywebhostingguy
 
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
Meeting 14. web server ii
bySyaiful Ahdan
 
Apache course contents
bydarshangosh
 
Scale Apache with Nginx
byBud Siddhisena
 
E gov security_tut_session_4_lab
byMustafa Jarrar
 
Apache_Web_Server_Overviewlklklklklk -.pptx
byaashimait
 
Securing and Managing the Oracle HTTP Server
bySecureDBA
 
(ATS4-PLAT01) Core Architecture Changes in AEP 9.0 and their Impact on Admini...
byBIOVIA
 

Recently uploaded

PDF
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
 
PDF
🚀 Agentic Automation in Action 1/3 – From RPA to Agentic Automation (Arabic S...
byanabulhac
 
PPTX
xCapture v3: Efficient, Always-On Thread Level Observability with eBPF by Tan...
byScyllaDB
 
PDF
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
 
PPTX
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
PDF
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PDF
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
 
PDF
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
ChatGPT Ain't Got $%@& On Me! by Andy Pavlo
byScyllaDB
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PPTX
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
PPTX
Introduction to WordPress Workshop - WCEH 2025
byShanta Nathwani
 
PDF
Agentic Automation in Action - Future Skills and Opportunities.pdf
byanabulhac
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
"Building Interactive Async UI with React 19 and Ariakit", Aurora Scharff
byFwdays
 
PDF
SAP Building Agentic Systems (Milvus Community Meetup)
byZilliz
 
PPTX
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 
STurbo M.C. Surge Prevention by CCC Company
byRobertWaters35
 
🚀 Agentic Automation in Action 1/3 – From RPA to Agentic Automation (Arabic S...
byanabulhac
 
xCapture v3: Efficient, Always-On Thread Level Observability with eBPF by Tan...
byScyllaDB
 
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
 
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
The End of the Missed Call - How AI Recaptures Lost Leads and Secures ROI
byiovox
 
Session 3 - UiPath Coded Agents & MCP Server in Action
byDianaGray10
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
ChatGPT Ain't Got $%@& On Me! by Andy Pavlo
byScyllaDB
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
Introduction to WordPress Workshop - WCEH 2025
byShanta Nathwani
 
Agentic Automation in Action - Future Skills and Opportunities.pdf
byanabulhac
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
"Building Interactive Async UI with React 19 and Ariakit", Aurora Scharff
byFwdays
 
SAP Building Agentic Systems (Milvus Community Meetup)
byZilliz
 
Flutter for Beginners widgets types.pptx
byKongu Engineering College, Perundurai, Erode
 

HARDENING IN APACHE WEB SERVER

  • 1.
    “Mapping threats, Mitigating risk and Implementing Corrective activities in Web Servers”
  • 2.
    WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
  • 3.
    SOCIAL MEDIA Follow! @fabioandpires Follow!@utah_networxs Enjoy! Utah Networxs
  • 4.
    Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
  • 5.
    TARGET “PRESENT ONE AMONG SEVERAL SOLUTION FOR BUILDING WEB SERVER" hardening "THROUGH THE USE OF TOOLS FREE TO MINIMIZE IMPACTS OF ATTACKS."
  • 6.
  • 7.
  • 8.
    OPEN SOURCE WEBSERVER ARCHITECTURE
  • 9.
    VULNERABILITY WEB APPLICATIONS
  • 10.
    WHY WEB SERVERARE COMPROMISED?
  • 11.
    TOOLS HTTP PRINT –BANNER WEB SERVER NIKTO - VULNERABILITIES NESSUS – VULNERABILITIES W3AF - AUDITY E EXPLORATION NMAP – SCAN PORT
  • 12.
    MITIGATING RISKS DoS Attack DDoS Attack Brutal Force (ssh, telnet) Port Scanning Attack Ping Flooding Attack Elevation of Privilege Man in the Middle Attack Directory Transversal Password Cracking (Spoofing, Phising, Trojar Horse)
  • 13.
    DEPLOYING CORRETION What’s Hardening ? Is a process of mapping of threats, risk mitigation and implementation of corrective activities, focusing on infrastructure and primary goal to make it ready to face attempts to attack.
  • 14.
    PRATICE IN WEBSERVER APACHE Where you search packages ? - Packages Repository - Md5SUM Verified - Security Update - Pré-Compiled Package or Source Package
  • 15.
    PRATICE IN WEBSERVER APACHE #CHROOT JAIL
  • 16.
    CHROOT ARCHITETURE APACHE / bin boot chroot dev dev etc etc home lib lib mnt opt usr proc root var sbin tmp usr var
  • 17.
    DISABLE UNUSED MODULES  suexec  userdir  cgi / cgid  autoindex
  • 18.
    RESTRICT RESOURCES Number Of Process: With RES=7000k, SHR=2500k and 400M available for Apache, the result is: 400/(7-2.5) = 89. RES=Resident
  • 19.
  • 20.
    RESTRICT INCOMMING CONNECTIONS # iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 25 -j REJECT --reject-with tcp-reset
  • 21.
    FILE PERMISSIONS # find/srv/www -user utahuser # find /srv/www ! -type l ( -perm /o=w -o -perm /g=w -group utahgroup )
  • 22.
    SEARCH FILES ANDSSL * Search hidden files # find /var/www -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*‘ * SSL key files * Make sure your SSL keys are only readable by the root user.
  • 23.
    OTHER APACHE CONFIG * Bewarec of certain RewriteRules # INSECURE configuration, don't use! RewriteRule ^/old/directory/(.*)$ /$1 Use this # SECURE - Use RewriteRule ^/old/directory/(.*)$ /$1 [PT] * Don't use Limit/LimitExcept (conf.d/security) TraceEnable off
  • 24.
    OTHER APACHE CONFIG * ServerSignature Off * ServerTokens Prod * Remove PHP scripts (test.php, info.php, i.php, php.info) * Disable directory indexing * Disable WebDAV * Enable PHP basedir * Install a Web Firewall (mod_security) l * Suhosin PHP
  • 25.
    SUHOSIN PHP -BASIC suhosin.executor.include.max_traversal =4 (../../../../) suhosin.executor.disable_emodifier=Off (exec function) suhosin.mail.protect=2 (protect spammers attack) suhosin.memory_limit=256M suhosin.filter.action=402 (return code detect error) suhosin.upload.max_uploads=100
  • 26.
    SUHOSIN PHP -BASIC suhosin.request.max_array_depth=4096 suhosin.request.max_array_index_length=2048 suhosin.request.max_name_length=2048 suhosin.request.max_value_length=650000 suhosin.request.max_vars=4096 suhosin.post.max_array_depth=8048 suhosin.post.max_array_index_length=1024 suhosin.post.max_name_length=2048 suhosin.post.max_totalname_length=8048 suhosin.post.max_vars=4096
  • 27.
    OTHER APACHE CONFIG * ErrorDocument 404 errors/404.html * ErrorDocument 500 errors/500.html * ServerAdmin (Use Alias Mail) * UserDir disabled root
  • 28.
    INSTALL PACKAGE # dpkg-i hardening-apache_beta-01.deb Albert Einstein
  • 29.
    PROBLEMS l UNIQUE USER l INSERT DIALOG l PORTABLE OTHER DISTROS
  • 30.
  • 31.
    SOURCES OF RESEARCH APACHEFOUNDATION www.apache.org ECCOUNCIL www.eccouncil.org UTAH HARDENING COURSE www.utah.com.br IMAGES - ECCOUNCIL www.eccouncil.org