Unit 11

Apache Security

Objectives

Upon completion of this unit, you should be able to:
  • Use the Directory directive
  • Configure mod_ssl
  • Use suEXEC

Vulnerabilities

  • Default Apache installation is usually more open than desired.
  • Careless use of CGI scripts can cause major security failures.
  • HTTP messages are sent unencrypted by default.

Resolutions

  • Avoid common misconfigurations.
  • Establish policy to deny all access that is not specifically allowed.
  • Use SSL when possible.

Service Profile: Apache

  • Type: System V-launched service
  • Packages: httpd
  • Daemons: httpd
  • Script: httpd
  • Ports: 80/tcp (http), 443/tcp (https)
  • Configuration: /etc/httpd/*, /var/www/*
  • Related: tux, mod_ssl, many others

  • Directives
  • Controls the configuration for a directory
  • Absolute paths must be used

Apache Access Configuration

  • Apache provides directory- and file-level host-based access control
  • Host specifications may include dot notation numerics, network/netmask, and dot notation hostnames and domains
  • The Order statement provides control over “order”, but not always in the way one might expect
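
The Order behaviour noted above, modelled as an added Python example (not part of the original course material and not Apache's own code). Every Allow and Deny line is evaluated; Order only sets the default and decides which side wins when both match. The function names and sample addresses are constructed for illustration, and only numeric IPv4 host specifications are handled, because hostname specifications need DNS lookups.

```python
import ipaddress

def spec_matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers client_ip (numeric IPv4 only)."""
    if spec.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # network/netmask (10.1.0.0/255.255.0.0) or CIDR (10.1.0.0/16)
        return ip in ipaddress.ip_network(spec, strict=False)
    # Partial dotted address: "10.1" covers every 10.1.x.x client
    octets = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(octets)] == octets

def access_allowed(order, allow, deny, client_ip):
    """Model of Order/Allow/Deny: this is not first-match-wins like a
    firewall rule list; both lists are always checked."""
    allowed = any(spec_matches(s, client_ip) for s in allow)
    denied = any(spec_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        return allowed and not denied   # default deny; Deny wins when both match
    if order == "deny,allow":
        return allowed or not denied    # default allow; Allow wins when both match
    raise ValueError("unsupported Order: " + order)

# Constructed example policy: the same two lines evaluated under both orders.
ALLOW = ["10.1"]                       # Allow from 10.1
DENY = ["10.1.5.0/255.255.255.0"]      # Deny from 10.1.5.0/255.255.255.0

def demo():
    """Return (client, result under Allow,Deny, result under Deny,Allow)."""
    rows = []
    for ip in ("10.1.2.3", "10.1.5.9", "192.0.2.7"):
        rows.append((ip,
                     access_allowed("Allow,Deny", ALLOW, DENY, ip),
                     access_allowed("Deny,Allow", ALLOW, DENY, ip)))
    return rows

if __name__ == "__main__":
    for ip, allow_deny, deny_allow in demo():
        print(f"{ip:12} Allow,Deny={allow_deny!s:5} Deny,Allow={deny_allow}")
```

With these lines, Order Deny,Allow admits all three clients, so the Deny line blocks nobody; a deny-by-default policy pairs Order Deny,Allow with Deny from all and narrow Allow lines.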

Flat File Authentication

  • AuthName "realm"
  • AuthType basic
  • AuthUserFile /path/to/passwords
  • Require valid-user

Flat File Authentication

  • Require user user1 user2 ...
  • Require group group1 group2 ...
  • Require valid-user
  • Multiple Requires possible

Managing Passwords

  • htpasswd administers password files
    • -c creates a new file
    • -m uses Apache MD5 encryption
$ htpasswd -c -m /etc/httpd/htpasswd bob
New password: secret
Re-type new password: secret
Adding password for user bob

Kerberos Authentication

  • mod_auth_kerb provides Kerberos authentication to Apache
  • Based on Kerberos ticket exchange
  • Could also be used for Basic Auth mechanism
  • Use of SSL is strongly recommended

Options

  • Indexes
  • ExecCGI
  • Includes
  • IncludesNoEXEC

Common Misconfigurations

  • Some Options can lead to problems
    • FollowSymLinks
    • ExecCGI
    • Indexes
  • UserDir
  • Serving directories that should not be shared

Options FollowSymLinks

  • FollowSymLinks is default for both the / (root) and /var/www/html directories
  • Any web content that is a soft link will be followed - beware of users:
    • $ ln -s / banner.jpg
    • $ wget http://server/banner.jpg/etc/passwd
  • FollowSymLinks should be disabled if not needed.

Options Indexes

  • The Indexes option allows directory browsing if no DirectoryIndex file (like index.html) exists.
  • Disable Indexes if automatic directory indexing is not intended.

Installing mod_ssl

  • Stop httpd before installing mod_ssl
  • $ yum install -y mod_ssl*
  • /etc/httpd/conf/ssl.* directories
  • Generate SSL key and certificate
    • Manually with openssl
    • Using /etc/pki/tls/certs/Makefile
  • Edit /etc/httpd/conf.d/ssl.conf

SSL Virtual Hosts

  • SSL virtual hosting requires a unique IP address per site
    • Limitation of SSL, not mod_ssl or Apache
  • Generate or obtain key and certificate, add three lines to VirtualHost block
    • SSLEngine On
    • SSLCertificateFile /etc/httpd/conf/ssl.crt/name.crt
    • SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name.key

CGI - Common Gateway Interface

  • Programs run on server
  • CGI programs interact with server
    • Environment variables
    • CGI variables (forms)
    • Read and write files
  • CGI programs can be written in any language

Options ExecCGI

  • CGI scripts (and ExecCGI) should be limited to particular directories
  • Users with write access to those directories must be trusted to audit the CGI programs before deploying them

CGI Secure Programming

  • As with every language, there are good coding practices, and things to avoid.
  • General Rules to follow:
    • Do not trust user input; check it!
    • Do not directly execute user input
    • Do not assume input is in the expected format

CGI With Unix Shell Script

  • Poor security!
    • Do not use in a production environment
  • Works for quick and dirty CGI scripts
  • Slower than other languages
  • The shell is the program
    • Easy to work with environment variables
    • Trivial to pass bad input to the shell

suEXEC

  • CGIs run as user apache
  • suEXEC forces CGI programs to run as a specified user/group
  • Will not execute any program unless:
    • It is owned and only writable by the user
    • It is in a directory only writable by the user

End of Unit 11

  • Questions and Answers
  • Summary
    • Per-directory access controls
    • Common misconfigurations
    • Configuring mod_ssl