Muutke küpsiste eelistusi

Preventing Web Attacks with Apache [Pehme köide]

4.33/5 (12 hinnangut Goodreads-ist)
  • Formaat: Paperback / softback, 624 pages, kõrgus x laius x paksus: 233x179x31 mm, kaal: 866 g
  • Ilmumisaeg: 09-Feb-2006
  • Kirjastus: Addison-Wesley Educational Publishers Inc
  • ISBN-10: 0321321286
  • ISBN-13: 9780321321282
Teised raamatud teemal:
  • Pehme köide
  • Hind: 64,66 €*
  • * saadame teile pakkumise kasutatud raamatule, mille hind võib erineda kodulehel olevast hinnast
  • See raamat on trükist otsas, kuid me saadame teile pakkumise kasutatud raamatule.
  • Kogus:
  • Lisa ostukorvi
  • Tasuta tarne
  • Lisa soovinimekirja
Preventing Web Attacks with ApacheSuurem pilt
  • Formaat: Paperback / softback, 624 pages, kõrgus x laius x paksus: 233x179x31 mm, kaal: 866 g
  • Ilmumisaeg: 09-Feb-2006
  • Kirjastus: Addison-Wesley Educational Publishers Inc
  • ISBN-10: 0321321286
  • ISBN-13: 9780321321282
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780321321282.html
Märksõnad:
"Ryan Barnett has raised the bar in terms of running Apache securely. If you run Apache, stop right now and leaf through this book; you need this information." --Stephen Northcutt, The SANS Institute The only end-to-end guide to securing Apache Web servers and Web applications Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won't protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you'll need to do that: step-by-step guidance, hands-on examples, and tested configuration files. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more.Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured "in the wild." For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security. With this book, you will learn to *Address the OS-related flaws most likely to compromise Web server security *Perform security-related tasks needed to safely download, configure, and install Apache *Lock down your Apache httpd.conf file and install essential Apache security modules *Test security with the CIS Apache Benchmark Scoring Tool *Use the WASC Web Security Threat Classification to identify and mitigate application threats *Test Apache mitigation settings against the Buggy Bank Web application *Analyze an Open Web Proxy Honeypot to gather crucial intelligence about attackers *Master advanced techniques for detecting and preventing intrusions
About the Author xix
Foreword xxi
Acknowledgments xxv
Introduction xxvii
Web Insecurity Contributing Factors
1(12)
A Typical Morning
1(2)
Why Web Security Is Important
3(1)
Web Insecurity Contributing Factors
4(1)
Managerial/Procedural Issues
4(3)
Management and the Bottom Line
4(1)
Selling Loaded Guns
5(1)
The Two-Minute Drill
5(1)
Development Environment Versus Production Environment
6(1)
Firefighting Approach to Web Security (Reacting to Fires)
7(1)
Technical Misconceptions Regarding Web Security
7(4)
``We have our web server in a Demilitarized Zone (DMZ).''
8(1)
``We have a firewall.''
9(1)
``We have a Network-Based Intrusion Detection System.''
9(2)
``We have a Host-Based Intrusion Detection System.''
11(1)
``We are using Secure Socket Layer (SSL).''
11(1)
Summary
11(2)
CIS Apache Benchmark
13(40)
CIS Apache Benchmark for UNIX: OS-Level Issues
13(37)
Minimize/Patch Non-HTTP Services
13(6)
Example Service Attack: 7350wu---FTP Exploit
19(3)
Vulnerable Services' Impact on Apache's Security
22(1)
Apply Vendor OS Patches
23(1)
Tune the IP Stack
24(1)
Denial of Service Attacks
25(3)
Create the Web Groups and User Account
28(3)
Lock Down the Web Server User Account
31(1)
Implementing Disk Quotas
32(3)
Accessing OS-Level Commands
35(4)
Update the Ownership and Permissions of System Commands
39(1)
Traditional Chroot
40(1)
Chroot Setup Warning
41(1)
Mod_Security Chroot
41(1)
Chroot Setup
41(9)
Summary
50(3)
Downloading and Installing Apache
53(28)
Apache 1.3 Versus 2.0
53(1)
Using Pre-Compiled Binary Versus Source Code
54(2)
Downloading the Apache Source Code
56(7)
Why Verify with MD5 and PGP?
56(7)
Uncompress and Open: Gunzip and Untar
63(17)
Patches---Get `em While They're Hot!
64(2)
Monitoring for Vulnerabilities and Patches
66(4)
What Modules Should I Use?
70(10)
Summary
80(1)
Configuring the httpd.conf File
81(44)
CIS Apache Benchmark Settings
84(1)
The httpd.conf File
85(1)
Disable Un-Needed Modules
86(1)
Directives
86(1)
Server-Oriented Directives
87(3)
Multi-Processing Modules (MPMs)
87(1)
Listen
88(1)
ServerName
88(1)
ServerRoot
89(1)
DocumentRoot
89(1)
HostnameLookups
89(1)
User-Oriented Directives
90(2)
User
90(1)
Group
91(1)
ServerAdmin
91(1)
Denial of Service (DoS) Protective Directives
92(7)
Testing with Apache HTTP Server Benchmarking Tool (ab) in Default Configuration
92(2)
TimeOut
94(1)
KeepAlive
95(1)
KeepAliveTimeout
95(1)
MaxKeepAliveRequests
95(1)
StartServers
96(1)
MinSpareServers and MaxSpareServers
96(1)
ListenBacklog
96(1)
MaxClients and ServerLimit
97(1)
Testing with Apache HTTP Benchmarking Tool (ab) with Updated Configuration
97(2)
Forward Reference
99(1)
Software Obfuscation Directives
99(5)
ServerTokens
99(2)
ServerSignature
101(1)
ErrorDocument
102(2)
Directory Functionality Directives
104(3)
All
104(1)
ExecCGI
104(1)
FollowSymLinks and SymLinksIfOwnerMatch
105(1)
Includes and IncludesNoExec
105(1)
Indexes
106(1)
AllowOverride
106(1)
Multiviews
107(1)
Access Control Directives
107(1)
Authentication Setup
108(1)
Authorization
109(2)
Order
110(1)
Order deny, allow
110(1)
Order allow, deny
110(1)
Access Control: Where Clients Come From
111(3)
Hostname or Domain
111(1)
IP Address and IP Range
112(1)
Client Request ENV
112(1)
Protecting the Root Directory
113(1)
Limiting HTTP Request Methods
114(1)
Logging General Directives
114(2)
LogLevel
114(1)
ErrorLog
115(1)
LogFormat
115(1)
CustomLog
115(1)
Removing Default/Sample Files
116(2)
Apache Source Code Files
116(1)
Default HTML Files
116(1)
Sample CGIs
117(1)
Webserv User Files
118(1)
Updating Ownership and Permissions
118(2)
Server Configuration Files
119(1)
DocumentRoot Files
119(1)
CGI-Bin
119(1)
Logs
120(1)
Bin
120(1)
Updating the Apachectl Script
120(2)
Nikto Scan After Updates
122(1)
Summary
122(3)
Essential Security Modules for Apache
125(46)
Secure Socket Layer (SSL)
125(19)
Why Should I Use SSL?
126(2)
How Does SSL Work?
128(4)
Software Requirements
132(1)
Installing SSL
133(1)
Creating an SSL Certificate
133(1)
Testing the Initial Configuration
134(3)
Configuring mod_ssl
137(7)
SSL Summary
144(1)
Mod_Rewrite
144(3)
Enabling Mod_Rewrite
145(2)
Mod_Rewrite Summary
147(1)
Mod_Log_Forensic
147(2)
Mod_Dosevasive
149(6)
What Is Mod_Dosevasive?
149(1)
Installing Mod_Dosevasive
149(1)
How Does Mod_Dosevasive Work?
150(1)
Configuration
151(4)
Mod_Dosevasive Summary
155(1)
Mod_Security
155(14)
Installing Mod_Security
156(1)
Mod_Security Overview
156(1)
Features and Capabilities of Mod_Security
157(1)
Anti-Evasion Techniques
158(1)
Special Built-In Checks
159(3)
Filtering Rules
162(2)
Actions
164(4)
Wait, There's Even More!
168(1)
Summary
169(2)
Using the Center for Internet Security Apache Benchmark Scoring Tool
171(10)
Downloading, Unpacking, and Running the Scoring Tool
171(9)
Unpacking the Archive
173(1)
Running the Tool
174(6)
Summary
180(1)
Mitigating the WASC Web Security Threat Classification with Apache
181(74)
Contributors
182(1)
Web Security Threat Classification Description
182(2)
Goals
183(1)
Documentation Uses
183(1)
Overview
183(1)
Background
184(1)
Classes of Attack
184(2)
Threat Format
186(1)
Authentication
186(9)
Brute Force
187(4)
Insufficient Authentication
191(1)
Weak Password Recovery Validation
192(3)
Authorization
195(10)
Credential/Session Prediction
195(3)
Insufficient Authorization
198(1)
Insufficient Session Expiration
199(2)
Session Fixation
201(4)
Client-Side Attacks
205(5)
Content Spoofing
205(2)
Cross-Site Scripting
207(3)
Command Execution
210(22)
Buffer Overflow
210(5)
Format String Attack
215(3)
LDAP Injection
218(2)
OS Commanding
220(3)
SQL Injection
223(5)
SSI Injection
228(2)
XPath Injection
230(2)
Information Disclosure
232(11)
Directory Indexing
232(4)
Information Leakage
236(3)
Path Traversal
239(3)
Predictable Resource Location
242(1)
Logical Attacks
243(10)
Abuse of Functionality
244(2)
Denial of Service
246(4)
Insufficient Anti-Automation
250(1)
Insufficient Process Validation
251(2)
Summary
253(2)
Protecting a Flawed Web Application: Buggy Bank
255(40)
Installing Buggy Bank
256(5)
Buggy Bank Files
257(1)
Turn Off Security Settings
258(1)
Testing the Installation
258(3)
Functionality
261(1)
Login Accounts
262(1)
Assessment Methodology
262(4)
General Questions
262(1)
Tools Used
263(1)
Configuring Burp Proxy
263(3)
Buggy Bank Vulnerabilities
266(16)
Comments in HTML
266(1)
Enumerating Account Numbers
267(3)
How Much Entropy?
270(1)
Brute Forcing the Account Numbers
270(3)
Enumerating PIN Numbers
273(1)
Account Unlocked
274(1)
Account Locked
274(2)
Brute Forcing the PIN Numbers
276(1)
Command Injection
277(1)
Injecting Netstat
278(4)
SQL Injection
282(5)
SQL Injection Mitigation
285(2)
Cross-Site Scripting (XSS)
287(3)
Mitigations
289(1)
Balance Transfer Logic Flaw
290(3)
Mitigation
292(1)
Summary
293(2)
Prevention and Countermeasures
295(136)
Why Firewalls Fail to Protect Web Servers/Applications
296(3)
Why Intrusion Detection Systems Fail as Well
299(5)
Deep Packet Inspection Firewalls, Inline IDS, and Web Application Firewalls
304(5)
Deep Packet Inspection Firewall
304(1)
Inline IDS
305(2)
Web Application Firewall (WAF)
307(2)
Web Intrusion Detection Concepts
309(33)
Signature-Based
309(5)
Positive Policy Enforcement (White-Listing)
314(11)
Header-Based Inspection
325(4)
Protocol-Based Inspection
329(7)
Uniform Resource Identifier (URI) Inspection
336(3)
Heuristic-Based Inspection
339(1)
Anomaly-Based Inspection
340(2)
Web IDS Evasion Techniques and Countermeasures
342(10)
HTTP IDS Evasion Options
342(5)
Anti-Evasion Mechanisms
347(1)
Evasion by Abusing Apache Functionality
348(4)
Identifying Probes and Blocking Well-Known Offenders
352(11)
Worm Probes
352(2)
Blocking Well-Known Offenders
354(3)
Nmap Ident Scan
357(1)
Nmap Version Scanning
358(1)
Why Change the Server Banner Information?
359(2)
Masking the Server Banner Information
361(2)
HTTP Fingerprinting
363(16)
Implementation Differences of the HTTP Protocol
364(6)
Banner Grabbing
370(1)
Advanced Web Server Fingerprinting
370(1)
HTTPrint
371(2)
Web Server Fingerprinting Defensive Recommendations
373(6)
Bad Bots, Curious Clients, and Super Scanners
379(9)
Bad Bots and Curious Clients
379(2)
Super Scanners
381(7)
Reacting to DoS, Brute Force, and Web Defacement Attacks
388(11)
DoS Attacks
388(1)
Brute Force Attacks
389(3)
Web Defacements
392(5)
Defacement Countermeasures
397(2)
Alert Notification and Tracking Attackers
399(13)
Setting Up Variables
402(1)
Creating Historical Knowledge
403(1)
Filtering Out Noise and Thresholding Emails
403(1)
Request Snapshot and Attacker Tracking Links
403(1)
Send Alert to Pager
404(1)
Crude Pause Feature
404(1)
Send the HTML
404(1)
Example Email Alerts
404(8)
Log Monitoring and Analysis
412(12)
Real-Time Monitoring with Swatch
413(4)
Heuristic/Statistical Log Monitoring with SIDS
417(7)
Honeypot Options
424(5)
Sticky Honeypot
424(1)
FakePHF
425(2)
OS Commanding Trap and Trace
427(1)
Mod_Rewrite (2.1) to the Rescue
428(1)
Summary
429(2)
Open Web Proxy Honeypot
431(78)
Why Deploy an Open Web Proxy Honeypot?
431(2)
Lack of Knowledge That an Attack Even Occurred
432(1)
Lack of Verbose/Adequate Logging of HTTP Transactions
432(1)
Lack of Interest in Public Disclosure of the Attack
432(1)
What Are Proxy Servers?
433(1)
Open Proxy Background
434(1)
Open Web Proxy Honeypot
435(4)
Linksys Router/Firewall
435(1)
Turn Off Un-Needed Network Services
436(1)
Configure Apache for Proxy
436(3)
Data Control
439(3)
Mod_Dosevasive
439(1)
Mod_Security
439(2)
Utilizing Snort Signatures
441(1)
Brute Force Attacks
441(1)
Data Capture
442(2)
Real-Time Monitoring with Webspy
444(1)
Honeynet Project's Scan of the Month Challenge #31
444(3)
The Challenge
445(1)
Initial Steps
446(1)
Question: How Do You Think the Attackers Found the Honeyproxy?
447(1)
Question: What Different Types of Attacks Can You Identify? For Each Category, Provide Just One Log Example and Detail as Much Info About the Attack as Possible (Such as CERT/CVE/Anti-Virus ID Numbers). How Many Can You Find?
448(22)
Search Logs for Mod_Security-Message
449(1)
Utilization of the AllowConnect Proxying Capabilities
450(1)
Search Logs for Abnormal HTTP Status Codes
451(3)
Abnormal HTTP Request Methods
454(1)
Non-HTTP Compliant Requests
455(2)
Attack Category---SPAMMERS
457(2)
Attack Category---Brute Force Authentication
459(1)
Attack Category---Vulnerability Scans
459(6)
Attack Category---Web-Based Worms
465(3)
Attack Category---Banner/Click-Thru Fraud
468(1)
Attack Category---IRC Connections
469(1)
Question: Do Attackers Target Secure Socket Layer (SSL)-Enabled Web Servers?
470(3)
Did They Target SSL on Our Honeyproxy?
471(1)
Why Would They Want to Use SSL?
472(1)
Why Didn't They Use SSL Exclusively?
472(1)
Question: Are There Any Indications of Attackers Chaining Through Other Proxy Servers? Describe How You Identified This Activity. List Other Proxy Servers Identified. Can You Confirm That These Are Indeed Proxy Servers? Identifying the Activity
473(8)
Confirming the Proxy Servers
475(4)
Targeting Specific Open Proxies
479(1)
Targeting Specific Destination Servers
480(1)
Question: Identify the Different Brute Force Authentication Attack Methods. Can You Obtain the Clear-Text Username/Password Credentials? Describe Your Methods
481(12)
HTTP Get Requests
481(1)
HTTP Post Requests
482(1)
HTTP Basic Authentication
483(2)
Obtaining the Cleartext Authorization Credentials
485(1)
Distributed Brute Force Scan Against Yahoo Accounts
486(1)
Forward and Reverse Scanning
487(6)
Question: What Does the Mod_Security Error Message ``Invalid Character Detected'' Mean? What Were the Attackers Trying to Accomplish?
493(4)
SecFilterCheckURLEncoding---URL-Encoding Validation
493(1)
SecFilterCheckUnicodeEncoding---Unicode-Encoding Validation
494(1)
SecFilterForceByteRange---Byte Range Check
494(1)
Socks Proxy Scan
494(1)
Code Red/NIMDA Worm Attacks
495(2)
Question: Several Attackers Tried to Send SPAM by Accessing the Following URL: http://mail.sina.com.cn/cgi-bin/sendmsg.cgi. They Tried to Send Email with an HTML Attachment (Files Listed in the /upload Directory). What Does the SPAM Web Page Say? Who Are the SPAM Recipients? SPAM Recipients
497(1)
Question: Provide Some High-Level Statistics
498(4)
Top Ten Attacker IP Addresses
498(2)
Top Ten Targets
500(1)
Top User-Agents (Any Weird/Fake Agent Strings?)
500(1)
Attacker Correlation from DShield and Other Sources?
501(1)
Bonus Question: Why Do You Think the Attackers Were Targeting Pornography Web Sites for Brute Force Attacks? (Besides the Obvious Physical Gratification Scenarios)
502(4)
Even Though the Proxypot's IP/Hostname Was Obfuscated from the Logs, Can You Still Determine the Probable Network Block Owner?
504(2)
Summary
506(3)
Putting It All Together
509(14)
Example Vulnerability Alert
509(1)
Verify the Software Version
510(1)
Patch Availability
510(1)
Vulnerability Details
511(6)
Creating a Mod_Security Vulnerability Filter
514(1)
Testing the Vulnerability Filter
515(1)
First Aid Versus a Hospital
516(1)
Web Security: Beyond the Web Server
517(5)
Domain Hijacking
517(1)
DNS Cache Poisoning
517(2)
Caching Proxy Defacement
519(1)
Banner Ad Defacement
520(1)
News Ticker Manipulations
521(1)
Defacement or No Defacement?
521(1)
Summary
522(1)
Appendix A Web Application Security Consortium Glossary 523(10)
Appendix B Apache Module Listing 533(16)
Appendix C Example httpd.conf File 549(12)
Index 561


Ryan C. Barnett is a chief security officer for EDS. He currently leads both Operations Security and Incident Response Teams for a government bureau in Washington, DC. In addition to his nine-to-five job, Ryan is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security, Top 20 Vulnerabilities team member, and local mentor for the SANS Track 4, Hacker Techniques, Exploits, and Incident Handling, course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX), and Security Essentials (GSEC). In addition to the SANS Institute, he is also the team lead for the Center for Internet Security Apache Benchmark Project and a member of the Web Application Security Consortium.