Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.

Published byDarrell Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers."— Presentation transcript:

1 Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers University Internet Institute Instructor: Chris Uriarte (CU520-03)

2 Web Technology – Web Server Setup : Chris Uriarte Today’s Session Protecting your Web server against attacks. Providing authenticated access to your Web site. Overview of SSL-enabled Web Servers Apache Performance Tuning Wrap-up and Evaluations

3 Web Technology – Web Server Setup : Chris Uriarte Levels of Web Server Security Protecting data supplied through client browsers. Protecting or restricting access to data stored on your Web server. Protecting the Web server software. Protecting the server that houses your Web server.

4 Web Technology – Web Server Setup : Chris Uriarte Common Attacks on Systems that Run Web Servers CGI exploits –Badly-written or buggy web applications (CGIs) programs allow access to restricted resources or consume server resources. DoS (Denial of Service) –Software or operating system server exploits Packet sniffers –Hackers ‘sniff’ clear-text passwords Buffer overflows –Attacks that cause a piece of software to crash and possibly give unprivileged users privileged access

5 Web Technology – Web Server Setup : Chris Uriarte Securing Your Web Server Restrict access (by location or authentication) to file systems and resources. –Password or IP authentication/authorization Disable server-side technologies if they are not required. –Disable CGI Access and Server Side Includes –Remove ExecCGI and Includes from the Options directive of your httpd.conf Do not run your server as “root.” –The User directive in the httpd.conf should specify a user other than root (e.g. nobody, www, etc.)

6 Web Technology – Web Server Setup : Chris Uriarte Securing Your Web Server, con’t. Filter traffic with a firewall. –Use of a network device that only allows access to particular resources on a network Use encryption technologies (ssh, ssl). Monitor your logs for problems. Secure the system that hosts your Web server: disable ports and services not in use, install security patches, take preventative measures against popular exploits. –Websites like http://www.cert.org and www.securityfocus.com have information on current exploitshttp://www.cert.org www.securityfocus.com

7 Web Technology – Web Server Setup : Chris Uriarte Access by Authentication Standard Authentication Modules – mod_auth, mod_auth_anon, mod_auth_dbm, mod_auth_db, mod_digest Access in Apache can be defined by user or group: For Basic Authentication: AuthType Basic AuthName “Restricted Access” AuthUserFile/usr/local/apache/passwd.file AuthGroupFile /usr/local/apache/group.file require user1 group1 group2

8 Web Technology – Web Server Setup : Chris Uriarte Authentication, con’t. Authenticated access often setup through a.htaccess file in the directory you want to protect, but can be setup via httpd.conf. Passwords sent in the clear for basic authentication.

9 Web Technology – Web Server Setup : Chris Uriarte Basic Authentication: Line by Line You can keep authentication info in a block in the httpd.conf or in an.htaccess file First, specify the AuthType, which is Basic AuthType Basic Next, Specify the text string that will be displayed when the username/pw box is presented to the user: AuthName “My Secret Webpages” Next, specify the path to a file that will contain the usernames and passwords of your users: AuthUserFile /home/apache/passwd.file (best to keep this file out of the DocumentRoot)

10 Web Technology – Web Server Setup : Chris Uriarte Basic Authentication: con’t. Finally, add a require statement within a block, which can limit the access to a specific username, or group. This can contain a list of groups, user names or the text “valid-user” to represent any valid user in the password file require valid-user

11 Web Technology – Web Server Setup : Chris Uriarte Basic Authentication: con’t The final block looks like this: AuthType Basic AuthName “My Secret Webpage” AuthUserFile/home/apache/passwd.file require valid-user …which will prompt a user for a username/pw when any document under /home/iti1234/htdocs/restricted is requested.

12 Web Technology – Web Server Setup : Chris Uriarte Creating a Password File htpasswd is a utility for generating encrypted passwords and creating a password file Part of apache distribution, located in : {SERVER ROOT}/bin/htpasswd Usage: htpasswd [-c] password-file username The –c flag creates a new password file. Example, adds a user myname and creates a new password file (type all on one line): /home/iti1234/bin/htpasswd -c /home/iti1234/apache/passwdfile username

13 Web Technology – Web Server Setup : Chris Uriarte Exercise: Password Protecting Your Website For this exercise, you will make the Website running on your workstation password restricted using a.htaccess file. In the directory container for your document root (/home/itiXXXX/apache/htdocs), in httpd.conf set the following: AllowOverride AuthConfig

14 Web Technology – Web Server Setup : Chris Uriarte Exercise, con’t: In /home/itiXXX/apache/htdocs, create a.htaccess file with the following contents: AuthUserFile /home/itiXXXX/apache/.htpasswd AuthGroupFile /dev/null AuthName “My Protected Site” AuthType Basic require valid-user

15 Web Technology – Web Server Setup : Chris Uriarte Exercise, con’t. Next, create a password file using htpasswd: htpasswd –c /home/itiXXXX/apache/.htpasswd guest Provide the password for the guest user when prompted. Access your website (http://iti.rutgers.edu:PORT/) and provide the username/password.http://iti.rutgers.edu:PORT/

16 Web Technology – Web Server Setup : Chris Uriarte Restrict Access by Location Authorization As discussed in Meeting 2, you can restrict access to web resources by IP address, hostname, domain name and IP block by using a block in the httpd.conf or an.htaccess file: order deny,allow deny from all allow from 165.230.30.68.rutgers.edu

17 Web Technology – Web Server Setup : Chris Uriarte Secure Socket Layer (SSL) Secure Socket Layer (SSL ) is a technology developed by Netscape that can be used to encrypt data sent between the client and a server. Mainly used for secure Web-based online transactions – stops network eavesdroppers from “listening” to your personal information, credit card numbers, etc.

18 Web Technology – Web Server Setup : Chris Uriarte How SSL Works Client connects to the server. Server sends back a certificate that contains the server’s public key. Server sends a digitally signed messaged encrypted with its private key. The client decrypts the message using the server’s public key. Client uses server’s public key to encrypt a secret single-key. Secret single-key is used for encryption and decryption of all further communications between server and client.

19 Web Technology – Web Server Setup : Chris Uriarte Certificates and Certificate Authorities The “weak-link” in SSL transactions is initial communication between client and server. If connection is made to illegitimate server, the whole transaction is tainted. A certificate is used to pair a public-key with an owner’s identity. For this identity assertion to be trusted, the certificate must be signed by a Certificate Authority (CA) that independently verifies that identity of the owner of server’s public-key. Web browsers only recognize the validity of certain certificate authorities.

20 Web Technology – Web Server Setup : Chris Uriarte Getting a Signed Certificate Web browsers will generate a warning when accessing an SSL-enabled site that uses a certificate than hasn’t been signed by a recognized authority. Certificate Authorities: –Verisign http://www.verisign.com - Price for 40-Bit SSL Certificate: $349…owned by NetworkSolutionshttp://www.verisign.com –Thawte http://www.thawte.com - Price for 40-Bit SSL Certificate: $125…now owned by Verisignhttp://www.thawte.com Will need to provide a CSR (Certificate Signing Request) plus other documentation verifying that you are who you say you are and that you own the domain specified in the CSR.

21 Web Technology – Web Server Setup : Chris Uriarte Apache with SSL Options Commercial Solutions –StrongHold Server http://www.c2.net/products/sh2 Price: $995 (Includes certificate signed by Thawte)http://www.c2.net/products/sh2 –Raven SSL Module http://www.covalent.net/raven Price: $357http://www.covalent.net/raven –Red Hat Secure Web Server (Linux Only) http://www.redhat.com Price: $150 (Part of Red Hat Professional Edition) http://www.redhat.com Non-Commercial Solutions –Apache-SSL http://www.apache-ssl.orghttp://www.apache-ssl.org –Interface to OpenSSL (mod_ssl) http://www.modssl.org and http://www.openssl.orghttp://www.modssl.orghttp://www.openssl.org

22 Web Technology – Web Server Setup : Chris Uriarte Other Non-Apache SSL Servers SSL capabilities built into other major web servers: –Microsoft IIS –Sun Java WebServer –O’Reilly Website

23 Web Technology – Web Server Setup : Chris Uriarte Apache SSL Configuration SSL configuration for Apache-based web servers differs greatly, depending on the SSL distribution you are using. Check the documentation for each distribution. Generally, SSL setup and configuration is easier with commercial distributions. Using a non-commercial SSL distribution (mod_ssl, Apache-SSL) usually requires you to install libraries on your system, re-compile Apache and add special configuration lines to the httpd.conf.

24 Web Technology – Web Server Setup : Chris Uriarte Apache Performance Tuning Issues Three Rules of thumb: –Make sure your server has enough physical resources: Fast Disk and enough RAM –Make sure you have enough bandwidth –Make Apache do as little work as it has to do.

25 Web Technology – Web Server Setup : Chris Uriarte Server Requirements Generally, the more requests you server has to concurrently handle, the more horsepower it must have. More requests = More Access to Disk (Get lots of fast disk) More requests = More Apache processes = More RAM (Get lots of RAM)

26 Web Technology – Web Server Setup : Chris Uriarte Assessing Apache RAM Requirements Apache will create a number of child processes upon startup and create more of them as needed. 1 child process required for each client request Generally, each Apache child process will take up 2-5 MB of RAM. Therefore, you can make RAM estimates: –RAM Usage = (Apache Process Size) X (Max current users) Using dynamic content like CGI scripts, Server Side Includes, etc. will require more memory and CPU power.

27 Web Technology – Web Server Setup : Chris Uriarte RAM Requirements, etc. If you expect a maximum of 25 simultaneous requests to your server and the size of each Apache process is 4MB, you will need at least 100MB dedicated to Apache. The size of each Apache process will vary from machine to machine, depending on the modules used, the machine architecture, etc. You can asses the real size of your Apache process (httpd) by using a system monitoring utility like top.

28 Web Technology – Web Server Setup : Chris Uriarte Bandwidth Requirements It’s important to know whether you have enough bandwidth to handle your web requests. The “fatter the pipe”, the quicker contents can be delivered. Requirements differ depending on contents: rich multimedia (many graphics, streaming audio/video) requires more bandwidth. Other network concepts such as website latency can play into overall website performance.

29 Web Technology – Web Server Setup : Chris Uriarte Making Apache Do As Little as Possible…. Removing features from Apache during compilation and from the httpd.conf after compilation can help increase Apache’s performance and memory requirements. –Compiling in additional and/or unnecessary modules can slow Apache’s performance and increase memory requirements.

30 Web Technology – Web Server Setup : Chris Uriarte Resources on Apache Performance Tuning Book: Web Performance Tuning: Speeding Up the Web, Killelea - O’Reilly 1998 CU’s white paper on Apache Performance TuningApache Performance Tuning Apache performance notes: http://httpd.apache.org/docs/misc/perf- tuning.html (some very detailed, low-level technical details) http://httpd.apache.org/docs/misc/perf- tuning.html

Download ppt "Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers."

Similar presentations

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Access control and user management in Apache

Access control and user management in Apache
Access control and user management in Apache 1WUCM1.

Access control and user management in Apache 1WUCM1.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Chapter 22 Web Hosting and Internet Servers Xuanxuan Su.

Chapter 22 Web Hosting and Internet Servers Xuanxuan Su.
Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Linux Operations and Administration

Linux Operations and Administration

Similar presentations

Ads by Google