Securing and Managing the Oracle HTTP Server
Presentation from Collaborate09 - IOUG
1. Securing and Managing the Oracle HTTP Server (706)
Real World Examples and Lessons Learned
Monday, May 4, 2009, 01:15 - 02:15
Kevin Sheehan and Brian J. Mulreany

2. Agenda
• Presenter Introductions
• IOUG Membership Benefits
• Defense in Depth & Role of Web Server
• Scoring the OHS configuration
• Hardening the OHS setup
• Securing with mod_security and mod_rewrite
• Questions and Answers
©2009 Kevin Sheehan and Brian Mulreany. All Rights Reserved.

3. Presenter – Kevin Sheehan
• 28 years of IT experience
• 15 years of Oracle experience
• Currently Technical Director at Unisys
• Large Homeland Security implementations
• Formerly Technical Director at Oracle
• Email: kpsheehan@gmail.com

4. Presenter – Brian Mulreany
• 20+ years of experience with Oracle products
• 10+ years of experience with Web and Java technology
• Technical director with AT&T and Oracle Consulting, focusing on software architecture
• Senior Architect with Unisys supporting DHS
• Email: bjm-uva@alumni.virginia.edu

5. IOUG Membership Benefits
• Information
  – Library of Oracle Knowledge
  – SELECT Journal
• Education
  – Collaborate Conferences
• Networking
  – Member Directory
  – Special Interest Groups
  – Discussion Forums
• Advocacy

6. Overview of Defense in Depth
• Layered approach to security
• No single point of security failure
• Secure ALL layers of the tech stack
• Applies to more than the technology
  – Hiring practices (background investigations)
  – Procurement practices
  – Security awareness training
• Ultimate goal is prevention, but …
• Secondary goal is to slow the attacker down

7. Is Your Web Server Vulnerable to Attack? Because it sure is a target!
• Gateway to your system
• Default configuration is designed to serve and NOT to protect
• Everything is servable content unless you take steps to block it
• Block everything, then open up only what is needed

8. So just which OHS SHOULD You Install?
(Picture courtesy of cogdogblog's photostream on Flickr at http://www.flickr.com/photos/cogdog/1576658693/)

9. STOP! Don't pick that OHS
There are 10+ versions of OHS:
"It is externally labeled as "10.1.3.3", but the component version is actually "10.1.3.1", and is a special build, different than the 10.1.3.1 Oracle Application Server counterpart."
All OHS versions are not created equal:
"Something to think about... The Oracle HTTP Server delivered with the Oracle Database 10.2 Companion CD is provided for demonstration purposes, primarily for HTMLDB. However, it's an older version with limited functionality and support. It also installs a mix of 10.2 and 10.1 products which is more difficult to maintain. Consider installing a better package of the Oracle HTTP Server."

10. OHS Version Guidelines
• Use the Application Server OHS, not the database version
• Use stand-alone if possible
• Use Apache 2.0 if possible (if using stand-alone)
• Use the threaded MPM worker if using Apache 2.0

11. How Our Web Tier Evolved (with apologies to Darwin and chimpanzees)
• 6 years ago – Chimps (Chumps?)
  – J2EE/Portal install
  – Shut down everything but Web Cache
  – Unneeded software
• 3 years ago – Neanderthals
  – Standalone Web Cache
  – Single threaded
  – Not scalable
  – No reverse proxy or application firewall
• 2 years ago – Homo sapiens
  – Standalone OHS
  – Apache 2.0

12. Introducing CIS
• Center for Internet Security (CIS) benchmark
• Checks the configuration rather than scanning the live server
• Guess the CIS score after a default install
• Improving your security and your CIS score:
  – How many IDs does it take to run OHS?
  – HTTP headers and error documents
  – Basic OHS hardening
  – Lock down those load modules
  – Hardening with mod_security or mod_rewrite

13. OHS Baseline CIS Score
#=========[ CIS Apache Benchmark Scoring Tool 2.10 ]==========#
[Section 1.14] Web Server Software Obfuscation General Directives
[FAILED] ServerSignature is "On"
[Section 1.18] Access Control Directives
[PASSED] Directory entry for "/" is properly configured. allowoverride None
[FAILED] Directory entry for "/" is not properly configured. options FollowSymLinks
[FAILED] Directive "deny" Directory entry for "/" is not defined.
[Section 1.20] Directory Functionality/Features Directives
[FAILED] Did not disable Option directive "Includes" for DocumentRoot
[Section 1.21] Limiting HTTP Request Methods
[FAILED] There is no LimitExcept directive for DocumentRoot
[Section 1.23] Remove Default/Unneeded Apache Files
[VERIFY] Verify DocumentRoot files are not default Apache files.
…
[Apache Benchmark Score]: 2.79 out of 10.00]
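The scoring tool reads the configuration file rather than probing the running server, which is why a baseline install can be graded before it is ever exposed. The following Python script is an added example, not the CIS tool and not the presenters' code: it parses httpd.conf-style text and applies the checks the slide lists (ServerSignature, ServerTokens, the <Directory "/"> block, Includes and LimitExcept on the DocumentRoot, and mod_status from the final-score slide) to two constructed fragments, a baseline and a hardened one. The section numbers follow the slide; the score is a plain pass fraction scaled to 10, an assumption made here, and the paths are made up.

```python
"""Configuration scoring in the style of the CIS Apache Benchmark Scoring Tool.
Added example: parses httpd.conf-style text and applies the checks the slide
lists.  Score = passed/total * 10 (this example's simplification, not CIS's).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    args: List[str]
    children: List["Node"] = field(default_factory=list)


def _args(rest: str) -> List[str]:
    """Split directive arguments, honouring double-quoted values."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]


def parse_conf(text: str) -> Node:
    """Build a directive tree; <Container ...> ... </Container> nests children."""
    root = Node("ROOT", [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # '###LoadModule ...' is a comment
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            name, _, rest = line[1:-1].strip().partition(" ")
            node = Node(name, _args(rest))
            stack[-1].children.append(node)
            stack.append(node)
        else:
            name, _, rest = line.partition(" ")
            stack[-1].children.append(Node(name, _args(rest)))
    return root


def find(node: Optional[Node], name: str, arg0: Optional[str] = None) -> Optional[Node]:
    """First child directive/container with this name (and first argument, if given)."""
    for c in (node.children if node else []):
        if c.name.lower() == name.lower() and (arg0 is None or (c.args and c.args[0] == arg0)):
            return c
    return None


def value(node: Optional[Node], name: str) -> List[str]:
    """Lower-cased arguments of a directive, [] when absent."""
    d = find(node, name)
    return [a.lower() for a in d.args] if d else []


def denies_all(node: Optional[Node]) -> bool:
    return value(node, "Deny") == ["from", "all"] or value(node, "Require") == ["all", "denied"]


def score_conf(text: str) -> Tuple[float, List[Tuple[str, str, str]]]:
    root = parse_conf(text)
    dr = find(root, "DocumentRoot")
    docroot = dr.args[0] if dr and dr.args else None
    root_dir = find(root, "Directory", "/")
    doc_dir = find(root, "Directory", docroot) if docroot else None
    doc_opts = [o.lstrip("+") for o in value(doc_dir, "Options")]
    checks = [  # (section, passed?, description); an explicit setting is required
        ("1.14", value(root, "ServerSignature") == ["off"], 'ServerSignature is "Off"'),
        ("1.14", value(root, "ServerTokens") in (["prod"], ["productonly"]), 'ServerTokens is "Prod"'),
        ("1.18", value(root_dir, "AllowOverride") == ["none"], 'Directory "/" has AllowOverride None'),
        ("1.18", value(root_dir, "Options") == ["none"], 'Directory "/" has Options None'),
        ("1.18", denies_all(root_dir), 'Directory "/" denies all access by default'),
        ("1.20", doc_dir is not None and not any(o.startswith("includes") for o in doc_opts),
         "Includes is disabled for DocumentRoot"),
        ("1.21", find(doc_dir, "LimitExcept") is not None, "LimitExcept restricts methods on DocumentRoot"),
        ("1.9", find(root, "LoadModule", "status_module") is None, "mod_status is not loaded"),
    ]
    results = [(sec, "PASSED" if ok else "FAILED", msg) for sec, ok, msg in checks]
    score = round(10.0 * sum(ok for _, ok, _ in checks) / len(checks), 2)
    return score, results


# Constructed fragments (paths are made up); the baseline mirrors the slide's failures.
BASELINE_CONF = """
ServerSignature On
ServerTokens Minimal
DocumentRoot "/u01/ohs/htdocs"
LoadModule status_module modules/mod_status.so
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/u01/ohs/htdocs">
    Options Indexes FollowSymLinks Includes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod
DocumentRoot "/u01/ohs/htdocs"
###LoadModule status_module modules/mod_status.so
<Directory "/">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/u01/ohs/htdocs">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("baseline", BASELINE_CONF), ("hardened", HARDENED_CONF)):
        score, results = score_conf(conf)
        print(f"== {label} ==")
        for sec, status, msg in results:
            print(f"[Section {sec}] [{status}] {msg}")
        print(f"[Apache Benchmark Score]: {score:.2f} out of 10.00")
```

The baseline scores 1.25 (only AllowOverride passes), the hardened fragment 10.00. The parser ignores commented-out lines, so the "###" convention the slides use for disabling directives is handled the same way Apache handles it.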
14. Fingerprinting
• What if you knew which weapon to use?
• Fingerprinting tries to identify the configuration
• Attacks use known vulnerabilities
• Stop information leaks

15. Fingerprinting OHS Base Install
The fingerprinting tool identified the default install as Apache 2.0 with a high degree of confidence.

16. How many User IDs does it take to run OHS?
"Two-Man Rule" or "Four-Eyes Principle": a security control technique that requires more than one person, or more than one user ID, to compromise an entire system.
It takes three user IDs to run OHS:
1. One user ID to own the OHS software
2. One user ID to run the OHS web server processes
3. One user ID to own the web content
The process user needs read access to the content and write access only to its own log and run directories, so a compromised worker cannot alter the binaries or the pages.

17. Modify Headers and Error Pages
• The HTTP headers after a default install identify the web server
• The default error pages show the web server version, hostname, and port
• They may show internal information if you are using a reverse proxy

Basic header (response to HEAD / HTTP/1.0):
HTTP/1.1 200 OK
Date: Mon, 23 Feb 2009 02:19:58 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server

Default error page:
<body>
<h1>Not Found</h1>
<p>The requested URL /notfound was not found on this server.</p>
<hr>
<address>Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server Server at bjm-desktop Port 80</address>
</body>

18. HTTP headers – Leave no trace
Original configuration -> Revised configuration
ServerAdmin you@example.com -> ###ServerAdmin you@example.com
ServerName bjm-desktop -> ServerName ohs.collaborate09.org
ServerTokens Minimal -> ServerTokens None
No limit on methods (OPTIONS etc. allowed) ->
  <LimitExcept GET POST>
      deny from all
  </LimitExcept>
  Options None
No fake headers to obfuscate the server -> Header onsuccess set X-Powered-By "ASP.NET" (and modify the order of the headers)
Using default error pages ->
  ErrorDocument 403 /error_contactus.htm
  ErrorDocument 500 "There was an error processing your request, please retry."

Two caveats: stock Apache httpd accepts Prod as its most restrictive ServerTokens value (None is not a valid value there), and LimitExcept does not cover TRACE, which is switched off separately with TraceEnable off.

19. HTTP headers – after revisions
• Header and error-page content has been scrubbed
• Don't forget to remove demo content too.

HTTP/1.1 403 Forbidden
Date: Sun, 01 Mar 2009 16:07:11 GMT
X-Cache: MISS from proxy.domain.com
Last-Modified: Sun, 01 Mar 2009 15:56:50 GMT
ETag: "307d5-a0-bffb1480"
Content-Length: 160
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html

<HTML><HEAD><TITLE>Error – Contact Us</TITLE></HEAD><BODY>
<H1>There was an error processing your request</H1>
</BODY></HTML>

20. Fingerprinting Revised Setup
After revising the headers and error pages, the fingerprinting tool guesses that the web server is Orion and reports a low degree of confidence.
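What a fingerprinting tool sees is only what the server sends, so the scrub can be verified from a raw response. The following Python script is an added example, not code from the presentation or from any fingerprinting tool: it parses one HTTP response and reports the identifying details in it (the Server header, the <address> footer of a default error page, decoy headers such as X-Powered-By, and an ETag in the Apache 2.0/2.2 default inode-size-mtime shape, which survives the slide's revision). The two responses are constructed from the captures on slides 17 and 19; the 404 body is joined to the slide-17 headers to form a single response.

```python
"""Response leak checker.  Added example: reports what a fingerprinting tool
can read from a single HTTP response (status line, headers, body)."""
import re

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)
# Apache 2.0/2.2 default FileETag (INode MTime Size) yields three hex fields.
APACHE_ETAG_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$")


def parse_response(raw: str):
    """Split a raw response into status line, [(name, value)] headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *header_lines = head.split("\n")
    headers = []
    for line in header_lines:
        name, _, val = line.partition(":")
        headers.append((name.strip(), val.strip()))
    return status, headers, body


def check_response(raw: str) -> dict:
    """Return hard leaks, weaker hints, decoy claims and the header order."""
    status, headers, body = parse_response(raw)
    leaks, hints, advertised = [], [], {}
    for name, val in headers:
        lname = name.lower()
        if lname == "server":
            what = "product and version" if VERSION_RE.search(val) else "product"
            leaks.append(f"Server header discloses {what}: {val}")
        elif lname in ("x-powered-by", "x-aspnet-version"):
            advertised[name] = val          # may be a decoy, as on slide 18
        elif lname == "etag" and APACHE_ETAG_RE.match(val.strip('"')):
            hints.append(f"ETag {val} has Apache's inode-size-mtime shape "
                         "(FileETag MTime Size removes the inode)")
    m = ADDRESS_RE.search(body)
    if m:   # default Apache error-page footer: software, hostname and port
        leaks.append("error page footer discloses: " + " ".join(m.group(1).split()))
    return {"status": status, "leaks": leaks, "hints": hints,
            "advertised": advertised, "header_order": [n for n, _ in headers]}


# Constructed from the slide-17 capture (headers) and its default 404 body.
BEFORE = """HTTP/1.1 404 Not Found
Date: Mon, 23 Feb 2009 02:19:58 GMT
Server: Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
Content-Type: text/html

<body>
<h1>Not Found</h1>
<p>The requested URL /notfound was not found on this server.</p>
<hr>
<address>Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server Server at bjm-desktop Port 80</address>
</body>"""

# Constructed from the slide-19 capture after the revisions.
AFTER = """HTTP/1.1 403 Forbidden
Date: Sun, 01 Mar 2009 16:07:11 GMT
X-Cache: MISS from proxy.domain.com
Last-Modified: Sun, 01 Mar 2009 15:56:50 GMT
ETag: "307d5-a0-bffb1480"
Content-Length: 160
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html

<HTML><HEAD><TITLE>Error - Contact Us</TITLE></HEAD><BODY>
<H1>There was an error processing your request</H1>
</BODY></HTML>"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_response(raw))
```

The revised response yields no hard leaks and only the decoy ASP.NET claims, but the ETag still carries the Apache inode signature (a0 hex is the 160-byte Content-Length, which is how a tool recognises the shape); that is the kind of residual signal that keeps a fingerprinting guess at "low confidence" rather than "none".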
21. Lock down those load modules
• Determine how OHS is being used: application server front-end, Apex front-end, reverse proxy, 11i application front-end, …
• Evaluate which load modules are required based on the intended use
• Disable the modules that are not required

22. Disable Unused Load Modules
Original configuration -> Revised configuration
LoadModule status_module -> LoadModule status_module
LoadModule autoindex_module -> ###LoadModule autoindex_module
LoadModule dir_module -> ###LoadModule dir_module
LoadModule imap_module -> ###LoadModule imap_module
LoadModule alias_module -> LoadModule alias_module
LoadModule php4_module -> ###LoadModule php4_module
LoadModule expires_module -> LoadModule expires_module
LoadModule rewrite_module -> LoadModule rewrite_module
N/A -> LoadModule security_module
(CIS-flagged modules were shown in red on the slide.)

23. Mod_Security vs Mod_Rewrite
Mod_security
• Pro
  – Availability of rules
  – Detailed logging
  – Designed as a security tool
• Con
  – New module to maintain
  – Parsing adds overhead
  – OHS uses the old 1.84 version
Mod_rewrite
• Pro
  – Typically already in use
  – Good for simple blocking
  – Performance
• Con
  – More work to code rules
  – Logging is more for debugging
  – Not designed for security

24. Compare Blocking the PUT Method
Mod_rewrite rule:
RewriteCond %{REQUEST_METHOD} ^PUT
RewriteRule .* - [F]
Mod_security rule:
SecFilterSelective REQUEST_METHOD "PUT" "id:888000,deny,log,status:405,msg:'PUT method denied'"
The rewrite rule answers 403 Forbidden; the mod_security rule answers 405 Method Not Allowed and writes the denied request to its own log.

25. Default Logging – Minimal
Default common log format:
LogFormat "%h %l %u %t \"%r\" %>s %B"
Default common log result:
192.168.0.10 - - [23/Feb/2009:21:45:58 -0500] "GET /index.html HTTP/1.1" 200 14679

26. Blackbox + access log format
Blackbox + access log format:
LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-FORWARDED-FOR}i\" \"%{cookie}i\" %v %X %P %T" blackbox
Blackbox + access log result:
192.168.0.10 - - [10/Mar/2009:21:23:17 -0400] "GET /index.html HTTP/1.1" 200 14679 "http://192.168.0.12:7777/OHSDemos.htm" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" "10.0.0.100" "JSESSIONID=8EEEE08C4DEFF1B72F9BCCEC72B58544" bjm-desktop + 27860 0
(The fields after the common-log prefix are referer, user-agent, X-Forwarded-For, cookie, virtual host, connection status, process ID and seconds to serve.)

27. Case Study – The attack
• Big increase in 403 Forbidden requests
• Big increase in 404 Not Found requests
• Big increase in 400 Bad Request or 406 Not Acceptable requests
• Unusual 404 pattern, not favicon.ico
• Hundreds of requests per minute off-peak
• Many requests from one IP in under a minute
• Requests for technology not in use, such as PHP
• Non-standard user-agent

28. Case Study – The analysis
• The OHS access log showed the requests coming from the user-agent w3af.sourceforge.net
• A web search found: "w3af is a Web Application Attack and Audit framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend."

29. Case Study – The response
• Added a new mod_security rule:
SecFilterSelective HTTP_USER_AGENT "w3af.sourceforge.net" "id:888000,deny,log,status:406,msg:'User Agent invalid'"
• The rule blocks access by the w3af user agent and returns a 406 Not Acceptable response. Blocked request information is logged in the mod_security log.
• Added the rule to the list of user-agent blocking rules
Note that this rule reuses id 888000 from the PUT rule on slide 24; give each rule a unique id. A user-agent string costs the attacker nothing to change, so this blocks the tool's noisy default, not the tool.
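Every indicator on slide 27 can be pulled from the blackbox log format of slide 26, which is the point of logging more than the common format. The following Python script is an added example, not the presenters' code: it parses lines in that format, groups them by client, flags the patterns listed above (burst within one minute, 4xx ratio, PHP probes, non-browser user-agent), and counts how many lines the slide-29 user-agent rule would have denied. The first lines follow the slide-26 sample; the scanner burst, its address 10.0.0.200 and the probed paths are constructed for the example, and the thresholds are assumptions to tune against your own traffic.

```python
"""Blackbox access-log analysis for the w3af case study.  Added example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# %h %l %u %t "%r" %>s %B "Referer" "User-Agent" "X-Forwarded-For" "cookie" %v %X %P %T
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)" "(?P<cookie>[^"]*)" (?P<vhost>\S+) (?P<conn>\S) (?P<pid>\d+) (?P<secs>\d+)$')

UA = ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; '
      'Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)')
NORMAL_LINES = [  # first line is the slide-26 sample; the other two are constructed
    f'192.168.0.10 - - [10/Mar/2009:21:23:17 -0400] "GET /index.html HTTP/1.1" 200 14679 '
    f'"http://192.168.0.12:7777/OHSDemos.htm" "{UA}" "10.0.0.100" '
    f'"JSESSIONID=8EEEE08C4DEFF1B72F9BCCEC72B58544" bjm-desktop + 27860 0',
    f'192.168.0.10 - - [10/Mar/2009:21:23:18 -0400] "GET /favicon.ico HTTP/1.1" 404 160 '
    f'"-" "{UA}" "10.0.0.100" "-" bjm-desktop + 27860 0',
    f'192.168.0.10 - - [10/Mar/2009:21:23:40 -0400] "GET /OHSDemos.htm HTTP/1.1" 200 2048 '
    f'"-" "{UA}" "10.0.0.100" "-" bjm-desktop + 27861 0',
]


def scanner_lines(n: int = 30) -> list:
    """Constructed burst: n probes from one address inside a single minute."""
    paths = ["/admin.php", "/phpmyadmin/index.php", "/cgi-bin/test.cgi", "/_vti_bin/", "/wp-login.php"]
    out = []
    for i in range(n):
        path = paths[i % len(paths)]
        status = 403 if path.startswith("/cgi-bin") else 404
        out.append(f'10.0.0.200 - - [10/Mar/2009:22:41:{i * 2:02d} -0400] "GET {path} HTTP/1.1" '
                   f'{status} 160 "-" "w3af.sourceforge.net" "-" "-" bjm-desktop + 27860 0')
    return out


SAMPLE_LOG = NORMAL_LINES + scanner_lines()


def parse_line(line: str):
    """One log line -> dict, or None when it does not fit the format (e.g. 400 junk)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = e["request"].split(" ")
    e["path"] = parts[1] if len(parts) == 3 else e["request"]
    e["status"] = int(e["status"])
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Behind a reverse proxy %h is the proxy; trust X-Forwarded-For only when your own proxy sets it.
    e["client"] = e["xff"] if e["xff"] not in ("", "-") else e["host"]
    return e


def analyze(lines, rate_threshold=20, error_ratio=0.5, min_requests=10) -> dict:
    """Per-client summary with the slide-27 indicators; thresholds are assumptions."""
    per_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            per_client[e["client"]].append(e)
    report = {}
    for client, entries in per_client.items():
        n = len(entries)
        peak = max(Counter(e["time"].replace(second=0) for e in entries).values())
        errors = sum(1 for e in entries if 400 <= e["status"] < 500)
        odd_404 = sum(1 for e in entries if e["status"] == 404 and e["path"] != "/favicon.ico")
        php = sum(1 for e in entries if ".php" in e["path"].lower())
        non_browser = sorted({e["ua"] for e in entries if not e["ua"].startswith("Mozilla/")})
        reasons = []
        if peak >= rate_threshold:
            reasons.append(f"{peak} requests within one minute")
        if n >= min_requests and errors / n >= error_ratio:
            reasons.append(f"{errors}/{n} requests returned 4xx ({odd_404} non-favicon 404s)")
        if php:
            reasons.append(f"{php} requests for PHP content this server does not run")
        if non_browser:
            reasons.append("non-browser user-agent: " + ", ".join(non_browser))
        report[client] = {"requests": n, "peak_per_minute": peak,
                          "reasons": reasons, "suspicious": len(reasons) >= 2}
    return report


def blocked_by_ua_rule(lines, pattern="w3af.sourceforge.net") -> int:
    """Requests the slide-29 SecFilterSelective HTTP_USER_AGENT rule would have denied."""
    entries = (parse_line(line) for line in lines)
    return sum(1 for e in entries if e and pattern in e["ua"])


if __name__ == "__main__":
    for client, summary in analyze(SAMPLE_LOG).items():
        print(client, summary)
    print("blocked by user-agent rule:", blocked_by_ua_rule(SAMPLE_LOG))
```

The ordinary client trips none of the indicators (its single 404 is favicon.ico and its volume is below the minimum), while the scanner trips all four; the user-agent rule would have stopped its 30 probes, but only the rate and error-ratio signals survive a changed user-agent string, which is why the analysis keys on them too.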
30. Final CIS Score
[Apache Benchmark Score]: 8.14 out of 10.00]
[Section 1.9] Configure the Apache Software
[FAILED] Unless required, module "mod_status" should not be compiled into Apache.
[Section 1.11] Server Oriented General Directives
[FAILED] HostnameLookups is off for Apache Web Server
[Section 1.13] Denial of Service (DoS) Protective General Directives
[FAILED] TimeOut value "300" is greater than the recommended "60"
[Section 1.24] Update Ownership and Permissions for Enhanced Security
[FAILED] Owner of Log directory should be root.

31. Configure an OHS reverse proxy
A reverse proxy server is an instance of OHS that:
• takes an inbound HTTP request and forwards it to your web servers, thus providing a layer of obfuscation
• based on rules you define, either passes (proxies) a request onward or denies it, so you can configure it to limit probes by individuals trying to fingerprint your environment
• can serve static content to take some load off your web/application servers
• can act as a server-side cache
• can compress content

32. Configure an OHS reverse proxy
(Architecture diagram on the slide.)

33. Tips & Tricks for Managing OHS
Best feature of OHS 2 not enabled: Use threads with the mpm worker
Build your own moat: Protect your COTS products
Listen up!: Make sure you check all ports
Use an inclusive OHS configuration: Use Include to separate configs
Can you use mod_plsql and OHS 2?: Yes, and reduce DB connections
Use mod_rewrite or mod_security?: Why choose, use both
A bit of nostalgia: New load modules with 2.2
Virtualization: Inherit rules with VirtualHosts
Load module order is important: Load module order matters in 1.3
Test those changes: apachectl configtest is OK
Need a little cache?: Take advantage of client caching
Terminating SSL in front of OHS: Speed up your secure requests

34. Thanks for Attending! Contact Information
Kevin Sheehan, Email: kpsheehan@gmail.com
Brian J. Mulreany, Email: bjm-uva@alumni.virginia.edu
Web Site: http://securedba.com
Remember to fill out a survey, please!