Web server security

Dr Jim Briggs

WEBP security 1
What do we mean by secure?
• 100% security
• Trading off security versus convenience
• Particular vulnerabilities of the Internet
– The "wild west"

WEBP security 2
Vulnerability of web systems
• Open to the outside world
– Aim to attract strangers!
• Visitors are largely anonymous and can be very remote
• Communication can be eavesdropped (unless encrypted)
• Left unattended (largely)
• Difficult (impossible?) to test exhaustively
• Lots of potential security holes
– Running other people's buggy software
– Running own buggy software (even worse!)
– Large amount of code (often)
WEBP security 3
Server risks
• Bugs or misconfiguration problems in the Web
server that allow unauthorized remote users to:
– Steal confidential documents not intended for their
eyes.
– Execute commands on the server host machine,
allowing them to modify the system.
– Gain information about the Web server's host
machine that will allow them to break into the system.
– Launch denial-of-service attacks, rendering the
machine temporarily unusable.
WEBP security 4
Client risks
• Browser-side risks, including:
– Active content (e.g. Java, JavaScript, ActiveX) that
• crashes the browser
• damages the user's system
• breaches the user's privacy, or
• merely creates an annoyance
– The misuse of personal information knowingly or
unknowingly provided by the end-user
• passwords
• credit card numbers
• other sensitive data
WEBP security 5
Network risks
• Interception of network data sent from browser to server
or vice versa via network eavesdropping.
• Eavesdroppers can operate from any point on the
pathway between browser and server including:
– The network on the browser's side of the connection
– The network on the server's side of the connection (including
intranets).
– The end-user's Internet service provider (ISP)
– The server's ISP
– Either ISP's regional access provider
WEBP security 6
General security techniques
• Keep your software up to date with security patches
• Try not to use unsafe techniques (e.g. CGI, SSI)
• If you have to use them, test them thoroughly
– Include own use of hacker tools
• Design and implement an access control policy
(both via the web and to the host server)
• Log everything; monitor the logs; and investigate
suspicious activity
WEBP security 7
Specific server side issues
• Back door access to the server
– Remote/local login
– FTP
– Alternative web sites hosted on same machine
• Don't run the server as "root"
• Turn off un-needed …
– features in software
– IP ports
• Firewalls
WEBP security 8
Denial of service (DoS) attacks
• Definition:
– attack designed to render a computer or network incapable of
providing normal services
• Typical attacks
– Bandwidth attacks
• flood network with high volume of traffic
• consequence – all available network resources are consumed and
legitimate user requests cannot get through
– Connectivity attacks
• flood computer with high volume of connection requests
• consequence – all available operating system resources are consumed,
and computer cannot process legitimate requests
WEBP security 9
Distributed DoS (DDoS) attacks
• Many hosts simultaneously attack target
• Typically caused by agent hijacking
vulnerable hosts (e.g. via virus)
• As important to protect your machine from
hijack as it is to protect it from attack
• Techniques:
– Scan regularly for DDoS tools
– Do egress filtering (check for spoofed packets)

WEBP security 10
HTTP security
• Authentication
– Basic
– Digest
• Secure transport
– SSL

WEBP security 11