Title: Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning
Slide 1: Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning
- Rutgers University Internet Institute
- Instructor: Chris Uriarte (CU520-03)
Slide 2: Today's Session
- Protecting your Web server against attacks.
- Providing authenticated access to your Web site.
- Overview of SSL-enabled Web Servers
- Apache Performance Tuning
- Wrap-up and Evaluations
Slide 3: Levels of Web Server Security
- Protecting data supplied through client browsers.
- Protecting or restricting access to data stored on your Web server.
- Protecting the Web server software.
- Protecting the server that houses your Web server.
Slide 4: Common Attacks on Systems that Run Web Servers
- CGI exploits
  - Badly written or buggy Web applications (CGI programs) allow access to restricted resources or consume server resources.
- DoS (Denial of Service)
- Software or operating system server exploits
- Packet sniffers
  - Hackers sniff clear-text passwords.
- Buffer overflows
  - Attacks that cause a piece of software to crash and possibly give unprivileged users privileged access.
Slide 5: Securing Your Web Server
- Restrict access (by location or authentication) to file systems and resources.
  - Password or IP authentication/authorization
- Disable server-side technologies if they are not required.
  - Disable CGI access and Server Side Includes: remove ExecCGI and Includes from the Options directive of your httpd.conf
- Do not run your server as root.
  - The User directive in the httpd.conf should specify a user other than root (e.g. nobody, www, etc.)
Slide 6: Securing Your Web Server, cont.
- Filter traffic with a firewall.
  - Use a network device that only allows access to particular resources on a network.
- Use encryption technologies (ssh, ssl).
- Monitor your logs for problems.
- Secure the system that hosts your Web server: disable ports and services not in use, install security patches, take preventative measures against popular exploits.
  - Websites like http://www.cert.org and www.securityfocus.com have information on current exploits.
Slide 7: Access by Authentication
- Standard authentication modules: mod_auth, mod_auth_anon, mod_auth_dbm, mod_auth_db, mod_digest
- Access in Apache can be defined by user or group.
- For Basic Authentication:
    <Directory /home/iti1234/htdocs/restricted>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /usr/local/apache/passwd.file
    AuthGroupFile /usr/local/apache/group.file
    require user user1
    require group group1 group2
    </Directory>
Slide 8: Authentication, cont.
- Authenticated access is often set up through a .htaccess file in the directory you want to protect, but can also be set up via httpd.conf.
- Passwords are sent in the clear for Basic authentication.
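As an added example (not part of the course slides), the following Python shows what "passwords sent in the clear" means on the wire: a constructed WWW-Authenticate challenge carrying the AuthName from slide 7 and a constructed browser request carrying Basic credentials. The header names are standard HTTP; the host, path and the guest credentials are made up.

```python
import base64

# Constructed sample traffic (not a real capture): the challenge an Apache
# server sends for the AuthName on slide 7, and the browser's reply.
CHALLENGE = 'WWW-Authenticate: Basic realm="Restricted Access"'
CAPTURED_REQUEST = (
    "GET /restricted/index.html HTTP/1.0\r\n"
    "Host: www.example.edu\r\n"
    "Authorization: Basic Z3Vlc3Q6aHVudGVyMg==\r\n"
    "\r\n"
)


def parse_realm(challenge_header):
    """Return the realm string from a 'WWW-Authenticate: Basic' header.
    The realm is exactly the AuthName text from httpd.conf / .htaccess."""
    _, _, value = challenge_header.partition(":")
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "basic" or not params.lower().startswith("realm="):
        return None
    return params[len("realm="):].strip().strip('"')


def decode_basic_credentials(raw_request):
    """Return (username, password) carried by a Basic Authorization header.
    Basic auth only base64-encodes 'user:password'; base64 is an encoding,
    not encryption, so anyone who can read the HTTP stream (the packet
    sniffer on slide 4) recovers the password as-is. Returns None when the
    request carries no Basic credentials."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token).decode("latin-1")
        user, _, password = decoded.partition(":")
        return user, password
    return None


if __name__ == "__main__":
    print("realm:", parse_realm(CHALLENGE))
    print("credentials on the wire:", decode_basic_credentials(CAPTURED_REQUEST))
```

This is why slide 6 pairs authentication with encryption (ssl): the same header over HTTPS is unreadable to a sniffer.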
Slide 9: Basic Authentication Line by Line
- You can keep authentication info in a <Directory> block in the httpd.conf or in an .htaccess file.
- First, specify the AuthType, which is Basic:
    AuthType Basic
- Next, specify the text string that will be displayed when the username/password box is presented to the user:
    AuthName "My Secret Webpages"
- Next, specify the path to a file that will contain the usernames and passwords of your users:
    AuthUserFile /home/apache/passwd.file
  (best to keep this file out of the DocumentRoot)
Slide 10: Basic Authentication, cont.
- Finally, add a require statement within a <Limit GET> block, which can limit the access to a specific username or group. This can contain a list of groups, user names, or the text valid-user to represent any valid user in the password file:
    <Limit GET>
    require valid-user
    </Limit>
Slide 11: Basic Authentication, cont.
- The final block looks like this:
    <Directory /home/iti1234/htdocs/restricted>
    AuthType Basic
    AuthName "My Secret Webpage"
    AuthUserFile /home/apache/passwd.file
    <Limit GET>
    require valid-user
    </Limit>
    </Directory>
- This will prompt a user for a username/password when any document under /home/iti1234/htdocs/restricted is requested.
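An added example, not from the course: a small Python audit that reads an httpd.conf fragment assembled from the directives on slides 5 and 9 through 11 and flags the settings those slides warn about (User root, ExecCGI/Includes in Options, a password file under DocumentRoot), plus one caveat the slides do not mention: a require placed inside <Limit GET> protects only GET (and HEAD), so other methods reach the directory without a password. The configuration text and paths are constructed for the example, and the line-based parsing is an assumption of the example, not how Apache itself parses.

```python
# Constructed httpd.conf fragment assembled from the directives on these
# slides, with weak settings left in (User root, ExecCGI/Includes, and a
# password file inside DocumentRoot) so that the checks have something to find.
SAMPLE_CONF = """\
User root
DocumentRoot /home/iti1234/htdocs
<Directory /home/iti1234/htdocs/restricted>
    Options ExecCGI Includes
    AuthType Basic
    AuthName "My Secret Webpage"
    AuthUserFile /home/iti1234/htdocs/restricted/passwd.file
    <Limit GET>
        require valid-user
    </Limit>
</Directory>
"""

def audit_httpd_conf(text):
    """Return findings against the hardening advice on slides 5, 9 and 10.
    Line-based parser (an assumption of this example, not how Apache parses):
    one directive per line, and DocumentRoot must precede AuthUserFile."""
    findings, blocks, docroot = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):  # closing tag: leave the current block
            if blocks:
                blocks.pop()
            continue
        if line.startswith("<"):   # opening tag such as <Directory ...> or <Limit GET>
            blocks.append(line[1:-1].split()[0].lower())
            continue
        name, _, arg = line.partition(" ")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "user" and arg == "root":
            findings.append("User root: httpd should run as an unprivileged user")
        elif name == "documentroot":
            docroot = arg.rstrip("/")
        elif name == "options":
            enabled = {o.lstrip("+").lower() for o in arg.split() if not o.startswith("-")}
            risky = sorted(enabled & {"execcgi", "includes"})
            if risky:
                findings.append("Options enables " + ", ".join(risky))
        elif name == "authuserfile" and docroot and arg.startswith(docroot + "/"):
            findings.append("AuthUserFile is inside DocumentRoot: " + arg)
        elif name == "require" and "limit" in blocks:
            findings.append("require is inside <Limit>: only the listed methods need a password")
    return findings
```

Moving the require line out of the <Limit> block makes every method require a password, which is what the exercise on slides 13 to 15 actually wants.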
Slide 12: Creating a Password File
- htpasswd is a utility for generating encrypted passwords and creating a password file.
- Part of the Apache distribution, located in SERVER_ROOT/bin/htpasswd
- Usage: htpasswd -c password-file username
- The -c flag creates a new password file.
- Example (type all on one line), which adds a user myname and creates a new password file:
    /home/iti1234/bin/htpasswd -c /home/iti1234/apache/passwdfile myname
Slide 13: Exercise: Password Protecting Your Website
- For this exercise, you will make the Website running on your workstation password restricted using a .htaccess file.
- In the directory container for your document root (/home/itiXXXX/apache/htdocs), in httpd.conf set the following:
    AllowOverride AuthConfig
Slide 14: Exercise, cont.
- In /home/itiXXXX/apache/htdocs, create a .htaccess file with the following contents:
    AuthUserFile /home/itiXXXX/apache/.htpasswd
    AuthGroupFile /dev/null
    AuthName "My Protected Site"
    AuthType Basic
    <Limit GET>
    require valid-user
    </Limit>
Slide 15: Exercise, cont.
- Next, create a password file using htpasswd:
    htpasswd -c /home/itiXXXX/apache/.htpasswd guest
- Provide the password for the guest user when prompted.
- Access your website (http://iti.rutgers.edu:PORT/) and provide the username/password.
Slide 16: Restrict Access by Location (Authorization)
- As discussed in Meeting 2, you can restrict access to web resources by IP address, hostname, domain name and IP block by using a <Directory> block in the httpd.conf or an .htaccess file:
    <Directory /home/itiXX/htdocs/restricted>
    order deny,allow
    deny from all
    allow from 165.230.30.68 .rutgers.edu
    </Directory>
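An added Python example, not from the course, that evaluates the block above the way Apache 1.3 decides access: it implements the Order deny,allow and allow,deny semantics and the four pattern kinds (all, full or partial IP, network/CIDR, domain name). Client hostnames are supplied directly (Apache would obtain them by reverse DNS), and the client addresses used are constructed. It also shows the trap with Order deny,allow: without the deny from all line, the default is to allow everyone.

```python
import ipaddress

# The access-control directives from the <Directory> block on this slide,
# as (directive, argument) pairs. Client hostnames are passed in directly;
# real Apache resolves them by reverse DNS before matching ".rutgers.edu".
SLIDE_DIRECTIVES = [
    ("order", "deny,allow"),
    ("deny", "from all"),
    ("allow", "from 165.230.30.68 .rutgers.edu"),
]


def host_matches(pattern, ip, hostname=None):
    """Apache 1.3 allow/deny patterns: all, full or partial IP, CIDR, domain."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:  # network/netmask or network/CIDR bits
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern[0].isdigit():  # 165.230 matches any 165.230.x.x address
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    # (partial) domain name: only whole label boundaries match, so
    # "rutgers.edu" matches "www.rutgers.edu" but not "notrutgers.edu"
    suffix = pattern.lstrip(".").lower()
    return hostname is not None and (
        hostname.lower() == suffix or hostname.lower().endswith("." + suffix))


def is_allowed(directives, ip, hostname=None):
    """Evaluate Order/Allow/Deny for one client the way Apache 1.3 does."""
    order, allowed, denied = "deny,allow", False, False
    for name, arg in directives:
        name = name.lower()
        if name == "order":
            order = arg.replace(" ", "").lower()
        elif name in ("allow", "deny"):
            patterns = arg.split()[1:]  # drop the leading "from"
            if any(host_matches(p, ip, hostname) for p in patterns):
                if name == "allow":
                    allowed = True
                else:
                    denied = True
    if order == "deny,allow":
        # Deny rules first, Allow rules override them; default is ALLOW,
        # which is why "deny from all" is essential in this slide's block.
        return allowed or not denied
    # "allow,deny" and "mutual-failure": Allow first, Deny overrides; default is deny
    return allowed and not denied
```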
Slide 17: Secure Socket Layer (SSL)
- Secure Socket Layer (SSL) is a technology developed by Netscape that can be used to encrypt data sent between the client and a server.
- Mainly used for secure Web-based online transactions: stops network eavesdroppers from listening to your personal information, credit card numbers, etc.
Slide 18: How SSL Works
- Client connects to the server.
- Server sends back a certificate that contains the server's public key.
- Server sends a digitally signed message encrypted with its private key. The client decrypts the message using the server's public key.
- Client uses the server's public key to encrypt a secret single key.
- The secret single key is used for encryption and decryption of all further communications between server and client.
Slide 19: Certificates and Certificate Authorities
- The weak link in SSL transactions is the initial communication between client and server. If the connection is made to an illegitimate server, the whole transaction is tainted.
- A certificate is used to pair a public key with an owner's identity.
- For this identity assertion to be trusted, the certificate must be signed by a Certificate Authority (CA) that independently verifies the identity of the owner of the server's public key.
- Web browsers only recognize the validity of certain certificate authorities.
Slide 20: Getting a Signed Certificate
- Web browsers will generate a warning when accessing an SSL-enabled site that uses a certificate that hasn't been signed by a recognized authority.
- Certificate Authorities:
  - Verisign (http://www.verisign.com): price for a 40-bit SSL certificate $349; owned by Network Solutions
  - Thawte (http://www.thawte.com): price for a 40-bit SSL certificate $125; now owned by Verisign
- You will need to provide a CSR (Certificate Signing Request) plus other documentation verifying that you are who you say you are and that you own the domain specified in the CSR.
Slide 21: Apache with SSL Options
- Commercial Solutions
  - StrongHold Server (http://www.c2.net/products/sh2): price $995 (includes a certificate signed by Thawte)
  - Raven SSL Module (http://www.covalent.net/raven): price $357
  - Red Hat Secure Web Server (Linux only, http://www.redhat.com): price $150 (part of Red Hat Professional Edition)
- Non-Commercial Solutions
  - Apache-SSL: http://www.apache-ssl.org
  - Interface to OpenSSL (mod_ssl): http://www.modssl.org and http://www.openssl.org
Slide 22: Other Non-Apache SSL Servers
- SSL capabilities are built into other major web servers:
  - Microsoft IIS
  - Sun Java WebServer
  - O'Reilly WebSite
Slide 23: Apache SSL Configuration
- SSL configuration for Apache-based web servers differs greatly, depending on the SSL distribution you are using. Check the documentation for each distribution.
- Generally, SSL setup and configuration is easier with commercial distributions.
- Using a non-commercial SSL distribution (mod_ssl, Apache-SSL) usually requires you to install libraries on your system, re-compile Apache and add special configuration lines to the httpd.conf.
Slide 24: Apache Performance Tuning Issues
- Three rules of thumb:
  - Make sure your server has enough physical resources: fast disk and enough RAM.
  - Make sure you have enough bandwidth.
  - Make Apache do as little work as it has to do.
Slide 25: Server Requirements
- Generally, the more requests your server has to handle concurrently, the more horsepower it must have.
  - More requests = more access to disk (get lots of fast disk)
  - More requests = more Apache processes = more RAM (get lots of RAM)
Slide 26: Assessing Apache RAM Requirements
- Apache will create a number of child processes upon startup and create more of them as needed.
  - 1 child process is required for each client request.
- Generally, each Apache child process will take up 2-5 MB of RAM. Therefore, you can make RAM estimates:
    RAM Usage = (Apache Process Size) x (Max concurrent users)
- Using dynamic content like CGI scripts, Server Side Includes, etc. will require more memory and CPU power.
Slide 27: RAM Requirements, cont.
- If you expect a maximum of 25 simultaneous requests to your server and the size of each Apache process is 4 MB, you will need at least 100 MB dedicated to Apache.
- The size of each Apache process will vary from machine to machine, depending on the modules used, the machine architecture, etc.
- You can assess the real size of your Apache process (httpd) by using a system monitoring utility like top.
Slide 28: Bandwidth Requirements
- It's important to know whether you have enough bandwidth to handle your web requests.
- The fatter the pipe, the quicker contents can be delivered.
- Requirements differ depending on contents: rich multimedia (many graphics, streaming audio/video) requires more bandwidth.
- Other network concepts such as website latency can play into overall website performance.
Slide 29: Making Apache Do As Little as Possible
- Removing features from Apache during compilation and from the httpd.conf after compilation can help increase Apache's performance and reduce its memory requirements.
- Compiling in additional and/or unnecessary modules can slow Apache's performance and increase memory requirements.
Slide 30: Resources on Apache Performance Tuning
- Book: Web Performance Tuning: Speeding Up the Web, Killelea, O'Reilly 1998
- CU's white paper on Apache Performance Tuning
- Apache performance notes: http://httpd.apache.org/docs/misc/perf-tuning.html (some very detailed, low-level technical details)