Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning

Provided by: cjuri
Slides: 31

1
Meeting 4: Advanced Topics, Continued: Securing
the Apache Server and Apache Performance Tuning
  • Rutgers University Internet Institute
  • Instructor: Chris Uriarte (CU520-03)

2
Today's Session
  • Protecting your Web server against attacks.
  • Providing authenticated access to your Web site.
  • Overview of SSL-enabled Web Servers
  • Apache Performance Tuning
  • Wrap-up and Evaluations

3
Levels of Web Server Security
  • Protecting data supplied through client browsers.
  • Protecting or restricting access to data stored
    on your Web server.
  • Protecting the Web server software.
  • Protecting the server that houses your Web
    server.

4
Common Attacks on Systems that Run Web Servers
  • CGI exploits
      • Badly written or buggy web applications (CGI
        programs) allow access to restricted resources
        or consume server resources.
  • DoS (Denial of Service)
  • Software or operating system server exploits
  • Packet sniffers
      • Hackers sniff clear-text passwords
  • Buffer overflows
      • Attacks that cause a piece of software to crash
        and possibly give unprivileged users privileged
        access

5
Securing Your Web Server
  • Restrict access (by location or authentication)
    to file systems and resources.
      • Password or IP authentication/authorization
  • Disable server-side technologies if they are not
    required.
      • Disable CGI access and Server Side Includes
      • Remove ExecCGI and Includes from the Options
        directive of your httpd.conf
  • Do not run your server as root.
      • The User directive in the httpd.conf should
        specify a user other than root (e.g. nobody, www,
        etc.)

6
Securing Your Web Server, cont.
  • Filter traffic with a firewall.
      • A network device that only allows access to
        particular resources on a network
  • Use encryption technologies (SSH, SSL).
  • Monitor your logs for problems.
  • Secure the system that hosts your Web server:
    disable ports and services not in use, install
    security patches, take preventative measures
    against popular exploits.
      • Websites like http://www.cert.org and
        www.securityfocus.com have information on
        current exploits

7
Access by Authentication
  • Standard Authentication Modules: mod_auth,
    mod_auth_anon, mod_auth_dbm, mod_auth_db,
    mod_digest
  • Access in Apache can be defined by user or group
  • For Basic Authentication:
        <Directory /home/iti1234/htdocs/restricted>
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /usr/local/apache/passwd.file
        AuthGroupFile /usr/local/apache/group.file
        require user user1
        require group group1 group2
        </Directory>

8
Authentication, cont.
  • Authenticated access is often set up through a
    .htaccess file in the directory you want to
    protect, but can also be set up via httpd.conf.
  • Passwords are sent in the clear with Basic
    authentication.

9
Basic Authentication Line by Line
  • You can keep authentication info in a <Directory>
    block in the httpd.conf or in an .htaccess file
  • First, specify the AuthType, which is Basic:
        AuthType Basic
  • Next, specify the text string that will be
    displayed when the username/pw box is presented
    to the user:
        AuthName "My Secret Webpages"
  • Next, specify the path to a file that will
    contain the usernames and passwords of your
    users:
        AuthUserFile /home/apache/passwd.file
    (best to keep this file out of the DocumentRoot)

10
Basic Authentication cont.
  • Finally, add a require statement within a
    <Limit GET> block, which can limit the access to a
    specific username or group. This can contain a
    list of groups, user names or the text
    valid-user to represent any valid user in the
    password file:
        <Limit GET>
        require valid-user
        </Limit>

11
Basic Authentication cont
  • The final block looks like this:
        <Directory /home/iti1234/htdocs/restricted>
        AuthType Basic
        AuthName "My Secret Webpage"
        AuthUserFile /home/apache/passwd.file
        <Limit GET>
        require valid-user
        </Limit>
        </Directory>
  • which will prompt a user for a username/pw when
    any document under /home/iti1234/htdocs/restricted
    is requested.

12
Creating a Password File
  • htpasswd is a utility for generating encrypted
    passwords and creating a password file
  • Part of the Apache distribution, located in
    SERVER ROOT/bin/htpasswd
  • Usage: htpasswd -c password-file username
  • The -c flag creates a new password file.
  • Example: adds a user myname and creates a new
    password file (type all on one line):
        /home/iti1234/bin/htpasswd -c /home/iti1234/apache/passwdfile username

13
Exercise Password Protecting Your Website
  • For this exercise, you will make the Website
    running on your workstation password-restricted
    using a .htaccess file.
  • In the directory container for your document root
    (/home/itiXXXX/apache/htdocs), in httpd.conf set
    the following:
        AllowOverride AuthConfig

14
Exercise, cont
  • In /home/itiXXXX/apache/htdocs, create a .htaccess
    file with the following contents:
        AuthUserFile /home/itiXXXX/apache/.htpasswd
        AuthGroupFile /dev/null
        AuthName "My Protected Site"
        AuthType Basic
        <Limit GET>
        require valid-user
        </Limit>

15
Exercise, cont.
  • Next, create a password file using htpasswd:
        htpasswd -c /home/itiXXXX/apache/.htpasswd guest
  • Provide the password for the guest user when
    prompted.
  • Access your website (http://iti.rutgers.edu:PORT/)
    and provide the username/password.
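As an added example (not part of the slides), the following Python shows what the server does with a Basic-authentication request: it decodes the Authorization header, which is only base64-encoded and is therefore readable by any packet sniffer (the "sent in the clear" point from slide 8), and checks the password against an htpasswd-style file in the {SHA} format that htpasswd writes with its -s flag. The user, password and header value are constructed for this example.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials for this example (not a real account).
SAMPLE_USER, SAMPLE_PASSWORD = "guest", "s3cret"
SAMPLE_HEADER = "Basic Z3Vlc3Q6czNjcmV0"  # base64("guest:s3cret"), as a browser sends it

def sha1_htpasswd_entry(username: str, password: str) -> str:
    """Build a 'user:{SHA}base64(sha1(password))' line, the format htpasswd -s writes."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode()}"

SAMPLE_HTPASSWD = sha1_htpasswd_entry(SAMPLE_USER, SAMPLE_PASSWORD) + "\n"  # constructed file

def load_htpasswd(text: str) -> dict:
    """Parse htpasswd lines into {user: stored_hash}; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def decode_basic_header(header: str):
    """Return (user, password) from a 'Basic <token>' value, or None if it is malformed.
    The token is plain base64, not encryption: a packet sniffer recovers it directly."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bytes that are not valid UTF-8
        return None
    return (user, password) if sep else None

def check_credentials(users: dict, user: str, password: str) -> bool:
    """Recompute the {SHA} hash and compare in constant time; other formats are rejected."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = sha1_htpasswd_entry(user, password).split(":", 1)[1]
    return secrets.compare_digest(stored, candidate)

def authorize(htpasswd_text: str, header: str) -> bool:
    """What the server does per request: decode the header, then check the password file."""
    creds = decode_basic_header(header)
    return creds is not None and check_credentials(load_htpasswd(htpasswd_text), *creds)
```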

16
Restrict Access by Location Authorization
  • As discussed in Meeting 2, you can restrict
    access to web resources by IP address, hostname,
    domain name and IP block by using a <Directory>
    block in the httpd.conf or an .htaccess file:
        <Directory /home/itiXX/htdocs/restricted>
        order deny,allow
        deny from all
        allow from 165.230.30.68 .rutgers.edu
        </Directory>

17
Secure Socket Layer (SSL)
  • Secure Socket Layer (SSL) is a technology
    developed by Netscape that can be used to encrypt
    data sent between the client and a server.
  • Mainly used for secure Web-based online
    transactions; stops network eavesdroppers from
    listening in on your personal information, credit
    card numbers, etc.

18
How SSL Works
  • Client connects to the server.
  • Server sends back a certificate that contains the
    server's public key.
  • Server sends a digitally signed message
    encrypted with its private key. The client
    decrypts the message using the server's public
    key.
  • Client uses the server's public key to encrypt a
    secret single key.
  • The secret single key is used for encryption and
    decryption of all further communications between
    server and client.

19
Certificates and Certificate Authorities
  • The weak link in SSL transactions is the initial
    communication between client and server. If a
    connection is made to an illegitimate server, the
    whole transaction is tainted.
  • A certificate is used to pair a public key with
    an owner's identity.
  • For this identity assertion to be trusted, the
    certificate must be signed by a Certificate
    Authority (CA) that independently verifies the
    identity of the owner of the server's public key.
  • Web browsers only recognize the validity of
    certain certificate authorities.

20
Getting a Signed Certificate
  • Web browsers will generate a warning when
    accessing an SSL-enabled site that uses a
    certificate that hasn't been signed by a
    recognized authority.
  • Certificate Authorities:
      • Verisign (http://www.verisign.com): price for a
        40-bit SSL certificate $349 (owned by
        NetworkSolutions)
      • Thawte (http://www.thawte.com): price for a
        40-bit SSL certificate $125 (now owned by
        Verisign)
  • You will need to provide a CSR (Certificate Signing
    Request) plus other documentation verifying that
    you are who you say you are and that you own the
    domain specified in the CSR.

21
Apache with SSL Options
  • Commercial Solutions:
      • StrongHold Server (http://www.c2.net/products/sh2):
        price $995 (includes certificate signed by
        Thawte)
      • Raven SSL Module (http://www.covalent.net/raven):
        price $357
      • Red Hat Secure Web Server (Linux only,
        http://www.redhat.com): price $150 (part of Red
        Hat Professional Edition)
  • Non-Commercial Solutions:
      • Apache-SSL: http://www.apache-ssl.org
      • Interface to OpenSSL (mod_ssl):
        http://www.modssl.org and http://www.openssl.org

22
Other Non-Apache SSL Servers
  • SSL capabilities are built into other major web
    servers:
      • Microsoft IIS
      • Sun Java WebServer
      • O'Reilly WebSite

23
Apache SSL Configuration
  • SSL configuration for Apache-based web servers
    differs greatly, depending on the SSL
    distribution you are using. Check the
    documentation for each distribution.
  • Generally, SSL setup and configuration is easier
    with commercial distributions.
  • Using a non-commercial SSL distribution (mod_ssl,
    Apache-SSL) usually requires you to install
    libraries on your system, re-compile Apache and
    add special configuration lines to the httpd.conf.

24
Apache Performance Tuning Issues
  • Three rules of thumb:
      • Make sure your server has enough physical
        resources: fast disk and enough RAM
      • Make sure you have enough bandwidth
      • Make Apache do as little work as it has to.

25
Server Requirements
  • Generally, the more requests your server has to
    handle concurrently, the more horsepower it must
    have.
  • More requests -> more disk access (get lots of
    fast disk)
  • More requests -> more Apache processes -> more RAM
    (get lots of RAM)

26
Assessing Apache RAM Requirements
  • Apache will create a number of child processes
    upon startup and create more of them as needed.
  • 1 child process is required for each client request
  • Generally, each Apache child process will take up
    2-5 MB of RAM. Therefore, you can make RAM
    estimates:
        RAM Usage = (Apache Process Size) x (Max concurrent users)
  • Using dynamic content like CGI scripts, Server
    Side Includes, etc. will require more memory and
    CPU power.

27
RAM Requirements, etc.
  • If you expect a maximum of 25 simultaneous
    requests to your server and the size of each
    Apache process is 4MB, you will need at least
    100MB dedicated to Apache.
  • The size of each Apache process will vary from
    machine to machine, depending on the modules
    used, the machine architecture, etc.
  • You can assess the real size of your Apache
    process (httpd) by using a system monitoring
    utility like top.
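To make the estimate on these two slides concrete, this added Python (not from the slides) pulls the resident size of each httpd child out of a process listing, takes the largest child as the per-process size, applies the RAM Usage formula for a given number of simultaneous requests, and turns a RAM budget back into the number of requests it covers. The ps output is constructed for the example and its column layout (pid, rss in KB, command) is an assumption.

```python
# Constructed sample of `ps -eo pid,rss,comm` output (RSS in KB); not from a real server.
SAMPLE_PS = """\
  PID   RSS COMMAND
    1  1200 init
  812  3900 httpd
  813  4100 httpd
  814  4300 httpd
  815  4000 httpd
  816  3700 httpd
  900  2500 sshd
"""

KB_PER_MB = 1024

def httpd_rss_kb(ps_output: str, name: str = "httpd") -> list:
    """Collect the RSS column (KB) of every process whose command name matches."""
    sizes = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[2] == name:
            sizes.append(int(parts[1]))
    return sizes

def ram_estimate_mb(process_size_mb: float, max_concurrent: int) -> float:
    """The slide's rule: RAM Usage = (Apache Process Size) x (Max concurrent users)."""
    return process_size_mb * max_concurrent

def max_concurrent_for_budget(process_size_mb: float, budget_mb: float) -> int:
    """Invert the rule: how many simultaneous requests a given amount of RAM covers."""
    return int(budget_mb // process_size_mb)

def plan_from_ps(ps_output: str, max_concurrent: int, budget_mb: float) -> dict:
    """Size Apache from a live process listing. Uses the largest child, not the average,
    so the estimate errs on the safe side (modules and dynamic content make children grow)."""
    sizes = httpd_rss_kb(ps_output)
    if not sizes:
        raise ValueError("no httpd processes found in ps output")
    per_process_mb = max(sizes) / KB_PER_MB
    needed_mb = ram_estimate_mb(per_process_mb, max_concurrent)
    return {
        "children_seen": len(sizes),
        "per_process_mb": round(per_process_mb, 2),
        "needed_mb": round(needed_mb, 1),
        "fits_budget": needed_mb <= budget_mb,
        "max_concurrent_in_budget": max_concurrent_for_budget(per_process_mb, budget_mb),
    }
```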

28
Bandwidth Requirements
  • It's important to know whether you have enough
    bandwidth to handle your web requests.
  • The fatter the pipe, the quicker content can be
    delivered.
  • Requirements differ depending on content: rich
    multimedia (many graphics, streaming audio/video)
    requires more bandwidth.
  • Other network factors such as website latency
    can play into overall website performance.

29
Making Apache Do As Little as Possible.
  • Removing features from Apache during compilation,
    and from the httpd.conf after compilation, can
    help improve Apache's performance and reduce its
    memory requirements.
  • Compiling in additional and/or unnecessary
    modules can slow Apache's performance and
    increase memory requirements.

30
Resources on Apache Performance Tuning
  • Book: Web Performance Tuning: Speeding Up the
    Web, Killelea, O'Reilly 1998
  • CU's white paper on Apache Performance Tuning
  • Apache performance notes:
    http://httpd.apache.org/docs/misc/perf-tuning.html
    (some very detailed, low-level technical details)