Network Security Hacks [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Network Security Hacks [Electronic resources] - نسخه متنی

Andrew Lockhart

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Network Security Hacks

Table of Contents

Copyright

Credits

About the Author

Contributors

Acknowledgments

Preface

Why Network Security Hacks?

How This Book Is Organized

Conventions Used in This Book

Using Code Examples

How to Contact Us

Got a Hack?

Chapter 1. Unix Host Security

Hacks #1-20

Hack 1 Secure Mount Points

Hack 2 Scan for SUID and SGID Programs

Hack 3 Scan For World- and Group-Writable Directories

Hack 4 Create Flexible Permissions Hierarchies with POSIX ACLs

Hack 5 Protect Your Logs from Tampering

Hack 6 Delegate Administrative Roles

Hack 7 Automate Cryptographic Signature Verification

Hack 8 Check for Listening Services

Hack 9 Prevent Services from Binding to an Interface

Hack 10 Restrict Services with Sandboxed Environments

Hack 11 Use proftp with a MySQL Authentication Source

Hack 12 Prevent Stack-Smashing Attacks

Hack 13 Lock Down Your Kernel with grsecurity

Hack 14 Restrict Applications with grsecurity

Hack 15 Restrict System Calls with Systrace

Hack 16 Automated Systrace Policy Creation

Hack 17 Control Login Access with PAM

Hack 18 Restricted Shell Environments

Hack 19 Enforce User and Group Resource Limits

Hack 20 Automate System Updates

Chapter 2. Windows Host Security

Hacks #21-30

Hack 21 Check Servers for Applied Patches

Hack 22 Get a List of Open Files and Their Owning Processes

Hack 23 List Running Services and Open Ports

Hack 24 Enable Auditing

Hack 25 Secure Your Event Logs

Hack 26 Change Your Maximum Log File Sizes

Hack 27 Disable Default Shares

Hack 28 Encrypt Your Temp Folder

Hack 29 Clear the Paging File at Shutdown

Hack 30 Restrict Applications Available to Users

Chapter 3. Network Security

Hacks #31-53

Hack 31 Detect ARP Spoofing

Hack 32 Create a Static ARP Table

Hack 33 Firewall with Netfilter

Hack 34 Firewall with OpenBSD's PacketFilter

Hack 35 Create an Authenticated Gateway

Hack 36 Firewall with Windows

Hack 37 Keep Your Network Self-Contained

Hack 38 Test Your Firewall

Hack 39 MAC Filtering with Netfilter

Hack 40 Block OS Fingerprinting

Hack 41 Fool Remote Operating System Detection Software

Hack 42 Keep an Inventory of Your Network

Hack 43 Scan Your Network for Vulnerabilities

Hack 44 Keep Server Clocks Synchronized

Hack 45 Create Your Own Certificate Authority

Hack 46 Distribute Your CA to Clients

Hack 47 Encrypt IMAP and POP with SSL

Hack 48 Set Up TLS-Enabled SMTP

Hack 49 Detect Ethernet Sniffers Remotely

Hack 50 Install Apache with SSL and suEXEC

Hack 51 Secure BIND

Hack 52 Secure MySQL

Hack 53 Share Files Securely in Unix

Chapter 4. Logging

Hacks #54-60

Hack 54 Run a Central Syslog Server

Hack 55 Steer Syslog

Hack 56 Integrate Windows into Your Syslog Infrastructure

Hack 57 Automatically Summarize Your Logs

Hack 58 Monitor Your Logs Automatically

Hack 59 Aggregate Logs from Remote Sites

Hack 60 Log User Activity with Process Accounting

Chapter 5. Monitoring and Trending

Hacks #61-66

Hack 61 Monitor Availability

Hack 62 Graph Trends

Hack 63 Run ntop for Real-Time Network Stats

Hack 64 Audit Network Traffic

Hack 65 Collect Statistics with Firewall Rules

Hack 66 Sniff the Ether Remotely

Chapter 6. Secure Tunnels

Hacks #67-81

Hack 67 Set Up IPsec Under Linux

Hack 68 Set Up IPsec Under FreeBSD

Hack 69 Set Up IPsec in OpenBSD

Hack 70 PPTP Tunneling

Hack 71 Opportunistic Encryption with FreeS/WAN

Hack 72 Forward and Encrypt Traffic with SSH

Hack 73 Quick Logins with SSH Client Keys

Hack 74 Squid Proxy over SSH

Hack 75 Use SSH as a SOCKS Proxy

Hack 76 Encrypt and Tunnel Traffic with SSL

Hack 77 Tunnel Connections Inside HTTP

Hack 78 Tunnel with VTun and SSH

Hack 79 Automatic vtund.conf Generator

Hack 80 Create a Cross-Platform VPN

Hack 81 Tunnel PPP

Chapter 7. Network Intrusion Detection

Hacks #82-95

Hack 82 Detect Intrusions with Snort

Hack 83 Keep Track of Alerts

Hack 84 Real-Time Monitoring

Hack 85 Manage a Sensor Network

Hack 86 Write Your Own Snort Rules

Hack 87 Prevent and Contain Intrusions with Snort_inline

Hack 88 Automated Dynamic Firewalling with SnortSam

Hack 89 Detect Anomalous Behavior

Hack 90 Automatically Update Snort's Rules

Hack 91 Create a Distributed Stealth Sensor Network

Hack 92 Use Snort in High-Performance Environments with Barnyard

Hack 93 Detect and Prevent Web Application Intrusions

Hack 94 Simulate a Network of Vulnerable Hosts

Hack 95 Record Honeypot Activity

Chapter 8. Recovery and Response

Hacks #96-100

Hack 96 Image Mounted Filesystems

Hack 97 Verify File Integrity and Find Compromised Files

Hack 98 Find Compromised Packages with RPM

Hack 99 Scan for Root Kits

Hack 100 Find the Owner of a Network

Colophon

Index

index_SYMBOL

index_A

index_B

index_C

index_D

index_E

index_F

index_G

index_H

index_I

index_J

index_K

index_L

index_M

index_N

index_O

index_P

index_R

index_S

index_T

index_U

index_V

index_W

index_X

index_Z

توضیحات
افزودن یادداشت جدید









Hack 50 Install Apache with SSL and suEXEC



Help secure your web applications with mod_ssl
and suEXEC.


Web
server security is a
very important
issue these days, especially since people are always finding new and
creative ways to put the Web to use. If you''re using
any sort of web application that needs to handle authentication or
provides some sort of restricted information, you should seriously
consider installing a web server with SSL capabilities. Without SSL,
any authentication information your users send to the web server is
sent over the network in the clear, and any information that clients
can access can be viewed by anyone with a sniffer. If you are already
using Apache, you can easily add SSL capabilities with
mod_ssl (http://www.modssl.org).


In addition, if your web server serves up dynamic content for
multiple users, you may want to enable Apache''s
suEXEC
functionality. suEXEC allows your web server to execute server-side
scripts as the user that owns them, rather than as the account under
which the web server is running. Otherwise, any user could create a
script and run code as the account the web server is running under.
This is a bad thing, particularly on a multiuser web server. If you
don''t review the scripts that your users write
before allowing them to be run, they could very well write code that
allows them to access other users'' data or other
sensitive information, such as database accounts and passwords.


To compile Apache
with mod_ssl, download the appropriate
mod_ssl source distribution for the version of
Apache that you''ll be using. (If you
don''t want to add mod_ssl to an
existing Apache source tree, you will also need to download and
unpack the Apache source.) After you''ve done that,
unpack the mod_ssl distribution and go into the
directory that it created. Then run a command like this:


# ./configure \ 
--with-apache=../apache_1.3.29 \ 
--with-ssl=SYSTEM \ 
--prefix=/usr/local/apache \ 
--enable-module=most \ 
--enable-module=mmap_static \ 
--enable-module=so --enable-shared=ssl
 --disable-rule=SSL_COMPAT --server-uid=www 
--server-gid=www --enable-suexec --suexec-caller=
www --suexec-uidmin=500 --suexec-gidmin=500


This will both patch the Apache source tree with extensions provided
with mod_ssl and configure Apache for the build
process.


You will probably need to change a number of options in order to
build Apache. The directory specified in the
--with-apache switch should point to the directory
that contains the Apache source code for the version that you are
building. In addition, if you want to use a version of
OpenSSL that has not been installed
yet, specify the location of its build tree with the
--with-ssl switch. If you elect to do that, you
should configure and build OpenSSL in the specified directory before
attempting to build Apache and mod_ssl. The
--server-uid and --server-gid
switches are used to specify what user and group the web server will
run under. Apache defaults to the
"nobody" account.
However, many programs that can be configured to drop their
privileges also default to the nobody account; if you end up
accepting these defaults with every program, the nobody account can
become quite privileged. So, it is recommended that you create a
separate account for every program that provides this option.


The remaining options enable and configure Apache''s
suEXEC. To provide the suEXEC
functionality, Apache uses a SUID wrapper program to
execute users'' scripts. This wrapper program makes
several checks before it will allow a program to execute. One thing
that the wrapper checks is the UID of the process that invoked it. If
it is not the account that was specified with the
--suexec-caller option, then execution of the
user''s script will abort. Since the suEXEC wrapper
will be called by the web server, this option should be set to the
same value as --server-uid. Additionally, since
most privileged accounts and groups on a system usually all have a

UID and GID beneath a certain value, the
suEXEC wrapper will check to see if the UID or GID of the process
invoking it is less than this threshold. For this to work, you must
specify the appropriate value for your system. In this example,
Apache and mod_ssl are being built on a Red Hat
system, which starts regular user accounts and groups at UID and GID
500. In addition to these checks, suEXEC performs a multitude of
other checks, such as ensuring that the script is writable only by
the owner, that the owner is not root, and that the script is not
SUID or SGID.


After the configure script completes, change to the directory that
contains the Apache source code and run make and
make install. You can run make
certificates if you would like to generate an SSL
certificate to test out your
installation. You can also run make certificate
TYPE=custom to generate a certificate signing request to be
signed by either a commercial Certificate Authority or your own CA.
See [Hack #45]
if you would like to run your own Certificate Authority.


After installing Apache, you can start it by running this command:


# /usr/local/apache/bin/apachectl startssl


If you want to start out by testing it without SSL, run this:


# /usr/local/apache/bin/apacectl start


You can then verify that suEXEC support is enabled by running this
command:


# grep suexec /usr/local/apache/logs/error_log
[Thu Jan  1 16:48:17 2004] [notice] suEXEC mechanism enabled (wrapper: 
/usr/local/apache/bin/suexec)


Now add a Directory entry similar to this to
enable CGI scripts for user directories:


<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch Includes ExecCGI
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>


In addition, add this line to enable CGI scripts outside of the
ScriptAlias directories:


AddHandler cgi-script .cgi


After you''ve done that, you can restart Apache by
running this:


# /usr/local/apache/bin/apachectl restart


Now test out suEXEC with a simple script that runs the
id command, which will print out
information about the user the script is executed as:


#!/bin/sh
echo -e "Content-Type: text/plain\r\n\r\n"
/usr/sbin/id


Put this script in a directory such as
/usr/local/apache/cgi-bin, name it
suexec-test.cgi, and make it executable. Now
enter the URL for the script (i.e., http://webserver/cgi-bin/suexec-test.cgi)
into your favorite web browser. You should see something like this:


uid=80(www) gid=80(www) groups=80(www)


As you can see, it is being executed as the same user that the web
server runs as.


Now copy the script into a user''s
public_html directory:


$ mkdir public_html && chmod 711 ~/ ~/public_html
$ cp /usr/local/apache/cgi-bin/suexec-test.cgi .


After you''ve done that, enter the URL for the script
(i.e., http://webserver/~user/suexec-test.cgi) in
your web browser. You should see something similar to this:


uid=500(andrew) gid=500(andrew) groups=500(andrew)


In addition to handling scripts in users'' private
HTML directories, suEXEC can also execute scripts as another user
within a virtual host. However, to do this, you
will need to create all of your virtual host''s
directories beneath the web server''s document root
(i.e., /usr/local/apache/htdocs). When doing
this, you can configure what user and group the script will execute
as by using the

User and
Group configuration directives within the
VirtualHost statement.


For example:


<VirtualHost>
User myuser
Group mygroup
DocumentRoot /usr/local/apache/htdocs/mysite
...
</VirtualHost>


Unfortunately, suEXEC is incompatible with
mod_perl and
mod_php because the modules run within the Apache
process itself instead of a separate program. Since the Apache
process is running as a nonroot user it cannot change the UID under
which the scripts execute. suEXEC works by having Apache call a
special SUID wrapper (e.g.,
/usr/local/apache/bin/suexec) that can only be
invoked by Apache processes. If you care to make the
security/performance trade-off by using suEXEC but still need to run
Perl scripts, you can do so through the standard

CGI
interface. Just as with Perl, you can also run PHP programs through
the CGI interface, but you''ll have to create a
php binary and specify it as the interpreter in
all the PHP scripts you wish to execute through suEXEC. You can also
execute your scripts through mod_perl or
mod_php by locating them outside the directories
where suEXEC will work.


/ 158