Security Enhanced Web Application Server
This VM Image is a web server designed for security of the operating system, daemons, and any web applications and websites.
Description
**We apologize that the formatting appears so poorly in plaintext format. A word/OO document of this info is stored in the compressed archive**
1 Introduction
Web applications have become fairly common in the computing world due to their scalability, accessibility, flexibility, and centralized management. Both open source web applications and “in-house” web applications are employed by corporate institutions, home users, and academic institutions to fulfill a variety of needs, from group collaboration and forums to webmail access.
One of the greatest risks with web based applications is that they are often targeted for attacks, since web application development is a relatively new field and many holes exist. Web apps are vulnerable at several points including the web server OS, the HTTP and database services, the language that the program was written in, and the application itself. It is a challenge to build a server to host web applications in a secure manner since there are so many points for failure. Constructing a secure web server requires significant time, effort, and knowledge.
The Security Enhanced Web Application Server is a VMware image that has been designed with many operating system and web application protection measures by default. By using this image, web developers and system administrators can host a web application quickly and know that security is in place to protect the server and the information that the server is hosting and processing.
----------
2 Network Overview
Server OS: OpenSuSE 10.1 (Linux Kernel 2.6.16.13-4)
Services:
Apache 2.2.0-21
PHP 5.1.2-27
MySQL 5.0.18-16
VSFTPD 2.0.4-16
AppArmor 2.0
This virtual appliance can be run on a bridged or NAT connection. By default it has been designed for a bridged connection with DHCP enabled, since this is the least secure configuration from a networking standpoint.
To use this appliance, do the following:
1. Uncompress the image and start it up. You may adjust the required memory; we chose 256 MB by default because this is running a database, which requires more resources.
2. Log in as root, password = vmware.
3. Change the password for root and webadmin to something more complex. We suggest the passwords be different, eight characters, and contain capital and lowercase letters, plus numbers and/or special characters.
4. Use yast to change the network settings to use a static address (if necessary). To do this type in the command "yast" and then when the text GUI loads, go to Network Devices > Network Card. Don't forget to set a name server and default gateway.
5. Install your web application or website in /srv/www/htdocs/. You may replace the default HTML page.
6. See the section regarding the Apache configuration (section 3.8) with details on setting up SSL. This is a complex task in some respects, and there are entire howtos on how to accomplish this. There are simplified instructions in this section.
7. Patch the OS for any vulnerabilities. SuSE is extremely good about releasing patches, so check periodically. Automatic updating is not enabled because in general patching servers is done during a planned change window. To patch the OS using YAST, refer to the howto movie on patching.
8. Read this entire document! This is very important, since there are important notes about possible configuration decisions.
9. View howtos as necessary. Howtos are located in the “howto” folder, and show you quick demos on how to leverage YAST.
----------
3 OS Configuration Changes
This section highlights the changes that I made to the OS and services to make administration simpler and/or more secure.
3.1 Created users “root” and “webadmin”
username: root, webadmin
password: vmware
Please change the password; it is not secure. It is merely a default password for users of this appliance, and you are placing your system at great risk by not changing it.
3.2 Created the /etc/issue as a basic access disclaimer
When anyone logs in locally or over SSH, they must view the disclaimer below before authenticating.
This is a restricted server, only authorized users are permitted to access this resource.
3.3 Enabled online installation sources
Mirrors.kernel.org has been added as an installation source, so that CDs are no longer necessary.
3.4 Changed services that start on boot
Disabled: nfs, nfsboot, portmap, powersaved, alsasound
Enabled: mysqld, apache2
3.5 Patched the OS
One of the easiest and most reliable operations in SuSE is patching. To patch, simply run the command “yast” from command-line. In the “Software” category there is an option to run an “online update”. Select this option and YAST will check for updates, let you know which ones are available for installed software, and automatically select to install security related patches.
3.6 Firewall changes
Enabled external requests from anywhere to the following ports:
1. 80 (HTTP)
2. 443 (HTTPS)
3. 22 (SSH)
Security recommendations:
Remove port 22 (SSH) if you do not want to allow remote access.
Only allow ports 20, 21 if you desire FTP access. Alternatively, SSH is a more secure way to transmit data since it requires a local account.
3.7 SSH service installed and started by default
By default, root cannot log into the system remotely. This is why the user “webadmin” was created. This should protect against brute-force login attacks.
3.8 Apache2
Created a default web page
Removed the following modules: CGI, userdir, autoindex, asis, imagemap
Added modules: ldap, security, apparmor
Disabled Apache from printing the server information at the bottom of error pages. This makes service fingerprinting more difficult.
SSL has not been enabled by default because it requires the domain to be correct, which cannot be predetermined. To configure apache with SSL support, do the following items:
1. Enable the SSL module by opening /etc/sysconfig/apache2 and appending “ssl” to the APACHE_MODULES variable.
2. While in /etc/sysconfig/apache2, change “APACHE_SERVER_FLAGS” to equal “SSL”.
3. Follow the directions in the apache2 online documentation to create a server CA (if not using Verisign, Thawte, or the like) and server public/private key.
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
Another preferred resource is the following:
http://www.tc.umn.edu/~brams006/selfsign.html
4. You may need to edit “/etc/apache2/vhost.d/vhost-ssl.conf” (although it should work without needing to).
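Steps 1 to 3 above expressed as shell functions; this is an added example, not part of the appliance or the original page. The function names and the 365-day certificate lifetime are assumptions, and the key and certificate paths should be the ones named by SSLCertificateKeyFile and SSLCertificateFile in vhost-ssl.conf.

```sh
# Added example (not part of the appliance). The file is a path argument so
# the edit can be rehearsed on a copy of /etc/sysconfig/apache2.

# Steps 1-2: append "ssl" to APACHE_MODULES (once) and set
# APACHE_SERVER_FLAGS="SSL". Safe to run repeatedly.
enable_ssl_sysconfig() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^APACHE_MODULES=/ {
            val = $0
            sub(/^APACHE_MODULES="?/, "", val); sub(/"?[ \t]*$/, "", val)
            if ((" " val " ") !~ / ssl /) val = (val == "" ? "ssl" : val " ssl")
            print "APACHE_MODULES=\"" val "\""; next
        }
        /^APACHE_SERVER_FLAGS=/ { print "APACHE_SERVER_FLAGS=\"SSL\""; seen = 1; next }
        { print }
        END { if (!seen) print "APACHE_SERVER_FLAGS=\"SSL\"" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Step 3 (self-signed case): 2048-bit RSA key and certificate whose CN is the
# server's real DNS name; the key file is created readable by owner only.
make_selfsigned_cert() {   # $1=fqdn $2=key path $3=cert path
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
          -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null )
}

# Check that the certificate's subject names the host clients will connect to.
cert_matches_host() {      # $1=cert path $2=fqdn
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2\$"
}
```

Run enable_ssl_sysconfig on a copy first and diff the result against the original before applying it to /etc/sysconfig/apache2.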
3.9 PHP5
Disabled global_vars
Disabled file_uploads
Disabled display_errors
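A way to confirm that the settings described in sections 3.7 to 3.9 are still in place after later changes; this is an added example, not part of the appliance or the original page. It assumes “global_vars” refers to PHP's register_globals, that the error-page footer is controlled by Apache's ServerSignature directive, and that remote root login is blocked with PermitRootLogin in sshd_config; the function names are hypothetical.

```sh
# Added example, not part of the appliance. Paths are arguments so the audit
# can run on copies; "global_vars" is assumed to mean PHP's register_globals.

# check FILE KEY WANT: succeed only if KEY is set at least once and every
# uncommented occurrence equals WANT (holds whether first or last value wins).
check() {
    awk -v k="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        index(line, tolower(k)) == 1 && substr(line, length(k) + 1, 1) ~ /[ \t=]/ {
            v = substr(line, length(k) + 1)
            gsub(/^[ \t="]+|[ \t"]+$/, "", v)
            n++; if (v != tolower(want)) bad++
        }
        END { exit !(n > 0 && bad == 0) }' "$1"
}

# Succeed if none of the modules removed in 3.8 is listed in APACHE_MODULES.
removed_modules_absent() {
    mods=$(sed -n 's/^APACHE_MODULES="\{0,1\}\([^"]*\).*/\1/p' "$1" | tail -n 1)
    for m in cgi userdir autoindex asis imagemap; do
        case " $mods " in *" $m "*) return 1 ;; esac
    done
    return 0
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Args: sshd_config php.ini apache-conf sysconfig; status = number of failures.
audit_hardening() {
    fails=0
    check "$1" PermitRootLogin no   || fail "3.7 sshd permits root login"
    check "$3" ServerSignature off  || fail "3.8 ServerSignature is not Off"
    check "$2" register_globals off || fail "3.9 register_globals is not Off"
    check "$2" file_uploads off     || fail "3.9 file_uploads is not Off"
    check "$2" display_errors off   || fail "3.9 display_errors is not Off"
    removed_modules_absent "$4"     || fail "3.8 a removed module is enabled"
    return "$fails"
}

# Constructed sample: hardened except that display_errors is still On.
demo() {
    d=$(mktemp -d) || return 1
    echo 'PermitRootLogin no' > "$d/sshd"; echo 'ServerSignature Off' > "$d/apache"
    printf 'register_globals = Off\nfile_uploads = Off\ndisplay_errors = On\n' > "$d/php"
    echo 'APACHE_MODULES="alias php5 security apparmor"' > "$d/sys"
    audit_hardening "$d/sshd" "$d/php" "$d/apache" "$d/sys"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

A setting that is missing or commented out counts as a failure, so the audit does not rely on compiled-in defaults.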
3.10 Enabled Apparmor
AppArmor is a host-based IPS originally developed by Immunix, which is now a part of Novell/SuSE. AppArmor is only shipped with SuSE products at the present time, and uses profiles to determine what files different services may access, and how they can access them (read, write, exec, link, etc). For our purposes, we use it to control what Apache can read, so if an attacker ever managed to exploit the web service their visibility would be limited to an extremely small part of the file system. Also, mod_apparmor (previously mod_changehat) controls where the processes that Apache creates via scripts (php, asp, etc) can go. This implementation focuses mostly on the AppArmor profiles for Apache, which can be viewed and modified through YAST.
Loaded profile for Apache2
Loaded profile for MySQL
Loaded profile for SSH
Loaded profile for vsftpd
Loaded profile for other general services as well...
3.11 Compiled and loaded Mod_security
Mod_security is a module for Apache that identifies web attacks such as SQL/code injection, URL manipulation, and directory traversal. Upon interception, mod_security can log the traffic, drop the traffic, or forward to a general 404 page. Most open source Linux distributions do not ship with this module by default, so we have added it and some basic rule lists.
Added default rule lists to /etc/apache2/modsecurity/
Included the mod_security config file “/etc/apache2/modsecurity/modsecurity_general_custom.conf” in /etc/apache2/httpd.conf, line 105. As shipped, it logs attacks but does not drop them. To drop attacks on detection, edit modsecurity_general_custom.conf and change “pass” to “drop” wherever it appears.
Fingerprints web server as “tinyhttpd”, not apache2. This can defeat some reconnaissance scans, or at least confuse the attackers.
3.12 Secured MySQL
Database security can be tricky since most do not know how to secure it initially. We have fixed a few of the risky defaults to make it more secure.
Deleted default databases Temp and Tmp
Created root@localhost password = “vmware_sql”
*You really, really (I can't stress this enough) should change this to a different password.
Removed anonymous users and root@DOMAIN
3.13 VSFTPD disabled
Vsftpd was installed and configured as an anonymous FTP server (download only). However, since FTP is not always required, it is disabled by default. To enable FTP do the following:
Run the command “/etc/init.d/vsftpd start”
Run the command “chkconfig vsftpd on” for vsftpd to start on boot.
Open ports 20, 21 in the firewall. To do this, use YAST and look under security>firewall. See the howto movie for additional help using the firewall.
----------
Last updated: 05/27/2006
Operating system:
OpenSuSE 10.1
Applications installed:
Apache 2.2.0-21
PHP 5.1.2-27
MySQL 5.0.18-16
VSFTPD 2.0.4-16
AppArmor 2.0
YAST
VMware Tools installed:
Yes
Size:
463 MB
Torrent available:
Yes
Primary account
Username: root
Password: vmware
Submitted by: netracer
Download link provided by the submitter, not VMware.