Abysssec Security Research

This Post is a bit review to Apache security and not contain all details but i want write all of them.

When you decide to build a web server based on Open source Os for all web publishing -public or private- all the futures not needed . But sometimes some of them mus tow change carefully. We have to case of Apache using here :

Case 1 : In some cases you need to build a simulated ftp server based on HTTP protocol.

Case 2 : You need to build a MAIL server with HTTP interface. Such as HORD or SQURRIER MAIL.

SO what changes needed ?what kind of futures are usable here for Your jobs ?.

In default installation of Apache -as so useful web server – in a big range of open source operating systems you may see auto indexing and directory browsing , its good for HTTP server as FTP server but is it usable as HTTP-mail server ? Of curse response is NO .Why ? Its so simple .In case 1 you just need to give the permission to your users for reading files and browsing directories JUST!.And denied them to reading or browsing other directories . In case 2 the server design may have a complete configuration with case 1 .Here You must use an interpreter for your scripts and language .So is your directory browsing options may not denied is it possible ?.In example an attacker can change his directory to upper or can see most important data such as web server configurations and – or – some log files or a high level script kiddie could copy you password to anywhere .Now your web server is really crackable and an attacker can read your configurations and may change THEM !!. What did you do ? its so good question .

1- You can change permission of all unneeded directories to deny for other users and groups like :

“[[email protected]] # chmod -R 700 some directory that you want to hidden from other ”

2- Change the permission of your files to only readable for www and not executable – if you want to use HTML pages – and for script based pages

do “[[email protected]]# 644 *.php or other scripts
3- If your server pages is PHP you can change a bit the php.ini file

its in my machine :

[[email protected] /usr/home/t4z3v4r3d]# cat /usr/local/etc/php.ini | grep basedir
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
[[email protected] /usr/home/t4z3v4r3d]#
open_basedir = /usr/local/www to the your www directory this is he way of blocking of some php-shell scripts lik c99.php.

Hi this is 2′nd part of Apache security .
We want to look how to safe all of our scripts when we have some sites.
In share servers – commercial servers – we can secure our serer by some applications such as Cpanel Plesk or etc.
But how can we secure it by hand ?.Of curse its not so simple but its not hard to do.
Ok lets to see what we can do ?.Let look to this how to from an attacker.
Any of attacker want to get some information to doing a successful attack to any server.
But what is information exactly ?yes any information its correct !,all information may help the attacker to entering in to your server .
What kind of web server , web server version , Os version and type,mod ‘s of your web server is running  , server admin’s mail , dns-server , and …. is a good information to starting an attack.

some of the information can’t be hidden but some of may hidden !!!.
Ok we can change our server’s operating system name , web server name and type and version by some tools and mods – soon – .

All attacks methods are depend  to security of your server .

Ok we have some changes in our apache configuration.
But is it enough?. At the same way :what is the set of security settings for
Apache?.Security is a complex of invisible or bit notes.You can’t deny web viewers to looking your web contents in a little range of time .-in fact you can’t tell to users : Do brows my web contents only one time – but you can denied them to browsing all site in a little range of time  – or attacking such as directory traversal attacks or denial of service attack – .This attack can give a large amount of server resources .you can detect this attack and ban the attacker . Apache developed by some modules now, we can select our needed modules for protection.
Modules may be a helpful tools if you have enough information about how to work this module .Apache have 3 release version : 1.3.X and 2.0.X and 2.X all of this versions can using some modules.
For any platforms that you want to work on it may you need to some changes in configurations and giving resources to web server or changing in firewall rules and etc … . But you are module selector and you are lord of Apache world .Deciding which modules are needed is your job and tuning Apache is your art .
Its end of section one for now because I have no time to continue . i’ll be back very soon – iwant build a http server on my bsd box all of notes are really -In the next section we look for details .