
Securing websites
1. Introduction
For systems such as servers that are designed to be "always on", security is a major issue. Web servers are the backbone of the Internet: they provide the basic services and functionality behind billions of web pages worldwide and, as a result, act as a repository for the personal data of everyone who visits them. Ensuring that those servers are protected against external attack is a primary concern of any organisation that depends on them.
Attacks against web servers have increased significantly in recent years. As the map shows, it is irrelevant where in the world a web server is based: malicious code does not respect borders. The threat is not only international but now comes from organised criminal gangs looking to harvest passwords, financial data and other information, rather than from teenage hackers seeking to cause damage. In most cases an attack happens quietly, with servers and websites seeded with malware designed to infect as many visitors as possible.
Web servers are particularly vulnerable because they are "open" by nature, with users sending information to them and receiving information from them. The HTTPD (the HTTP server daemon), the database software and the code behind a website can each be rewritten by a criminal so that their original function is altered.
That does not mean web servers cannot be protected. They can, but it requires an integrated approach by website administrators, programmers and designers alike, with areas such as anti-virus software, the operating system (OS) and access permissions kept under constant review.
This document explores many of the common areas that lead to a compromised web server and ways to prevent them.
2. Secure foundations
The first step in designing, building and managing a secure website is to ensure that the server hosting it is as secure as possible.
A web server is composed of layers that provide multiple attack vectors, as the diagram shows. Remember, each block is a possible target.
The basis of any server is its operating system, and the secret to keeping it secure is simple: keep it updated with the latest security patches. Doing so could not be easier with Microsoft [1], and with many flavours of Linux, which allow organisations to apply patches automatically or with a single mouse click.
Remember, however, that hackers automate their attempts too, with malware designed to jump from one server to another until it finds one that is unpatched. For this reason it is important to ensure that patches are current and correctly applied, as any server still running older patches will become a victim.
You also have to remember to update every other software component running on the web server. Everything that is not essential, such as DNS servers and remote administration tools like VNC or Remote Desktop, should be disabled or removed. If remote administration tools are essential, avoid default passwords or anything that can be easily guessed [14]. This applies not only to remote access tools and user accounts but also to network devices such as switches and routers.
The next area to consider is anti-virus software. This is a must for any web server, Windows or Unix, and combined with a flexible firewall is one of the strongest forms of protection against security breaches. When a web server is targeted, the attacker usually tries to upload malware or hacking tools immediately, in order to exploit the breach before it is fixed. Without a good anti-virus package, a security breach can go unnoticed for a considerable time.
When it comes to defence, a multi-layered approach is best. On the front line are the firewall and the operating system, while in the trenches is the anti-virus, ready to fill any gaps that arise.
In summary:
• Do not install software components that are not necessary. Each component is a risk: the more there are, the greater the risk.
• Keep your operating system and applications patched with the latest security updates.
• Use anti-virus software, turn on automatic updates and regularly check that these are installed correctly.
Some of these tasks may seem burdensome, but do not forget that a single security hole is enough for an attacker. Potential consequences include stolen data, stolen bandwidth, a blacklisted server IP address, damage to the organisation's reputation and the possibility that the site becomes unstable.
The next most important piece of software is the HTTPD itself, and the two most popular alternatives are IIS and Apache.
2.1 Internet Information Services (IIS)
IIS is part of Microsoft Windows and is a popular and commonly used web server, since it requires very little configuration.
When deploying it, however, it is worth remembering the following:
• Turn off default services such as FTP and SMTP unless you need them. Disable directory browsing unless it is required, as it allows visitors to see what files are on your system.
• Disable FrontPage Server Extensions if they are not being used.
You should also keep IIS fully updated, which can be done simply by enabling the automatic update feature found in the Windows Control Panel.
2.2 Apache HTTP Server
Apache is a highly configurable and well-maintained open source web server. It requires detailed setup to deploy successfully, but provides more control over the web server. Most Apache servers run on Linux/BSD, but it can also run on Windows.
Because Apache configuration is complex, there is no room in this article to detail the whole procedure. However, the following tips [2,3,4] are worth considering:
• Deny access to resources by default and only allow the resources and functionality you actually need.
• Log all web requests to help identify suspicious activity.
• Subscribe to the Apache announcements mailing list so that you are notified of updates, patches and security fixes.
Websites requiring more complex functionality often extend the HTTPD with a server-side interpreter using CGI (Common Gateway Interface). The two most popular are PHP and ASP.
2.3 PHP and MySQL
PHP is one of the most common server-side scripting languages. It has a very large functional code base, simple syntax, adaptable code and, above all, interfaces with a large number of database formats. MySQL is one of the most popular databases for use in conjunction with PHP because it is fast, feature-rich, and easy to configure and use.
PHP has frequently been accused of being lax on security, as many exploitable bugs have been found in it over recent years. However, it has matured steadily and the majority of problems can be avoided by configuring the installation correctly and/or writing secure code.
Here are some configuration tips (writing secure code is covered in the next section) relating to directives in the php.ini file:
• Set register_globals to Off
• Set safe_mode to On
• Set open_basedir to the website's root directory
• Set display_errors to Off
• Set log_errors to On
• Set allow_url_fopen to Off
For more information on which configuration directives are important and why, please refer to [6,7,10].
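The following script is an added example, not part of the original article, that checks a running PHP installation against the directives listed above. The directive names and target values are the article's; the function names are this example's own. Note that register_globals and safe_mode were removed in PHP 5.4, so the audit treats their absence as acceptable.

```php
<?php
// Added example (not from the original article): check the running PHP
// configuration against the php.ini recommendations listed above. The
// directive names and target values are the article's; the function names
// are this example's own. register_globals and safe_mode were removed in
// PHP 5.4, so their absence (ini_get() returns false) is accepted.
declare(strict_types=1);

/** Normalise what ini_get() returns ("", "0", "Off", "1", "On", ...) to a bool. */
function ini_bool(string|false $value): bool
{
    if ($value === false) {
        return false;
    }
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

/**
 * Return a list of findings; an empty list means the configuration matches.
 * $get defaults to ini_get(); an injectable getter lets the audit run against
 * any configuration, not just the current process.
 */
function audit_php_ini(?callable $get = null): array
{
    $get ??= 'ini_get';
    $removed  = ['register_globals', 'safe_mode'];        // gone since PHP 5.4
    $wantBool = [
        'register_globals' => false,
        'safe_mode'        => true,
        'display_errors'   => false,
        'log_errors'       => true,
        'allow_url_fopen'  => false,
    ];
    $findings = [];
    foreach ($wantBool as $directive => $expected) {
        $raw = $get($directive);
        if ($raw === false && in_array($directive, $removed, true)) {
            continue;                                     // not present in this PHP version
        }
        if (ini_bool($raw) !== $expected) {
            $findings[] = sprintf('%s is %s, should be %s',
                $directive, var_export($raw, true), $expected ? 'On' : 'Off');
        }
    }
    // open_basedir must name the website root (a non-empty path list).
    $base = $get('open_basedir');
    if ($base === false || trim((string) $base) === '') {
        $findings[] = 'open_basedir is not set; restrict PHP to the website root directory';
    }
    return $findings;
}

// 1. Audit the PHP that is running this script (e.g. `php audit.php` on the server).
foreach (audit_php_ini() as $finding) {
    echo "WARNING: $finding\n";
}

// 2. Audit a constructed, deliberately weak configuration through the injectable getter.
$weak = ['display_errors' => '1', 'log_errors' => '', 'allow_url_fopen' => 'On', 'open_basedir' => ''];
foreach (audit_php_ini(fn (string $d) => $weak[$d] ?? false) as $finding) {
    echo "weak config: $finding\n";
}
```

Run it with the same PHP binary and php.ini that serve the site (the CLI and the web SAPI can load different ini files), or drop it into the web root briefly and remove it afterwards; the report for the constructed weak configuration shows what the warnings look like without touching the live settings.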
When MySQL is installed it creates a "test" database by default, together with an "open" root account that has no password. The root account automatically has full access to every other database on the server, so it is important to:
• Change the root password immediately.
• Create new MySQL users and give them the minimum privileges they need.
• Remove the test database and the test users.
2.4 Active Server Pages (ASP)
ASP is a Microsoft add-on supported by IIS, although an implementation for Apache also exists. ASP is built into IIS and so usually requires little or no configuration.
2.5 Security
Anti-virus is usually the last line of defence against an attack, so web servers, especially those serving dynamically generated content, must have on-access scanning enabled at all times. As the table shows, no web server is safe from malware. No matter how secure you think your web server is, there is always a chance it will be hacked. On-access scanning significantly reduces the likelihood of malicious code running on the system because it scans in both "on read" and "on write" modes, and can give immediate notification as soon as any piece of malware tries to store itself on the server.
On-access scanning can affect server performance slightly, but the added security outweighs any possible performance problem. Some areas of the system, such as the HTTPD log folder, can also be excluded from scanning, which further reduces the impact on the system.
Attacks on web servers can in general be classified into two main types: local and global.
• Local attacks usually attempt to steal information from, or take control of, a specific server or site.
• Global attacks are generally aimed at multiple sites, with the goal of infecting anyone who visits them.
Although Linux and BSD are considered by some to be more secure than Windows, they are certainly not free from the attention of organised crime. They can, and should, have anti-virus software installed. Even if malware cannot run on the host server because it is protected with anti-virus software, it can still be served as apparently valid content to the website's users, and some hackers write their malware in PHP or ASP, which makes the web server's operating system irrelevant.
It is also possible for servers to be infected via the local network. The Fujacks family of worms, for example, infects HTML, PHP and ASP files across shared drives and network shares.
3. External web hosting
Many organisations do not have the hardware or the bandwidth stability to host their own web server and so use external suppliers. There are three alternatives suitable for small and large organisations alike:
• Shared dedicated hosting.
• Virtual dedicated hosting.
• Dedicated hosting.
3.1 Shared dedicated hosting
This is probably the most used, and most abused, of all forms of web hosting, with one dedicated server hosting several websites. It is one of the cheapest forms of hosting and therefore one of the most dangerous, because it takes only one infected user to infect everyone else using the server.
An excellent real-life example of the problems inherent in shared hosting can be found in the following SophosLabs blog posting:
http://www.sophos.com/security/blog/2007/06/172.html
3.2 Virtual dedicated hosting
Virtual dedicated servers, sometimes referred to as elastic servers, are created using virtualisation software to run a series of independent, self-contained virtual servers on one machine. This is appropriate for any growing organisation, because each user has access to their own operating system and server software.
3.3 Dedicated hosting
Dedicated servers are reserved for a single user. Normally two forms are available: managed and unmanaged.
• Managed servers have staff to take care of management tasks such as local security issues and troubleshooting.
• Unmanaged servers are a little cheaper to run, but any assistance has to be bought in.
Of the three options presented here, virtual dedicated hosting appears to be the most efficient: it is generally cheaper than dedicated hosting but retains its flexibility and security.
4. Designing a safer website
No matter what you do and no matter how small your site is, it will be attacked. Design is intrinsic to security, since it can reduce the damage caused by viruses, spyware and other malware.
Try to put yourself in the attacker's shoes and use common sense to plug the obvious holes. Some website design errors have become so common, among beginners and veterans alike, that it is worth going over them here.
4.1 Cookies
One of the main problems encountered in designing a web application is that each request for a new page is dealt with independently of the previous request. Asking a web application to "remember me" is therefore harder than it is for a normal application.
There are two methods web applications use to remember visitors, and both are supported by most browsers: cookies and session cookies.
• A cookie is a small file that is created by the browser and stored on the user's computer. It can contain almost anything, but usually holds a name, an expiry date and an arbitrary amount of data such as "count=100" or "member=false".
• A session cookie is similar to a normal cookie, except that it allows the web application to keep the data in memory on the server; the cookie itself carries only the session identifier.
The difference between the two is that a cookie is stored on the user's computer and remains resident until it expires or is removed manually, whereas a session cookie is only kept while the browser is running and is lost automatically as soon as the browser is closed. They do have one thing in common: both can be manipulated.
Developers often rely on data retrieved from cookies, simply because they wrote the code that created them, so the data must be good, right? Wrong. Hackers can easily modify a cookie (and in some cases live session data) to trick a website into giving them access to a restricted page.
When designing your system, never trust user input, whether it comes directly from visitors or indirectly through cookies. Try to limit the amount of data stored in cookies, especially data that should not be made available to the public. A good rule is to treat all data stored on an end user's machine as suspect.
MySpace.com was attacked earlier this year by a trojan (JS/SpaceStalk-A) that stole the information stored in cookies and transmitted it to a remote server. This information could potentially contain sensitive data such as usernames, passwords and Internet preferences.
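One way to act on "both can be manipulated" is to make any cookie the application must read back tamper-evident. The code below is an added example, not from the original article: it appends an HMAC-SHA256 tag to the cookie value so that an edit such as "member=false" to "member=true" on the user's machine is rejected. The secret, the cookie name and the "member" flag are assumptions for illustration.

```php
<?php
// Added example (not from the original article): a cookie whose value is
// protected with an HMAC so that tampering on the user's machine is detected.
// The secret, the cookie name and the "member" flag are illustrative assumptions.
declare(strict_types=1);

const COOKIE_NAME = 'prefs';

/** Serialise $data and append an HMAC-SHA256 tag computed with $secret. */
function sign_cookie_value(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

/** Return the decoded data, or null if the value is malformed or has been tampered with. */
function verify_cookie_value(string $value, string $secret): ?array
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // hash_equals() compares in constant time, so response timing does not leak the tag.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $data = json_decode($decoded, true);
    return is_array($data) ? $data : null;
}

// --- demonstration with a constructed value ---
// Assumption: the secret is loaded from server-side configuration and never sent to the client.
$secret = 'replace-with-a-long-random-server-side-secret';
$cookie = sign_cookie_value(['count' => 100, 'member' => false], $secret);

// Legitimate round trip: the data comes back intact.
var_dump(verify_cookie_value($cookie, $secret));

// An attacker edits the stored cookie to claim membership but cannot recompute the tag.
$tampered = base64_encode(json_encode(['count' => 100, 'member' => true]))
          . '.' . explode('.', $cookie, 2)[1];
var_dump(verify_cookie_value($tampered, $secret));

// When issuing the cookie in a real response, HttpOnly keeps scripts in the page away
// from it, Secure limits it to HTTPS and SameSite limits cross-site sending.
if (!headers_sent()) {
    setcookie(COOKIE_NAME, $cookie, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

The HMAC stops edits from being accepted but does not hide the contents, which anyone with the file can read; anything confidential still belongs in the server-side session, as the text advises.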
4.2 Authentication
If your website contains areas intended only for certain customers or subscribers, you need a way to identify visitors before letting them in [8].
There are several ways to authenticate users: basic authentication, digest authentication and HTTPS.
• Basic authentication sends the username and password in a form that is effectively visible to anyone who can see the request (they are only base64-encoded, not encrypted). Even if the content being protected is not particularly secret, this is best avoided, because a user may use the same password in many places. A Sophos survey showed that 41% of users use the same password for all their online activity, whether a banking site or a local community forum [15]. Try to protect your users from this mistake by using a more secure authentication method.
• Digest authentication, which all popular servers and browsers support, does not send the username and password themselves but a hash of them combined with a nonce supplied by the server. This protects the credentials in transit, creates a better impression on the user and reduces the chance of your server being abused.
• HTTPS encrypts all data transferred between the browser and the server, not just the username and password. You must use HTTPS (which is based on the Secure Sockets Layer, or SSL, protocol and its successor TLS) whenever you ask users to provide personal or private data, such as their address or credit card or bank account details.
When choosing an authentication system, it is good practice to choose the best available. Anything less will worry security-conscious customers and may expose them to unnecessary risk.
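To make the first bullet concrete, the added example below (not from the original article) decodes a Basic Authorization header to show that it is reversible by anyone who sees the request, and then gates a login so that credentials are only checked when the request arrived over HTTPS. The user store, the password and the constructed header are assumptions for illustration.

```php
<?php
// Added example (not from the original article): what a Basic Authorization
// header actually carries, and a login gate that refuses to accept credentials
// unless the request arrived over HTTPS. The user store, the password and the
// constructed header are illustrative assumptions.
declare(strict_types=1);

/** Decode "Authorization: Basic ..." into [username, password], or null if absent or malformed. */
function parse_basic_authorization(?string $header): ?array
{
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    return explode(':', $decoded, 2);   // split on the first colon only: passwords may contain ':'
}

/**
 * Verify Basic credentials against password_hash() digests. Returns the username
 * on success, null otherwise. The check is skipped entirely when the connection
 * is not HTTPS, so a password that travelled in clear is never compared or logged.
 */
function authenticate(array $server, array $users): ?string
{
    $https = ($server['HTTPS'] ?? '') !== '' && strtolower((string) $server['HTTPS']) !== 'off';
    if (!$https) {
        return null;
    }
    $creds = parse_basic_authorization($server['HTTP_AUTHORIZATION'] ?? null);
    if ($creds === null) {
        return null;
    }
    [$user, $pass] = $creds;
    // Verify against a dummy hash for unknown users so response time does not reveal valid usernames.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $users[$user] ?? $dummy);
    return ($ok && isset($users[$user])) ? $user : null;
}

// --- demonstration with constructed input ---
$users  = ['chris' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$header = 'Basic ' . base64_encode('chris:correct horse battery staple');

// No secret is involved in the encoding: anyone on the network path can do this.
print_r(parse_basic_authorization($header));

// Same header over plain HTTP: refused before the password is even looked at.
var_dump(authenticate(['HTTP_AUTHORIZATION' => $header], $users));

// Over HTTPS the credentials are checked against the stored hash.
var_dump(authenticate(['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => $header], $users));
```

In a real deployment pass $_SERVER as the first argument; the HTTPS flag is set by the web server, so the application does not have to trust a client-supplied header for it.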
4.3 Components, libraries and add-ons
Many web developers do not have time to reinvent the wheel. When asked to add a feature that is common elsewhere, the easiest way is to source a package that already contains the necessary component and customise it. This kind of outsourcing is commonplace with complex, feature-rich applications such as micro-blogs, forums and content management systems (CMS).
The reasons for using pre-built, customisable systems are obvious: it saves time and money.
Like all software, however, add-ons may contain bugs, so it is wise to keep an eye on the packages in use and update them regularly. The popularity of some of these packages can instil a misleading sense of confidence: many popular products have been found to be exploitable, even when apparently installed and configured correctly.
Popular server applications that have had problems with critical, exploitable bugs in the past include:
• WordPress (blogging software).
• phpBB (forum software).
• CMS Made Simple (CMS Software).
• PHPNuke (CMS Software).
• bBlog (blogging software).
Many of the above (and similar) add-ons are widely used, which makes them very attractive targets for hackers because they greatly increase the number of potential victims. Since most operating systems and HTTPD software can be updated automatically, many developers "set and forget" those components but neglect to update the various add-ons: a dangerous mistake.
Once again, the golden rule is as before: if you do not need it, get rid of it! If your hosting provider supplies such features by default, turn them off. If you cannot disable them, think about finding a new provider.
4.4 Log Files
Server logs are a very important part of managing a website. Most HTTP servers can be configured to store access logs and error logs, and this should be enabled at all times, as the logs may be vital when conducting a review after an incident.
Logs should also be reviewed periodically, as they give a better understanding of the threats websites face. Log files give an indication of any possible breach by recording, in great detail, every successful or attempted access to a site.
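As an added example of what such a periodic review can look like (this code is not from the original article), the script below parses access log lines in the common "combined" format and flags the patterns a reviewer would look for first: payloads in request paths and clients that generate a run of 4xx errors while probing for files. The log lines, addresses and thresholds are constructed for the example.

```php
<?php
// Added example (not from the original article): a review pass over access log
// lines in Apache/nginx "combined" format. The sample lines, IP addresses and
// thresholds are constructed for this example.
declare(strict_types=1);

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';

/** Parse one combined-format line into an associative array, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'agent' => $m[7]];
}

/**
 * Return findings for requests carrying known attack patterns and for clients
 * that produced $errorThreshold or more 4xx responses (probing for files).
 */
function review_access_log(array $lines, int $errorThreshold = 3): array
{
    $suspicious = [
        'path traversal'    => '/\.\.[\/\\\\]/',
        'script injection'  => '/<script/i',
        'sql injection'     => '/(union\s+select|drop\s+table|\'\s*or\s+\'?1\'?\s*=\s*\'?1)/i',
        'leaked file probe' => '/ws_ftp\.log|\.bak$|\.sql$/i',
    ];
    $findings   = [];
    $errorsByIp = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $target = rawurldecode($r['path']);   // attackers URL-encode their payloads
        foreach ($suspicious as $label => $re) {
            if (preg_match($re, $target)) {
                $findings[] = sprintf('%s: %s %s (%d) from %s',
                    $label, $r['method'], $r['path'], $r['status'], $r['ip']);
            }
        }
        if ($r['status'] >= 400 && $r['status'] < 500) {
            $errorsByIp[$r['ip']] = ($errorsByIp[$r['ip']] ?? 0) + 1;
        }
    }
    foreach ($errorsByIp as $ip => $n) {
        if ($n >= $errorThreshold) {
            $findings[] = "$ip produced $n client errors: possible scanning";
        }
    }
    return $findings;
}

// Constructed sample lines (not a real log).
$sample = [
    '203.0.113.9 - - [16/Jul/2008:08:34:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jul/2008:08:34:02 +0000] "GET /WS_FTP.LOG HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jul/2008:08:34:03 +0000] "GET /backup.sql HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jul/2008:08:34:04 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Jul/2008:08:53:10 +0000] "GET /users.php?name=%27%3B%20DROP%20TABLE%20users%3B%20%23 HTTP/1.1" 500 0 "-" "curl/7.19"',
    '198.51.100.4 - - [16/Jul/2008:08:53:11 +0000] "GET /profile.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3001 "-" "curl/7.19"',
    '192.0.2.7 - - [16/Jul/2008:09:01:00 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "-"',
];

foreach (review_access_log($sample) as $finding) {
    echo $finding, "\n";
}
```

To run it against a real file, replace $sample with file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES); the path depends on the distribution and the LogFormat directive must produce the combined format for LOG_RE to match.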
5. Writing secure code
Writing secure code is not always as easy as it sounds. It requires not only an experienced programmer but one who is also knowledgeable about specific security problems [9]. Whole books are dedicated to writing secure code, so only the basics are covered here [13].
• Always initialise global variables, because (with register_globals on) they can be seeded by a crafted GET or POST request.
• Turn off error display and make sure that errors are logged instead, as error messages can help attackers reproduce a problem and work towards exposing a vulnerability.
• Never trust user data, and always use filter functions that remove SQL special characters and escape sequences.
5.2 SQL injection
SQL injection can be used to attack websites that interact with databases. It occurs when unfiltered user input is used in an SQL query.
SQL queries are used to read data from a database, insert data into it, or modify/delete data. Many modern websites use scripting and SQL to generate page content dynamically. User input is often used in these SQL queries, and this can be dangerous: hackers can try to embed their own SQL code within the input data. Without care, this malicious SQL may be executed successfully on the server.
Take the following PHP code:
$firstname = $_POST['firstname'];
mysql_query("SELECT * FROM users WHERE first_name = '$firstname'");
After a first name is submitted via the web form, the SQL query returns the list of users who have that first name. If I put my name, "Chris", in the form, the SQL query would be:
SELECT * FROM users WHERE first_name = 'Chris'
This is a valid statement and works as you would expect, but what would happen if, instead of my name, I entered something like "'; DROP TABLE users; #"? The statement would then be:
SELECT * FROM users WHERE first_name = ''; DROP TABLE users; #'
The semicolon separates commands, allowing several to be executed one after another. Suddenly the simple statement has become a three-part statement:
SELECT * FROM users WHERE first_name = '';
DROP TABLE users;
# '
The original statement is now useless and can be ignored. The second statement tells the database to drop (delete) the whole users table, and the third begins with the '#' character, which tells MySQL to ignore the rest of the line. (One caveat: PHP's mysql_query() sends a single statement and rejects stacked queries, so this particular payload illustrates the principle rather than that function; injections that stay within one statement, such as a UNION SELECT or an always-true OR condition, work through it just as well.)
This is particularly dangerous and can be used to display sensitive data, update fields or delete information. Some database servers can even be made to execute system commands through SQL.
Fortunately this type of vulnerability is easily avoided by validating user input. PHP has a special function for neutralising potential SQL injection code, named mysql_real_escape_string, which must be used to filter any data that is passed into an SQL statement. (The mysql extension has since been removed from PHP; the mysqli and PDO extensions provide equivalent escaping and, better still, prepared statements that keep data separate from the SQL text.)
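The added example below is not from the original article. build_unsafe_query() reproduces the string-concatenation bug so that the effect of the payload on the query text can be seen, and find_users_by_first_name() is the same lookup as a mysqli prepared statement, which is this editor's recommendation and goes beyond the escaping function the text names. Table and column names follow the article; the connection details are assumptions taken from the environment.

```php
<?php
// Added example (not from the original article): the vulnerable lookup above
// rewritten two ways. build_unsafe_query() reproduces the concatenation bug so
// the payload's effect can be seen; find_users_by_first_name() uses a mysqli
// prepared statement (the editor's recommendation, beyond the text's
// mysql_real_escape_string() advice). Table and column names follow the article;
// the connection details are assumptions read from the environment.
declare(strict_types=1);

/** The original pattern: user input pasted straight into the SQL text. Do not use. */
function build_unsafe_query(string $firstName): string
{
    return "SELECT * FROM users WHERE first_name = '$firstName'";
}

/**
 * Safe version: the SQL text is fixed and the value travels separately as a
 * bound parameter, so quotes, semicolons and comment markers in $firstName
 * are only ever data. Returns the matching rows.
 */
function find_users_by_first_name(mysqli $db, string $firstName): array
{
    $stmt = $db->prepare('SELECT id, first_name, last_name FROM users WHERE first_name = ?');
    $stmt->bind_param('s', $firstName);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// --- demonstration ---
$payload = "'; DROP TABLE users; #";
echo build_unsafe_query('Chris'), "\n";    // the query the developer intended
echo build_unsafe_query($payload), "\n";   // the query the attacker obtains

// Running the safe version needs a database. Assumption: DB_HOST, DB_USER,
// DB_PASS and DB_NAME are set in the environment; the account should hold
// only the SELECT privilege on this table, as section 2.3 recommends.
if (getenv('DB_HOST') !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on SQL errors
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    // The same payload is now simply a first name that nobody has.
    var_dump(find_users_by_first_name($db, $payload));
    $db->close();
}
```

Escaping with mysqli_real_escape_string() also works when the value is correctly quoted in the statement, but it must be applied at every call site; a prepared statement makes the separation structural, and running the site's queries through an account without DROP or DELETE privileges limits the damage if one is missed.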
5.3 XSS (cross-site scripting)
This type of attack focuses on websites that display data supplied by users. Instead of trying to control the database with malicious input, the attacker tries to attack the website's own code with malicious output.
Many sites store each visitor's username in a database so that they can show that name when the user is logged in. It is a simple matter for an attacker to create a bogus account and put malicious code into the username field instead of a name. These attacks are usually made with malicious JavaScript that then loads content from another website. The database stores what it thinks is a username, but it is actually malicious code. Later, when the site tries to display the username at the top of the page, the malicious code is executed without warning. Because the code could, depending on the circumstances, do just about anything, this is a very real concern and one often overlooked by developers. In recent history many high-profile websites have fallen victim to XSS attacks, including MySpace, Facebook and Google Mail.
Take the following PHP code:
$name = $_POST['name'];
echo "Your name is $name";
After you submit your name to the website, the site displays it on the page. If I put my name, "Chris", in the form, the message reads "Your name is Chris".
What if we decide to use "<script>alert("You just got hacked!");</script>" instead of a name? The browser receives the script element as part of the page and runs it.
Unfortunately, XSS attacks can sometimes be difficult to defend against because they depend on correct filtering of both input and output, and so on validating every field that a user can modify. This includes data retrieved from GET and POST requests and query results returned from the database.
If you use PHP there are a number of packages that can help with filtering; one example is CodeIgniter [5]. Alternatively, there is a native PHP function called htmlspecialchars that can be used to filter output.
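The added example below is not from the original article. It rewrites the "Your name is ..." page with output encoding built on the native htmlspecialchars() the text mentions, adds a second encoder for values placed inside a script block (each output context needs its own encoding), and adds the input-side check for usernames that the text also calls for. The helper names and the username character set are this example's own assumptions.

```php
<?php
// Added example (not from the original article): output encoding for the
// "Your name is ..." page. e() wraps the native htmlspecialchars() the text
// mentions; js_literal() shows that a script context needs a different encoding;
// is_valid_username() is the input-side check. Helper names and the allowed
// username characters are this example's assumptions.
declare(strict_types=1);

/** Encode a value for HTML body text and for double-quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than returning an empty string, which would silently drop the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a value for embedding inside a <script> block as a JavaScript string literal. */
function js_literal(string $value): string
{
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so a
    // "</script>" inside the data cannot terminate the script element.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Input-side rule for usernames: a short whitelist of characters, nothing else stored. */
function is_valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name) === 1;
}

/** The original code: the submitted value is echoed into the page unchanged. */
function render_vulnerable(string $name): string
{
    return "Your name is $name";
}

/** The same page with each output context encoded for that context. */
function render_safe(string $name): string
{
    return 'Your name is ' . e($name)                                   // body text
         . ' <input type="text" name="name" value="' . e($name) . '">'  // attribute value
         . ' <script>var user = ' . js_literal($name) . ';</script>';   // script block
}

// --- demonstration with constructed input ---
$attack = '<script>alert("You just got hacked!");</script>';

var_dump(is_valid_username('Chris'));
var_dump(is_valid_username($attack));   // rejected at the input stage

echo render_vulnerable('Chris'), "\n";
echo render_vulnerable($attack), "\n";  // the script element is handed to the browser verbatim
echo render_safe($attack), "\n";        // the same text, encoded: the browser shows it, nothing runs
```

Encoding belongs at the point of output, not where the data is stored: the same username may be written into HTML, into an attribute and into a script on different pages, and a value escaped for one context is not safe in another.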
6. A study of how easy it is
While researching this paper I decided to see how easy it would be to find examples of data leakage, so I searched Google for the name of the default log file of a common FTP client. I found thousands of websites that were publicly (and unknowingly, through indexing) exposing this seemingly unimportant FTP log file. Each was a shining example of data leakage.
Here is an example (censored) log:
99.07.16 8:34 A x:\xxxxxxxx\xxxxxx\xxxxxx WS_FTP.LOG <-- <site name> /export/home/<name>/xxxxxx/xxxxxx WS_FTP.LOG
99.07.16 8:53 A x:\xxxxxxxx\xxxxxx\xxxxxx home.html --> <hostname> /xx/www/xxxxxx-xxx/xxxxhome.html
From this I learned several interesting things:
• <site name> gave me the name of the website.
• <name> gave me the username on the Linux/BSD host.
• <hostname> gave me the server name.
This tells me the following about the host:
• The name and IP address of the web server.
• The remote path that was copied to.
• The local path that was copied from.
This information is gold dust to any criminal: knowing the hostname and the username, he or she can try to gain administrator access. They could also simply find the web hosting company's phone number or email address and try to obtain the password through social engineering.
The latter is usually the easier way to attack a web server, as many hosting companies carry out minimal security checks before handing over credentials. This may be because they are often contacted by individual web contractors who are building a site on behalf of a third party, and so are used to receiving calls requesting account credentials or password resets.
I have done this several times, legitimately of course, and only one of the four companies I asked required the original business to give permission.
Yes, it really is as easy as that.
About the Author
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including security software, encryption software, anti-virus and anti-malware.
