Infra Security (Web Server aka HTTP Server) — How security gets compromised, How to take care of security, How to test & monitor your security provisioning

Sujit Udhane
5 min read · Sep 11, 2020

A web server is server software, or hardware dedicated to running that software, that can satisfy client requests on the World Wide Web. A web server can, in general, host one or more websites. It processes incoming network requests over HTTP and several related protocols.

The primary function of a web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the Hypertext Transfer Protocol (HTTP). Pages delivered are most frequently HTML documents, which may include images, style sheets and scripts in addition to the text content.

In modern architectures, a web server can also serve as a reverse proxy and as a load balancer for internal HTTP traffic.

I have grouped the content into 3 categories:
i) How security gets compromised (referred to henceforth as CAUSE)
ii) How protection can be done (referred to henceforth as PREVENTION)
iii) How monitoring & testing can be done (referred to henceforth as VERIFICATION)

#1

CAUSE:

HTTP Communication over insecure connection.

PREVENTION: Configure a TLS (SSL) connection so that client-server communication is encrypted.

Communication should be over HTTPS.

Please refer to the url below to configure TLS for the Nginx server:
http://nginx.org/en/docs/http/configuring_https_servers.html

Please refer to the url below to configure TLS for the Apache server:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

VERIFICATION: Online tools like https://www.cdn77.com/tls-test

#2

CAUSE:

Absence of a firewall. This lets a number of malicious requests reach your server, such as SQL injection, session hijacking and cross-site scripting.

PREVENTION: ModSecurity is an open source, cross-platform web application firewall (WAF) module.

It enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.

The ModSecurity plugin/library is available for popular web servers such as Apache & Nginx.

Please refer to the url below to configure a firewall for the Nginx server: https://docs.nginx.com/nginx-waf/

Please also refer to the url below to configure a firewall for the Nginx server: https://idiallo.com/blog/firewall-setup

VERIFICATION: Nessus offers a free tier for a limited number of scans. Further tools are listed at the url below:

https://firewallguide.com/firewall/firewall-testing/

#3

CAUSE:

Absence of a policy, which enables brute force or DDoS attacks.

PREVENTION: The mod_evasive module is an Apache module that helps your server stay running in the event of such attacks. A number of features are available in Nginx & Nginx Plus to address these types of attacks.
Setting up HTTP limits is a good idea for mitigating DDoS attacks.

Some of the important Apache parameters:
1) KeepAlive (set to On) 2) KeepAliveTimeout 3) LimitRequestBody
4) LimitRequestFields 5) LimitRequestFieldSize 6) LimitRequestLine
7) LimitXMLRequestBody 8) MaxClients 9) MaxKeepAliveRequests
10) MaxRequestWorkers 11) RequestReadTimeout 12) TimeOut

Please refer to the url below to configure DDoS protection for the Nginx server: https://www.nginx.com/resources/videos/ddos-beasts-and-how-to-fight-them-part-1/

Please refer to the url below to configure DDoS protection for the Apache server: https://www.alibabacloud.com/blog/how-to-prevent-ddos-attacks-with-modevasive-for-apache-web-server_594931

VERIFICATION: Details of DDoS attack testing tools can be found at the links below:

i) https://www.keysight.com/in/en/solutions/network-security/ddos-attack-mitigation-test.html

ii) https://linuxhint.com/ddos-attack-testing/

#4

CAUSE:

By leaving unused, unmaintained or expired modules on your web server, you leave your site open to attackers through a point of entry that does not even need to be there.

PREVENTION: Verify the list of active/inactive modules on your web server and remove the inactive ones.

Please refer to the url below to enable modules for the Nginx server: https://subscription.packtpub.com/book/networking_and_servers/9781849517447/1/ch01lvl1sec11/enabling-various-modules

Please refer to the url below to enable modules for the Apache server: https://www.tecmint.com/check-apache-modules-enabled/

VERIFICATION: For the Apache server, refer to the instructions at the url below: https://www.tecmint.com/check-apache-modules-enabled/

For the Nginx server, refer to the instructions at the url below: https://subscription.packtpub.com/book/networking_and_servers/9781849517447/1/ch01lvl1sec11/enabling-various-modules

#5

CAUSE:

Directory access available to anyone allows attackers to inject malicious scripts into your code.

PREVENTION: Block directory access to anyone. For the Nginx server, please refer to the url below:
https://docs.whmcs.com/Nginx_Directory_Access_Restriction

For the Apache server, please refer to the url below: https://httpd.apache.org/docs/2.4/howto/access.html

VERIFICATION: Please refer to the urls below:

https://portswigger.net/burp
https://gracefulsecurity.com/introduction-to-burp-suite-pro/
https://www.pentestgeek.com/what-is-burpsuite

#6

CAUSE:

Enabled directory listing on the web server. Directory listing is a feature that, when enabled, makes the web server list the contents of a directory when there is no index file (e.g. index.php or index.html) present.

Therefore, if a request is made to a directory on which directory listing is enabled and there is no index file such as index.php or index.asp, the web server sends a directory listing as the response, even if the directory contains files from a web application.

When this happens there is an information disclosure issue (leakage of sensitive information), and attackers can use such information to craft other attacks, including direct-impact vulnerabilities such as XSS.

PREVENTION: Disabling directory listing for the Nginx server is described at the url below:

https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/#nginxweb

Disabling directory listing for the Apache server is described at the url below: https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/#apacheserver

VERIFICATION: Tools like https://www.zaproxy.org

#7

CAUSE:

Ignoring web server version updates keeps known vulnerabilities open and allows attackers to exploit them.

PREVENTION: Update the web server regularly to receive security patches.

VERIFICATION: Not aware of any.

#8

CAUSE:

Not capturing web server logs.

PREVENTION: Turn on Logs. Network traffic logging is especially useful for breach assessment and forensics.

For the Nginx server, please refer to the url below: https://docs.nginx.com/nginx/admin-guide/monitoring/logging/

For the Apache server, please refer to the url below: https://www.feistyduck.com/library/apache-security/online/apachesc-CHP-8.html

VERIFICATION: Tools like Splunk/Kibana can help to analyze the traffic logs.
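As an added verification example for points #3 and #8 (not code from the original article): a small Python script, using only the standard library, that parses Apache/Nginx "combined" access log lines and flags clients that flood the server or repeatedly fail on one path. The thresholds, the field names and the sample log lines are my own constructed assumptions, not anything captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line; return None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def find_abusive_clients(lines, window=timedelta(seconds=10), max_requests=20, max_failures=5):
    """Return {ip: set(tags)}: "flood" (too many requests in one sliding window) or "brute-force:<path>"."""
    per_ip, failures = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        per_ip[rec["ip"]].append(rec["ts"])
        if rec["status"] in (401, 403):
            failures[(rec["ip"], rec["path"])] += 1  # repeated auth failures on one path
    findings = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # shrink the window from the left
                start += 1
            if end - start + 1 > max_requests:
                findings.setdefault(ip, set()).add("flood")
                break
    for (ip, path), n in failures.items():
        if n > max_failures:
            findings.setdefault(ip, set()).add("brute-force:" + path)
    return findings

# Constructed sample traffic (not real logs): 203.0.113.7 guesses passwords, 198.51.100.9 floods /, 192.0.2.1 is normal.
SAMPLE_LOG = (
    ['203.0.113.7 - - [11/Sep/2020:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "curl/7.68"' % i for i in range(8)]
    + ['198.51.100.9 - - [11/Sep/2020:10:01:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "-"'] * 25
    + ['192.0.2.1 - - [11/Sep/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
)
```

Run `find_abusive_clients(open("access.log").readlines())` against a real log to get the same dictionary; the same counts are what a mod_evasive or Nginx `limit_req` policy would be tuned against.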

#9

CAUSE:

Installing a web server with the default user and group makes it easy prey for attackers.

PREVENTION: Please refer to the url below for a better understanding of how to apply various access controls to the web server:

https://portswigger.net/web-security/access-control

For the Nginx server, please refer to the url below: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04

For the Apache server, please refer to the url below:

https://fideloper.com/user-group-permissions-chmod-apache

VERIFICATION: Same as in point #5.

#10

CAUSE:

Sensitive information disclosure (server details like the server version and OS version) makes it simpler for attackers to break into your server.

PREVENTION: For the Apache server, configure the following appropriately: i) ServerSignature ii) ServerTokens iii) ETag

For the Nginx server, disable the following: i) server_tokens ii) more_clear_headers iii) ETag

Please refer to the url below for both Nginx & Apache: https://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/

VERIFICATION: curl --head <<your_domain_url>>
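To make the `curl` check above repeatable, here is an added verification example for points #6 and #10 (my own code, not from the original article): it parses a raw HTTP response as captured with `curl -i` and reports version disclosure in the Server header, an Apache ServerSignature footer, ETag and X-Powered-By headers, and an autoindex "Index of" page. The two sample responses are constructed for illustration and were not captured from any real host.

```python
import re

VERSION_RE = re.compile(r"\d+\.\d+")                   # e.g. "Apache/2.4.41", "nginx/1.18.0"
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)  # Apache/Nginx autoindex page title
SIGNATURE_RE = re.compile(r"Server at \S+ Port \d+")    # Apache ServerSignature footer

def parse_response(raw):
    """Split a raw HTTP/1.x response (as printed by `curl -i`) into status code, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers, body

def audit_response(raw):
    """Return a list of disclosure findings for one captured response (empty list = clean)."""
    status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("server-version-disclosed: " + server)   # ServerTokens / server_tokens
    if "x-powered-by" in headers:
        findings.append("x-powered-by-disclosed: " + headers["x-powered-by"])
    if "etag" in headers:
        findings.append("etag-present: " + headers["etag"])
    if SIGNATURE_RE.search(body):
        findings.append("server-signature-in-body")               # ServerSignature On
    if status == 200 and LISTING_RE.search(body):
        findings.append("directory-listing-enabled")              # autoindex / Options Indexes
    return findings

# Constructed sample responses (not captured from any real host).
LEAKY = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
    'ETag: "2a-5b1c2d3e4f5a6"\r\nContent-Type: text/html\r\n\r\n'
    "<html><head><title>Index of /backup</title></head><body>"
    "<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address></body></html>"
)
HARDENED = (
    "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Forbidden</h1></body></html>"
)
```

Feed it `subprocess.run(["curl", "-si", url], capture_output=True, text=True).stdout` for a live check; an empty list after applying the ServerTokens/ServerSignature and autoindex settings confirms the hardening took effect.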

#11

CAUSE:

Enabling Server Side Include (SSI) and Common Gateway Interface (CGI) scripts at the web server level. This empowers attackers to overload your server or inject malicious scripts into your code.

PREVENTION: Turn these options off (Apache web server hardening).

For the Apache server, please refer to these urls:
https://httpd.apache.org/docs/2.4/howto/ssi.html
https://httpd.apache.org/docs/2.4/misc/security_tips.html#page-header

VERIFICATION: Please refer to the url below:

https://geekflare.com/apache-web-server-hardening-security/

Links referred to for the article:

https://wpbuffs.com/apache-security-best-practices/

The web server is undoubtedly a critical component of client-server technology, and one that must be kept secure.

If you found this article useful, please clap. Also, you can leave your constructive comment below.


Sujit Udhane

I am a Lead Platform Architect working in Pune, India. I have 20+ years of experience in technology, and have spent the last 10+ years working as an Architect.