HTTP/WWW Security Essentials: Server

To invest heavily in maintaining the security of your Web site. Another recent example: Sina, the largest portal site in the country, was successfully attacked one morning and its front page was replaced with a pornographic page, which caused Sina no small embarrassment. These two examples illustrate the importance of Web site security. As the Internet has grown rapidly, the security of the Web has become more important than that of other applications. At the same time, because the Web must be open, that is, everyone must be allowed to access it, prevention is more difficult.
Web security is divided into server security and client (browser) security; the former concerns Web site builders, the latter ordinary users. This chapter discusses both.

II. What is HTTP
HTTP (Hypertext Transfer Protocol) allows users to request and receive hypertext content from the WWW (World Wide Web) and other distributed information systems. It runs on top of TCP and normally binds server port 80, although it can also use other ports and any protocol that provides a reliable data stream. It is a request/response protocol: to obtain information, a browser client (such as Netscape) establishes a TCP connection to an Apache server and requests a resource ("GET"). The server checks the request and responds according to its configuration and the requested content. The server may send a Hypertext Markup Language (HTML) file, text, a picture, sound, an image or a Java applet, which the browser displays. The server can also run a program to respond to the browser's request (through the Common Gateway Interface or the server's own application interface).
An easy way to test an HTTP connection (and also a potential security vulnerability) is to telnet to port 80 on a Web server host. Send "GET /" to retrieve the site's default HTML document (such as index.html), as shown below (most of the HTML content is omitted):
$ telnet 80
Trying ...
Connected to.
Escape character is '^]'.
GET /                         (type GET / followed by Enter)
The server then returns an HTML file, for example:
<title>House of Tigers</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

<frameset rows="128,327*" frameborder="YES" border="0" framespacing="0" cols="*">
<frame name="Topframe" scrolling="NO" noresize src="index-3.html">
<frame name="MainFrame" src="index-2.html">
</frameset>
<noframes><body bgcolor="#FFFFFF">

</body></noframes>
Connection closed by foreign host.
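The same exchange done from a script, as an added example that is not part of the original article: it sends the HTTP/1.0 form of the request typed into telnet above and parses the status line and headers, where a Server header tells anyone who connects what software the host runs. The sample response below is constructed, not captured from a real server.

```python
import socket

# Constructed sample response for offline use (not captured from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/1.3 (Unix)\r\n"
    b"Content-Type: text/html; charset=gb2312\r\n"
    b"\r\n"
    b"<title>House of Tigers</title>\r\n"
)


def build_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.0 form of the 'GET /' typed into telnet; Host: is added for name-based virtual hosts."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Split a reply into (status code, headers dict with lower-cased names, body).

    A reply without a status line (HTTP/0.9 style, as in the telnet session) yields
    status None and the whole reply as body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, {}, raw
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def fetch(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bytes:
    """Do over a socket what the telnet session does by hand (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:          # server closed the connection: reply complete
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    status, headers, body = parse_response(SAMPLE_RESPONSE)
    print(status, headers.get("server"), len(body))
```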

III. Classification of security risks
Web security risks can generally be grouped into three categories:
* Threats to Web servers and their connected LANs
* Threats to Web clients
* Threats to the communication channel between server and client
1. Server risks
Network security is usually built on restrictions that prevent an unidentified person from obtaining unauthorized service. A Web server, on the contrary, wants to accept as many clients as possible, with almost no restrictions or requirements on the client, which makes the Web the most vulnerable to attack of all network servers. The most common threats are bugs in HTTP server software, faulty configuration, unsafe CGI programs, and a lack of strong confidentiality functions. The usual attacks on a server are: modifying or replacing the content the server provides, obtaining access to confidential documents protected by the server's access controls, executing arbitrary commands on the server and compromising its system security, examining log files to violate users' privacy, and denial-of-service attacks that bring down the server or its network connection.
2. Client risks
Browsing the Web is not a very safe activity. Bugs, inappropriate "active content" and scripting, and poor server administration can expose users to the following hazards: application and system crashes, malicious code including viruses and Trojan horses, loss of confidential information, privacy violations, and so on.
The main Web browsers support downloading scripts embedded in an HTML page and executing them in the browser. Typically these programs are used to interact with the user and to transfer information between browser and server. Netscape's JavaScript and Microsoft's VBScript, for example, have had bugs. Even without bugs, it is easy for a malicious Web administrator to place scripts on a page that break confidentiality or cause serious loss. A common attack is JavaScript that produces a deceptive error message or prompt asking the user to supply a network login ID and password. Other client risks come from privacy violations. Many Web sites write a cookie to the client for validation; cookies can track users and reveal which sites they have visited. Client software should provide a way to specify the domains for which cookies should or should not be saved, as required by the RFC that specifies cookie handling.
3. Transport security
The information transmitted between Web client and Web server may be tapped or intercepted at either end of the connection or anywhere in between: on the client's LAN, the server's LAN, the client's ISP, the server's ISP, and any intermediary network between the two ISPs.
Fortunately, IPSec (the IP Security Architecture) has now been proposed, so that network traffic can be authenticated and encrypted at the IP layer. But it is not yet widely used.

IV. Securing the Web server
1. Choosing secure server software
There is a lot of httpd server software for Linux. For example:
* America Online INC aolserver2.x
* Allegro Software Rompager 2.x
* Apache Group apache1.x
* Hawkeye Project Hawkeye 1.x.x
* Sun Microsystems Java Server 1.x
* Idonex AB Roxen 1.x
* Spyglass Spyglass Microserver 2.x
* Rapid Logic INC WebControl 2.x
* Imatix Xitami 2.x
* Zeus Technology Zeus Web Application Server 3
* Vqsoft Vqserver 1.x
If you are interested, visit the relevant sites to learn about their performance and characteristics. Of these, Apache is undoubtedly the most successful: more than half of the sites on the Internet use Apache. The latest version of Apache provides the following security features:
* Access can be restricted by domain name, IP address, user and group
* Users can be configured in groups (instead of a single user list)
* The user access control list can be modified without restarting the server
* CGI executables can be run under the owner's UID
* Permissions on document directories are layered
* Part of a document can be hidden according to security rules
* SSL 2.0 and 3.0 are supported
* A password mechanism is available
* Security rules can be made based on URLs
2. General rules for server configuration
Typically, a Web server should combine good system security practices, configuration and tools to enhance security. For example:
* Dedicate a host to the Web server and do not allow unnecessary interactive logins. Delete all user accounts other than the Web administrator's
* Disable unneeded services in /etc/inetd.conf. If the site requires FTP, make another host the FTP server. Other services should be disabled or restricted, including telnet, finger, netstat/systat, echo, and so on
* Remove unneeded shells and interpreters. If you do not run Perl CGI scripts, remove Perl
* Disable automatic directory listings, symbolic-link following and server-side includes
* Monitor the Web logs closely
* Use secure Web server software, such as software with Secure Sockets Layer (SSL) support
* Consider running the server in a chroot environment
* Use a firewall to control access to the server
It is important to plan carefully who may access the content directories on a secure server. Most Web servers support several access control methods: you can usually grant access by IP address or DNS host name, or require users of a specific directory to supply a password. If a Web server holds confidential company information, take steps to ensure that the information stays in your own hands. Use CGI on a server with extra care: a CGI program can do anything on the system, from giving outsiders access to deleting important files.

V. Securing Web clients
Client software is usually Microsoft's IE, or Netscape, which Microsoft has squeezed out (fortunately it still runs under X Window); there is also the simple lynx, among others.
1. Good client-side security practice
Consider carefully the security settings the program provides; disabling Java and JavaScript makes the browser more secure. Cache and cookie files should be cleaned regularly, and for files from sites you do not trust, use the "save" option rather than the "open" option.
2. Mozilla
In 1998, Netscape decided to release Navigator's source code and create a separate organization, mozilla.org, to oversee its release and maintenance. If we have the time, analysing its source code is believed to be of great benefit to client security. See
3. Lynx
A text-only browser with no pictures and no sound; I like to use it (under Linux), but note that SSL is not supported by default.
4. User privacy
Some sites require users to register before granting access. Most sites keep server logs, which can leak sensitive information including IP addresses, ISPs, previously visited sites, and so on. Other sites push cookies into the pipeline so that the sites the user visits later can be correlated.
Sites can follow these rules:
* Do not require user registration
* Collect only the user's e-mail address and not full contact information
* Do not share e-mail addresses with third parties
* Do not allow the Web log files to be accessed
* Delete the log files when they are no longer needed
At present, the World Wide Web Consortium has begun specifying a standard called the Platform for Privacy Preferences, which lets users control the disclosure of identity information according to their wishes. However, it is not yet used in our country.

VI. Protecting transmission security
From the user's point of view, Web browsing can compromise privacy. TCP/IP provides an anonymous data stream between two machines, but it does not provide confidentiality, integrity or authentication services. There are several proposals for adding a security layer to TCP/IP, including Secure Shell (SSH) and Microsoft's PCT. Secure Sockets Layer (SSL) is currently dominant.
1. SSL
SSL is a protocol from Netscape that provides data security between application protocols such as HTTP, Telnet, NNTP or FTP and the underlying TCP/IP layer. It offers three basic security features:
* Confidentiality: achieved by encrypting the data stream. The symmetric encryption key is unique to each connection and is derived from a secret negotiated between the two sides of the connection
* Server authentication: the client checks a valid server X.509v3 certificate, whether an RSA public-key certificate, a Digital Signature Standard (DSS) certificate or a Diffie-Hellman certificate. The certificate is usually issued by a trusted certification authority
* Integrity: message integrity (the message is neither altered nor lost) is protected by a MAC (Message Authentication Code), a one-way hash function computed over the message and secret data
In addition, SSL provides optional client authentication. SSL's other features, and server authentication in particular, are widely used in electronic commerce. Although different Web browsers indicate a secure SSL connection in different ways, a URL beginning with "https://" indicates that a secure connection has been established between client and server.
See
2. TLS
TLS (Transport Layer Security) was drafted by the Transport Layer Security Working Group, resulting in an RFC document.
TLS is used to establish a secure "session", an association between a client and a server that avoids the costly negotiation of new security parameters for each additional connection. The protocol is divided into the upper TLS Handshake Protocol and the lower TLS Record Protocol. The Handshake Protocol establishes the cryptographic parameters of a secure session: when a TLS client and server begin communicating, they agree on a protocol version, choose cryptographic algorithms, authenticate each other, and use public-key cryptography to generate shared secrets.
See
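What the server-authentication and version requirements described above look like from the client side, as an added example that is not from the article, using Python's ssl module: the weak configuration (encryption without authentication) sits beside the correct one, with a check that tells them apart. Assumptions: the system CA bundle loaded by create_default_context() is the trust anchor, and describe_session() needs network access.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Server authentication as the text describes: the server's X.509 certificate must
    chain to a trusted CA (assumption: the system CA bundle) and match the host name;
    protocol versions older than TLS 1.2 are refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The common mistake: the stream is still encrypted, but any server that answers,
    including one interposed on the path, is accepted without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weaknesses(ctx: ssl.SSLContext) -> list:
    """Return the SSL/TLS features from the text that a context fails to provide."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server authentication: certificate not verified")
    if not ctx.check_hostname:
        problems.append("server authentication: host name not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("confidentiality/integrity: obsolete protocol versions allowed")
    return problems


def describe_session(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run the handshake and report the negotiated parameters (needs network access)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _, key_bits = tls.cipher()
            cert = tls.getpeercert()    # already verified by the handshake
            return {
                "version": tls.version(),
                "cipher": cipher_name,
                "key_bits": key_bits,
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
            }
```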

3. Creating a TLS/SSL server
Most commercial Web server products use SSL. SSLeay uses several cryptographic algorithms, some of which may require a commercial license. SSLeay implements five different algorithms: DES, RSA, RC4, IDEA and Blowfish. The RSA patent is held in the United States and requires a license to use.
Both SSLeay and OpenSSL can be integrated into the Apache Web server. Programmer Ben Laurie has developed the Apache-SSL package, which provides Apache with a set of patches, some extra source code, some help files and a sample configuration file. The patches are applied to the Apache source code, and the result is compiled and linked with SSLeay or OpenSSL.
You can download it from the following site:
If both parties know that the other uses TLS/SSL, any TCP-based protocol running on any port can be transparently secured. For practical reasons, however, several port numbers are reserved for protocols protected by TLS/SSL, so that packet-filtering firewalls can let these secure transmissions pass. For example:
Name        Port number   Description
nsiiops     261/tcp       IIOP Name Service
https       443/tcp       HTTP protocol
ddm-ssl     448/tcp       DDM-SSL
smtps       465/tcp       SMTP protocol
nntps       563/tcp       NNTP protocol
sshell      614/tcp       SSLshell
ldaps       636/tcp       LDAP protocol
ftps-data   989/tcp       FTP protocol, data
ftps        990/tcp       FTP protocol, control
telnets     992/tcp       Telnet protocol
imaps       993/tcp       IMAP4 protocol
ircs        994/tcp       IRC protocol
pop3s       995/tcp       POP3 protocol

VII. Other
Most Web servers are designed to be started by the superuser: the server must run as root in order to bind port 80. Once it has started, it changes its UID to the user specified in the configuration file. Do not run your server as root: although the server must be started as root, the httpd.conf file must not contain a "User root" line. If it does, every script your Web server executes will run as the superuser, creating many potential problems.
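A small audit for the configuration rules in section IV (directory listings, symbolic-link following, server-side includes) and the "User root" rule just above, as an added example that is not from the article. The httpd.conf excerpt is constructed and its paths are hypothetical; the directive names are Apache's own.

```python
import re

# Constructed httpd.conf excerpt with the mistakes the text warns about; paths are hypothetical.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
User root
Group nogroup
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks Includes
    Order allow,deny
    Allow from all
</Directory>
<Directory "/usr/local/apache/htdocs/private">
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile /usr/local/apache/conf/htpasswd
    Require valid-user
</Directory>
"""

# Options values the text says to disable ("All" turns every one of them on).
RISKY_OPTIONS = {"indexes", "followsymlinks", "includes", "all"}


def audit_httpd_conf(text: str) -> list:
    """Return one finding per violated rule; an empty list means nothing was flagged."""
    findings = []
    current = None                      # path of the <Directory> block we are inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding blanks
        if not line:
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        words = line.split()
        key = words[0].lower()
        if key == "user" and len(words) > 1 and words[1].lower() == "root":
            findings.append("User root: every CGI script would run as the superuser")
        elif key == "options":
            # "-Indexes" explicitly disables; "Indexes" or "+Indexes" enables
            enabled = sorted(w.lower().lstrip("+") for w in words[1:]
                             if not w.startswith("-") and w.lower().lstrip("+") in RISKY_OPTIONS)
            if enabled:
                scope = current or "server scope"
                findings.append(f"Options {' '.join(enabled)} enabled in {scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print(finding)
```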
Be careful about mixing HTTP and anonymous FTP. Many sites use the same directory to store documents that are accessed both via anonymous FTP and via the Web site. For example, you might have a directory called /netdocs which is both the anonymous FTP user's home directory and your Web server's document root. This lets the same file be reached through two kinds of URL, such as or. The main advantage of HTTP over FTP is that it is fast and efficient. But the mix raises various security issues:
* Allowing anonymous FTP access to the HTTP directory gives users a way around any access restrictions the Web server places on files. So if you keep confidential documents on your Web server for a long time, you may lose their confidentiality
* If an attacker can download your CGI scripts, he can search them for ways to attack
* You must be completely sure that FTP users cannot upload a script that can be run on your server
* The /etc/passwd file you expose for anonymous FTP may also be seen by someone using the WWW service, disclosing its contents
In addition, note the following:
* Remove unnecessary users (mentioned earlier)
* Do not mount NFS file systems or export any directories
* Delete all compilers
* Remove all utilities not needed for booting or for running the Web server
* Provide as few network services as possible (again)
* Do not run a mail server
If you want to know more about HTTP/WWW security, please visit
