11.1 Webserver Concepts
Web Server Security Issues
- A web server is the combination of hardware and software that hosts websites; attackers usually target vulnerabilities in that software and errors in its configuration to compromise it.
- Network-level and OS-level attacks can now be defended against reasonably well with standard controls such as firewalls, IDS and IPS. Web servers, however, must be reachable from anywhere on the Internet, which leaves them exposed and makes them a more attractive target.
- Firewalls, IDS and IPS can block most network-level and OS-level attacks.
- Attackers have therefore shifted to attacks against the web server itself and against the web application layer.
Why Web Servers Are Compromised
- Improper file and directory permissions.
- Installing the server with default settings.
- Unnecessary services enabled, including content management and remote administration.
- Security requirements conflicting with business ease-of-use requirements.
- Lack of proper security policy, procedures, and maintenance.
- Improper authentication with external systems.
- Default accounts with their default or no passwords.
- Unnecessary default, backup, or sample files.
- Misconfiguration in web server, operating systems, and networks.
- Bugs in server software, OS, and web applications.
- Misconfigured SSL/TLS certificates and encryption settings.
- Administrative or debugging functions that are enabled or accessible on web servers.
- Use of self-signed certificates and default certificates.
Two main categories: misconfiguration and security bugs.
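Most of the items in the list above can be found by reading the server configuration before anyone attacks it. The script below is an added example (it is not part of the original notes) that performs a static review of an Apache httpd configuration for several of them: version disclosure via ServerTokens, HTTP TRACE, directory listing, the service running as root, the default /cgi-bin/ alias and its sample scripts, a server-status/server-info handler that is not restricted with Require local/ip, protocols older than TLS 1.2, and the Debian "snakeoil" self-signed certificate. The check list, the Finding type and the two configurations it runs against (a weak one beside its hardened form) are constructed for this example.

```python
"""Static audit of an Apache httpd configuration for the misconfiguration
classes listed above.  Added example; the check list is this example's own."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line directive issue")  # line is 1-based

# What "all" expands to in httpd 2.4 (SSLv2 was removed) and what must not stay on.
ALL_TLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tls_allows_weak(args: str) -> bool:
    """Evaluate an SSLProtocol argument list (all, +X, -X, X) as mod_ssl does."""
    enabled: set[str] = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        target = set(ALL_TLS) if name.lower() == "all" else {name}
        enabled = enabled - target if tok.startswith("-") else enabled | target
    return bool(enabled & WEAK_TLS)

# (directive, predicate over its argument string, issue text)
SIMPLE_CHECKS = [
    ("ServerTokens", lambda a: a.strip() not in {"Prod", "ProductOnly"},
     "banner reveals version/OS; use ServerTokens Prod"),
    ("TraceEnable", lambda a: a.strip().lower() == "on",
     "HTTP TRACE enabled (cross-site tracing); use TraceEnable Off"),
    ("Options", lambda a: re.search(r"(?<!-)\bIndexes\b", a) is not None,
     "directory listing enabled; use Options -Indexes"),
    ("User", lambda a: a.strip() == "root",
     "httpd runs as root; use an unprivileged service account"),
    ("ScriptAlias", lambda a: (a.split() or [""])[0].startswith("/cgi-bin"),
     "default /cgi-bin/ alias serves sample CGI scripts; remove if unused"),
    ("SSLProtocol", tls_allows_weak,
     "pre-TLS-1.2 protocol enabled; use SSLProtocol -all +TLSv1.2 +TLSv1.3"),
    ("SSLCertificateFile", lambda a: "snakeoil" in a,
     "Debian default self-signed certificate in use; install a CA-issued one"),
]
STATUS_HANDLERS = {"server-status", "server-info"}

def audit_httpd_conf(text: str) -> list[Finding]:
    """Sections (<Directory>, <Location>, ...) are tracked on a stack so that a
    status handler is reported only when its section has no Require local/ip."""
    findings: list[Finding] = []
    stack: list[list] = []  # per open section: [handler or None, restricted?, line]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</") and stack:
            handler, restricted, start = stack.pop()
            if handler and not restricted:
                findings.append(Finding(start, "SetHandler",
                                        f"{handler} exposed without Require local/ip"))
            continue
        if line.startswith("<"):
            stack.append([None, False, lineno])
            continue
        parts = line.split(None, 1)
        directive, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive == "SetHandler" and args.strip() in STATUS_HANDLERS and stack:
            stack[-1][0] = args.strip()
        elif directive == "Require" and stack and args.split()[:1] in (["local"], ["ip"]):
            stack[-1][1] = True
        for name, is_bad, issue in SIMPLE_CHECKS:
            if directive == name and is_bad(args):
                findings.append(Finding(lineno, name, issue))
    return findings

# Constructed samples: a stock-looking weak configuration and its hardened form.
WEAK_CONF = """\
ServerTokens Full
TraceEnable On
User root
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
"""
HARDENED_CONF = """\
ServerTokens Prod
TraceEnable Off
User www-data
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCertificateFile /etc/ssl/certs/www.example.com.crt
"""

if __name__ == "__main__":  # print both reports
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, *audit_httpd_conf(conf), sep="\n  ")
```

Run against the weak sample it reports eight findings, one per weak directive, with the server-status finding attributed to the line that opens its `<Location>` section; the hardened sample produces none. The SSLProtocol check is worth noting: `all -SSLv2` looks like a deliberate restriction but still leaves SSLv3 and TLS 1.0/1.1 enabled, so the evaluator replays the enable/disable list rather than matching on the presence of a `-` token.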
Impact of Webserver Attacks
- Compromise of user accounts.
- Website defacement.
- Secondary attacks from the Website.
- Root access to other applications or servers.
- Data tampering and data theft.
Open Source Webserver Architecture
- Functions of principal components in open source webserver architecture:
- Linux is the server's operating system and provides the platform on which the web server runs.
- Apache is the web server component that handles each HTTP request and response.
- MySQL is the relational database that stores the site's content and the application's configuration data.
- PHP is the application layer technology used to generate dynamic web content.
IIS Web Server Architecture
- Internet Information Services (IIS) for Windows Server is Microsoft's web server for hosting websites, web applications and services on Windows.