csn09101 networked services
play

CSN09101 Networked Services Week 10: Using Apache Week 10: Using - PowerPoint PPT Presentation

Sep 18, 2022 •289 likes •803 views

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Apache Basic Authentication Log Analysis Security Issues Discussions

  1. CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell

  2. This lecture • Apache Basic Authentication • Log Analysis • Security Issues • • Discussions Discussions

  3. Basic Authentication

  4. Basic Authentication • Often you might want simple usernames and passwords to control access you parts of a website. • There are many approaches for this. • The easiest way is to use Basic Authentication. • This, when required, asks the browser to ask you for a username and password for accessing protected pages. • The username and password is sent as clear text for every page request made by the browser.

  5. .htaccess • The best way to control basic authentication is via an .htaccess file in the directory to protect. • To allow this the <directory> definition which includes the directory to be protected must have AllowOveride AuthConfig

  6. Building a Password File • You have to create a file with usernames and passwords. • It is a good idea if this file is not one which someone can access via a URL. > htpasswd –c /home/gordon/password andrew New Password: ******* Retype New Password: ******* Adding password for user andrew. -c is only the first time running the command, as this creates the file too. Miss out –c after the first run.

  7. .htaccess AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/password Require user andrew • Authtype Digest – This is another option, which requests the passwords in an encrypted format. It is not as widely supported as Basic.

  8. The password file • The password file created is just a text file. • As a text file it does not scale well… – As more users are added the file gets bigger. – On every page request the file has to be parsed again. • There are other formats available using hashed files (either db or dbm). These are faster to access but more complex to manage.

  9. Any valid user Require user andrew • Can be changed to Require valid-user • In this way any user in the password file can access the directory.

  10. Groups • Just as in passwd users are also in groups, you can use the same idea for apache. • Create a plain text file with the following format: Groupname: user1 user2 user3 … Groupname: user1 user2 user3 … • If users gordon and andrew exists, and you want them to be known as group staff… staff: gordon andrew

  11. Add to .htaccess AuthType Basic AuthName "By Invitation Only" AuthUserFile /home/gordon/password AuthUserFile /home/gordon/password AuthGroupFile /home/gordon/groups Require group staff

  12. Basic Auth Problems • Its simple protection. • Passwords in the clear. • Every request need the password file lookup • • Large numbers of users difficult to manage Large numbers of users difficult to manage • Not a good idea for commercial systems – Yet some big sites use it! • However, users recognise it and understand it.

  13. Control by IP • .htaccess can offer more control than just Basic Authentication. • You can also restrict access to directories by IP. • To do this you need to use – – Order – read deny then allow or vice versa Order – read deny then allow or vice versa – Allow from – allow this match to access – Deny from – stop this match

  14. Example • Stop 10.0.0.1 accessing a directory… • Edit the .htaccess in that directory: order allow,deny order allow,deny allow from all deny from 10.0.0.1

  15. Order is important order allow,deny allow from all deny from 10.0.0.1 • This is identical to: order allow,deny deny from 10.0.0.1 allow from all

  16. Domain Names • You want to block anyone from jim.com and bob.com: order allow, deny deny bob.com jim.com deny bob.com jim.com allow all

  17. Development site • You want only 10.0.1.0/24 and 10.0.0.2 to access the site: order deny, allow deny 10.0.1.0/24 deny 10.0.1.0/24 deny 10.0.0.2 allow all

  18. Log Analysis

  19. Logs • Apache produces two types of log files – Error Logs – Access Logs • Error logs are useful for debugging • Access logs are excellent for monitoring how your site is being used. – Fun for people who have hobby sites – Life or death if your business relies on the web site.

  20. Where are the logs • Normally they go to /var/log/httpd/access_log and error_log • In a virtual host we set them to what we liked: <VirtualHost> … ErrorLog logs/gr-error_log CustomLog logs/gr-access_log combined </VirtualHost>

  21. Logging in /var/log/http access file • The normally used log format is called “combined”. • It contains significant amounts of information about each page request. • • Specifically, the log format is: Specifically, the log format is: %h %l %u %t %r %>s %b Referrer UserAgent

  22. %h %l %u %t %r %>s %b Referrer UserAgent • h – IP of the client • l – useless ident info • u – username in basic authentication • u – username in basic authentication • t – time of request • r – the request itself • s – The response code (e.g. 200 is a successful request) • b – size of the response page • Referrer – who the client things told it to come here • User Agent – identification info of the browser

  23. Analysing the log • The log is useful in itself for checking the proper function of the server. • However, traffic analysis is also valuable. • There are a number of tools available to do this. • • One of the best free ones is webaliser. One of the best free ones is webaliser.

  24. Webaliser Summary

  25. Analysis • The summer is quiet for linuxzoo. • Students are enthusiastic in October… • After that it settles down to “kept busy”.

  26. Per day activity – October

  27. • I wonder which day was the first tutorial? • Look at the 7 day oscillations. This is common in many web sites. Who stole all my web site data on the 25 th ? •

  28. Hour analysis – October

  29. • Peak learning time (so they say) is 11am. • Students here seem to like 9am-4pm. • American students produce another bump later at night.

  30. Users

  31. Referrer Info

  32. What search terms?

  33. Where from?

  34. Google Analytics • Another approach to web logging is to use JavaScript embedded in each web page. • This does away with the need to access the web log. – Good if you don’t have access! • • It does mean that It does mean that – You only get logs where there is javascript switched on. – Each page is slowed by having extra stuff on it. – It’s a little more complex.

  35. db.grussell.org

  37. Logging Summary • What is best? • I have used both and have mixed feelings… • Things to consider – Convenience – – Reliability Reliability – Availability – Performance – Cost – Privacy – Complexity

  38. Apache Security

  39. Security • Hackers often consider a web server a good hacking target • You should be very careful how apache is configured. • The main problem is CGI scripts – – CGI is a program which runs when you view a page. CGI is a program which runs when you view a page. – Its output is sent back to the user’s browser. – As it is an active process it can do permanent things to your server.

  40. Simple CGI: who.cgi #!/bin/sh echo 'Content-Type: text/html; charset=ISO-8859-1' echo echo '<body><pre>' echo '<body><pre>' whoami env echo '</pre></body>'

  41. http://servername/who.cgi apache SERVER_SIGNATURE= Apache/2.0.51 (Fedora) Server at servername Port 80 UNIQUE_ID=umn4CZKwogYAADNFYkcAAAAI HTTP_KEEP_ALIVE=300 HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en- GB; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 SERVER_PORT=80 SERVER_PORT=80 HTTP_HOST=servername DOCUMENT_ROOT=/home/gordon/public_html

  42. Issues • This cgi program only prints. • However, it could also delete things, or transfer data, copy passwords, etc. • • A hacker is rarely wanting distruction. A hacker is rarely wanting distruction. • Hackers want access! This requires either – Transferring hacking programs to the server – Copying files from the server (e.g. /etc/passwd).

  43. Ideas • Make sure apache runs as a user just for the server – The user “apache” is commonly used here. – In the httpd.conf, make sure there is: user apache user apache group apache • Hide the apache version number. – Might be useful if a hacker is searching for a buggy apache version. – In httpd.conf ServerSignature Off ServerTokens Prod

  44. • Don’t allow apache to ever give pages from “/” <Directory /> Order Deny,Allow Deny from all </Directory> </Directory> • Do you really need directory browsing? Options -Indexes

  45. • The apache user should not own its conf files $ chown -R root:apache /etc/httpd $ chmod -R u=rwx,g=r,o-rwx /etc/httpd • Do not allow apache to surf the web: $ iptables -A OUTPUT -m owner --uid-owner apache -m state --state NEW -j DROP

  46. Discussion

Recommend

CSN09101 Networked Services Week 9: Early revision session Week 9: Early revision session

CSN09101 Networked Services Week 9: Early revision session Week 9: Early revision session

CSN09101 Networked Services Week 9: Early revision session Week 9: Early revision session Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Preparation for Class Test Past Paper Exercises Practical Class Test

491 views • 27 slides
CSN09101 Networked Services Week 5 : Networking Week 5 : Networking Module Leader: Dr Gordon

CSN09101 Networked Services Week 5 : Networking Week 5 : Networking Module Leader: Dr Gordon

CSN09101 Networked Services Week 5 : Networking Week 5 : Networking Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Linux networking for end systems Linux as a router Linux as a switch Debugging

875 views • 58 slides
CSN09101 Networked Services Week 11: Email Management Week 11: Email Management Module Leader:

CSN09101 Networked Services Week 11: Email Management Week 11: Email Management Module Leader:

CSN09101 Networked Services Week 11: Email Management Week 11: Email Management Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture SMTP Linux Email Discussions SMTP SMTP Email is send between source

672 views • 53 slides
CSN09101 Networked Services Week 8: Essential Apache Week 8: Essential Apache Module Leader: Dr

CSN09101 Networked Services Week 8: Essential Apache Week 8: Essential Apache Module Leader: Dr

CSN09101 Networked Services Week 8: Essential Apache Week 8: Essential Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Configuring Apache Mod_rewrite Discussions Configuring Apache Apache

624 views • 48 slides
Experiences with Tracing Causality in Networked Services Rodrigo

Experiences with Tracing Causality in Networked Services Rodrigo

Experiences with Tracing Causality in Networked Services Rodrigo Fonseca, Brown Michael Freedman, Princeton George Porter, UCSD April 2010 INM/WREN San

779 views • 35 slides
Networked VR Ashweeni Beeharee Ashweeni Beeharee VE Course - Networked VR 1 Content

Networked VR Ashweeni Beeharee Ashweeni Beeharee VE Course - Networked VR 1 Content

Networked VR Ashweeni Beeharee Ashweeni Beeharee VE Course - Networked VR 1 Content Networked VR scenarios Architectures Peer-to-peer Consistency Full Partial Predicted Conclusion Ashweeni Beeharee VE Course -

567 views • 22 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
NAG : Motivating Deployment of Networked Systems Mohit Lad UCLA Deployment of Networked Systems

NAG : Motivating Deployment of Networked Systems Mohit Lad UCLA Deployment of Networked Systems

NAG : Motivating Deployment of Networked Systems Mohit Lad UCLA Deployment of Networked Systems Goal: How do you convince users to deploy applications? Prior work: Lottery System (Sigcomm 07) Probabilistic incentive to motivate

448 views • 7 slides
Web Services and Linked Data INFM 603 Session 10 Networked Data Exchange Service-Oriented

Web Services and Linked Data INFM 603 Session 10 Networked Data Exchange Service-Oriented

Web Services and Linked Data INFM 603 Session 10 Networked Data Exchange Service-Oriented Network of Workstations Web API Web services Service Oriented Architecture Content-oriented Web scraping Microformats

169 views • 15 slides
Whats Next for Networked Games? Wu-chang Feng W. Feng, &quot;What's Next for Networked

Whats Next for Networked Games? Wu-chang Feng W. Feng, &quot;What's Next for Networked

Whats Next for Networked Games? Wu-chang Feng W. Feng, &quot;What's Next for Networked Games&quot;, NetGames 2007 keynote talk, Sept. 19-20, 2007. Networked Games ? A smashing success W. Feng, &quot;What's Next for Networked Games&quot;,

622 views • 37 slides
Digitalization for the networked society Jose Luis Ayala July 18 th , 2017 Ericsson The

Digitalization for the networked society Jose Luis Ayala July 18 th , 2017 Ericsson The

CANTO 33 rd Annual Conference Punta Cana, Dominican Republic Digitalization for the networked society Jose Luis Ayala July 18 th , 2017 Ericsson The Networked society is Accelerating change 50 Our Vision: A networked society where every

313 views • 9 slides
networked control systems Massimo Franceschetti PhD School on Control of Networked and

networked control systems Massimo Franceschetti PhD School on Control of Networked and

Elements of information theory for networked control systems Massimo Franceschetti PhD School on Control of Networked and Large-Scale Systems, Lucca, Italy, July 2013 Motivation Motivation January 2007 January 2012 January 2014 Motivation

554 views • 52 slides
Self-Organizing Search in the Web of Things Kay Rmer, University of Lbeck Networked Embedded

Self-Organizing Search in the Web of Things Kay Rmer, University of Lbeck Networked Embedded

Self-Organizing Search in the Web of Things Kay Rmer, University of Lbeck Networked Embedded Sensing Research Protocols Adaptation to interference Programming Models Role assignment Services Content-based Sensor Search

404 views • 26 slides
Networked Insurance Personal Lines Networked gives you the tools you need to make your Personal

Networked Insurance Personal Lines Networked gives you the tools you need to make your Personal

Networked Insurance Personal Lines Networked gives you the tools you need to make your Personal Lines business grow! Personal Lines Management Scott Smith Personal Lines Manager 530-274-6981 Scott.smith@networkedins.com Charna

477 views • 33 slides
Electricity and heat from waste Expansion of district heat 2009-2012 : More networked schools

Electricity and heat from waste Expansion of district heat 2009-2012 : More networked schools

Electricity and heat from waste Expansion of district heat 2009-2012 : More networked schools 5,000 MWh/a Networked police buildings and universities 6,000 MWh/a Newly networked

394 views • 18 slides
Goal Appreciate the importance of complexity management in networked computing

Goal Appreciate the importance of complexity management in networked computing

Understanding Networked Applications: A First Course Goal Appreciate the importance of complexity management in networked computing Understand better the role of architecture in Chapter 6 complexity management Examine

391 views • 9 slides
Where do you keep your photos? Personal Information Management in a Networked World

Where do you keep your photos? Personal Information Management in a Networked World

Where do you keep your photos? Personal Information Management in a Networked World Understand some of the problems relating to the management of digital belongings Understand how these are shifting in an online, socially networked

497 views • 38 slides
Observations COTS software in government systems is generally out of date at IOC and falls

Observations COTS software in government systems is generally out of date at IOC and falls

World Wide Consortium for the Grid (W2COG) Institute: Assured Value-of-Information-Service (V oIS) across a networked enterprise ACQUISTION LITE: Better networked capability - faster, and cheaper - through adaptive collaborative,

397 views • 17 slides
Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS Swedish ICT ( home.deib.polimi.it/mottola ) Who am I? Whats the course about? Networked Embedded Software Software that powers networked embedded

530 views • 35 slides
Networked Systems Laboratory (NetSysLab) University of British Columbia A golf course a

Networked Systems Laboratory (NetSysLab) University of British Columbia A golf course a

How well do CPU, GPU and Hybrid Graph Processing Frameworks Perform? Tanuj Kr Aasawat , Tahsin Reza, Matei Ripeanu Networked Systems Laboratory (NetSysLab) University of British Columbia Networked Systems Laboratory (NetSysLab) University of

978 views • 28 slides
From control of networks to networked control Wing Shing Wong Department of Information

From control of networks to networked control Wing Shing Wong Department of Information

From control of networks to networked control Wing Shing Wong Department of Information Engineering The Chinese University of Hong Kong Objective: Explore impacts of recent Internet development on network control and networked control

875 views • 60 slides
System Architecture Directions for Networked Systems Based on paper written by Jason Hill,

System Architecture Directions for Networked Systems Based on paper written by Jason Hill,

System Architecture Directions for Networked Systems Based on paper written by Jason Hill, Robert Szewczyk, Seth Collar, David Culler, Kristofer Pister UC Berkeley Outline Introduction Networked sensor characteristics Example

738 views • 30 slides
Networked I/O for Virtual Machines Approaches and Challenges Muli Ben-Yehuda , Ben-Ami Yassour,

Networked I/O for Virtual Machines Approaches and Challenges Muli Ben-Yehuda , Ben-Ami Yassour,

Networked I/O for Virtual Machines Approaches and Challenges Muli Ben-Yehuda , Ben-Ami Yassour, Orit Wasserman { muli,benami,oritw } @il.ibm.com IBM Haifa Research Lab IBM Corporation 2008 c Israeli Networking Seminar, May 2008 Networked

488 views • 17 slides

More recommend