Oracle HTTP server security
OGH DBA Dag, 14 september 2010
Frits Hoogland
Tuesday, September 14, 2010


What is security?
- Information security (Wikipedia): "Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction."


Firewall!


Firewall
Diagram: host.example.com (the client) talks straight to the Webserver. Listening on the webserver:
- httpd (tcp/80)
- ssh (tcp/22)
- portmap (tcp/111)
- rpc.statd (tcp/676)
- sendmail (tcp/25)
- cups (tcp/631)


Firewall
Diagram: host.example.com -> Firewall -> host.dmz.local (Webserver). The same services still listen on the webserver:
- httpd (tcp/80)
- ssh (tcp/22)
- portmap (tcp/111)
- rpc.statd (tcp/676)
- sendmail (tcp/25)
- cups (tcp/631)


Firewall
- A firewall manages network traffic
  - Denies or permits network access based on rules
  - This means either full access to a daemon/service/process or no access


Firewall
- Examples of firewalls:
  - PIX (Cisco)
  - Netscreen (Juniper)
  - Firewall Software Blade (Check Point)
- But also:
  - iptables (Linux)


Architecture
Diagram: host.example.com -> Firewall -> host.dmz.local (Webserver) -> app.local (Appserver) -> db.local. Listening services per host:

    host.dmz.local        app.local             db.local
    httpd (tcp/80)        java (tcp/8007)       tnslsnr (tcp/1521)
                          httpd (tcp/80)        httpd (tcp/80)
    ssh (tcp/22)          ssh (tcp/22)          ssh (tcp/22)
    portmap (tcp/111)     portmap (tcp/111)     portmap (tcp/111)
    rpc.statd (tcp/676)   rpc.statd (tcp/676)   rpc.statd (tcp/676)
    sendmail (tcp/25)     sendmail (tcp/25)     sendmail (tcp/25)
    cups (tcp/631)        cups (tcp/631)        cups (tcp/631)


Architecture
Diagram: host.example.com -> Firewall -> host.dmz.local (Webserver) -> F (firewall) -> app.local (Appserver) -> db.local. The appserver's Java listener is now shown as ajp13 (tcp/8007):

    host.dmz.local        app.local             db.local
    httpd (tcp/80)        ajp13 (tcp/8007)      tnslsnr (tcp/1521)
                          httpd (tcp/80)        httpd (tcp/80)
    ssh (tcp/22)          ssh (tcp/22)          ssh (tcp/22)
    portmap (tcp/111)     portmap (tcp/111)     portmap (tcp/111)
    rpc.statd (tcp/676)   rpc.statd (tcp/676)   rpc.statd (tcp/676)
    sendmail (tcp/25)     sendmail (tcp/25)     sendmail (tcp/25)
    cups (tcp/631)        cups (tcp/631)        cups (tcp/631)


Architecture
Diagram: host.example.com -> Firewall -> host.dmz.local (Webserver) -> F (firewall) -> app.local (Appserver) -> F (firewall) -> db.local. Services per host are unchanged:

    host.dmz.local        app.local             db.local
    httpd (tcp/80)        ajp13 (tcp/8007)      tnslsnr (tcp/1521)
                          httpd (tcp/80)        httpd (tcp/80)
    ssh (tcp/22)          ssh (tcp/22)          ssh (tcp/22)
    portmap (tcp/111)     portmap (tcp/111)     portmap (tcp/111)
    rpc.statd (tcp/676)   rpc.statd (tcp/676)   rpc.statd (tcp/676)
    sendmail (tcp/25)     sendmail (tcp/25)     sendmail (tcp/25)
    cups (tcp/631)        cups (tcp/631)        cups (tcp/631)


Webserver
- Clients communicate with the webserver directly.
- Traffic from and to the webserver is unfiltered
  - In most cases; the exceptions are devices that do inspect the traffic:
    - Juniper SSG, Cisco ASA
    - Netasq, Astaro, Sonicwall, Fortinet
    - Snort inline


Webserver
- Apache http daemon
  - Functionality
  - Configuration
- Default configuration after install






How to harden?
- Webserver scanner: Nikto2
  - Demo: usage of nikto
- Global vulnerability scanner: Nessus
  - Demo: usage of nessus 4.2
- Scan, resolve findings, scan, resolve, etc.


How to harden?
- Upgrades can alter behavior
- Upgrades can introduce new findings
- Configuration changes can add/remove behavior
- Scans are no guarantee for having a correct configuration


Example: incorrect config
- We got a host: oel5-http / 10.0.1.12
- This host has a webserver at 7777/tcp
  - Default port of an OHS version 11.1 on Linux
- Open ports:

    vxlt090101:~ fritshoogland$ nmap 10.0.1.12 -PN
    Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-05-04 14:49 CEST
    Interesting ports on 10.0.1.12:
    Not shown: 999 filtered ports
    PORT     STATE SERVICE
    7777/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 25.92 seconds


Example: incorrect config
- The host and webserver were hardened.
- Some administrator tried to configure something in apache, and added to httpd.conf:

    ProxyRequests On
    ProxyVia On
    AllowCONNECT 25 22 80 443

  - Probably to use some proxy functionality
  - ProxyRequests On turns the webserver into a forward proxy for anyone who can reach it; AllowCONNECT lists the ports a CONNECT tunnel may be opened to (here sendmail, ssh, http and https)
  - The application keeps functioning correctly
  - Let's see what this introduces...
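The demo behind this slide is a CONNECT request sent by hand to the listener. The script below, an added example and not part of the original deck, does the same check per port and classifies the answer. CONNECT is used rather than an absolute-URI GET on purpose: Apache with ProxyRequests Off answers "GET http://other-host/ HTTP/1.0" from its own document root, which looks like a proxied fetch and gives a false positive, whereas a tunnel only comes up when mod_proxy_connect is really handling the request. Assumptions: `nc` (netcat) is installed, the target host/port are given as arguments, and "localhost" on the server side is what the slide's administrator exposed.

```shell
#!/bin/sh
# Added example, not from the original slides. Probes an Apache/OHS listener
# for the open forward proxy that "ProxyRequests On" switches on, the way the
# slide's demo does by hand with a CONNECT request, and reports per inner
# port whether the proxy tunnelled the connection.
# Assumes `nc` (netcat) is installed and the target is reachable.

# Send one raw HTTP request and print the status line the server answers with.
# $1 = proxy host, $2 = proxy port, $3 = request line without the CRLF.
raw_status_line() {
    printf '%s\r\nHost: %s\r\n\r\n' "$3" "$1" \
        | nc -w 5 "$1" "$2" | head -n 1 | tr -d '\r'
}

# Classify the status line returned for a CONNECT request.
# mod_proxy_connect answers "HTTP/1.0 200 Connection Established" once the
# tunnel to the inner target is up, so any 2xx means an open proxy. Anything
# else (403 from AllowCONNECT or a deny rule, 405/501 when CONNECT is not
# handled at all) means the tunnel was refused.
proxy_verdict() {
    code=$(printf '%s\n' "$1" | awk '$1 ~ /^HTTP\// { print $2 }')
    case "$code" in
        2[0-9][0-9]) echo "open-proxy" ;;
        "")          echo "no-http-reply" ;;
        *)           echo "refused ($code)" ;;
    esac
}

# Ask the proxy at $1:$2 for a tunnel to $3:$4 and print the verdict.
probe_connect() {
    status=$(raw_status_line "$1" "$2" "CONNECT $3:$4 HTTP/1.0")
    printf '%s:%s -> %s:%s  %s  [%s]\n' "$1" "$2" "$3" "$4" \
        "$(proxy_verdict "$status")" "$status"
}

# Stand-alone use: ./proxy_probe.sh 10.0.1.12 7777
# Walks the ports from the slide's AllowCONNECT line plus one that is not in
# it (3389), so the output also shows whether AllowCONNECT limits the tunnel.
if [ "$#" -ge 2 ]; then
    for port in 25 22 80 443 3389; do
        probe_connect "$1" "$2" localhost "$port"
    done
fi
```

With the slide's configuration the first four probes come back "open-proxy" and the 3389 one "refused (403)"; after setting ProxyRequests Off (reverse proxying via ProxyPass does not need it) every port is refused.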




HTTPS
- Q: Does HTTPS make your site more secure?


HTTPS
- Same host: oel5-http / 10.0.1.12
- This host has a webserver at 4443/tcp
  - Default SSL port of an OHS version 11.1 on Linux
- Open ports:

    vxlt090101:~ fritshoogland$ nmap -PN 10.0.1.12
    Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2010-05-05 14:45 CEST
    Interesting ports on 10.0.1.12:
    Not shown: 999 filtered ports
    PORT     STATE SERVICE
    4443/tcp open  pharos
    Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds




HTTPS
- HTTPS encrypts communication
  - It doesn't make your site more secure
- It's not possible to access sendmail this way, though
  - A proxy relays communication
  - This means a 'connect' will try to do an SSL handshake with sendmail


Scans
- Most scans are done in an automated way
  - MOSTLY simple scans, searching for known vulnerabilities (from apache access_log):

    CONNECT :
    GET ../../../etc/passwd
    GET /scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+c:\
    GET /scripts/root.exe?/c+dir+c:\

  - Some are targeted attacks
    - Often careful investigations
    - Often hardly visible
    - Low pace
    - Different ip addresses
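The four request strings on this slide are good enough to drive a simple detection over the access_log. The script below is an added example, not part of the original deck: it runs those strings as patterns over a log file and summarises hits per client address, so the noisy automated scanners stand out from normal traffic. The log lines it writes are constructed for the example (the request strings are the slide's, the addresses and timestamps are made up); it goes one step beyond the slide by also matching %c1%9c, the other overlong UTF-8 encoding used by the same IIS probes.

```shell
#!/bin/sh
# Added example, not part of the original slides: turn the scanner requests
# quoted on the slide into detection patterns and run them over an Apache
# access_log, summarising hits per client. The log written by write_sample_log
# is constructed for this example; only the request strings come from the slide.

# Print "client<TAB>pattern<TAB>count" for every matching request in log $1.
# Common and combined log formats both keep the client IP in field 1 and the
# request line in the first double-quoted field, which is all that is used.
scan_access_log() {
    awk '
    {
        split($0, q, "\"")          # q[2] = the request line
        req = q[2]; pat = ""
        # order matters: the IIS unicode probe also contains "../" and cmd.exe
        if (req ~ /^CONNECT /)                          pat = "connect-method"
        else if (tolower(req) ~ /%c0%af|%c1%9c/)        pat = "overlong-utf8-slash"
        else if (tolower(req) ~ /cmd\.exe|root\.exe/)   pat = "win-shell-probe"
        else if (req ~ /\.\.\//)                        pat = "dir-traversal"
        if (pat != "") hits[$1 "\t" pat]++
    }
    END { for (k in hits) print k "\t" hits[k] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample access_log in common log format; addresses and
# timestamps are made up, the request strings are the ones on the slide.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.1.2 - - [06/May/2010:08:12:16 +0200] "GET / HTTP/1.1" 200 11030
203.0.113.7 - - [06/May/2010:08:13:01 +0200] "CONNECT localhost:25 HTTP/1.0" 403 210
203.0.113.7 - - [06/May/2010:08:13:05 +0200] "GET ../../../etc/passwd HTTP/1.0" 400 226
198.51.100.9 - - [06/May/2010:08:14:40 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?+/c+dir+c:\ HTTP/1.0" 404 209
198.51.100.9 - - [06/May/2010:08:14:41 +0200] "GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0" 404 209
203.0.113.7 - - [06/May/2010:08:15:00 +0200] "CONNECT localhost:22 HTTP/1.0" 403 210
EOF
}

# Stand-alone use: ./scan_access_log.sh /var/log/httpd/access_log
if [ "$#" -eq 1 ]; then
    scan_access_log "$1"
fi
```

On the sample the output is four lines: 198.51.100.9 with one overlong-utf8-slash and one win-shell-probe hit, 203.0.113.7 with two connect-method hits and one dir-traversal. The targeted, low-pace attacks the slide mentions will not show up this way; this only catches the loud ones.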


Scanning yourself
- To harden for the 'outside', you need to scan from the 'outside'!
- This is doable with 'tor'
  - Tor is implemented as a (SOCKS) proxy
    - It hops a few tor hosts
    - Then comes out somewhere randomly
    - After 10 minutes, it re-does this, and comes out somewhere else
    - It's not very fast...
  - Any tool which is able to use a proxy can use it
    - Nessus does not use a proxy


Information spilling
- A webserver 'spills' information about itself
  - This is controlled with the 'ServerTokens' directive
  - Ranges from 'Full' (most information):

    vxlt090101:~ fritshoogland$ printf "HEAD / HTTP/1.0\n\n" | nc 10.0.1.12 7777
    HTTP/1.1 200 OK
    Date: Thu, 06 May 2010 07:59:57 GMT
    Server: Oracle-Application-Server-11g/11.1.1.2.0 Oracle-HTTP-Server (Unix) mod_ssl/11.0.0.0.0 OtherSSL/0.0.0 mod_plsql/11.1.1.0.0 mod_onsint/2.0
    Last-Modified: Sun, 25 Apr 2010 12:22:40 GMT
    ETag: "25d84f-2b16-4850eb7692400"
    Accept-Ranges: bytes
    Content-Length: 11030
    Connection: close
    Content-Type: text/html
    Content-Language: en


Information spilling
  - To 'Prod' (least information):

    vxlt090101:~ fritshoogland$ printf "HEAD / HTTP/1.0\n\n" | nc 10.0.1.12 7777
    HTTP/1.1 200 OK
    Date: Thu, 06 May 2010 08:06:04 GMT
    Server: Oracle-Application-Server-11g
    Last-Modified: Sun, 25 Apr 2010 12:22:40 GMT
    ETag: "25d84f-2b16-4850eb7692400"
    Accept-Ranges: bytes
    Content-Length: 11030
    Connection: close
    Content-Type: text/html
    Content-Language: en


Information spilling
  - Lesser known is 'custom'
    - Which lets you specify the Server field (!). In httpd.conf:

    ServerTokens custom "Ping/Pong"

    vxlt090101:~ fritshoogland$ printf "HEAD / HTTP/1.0\n\n" | nc 10.0.1.12 7777
    HTTP/1.1 200 OK
    Date: Thu, 06 May 2010 08:12:16 GMT
    Server: Ping/Pong
    Last-Modified: Sun, 25 Apr 2010 12:22:40 GMT
    ETag: "25d84f-2b16-4850eb7692400"
    Accept-Ranges: bytes
    Content-Length: 11030
    Connection: close
    Content-Type: text/html
    Content-Language: en


Information spilling
- No guarantee, just a precaution
  - Oracle 11.1.1.2.0 HTTP Server => Apache 2.2.13
- This is what the HMAP nessus plugin says:

    This web server was fingerprinted as : Apache/2.2.11 (Gentoo) mod_ssl/2.2.11 OpenSSL/0.9.8k
    which is not consistent with the displayed banner : Ping/Pong
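Both of the configuration mistakes in this deck (the banner level left at Full, and the proxy directives from the "incorrect config" example) are visible in httpd.conf before any scanner is pointed at the host. The script below is an added example, not part of the original slides: a static check of one httpd.conf for ServerTokens, ProxyRequests, AllowCONNECT and ProxyVia, with the last occurrence of a directive winning as it does in Apache. It assumes a flat file (directives pulled in through Include are not followed) and writes two constructed sample configs, a weak one with the slide's three lines and a hardened one, to show the difference.

```shell
#!/bin/sh
# Added example, not from the original slides: a static check of one
# httpd.conf for the two things this deck demonstrates, the ServerTokens
# banner level and the forward-proxy switches (ProxyRequests, AllowCONNECT,
# ProxyVia). Assumes a flat file: directives pulled in through Include are
# not followed, so run it on the file that holds the listener's configuration.

# Print the last effective value of directive $2 in file $1 (the last
# occurrence wins in Apache). Comment lines are skipped and the directive
# name is matched case-insensitively. Prints nothing when it is unset.
conf_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == want { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { if (val != "") print val }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One finding per line; prints "OK" when there is nothing to report.
audit_httpd_conf() {
    findings=0
    tokens=$(conf_value "$1" ServerTokens)
    case "$(lower "$tokens")" in
        "")
            echo "ServerTokens unset: Apache defaults to Full (product, version, OS and every module version)"
            findings=$((findings + 1)) ;;
        prod*|custom*)
            ;;   # Prod/ProductOnly, or the OHS-only fixed string: fine
        *)
            echo "ServerTokens $tokens: still leaks version/module detail, use Prod"
            findings=$((findings + 1)) ;;
    esac
    if [ "$(lower "$(conf_value "$1" ProxyRequests)")" = on ]; then
        echo "ProxyRequests On: forward proxy for anyone who can reach this listener"
        findings=$((findings + 1))
        ports=$(conf_value "$1" AllowCONNECT)
        if [ -n "$ports" ]; then
            echo "AllowCONNECT $ports: CONNECT tunnels are allowed to these inner ports"
        fi
    fi
    if [ "$(lower "$(conf_value "$1" ProxyVia)")" = on ]; then
        echo "ProxyVia On: a Via: header names this proxy to the other end"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo OK
    return 0
}

# Constructed sample configs (not files from the slides): $1 gets the lines
# the slide's administrator added with the banner left at its default,
# $2 gets the hardened equivalent.
write_samples() {
    cat > "$1" <<'EOF'
# weak: forward proxying on, banner level not set (defaults to Full)
ProxyRequests On
ProxyVia On
AllowCONNECT 25 22 80 443
EOF
    cat > "$2" <<'EOF'
# hardened: no forward proxying, minimal banner
ProxyRequests Off
ServerTokens Prod
EOF
}

# Stand-alone use: ./audit_httpd_conf.sh $ORACLE_INSTANCE/config/OHS/ohs1/httpd.conf
if [ "$#" -eq 1 ]; then
    audit_httpd_conf "$1"
fi
```

On the weak sample this prints four findings (ServerTokens unset, ProxyRequests On, AllowCONNECT 25 22 80 443, ProxyVia On); on the hardened one it prints OK. As the slide says, this is a precaution and no guarantee: the banner can be changed, the fingerprint cannot.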


Information spilling
- By default, the webcache spills too:

    vxlt090101:~ fritshoogland$ printf "HEAD / HTTP/1.0\n\n" | nc 10.0.1.12 7785
    HTTP/1.1 200 OK
    Date: Thu, 06 May 2010 08:54:31 GMT
    ETag: "25d84f-2b16-4850eb7692400"
    Accept-Ranges: bytes
    Content-Length: 11030
    Content-Type: text/html
    Content-Language: en
    Connection: Close
    Server: Oracle-Fusion-Middleware/11g (11.1.1.2) Ping/Pong Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=19496115347,0)
    Last-Modified: Sun, 25 Apr 2010 12:22:40 GMT


Information spilling
- Web cache manager
  - Properties, Security settings
    - Servertokens: full/prod/none
  - When set to none:

    vxlt090101:~ fritshoogland$ printf "HEAD / HTTP/1.0\n\n" | nc 10.0.1.12 7785
    HTTP/1.1 200 OK
    Date: Thu, 06 May 2010 09:02:13 GMT
    ETag: "25d84f-2b16-4850eb7692400"
    Accept-Ranges: bytes
    Content-Length: 11030
    Content-Type: text/html
    Content-Language: en
    Connection: Close
    Server: Ping/Pong
    Last-Modified: Sun, 25 Apr 2010 12:22:40 GMT
    (N;ecid=19496588444,0)


Information spilling
- This is what the HMAP nessus plugin says:

    Nessus was not able to exactly identify this server. It might be :
    Apache/2.2 (Mandriva Linux)
    Oracle AS10g/9.0.4 Oracle HTTP Server OracleAS-Web-Cache-10g/9.0.4.0.0 (N)
    Apache/2.0.50-54 (Unix)
    The fingerprint differs from the known signatures on 4 point(s).


Ports < 1024
- On Linux/Unix requires root privileges
  - Webcache:
    - webcache_setuser.sh setroot oracle
    - set port 80 in admin site
  - Oracle HTTP Server:
    - chown root $ORACLE_HOME/ohs/bin/.apachectl
    - chmod 6750 $ORACLE_HOME/ohs/bin/.apachectl (setuid/setgid root, executable by owner and group only)
    - change portnumber in httpd.conf
- chroot jail
  - No common practice with Oracle products
  - Would break OPMN


Instances
- New configuration setup
  - Used with 'webtier' and Weblogic server
  - Idea probably borrowed from BEA Weblogic
- All variable files are put in a directory structure
  - 'Webtier': OPMN, OHS, WebCache
  - Structure resides inside $ORACLE_HOME, in a directory beneath 'instances'


mod_security
- Apache module
  - Function: OSI layer 7 firewall (a web application firewall)
  - Used to be installed with 10g AS
    - But not configured.
  - Not delivered anymore


mod_security
- Some websites need filtering
  - Filtering inside SSL/HTTPS
  - Scanner & robot detection
  - Protocol enforcement
  - Limit argument number, name length
  - Filtering of known attacks
  - Ability to log & block simple DoS attacks
  - Possibility to specify your specific application URLs


mod_security
- It's easy to add mod_security...
  - Add the EPEL repository

    # rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

  - Install mod_security

    # yum install mod_security

  - Copy the relevant files into the OHS instance

    $ cp /etc/httpd/modules/mod_security2.so $ORACLE_HOME/ohs/modules/
    $ cp /etc/httpd/conf.d/mod_security.conf $ORACLE_INSTANCE/config/OHS//moduleconf/
    $ cp -r /etc/httpd/modsecurity.d $ORACLE_INSTANCE/config/OHS//

  - Modify the paths in mod_security.conf so they point at this instance.


mod_security
- Example:
  - "CONNECT localhost:25 HTTP/1.0" with telnet
  - Now results in "403 Forbidden"
  - Registration in the modsecurity audit file:

    --7d565676-A--
    [20/May/2010:09:27:40 +0200] S-TkbH8AAAEAABQLqt4AAABF 10.0.1.2 55491 10.0.1.12 7777
    --7d565676-B--
    CONNECT localhost:25 HTTP/1.0
    --7d565676-F--
    HTTP/1.1 403 Forbidden
    Content-Length: 210
    Connection: close
    Content-Type: text/html; charset=iso-8859-1


mod_security
- Some of the rules it triggered:

    Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/oracle/Oracle_WT1/instances/instance1/config/OHS/ohs1/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.5"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

  - Request missing a Host header

    Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/oracle/Oracle_WT1/instances/instance1/config/OHS/ohs1/modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "CONNECT"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

  - CONNECT is not an accepted method

    Message: Access denied with code 403 (phase 2). [file "/oracle/Oracle_WT1/instances/instance1/config/OHS/ohs1/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 30): Method is not allowed by policy"]
    Action: Intercepted (phase 2)

  - And intercepted based on score!
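The audit file shown on the two previous slides is ModSecurity's serial format: one "--token-X--" boundary per section, with the connection in A, the request in B, the response headers in F and the rule messages in H. The script below is an added example, not part of the original deck: it folds every transaction into one line (unique id, client, request line, status, the CRS rule ids that fired) and counts rule hits across the log, which is what you want when the file grows past the one entry on the slide. The sample it writes is constructed from the slide's entry (two CONNECT attempts from the same client, rule file paths shortened); the second unique id and boundary token are made up.

```shell
#!/bin/sh
# Added example, not part of the original slides: summarise a ModSecurity
# serial audit log (the "--<token>-<section>--" format shown on the slide)
# into one line per transaction and count which rule ids fired. The sample
# written by write_sample_audit_log is constructed from the slide's entry.

# Print "unique_id<TAB>client_ip<TAB>request<TAB>status<TAB>rule_ids" for
# every transaction in audit log $1 ("-" when no rule id was recorded).
summarize_audit_log() {
    awk '
    /^--[0-9A-Za-z]+-[A-Z]--$/ {
        sec = substr($0, length($0) - 2, 1)          # the section letter
        if (sec == "A") { id = ""; ip = ""; req = ""; status = ""; rules = "" }
        if (sec == "Z") printf "%s\t%s\t%s\t%s\t%s\n", id, ip, req, status, (rules == "" ? "-" : rules)
        next
    }
    # A: "[timestamp zone] unique_id src_ip src_port dst_ip dst_port"
    sec == "A" && id == ""                          { id = $3; ip = $4 }
    # B: the first line is the request line
    sec == "B" && req == ""                         { req = $0 }
    # F: the first line is the status line
    sec == "F" && status == "" && $1 ~ /^HTTP\//    { status = $2 }
    # H: every "Message:" line that carries an [id "..."] tag
    sec == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
        r = substr($0, RSTART + 5, RLENGTH - 7)
        rules = (rules == "" ? r : rules "," r)
    }
    ' "$1"
}

# Count how often each rule id fired across the whole log ("count id").
count_rule_hits() {
    summarize_audit_log "$1" | cut -f5 | tr ',' '\n' | grep -v '^-$' \
        | LC_ALL=C sort | uniq -c
}

# Constructed sample: the slide's transaction plus a second CONNECT from the
# same client. Rule file paths are shortened; the second id/token are made up.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--7d565676-A--
[20/May/2010:09:27:40 +0200] S-TkbH8AAAEAABQLqt4AAABF 10.0.1.2 55491 10.0.1.12 7777
--7d565676-B--
CONNECT localhost:25 HTTP/1.0

--7d565676-F--
HTTP/1.1 403 Forbidden
Content-Length: 210
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7d565676-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.5"] [msg "Request Missing a Host Header"] [severity "NOTICE"]
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "CONNECT"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 30): Method is not allowed by policy"]
Action: Intercepted (phase 2)
--7d565676-Z--

--7d565677-A--
[20/May/2010:09:31:05 +0200] S-TlNXcAAAEAABQLqt5AAABG 10.0.1.2 55502 10.0.1.12 7777
--7d565677-B--
CONNECT localhost:22 HTTP/1.0

--7d565677-F--
HTTP/1.1 403 Forbidden
Content-Length: 210
Connection: close
Content-Type: text/html; charset=iso-8859-1

--7d565677-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.5"] [msg "Request Missing a Host Header"] [severity "NOTICE"]
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "CONNECT"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 30): Method is not allowed by policy"]
Action: Intercepted (phase 2)
--7d565677-Z--
EOF
}

# Stand-alone use: ./modsec_summary.sh /path/to/modsec_audit.log
if [ "$#" -eq 1 ]; then
    summarize_audit_log "$1"
    count_rule_hits "$1"
fi
```

The first summary line for the sample reads "S-TkbH8AAAEAABQLqt4AAABF 10.0.1.2 CONNECT localhost:25 HTTP/1.0 403 960008,960032" (tab-separated), and the hit count shows 960008 and 960032 twice each. The parser only reads the sections it needs, so the concurrent audit log format (one file per transaction) is not covered.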


Recap
- Apache vs. Oracle database administration
- Apache configuration is a specialised task
- Oracle HTTP Server 11.x security
- This presentation only touched the surface of securing (public) websites
- This presentation was about the webserver, which is very static of nature. An application server is very dynamic of nature...


Q & A
Thank you for attending!


Bibliography & Links
- Google hacking
  - http://www.certconf.org/presentations/2005/files/WD4.pdf
  - http://www.thenetworkadministrator.com/googlesearches.htm
- Corkscrew (getting ssh through a proxy)
  - http://www.agroman.net/corkscrew/
- Center for Internet Security (security configuration benchmarks)
  - http://www.cisecurity.org/
- Mod_security (apache http audit / filter)
  - http://www.modsecurity.org/
- nmap (network mapper / scanner)
  - http://nmap.org/
- hping (packet generator and analyzer)
  - http://www.hping.org/
- Wireshark (protocol analyzer)
  - http://www.wireshark.org/
- Nessus (vulnerability scanner)
  - http://www.nessus.org/nessus/
- OpenVAS (open source vulnerability scanner)
  - http://www.openvas.org/
- Metasploit (creating tools and using exploits)
  - http://www.metasploit.com/home/
- Nikto (web server scanner)
  - http://cirt.net/nikto2
- WebScarab (http(s) analyzer / manipulator)
  - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- Burpsuite (web application attacker platform)
  - http://portswigger.net/suite/
- OWASP (web application security project)
  - http://www.owasp.org/index.php/Main_Page
