
[Security] Protecting Apache from attackers



Posted by Author alfer On 2007-04-29 10:01:45






Protecting Apache from attackers

Category
Security
Summary
The first step any serious attacker will perform against a target is to footprint it. Footprinting basically consists of obtaining as much information about the target as possible. Later, attackers will use that info to exploit specific bugs/misconf
Body
There are several measures to cope with this risk. One is to cut off all responses and provide no information. While this is a very useful technique (and we will see in later tutorials how to hide some details from outsiders), it's possibly more useful to provide incorrect information, for a simple reason: 90% of your attackers will use it as correct.

Here we will concentrate on basic modifications to the Apache server. For our example, we use a Unix version.

These steps have to be done before you run any command to prepare your server for installation. Take 2 minutes to configure your Apache server and you will be rewarded.



1. Modify the Apache version.

Uncompress the sources and go to the src/include directory. Edit the "httpd.h" file. Look for the following lines:

    #define SERVER_BASEREVISION "1.3.23"
    #define APACHE_RELEASE 10323100

Just replace the number with that of an earlier version:

    #define SERVER_BASEREVISION "1.2.1"

and set the matching release number (just for added safety):

    #define APACHE_RELEASE 10201100

2. Modify the operating system (optional)

If you want, you can also fake the fingerprint of the OS Apache is running on. The file to change is src/os/your_os/os.h (in this case, src/os/unix/os.h).

Look for the line:

    #define PLATFORM "Unix"

and change it to read:

    #define PLATFORM "Win32"



Take note of your machine's current time, then set the clock to a couple of months after the fake Apache version was released (say, October 1999). Issue a date, touch all the files in the Apache directory tree, run configure, make and make install, and then reissue date with the correct time:



    # date
    Sun Feb 17 18:09:18 CET 2002

    # date 9910232043
    Sat Oct 23 20:43:00 CEST 1999

    # pwd
    /root/apache_1.3.23

    # find . -exec touch {} ";"
    #

    # ./configure --prefix=/www
    # make
    # make install

    # date 0202171810
    Sun Feb 17 18:09:18 CET 2002



Now, we have successfully installed a faked Apache. Let's see it in action:



    # /www/bin/httpd -v
    Server version: Apache/1.2.1 (Win32)
    Server built: Oct 23 1999 22:36:05

    # lynx localhost/noexists

    Not Found

    The requested URL /noexists was not found on this server

    Apache/1.2.1 Server at 127.0.0.1 Port 80




Looks good! :)



A couple of things are left to change: the manual pages and the Apache manual. Download the original source code for the version you are faking and copy its documentation into the proper directories. This way you won't serve newer docs if someone requests those pages. You can also remove them altogether.



With these simple steps, most attackers will be misled in their quest for vulnerabilities in your webserver. They will try exploits that work against a different version of Apache, and on different operating systems. These attempts will be very noisy and your error_log will catch many people trying to exec command.com... ;)



Don't forget preventive steps: instruct your IDS to detect specific attacks for the faked version of Apache, check your logs for those attacks...



Before finishing this tutorial, a small warning about the use of a different (faked) operating system. In our example, we have a Unix box and we simulate Windows under Apache (Win32). This is probably always an error, since most attackers (even beginners) can tell the difference between a Unix and a Windows box. Faking a whole machine is much more challenging than necessary. Also, Apache is typically used on Unix boxes. Don't follow step two unless you know what else to change to minimally simulate a different OS. Later tutorials will cover some of these stages.



A final reminder: this will not stop all attempts, and will not mislead all people, but it will prevent a good part of them.


This article was imported from zZine. (original author: alfer)
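
The log check suggested under "preventive steps" above, as an added example that is not part of the original article: it scans an Apache 1.3 style error_log for clients requesting Windows-only file names, which on this Unix host can only come from someone who believed the faked banner. The sample log, the addresses and every pattern other than command.com are assumptions constructed for illustration.

```python
import re

# Apache 1.3 error_log entry: [date] [level] [client ADDR] message
LINE_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\] \[(?P<level>\w+)\] '
    r'\[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)

# Names that cannot exist on the real Unix host but fit the advertised
# Win32 banner. command.com is the article's example; the rest are
# assumptions added for illustration.
WINDOWS_ONLY = re.compile(
    r'command\.com|cmd\.exe|/winnt/|/system32/', re.IGNORECASE
)

# Constructed sample log (documentation-range addresses, invented paths).
SAMPLE_LOG = """\
[Sun Feb 17 18:20:01 2002] [error] [client 192.0.2.10] File does not exist: /www/htdocs/scripts/command.com
[Sun Feb 17 18:20:02 2002] [error] [client 192.0.2.10] File does not exist: /www/htdocs/winnt/system32/cmd.exe
[Sun Feb 17 18:21:40 2002] [error] [client 198.51.100.7] File does not exist: /www/htdocs/noexists
[Sun Feb 17 18:22:05 2002] [notice] caught SIGTERM, shutting down
[Sun Feb 17 18:23:11 2002] [error] [client 203.0.113.5] File does not exist: /www/htdocs/cgi-bin/command.com
"""


def windows_probes(lines):
    """Map each client to the error messages that name Windows-only files."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # server notices carry no [client ...] field
        if WINDOWS_ONLY.search(m.group('msg')):
            hits.setdefault(m.group('client'), []).append(m.group('msg'))
    return hits


def report(lines, min_hits=1):
    """Return (client, hit_count) pairs, noisiest client first."""
    rows = [(client, len(msgs))
            for client, msgs in windows_probes(lines).items()
            if len(msgs) >= min_hits]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for client, count in report(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{count} request(s) for Windows-only names")
```

An ordinary 404 such as /noexists is not counted, so the output lists only clients whose requests match the faked platform rather than the real one.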

