Countermeasures Against the Acme Travel, Inc. Hack


Successfully countering Acme Travel, Inc.'s hack requires addressing the ability of external clients to:

- Use the server as a reverse proxy.
- Obtain user names and passwords through HTTP authentication brute forcing.
- Browse directories on the Web server.

Turning Off Reverse Proxying

To prevent what happened with Acme Travel, Inc.'s proxy server, the first step is to disable reverse HTTP proxying. Different Web servers need to be configured in different ways to allow and block HTTP proxying. The server 10.3.2.1 was running Apache 1.3.12. The Apache configuration file httpd.conf contains the following directives for setting up HTTP proxy services on port 8001:

Listen 8001
...
<VirtualHost _default_:8001>
  ServerAdmin rob@example.com
  DocumentRoot /usr/local/apache/htdocs_8001/
  ServerName redproxy
  ErrorLog logs/8001-error_log
  CustomLog logs/8001-access_log common
  ProxyRequests on
</VirtualHost>

The Listen 8001 directive tells Apache to bind port 8001 on both interfaces of the proxy server, namely 10.3.2.1 and 10.0.1.1. To restrict the availability of the proxy server on port 8001 to the 10.0.1.x internal network, Apache has to be instructed to bind port 8001 only on the internal network interface, 10.0.1.1. Changing the Listen directive as follows does just that:

Listen 10.0.1.1:8001

This would prevent port 8001 from showing up in an external port scan and effectively block reverse proxying from external hosts.

Using Stronger HTTP Authentication Passwords

Nothing much can be done about strengthening HTTP authentication mechanisms from the server configuration side. The only countermeasure here would be to use stronger HTTP passwords that cannot be easily brute forced. Longer password length and use of symbols along with mixed case alphanumeric characters, among others, would be useful in foiling brute-force attempts.

Most Web servers, including Apache, don't provide features such as account lock-out and limiting the number of retries. A vigilant Web server administrator would be able to spot brute-force attempts when the Web server log shows multiple requests for the protected resource resulting in HTTP 401 Authorization Required response codes.
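The log review described above can be automated. The following is an added example, not code from the book: it parses Apache's "common" log format (the format the CustomLog ... common directive in the httpd.conf above produces) and reports client/resource pairs that have accumulated many HTTP 401 responses. The sample log lines, client addresses and the threshold of 10 are constructed for illustration.

```python
import re
from collections import Counter

# Apache "common" log format: %h %l %u %t "%r" %>s %b
# Note that %u may show the user name the client attempted even when the
# status is 401, which is useful when reviewing brute-force attempts.
COMMON_LOG = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_common_log(line):
    """Return a dict of fields for one common-log line, or None if it does not parse."""
    m = COMMON_LOG.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")          # "GET /private/ HTTP/1.0"
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def find_bruteforce(lines, threshold=10):
    """Return {(client_host, path): count} for pairs with >= threshold 401 responses."""
    counts = Counter()
    for line in lines:
        rec = parse_common_log(line)
        if rec is None or rec["status"] != 401:
            continue
        counts[(rec["host"], rec["path"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample log: twelve failed attempts against /private/ from one
# client, followed by a success, plus unrelated traffic from another client.
SAMPLE_LOG = [
    f'192.0.2.10 - admin [05/Mar/2005:10:15:{i:02d} -0500] "GET /private/ HTTP/1.0" 401 401'
    for i in range(12)
] + [
    '192.0.2.10 - admin [05/Mar/2005:10:15:13 -0500] "GET /private/ HTTP/1.0" 200 1532',
    '192.0.2.77 - - [05/Mar/2005:10:16:01 -0500] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.77 - - [05/Mar/2005:10:16:02 -0500] "GET /private/ HTTP/1.0" 401 401',
]

if __name__ == "__main__":
    for (host, path), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {n} x 401 on {path} - possible brute-force attempt")
```

Pointing the script at a real access_log (one line per list element) reports the same client/resource pairs an administrator would otherwise have to spot by eye.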

Turning off Directory Browsing

Unless explicitly required, directory browsing should always be turned off. In the case of Acme Travel, Inc., directory browsing was turned on, as indicated by these lines from httpd.conf:

<Directory "/usr/local/apache/htdocs">
  Options Indexes FollowSymLinks
  AllowOverride All
</Directory>

The directive Options Indexes allows directory listings to be generated by Apache in the absence of a default document such as index.html.

Almost all popular Web servers provide a facility for turning directory browsing on and off. Figure 9-20 shows the IIS configuration screen with directory browsing turned on. Unchecking the Directory browsing check box turns directory browsing off.

Figure 9-20. IIS configuration for directory browsing

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156