HP OSMS white paper: Security of Open Source Middleware Stacks
attacker, and might provide enough time for the intrusion to be detected, or the multiple layers might
provide enough protection that the system is difficult to breach.
The following is an example Apache setup that has a layered security defense:
• Require authentication to administer the host system, and provide non-repudiation and
an audit trail.
• Ensure that the Apache process does not run under root and also does not run using the
same account that is used to administer Apache.
• Use HTTPS for remote administration and commercial transactions, to guard against
man-in-the-middle attacks through an encrypted communication protocol.
• Use a local firewall filter, which limits open ports and the set of IP addresses allowed for
a connection.
• Do not display information about the serving protocol or platform to clients to avoid
providing information for an attack vector.
• Refuse client connections after several unsuccessful logins to limit brute force attacks.
• Configure the Apache server within a chroot jail, or run it under the www-data account, to
limit the impact of a breach.
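The following check is an added example, not part of the white paper: it audits an httpd.conf fragment for the items in the list above that are visible in Apache's own configuration (non-root User, ServerTokens and ServerSignature disclosure, SSLEngine). Both sample configurations and the function names are constructed for illustration; firewall rules, login throttling and chroot are enforced outside these directives and are not checked.

```python
# Constructed sample httpd.conf fragments (not from the white paper).
WEAK_CONF = """
User root
ServerTokens Full
ServerSignature On
<VirtualHost *:80>
    ServerName admin.example.test
</VirtualHost>
"""

HARDENED_CONF = """
User www-data
ServerTokens Prod
ServerSignature Off
<VirtualHost *:443>
    ServerName admin.example.test
    SSLEngine on
</VirtualHost>
"""

# Apache's documented defaults, applied when a directive is absent.
DEFAULTS = {"servertokens": "Full", "serversignature": "Off", "sslengine": "off"}

def parse_directives(conf):
    """Return {name: last value}; skips comments and <Section> tags, so scopes are flattened."""
    found = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        found[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return found

def audit(conf):
    """List the layered-defense items from the checklist that this config fails."""
    d = {**DEFAULTS, **parse_directives(conf)}
    findings = []
    if d.get("user", "") in ("", "root", "#0"):
        findings.append("User: worker processes must run under a non-root account")
    if d["servertokens"].lower() not in ("prod", "productonly"):
        findings.append("ServerTokens: set to Prod to hide version and platform")
    if d["serversignature"].lower() != "off":
        findings.append("ServerSignature: set to Off so error pages carry no footer")
    if d["sslengine"].lower() != "on":
        findings.append("SSLEngine: no HTTPS virtual host is enabled")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Because the parser flattens virtual-host scopes, a single SSLEngine on anywhere satisfies the HTTPS check; a per-host audit would need to track the enclosing section.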
Test Your System
It is tempting to believe that after all your configuration efforts, you have successfully created a secure
system. However, the true test of whether your system is secure is when a hacker attempts to penetrate
your carefully deployed defenses. You should try to break into the system yourself, and also have
someone who does not know the system try, to simulate what an attacker might do to penetrate your defenses.
There are several open source tools to help you simulate hacker attacks. Nessus and Nmap are two scanning
tools that are effective in determining how robust your security implementation is. The Nessus tool uses a
library of known exploit attack vectors to determine if a system is vulnerable to any of them. The library
must be updated with new exploit vectors as soon as they are discovered, and the tool must be run periodically
to ensure that systems continue to be secure.
The Nmap tool uses raw IP packets to determine available hosts on the network, what services (application
name and version) those hosts are offering, what operating systems versions they are running, what type
of packet filters and firewalls are in use, and other information. [3]
The problem with using scanning tools is that they can detect only known vulnerabilities. Exploits threaten
a system throughout its life cycle, but unfortunately scanners cannot detect vulnerabilities that are not yet recognized.
Therefore, although scanners are effective tools, other layers of security are required to ensure systems
are less susceptible to unrecognized, yet real, vulnerabilities. For example, you could place exposed services
in chroot jails and limit the privilege of their processes, which mitigates the risk of exposure to the rest
of the system if they are compromised.
For more information regarding Nessus and Nmap, see the following Web sites:
http://www.nessus.org
http://www.insecure.org/nmap
Never Assume the System Is Secure
Security is time sensitive. A system that appears to be secure can suddenly become insecure. This
can happen when the Security Policy changes, a new package is installed, there are personnel
changes, or configuration modifications are made. Additionally, a system that has no known vulnerabilities
can suddenly become susceptible to attacks that use new methods to exploit a previously unknown
vulnerability.
Security requires constant vigilance and maintenance. New vulnerabilities appear suddenly and the
systems they affect must obtain patches or be removed from a risky environment at a moment's notice.
Knowing the moment at which a system becomes vulnerable and having a predefined plan to deal with
contingencies is critical.
Advanced Security
The previous sections describe a basis for configuring and maintaining secure systems. Configuring
installed components in a secure manner, minimizing their exposure to network risks, and maintaining
patches reduces the risks components face. The initial security practices described previously do not
[3] The nmap manpage is open source and licensed under the GNU General Public License, Version 2. See http://insecure.org/nmap/man/