Apache Web Server Security Investigation

Academic year: 2024

(1)
(2)

. Unix Windows

. Apache Web Server

Web Server

Unix. ! ! Apache

Web Server , . "

Web Server

SSL. # $

Apache.

(3)

1. UNIX... 4

1.1 Unix ... 4

1.2 Linux... 10

1.3 !" # # Windows NT/2000 # $ UNIX ... 12

1.3.1 ! % (Identification) ... 12

1.3.2 & !' # ( ) (Access Control)... 13

1.3.3 ! * ) + (Log Files)... 15

1.3.4 " + (Networking)... 15

2. , -... 16

2.1 # !"( Unix... 16

2.1.1 Denial-Of-Service Attacks... 17

2.1.2 Access Attacks ... 17

2.1.3 Repudiation Attacks... 18

2.2 Problems with Operating System... 18

2.2.1 +/"( # ( ) ... 19

2.3 0 ) * " " # ! ... 19

2.3.1 ( + /" + ... 20

2.3.2 Modification Attacks... 22

2.3.3 " "( ' / ... 24

2.3.4 ' + (FTP)... 24

3. UNIX... 25

3.1 Utilities... 25

3.2 ' + ... 25

3.3 Shell ... 26

3.2.4 " ... 26

3.2.5 " "( ' / ... 26

3.3 ' ... 27

3.3.1 ' " " (! ... 27

3.3.2 1 * ... 28

3.3.3 +/"( # ( ) ... 28

4. PERL... 29

5. 0 , ... 31

5.1 0 "* ... 31

5.1.1 ' * + (Administrator)... 32

5.1.2 0 # / , ' *, * # +# "(... 32

5.1.3 0 " ! * / + # / % * # +# " ... 33

5.2 ' ! ! ... 34

5.2.1 0 + "+/"% # ( ) ... 34

5.2.2 0 server #( client ... 36

5.2.3 0 + $ + # % ... 41

5.3.1 ( "(... 43

5.3.2 0% ! (... 44

5.3.3 $ ( + # % # # (" # '$ server /" ... 44

6. APACHE WEB SERVER ... 45

(4)

6.1 !" Apache Web Server ... 48

6.2 / ! !" ... 49

7. . , ... 51

7.1 # "( ... 51

7.2 " ( ... 51

7.3 $ " # ... 51

8. 0 - SSL... 52

8.1 # "( . ... 53

8.2 " ( ... 55

8.3 # " + ... 56

8.4 SSL " # # "... 57

8.5 0 2 # + "( SSL... 58

8.6 !" SSL ... 58

8.7 OpenSSL ... 59

8.8 ' + # # "% ... 61

8.9 ! ( 3 ! " /% ... 61

8.10 ! ( # # " # # ! ... 62

8.11 ! ( (- # ! ( # # " ... 64

8.12 ( + SSL ... 64

8.13 "" Server ... 65

8.14 !( $ ... 66

8.15 0 # " # % ... 66

8.16 #(/ ... 67

8.17 ! *... 67

8.18 * SSLOptions ... 67

8.19 & !' # ( ) ... 68

8.20 Reverse Proxy ' * SSL... 68

9. REFERENCES ……….70

(5)

1. UNIX

1.1 Unix

% Unix '60 & ' (

% Bell. #

!

. ) Unix , ! !

. * !

! .

') 1991 "

+ , Linus Benedict Torvalds,

MS-DOS 5.0

. ,

$ $ Unix

.

Minix Andrew S.

Tanenbaum !

. % Minix

- 8086. .

Tanenbaum,

, 12000

!! “Operating System”,

.

« Linux $ # . 5 +

#( $ ) (, /( $

' ' ( ! " /

' * desktop, # " #

/ ' % . 6# %

Linux ' ) # ) * ,

/ / ( Linux / (

$ ( " " . #

!+ * *

# ( , (' " / 3….»

Eric Raymond, Open

Source Initation

linuxvalue.com

Linus Torvalds

(6)

3 / 1991 Linus Torvalds

newsgroup comp.os.minix project

posix. " -

. , 2

0.1. ( $

. # , “Freax”,

free Unix “ ” freaking.

FTP hacking 0 !

Linux . " “1

. %

Freax”.

% . ! 1991 0 0.2

. ( Unix !

. % !

-, ! $

- $ . 2

Linux - . # 0.96 40000

. ( GNU project Richard Stallman

- -

GNU C compiler

! Linux. 2

100.000 1.0 170.000 . #

- . % 1995

Linux Digital Alpha

Sun Sparc. To Linux

500.000 250.000 . "

- Linux

- . % 5

Linus Torvalds . % Linux

- - - . ,

3 ,

(7)

Linux Desktop

2.0 400.000 1,5 . .

$ .

2 . ( !

. .

- Linux !

IT Industry, ! « . ( !

. Linux

1996: FVWM '" # !

#( Robert Nation,

" # $ +

" ' window manager. O FVWM

# '$ " % 5

# /

#( + " # '

" *

!"(

3D # )

! .

1997: Afterstep

4 3 FVWM,

+ ( '

'/ %

3 $

"

# ) !

Nextstep. $

#+ "

" (

customization "

" + #

# "

« ».

1998:

Window Maker

# / Nextstep,

(#+ " # # + Afterstep, o

Window Maker $ + "( "

* #( # ' "

#+ " window

managers Linux.

KDE 1.0

# % % # # $ !

/ ! ( " + ! "

# ) ! Linux $

# % "/ " KDE 1.0

!! (. 7 " " 5/.

1999:

Enlightenment + ( " +

« » ) 3(

'"

FVWM2 %

# '

!

%

/ $

" " (

"%/"

# /*#

Manager.

0

#+ "*

# 5

# / "

2000:

ICEWM

#( #

window manager ! Linux " #(

/ # !

5 + # +

' % Linux.

" "(

# / " ) "(

" $ * ' * . KDE 2.0

* "/

'3 #

'% Linux

desktop " $%

/ " " ( #(

2 * ' "(

" 2 ! $ "*

2002: GNOME 2

" +

GNU Network Object Model Environment.

# ! "(

# )

GNU project "

/

/ "(

" +

! "(

# )

Linux. #

# " $

GUI RED

HAT.

2003: KDE 3.1.4 '* 5 5 "

# (

/ " "

' !

desktop

'3 . /% "

" ( ( KDE ( " GNOME

"

' * "( " !

# ' * , %

«# !"(

" ' » #

" #( # .

(8)

! " UNIX

/ “root” " ! . ! ( #( # " (! .

/bin 0 ' # + # ! ! ! ( *

Linux

/boot 0 ' ( ' # # ! "" ( * .

/dev 6 " # # ' (# ! " * " " ) / $

* # ( ' ( " ! (' !

" $ # %, ! #(/ /" + + # ( ) "

! "( ! # " + % ' OS).

/etc ( " " ' $ + * (system wide).

# / # '* # 5 ! .

/home ( " ! / ( home directories + ' % .

# / ! , /home/zazi ' * zazi ' /" + !! * , % (

" ! # $ " ( *$+ " " (! ) '

$ + # " $ 3 $ # ' " ' * ! /

internet, ! # / ! , * ! # # ! .

/lib 0 ' ) " )) $*" * .

/opt '" # 3( ! 5 # /*# # " ! "

# ! ' * !" * . # ( / " + #( (

!" $ KDE, GNOME, MOZILLA, OpenOffice " Apache.

/root Home " ! # ' * (root)

/sbin 0 ' ( ! # $ + ) " ! / '

* .

/usr # " /*# ' * . 0 ' ! , # ! ,

)) $*" * .

!

- ,

Microsoft. " Intel, IBM, Compaq, Hewlett Packard, Sun, Silicon Graphics, Corel, Oracle, Sybase, Informix

, ! desktop

Linux. . - 10

, -

10.000.

(9)

% 1,5 . O Linus 1998 $ , Transmeta.

# . 1

! - . . %

- palmtops

- - (fully scalable kernel). %

desktop. Linus

- (raid), ,

. (

! X-windows. 2 Linux

'* 1. Suse Linux ! "( # ) KDE

(10)

LinuxExpo, $ . 4 !

$ ,

standard .

2. Slackware Linux

- Linux

, Tanenbaum,

Torvalds Linux, : «

! .» % Torvalds.

(11)

1.2 Linux To Linux

. .

. .

Linux $ !

Gigabyte .

5 - CD . .

download .

http://www.redhat.com/

Red Hat, Red Hat Software

. 2 Graphical User Interface

text-based , Red Hat

Linux . #

! packages “RPM”. # !

GNU Network Object Model Environment (GNOME) “K Desktop Environment” (KDE), GUI X Window System.

Intel, Alpha, Sparc .

http://www.debian.org/

Debian, The

Debian Project 6 . #

! packages “dpkg”.

Intel, Alpha, Sparc , Motorola (Macintosh,

Amiga, Atari) .

http://www.suse.com/

S.u.S.E., S.u.S.E.,

, " . # ! “K Desktop

(12)

Environment” (KDE),

packages “YaST”. Intel

Alpha .

http://www.caldera.com/

OpenLinux, Caldera,

. 2 OpenLinux 2.2, Caldera

$ Linux.

" “K Desktop Environment” (KDE).

Intel .

http://www.linux-mandrake.com/

Mandrake, MandrakeSoft S.A.,

Red Hat Debian ( )

!

.

http://www.slackware.com/

Slackware, Patrick Volkerding Walnut Creek Software,

Linux. #

, -

! packages.

! $ !! libc

glibc. $ Linux.

Intel .

(13)

1.3 !" # # Windows NT/2000 "

# $" " UNIX

Microsoft $ Windows NT/2000

. 4 Windows NT

1992. 7 $

, ,

threads,

- , distributed

computing

. Windows &%

!

client/server[2].

% Unix AT&T Bell.

“ ” kernel mode

user mode. . ,

[1][9]. #

UNIX $ , , -

, user mode.

1.3.1 % (Identification)

Windows

. % Windows

$ SID !

$ (Security

Accounts Manager, SAM). 1 (LM-hash & NT-native)

(14)

. . NT-native

MD4 LM-hash

DES.

UNIX

2 UNIX $

! !

.

) !

DES

/etc/passwd.

$

.

% /etc/passwd

. 2

! /etc/passwd

/etc/shadow .

1.3.2 & !" ' # ( ) (Access Control) Windows

( ! (Access Control List, ACL).

(15)

« ! » (Access Control

Entries, ACE). ( !

-

. .

. . ACL NTFS

. )

! ! .

" ! ,

. 2

!

!

.

.

UNIX

. !

UNIX

. (

, , bits !

identifier $ .

% bits ! ,

,

. : -rwxr-x—x

$ ! , 5 ,

, !

.

3." Slackware Linux

(16)

.

1.3.3 * ) + (Log Files)

Windows

. (Security Reference Monitor), $

! (Event Logger) windows ! . 1

! !

[10].

UNIX

# UNIX

! $ log files !

server . )

syslog.[8]

1.3.4 + (Networking) Windows

windows ! $ Server Message Block (SMB).

Microsoft

. , !

Internet (Common Internet File System protocol

(CIFS)) [4][6][7]. ! Windows SMB !

NET-BIOS over TCP/IP [11][12], ! NET-BIOS.

Unix

% Unix .

(17)

! $ TCP/IP. ! ,

. % (Network

File System, NFS) [13] - $

, Network Information System (NIS) [5] !

, ! . %

Network Information System ,

Unix ! /7

! DES [5]

. " ! $

Kerberos [3][14].

2. , -.

2 , ,

$ . .

, ! ,

, , ,

. .

! . ( ,

! - .

2.1 #"! " ( Unix

. !

, ,

server.

(18)

2.1.1 Denial-Of-Service Attacks

. Denial-of-service (DoS) , ,

. 2 DoS $

.

.

. # ,

! Internet,

! .

Snooping ! -

! . "

, -

! .

2.1.2 Access Attacks

2 « ! » 5

- .

.

.

Eavesdropping - " 5 -

. " !

- , 5

.

Interception - " . )

$ , !

! . 8 -

5

(19)

.

2.1.3 Repudiation Attacks

« -» . 2

, - 5 !

! .

Masquerading- H -

. ,

, - .

Denying an Event-

.

# ,

. ) ,

.

2.2 Problems with Operating System

,

, , , . .

, $

. " , !

.

(20)

2.2.1 +/ ( # ( )

,

, . 2 , , , ,

$ .

" , ! « »

. ( ! .

. ( , !

. " ,

, .

!

! . " , $ ! $

! ,

! . 2

! - . 1 -

$ . ,

! -

. , !

! . . !

! - .

. ! ! !

. ,

! $

$ ! . % !

$ ! .

2.3 0 )!* " " # !

, -

- .

- , bytes

(21)

client. .

. . .

2.3.1 ( + / +

. /

. . Web Servers

!

. 4 Web Server

- . 2

. CGI (common gateway interface) Web

server

. " http. % script CGI

, server.

CGI !

CGI

. CGI script CGI

server

$ Web, CGI script

server .

( , server

! server.

" Web Server ! ,

! server. 7

.

1 script CGI : ,

CGI script

(22)

CGI. 4

httpd.conf CGI. ScriptAlias server

! script CGI. . !

script CGI $ . #

, : "ScriptAlias /store-cgi /usr/local/apache/store/cgi" httpd.conf, .

$ -

. $

! script CGI

. 1

script CGI

: .

script CGI

$

, *.cgi.

. ( ' ,

script CGI server. 1 ,

HTML

(23)

script CGI. % , -

CGI. # , $

file.cgi Emacs,

file.cgi~. " browser

! ,

.

'* 4. ! (# # " + 5 client " Web Server

2.3.2 Modification Attacks

2 « » -

. ,

. .

! . # , -

.

(24)

. ,

. ) , -

.

.

. ,

.

. . !

-

! . " - ! ,

- !

. ( , - ! ,

. . !

. ,

!

'* 5. $ Mail Server

(25)

. ,

.

2.3.3 !" ( ' / "

% ! . , mail

server ! - . .

. , :

agent 5 agent - $

. 1 ,

, agent -

. .

, agent

5 .

.

2.3.4 " '"+ (FTP)

!

. % FTP . .

FTP 5 ! ,

server,

.

2

( ! 2

!

1 2

(26)

" 2

2

2 2

!

Denial of Service Attacks 2

" ! 2

3. UNIX

% Unix

. ) hacking $ !

, Unix ! . 9 ,

Unix !

! .

3.1 Utilities

% Unix utilities, VI, exac - , Telnet

, mail . utilities

Unix. . !

. .

utilities Unix.

7 utilities - ,

, ,

, - ,

, .

3.2 '"+

(27)

! Unix

. % Unix ,

, , . %

, . ,

, , Unix

$ . # ,

$ ,

. 1 (

) $ - .

3.3 Shell

% « » ! $

, $ . "

shell $ , . " -

, shell .

, -

.

3.2.4

% Unix . .

Telnet !

,

.

.

3.2.5 !" ( ' / "

% Unix

! ! $ , $

, ,

(28)

. % !

- , - -'

! , !! , . %

Unix, mail,

! . "

, mail .

3.3 ' !"

% Unix ,

Unix . ,

Unix - .

3.3.1 '" !" !(

% Unix

! . ( !

. . ,

, ! Unix (

).

Unix.

$ ! !

. 7 !

Unix. , .

! ! ,

. %

, 5 , ,

. 9 , 5

5 .

(29)

3.3.2 1 * " " !

LS - . "

! ,

- 5

Trojans ( ).

Who- . 2

-

. !

- - logins,

- .

Finger- " Who

! .

Finger . 3.3.3 +/ ( # ( )

Unix ( )

! . . !

. . ! Unix

, ,

! . . ! $ passwd.

$ - ! .

(30)

. ! Unix

crypt () !

- . . !

! !

5 .

$

! .

% Unix - ! ,

! . .

- ! , -

- ! ! . " ,

- ! ,

! -

.

4. PERL

Perl

World Wide Web.

# , shell Perl

Perl, LS, Who,

finger Perl. # , 5

! ,

passwd !

Unix. ( ,

. " , Perl ! $

Unix, .

. Open Perl -

Unix.

Perl , ,

, . Perl

glue language Unix Perl

(31)

Unix . Perl ,

! MS-DOS, Macintosh. "

.

Perl Web

developers. Perl , !

client-server, script CGI. Perl

CGI script.

H Perl compile,

shell script. .

Perl .

Perl ! (strings)

. Perl

$

- ( C ).

H Perl data-reduction, ,

, ,

! . 4

, , ! ,

client-server , , !

WEB ,

. # , Perl !

Unix. .

Unix 5 script -

.

H Perl

5 . .

Perl ,

Perl. 2 ,

(32)

-

Perl. . - !!

Perl. # , shell (Unix)

Perl.

utilities Unix shell Perl. %

( ! switches) utilities string.

% Perl ! 5 .

"

$ 5

! . % , Perl

Perl ! ,

. . CGI

.

5. 0 ,

# !! ' / ", ' / " ' # ( 2

# * .

5.1 0 ! * !"

!

. .

- . %

.

, ! ,

-

. % -

(33)

.

5.1.1 '" * + (Administrator)

. !

, , , . .

- $ ,

- ! ,

- . 2 -

. . !

! . " , , ,

5

. .

- . ! !

5 !

.

5.1.2 0" # / , ' !*, * # + # (

. , , . ,

, , , - $

.

(34)

. , ,

. # - ! .

# ,

! ! -

. "

- $

. " ,

!

! .. #

, li

tsering . .

. ( , li tsering -

5.1.3 0" " * / ! + # / % *

# +#

!

! . " ,

! . "

,

(35)

$ ! .

5.2 ' " ! " !"

5.2.1 0 + + / % # ( )

% !

passwd Linux 5

! ! !

. ( ,

! interface .

! ,

! , .

%

:

% !

. ! ! !

%

% !

. !

(36)

Type in command: perl passwd
Enter your name
Lihua (my user name)
Enter your password
(If I enter lihua) Password cannot equal to your name. (Program will be terminated)
(If I enter wer) Password has to contain 7 characters. (Program will be terminated)
(If I enter wererwerwe) Password has to contain at least one number and one letter. (Program will be terminated)
(If I enter wwwwww5) The number of repeated characters in password cannot be greater than 3. (Program will be terminated)
(If I enter 411yuiq and it is in the password file) 411yuiq is used in the system, it is not allowed to use again. (Program will be terminated)
(If I enter werty56) New Unix password
Type in your password
Retype your password
Lihua and werty56 have been successfully entered into the password file.
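The password rules shown in the transcript above, as an added Python example (not the thesis's own Perl script). It assumes "7 characters" is a minimum length, that the name comparison is case-insensitive as the transcript implies, and that the "already used" lookup is done against a set of SHA-256 digests standing in for the password file; all three are assumptions.

```python
import hashlib
import re
from collections import Counter
from typing import Optional, Set

MIN_LENGTH = 7   # "Password has to contain 7 characters" (read here as a minimum)
MAX_REPEAT = 3   # no single character may occur more than 3 times


def _digest(password: str) -> str:
    """Stand-in for the stored password-file hash (assumption: SHA-256, not crypt(3))."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample of digests already present in the password file.
EXISTING_DIGESTS: Set[str] = {_digest("411yuiq")}


def check_password(username: str, password: str,
                   existing: Set[str] = EXISTING_DIGESTS) -> Optional[str]:
    """Return None if the password passes every rule, otherwise the rejection
    message worded as in the transcript. Rules run in the transcript's order."""
    if password.lower() == username.lower():
        return "Password cannot equal to your name."
    if len(password) < MIN_LENGTH:
        return "Password has to contain 7 characters."
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        return "Password has to contain at least one number and one letter."
    if max(Counter(password).values()) > MAX_REPEAT:
        return "The number of repeated characters in password cannot be greater than 3."
    # Reuse check against digests, so the stored file never has to hold plaintext.
    if _digest(password) in existing:
        return f"{password} is used in the system, it is not allowed to use again."
    return None


def add_user(username: str, password: str,
             existing: Set[str] = EXISTING_DIGESTS) -> str:
    """Validate the password and, on success, record its digest.
    Unlike the transcript, the success message does not echo the password."""
    problem = check_password(username, password, existing)
    if problem is not None:
        return problem
    existing.add(_digest(password))
    return f"{username} has been successfully entered into the password file."
```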

. ! ! -

! ! ! -

! . " ! ,

!

! .

/etc/passwd Linux

- . - ,

!

! Linux !

! . "

! (*) ! .

0 0

(37)

) , -

! Linux.

5.2.2 0 server #( client

4 ,

! . .

, . # ,

! ,

. -

5 , , 5 .

" ! . .

script CGI

script

(38)

. .

error_log - . %

error_log ! . " ,

script

CGI ! ,

. 2

script CGI cgi-bin

.

# access_log error_log

client . % access_log

. %

-

:

# ,

# ! (

)

# $ $

# $ , ,

% ! ,

! - ! .

" ! site,

! .

(39)

World Wide Web server.

%

web page. "

-

!

.

" access_log:

Type in command: perl accinfo.pl

Please enter the name of the information you want to view.

Lmei

Do you want to view the particular site address?

(If I enter yes) yes

10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>

10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>

10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>

10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>

10.2.41.39 [05/Mar/2002:14:40:05 -0500] <br>

10.2.41.39 [05/Mar/2002:14:40:05 -0500] <br>

10.2.41.39 [05/Mar/2002:14:40:14 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:36 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>

10.3.41.129 [27/Mar/2002:19:47:44 -0500] <br>

Total number of lmei is : 16 (If I enter no)

no Total number of lmei is : 16

(40)

. - .

" error_log:

Type in command: perl erinfo.pl

Do you want to view errors by date.

(If I enter yes) yes

Please enter your name srs

Please enter the year 2002

Please enter the month Jan

Please enter the day 14

[Mon Jan 14 08:46:23 2002] [srs File does not exist<br>

[Mon Jan 14 09:17:19 2002] [srs File does not exist<br>

[Mon Jan 14 09:31:11 2002] [srs File does not exist<br>

[Mon Jan 14 09:31:13 2002] [srs File does not exist<br>

[Mon Jan 14 09:47:36 2002] [srs File does not exist<br>

[Mon Jan 14 09:55:55 2002] [srs File does not exist<br>

[Mon Jan 14 10:24:56 2002] [srs File does not exist<br>

[Mon Jan 14 10:56:55 2002] [srs File does not exist<br>

[Mon Jan 14 11:04:54 2002] [srs File does not exist<br>

[Mon Jan 14 11:13:29 2002] [srs File does not exist<br>

[Mon Jan 14 12:00:55 2002] [srs File does not exist<br>

[Mon Jan 14 12:03:06 2002] [srs File does not exist<br>

[Mon Jan 14 12:18:30 2002] [srs File does not exist<br>

[Mon Jan 14 12:19:52 2002] [srs File does not exist<br>


[Mon Jan 14 12:32:13 2002] [srs File does not exist<br>

[Mon Jan 14 12:32:29 2002] [srs File does not exist<br>

[Mon Jan 14 12:51:36 2002] [srs File does not exist<br>

[Mon Jan 14 13:10:31 2002] [srs File does not exist<br>

[Mon Jan 14 13:10:31 2002] [srs File does not exist<br>

[Mon Jan 14 13:12:59 2002] [srs File does not exist<br>

(if I enter no) no

please enter your name srs

File does not exist[Mon Jan 14 12:51:36 2002] [ /home/srs/public_html/Math251-F all01/Sig_vs_hypoth.htm

<br>

File does not exist[Mon Jan 14 13:10:31 2002] [ /home/srs/public_html/Math151hw 25.htm

<br>

File does not exist[Mon Jan 14 13:10:31 2002] [ /home/srs/public_html/Math151hw 28.htm

<br>

File does not exist[Mon Jan 14 13:12:59 2002] [ /home/srs/public_html/Math251-F all01/index.htm

<br>

File does not exist[Tue Mar 5 14:44:01 2002] [ /home/srs/public_html/Math151hw 33.htm

<br>

File does not exist[Wed Mar 27 16:24:42 2002] [ /home/srs/public_html/Math151-S p02/Day24.htm

<br>

File does not exist[Wed Mar 27 16:45:39 2002] [ /home/srs/public_html/Math251hw 20.htm

<br>


File does not exist[Wed Mar 27 18:03:20 2002] [ /home/srs/public_html/Math151-S p02/Day24.htm

<br>

. - $

script ! .

5.2.3 0 + " $ + #! %

% Unix

! . % Unix ! (log files)

5 , , . %

,

. * ,

- 5 bug,

, $ . )

$ , .

! $

- , - , , $

, ! . " ,

. "

! , -

5 - .

, Unix /var/log/secure,

logins

(43)

Unix . % /var/log/messages

logins, logout, logins

Unix .

!

! Unix .

,

! .

% logins

var/log/secure Unix

. ,

! . (

- ! 5 .

% logins var/log/messages

logins Unix .

Unix , 8 6 .

5

.

# logins:

Type in command: perl fail
Please enter your user name:
(If I enter root) root
Please enter the month (If I enter April) Apr
Please enter the day (If I enter 17) 17
Here is the information on failed logins:
Apr 17 1:30 Failed Login Authentication Failure
Apr 17 2:30 Failed Login Authentication Failure
8 is the number of failure.
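The failed-login report shown above, as an added Python example (not the thesis's Perl script). The sample log lines are constructed in the style of the classic `login` messages written to /var/log/secure; that exact wording, and the host name and PIDs, are assumptions, so the regex has to be adjusted for a distribution's PAM or sshd phrasing.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of /var/log/secure lines (format is an assumption).
SAMPLE_SECURE_LOG = """\
Apr 17 01:30:12 web1 login[2231]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Apr 17 01:30:20 web1 login[2231]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Apr 17 02:30:05 web1 login[2310]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Apr 17 09:15:44 web1 login[2555]: FAILED LOGIN 1 FROM (null) FOR li, Authentication failure
Apr 17 19:38:01 web1 login[2701]: LOGIN ON tty1 BY li
Apr 18 01:05:09 web1 login[2802]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
"""

# Syslog timestamp, host, "login[pid]:", then the failed-login message.
# The day may be space-padded ("Apr  7"), hence " +".
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}):\d{2} "
    r"\S+ login\[\d+\]: FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,]+), "
    r"Authentication failure$"
)


def _matches_on(line: str, month: str, day: int):
    """Return the regex match if the line is a failed login on the given date."""
    m = FAILED_RE.match(line)
    if m and m["mon"] == month and int(m["day"]) == day:
        return m
    return None


def failed_logins(log_text: str, user: str, month: str, day: int) -> List[str]:
    """Report lines for one user's failed logins on a date, in the transcript's format."""
    hits = []
    for line in log_text.splitlines():
        m = _matches_on(line, month, day)
        if m and m["user"] == user:
            hits.append(f"{m['mon']} {m['day']} {m['time']} "
                        "Failed Login Authentication Failure")
    return hits


def failures_per_user(log_text: str, month: str, day: int) -> Dict[str, int]:
    """Count failed logins per account on a date; a high count against one
    account (root above all) is the pattern the log review is looking for."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = _matches_on(line, month, day)
        if m:
            counts[m["user"]] += 1
    return dict(counts)
```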

(44)

# logins:

5.3 !" ( + # + # " % /

!" * .

/ ,

server. # server -

. ,

.

5.3.1

server

:

: server

- . (

-

server

server.

. . 2

server ,

- (

).

Type command: perl logins
Apr 17 1:30 root LOGIN
Apr 17 19:38 Li LOGIN

(45)

. server

. 1

,

.

2 ,

, .

5.3.2 0% " (

, " ,

." 1

- . "

.

5.3.3 $ ( + # " % # # ( " # '$ " server

/ .

. server -

server . . -

, - ,

- .

workstation server o

.

( server

( . .,

server. % NFS

.)

( . ., ,

)

(46)

server. ,

server

server. ( , -

, , shell, script,

server (

! server -).

1 (DNS vs. NIS). 1 server

. !

DNS spoofing. .

. !

server - .

# (IP, IPX, AppleTalk, DecNet, . .)

" . 2

, .

6. APACHE WEB SERVER

% + ! 1995 software server web “public

domain HTTP daemon” Rob McCool

- Illinois. # -

“ ” HTTP Rob McCool NCSA

1994

. 2

(47)

email

$ . . Brian Behlendorf

Cliff Skolnick $ email,

, logins - server

( bandwidth HotWired.

+ ! , 8 “Apache Group”.[19]

* HTTPD NCSA !

! !

server (0.6.2)

Apache Server 1995. NCSA - -

HTTPD Brandon Long Beth Frank -

NCSA project

- . . Apache server

$

. % 2 1995 -

-

Apache, o Robert Thau server

! modular API . Apache

! server /

0.7 0.8.8 1995.[19]

2 - , ,

modules Apache 1.0 1 ! 1995.

(48)

Apache server

1 HTTP server HTTPD NCSA

$ ! .

% 1999 Apache Group Apache Software

- , -

Apache HTTP Server.

$ (The Core)

Apache.

5

. )

!

site

apache -

apache server.

. %

Apache Group

- - . %

email. # 40 email

$

'* 6. Apache web server Windows

(49)

, , !

$

. -

site

. . 5

$

. " !

5 . [19]

6.1 Apache Web Server

# Apache

Apache.

7 . .

Apache Foundation

compile . 2

.

, modules

( . PHP)

. .

. )

! (security patches)

.

" Apache

binary Apache

modules ! $ . binary

. " backdoor.

binary $ - Apache $ -

module. ( binary .

(50)

6.2 / "

! Apache $ internet

. # -

! Apache. :

$ ./configure --prefix=/usr/local/apache

configure Makefile

- compile,

5 –prefix

apachectl - Apache.

$ make

# make install

# /usr/local/apache/bin/apachectl start

2 Apache -

$ Apache -

- .

# cd /etc/rc3.d

# ln -s /usr/local/apache/bin/apachectl S85httpd

4 - o Apache

- internet browser ! server (

localhost ) - .

% Modules

. modules

server. #

module

mod_ssl. % modules - :

(51)

1. mod_userdir – " Web server

~username. module

! server .

2. mod_info – 1 server web

3. mod_status – 1 server

web.

4. mod_include – 1 SSI. "

.

,

module .

$ ./configure \

> --prefix=/usr/local/apache \

> --enable-module=rewrite \

> --enable-module=so \

> --disable-module=imap \

> --disable-module=userdir

Apache 2 - .

$ ./configure \

> --prefix=/usr/local/apache \

> --enable-rewrite \

> --enable-so \

> --disable-imap \

> --disable-userdir

(52)

7. . ,

(

$ « »

. / internet

! .

4 internet

-

.

7.1 # " (

( -

,

.

7.2 " (

.

- . 4 100

- 1000 .

" !

.

7.3 $" #

# - .

4

.

(53)

!!

, .

$

.

8. 0 - SSL

% SSL (Secure Socket Layer) TLS (Transport Layer Security)

HTTP

IMAP

NNTP. ) HTTP

$ SSL

HTTP (HTTPS).

H Netscape

SSL 1994

1995. % TLS IETF

SSL . "

SSL

! . %

TLS

- Netscape Microsoft

. #

SSL. 4

(54)

SSL server

http browser https.

SSL 443.[18]

8.1 # " ( .

% SSL . (

!

, . 2

$

. ,

, $

.

$

.

" ( #

"

, . .

(55)

DES,

triple-DES, RC4, RC2. #

bits. 4 , ! 5

, bits ,

’ - -

.

%

, - . %

, . ,

$ , 5

!

. % ! ! :

# ! ;

,

, !

- $ .

" #

% .

! $ , $ :

. % ,

. ,

.

( !!

, ! !

. ,

.

%

. . RSA .

.

(56)

,

$

. " , .

% SSL

( $ handshaking) -

. 8.2 " (

.

) ,

. " -,

.

. digest algorithms ! , 5

. 5

$ .

2 « » . ,

5 5 ,

. 2 5

- .

5 . # 5 MD5 SHA.

5 , ,

- 5

. . , MACs, 5

, . %

- ! . "

! ,

5 . . HMAC .

% SSL MAC

5 ! ! .

(57)

8.3 # +

% SSL !

. %

5 . ,

, .

: 5 $

. 2

$

.

1 ,

-

, .

5 .

( , , ). 4 ,

( , CA)

. 7 . 2

,

1 . : CAs

.

. %

- . %

. # ,

,

.

" ,

(58)

-

.

"- , browser ! $

.

8.4 SSL # #

% $ X.509,

1 . , X.509 :

/( : %

' : %

# ( " / ( !"/: %

0! " "! ' :

# *:

2 -

server browser. "

, -

browser. 2 Internet Explorer,

-

SSL (server).

. ,

. : browser, Netscape, Mozilla,

Konqueror .

https://www.ibm.com browser ,

! . 2

(59)

Equifax Secure E-Business Certification Authority-2

Thawte CA.

Thawte Internet Explorer

. 4 Internet Explorer

- : Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities.

8.5 0" ! 2 # + (!! SSL

, SSL ,

,

5 .

SSL :

1. . browser Apache server.

2. 5 $ , browser server

.

3. . browser server,

! - , CA.

4. # , server

.

5. . server client

.

6. 5 $

.

$ - server

browser

! .

8.6 SSL

4 SSL server, - SSL

Apache. . Apache web server !

(60)

plug-ins

. % plug-ins Apache $ mods. - SSL

mod_ssl, ! Apache

- . % mod_ssl, , OpenSSL library open source

SSL&TLS . %

OpenSSL ! !! SSLeay Eric A. Young

Tim J. Hudson.

8.7 OpenSSL

Windows

4 Apache

installer Windows . )

Windows .

Unix

Linux FreeBSD OpenSSL

$

.

packages

$

! $ $ :

http://www.openssl.org. [17] !

:

# gunzip < openssl*.tar.gz | tar xvf -

# cd openssl*

% OpenSSL config script ! .

# .

: /usr/local/ssl/install

(61)

. 2

build .

# ./config --prefix=/usr/local/ssl/install --openssldir=/usr/local/ssl/install/openssl

# make

# make install

" , OpenSSL Toolkit.

OpenSSL ! /usr/local/ssl/install/bin/.

.

mod_ssl

, SSL extensions Apache

- ; .

,

, mod_ssl

Apache 2.0. # !

build module. To mod_ssl - !! OpenSSL,

OpenSSL .

" o Apache server 2.0 mod_ssl

! . * packages

.

build Apache 2.0

build mod_ssl compile.

--enable-ssl --with-ssl=/usr/local/ssl/install/openssl

OpenSSL

.

" mod_ssl compile statically Apache,

,

compiled-in modules.

# /usr/local/apache2/bin/httpd -l

(62)

o Apache usr/local/apache2.

" mod_ssl dynamic loadable module, configuration file:

LoadModule ssl_module modules/libmodssl.so [17]

8.8 '" + # # %

4 server SSL, !

server. " SSL site ,

- site .

8.9 " ( 3" !"/ %

# / $

. 7 site

www.example.com. (<

FQDN Apache.) %

:

# /usr/local/ssl/install/bin/openssl genrsa -des3 -rand file1:file2:file3 \
    -out www.example.com.key 1024

% genrsa OpenSSL ! $ .

% des3

.

% rand to OpenSSL -

! 5 . 4

file1, file2, . . ., ,

( (kernel), , ).

" /dev/random. option

Windows

.

% out .

To 1024 bits .

(63)

% $ :

625152 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

) , . "

. .

$ server. 2 -

. !

server,

! ! . "

, 5 5

option - des3 :

# /usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
    -out www.example.com.key.unsecure

" www.example.com.key.

2 :

# /usr/local/ssl/install/bin/openssl rsa -noout -text -in www.example.com.key

8.10 " ( # # # # "

4 (CA),

! . 4 ,

:

# /usr/local/ssl/install/bin/openssl req -new -key www.example.com.key -out www.example.com.csr

< $ :

Using configuration from /usr/local/ssl/install/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.example.com
Email Address []:administrator@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Figure 7: Internet Explorer (figure caption; the image is not part of the text).

"

Common Name $

browser .

browser server . " ,

$ .

% www.example.com.csr. 2

:

# /usr/local/ssl/install/bin/openssl req -noout -text -in www.example.com.csr

2 !

CA. . VeriSign Thawte -

. . ! .

VeriSign: http://digitalid.verisign.com/server/apacheNotice.htm

(65)

Thawte: http://www.thawte.com

8.11 " ( (- # ( " # #

2 - . 1

.

,

mod_ssl server

CA.

# /usr/local/ssl/install/bin/openssl x509 -req -days 30 -in www.example.com.csr \
    -signkey www.example.com.key -out www.example.com.cert

# 5 www.example.com.cert

( CA -

) /usr/local/ssl/install/openssl/certs/

/usr/local/ssl/install/openssl/private/.

2 :

# chmod 400 www.example.com.key

8.12 ( + SSL

% , , Apache - SSL. %

mod_ssl ,

, LoadModule .

Apache:

Listen 80
Listen 443

<VirtualHost _default_:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/install/openssl/certs/www.example.com.cert
SSLCertificateKeyFile /usr/local/ssl/install/openssl/private/www.example.com.key
</VirtualHost>

2 , $ host

443 ( HTTPS) SSL

host SSLEngine.[18]

# - ! server

, SSLCertificateFile

SSLCertificateKeyFile.

8.13 Server

server.

"

(pass phrase), $

. 2 , Apache

server

URL https://www.example.com/.

" Apache server -

-

! . # ,

- Apache

. # (administrator)

443 , - 8443

! URL https://www.example.com:8443. [18]

(67)

8.14 ! ( $

2 - ciphers

SSLCipherSuite SSLProtocol. # ,

: SSLProtocol

SSLCipherSuite HIGH:MEDIUM

8.15 0 # #"! %

. clients - server

, server -

.

. SSLCACertificateFile SSLCACertificatePath Apache

. 2

clients $

! server.

SSLCACertificateFile

.

" ,

SSLCACertificatePath

. %

. % SSLVerifyClient

. SSLVerifyDepth

client. . SSLCARevocationFile SSLCARevocationPath

(68)

.

8.16 #(/

% SSL . % mod_ssl

OpenSSL

(cache) . 2

SSLSessionCache

SSLSessionCacheTimeout. 7 - -

-

-

. SSLMutex

SSL. SSLRandomSeed

. .

- server.

8.17 *

To mod_ssl Apache -

$ SSL,

!

client.

CGI script ! ! StdEnvVars

Options.

8.18 " !* SSLOptions

# !

. . SSL URLs.

SSLOptions.

SSLPassPhraseDialog

(pass phrase) $ -

.

(69)

8.19 & !" ' # ( )

SSLRequireSSL clients

SSL ! server.

SSLRequire

! client. - SSLRequire

, - . $

mod_ssl $ !

! client .

! - ! :

SSL - ( ) cipher

(NULL) cipher,

, !

(1 # )

(8:00 . . 8:00 . .). # .

. , . [18]

0 /"

SSLRequire

!

SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
             and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
             and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

8.20 Reverse Proxy "' * SSL

- reverse proxy

.

reverse proxy server

server client [18]. . : SSLProxyMachineCertificatePath,

SSLProxyMachineCertificateFile, SSLProxyVerify, SSLProxyVerifyDepth, SSLProxyCACertificatePath,

(70)

SSLProxyEngine, and SSLProxyCACertificateFile.

(71)

9. REFERENCES

[1] Maurice J. Bach, The Design of the UNIX Operating System. Prentice Hall, 1986.

[2] Helen Custer, Inside Windows NT. Microsoft Press, 1993.

[3] Simson Garfinkel and Gene Spafford, Practical UNIX and Internet Security, 2nd edition. O'Reilly & Associates, 1996.

[4] I. Heizer, P. Leach and D. Perry, Common Internet File System Protocol (CIFS). Internet Draft, 1996.

[5] David K. Hess, David R. Safford and Udo W. Pooch, A UNIX Network Protocol Security Study: Network Information Service. Texas A&M University.

[6] Paul J. Leach, CIFS Authentication Protocols Specification. Microsoft, Preliminary Draft, Author's draft 4.

[7] Paul J. Leach and Dilip C. Naik, CIFS Logon and Pass Through Authentication. Internet Draft, 1997.

[8] W. LeFebvre, Simply syslog. Unix Review, vol. 15, no. 12, November 1997.

[9] Marshall Kirk McKusick, Keith Bostic, Michael J. Karels and John S. Quarterman, The Design and Implementation of the 4.4BSD Operating System. Addison-Wesley, 1996.

[10] NCSC, Final Evaluation Report, Microsoft Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 1996.

[11] RFC 1001, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods. March 1987.

[12] RFC 1002, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications. March 1987.

[13] Russel Sandberg, David Goldberg, Steve Kleiman, Dan Walsh and Bob Lyon, Design and Implementation of the Sun Network Filesystem. Summer USENIX Conference Proceedings, Portland, 1985.

[14] Jennifer G. Steiner, Clifford Neuman and Jeffrey I. Schiller, Kerberos: An Authentication Service for Open Network Systems. USENIX Winter Conference, Dallas, Texas, USA, February 1988.

[15] Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edition.

[16] Eric Rescorla, SSL and TLS: Designing and Building Secure Systems.

[17] OpenSSL project: http://www.openssl.org

[18] mod_ssl project: http://www.modssl.org

[19] Apache reference: http://www.apacheref.com