Firewall Wizards mailing list archives

Re: WWW protectors

From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 06 Mar 1998 09:21:27 -0500

I'm looking for pointers to packages that protect web servers.
So far I've found:


The question to me is "how do they protect the web server?"
One of the ways a web server gets broken into is through
stupid flaws in CGI-bin scripts. There's not a good way for
an externally developed engine to know about all the stupid
CGI-flaws the end user might invent. Another way web servers
get broken into is through buggy code in the http daemon.
This is unfortunate, since you NEED something serving web,
and that's a main point of attack. Trusted operating systems
(CMWs, etc) can help prevent the web server software from
letting an attacker gain access to the whole system, but
unless it's set up carefully they may be able to gain
access to the web pages and alter them.

My favorite design for a secure web server was one that
a sick, twisted buddy of mine came up with. You just put
a lot of lines in /etc/inetd.conf that look like:
http-8081 stream  tcp   nowait  nobody  /bin/cat  cat /cdrom/index.html
http-8082 stream  tcp   nowait  nobody  /bin/cat  cat /cdrom/docs/index.html
http-8083 stream  tcp   nowait  nobody  /bin/cat  cat /cdrom/text/doc1.html
http-8084 stream  tcp   nowait  nobody  /bin/cat  cat /cdrom/text/doc2.html
http-8085 stream  tcp   nowait  nobody  /bin/cat  cat /cdrom/text/doc3.html

Then your system needs to only have a copy of cat, inetd, and the
kernel.:) For extra credit, modify udp_input.c to throw away
anything not destined for port 53, and ip_input.c to throw away
anything destined for ports below 8081 and over 20000.

Of course it won't *DO* much but that's kind of the point. :)

The thing I don't see explained by the vendors of the products
you listed is how their products effectively manage complexity
and the fact that mistakes are end-user installable. I think
they wave their hands over the mistake issue. Which is sad because
it gives the customer a sense of false confidence. If you, the
customer, need to protect your web site, you can make a huge step
in the right direction by installing some in-kernel filtering to
restrict access to ONLY the web server daemon and DNS. Then make
sure the web server daemon runs with reduced permissions and
if possible chrooted. Lastly, audit your CGI scripts. You'll be
in pretty good shape that way.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

Current thread:

WWW protectors Mark Le Vea (Mar 06)
- Re: WWW protectors Marcus J. Ranum (Mar 06)
- Re: WWW protectors Bennett Todd (Mar 06)
- Re: WWW protectors Aleph One (Mar 06)
- <Possible follow-ups>
- Re: WWW protectors Paul McNabb (Mar 06)
- RE: WWW protectors firstcat (Mar 06)