Build a secure E-Commerce server
Creation time: 2001-06-01
Article properties: reprint
Article Source: http://sinbad.dhs.org
Article submission: Quack (QUACK_AT_XFOCUS.ORG)
By sinbad
May 25, 2001
http://sinbad.dhs.org
One. Background
The Internet-based network economy has always drawn attention. Given the situation of the portals, a group of online companies styled "e-commerce" has now emerged. By comparison they are calm and cautious. In enterprise applications they are no longer satisfied with merely helping SMEs get online; they also offer e-commerce products, mainly CRM, ERP, SCM and the like, or provide a one-stop service from IDC to ASP.

However, as far as I have seen, very few companies can truly bury themselves in building a product: first because the investment is too large, second because it is difficult to find a suitable market position. Solution and integration work amounts to little more than patching pieces together and confusing first-time customers, with nothing of one's own. So, apart from some website construction and application projects, where is an e-commerce company's profit?

As I see it, the domestic e-commerce environment is still immature: there is no complete credit system or payment method, and on that basis many e-commerce activities are difficult to carry out. Customers also have many concerns from the security standpoint alone. For example, if you operate as an ASP (Application Service Provider), customers find it hard to accept sharing a hard drive with others and worry about handing their data over to you. A system developed with great effort and put online can easily have its source code stolen by hackers. If it is hosted on an insecure system and hackers tamper with its pages and data, it is hard to answer to the customer, and one's own reputation and further business cooperation suffer.

This shows the importance of security. Granted, security and hacking techniques are a relatively niche field, and some software developers even turn up their noses at them, but we cannot deny the role of security in e-commerce. An e-commerce system designed and developed by system analysts who do not take security into account will fail in the end.

Security is a very complex piece of systems engineering with many links, from the initial system policy through to the final implementation. This article only covers building an e-commerce server; getting an e-commerce web server that sits on the Internet fully up and running is not so simple.
Two. Apache
Why choose Apache? SMEs are happier to accept a lower system quote, and UNIX network administrators can also explain the choice for me from the technical side. Indeed, compared with the vulnerability-ridden IIS, Apache has a good reputation for security, but a default Apache installation is still not enough.

1) Operating system
Although versions for Windows, Linux, the BSD family and other operating systems have been released, UNIX is the best choice. The first reason is the convenience of remote management, with SSH providing an encrypted channel for remote administration and maintenance. As for the system itself, UNIX-like systems are easier to optimize and configure.

2) Vulnerabilities in Apache itself
Although the Apache core has few buffer overflows and exploits, versions before 1.3.19 have a mod_rewrite vulnerability. Installing the latest version, 1.3.20, is recommended.

3) External hidden dangers
The content of today's e-commerce websites is not static but dynamically generated, so some modules are required, such as Java (JServ), Perl (mod_perl) and PHP (mod_php). These modules introduce security hazards into Apache. For example, Apache with PHP on the Windows platform has a directory traversal vulnerability, and on UNIX platforms some versions of the Tomcat engine (Java Servlets and JSPs) also have directory traversal vulnerabilities and even vulnerabilities that leak JSP source code.

Apache, like other software products, has security issues to a greater or lesser degree. We should not laugh at IIS for being full of holes while placing 100% trust in Apache. In general, two factors make software insecure: technology and configuration. For example, how well a server is configured matters in comparison with some of the bugs in the software.
Three. SSL
The Internet is an open system. Most network communication is insecure, just like sending a postcard through traditional mail: a malicious user can steal the content, tamper with it, or forge it.

SSL, the Secure Socket Layer, is a protocol that works above the network layer: it adds an encrypted layer between TCP/IP and HTTP. It mainly uses public-key cryptography and X.509 digital certificate technology to protect the confidentiality and integrity of information in transit. It does not guarantee non-repudiation of information. It is mainly suited to point-to-point information transfer and is commonly used in the web server model.

In e-commerce systems, the most commonly used encryption protocols are SSL and SET. SET is at the application layer, while SSL is at the session layer, so the encryption is transparent to users of the protocols above it, such as HTTP. For a comparison of SSL and SET, please refer to other articles. In practice, the easiest to implement is SSL, and the newer TLS has not yet been widely adopted.
Four. Apache SSL
Some practical steps follow, describing how to install a secure Apache SSL server. First, the security of the network and the operating system must be ensured: the firewall and router are installed and correctly configured, the operating system has been patched and hardened, system logs are stored separately, and so on.

The Apache server itself does not support SSL. There are several options for combining Apache and SSL:
(1) The Apache-SSL project (http://www.apache-ssl.org), which integrates Apache Server and SSL;
(2) Third-party SSL patches, such as Covalent SSL from Covalent Networks (http://www.covalent.com);
(3) mod_ssl (http://www.modssl.org), which supports SSL through a module;
(4) Commercial web servers based on Apache with integrated SSL capability, such as Red Hat Secure Server (http://store.redhat.com/commerce/). These commercial web servers are used mainly in North America, because the public-key algorithm used by SSL is patented there.

We choose the third method so that we can use the latest version of Apache. Download the following software packages from these three sites:
Apache: http://www.apache.org
OpenSSL: http://www.openssl.org
mod_ssl: http://www.modssl.org
Here are the installation steps:

A. Preparation
Unpack Apache, OpenSSL and mod_ssl into the /usr/local/src directory.

B. Compile OpenSSL
Switch to the directory /usr/local/src/openssl-0.9.6:
(1) ./Configure linux-elf threads -fPIC --prefix=/usr/local/ssl
(2) make
(3) make test
(4) make install

C. Configure mod_ssl
Go to the directory /usr/local/src/mod_ssl-2.8.0-1.3.17 and run the following command:
    ./configure --with-apache=../apache_1.3.17

D. Configure Apache
Enter the directory /usr/local/src/apache_1.3.17:
1. export SSL_BASE=../openssl-0.9.6
2. ./configure \
       --prefix=/usr/local/apache \
       --enable-module=ssl \
       --disable-rule=SSL_COMPAT \
       --enable-module=rewrite \
       --enable-module=auth_digest \
       --enable-module=vhost_alias \
       --enable-module=log_referer \
       --disable-module=userdir \
       --disable-module=autoindex
   Notes on the module options:
   auth_digest: uses MD5 hashes for HTTP authentication
   vhost_alias: enables virtual hosts
   log_referer: enhances logging
   userdir (disabled): not used in e-commerce applications
   autoindex (disabled): do not list directories
3. make
4. make certificate TYPE=dummy
5. make install
6. ./src/httpd -l

Apache is now installed; httpd -l lists the modules that were compiled in.
Here are some security settings to check:

SSL:
Enable SSL in httpd.conf:
    <IfDefine SSL>
    Port 80
    Listen 80
    Listen 443
    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 1200
    # For increased performance use "SSLMutex sem" instead of the line below
    SSLMutex file:/usr/local/apache/logs/ssl_mutex
    SSLLog /usr/local/apache/logs/ssl_engine_log
    # Change the log level default from "info" to "warn"
    SSLLogLevel warn
    SSLOptions OptRenegotiate
    </IfDefine>

Enable SSL support for the virtual host:
    # Within the <VirtualHost> container
    SSLEngine on
    # Replace with your certificate file
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/
    # Replace with your private key file
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/
    SSLVerifyClient none
    </VirtualHost>

Customize the SSL log format:
    LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_CN}x\"" clfa
    CustomLog /usr/local/apache/logs/access_log clfa

Protected directory:
    # Within the <Location> container of the protected directory
    SSLCipherSuite HIGH:MEDIUM
    AuthType Digest
    AuthName "Beta Code Testing"
    AuthDigestDomain /test/ http://test.my.dom/beta/
    AuthDigestFile /usr/local/apache/conf/digest_pw
    Require valid-user
    </Location>
Final file checks:
1. The SSL certificate and public key must not be stored under DocumentRoot;
2. The SSL certificate and public key must be owned by root, with chmod 400 *.crt;
3. Remove all sample files in /htdocs and /cgi-bin;
4. All files under htdocs are owned by nobody.
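The checklist above can be turned into a repeatable audit. The script below is an added example, not part of the original article: it checks items 1, 2 and 4, and goes slightly further than item 2 by also covering *.key files next to the *.crt files. The function names and the default paths (taken from the --prefix used in the build steps) are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): audit items 1, 2 and 4 of the checklist.
# Defaults follow the --prefix used in this article; every argument is optional.
#   $1 Apache conf dir   $2 DocumentRoot   $3 owner of certs/keys   $4 owner of htdocs

scan() {    # scan MESSAGE find-args...: one FAIL line per file that find matches
    msg=$1; shift
    find "$@" -exec echo "FAIL $msg:" {} \; || echo "FAIL $msg: find reported an error"
}

audit_apache_files() {
    conf=${1:-/usr/local/apache/conf}
    docroot=${2:-/usr/local/apache/htdocs}
    key_owner=${3:-root}
    web_owner=${4:-nobody}

    findings=$(
        # Item 1: no certificate or key files anywhere below DocumentRoot.
        scan "key material under DocumentRoot" "$docroot" -type f \
            \( -name '*.crt' -o -name '*.key' \)
        # Item 2: certificates and keys are mode 400 exactly and owned by root.
        scan "mode is not 400" "$conf" -type f \
            \( -name '*.crt' -o -name '*.key' \) ! -perm 400
        scan "not owned by $key_owner" "$conf" -type f \
            \( -name '*.crt' -o -name '*.key' \) ! -user "$key_owner"
        # Item 4: everything under htdocs belongs to the web content owner.
        scan "not owned by $web_owner" "$docroot" ! -user "$web_owner"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call audit_apache_files with no arguments on the server built above; a non-zero return status means at least one FAIL line was printed.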
If you don't mind the extra configuration work, it is best to run Apache in a chroot environment. :)
For how to generate a certificate request and have it signed by a CA, please refer to other articles. There are also many CAs in China that can issue certificates, such as the China Telecom E-Commerce Security Certification Center (http://www.sinocol.com/).
Five. Hardening the E-Commerce Server
Even if Apache is installed and configured securely, a Linux system with weak passwords or running services such as wu-ftpd is still very easy to break into. Generally speaking, a web server needs only SSH for remote management. Don't install X Window, and remove compilers such as GCC once the system is stable, to avoid damage from script kiddies.

At the same time, some packet filtering rules (ipfw, ipchains, iptables) should be applied. Here we discuss Linux ipchains, assuming the following requirements:
1. The server has two network cards
2. The external network card allows only incoming data on ports 80 and 443
3. The external network card allows only outgoing data on ports > 1023
4. The internal network card allows only incoming data on ports 22, 80 and 443
5. The internal network card allows only outgoing data on ports > 1023. The usual connection is to a database: Oracle is port 1524, SQL Server is 1443, and SSH can use the -p option to specify a user port greater than 1023.
6. The network card allows ICMP responses

The commands are as follows (eth0 is the external network card, eth1 the internal network card):
    ipchains -A in-eth0 -p tcp --dport 80 -j ACCEPT
    ipchains -A in-eth0 -p tcp --dport 443 -j ACCEPT
    ipchains -A in-eth0 -p udp --dport 53 -j ACCEPT
    ipchains -A in-eth0 -j DENY
    ipchains -A out-eth0 -p tcp --dport 1024:65535 -j ACCEPT
    ipchains -A out-eth0 -p udp --dport 53 -j ACCEPT
    ipchains -A out-eth0 -j DENY
    ipchains -A in-eth1 -p tcp --dport 22 -j ACCEPT
    ipchains -A in-eth1 -p tcp --dport 80 -j ACCEPT
    ipchains -A in-eth1 -p tcp --dport 443 -j ACCEPT
    ipchains -A in-eth1 -p udp --dport 53 -j ACCEPT
    ipchains -A in-eth1 -p icmp -j ACCEPT
    ipchains -A in-eth1 -j DENY
    ipchains -A out-eth1 -p tcp --dport 22 -j ACCEPT
    ipchains -A out-eth1 -p tcp --dport 1024:65535 -j ACCEPT
    ipchains -A out-eth1 -p udp --dport 53 -j ACCEPT
    ipchains -A out-eth1 -p icmp -j ACCEPT
    ipchains -A out-eth1 -j DENY
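A rule script like this depends on every target being spelled correctly and on each chain ending in a catch-all DENY. The linter below is an added example, not part of the original article: it reads "ipchains -A" lines and reports unexpected targets, rules placed after a chain's catch-all, and chains with no catch-all. The function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): lint an ipchains rule script.
# Assumption: only ACCEPT, DENY and REJECT are expected as targets here, so a
# jump to any other name (a typo or a user-defined chain) is reported.
lint_ipchains() {   # rules on stdin; prints findings, returns 1 if there are any
    findings=$(awk '
        $1 != "ipchains" || $2 != "-A" { next }
        {
            chain = $3; target = ""; matches = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^-/) matches++
            }
            seen[chain] = 1
            if (closed[chain])
                printf "line %d: %s: rule after the catch-all is never reached\n", NR, chain
            if (target !~ /^(ACCEPT|DENY|REJECT)$/)
                printf "line %d: %s: unexpected target \"%s\"\n", NR, chain, target
            else if (matches == 0 && target != "ACCEPT")
                closed[chain] = 1   # unconditional DENY or REJECT ends the chain
        }
        END {
            for (c in seen) if (!closed[c])
                printf "chain %s: no final catch-all DENY or REJECT\n", c
        }' | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample ruleset with three mistakes planted on purpose.
sample_rules() {
    cat <<'EOF'
ipchains -A in-eth0 -p tcp --dport 80 -j ACCEPT
ipchains -A in-eth0 -p tcp --dport 443 -j ACCEPTT
ipchains -A in-eth0 -j DENY
ipchains -A in-eth0 -p udp --dport 53 -j ACCEPT
ipchains -A out-eth0 -p tcp --dport 1024:65535 -j ACCEPT
EOF
}

sample_rules | lint_ipchains || true
```

Feed the real rule script to lint_ipchains on standard input before loading it; a clean script prints nothing and returns 0.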
The remaining work is to recompile the system kernel with unneeded modules disabled, which can render some rootkits ineffective.
Finally, check the programs running on the web server for security issues such as buffer overflows.
Six. References
Improving Apache, by Gary Bahadur & Mike Shema
SSL: Theory and Practice, Zeus Technology
LASG, i.e. Linux Administrators Security Guide