How to avoid Clickjacking and SlowLoris attacks in CentOS


In this article we will learn how to avoid Clickjacking and SlowLoris attacks in CentOS.

Clickjacking
Clickjacking (also called UI redressing) tricks a user into clicking something other than what they see. The attacker's page loads the target site inside an invisible iframe and positions it over a decoy, so a click on what looks like a harmless image or button actually lands on a control in the hidden page, carried out with the victim's existing login session. The victim notices nothing. Typical targets are one-click actions such as following someone or liking a page on Facebook, sharing a post on Twitter, or clicking a Google AdSense advertisement so that the attacker collects the ad revenue.

Fixing Clickjacking

Before starting, check that the Apache web server is running:

[root@linuxhelp ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-09-16 11:58:26 IST; 3 days ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 16546 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 16622 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─16622 /usr/sbin/httpd -DFOREGROUND
           ├─16623 /usr/sbin/httpd -DFOREGROUND
           ├─16624 /usr/sbin/httpd -DFOREGROUND
           ├─16625 /usr/sbin/httpd -DFOREGROUND
           ├─16627 /usr/sbin/httpd -DFOREGROUND
           └─16628 /usr/sbin/httpd -DFOREGROUND

Sep 16 11:58:25 linuxhelp systemd[1]: Starting The Apache HTTP Server...
Sep 16 11:58:25 linuxhelp httpd[16622]: AH00558: httpd: Could not reliably determine t...age
Sep 16 11:58:26 linuxhelp systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.


Next, check whether the server already sends the X-Frame-Options header. This header tells browsers whether a page may be displayed inside a frame on another site, which is what clickjacking depends on. curl -I fetches only the response headers:

[root@linuxhelp ~]# curl -I http://192.168.7.190/
HTTP/1.1 403 Forbidden
Date: Tue, 20 Sep 2016 01:16:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8


As the output shows no X-Frame-Options header, any other site can load this server's pages in an iframe, so the server is vulnerable to clickjacking. The header is added with mod_headers, which CentOS 7 loads by default from /etc/httpd/conf.modules.d/00-base.conf. Open the Apache configuration file and add the following line.

[root@linuxhelp ~]# vim /etc/httpd/conf/httpd.conf
Header always set X-Frame-Options "SAMEORIGIN"
Then save and exit.

Use set rather than append here: append adds to any X-Frame-Options value the application already sends, and when the resulting comma-separated values differ, browsers do not agree on how to interpret the list. always makes the header go out on error responses too, such as the 403 above. SAMEORIGIN still lets the site's own pages frame each other; use DENY if nothing on the site needs to be framed. Newer browsers prefer the Content-Security-Policy frame-ancestors directive when both are present, so sending that header alongside X-Frame-Options covers old and new browsers alike.


Check the configuration for syntax errors before restarting:

[root@linuxhelp ~]# httpd -t 
Syntax OK


In order to apply the changes, restart apache web server.

[root@linuxhelp ~]# systemctl restart httpd 

Check that the X-Frame-Options header is now present in the response:

[root@linuxhelp ~]# curl -I http://192.168.7.190/
HTTP/1.1 403 Forbidden
Date: Tue, 20 Sep 2016 01:25:32 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

Browsers that honour X-Frame-Options will now refuse to render this server's pages inside a frame on another origin, which removes the hook that clickjacking relies on. The header must reach the user on every page, so check the other virtual hosts and an error response as well, not only the front page.
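The curl -I check above reads one response by eye. The bash function below, added here as an example and not part of the original article, classifies a raw header block (such as the output of curl -sI) the way a browser would treat it: a Content-Security-Policy frame-ancestors directive wins when present, DENY and SAMEORIGIN count as protected, the obsolete ALLOW-FROM form is reported as ineffective, and more than one distinct X-Frame-Options value (which Header append can produce when an application already sets the header) is reported as a conflict. The two sample responses at the bottom are constructed, and the address 192.168.7.190 in the usage comment is the one from the article.

```bash
#!/bin/bash
# Added example, not part of the original article. Classifies the
# anti-framing headers in a raw HTTP response header block (for example
# the output of `curl -sI http://192.168.7.190/`) and prints one word:
#   none          no X-Frame-Options and no CSP frame-ancestors: framable
#   csp-ok        Content-Security-Policy frame-ancestors present (wins over XFO)
#   xfo-ok        X-Frame-Options DENY or SAMEORIGIN
#   xfo-obsolete  X-Frame-Options ALLOW-FROM, ignored by current browsers
#   xfo-conflict  several different X-Frame-Options values (e.g. from Header append)
#   xfo-invalid   any other value, which browsers do not enforce
# Exit status 0 means protected, 1 means not.

check_frame_headers() {
    local hdrs fa xfo
    # Strip the CR of the CRLF line endings so anchors and cuts behave.
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')

    # CSP frame-ancestors takes precedence when present, so test it first.
    fa=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy:' \
        | grep -io 'frame-ancestors[^;]*' | head -n 1)
    if [ -n "$fa" ]; then
        echo "csp-ok"
        return 0
    fi

    # Gather every X-Frame-Options value: one header may carry a
    # comma-separated list, and the header may also appear more than once.
    # Lower-case, drop whitespace and keep one copy of each distinct value.
    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | cut -d: -f2- \
        | tr ',' '\n' | tr -d ' \t' | tr '[:upper:]' '[:lower:]' | sort -u)
    if [ -z "$xfo" ]; then
        echo "none"
        return 1
    fi
    if [ "$(printf '%s\n' "$xfo" | wc -l)" -gt 1 ]; then
        echo "xfo-conflict"
        return 1
    fi
    case "$xfo" in
        deny|sameorigin) echo "xfo-ok";       return 0 ;;
        allow-from*)     echo "xfo-obsolete"; return 1 ;;
        *)               echo "xfo-invalid";  return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server): the
# "before" block mirrors the article's first curl -I output, the "after"
# block the one taken once the Header directive is in place.
BEFORE=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\nContent-Type: text/html; charset=UTF-8\r\n')
AFTER=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache/2.4.6 (CentOS) PHP/5.4.16\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html; charset=UTF-8\r\n')

printf 'before: %s\n' "$(check_frame_headers "$BEFORE")"   # before: none
printf 'after:  %s\n' "$(check_frame_headers "$AFTER")"    # after:  xfo-ok
# Against the live server from the article:
#   check_frame_headers "$(curl -sI http://192.168.7.190/)"
```

Run it against every virtual host and against an error page as well as the front page; the function only judges the response it is given, and a header set in one VirtualHost block says nothing about the others.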

SlowLoris

SlowLoris is a denial-of-service attack aimed at the web server itself. A single attacking client opens many connections and sends a partial HTTP request on each, trickling out another header line every few seconds so the server keeps waiting for the rest of the request. Each such connection occupies one of Apache's worker slots; once all workers are held, legitimate users can no longer connect, even though the machine's CPU and bandwidth are barely used. Apache's prefork MPM, the default on CentOS, is especially exposed because every connection ties up a whole process.

Fixing SlowLoris

Several controls can be combined against Slowloris. Apache 2.4 itself ships mod_reqtimeout, loaded by default on CentOS 7, whose RequestReadTimeout directive drops clients that send request headers or bodies too slowly. Here we add mod_qos on top, which also limits connections per client IP. mod_qos is not part of the stock httpd package: install it separately, make sure its LoadModule line is present under /etc/httpd/conf.modules.d/, and confirm it is loaded, because httpd -t rejects its directives otherwise.

[root@linuxhelp ~]# httpd -M | grep qos

Then edit the Apache configuration file and add the mod_qos configuration as follows. MaxClients is not a mod_qos directive but the prefork MPM's ceiling on simultaneous connections (renamed MaxRequestWorkers in Apache 2.4; the old name is still accepted), and mod_qos reads it to scale its own limits.

[root@linuxhelp ~]# vim /etc/httpd/conf/httpd.conf

      MaxClients                        256
      <IfModule mod_qos.c>
      QS_ClientEntries                  100000
      QS_SrvMaxConnPerIP                50
      QS_SrvMaxConnClose                180
      QS_SrvMinDataRate                 150 1200
      </IfModule>

Save and exit from the file, then check the syntax with httpd -t and restart httpd as before so the limits take effect.


Explanations
QS_ClientEntries - the number of client IP addresses mod_qos keeps track of at once (the size of its client table); 100000 leaves room for a large number of distinct sources.
QS_SrvMaxConnPerIP - the maximum number of concurrent connections a single client IP may hold; a Slowloris client needs hundreds, a normal browser only a handful.
MaxClients - the MPM's ceiling on simultaneous connections (MaxRequestWorkers in Apache 2.4 terms); mod_qos scales the limits below against it.
QS_SrvMaxConnClose - disables HTTP keep-alive once more than 180 connections are open, so connections are closed after each request instead of being held idle.
QS_SrvMinDataRate - the minimum throughput a client must sustain on each connection: 150 bytes per second while the server is idle, rising to 1200 bytes per second as the connection count approaches MaxClients. A client that sends more slowly than that, which is exactly what Slowloris does, has its connection closed.
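Two checks that go with the settings above, added here as an example and not part of the original article or of mod_qos itself. required_rate shows what QS_SrvMinDataRate demands of each connection as load grows, assuming the documented ramp from the first value at no load to the second at MaxClients is linear (the exact curve mod_qos uses internally is not shown on the page) and assuming MaxClients 256 from the configuration above. conns_per_ip counts established connections to port 80 per client address from ss -tn output and reports the addresses above QS_SrvMaxConnPerIP, which is the first thing to look at when a Slowloris attack is suspected. The ss output produced by sample_ss_output is constructed, and the client addresses 10.0.0.5 and 10.0.0.9 are made up.

```bash
#!/bin/bash
# Added example, not part of the original article or of mod_qos.
# Two checks that go with the mod_qos settings above, assuming the prefork
# MPM with MaxClients 256 from the configuration:
#   required_rate  what QS_SrvMinDataRate demands of each connection at a
#                  given load; assumes a linear ramp from the first value at
#                  no load to the second at MaxClients (the exact curve mod_qos
#                  uses internally is not shown in the article)
#   conns_per_ip   which client addresses hold more established connections
#                  to port 80 than QS_SrvMaxConnPerIP allows, from `ss` output

# required_rate MIN MAX MAXCLIENTS CURRENT_CONNECTIONS -> bytes/second/connection
required_rate() {
    local min=$1 max=$2 maxclients=$3 cur=$4
    if [ "$cur" -gt "$maxclients" ]; then
        cur=$maxclients        # nothing above MaxClients is ever accepted
    fi
    echo $(( min + (max - min) * cur / maxclients ))
}

# conns_per_ip LIMIT: reads `ss -tn state established '( sport = :80 )'` lines
# on stdin and prints "IP COUNT" for every client IP holding more than LIMIT
# connections. The peer address is the last column whether or not ss prints
# a State column, so $NF is used rather than a fixed column number.
conns_per_ip() {
    awk -v limit="$1" '
        NR > 1 { sub(/:[0-9]+$/, "", $NF); n[$NF]++ }   # strip the client port
        END    { for (ip in n) if (n[ip] > limit) print ip, n[ip] }' | sort
}

# Constructed sample of ss output (not real data): a Slowloris-style client
# at 10.0.0.5 holding 52 connections and a normal client at 10.0.0.9 with 3.
sample_ss_output() {
    echo 'Recv-Q Send-Q Local Address:Port Peer Address:Port'
    local i=0
    while [ "$i" -lt 52 ]; do
        echo "0 0 192.168.7.190:80 10.0.0.5:$((40000 + i))"
        i=$((i + 1))
    done
    echo '0 0 192.168.7.190:80 10.0.0.9:40100'
    echo '0 0 192.168.7.190:80 10.0.0.9:40101'
    echo '0 0 192.168.7.190:80 10.0.0.9:40102'
}

echo "QS_SrvMinDataRate 150 1200 with MaxClients 256 requires, per connection:"
echo "  idle:            $(required_rate 150 1200 256 0) B/s"
echo "  128 connections: $(required_rate 150 1200 256 128) B/s"
echo "  at MaxClients:   $(required_rate 150 1200 256 256) B/s"
echo "Clients over QS_SrvMaxConnPerIP 50 in the sample:"
sample_ss_output | conns_per_ip 50
# On the live server:  ss -tn state established '( sport = :80 )' | conns_per_ip 50
```

The rate ramp is why QS_SrvMinDataRate hurts an attacker more than a normal user: a browser that is actively downloading a page easily exceeds 1200 bytes per second, while a Slowloris connection that sends a few bytes every ten seconds falls below 150. When tuning QS_SrvMaxConnPerIP, remember that many legitimate users behind one NAT address share a single client IP.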

With X-Frame-Options set and mod_qos limiting per-client connections and data rates, the server is protected against basic clickjacking and Slowloris attacks. Tune the mod_qos limits against real traffic before relying on them: a QS_SrvMaxConnPerIP of 50 can also cut off many legitimate users who sit behind a single NAT address.

FAQ
Q
What is Slowloris?
A
Slowloris is a denial-of-service attack against web servers. A single client opens many connections and keeps each one alive by sending an incomplete HTTP request very slowly, so that the server's worker slots are all tied up waiting and legitimate users can no longer connect.
Q
What is the Cursorjacking?
A
Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives.
Q
Does clickjacking affect browsing speed?
A
No. The framed page loads normally and the user notices no slowdown, which is part of why the attack goes unnoticed.
Q
What is clickjacking attack?
A
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what they perceive they are clicking on.
Q
How does clickjacking work?
A
In a classic clickjacking scenario, an attacker sets up a malicious website that invisibly embeds the Facebook "Like" or "Share" button in a transparent iframe, positioned exactly over a decoy element the victim is enticed to click.