Securing A Linux Web Server In 10 steps or Less


Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access.

You don't need to be an experienced system administrator to understand and use the content of this talk, but if you are a full-time system admin you will get to know a structured way of looking at server security.

It applies to the following types of servers running Linux: Virtual Private Server / Dedicated Server / Rackspace Cloud Instance / Amazon EC2.

It is not going to help if your website is on shared hosting like Dreamhost / GoDaddy / HostGator.

Published in: Technology

    1. Akash Mahajan, That Web Application Security Guy
    2. Reduce Attack Surface. F-117 Nighthawk, http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg #rootconf | @makash | akashm.com
    3. What is the Attack Surface: all the TCP and UDP ports listening on the external interfaces.
       # netstat -nltup
    4. Reducing the attack surface:
       stop services from running: # /etc/init.d/<servicename> stop
       stop services listening on the external IP: bind-address=127.0.0.1
       stop services starting at boot time: # update-rc.d <servicename> remove
    5. After Reduction
    6. Mini Distro: start with a 12 MB mini iso; install OpenSSH server; install the required LAMP packages using tasksel; there are no compilers or extra libraries.
    7. Patching and Updates: choose a Long Term Support release (10.04 LTS, 12.04 LTS); one command to patch & update:
       # apt-get update && apt-get upgrade
    8. Protecting Your Access
    9. Reason #1 for Hacked Linux Servers: SSH Server Password Brute Forcing
    10. Secure Shell aka SSH. Conventional wisdom says: don't allow root to login; don't use passwords, use keys only; use SSH version 2.0.
    11. Attack Surface in SSH: password bruteforcing requires valid users who are allowed to login; a lot of people use keys without passphrases. Make one change in /etc/sshd_config:
        AllowUsers <user@Host>
    12. Files and Permissions
                  Read (r)  Write (w)  Execute (x)
        User         4         2          1
        Group        4         -          1
        Others       4         -          -
        -rwxr-xr-- | 0754
    13. Apache Web Server: in /etc/apache2/conf.d/security set
        line number 27: ServerTokens Prod
        line number 39: ServerSignature Off
    14. MySQL Database Server: if the database and web server are on the same host, then the mysql server should only listen on localhost. In /etc/mysql/my.cnf:
        bind-address=127.0.0.1
    15. MySQL Database Server: run # mysql_secure_installation; create a new user for each new database; only give SELECT, UPDATE, INSERT, DELETE, ALTER, CREATE privileges to the new user; the new user should be for localhost, don't give %.
    16. Uncomplicated Firewall
        • ufw enable
        • ufw allow 22 (SSH access)
        • ufw allow 80 (website access)
        • ufw allow 443 (secure website access)
        • ufw default deny (kitchen sink)
    17. Uncomplicated Firewall: ufw allow from <external DB IP> to <current host IP> port 3306
    18. Reference Web App Architecture: the Document Root should only contain files that are meant to be served to the user; everything else should be in a folder outside it.
    19. Reference Web App Architecture: /var/www/site/public for files to serve; /var/www/site/private for config files. Keep the file owner as the person who uploads; keep the group as www-data.
    20. My name is List, Check List: start from a mini iso; remove unwanted services; whitelist users for SSH login; MySQL users need to be protected; default deny and allow specific.
    21. Wait, there is more you can do
        • Logs of SSH and web servers
        • Monitoring of these services
        • Add whitelisted hosts to /etc/hosts.allow or blacklisted hosts to /etc/hosts.deny
    22. Questions and Answers. Akash Mahajan, That Web Application Security Guy, http://akashm.com | @makash, akashmahajan@gmail.com | 9980527182
    23. References
        • Information about the F-117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
        • Unable to find out where I got the staircase image from. If you know, please do let me know.
        • Rest of the images are from istockphoto.com
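Two audit helpers for the checklist above, added here as an example and not part of the talk: one parses `netstat -nltup` output and flags sockets bound to non-loopback addresses (the attack surface of slides 3 and 4), the other checks an sshd_config for the settings slides 10 and 11 recommend. The netstat output and sshd_config below are constructed samples.

```shell
#!/bin/sh
# Added audit helpers, not from the talk. external_listeners flags sockets bound
# to non-loopback addresses in "netstat -nltup"-style output (slides 3-4);
# sshd_config_issues checks the SSH settings the talk recommends (slides 10-11).
# Both read their input on stdin; the samples below are constructed.

# Constructed sample of `netstat -nltup` output: mysqld is correctly bound to
# localhost, the other four sockets are exposed on external interfaces.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      955/apache2
tcp6       0      0 :::111                  :::*                    LISTEN      640/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient'

# Print "proto port pid/program" for each socket not bound to a loopback
# address; these are the attack surface to stop, rebind or firewall.
external_listeners() {
  awk '$1 ~ /^(tcp|udp)6?$/ && $4 !~ /^(127\.|::1:)/ {
      n = split($4, a, ":"); print $1, a[n], $NF
  }'
}

# Constructed sample sshd_config with two weak settings and no user whitelist.
SAMPLE_SSHD='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# AllowUsers deploy'

# Print one line per directive that departs from the talk's advice. sshd
# honours the first occurrence of a keyword, so later duplicates are ignored.
# The Protocol check only matters on older OpenSSH that still offered SSH-1.
sshd_config_issues() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    !($1 in seen) { seen[$1] = $2 }
    END {
      if (seen["PermitRootLogin"] != "no") print "PermitRootLogin should be no"
      if (seen["PasswordAuthentication"] != "no") print "PasswordAuthentication should be no"
      if (seen["Protocol"] != "2") print "Protocol should be 2"
      if (!("AllowUsers" in seen)) print "AllowUsers missing: no login whitelist"
    }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
printf '%s\n' "$SAMPLE_SSHD" | sshd_config_issues
```

On a real host, replace the samples with `netstat -nltup | external_listeners` and `sshd_config_issues < /etc/ssh/sshd_config` (the usual path on Ubuntu; the slide's /etc/sshd_config is assumed to mean the same file).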
