Creating "Secure" PHP applications, Part 2, Server Hardening
    Presentation Transcript

    • Server Hardening
    • So, who are you, anyway?
      Bryan C. Geraghty
      Security Consultant at Security PS
      @archwisp
      I’m a Sr. PHP developer with a systems and security engineering background - turned application security consultant
    • Remember, layers
      Simpler is easier to test
      Don’t make assumptions
      Compromised browser = game over
    • If you’re not using it, you don’t know what it’s doing.
      If you don’t know what it does, find someone who does.
    • Netstat
      Show any listening services
      bryan@bryan-sps ~ $ sudo netstat -lntp
      [sudo] password for bryan:
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
      tcp    0      0      127.0.0.1:1194   0.0.0.0:*        LISTEN  4786/openvpn
      tcp    0      0      127.0.0.1:3306   0.0.0.0:*        LISTEN  1175/mysqld
      tcp    0      0      127.0.0.1:53     0.0.0.0:*        LISTEN  4792/dnsmasq
      tcp    0      0      127.0.0.1:8182   0.0.0.0:*        LISTEN  5083/firefox
      tcp    0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  966/sshd
      tcp    0      0      127.0.0.1:631    0.0.0.0:*        LISTEN  1058/cupsd
      tcp    0      0      127.0.0.1:25     0.0.0.0:*        LISTEN  10521/master
      tcp6   0      0      :::80            :::*             LISTEN  1609/apache2
      tcp6   0      0      :::22            :::*             LISTEN  966/sshd
      tcp6   0      0      ::1:631          :::*             LISTEN  1058/cupsd
      tcp6   0      0      ::1:25           :::*             LISTEN  10521/master
    • update-rc.d
      Init utility for Debian based systems
      bryan@bryan-sps ~ $ sudo update-rc.d cups disable
      update-rc.d: warning: /etc/init.d/cups missing LSB information
      update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
       Disabling system startup links for /etc/init.d/cups ...
       Removing any system startup links for /etc/init.d/cups ...
         /etc/rc0.d/K20cups
         /etc/rc1.d/K20cups
         /etc/rc2.d/S20cups
         /etc/rc3.d/S20cups
         /etc/rc4.d/S20cups
         /etc/rc5.d/S20cups
         /etc/rc6.d/K20cups
       Adding system startup for /etc/init.d/cups ...
         /etc/rc0.d/K20cups -> ../init.d/cups
         /etc/rc1.d/K20cups -> ../init.d/cups
         /etc/rc6.d/K20cups -> ../init.d/cups
         /etc/rc2.d/K80cups -> ../init.d/cups
         /etc/rc3.d/K80cups -> ../init.d/cups
         /etc/rc4.d/K80cups -> ../init.d/cups
         /etc/rc5.d/K80cups -> ../init.d/cups
    • chkconfig
      Init utility for pretty much everyone else
      bryan@bryan-sps ~ $ sudo chkconfig --list | fgrep ":on"
      acpi-support       0:off 1:off 2:on  3:on  4:on  5:on  6:off
      apache2            0:off 1:off 2:on  3:on  4:on  5:on  6:off
      apparmor           0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
      brltty             0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
      cryptdisks         0:on  1:off 2:off 3:off 4:off 5:off 6:off
      cryptdisks-early   0:on  1:off 2:off 3:off 4:off 5:off 6:off
      dns-clean          0:off 1:on  2:on  3:on  4:on  5:on  6:off
      grub-common        0:off 1:off 2:on  3:on  4:on  5:on  6:off
      kerneloops         0:off 1:off 2:on  3:on  4:on  5:on  6:off
      killprocs          0:off 1:on  2:off 3:off 4:off 5:off 6:off
      networking         0:on  1:off 2:off 3:off 4:off 5:off 6:off
      ondemand           0:off 1:off 2:on  3:on  4:on  5:on  6:off
      openvpn            0:off 1:off 2:on  3:on  4:on  5:on  6:off
      postfix            0:off 1:off 2:on  3:on  4:on  5:on  6:off
      pppd-dns           0:off 1:on  2:on  3:on  4:on  5:on  6:off
      pulseaudio         0:off 1:off 2:on  3:on  4:on  5:on  6:off
      rc.local           0:off 1:off 2:on  3:on  4:on  5:on  6:off
      rsync              0:off 1:off 2:on  3:on  4:on  5:on  6:off
      saned              0:off 1:off 2:on  3:on  4:on  5:on  6:off
      sendsigs           0:on  1:off 2:off 3:off 4:off 5:off 6:off
      speech-dispatcher  0:off 1:off 2:on  3:on  4:on  5:on  6:off
      sudo               0:off 1:off 2:on  3:on  4:on  5:on  6:off
      umountfs           0:on  1:off 2:off 3:off 4:off 5:off 6:off
      umountnfs.sh       0:on  1:off 2:off 3:off 4:off 5:off 6:off
      umountroot         0:on  1:off 2:off 3:off 4:off 5:off 6:off
      urandom            0:on  1:off 2:off 3:off 4:off 5:off 6:off S:on
      winbind            0:off 1:off 2:on  3:on  4:on  5:on  6:off
      x11-common         0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
      xrdp               0:off 1:off 2:on  3:on  4:on  5:on  6:off
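    As an added example (not from the slides or the author's scripts), a small POSIX sh script that applies the rule of the netstat slide mechanically: it reads `netstat -lntp` output and lists every listener that is not bound to loopback, which is the set of services you have to justify, firewall, or disable. The sample listing is constructed from the slide; the function names and the loopback heuristic (127.x and ::1 only) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag listeners bound to something other than loopback.
# Input is the text of `netstat -lntp`; the sample is constructed from the
# listing on the netstat slide, re-wrapped one entry per line.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      4786/openvpn
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1175/mysqld
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4792/dnsmasq
tcp        0      0 127.0.0.1:8182          0.0.0.0:*               LISTEN      5083/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1058/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10521/master
tcp6       0      0 :::80                   :::*                    LISTEN      1609/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      966/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1058/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      10521/master'

# exposed_listeners NETSTAT_TEXT
# Prints "proto local-address program" for every LISTEN socket whose local
# address is not loopback (127.x / ::1). Anything printed is reachable from the
# network and needs a deliberate decision: firewall it, bind it to 127.0.0.1,
# or disable the service.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            if (addr ~ /^127\./ || addr ~ /^::1:/) next
            n = split($7, prog, "/")
            # netstat prints "-" for the program when it cannot read /proc (no sudo)
            name = (n == 2) ? prog[2] : "unknown"
            print $1, addr, name
        }'
}

# exposed_count NETSTAT_TEXT : number of exposed listeners, handy for a cron check
# that alerts when the number changes.
exposed_count() {
    exposed_listeners "$1" | awk 'END { print NR }'
}

# Live use on a host (root is needed to see program names):
#   exposed_listeners "$(sudo netstat -lntp 2>/dev/null)"
exposed_listeners "$SAMPLE_NETSTAT"
```

    On the slide's listing this prints sshd on 0.0.0.0:22 and :::22 and apache2 on :::80; everything else is loopback-only and stays quiet.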
    • Beyond chmod
    • Access Control Rules
      Never set directory permissions to 777
      The web server user should be able to read from the web root only
      The web server user should be able to write to log and cache directories only
      Other users should not be able to access cache & log files
      Don’t allow web applications to self-update
    • Enable ACLs
      Edit /etc/fstab and add the “acl” mount option to your volumes
      # <file system>                             <mount point> <type> <options>            <dump> <pass>
      proc                                        /proc         proc   nodev,noexec,nosuid  0      0
      /dev/mapper/bryan--sps-root                 /             ext4   errors=remount-ro,acl 0     1
      UUID=ecddec0c-10c0-4fa8-8421-98ede0b19ac6   /boot         ext2   defaults             0      2
      /dev/mapper/bryan--sps-swap_1               none          swap   sw                   0      0
      /dev/mapper/cryptswap1                      none          swap   sw                   0      0
    • grant-apache-read
      A simple wrapper script for grant operations. I have one for write as well.
      #!/bin/bash
      # Author :: Bryan Geraghty
      # Date   :: 2007-09-12
      # Notes  :: This script resets permissions
      source ~/lib/acl.bash;
      # Default to the current directory when no path is given
      if [ -z "$1" ]; then
          DIR=.;
      else
          DIR="$1";
      fi
      # The pattern is quoted so the shell does not expand it here;
      # grantUserRead hands it to find -name
      grantUserRead www-data "$DIR" '*';
    • grantUserRead
      https://github.com/archwisp/linux-home/blob/master/lib/acl.bash
      ##
      # Grants read permissions to all files/folders with names matching $3, which reside
      # inside of directory $2, to user $1.
      #
      # @param string $1 Username   The user to whom read permissions will be granted
      # @param string $2 Base path  Path in which all operations will take place
      # @param string $3 Target     Name of the file/directory on which to set the permissions
      #
      function grantUserRead
      {
          echo "Granting read permission to user $1 on files/folders named $3 in directory $2";

          ## Set the default permissions for new files on the specified directory
          echo "Setting defaults...";
          find "$2" -name "$3" -type d -exec setfacl -d -m "u:$1:rx" {} \;

          ## Recursively set the permissions on all existing directories and files within the
          ## specified directory
          echo "Setting directory permissions...";
          find "$2" -name "$3" -type d -exec setfacl -R -m "u:$1:rx" {} \;

          ## Grant permissions to any files with the specified name
          echo "Setting file permissions...";
          find "$2" -name "$3" -type f -exec setfacl -m "u:$1:r" {} \;
      }
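    An added example, not from the slides or the author's acl.bash, that checks a web root against the first rule above using only POSIX find and chmod: it builds a throwaway tree under a temp directory (the directory names, and logs/cache as the only directories the web server may write to, are assumptions of this example), reports anything world-writable, and strips the offending bit. Where the web server genuinely needs write access, the fix is an ACL for www-data as in grantUserRead, not o+w.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable entries with POSIX tools only.
# The tree is constructed under a temp dir so the script runs anywhere.

# make_demo_tree : builds a small web root and prints its path.
# "cache" is deliberately created 777, the mistake the rules warn about.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/webroot/public" "$root/webroot/cache" "$root/webroot/logs"
    printf '<?php echo "hi";' > "$root/webroot/public/index.php"
    chmod 755 "$root/webroot" "$root/webroot/public"
    chmod 644 "$root/webroot/public/index.php"
    chmod 777 "$root/webroot/cache"     # world-writable: violates rule 1
    chmod 770 "$root/webroot/logs"      # owner/group only: acceptable
    printf '%s\n' "$root"
}

# world_writable ROOT : prints every file or directory under ROOT that any user may write.
# -perm -0002 matches when the "other" write bit is set, whatever the rest of the mode.
world_writable() {
    find "$1" -perm -0002 \( -type d -o -type f \) -print | sort
}

# world_writable_count ROOT : 0 means the rule holds.
world_writable_count() {
    world_writable "$1" | awk 'END { print NR }'
}

# strip_world_write ROOT : remediation, removes the "other" write bit from everything found.
# Directories the web server must write to then get an ACL for www-data instead.
strip_world_write() {
    world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Demo run on the constructed tree
demo_root=$(make_demo_tree)
echo "Before:"; world_writable "$demo_root"
strip_world_write "$demo_root"
echo "After: $(world_writable_count "$demo_root") world-writable entries"
rm -rf "$demo_root"
```

    Run against a real web root as `world_writable /var/www` (path assumed) from cron and alert on non-empty output; a deploy or a self-updating application that chmods 777 shows up the same day.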
    • Prevent anything you haven’t approved from being executed
    • There are a few MAC options
      SELinux
      AppArmor
      TOMOYO
      TrustedBSD
      TrustedSolaris
      Others
    • How SELinux Works
      You assign security labels to all users, roles, files, network interfaces, ports, etc.
      You create policies for each user/role that needs to perform an action on a file (read, write, execute, etc.) using the security labels.
      The SELinux kernel module enforces access.
      If a new file is introduced to the system, it must be labeled and a new policy must be created in order for it to be accessed.
    • Installing SELinux in Ubuntu 12.04? I tried to set it up recently and haven’t been able to figure out how to enable the strict policy. I’ll do a blog post on this once I get it working.
    • Blanket controls with a poor history of effectiveness
    • Blanket controls can be beneficial but don’t rely on them for protection.
      Magic Quotes
      Safe Mode
      Suhosin
      mod_security
    • Know your bounds
    • Set a Reasonable PHP Memory Limit
      Never remove the limit in a production system
      It only takes one large request to bring your server to a halt
      You get to decide what is reasonable
      A larger limit means less work for you but allows your server to handle fewer requests
    • top
      Once in top, hit SHIFT-M to sort by memory. This will allow you to examine the
      memory footprint of your web server instances. (This is a dev server with no load)
      top - 03:14:26 up 5:23, 2 users, load average: 0.09, 0.05, 0.05
      Tasks: 138 total, 1 running, 137 sleeping, 0 stopped, 0 zombie
      Cpu(s): 0.7%us, 1.2%sy, 0.0%ni, 98.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
      Mem: 2062248k total, 1352564k used, 709684k free, 302624k buffers
      Swap: 0k total, 0k used, 0k free, 696664k cached
      1830 www-data 20 0 70176 6908 2732 S 0 0.3 0:00.15 apache2
      1831 www-data 20 0 70176 6704 2568 S 0 0.3 0:00.11 apache2
    • Set your web server process limits
      If you run Apache, set MaxClients to a value lower than your total memory divided by the size of the memory footprint for each web server process.
      MaxClients is the number of simultaneous connections that will be served.
      http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
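    The MaxClients slide and the PHP memory limit slide as one added example (not from the presentation): shell functions that parse the top output shown above to get total memory and the average apache2 resident size, compute the MaxClients ceiling from them, and flag a php.ini whose memory_limit has been set to -1. The top and php.ini samples are constructed; the older top layout (a "Mem:" line with k suffixes, RES in column 6, command in column 12) and the optional reserve argument are assumptions that go beyond the slide's total-divided-by-footprint rule.

```shell
#!/bin/sh
# Added example: derive an Apache MaxClients ceiling from top, and check php.ini.

# Constructed from the top slide (older top layout assumed).
SAMPLE_TOP='top - 03:14:26 up 5:23, 2 users, load average: 0.09, 0.05, 0.05
Tasks: 138 total, 1 running, 137 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.7%us, 1.2%sy, 0.0%ni, 98.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2062248k total, 1352564k used, 709684k free, 302624k buffers
Swap: 0k total, 0k used, 0k free, 696664k cached
 1830 www-data 20 0 70176 6908 2732 S 0 0.3 0:00.15 apache2
 1831 www-data 20 0 70176 6704 2568 S 0 0.3 0:00.11 apache2'

# mem_total_kb TOP_TEXT : total physical memory in kB from the Mem: line.
mem_total_kb() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" { sub(/k$/, "", $2); print $2; exit }'
}

# avg_rss_kb TOP_TEXT COMMAND : mean resident set size (RES, kB) of processes named COMMAND.
avg_rss_kb() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $12 == cmd { sum += $6; n++ }
        END { print (n ? int(sum / n) : 0) }'
}

# max_clients TOTAL_KB RESERVE_KB RSS_KB : (total - reserve) / per-process footprint,
# rounded down. RESERVE_KB is memory kept back for the OS, MySQL, etc.; pass 0 for
# the slide's plain rule. A zero footprint yields 0 rather than a division error.
max_clients() {
    awk -v t="$1" -v r="$2" -v p="$3" 'BEGIN {
        if (p <= 0) { print 0; exit }
        c = int((t - r) / p)
        print (c < 0 ? 0 : c)
    }'
}

# php_memory_limit_unbounded PHP_INI_TEXT : exit 0 if memory_limit is -1 (limit removed),
# 1 otherwise. Comment lines (;) are skipped; the last directive wins, as in PHP.
php_memory_limit_unbounded() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*;/ { next }
        /^[[:space:]]*memory_limit[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); last = kv[2]
        }
        END { if (last == "-1") exit 0; exit 1 }'
}

# Constructed php.ini fragments: the weak setting beside a bounded one.
WEAK_INI='; constructed php.ini fragment
memory_limit = -1'
FIXED_INI='memory_limit = 128M'

total=$(mem_total_kb "$SAMPLE_TOP")
rss=$(avg_rss_kb "$SAMPLE_TOP" apache2)
echo "MaxClients ceiling: $(max_clients "$total" 0 "$rss") (no reserve), $(max_clients "$total" 524288 "$rss") (512 MiB reserved)"
php_memory_limit_unbounded "$WEAK_INI" && echo "WEAK_INI: memory_limit has been removed"
php_memory_limit_unbounded "$FIXED_INI" || echo "FIXED_INI: memory_limit is bounded"
```

    For the slide's numbers (2062248 kB total, apache2 processes averaging 6806 kB) the plain rule gives 303; holding back 512 MiB for MySQL and the OS brings that to 225, and a real server should be sized from processes under load, not the idle ones shown on the slide.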
    • PHPMyAdmin bypasses MySQL host filtering!
    • Error Handlers
      Exception Handlers
      Status Codes
      Environments
      Gotchas
    • If you’re interested in an application security career, come talk with me.