1. Apache and PHP Security

2. Abbreviated Talk Outline
   - Basic machine lockdown
   - Apache configuration and hardening
   - PHP configuration and hardening
   - Secure practices for PHP development
   - Secure configuration of common PHP applications

3. Before taking action, understand the role of the server
   - Who will have physical access?
   - Who will have shell access?
   - Will Apache write to the filesystem?
   - Will you need Perl, Python, etc. within the OS or for Apache?
   - If possible, can you limit what kind of POST/GET/cookie/file payloads can be transmitted?

4. Basic Lockdown
   - Turn off unused services, update the machine regularly, use recommended configuration files, etc.
   - Enable logwatch or logcheck and actually read the reports.
   - Enable a well-configured file integrity checker.
   - Configure iptables: ports 22, 80, 443 (Tomcat?).

5. Lockdown Continued
   - Possibly survive a SYN flood attack. In /etc/sysctl.conf set:
         net.ipv4.tcp_syncookies = 1
   - More Information:
   - Restrict cron and at access using cron.allow and at.allow; chmod/chown /etc/cron* and /var/spool/cron.

6. Lockdown Continued
   - Configure NTP for log file accuracy.
   - Filesystem lockdown:
     - If possible, set the quota to "1" for apache, especially on /tmp and /var.
     - Sessions can write to a user-configured directory or, preferably, a database.
     - /var, /data, /home should be mounted nosuid,nodev,rw.
     - Is it reasonable to make /usr or /usr/local read-only?

7. Securing Apache

8. Configuring Apache
   - Turn off any unnecessary capabilities; unfortunately, many things are on by default.
   - Before making changes, research potential exploits, especially in the context of the machine's services.
   - Look into alternatives. Example: if running PHP, use it instead of server-side includes:
         <?php include 'footer.html'; ?>
     XBitHack is then not necessary.

9. More Configuration Options
   - Remove the default /var/www/ directories to protect the server's identity.
   - Create custom /var/www/error files.

10. mod_dosevasive
   - Easy to configure.
   - Can help evade DoS attacks by blocking IP addresses or URLs temporarily.
   - Blocks if:
     - requests are made for the same page more than X times per second per host, or
     - more than X concurrent requests on the same child per second are made.
   - First sends a 403 error, then blacklists.
   - Can log to syslog and send email.
   - Can also communicate with a firewall or router and execute system commands.

11. Example Configuration
         LoadModule dosevasive20_module modules/
         <IfModule mod_dosevasive20.c>
             DOSHashTableSize 3097
             DOSPageCount 2
             DOSPageInterval 1
             DOSSiteCount 50
             DOSSiteInterval 1
             DOSBlockingPeriod 10
             DOSEmailNotify [email_address]
             DOSLogDir "/tmp/mod_dosevasive"
         </IfModule>
     (Make the DOSLogDir directory writable by apache only.)

12. mod_security
   - Very powerful.
   - Can be tricky to configure; needs lots of testing.
   - Especially useful if the web server runs a small number of applications.

13. mod_security Features
   - Filters requests before Apache handles them.
   - Filters all requests, including POST payloads and SSL.
   - Understands the HTTP protocol, allowing fine tuning.
   - Complete logging, including POST data.
   - Custom rules using regular expressions can be applied at the virtual host level.

14. More mod_security Features
   - Upon a "catch" it can filter, email, log, redirect, send an error code, or execute a system binary.
   - Can execute an action upon file upload, for example a virus scan.
   - Easier and better Apache chrooting: no modules or libraries needed, logs already open. One line:
         SecChrootDir /chroot/apache
   - Can use Snort web attack signatures.
   - Rules are created and posted for web application vulnerabilities.
   - Can change the identity of the web server without editing the source.

15. Example mod_security Configuration
         <IfModule mod_security.c>
             SecFilterEngine On
             # Prevent OS specific keywords, e.g. index.php?include=filename
             SecFilter /etc/passwd
             # Prevent path traversal (..) attacks
             SecFilter "../"
             # Very crude filters to prevent SQL injection attacks
             SecFilter "delete[[:space:]]+from"
             SecFilter "insert[[:space:]]+into"
             SecFilter "select.+from"
         </IfModule>

16. Scanning Your Server
   - Nmap
   - Nessus
   - CIS Linux Benchmark Scan

17. PHP Security

18. Types of PHP Attacks
   - Command execution and/or writing to the filesystem
   - SQL injection
   - Session hijacking
   - Cross-site scripting (XSS)
   - Cross-site request forgery (CSRF)
   - Session reading/predicting

19. Securing PHP
   - Default php.ini < V.4.8:
         ; WARNING ;
         ; This is the default settings file for new PHP installations.
         ; By default, PHP installs itself with a configuration suitable for
         ; development purposes, and *NOT* for production purposes.
   - Newer installs are better.
   - Many PHP applications are installed with a default php.ini, so vulnerabilities can be exploited.

20. Secure PHP Settings
   - Recommended configurations:
     - display_errors = Off (turn on per script with ini_set() or per directory in .htaccess)
     - log_errors = On
     - error_reporting = E_ALL (better error reporting)
     - session.save_path = /opt/php/session (should be specified by the user, where /opt has no apache quota)
     - session.gc_maxlifetime = 600 (ten minutes of inactivity)
     - safe_mode = On (enable if possible)
     - safe_mode_gid = On (enable if possible)
   - Most "highly critical" vulnerabilities can be mitigated with safe_mode.

21. More Settings
   - magic_quotes_gpc = Off
     - Escapes incoming GET/POST/cookie data, but for which application or database? Broken crutches.
     - Better to use the specific PHP escaping functions.

22. More Settings
   - register_globals = Off
     - Never turn it on.
     - Too easy to write insecure code.
     - Auto-initializes variables from GET/POST/cookie data.
     - URL: index.php?administrator=xyz
           <?php if (isset($administrator)) { $authorized = true; } ?>

23. Developing Best Practices
   - Develop with security and production in mind.
   - Form strict policies concerning how data is sanitized and at what stage.
   - $_GET, $_COOKIE, $_POST should always be sanitized according to where it's going, not where it came from.
   - The PEAR DB class handles database data with ? replacements.
   - MySQL: mysql_real_escape_string()
   - Postgres: pg_escape_string()
   - To browser: htmlentities() or strip_tags()
   - To shell: escapeshellcmd()

24. To Remove JavaScript
   - Use preg_replace() on:
         javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup

25. Developing Best Practices cont.
   - Form strict policies concerning sessions (storage, timeouts, session ID length, etc.).
   - If on a multi-user machine, make a custom session.save_path or save session data to a database.
   - Use session_regenerate_id() to prevent fixation.

26. Developing Best Practices cont.: Securing Includes
   - Place them outside of the document root:
         ini_set("include_path", ".:/home/user/libs");
   - But if you have to place them in the document root, end them in .php so the source is not revealed, or deny direct access to them. Ex.:
         <Files ~ "\.inc$">
             Order allow,deny
             Deny from all
         </Files>

27. Where to put
   - Not in the document root.
   - If possible, make it non-world-readable; Apache group readable.

28. Web Applications
   - When installing free web applications, always be aware of security advisories.
   - Maintain a backup of your database.
   - Practice restoring the database.
   - Be familiar with how to update the application.

29. Secure Configuration of Common PHP Applications: phpMyAdmin
   - Protect it if the database auth type is "config" (credentials stored in the config file).
   - If using HTTP authentication, force SSL using mod_rewrite:
         RewriteRule ^/$ /index.php
         RewriteCond %{SERVER_PORT} !^443$
         RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

30. Secure Configuration of Common PHP Applications: Gallery
   - Verify that Gallery has written to the .htaccess and config.php files after install.
   - Then:
         chmod 644 .htaccess
         chmod 644 config.php
         chmod 400 setup

31. Secure Configuration of Common PHP Applications: phpnuke
   - Move config.php outside of DocumentRoot.
   - Edit mainfile.php to the path of the moved config.php.
32. Questions?
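Slide 23's rule, escape for the destination rather than the source, as an added example that is not from the original slides: one constructed input is sent to a database, a browser and a shell, each with its own escaping. It assumes PDO with the SQLite driver in place of the PEAR DB ? placeholders the slide mentions, and uses escapeshellarg() for a single shell argument (escapeshellcmd(), named on the slide, escapes a whole command string instead).

```php
<?php
// Added example, not from the original slides: one untrusted value, three destinations,
// each escaped for where the data is going rather than where it came from.
declare(strict_types=1);

// Constructed sample standing in for $_GET['name'], kept raw (no input-side "sanitizing").
$untrusted = "O'Reilly <script>x()</script>; id";

// Destination: database. Bind the value through a placeholder (the slide's PEAR DB "?"
// idea); PDO prepared statements on an in-memory SQLite database are assumed here.
function storeName(PDO $db, string $name): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT)');
    $insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $insert->execute([$name]);               // bound, never interpolated into the SQL text
    $select = $db->prepare('SELECT name FROM users WHERE id = ?');
    $select->execute([$db->lastInsertId()]);
    return (string) $select->fetchColumn();  // quote and tags are stored exactly as given
}

// Destination: browser. Encode at output time for the HTML text context; "<script>"
// becomes literal text, so the blacklist regex of slide 24 is not needed for this output.
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Destination: shell. escapeshellarg() wraps one argument in single quotes so that the
// embedded quote and the ';' cannot end the argument or start a second command.
function buildEchoCommand(string $name): string
{
    return 'echo ' . escapeshellarg($name);
}

$db = new PDO('sqlite::memory:');
echo "stored: " . storeName($db, $untrusted) . "\n";
echo "html:   " . renderGreeting($untrusted) . "\n";
echo "shell:  " . buildEchoCommand($untrusted) . "\n";
```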
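The register_globals check from slide 22 rewritten so that it reads its inputs explicitly, combined with the session policy of slides 20 and 25 (custom save_path, inactivity timeout, session_regenerate_id() against fixation), as an added example that is not from the original slides. It assumes the session.save_path directory exists and is writable by the web server user, and uses password_hash()/password_verify() for the credential check, which the slides do not specify.

```php
<?php
// Added example, not from the original slides: slide 22's check without register_globals,
// plus the session policy of slides 20 and 25.
declare(strict_types=1);

const INACTIVITY_LIMIT = 600;   // ten minutes, matching session.gc_maxlifetime on slide 20

// Assumed to exist and to be writable by the web server user (slides 20 and 25).
ini_set('session.save_path', '/opt/php/session');
ini_set('session.gc_maxlifetime', (string) INACTIVITY_LIMIT);
ini_set('session.use_only_cookies', '1');   // assumed setting: no session ID in the URL
session_start();

// Reads its inputs explicitly from $post, so a request like index.php?administrator=xyz
// has no variable to overwrite; $authorized starts as false on every request.
function authorize(array $users, array $post): bool
{
    $authorized = false;
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';

    if ($user !== '' && isset($users[$user]) && password_verify($pass, $users[$user])) {
        // Fresh login: replace the pre-login session ID so a fixated ID becomes useless.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        $_SESSION['last_seen'] = time();
        $authorized = true;
    } elseif (isset($_SESSION['user'], $_SESSION['last_seen'])
        && time() - (int) $_SESSION['last_seen'] < INACTIVITY_LIMIT) {
        // Existing session still inside the inactivity window: extend it.
        $_SESSION['last_seen'] = time();
        $authorized = true;
    } else {
        // No valid login and no live session: drop any stale session data.
        $_SESSION = [];
        session_destroy();
    }
    return $authorized;
}

// Constructed stand-in for the user table; the hash is computed at runtime.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

echo authorize($users, $_POST) ? "authorized as {$_SESSION['user']}\n" : "not authorized\n";
```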