Transcript

  • 1. Apache and PHP Security
  • 2. Abbreviated Talk Outline…
    • Basic machine lockdown
    • Apache Configuration and Hardening
    • PHP Configuration and Hardening
    • Secure Practices for PHP Development
    • Secure Configuration of Common PHP Applications
  • 3. Before taking action, understand the role of the server
    • Who will have physical access?
    • Who will have shell access?
    • Will apache write to the filesystem?
    • Will you need perl, python etc. within the OS or for apache?
    • If possible can you limit what kind of post/get/cookie/file payloads can be transmitted?
  • 4. Basic Lockdown
    • Turn off unused services, update the machine regularly, use recommended configuration files etc.
    • Enable logwatch or logcheck and actually read the reports.
    • Enable a well configured file integrity checker
    • Configure iptables – allow only the ports you need: 22, 80, 443 (Tomcat?)
  • 5. Lockdown Continued
    • Possibly survive a SYN flood attack
    • In /etc/sysctl.conf set
    • net.ipv4.tcp_syncookies = 1
    • More information: http://cr.yp.to/syncookies.html
    • Restrict cron and at access using cron.allow and at.allow. chmod/chown /etc/cron* and /var/spool/cron
  • 6. Lockdown Continued
    • Configure NTP for logfile accuracy.
    • Filesystem lockdown:
    • If possible set quota to “1” for apache. Especially /tmp and /var.
    • Sessions can write to a user configured directory OR preferably a database.
    • /var, /data, /home should be mounted nosuid,nodev,rw
    • Is it reasonable to make /usr or /usr/local ro?
  • 7. Securing Apache
  • 8. Configuring Apache
    • Turn off any unnecessary capabilities; unfortunately, many things are on by default.
    • Before making changes, research potential exploits, especially in the context of the machine’s services.
    • Look into alternatives
    • Example: If running php, use it instead of server side includes.
    • <?php include 'footer.html'; ?>
    • XBitHack not necessary
  • 9. More Configuration Options
    • Remove the default /var/www/ directories so they do not reveal the server’s identity.
    • Create custom /var/www/error files
  • 10. mod_dosevasive
    • Easy to configure
    • Can help mitigate DoS attacks by temporarily blocking IP addresses or URLs.
    • Blocks if:
    • Requests are made for the same page more than X times per second per host
    • More than X concurrent requests on the same child per second are made
    • First sends a 403 error, then blacklists the client.
    • Can log to syslog and send email.
    • Can also communicate with firewall or router and execute system commands.
  • 11. Example Configuration
    • LoadModule dosevasive20_module modules/mod_dosevasive20.so
    • <IfModule mod_dosevasive20.c>
    • DOSHashTableSize 3097
    • DOSPageCount 2
    • DOSPageInterval 1
    • DOSSiteCount 50
    • DOSSiteInterval 1
    • DOSBlockingPeriod 10
    • DOSEmailNotify [email_address]
    • DOSLogDir "/tmp/mod_dosevasive" (make writable by apache only)
    • </IfModule>
  • 12. mod_security
    • Very Powerful
    • Can be tricky to configure. Lots of testing.
    • Especially useful if the web server runs a small number of applications.
  • 13. mod_security Features
    • Filters requests before they reach the application (runs inside Apache as a module).
    • Filters all requests including post payloads and SSL.
    • Understands HTTP, allowing fine-grained rules.
    • Complete logging, including post data.
    • Custom rules using regular expressions can be applied at the virtual host level.
  • 14. More mod_security features
    • When a rule matches, it can filter, email, log, redirect, send an error code, or execute a system binary.
    • Can execute action upon file upload. Example – virus scan.
    • Easier and better apache chrooting. No modules or libraries needed. Logs already open. One Line: SecChrootDir /chroot/apache
    • Can use Snort web attack signatures
    • Rules are created and posted for web application vulnerabilities.
    • Can change the identity of the web server without editing the source.
  • 15. Example mod_security Configuration
    • <IfModule mod_security.c>
    • SecFilterEngine On
    • # Prevent OS specific keywords #index.php?include=filename
    • SecFilter /etc/passwd
    • # Prevent path traversal (..) attacks
    • SecFilter "../"
    • # Very crude filters to prevent SQL injection attacks
    • SecFilter "delete[[:space:]]+from"
    • SecFilter "insert[[:space:]]+into"
    • SecFilter "select.+from"
    • </IfModule>
  • 16. Scanning your server
    • Nmap
    • Nessus
    • www.nessus.org
    • CIS Linux Benchmark Scan
    • http://www.cisecurity.org/bench_linux.html
  • 17. PHP Security
  • 18. Types of PHP Attacks
    • Command execution and/or writing to the filesystem.
    • SQL injection
    • Session Hijacking
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgeries (CSRF)
    • Session reading/predicting
  • 19. Securing PHP
    • Default php.ini < V.4.8
    • ; WARNING ;
    • ; This is the default settings file for new PHP installations.
    • ; By default, PHP installs itself with a configuration suitable for
    • ; development purposes, and *NOT* for production purposes.
    • Newer installs are better.
    • Many PHP applications are deployed with the default php.ini, which leaves these weaknesses exploitable.
  • 20. Secure PHP Settings
    • Recommended configurations
    • display_errors = Off (turn on per script with ini_set() or per directory in .htaccess when debugging)
    • log_errors = On
    • error_reporting = E_ALL (better error reporting)
    • session.save_path=/opt/php/session (should be set explicitly, in a location such as /opt where the apache quota does not apply)
    • session.gc_maxlifetime=600 (ten minutes of inactivity)
    • safe_mode = On (enable if possible)
    • safe_mode_gid = On (enable if possible)
    • Most “highly critical” vulnerabilities can be mitigated with safe_mode.
  • 21. More Settings
    • magic_quotes_gpc = Off
    • Escapes incoming GET/POST/cookie data, but for which application or database? A broken crutch.
    • Better to use the PHP escaping function specific to the destination.
  • 22. More Settings
    • register_globals = Off
    • Never turn on
    • Too easy to write insecure code
    • Auto-initializes variables from GET/POST/cookie data
    • URL: index.php?administrator=xyz
    • <?php if (isset($administrator)) { $authorized = true; } ?>
  • 23. Developing Best Practices
    • Develop with security and production in mind.
    • Form strict policies concerning how data is sanitized and at what stage.
    • $_GET, $_COOKIE, $_POST should always be sanitized according to where the data is going, not where it came from.
    • Pear DB class handles database data with ? replacements.
    • MySQL: mysql_real_escape_string()
    • Postgres: pg_escape_string()
    • To browser: htmlentities() or strip_tags()
    • To shell: escapeshellcmd()
  • 24. To Remove Javascript
    • Use preg_replace() on …
    • javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup
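As an added worked example that is not part of the slides, the following PHP script sends one constructed untrusted string to each destination named on slide 23 and then applies the slide 24 pattern: a placeholder query (PDO here, standing in for the Pear DB "?" replacements), htmlspecialchars() for the browser, escapeshellarg() for the shell, and preg_replace() with the slide's alternation. It assumes the pdo_sqlite extension is available; the table, the input string and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): escape according to where data is going.
// Assumes the pdo_sqlite extension; the input string and table are constructed here.
declare(strict_types=1);

// Constructed untrusted input, as it could arrive in $_GET, $_POST or $_COOKIE.
$untrusted = "O'Brien <a href=\"JavaScript:bad()\" onClick=\"bad()\">x</a>; id";

// Destination: database. A placeholder keeps the value out of the SQL grammar,
// so the apostrophe and the semicolon are just bytes inside a string.
function store_and_lookup(string $name): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $ins->execute([$name]);
    $ins->execute(['alice']);
    $sel = $db->prepare('SELECT name FROM users WHERE name = ?');
    $sel->execute([$name]);
    return $sel->fetchAll(PDO::FETCH_COLUMN);   // exactly the row we stored, unchanged
}

// Destination: browser. Encode at output time, with ENT_QUOTES so the value is
// also safe inside a single-quoted attribute.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Destination: shell. escapeshellarg() turns the value into one single-quoted
// argument; escapeshellcmd() (slide 23) instead escapes metacharacters in a
// whole command string. Pass data as an argument, never as part of the command.
function for_shell(string $s): string
{
    return 'ls -l -- ' . escapeshellarg($s);   // built, not executed, in this demo
}

// Slide 24's deny-list, kept as a second line behind output encoding. The /i
// modifier matters: "JavaScript:" and "onClick" are valid spellings to a browser.
function strip_script_handlers(string $s): string
{
    $pattern = '/javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|'
             . 'onmousemove|onmouseout|onkeypress|onkeydown|onkeyup/i';
    return preg_replace($pattern, '', $s);
}

$rows = store_and_lookup($untrusted);
if ($rows !== [$untrusted]) {
    throw new RuntimeException('placeholder round trip failed');
}
echo "DB    : ", $rows[0], "\n";
echo "HTML  : ", for_html($untrusted), "\n";
echo "SHELL : ", for_shell($untrusted), "\n";
echo "STRIP : ", strip_script_handlers($untrusted), "\n";
```

The database round trip returns the stored string byte for byte, which is the point of placeholders: the value never becomes part of the query text. The string concatenation inside the pattern is why the slide's line shows a stray `'. '` in the middle of the alternation.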
  • 25. Developing Best Practices cont.
    • Form strict policies concerning sessions. (storage, timeouts, session id length, etc.)
    • If on a multiuser machine, make a custom session.save_path or save session data to a database.
    • Use session_regenerate_id() to prevent fixation.
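An added example, not from the slides, of the session policy on slide 25 in code, with the fix for the register_globals snippet on slide 22 folded in (authorization state is read from $_SESSION, never from a bare variable a request could have initialized). It assumes PHP's default files session handler; the save directory, the 600-second idle limit (the slide's gc_maxlifetime) and the function names are illustrative.

```php
<?php
// Added example (not from the slides): session policy in code. Assumes the
// default "files" session handler; directory, timeout and names are illustrative.
declare(strict_types=1);

const IDLE_LIMIT = 600;   // seconds; the slide's session.gc_maxlifetime=600

function start_session(string $savePath): void
{
    // Private save path (slide 25): other users on the box cannot read these files.
    session_save_path($savePath);
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids this server did not issue
    // lifetime 0 (browser session), path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    // gc_maxlifetime only marks a file stale for garbage collection, and GC runs
    // probabilistically, so enforce the idle timeout on every request ourselves.
    if (isset($_SESSION['last_seen']) && time() - (int) $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_destroy();
        session_start();               // fresh, empty session for this visitor
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

function login(string $userId): void
{
    // New id at the privilege change, old one deleted: an id planted before
    // login (fixation, slide 25) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// The register_globals lesson from slide 22: the flag has an explicit default and
// is derived only from state the server wrote into $_SESSION.
function is_authorized(): bool
{
    $authorized = false;
    if (isset($_SESSION['user_id']) && $_SESSION['user_id'] !== '') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed usage. No output before the session calls: regenerate_id() and
// setcookie() need the headers not to have been sent yet.
$dir = sys_get_temp_dir() . '/php-sessions-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
start_session($dir);
$before = is_authorized();
login('42');
$after = is_authorized();
logout();
printf("before login: %s, after login: %s\n", var_export($before, true), var_export($after, true));
```

The explicit idle check is the part the php.ini setting alone does not give you: gc_maxlifetime decides when a session file may be deleted, not when a request must stop honouring it.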
  • 26. Developing Best Practices cont. Securing Includes
    • Place them outside of document root.
    • ini_set("include_path", ".:/home/user/libs");
    • But if you have to place them in the document root…
    • Name them with a .php extension so the source is executed, not revealed. Ex.: database.inc.php
    • <Files ~ ".inc$">
    •     Order allow,deny
    •     Deny from all
    • </Files>
  • 27. Where to put db_connect.inc.php
    • Not in document root.
    • If possible, make it not world-readable: readable by the Apache group only.
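An added example (not the slides' code) of slides 26 and 27 together: the credentials file lives one level above the document root, ends in .php, and is refused if it is world-readable. The directory layout is created under the system temp directory so the script runs anywhere; the paths, the placeholder credentials and the load_db_config() name are assumptions.

```php
<?php
// Added example (not from the slides): includes outside the document root and a
// world-readable check on the credentials file. Paths are constructed under the
// temp directory so the script runs anywhere.
declare(strict_types=1);

$root    = sys_get_temp_dir() . '/inc-demo-' . getmypid();
$docroot = $root . '/htdocs';   // what Apache would serve
$libs    = $root . '/libs';     // one level up: never reachable by URL
mkdir($docroot, 0755, true);
mkdir($libs, 0750, true);

// Credentials live in libs/, not htdocs/. The .php suffix means that even if a
// copy ended up under the docroot, a request would execute it, not print it.
file_put_contents(
    $libs . '/db_connect.inc.php',
    "<?php\nreturn ['dsn' => 'sqlite::memory:', 'user' => 'app', 'pass' => 'placeholder'];\n"
);
chmod($libs . '/db_connect.inc.php', 0640);   // owner rw, Apache group r, no world bits

function load_db_config(string $libDir): array
{
    $file = $libDir . '/db_connect.inc.php';
    if (!is_file($file)) {
        throw new RuntimeException("missing $file");
    }
    // Slide 27: not world-readable. Any other local account could read the
    // password otherwise, so refuse to start rather than run with it.
    if ((fileperms($file) & 0004) !== 0) {
        throw new RuntimeException("$file is world-readable; chmod 640 it");
    }
    // Absolute path, so a changed include_path cannot substitute another file.
    return require $file;
}

$config = load_db_config($libs);
printf("would connect with dsn=%s as user=%s\n", $config['dsn'], $config['user']);

// Alternative from slide 26: add the library dir to include_path and use bare names.
set_include_path($libs . PATH_SEPARATOR . get_include_path());
$again = require 'db_connect.inc.php';
printf("include_path lookup gives the same config: %s\n", var_export($again === $config, true));

// Demonstrate the refusal: loosen the mode and try again.
chmod($libs . '/db_connect.inc.php', 0644);
try {
    load_db_config($libs);
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}

// Clean up the constructed layout.
unlink($libs . '/db_connect.inc.php');
rmdir($libs);
rmdir($docroot);
rmdir($root);
```

On a real host the 0640 file would be owned by the deploying user with the Apache group as group owner, which is exactly the "Apache group readable" arrangement on slide 27.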
  • 28. Web Applications
    • When installing free web applications always be aware of security advisories.
    • Maintain a backup of your database.
    • Practice restoring the database.
    • Be familiar with how to update the application.
  • 29. Secure Configuration of Common PHP Applications: phpMyAdmin
    • Protect config.inc.php if the authentication type is “config” (the credentials are stored in the file).
    • If using HTTP authentication, force SSL using mod_rewrite:
    • RewriteEngine On
    • RewriteRule ^/$ /index.php
    • RewriteCond %{SERVER_PORT} !443$
    • RewriteRule ^(.*) https://host.com:443$1 [R=301,L]
  • 30. Secure Configuration of Common PHP Applications: Gallery
    • Verify that Gallery has written its .htaccess and config.php files after install.
    • Then:
    • chmod 644 .htaccess
    • chmod 644 config.php
    • chmod 400 setup
  • 31. Secure Configuration of Common PHP Applications: phpnuke
    • Move config.php outside of DocumentRoot
    • Edit mainfile.php to point to the moved config.php.
  • 32. Questions?