    • 1. Apache and PHP Security
    • 2. Abbreviated Talk Outline…
      • Basic machine lockdown
      • Apache Configuration and Hardening
      • PHP Configuration and Hardening
      • Secure Practices for PHP Development
      • Secure Configuration of Common PHP Applications
    • 3. Before taking action, understand the role of the server
      • Who will have physical access?
      • Who will have shell access?
      • Will Apache need to write to the filesystem?
      • Will you need Perl, Python etc. on the OS or inside Apache?
      • If possible, can you limit what kinds of POST/GET/cookie/file-upload payloads can be transmitted?
    • 4. Basic Lockdown
      • Turn off unused services, update the machine regularly, use the vendor's recommended configuration files, etc.
      • Enable logwatch or logcheck and actually read the reports.
      • Enable a well-configured file integrity checker (AIDE or Tripwire, for example) and keep its baseline off the machine.
      • Configure iptables to allow only the ports the server actually needs: typically 22, 80 and 443 (plus whatever Tomcat needs, if it is present), and drop everything else by default.
    • 5. Lockdown Continued
      • Improve your odds of surviving a SYN flood: in /etc/sysctl.conf set
      • net.ipv4.tcp_syncookies = 1
      • More information: http://cr.yp.to/syncookies.html
      • Restrict cron and at access to listed users with cron.allow and at.allow, and chmod/chown /etc/cron* and /var/spool/cron so they are owned by root and not world-readable.
    • 6. Lockdown Continued
      • Configure NTP so log timestamps are accurate and can be correlated across machines.
      • Filesystem lockdown:
      • If possible give the apache user a token disk quota ("1" block) on filesystems it has no business writing to, especially /tmp and /var, so a compromised process cannot stage files there.
      • Session data can go to a directory you configure yourself (session.save_path) or, preferably, to a database.
      • /var, /data and /home should be mounted nosuid,nodev,rw.
      • Is it reasonable to mount /usr or /usr/local read-only?
    • 7. Securing Apache
    • 8. Configuring Apache
      • Turn off any unnecessary capabilities; unfortunately many are on by default.
      • Before making changes, research known exploits, especially in the context of the services this machine runs.
      • Look into alternatives. Example: if you are running PHP, use it instead of server-side includes (mod_include):
      • <?php include 'footer.html'; ?>
      • Then XBitHack is not needed (XBitHack Off) and mod_include can be left out altogether.
    • 9. More Configuration Options
      • Remove the stock content under /var/www/ (default index page, manual, icons, sample cgi-bin) so the server does not advertise what it is; pair this with ServerTokens Prod and ServerSignature Off.
      • Create custom error documents (ErrorDocument) in place of the defaults, which carry the server signature.
    • 10. mod_dosevasive
      • Easy to configure (the module now ships as mod_evasive; the directives are the same).
      • Helps mitigate DoS attacks by temporarily blocking IP addresses or URLs.
      • Blocks if:
      • Requests are made for the same page more than X times per second from one host
      • More than X concurrent requests on the same child per second are made
      • Blocked clients receive a 403 for the blocking period while the IP is on the blacklist; each block is logged.
      • Can log to syslog and send email.
      • Can also talk to a firewall or router, or execute an arbitrary system command, when a client is blocked.
    • 11. Example Configuration
      • LoadModule dosevasive20_module modules/mod_dosevasive20.so
      • <IfModule mod_dosevasive20.c>
      • DOSHashTableSize 3097
      • DOSPageCount 2
      • DOSPageInterval 1
      • DOSSiteCount 50
      • DOSSiteInterval 1
      • DOSBlockingPeriod 10
      • DOSEmailNotify [email_address]
      • DOSLogDir "/tmp/mod_dosevasive" (create it in advance, writable by the apache user only; given the quota advice above, a dedicated directory outside /tmp is the better choice)
      • </IfModule>
      • DOSPageCount 2 with DOSPageInterval 1 blocks a client on its second request for the same URI within a second; tune these against real traffic before enabling.
    • 12. mod_security
      • Very powerful
      • Can be tricky to configure; expect a lot of testing against legitimate traffic.
      • Especially useful when the web server runs a small number of applications, so the rule set can be kept tight.
    • 13. mod_security Features
      • Inspects requests before they reach the application.
      • Sees every request, including POST bodies and SSL traffic (it runs inside Apache, after decryption).
      • Understands the HTTP protocol, allowing fine-grained rules.
      • Complete audit logging, including POST data.
      • Custom rules using regular expressions can be applied per virtual host.
    • 14. More mod_security features
      • On a match it can block, email, log, redirect, return an error code, or execute an external program.
      • Can run an action on file upload, for example a virus scan.
      • Easier and better Apache chrooting: the chroot happens after Apache has loaded its modules and opened its logs, so nothing needs copying into the jail. One line: SecChrootDir /chroot/apache
      • Can use Snort web attack signatures (converted to ModSecurity rules).
      • Rules are written and published for known web application vulnerabilities.
      • Can change the server identity (SecServerSignature) without editing the Apache source.
    • 15. Example mod_security Configuration
      • <IfModule mod_security.c>
      • SecFilterEngine On
      • # Prevent OS-specific keywords, e.g. index.php?include=filename
      • SecFilter /etc/passwd
      • # Prevent path traversal (..) attacks
      • SecFilter "../"
      • # Very crude filters to prevent SQL injection attacks
      • SecFilter "delete[[:space:]]+from"
      • SecFilter "insert[[:space:]]+into"
      • SecFilter "select.+from"
      • </IfModule>
      • Caveats: these filters match anywhere in a request, so a forum post quoting SQL or a form field containing "../" is rejected too; test against real traffic before deploying. The syntax is ModSecurity 1.x; 2.x and later replaced SecFilter with SecRule.
    • 16. Scanning your server
      • Nmap
      • Nessus
      • www.nessus.org
      • CIS Linux Benchmark Scan
      • http://www.cisecurity.org/bench_linux.html
    • 17. PHP Security
    • 18. Types of PHP Attacks
      • Command execution and/or writing to the filesystem
      • SQL injection
      • Session hijacking
      • Cross-site scripting (XSS)
      • Cross-site request forgery (CSRF)
      • Session ID reading or prediction
    • 19. Securing PHP
      • Default php.ini < V.4.8
      • ; WARNING ;
      • ; This is the default settings file for new PHP installations.
      • ; By default, PHP installs itself with a configuration suitable for
      • ; development purposes, and *NOT* for production purposes.
      • Newer installs ship a more conservative default (php.ini-production).
      • Many PHP applications run with a stock php.ini, so vulnerabilities that a hardened configuration would blunt remain exploitable.
    • 20. Secure PHP Settings
      • Recommended configuration:
      • display_errors = Off (in production; turn it on per request with ini_set() or per directory via .htaccess only while debugging, since error text leaks paths, queries and library versions)
      • log_errors = On
      • error_reporting = E_ALL (everything is reported, and with display_errors off it all goes to the log)
      • session.save_path = /opt/php/session (set it yourself rather than accepting the shared system default; pick a location such as /opt where the apache quota above does not apply)
      • session.gc_maxlifetime = 600 (idle session data becomes eligible for garbage collection after ten minutes; collection is probabilistic, so enforce the timeout in the application as well)
      • safe_mode = On (enable if possible)
      • safe_mode_gid = On (enable if possible; compares the group rather than the owner of the files being accessed)
      • Most "highly critical" vulnerabilities of the time could be blunted with safe_mode, but it was never a real security boundary: it was deprecated in PHP 5.3 and removed in 5.4, so do not depend on it.
    • 21. More Settings
      • magic_quotes_gpc = Off
      • It backslash-escapes incoming GET/POST/cookie data, but without knowing which application or database the data is bound for: a broken crutch (deprecated in PHP 5.3, removed in 5.4).
      • Better to escape with the PHP function specific to the destination.
    • 22. More Settings
      • register_globals = Off
      • Never turn it on (deprecated in PHP 5.3, removed in 5.4)
      • Too easy to write insecure code
      • It auto-initialises variables from GET/POST/cookie data, so a request such as
      • URL = index.php?administrator=xyz
      • satisfies this check and makes the visitor an administrator:
      • <?php if (isset($administrator)) { $authorized = true; } ?>
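The same authorisation decision written so that it does not depend on php.ini, as an added example that is not part of the talk: the slide's vulnerable pattern is kept beside a version that initialises its state explicitly and derives authorisation from server-side session data. The check_credentials() helper, its constructed one-user table and the use of password_verify() (PHP 5.5 or later) are assumptions.

```php
<?php
// Added example (not from the talk). Assumes PHP >= 5.5 for password_verify().

// Fail closed on a misconfigured interpreter. register_globals was removed in
// PHP 5.4, where ini_get() returns false; on older builds it returns "0" or ""
// when the directive is present but off.
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals is enabled; refusing to run');
}

// --- The slide's vulnerable pattern -----------------------------------------
// With register_globals=On, GET /index.php?administrator=xyz defines
// $administrator before this line runs, so isset() succeeds and an anonymous
// visitor is "authorized". With it Off the code still runs without error,
// which is why the bug survives in shipped applications.
if (isset($administrator)) {
    $authorized = true;
}

// --- Safe pattern -------------------------------------------------------------
// 1. Initialise every state variable yourself, so nothing a client sends can
//    pre-populate it, whatever php.ini says.
$authorized = false;

// 2. Derive authorisation from server-side state (the session), never from the
//    mere presence of a request variable.
session_start();
if (!empty($_SESSION['user_id'])) {
    $authorized = !empty($_SESSION['is_admin']);
}

// 3. Client input is read only from the superglobals, and only to perform a
//    login; the login is what sets the session.
if (!$authorized && isset($_POST['user'], $_POST['password'])) {
    $account = check_credentials($_POST['user'], $_POST['password']);
    if ($account !== false) {
        session_regenerate_id(true);              // fixation defence (slide 25)
        $_SESSION['user_id']  = $account['id'];
        $_SESSION['is_admin'] = $account['is_admin'];
        $authorized = $account['is_admin'];
    }
}

if (!$authorized) {
    header('HTTP/1.1 403 Forbidden');
    exit('forbidden');
}
echo 'admin area';

// Hypothetical credential check against a constructed one-user table. A real
// application would look the user up with a prepared statement (slide 23) and
// store precomputed hashes; the hash is computed here only to stay self-contained.
function check_credentials($user, $password)
{
    $accounts = array(
        'alice' => array(
            'id'       => 7,
            'is_admin' => true,
            'hash'     => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ),
    );
    if (!isset($accounts[$user])) {
        return false;
    }
    if (!password_verify($password, $accounts[$user]['hash'])) {
        return false;
    }
    return array('id' => $accounts[$user]['id'], 'is_admin' => $accounts[$user]['is_admin']);
}
```

The point of step 1 is that `$authorized = false;` makes the decision independent of the interpreter's configuration; the ini_get() guard at the top is belt and braces for legacy hosts.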
    • 23. Developing Best Practices
      • Develop with security and production in mind.
      • Form strict policies about how data is sanitised and at what stage.
      • $_GET, $_COOKIE and $_POST should always be escaped according to where the data is going, not where it came from.
      • To the database: the PEAR DB class (like PDO and mysqli) supports ? placeholders, so the driver keeps data separate from the SQL.
      • MySQL = mysql_real_escape_string()
      • PostgreSQL = pg_escape_string()
      • To the browser = htmlentities() (or htmlspecialchars()) for encoding; strip_tags() only removes markup and does not neutralise what remains.
      • To the shell = escapeshellcmd() for a whole command line; escapeshellarg() for each individual argument, which is the safer choice when the untrusted value is one argument.
    • 24. To Remove Javascript
      • Use preg_replace() to delete these tokens:
      • /javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup/i
      • Caveat: a blacklist like this misses handlers it does not name (onerror, onload, onfocus, ...) and encoded forms such as java&#x73;cript:, so treat it as defence in depth only; output encoding (htmlspecialchars) or a whitelist HTML sanitiser is the real fix.
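One untrusted value escaped for each destination named on slide 23, and the slide-24 blacklist run against payloads it does not catch, as an added example that is not part of the talk. The PDO connection, the users table, the access-log path and the two payloads are assumptions constructed for the example.

```php
<?php
// Added example (not from the talk): escape by destination, and why a
// JavaScript blacklist is not a defence. $pdo, the 'users' table and the log
// path are assumptions.

// 1. To the database: let the driver carry the value separately from the SQL.
//    The '?' placeholder is the same idea as PEAR DB's ? replacements; an
//    apostrophe in a name like O'Brien can no longer end the string literal.
function find_user(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Only if you must build the SQL string yourself, escape with the driver's own
// function on an open connection, e.g. mysqli_real_escape_string($link, $name)
// or pg_escape_string($conn, $name); a generic addslashes() is not equivalent.

// 2. To the browser: encode, don't filter. ENT_QUOTES covers both quote styles
//    so the result is safe inside attribute values as well as element text.
function for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 3. To the shell: escape each ARGUMENT with escapeshellarg(). escapeshellcmd()
//    (named on the slide) only neutralises metacharacters in a whole command
//    line and still lets a value smuggle in extra arguments such as "-r /".
function grep_access_log_for($value)
{
    $cmd = '/bin/grep -F -- ' . escapeshellarg($value) . ' /var/log/apache2/access.log';
    return shell_exec($cmd);
}

// 4. The slide-24 blacklist, exactly as written.
function strip_js_blacklist($html)
{
    $pattern = '/javascript:|onclick|ondblclick|onmousedown|onmouseup|onmouseover'
             . '|onmousemove|onmouseout|onkeypress|onkeydown|onkeyup/i';
    return preg_replace($pattern, '', $html);
}

// Two constructed payloads that pass straight through the blacklist.
$payloads = array(
    '<img src=x onerror=alert(1)>',                 // onerror is not on the list
    '<a href="java&#x73;cript:alert(1)">link</a>',  // entity-encoded "s": the browser decodes it
);
foreach ($payloads as $p) {
    $blacklisted = strip_js_blacklist($p);   // returned unchanged, still executes in a page
    $encoded     = for_html($p);             // &lt;img src=x onerror=alert(1)&gt; ...: inert
    echo "blacklist: $blacklisted\nencoded:   $encoded\n\n";
}
```

The blacklist leaves both payloads byte-for-byte intact; for_html() renders them harmless in any HTML context, which is why encoding at the output boundary beats filtering at the input boundary.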
    • 25. Developing Best Practices cont.
      • Form strict policies concerning sessions (storage, timeouts, session ID length, etc.).
      • On a multi-user machine set a custom session.save_path or store session data in a database, so other users' scripts cannot read or plant your session files.
      • Call session_regenerate_id(true) after login (and on any privilege change) to prevent session fixation; the true argument deletes the old session data.
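A session bootstrap that implements the three bullets above, as an added example that is not part of the talk. The save path, the 600-second idle limit and the cookie flags are assumptions; session.use_strict_mode needs PHP 5.5.2 or later.

```php
<?php
// Added example (not from the talk): session hardening for slide 25. Save path,
// idle limit and cookie settings are assumptions.

// Private session store, so other users' PHP on a shared host cannot read or
// plant session files. The directory must exist, mode 700, owned by the web user.
ini_set('session.save_path', '/opt/php/session');
ini_set('session.use_only_cookies', 1);    // never accept an ID from the URL
ini_set('session.use_strict_mode', 1);     // reject IDs the server never issued (PHP >= 5.5.2)
ini_set('session.cookie_httponly', 1);     // script cannot read the cookie
ini_set('session.cookie_secure', 1);       // cookie travels only over HTTPS
ini_set('session.gc_maxlifetime', 600);    // matches IDLE_LIMIT below

define('IDLE_LIMIT', 600);

session_start();

// gc_maxlifetime only makes stale files *eligible* for the probabilistic garbage
// collector; an idle session can survive much longer. Enforce the limit here.
if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > IDLE_LIMIT) {
    $_SESSION = array();            // drop the data
    session_regenerate_id(true);    // and the old ID, so it cannot be replayed
}
$_SESSION['last_seen'] = time();

// Call only after credentials have been verified, never before.
function login_succeeded($user_id)
{
    // A new ID at the moment privilege changes defeats fixation: an ID the
    // attacker planted before login now refers to nothing (true deletes it).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_at'] = time();
}

function logout()
{
    $_SESSION = array();
    // Expire the cookie too, not just the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function current_user_id()
{
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}
```

Include this file before any output on every page; the ini_set() calls must precede session_start(), and the cookie flags only take effect for cookies issued after that point, so roll it out together with a one-off forced logout.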
    • 26. Developing Best Practices cont. Securing Includes
      • Place them outside the document root, for example:
      • ini_set("include_path", ".:/home/user/libs");
      • But if you have to place them under the document root...
      • End their names in .php (e.g. database.inc.php) so a direct request executes them instead of returning the source.
      • And deny direct access to anything still named .inc (the dot is escaped so the pattern means a literal .inc suffix):
      • <Files ~ "\.inc$">     Order allow,deny     Deny from all
      • </Files>
      • On Apache 2.4 use Require all denied in place of the Order/Deny pair.
    • 27. Where to put db_connect.inc.php
      • Not in the document root.
      • If possible, make it not world-readable: owner you, group apache, mode 640, so only the web server (and you) can read the database password.
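A front controller that loads db_connect.inc.php from the layout the two slides above describe and refuses to start if the file is exposed, as an added example that is not part of the talk. The directory layout, the file's permissions and the exit messages are assumptions.

```php
<?php
// Added example (not from the talk): load db_connect.inc.php from outside
// DocumentRoot and fail closed if it is exposed. Assumed layout:
//   /home/user/public_html/index.php          <- DocumentRoot, this file
//   /home/user/libs/db_connect.inc.php        <- owner user, group apache, mode 640

$libdir = dirname(__DIR__) . '/libs';            // sibling of DocumentRoot, never below it
set_include_path($libdir . PATH_SEPARATOR . get_include_path());

$cfg = realpath($libdir . '/db_connect.inc.php');
if ($cfg === false) {
    exit('configuration file missing');
}

// World-readable means every shell account on the box can read the DB password.
if (fileperms($cfg) & 0004) {
    exit('db_connect.inc.php is world-readable; chmod 640 it');
}

// If someone later moves it under DocumentRoot, a direct request would serve the
// source (as .inc) or execute it in isolation (as .inc.php). Refuse rather than hope.
$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docroot !== false && strpos($cfg, $docroot . DIRECTORY_SEPARATOR) === 0) {
    exit('db_connect.inc.php is inside DocumentRoot');
}

require_once 'db_connect.inc.php';               // resolved via include_path
```

The permission check runs on every request and costs one stat(); it turns a silent configuration regression (someone running chmod 644 during a deploy) into an immediate, visible failure.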
    • 28. Web Applications
      • When installing third-party web applications, follow their security advisories and patch promptly.
      • Maintain a backup of your database.
      • Practice restoring the database before you need to.
      • Be familiar with how to update the application.
    • 29. Secure Configuration of Common PHP Applications phpMyAdmin
      • Protect config.inc.php if auth_type is "config": it then contains the database password in clear text.
      • If using HTTP authentication, force SSL with mod_rewrite so the credentials never travel in clear (server or virtual-host context, with RewriteEngine On):
      • RewriteRule ^/$ /index.php
      • RewriteCond %{SERVER_PORT} !^443$
      • RewriteRule ^(.*) https://host.com:443$1 [R=301,L]
    • 30. Secure Configuration of Common PHP Applications Gallery
      • Verify that Gallery has written its .htaccess and config.php during install; they need to be writable only at that point.
      • Then make them no longer writable by the web server (assuming the files are owned by your account, not the apache user) and lock the setup directory:
      • chmod 644 .htaccess
      • chmod 644 config.php
      • chmod 400 setup
    • 31. Secure Configuration of Common PHP Applications phpnuke
      • Move config.php outside the DocumentRoot.
      • Edit mainfile.php to point at the new path of config.php.
    • 32. Questions?