
Securing A Linux Web Server In 10 steps or Less

Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access.

You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full-time system admin, you will get to know a structured way of looking at server security.

This applies to the following types of servers running Linux: Virtual Private Server, Dedicated Server, Rackspace Cloud Instance, Amazon EC2.

It is not going to help if your website is on shared hosting like Dreamhost, GoDaddy or HostGator.


Securing A Linux Web Server In 10 steps or Less

  1. Akash Mahajan, That Web Application Security Guy
  2. Reduce Attack Surface
     F-117 Nighthawk, http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg
     #rootconf | @makash | akashm.com
  3. What is the Attack Surface
     All the TCP and UDP ports listening on the external interfaces:
     # netstat -nltup
  4. Reducing the attack surface by stopping services from:
     running: # /etc/init.d/<servicename> stop
     listening on the external IP: bind-address=127.0.0.1
     starting at boot time: # update-rc.d <servicename> remove
  5. After Reduction
  6. Mini Distro
     Start with a 12 MB mini ISO, install the OpenSSH server, install the required LAMP packages using tasksel; there are no compilers or extra libraries.
  7. Patching and Updates
     Choose a Long Term Support release (10.04 LTS, 12.04 LTS). One command to patch and update:
     # apt-get update && apt-get upgrade
  8. Protecting Your Access
  9. Reason #1 for Hacked Linux Servers: SSH Server Password Brute Forcing
  10. Secure Shell aka SSH
      Conventional wisdom says: don't allow root to login; don't use passwords, use keys only; use SSH version 2.0.
  11. Attack Surface in SSH
      Password brute forcing requires valid users who are allowed to login, and a lot of people use keys without passphrases. Make one change in /etc/ssh/sshd_config:
      AllowUsers <user@Host>
  12. Files and Permissions
              Read (r)  Write (w)  Execute (x)
      User       4         2           1
      Group      4         -           1
      Others     4         -           -
      -rwxr-xr-- | 0754
  13. Apache Web Server
      /etc/apache2/conf.d/security
      line number 27: ServerTokens Prod
      line number 39: ServerSignature Off
  14. MySQL Database Server
      If the database and web server are on the same host, then the MySQL server should only listen on localhost. In /etc/mysql/my.cnf:
      bind-address=127.0.0.1
  15. MySQL Database Server
      Run # mysql_secure_installation. Create a new user for each new database. Only give SELECT, UPDATE, INSERT, DELETE, ALTER, CREATE privileges to the new user. The new user should be for localhost; don't give %.
  16. Uncomplicated Firewall
      • ufw enable
      • ufw allow 22 // SSH Access
      • ufw allow 80 // Website Access
      • ufw allow 443 // Secure Website Access
      • ufw default deny // Kitchen Sink
  17. Uncomplicated Firewall
      ufw allow from <external DB IP> to <current host IP> port 3306
  18. Reference Web App Architecture
      The Document Root should only contain files that are meant to be served to the user; everything else should be in a folder outside it.
  19. Reference Web App Architecture
      /var/www/site/public for files to serve
      /var/www/site/private for config files
      Keep the file owner as the person who uploads; keep the group as www-data.
  20. My name is list, Check List
      Start from a mini ISO; remove unwanted services; whitelist users for SSH login; MySQL users need to be protected; default deny and allow specific.
  21. Wait, there is more you can do
      • Logs of SSH, web servers
      • Monitoring of these services
      • Add whitelisted hosts to /etc/hosts.allow or blacklisted hosts to /etc/hosts.deny
  22. Questions and Answers
      Akash Mahajan, That Web Application Security Guy
      http://akashm.com | @makash
      akashmahajan@gmail.com | 9980527182
  23. References
      • Information about the F-117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
      • Unable to find out where I got the staircase image from. If you know, please do let me know.
      • The rest of the images are from istockphoto.com
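Slide 3 defines the attack surface as every TCP and UDP port listening on an external interface and gives `netstat -nltup` as the way to see it. The script below is an added example, not code from the talk: it filters that output down to the sockets that actually matter, dropping anything bound to loopback. The netstat output embedded in it is constructed so the script runs offline; the PIDs and program names are made up.

```shell
#!/bin/sh
# Added example (not from the talk): reduce "netstat -nltup" output to the
# sockets that make up the external attack surface, i.e. anything listening on an
# address other than loopback. Constructed sample output is embedded so it runs
# offline; on a real host pipe the live command in instead (see the last lines).

# external_listeners: reads netstat -nltup output on stdin and prints
# "proto address port pid/program" for every non-loopback listener.
external_listeners() {
    awk '
        # only socket rows; header lines start with "Active" / "Proto"
        $1 ~ /^(tcp|udp)6?$/ {
            # local address is "addr:port"; the port is the text after the last colon
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # loopback-only sockets are not reachable from outside: skip them
            if (addr == "127.0.0.1" || addr == "::1" || addr ~ /^127\./) next
            # the PID/Program column is last whether or not a State column is present
            print $1, addr, port, $NF
        }'
}

# Constructed sample: what netstat -nltup might print on a fresh LAMP install.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1104/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1220/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1220/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           600/chronyd
EOF
)

# count_external: number of externally reachable listeners in the sample
count_external() {
    printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners | wc -l | tr -d ' '
}

echo "External attack surface (constructed sample):"
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners

# On a real host, run as root so the PID/Program column is populated:
#   netstat -nltup 2>/dev/null | external_listeners
```

On the sample, MySQL bound to 127.0.0.1 (slide 14) and chronyd on loopback disappear from the list, and what remains (sshd, apache2 on v4 and v6, dhclient) is exactly the set slides 4 and 16 ask you to justify service by service.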
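Slides 10, 11, 13 and 14 each boil down to one or two settings in a config file (sshd, Apache, MySQL). The script below is an added example, not the talk's own code: it reads those files and reports every setting that differs from what the slides recommend, so the checklist on slide 20 can be re-run after every change. The config files it reads are constructed inside the script so it runs anywhere; `deploy@203.0.113.10` is an invented AllowUsers entry, and on a real host you would pass the actual paths instead.

```shell
#!/bin/sh
# Added example (not from the talk): an offline audit of the settings slides 10-15
# recommend for sshd, MySQL and Apache. The config files below are constructed
# here so the script runs anywhere; on a real host pass the actual paths
# (/etc/ssh/sshd_config, /etc/mysql/my.cnf, /etc/apache2/conf.d/security).

# conf_value FILE KEY: value of the last active (uncommented) KEY line, "" if unset.
# Handles both "Key value" (sshd, Apache) and "key = value" (my.cnf) forms; the key
# comparison is case-insensitive, as sshd treats keywords. Does not understand
# sshd Match blocks: a value inside one is reported like a global one.
conf_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                           # skip comments
        { sub(/=/, " "); if (tolower($1) == k) v = $2 }     # "key = value" -> "key value"
        END { print v }' "$1"
}

# report NAME EXPECTED ACTUAL: print a finding when they differ; status 1 on mismatch.
report() {
    [ "$3" = "$2" ] && return 0
    printf 'FINDING: %s is "%s", expected "%s"\n' "$1" "${3:-<unset>}" "$2"
    return 1
}

# audit_sshd FILE (slides 10-11): no root login, keys only, protocol 2, and an
# AllowUsers whitelist so password guessing has no valid target. Returns the
# number of findings; 0 means every check passed.
audit_sshd() {
    n=0
    report PermitRootLogin no "$(conf_value "$1" PermitRootLogin)" || n=$((n + 1))
    report PasswordAuthentication no "$(conf_value "$1" PasswordAuthentication)" || n=$((n + 1))
    # OpenSSH 7.0+ dropped protocol 1 and ignores this keyword, so only flag it when set to something else
    p=$(conf_value "$1" Protocol)
    if [ -n "$p" ] && [ "$p" != 2 ]; then
        report Protocol 2 "$p" || n=$((n + 1))
    fi
    if [ -z "$(conf_value "$1" AllowUsers)" ]; then
        echo 'FINDING: AllowUsers is unset; every account on the box can be logged into over SSH'
        n=$((n + 1))
    fi
    return $n
}

# audit_mysql FILE (slide 14): mysqld reachable from localhost only.
audit_mysql() {
    n=0
    report bind-address 127.0.0.1 "$(conf_value "$1" bind-address)" || n=$((n + 1))
    return $n
}

# audit_apache FILE (slide 13): no version details in headers or error pages.
audit_apache() {
    n=0
    report ServerTokens Prod "$(conf_value "$1" ServerTokens)" || n=$((n + 1))
    report ServerSignature Off "$(conf_value "$1" ServerSignature)" || n=$((n + 1))
    return $n
}

# Constructed config files: a default-looking set and a hardened sshd_config.
CONF=$(mktemp -d)
trap 'rm -rf "$CONF"' EXIT
cat >"$CONF/sshd_config.weak" <<'EOF'
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
cat >"$CONF/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@203.0.113.10
EOF
cat >"$CONF/my.cnf.weak" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF
cat >"$CONF/security.weak" <<'EOF'
ServerTokens OS
ServerSignature On
EOF

for f in sshd_config.weak sshd_config.hardened my.cnf.weak security.weak; do
    echo "== $f"
    case $f in
        sshd*)   audit_sshd "$CONF/$f"   || echo "   $? finding(s)" ;;
        my.cnf*) audit_mysql "$CONF/$f"  || echo "   $? finding(s)" ;;
        *)       audit_apache "$CONF/$f" || echo "   $? finding(s)" ;;
    esac
done
```

The weak sshd_config produces four findings (root login allowed, password authentication still at its default, protocol 1 enabled, no AllowUsers whitelist), the hardened one none. Because each audit function returns its finding count, the script can be dropped into a cron job or a deployment check and fail loudly when someone re-enables a setting.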
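Slides 12, 18 and 19 go together: the rwx-to-octal table, the rule that the document root holds only what is served, and the public/private layout with the uploader as owner and www-data as group. The script below is an added example, not the talk's own code: it builds that layout in a scratch directory, implements the slide 12 mapping as a function so the resulting modes can be verified from `ls -ld`, and searches the document root for files that belong in private/. The owner `deploy` and the group `www-data` are assumptions; the chown only succeeds when run as root on a host where both exist, and the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): the slide 19 layout built in a scratch
# directory, with the slide 12 rwx-to-octal mapping implemented as a function so
# the resulting modes can be checked, and a search for files that should not be
# inside the document root (slide 18). The owner "deploy" and group "www-data"
# are assumptions; chown only succeeds when run as root on a host that has them.

# mode_to_octal MODESTRING: turns an ls-style "-rwxr-xr--" into "0754".
# Each rwx triplet is r=4, w=2, x=1; the leading digit carries setuid (4),
# setgid (2) and sticky (1), which ls shows as s/S in the x slots and t/T at the end.
mode_to_octal() {
    m=$1
    special=0
    result=""
    for triplet in 1 2 3; do
        start=$((triplet * 3 - 1))                 # columns 2-4, 5-7, 8-10
        bits=$(printf '%s' "$m" | cut -c"$start"-"$((start + 2))")
        v=0
        case $bits in r??)     v=$((v + 4)) ;; esac
        case $bits in ?w?)     v=$((v + 2)) ;; esac
        case $bits in ??[xst]) v=$((v + 1)) ;; esac
        case $triplet$bits in
            1??[sS]) special=$((special + 4)) ;;
            2??[sS]) special=$((special + 2)) ;;
            3??[tT]) special=$((special + 1)) ;;
        esac
        result="$result$v"
    done
    printf '%d%s\n' "$special" "$result"
}

# path_mode PATH: octal mode of a file or directory, derived from ls -ld.
path_mode() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# lay_out_site ROOT OWNER GROUP: public/ (served) and private/ (config) side by side.
# Directories get setgid so uploaded files inherit the web server's group; files
# are owner-rw, group-r, nothing for others.
lay_out_site() {
    root=$1
    mkdir -p "$root/public" "$root/private"
    chmod 750 "$root"
    chmod 2750 "$root/public" "$root/private"
    find "$root" -type f -exec chmod 640 {} +
    chown -R "$2:$3" "$root" 2>/dev/null \
        || echo "note: could not chown to $2:$3 (needs root and existing accounts)"
}

# stray_in_docroot ROOT: files under public/ that look like config, dumps or backups,
# i.e. things slide 18 says belong outside the document root.
stray_in_docroot() {
    find "$1/public" -type f \( -name '*.ini' -o -name '*.cnf' -o -name '*.conf' \
        -o -name '.ht*' -o -name '*.sql' -o -name '*.bak' -o -name '*.swp' \)
}

# Constructed scratch site so the example runs without touching /var/www.
SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/public" "$SITE/private"
: >"$SITE/public/index.php"       # meant to be served
: >"$SITE/private/config.php"     # database credentials: stays outside public/
: >"$SITE/public/db.sql"          # constructed mistake: a dump left in the docroot
lay_out_site "$SITE" deploy www-data

echo "-rwxr-xr-- is $(mode_to_octal '-rwxr-xr--')"
echo "public/ mode: $(path_mode "$SITE/public")"
echo "index.php mode: $(path_mode "$SITE/public/index.php")"
echo "files that should not be in the document root:"
stray_in_docroot "$SITE"
```

Running it prints 0754 for the slide's example string, 2750 for the directories (the 2 is the setgid bit that keeps new uploads in the www-data group) and 0640 for the files, and lists db.sql as the one file that would be served to anyone who guessed its name.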
