1. High Security LAMPs
   Dutch PHP Conference 2008

2–7. The guy in the front
   • Johann-Peter Hartmann
   • Fulltime PHP Developer since 3.0.4
   • likes PHP because people are nice and PHP is fun
   • likes Security because Security is fun
   • Founder and CTO of Mayflower GmbH
   • CEO of SektionEins GmbH, founded with Stefan Esser

8–14. Agenda
   • Where Security happens
   • Distributed Denial of Service Attacks
   • Server Hardening
   • Apache Hardening
   • MySQL Hardening
   • PHP Hardening
   • Application Hardening

15–16. PHP Security - where are we right now?
17–19. Know your enemy
   Pie chart: Profit vs. Fun, shares shown as 67 % and 33 %. Source: Breach 2007.

20–30. Why they attack You
   Pie chart with the categories Information theft, Defacement, Malware, Unknown, Fraud, Blackmail, Link Spam, Worms, Phishing, Information Warfare; shares shown: 42 %, 23 %, 15 %, 8 %, 3 %, 3 %, 3 %, 1 %, 1 % (the assignment of shares to categories is not recoverable from the text). Source: Breach 2007.

31–44. How they attack You
   Pie chart with the categories SQL Injection, Information Disclosure, Known Exploits, XSS, Missing Authentication, Guessing of Logins/Sessions, OS Code Execution, Wrong configurations, Missing Anti-Automation, Denial Of Service, Redirect, Wrong Session-Timeout, CSRF; shares shown: 20 %, 17 %, 15 %, 12 %, 10 %, 8 %, 3 %, 3 %, 3 %, 3 %, 2 %, 2 %, 2 % (the assignment of shares to categories is not recoverable from the text). Source: NSI 2006.
45. A simple view on our favourite platform's stack
   Layers: PHP-Application, Apache, MySQL, PHP, Linux, Network

46–49. Network Attacks: DDoS [layer: Network]
   • Distributed Denial of Service attacks
   • from hundreds to millions of compromised computers (BotNet)
   • sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http
   • up to 25 GB/s

50–54. Distributed Denial of Service: It's a business model [layer: Network]
   • Blackmail (in-ist-drin.de 7/2007, many more)
   • Political Reasons (Estonia 5/2007, more than 1,000,000 computers in the botnet)
   • criminal activities (Anti-419, Anti-Dialer-Sites)
   • actually it was developed by and for script kiddies in IRC

55–59. How to protect against DDoS [layer: Network]
   • You can't protect yourself
   • Your firewall won't help you if your uplink is smaller than 25 G/s
   • Your Provider can, ask for "DDoS Managed Security Services"
   • 2 solutions: blackhole your traffic, or use cleaning routers
   • you won't blackhole your christmas business, and cisco ddos cleaning infrastructure is expensive

60–65. Safety for your local network [layer: Network]
   • You got a firewall and a DMZ
   • Attack surface reduction - disable what is not needed: FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP
   • for non-public services you actually need: packet filtering, an own management ip
   • better: use a vpn
66–71. How to secure Linux [layer: Linux]
   • Deactivate what you don't need
   • Uninstall what you don't need
   • Harden your kernel
   • deactiv… [text cut off]

72–76. SELinux [layer: Linux]
   • Security Enhanced Linux
   • developed by the NSA
   • pretty secure from a technical point of view
   • part of t… [text cut off]

77–82. AppArmor - what it is [layer: Linux]
   • Originally "SubDomain", developed by Immunix
   • ... bought by Novell
   • Default part of Novell/SuSE Linux … [text cut off]

83–89. AppArmor - what it does [layer: Linux]
   • simplified interface to Mandatory Access Control
   • based on file permissions and POSIX capabilities … [text cut off]

90–96. Why AppArmor works for idiots [layer: Linux]
   • upload.php should be able to write to "/images/"
   • Default is always deny, so you need to enabl… [text cut off]
97–102. Hardening Apache [layer: Apache]
   • Disable every module you don't need.
   • mod_parmguard: set validation rules for every parameter
   • mod_sec… [text cut off]

103–108. mod_security [layer: Apache]
   • bought by Breach Security, dual-licensed
   • filtering the low hanging fruits: Code Executions, Inclusions… [text cut off]

109–113. Web Application Firewalls
   • granular security rules custom tailored for your application
   • bridge, router, reverse proxy or em… [text cut off]
114–122. MySQL Security [layer: MySQL]
   • run MySQL in SELinux/AppArmor
   • deactivate networking: skip-networking
   • deactivate file access: set… [text cut off]

123–126. PHP Security [layer: PHP]
   • Secure PHP configuration:
   • Deactivate: allow_url_fopen, allow_url_include, display_er… [text cut off]
127–131. Suhosin Engine Patches [layer: PHP]
   • Global protection for Low-Level-Bugs in PHP
   • Memory Manager Hardening (Can… [text cut off]

132–136. Suhosin Extension [layer: PHP]
   • Protection against unknown php core level bugs
   • forbidden methods by vhost
   • Protection… [text cut off]

137–142. Suhosin Logging [layer: PHP]
   • for intrusion detection and configuration
   • supports several output channels: syslog… [text cut off]

143–148. Coding Guidelines [layer: PHP]
   • E_ALL/E_STRICT safe coding
   • no global variables, no variable scope overwriting
   • for… [text cut off]
149–153. Input / Output Flow in PHP [layer: PHP]
   • Input check: Validation is done based on the knowledge of the expected content
   • If the inp… [text cut off]
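The input/output flow of these slides, as an added example that is not code from the talk: every parameter is validated against what the application expects (integer range, column whitelist, length and encoding of free text) and rejected on failure, while the output side encodes for its context (HTML escaping, bound SQL parameters), which carries the flow one step beyond the cut-off slide. Parameter names, rules and the sample table are assumptions.

```php
<?php
// Added example, not code from the talk: validate each input against the
// expected content, reject on failure, and encode at output time for the
// output context. Parameter names, rules and the table are assumptions.

final class ValidationError extends RuntimeException {}

// Sort columns the application actually offers (assumed whitelist).
const SORT_COLUMNS = ['name', 'price'];

// Returns only typed, checked values; raw request data never leaves here.
function validateRequest(array $input): array
{
    // id: a positive integer, not merely something numeric-looking
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new ValidationError('id: expected a positive integer');
    }

    // sort: must be one of the offered column names (strict comparison);
    // a real but unoffered column such as owner_id is rejected as well
    $sort = $input['sort'] ?? 'name';
    if (!is_string($sort) || !in_array($sort, SORT_COLUMNS, true)) {
        throw new ValidationError('sort: unknown column');
    }

    // comment: free text, so only length and UTF-8 validity can be checked;
    // it is NOT "cleaned" of HTML here, that is the output layer's job
    $comment = $input['comment'] ?? '';
    if (!is_string($comment) || strlen($comment) > 200
        || preg_match('//u', $comment) !== 1) {
        throw new ValidationError('comment: at most 200 bytes of valid UTF-8');
    }

    return ['id' => $id, 'sort' => $sort, 'comment' => $comment];
}

// Output context HTML: encode when the value is written into the page.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Output context SQL: data goes in as a bound parameter; the column name,
// which cannot be bound, comes only from the validated whitelist.
function fetchItems(PDO $db, array $clean): array
{
    $stmt = $db->prepare(
        'SELECT name, price FROM items WHERE owner_id = :id ORDER BY ' . $clean['sort']
    );
    $stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (owner_id INTEGER, name TEXT, price REAL)');
$db->exec("INSERT INTO items VALUES (42, 'widget', 9.5), (42, 'gadget', 3.25)");

// Constructed requests: one valid, one with a column outside the whitelist,
// one with an id that is numeric but out of range.
$requests = [
    ['id' => '42', 'sort' => 'price', 'comment' => 'nice <b>shop</b> & fast'],
    ['id' => '42', 'sort' => 'owner_id', 'comment' => 'x'],
    ['id' => '-1', 'sort' => 'name', 'comment' => 'x'],
];

foreach ($requests as $req) {
    try {
        $clean = validateRequest($req);
        foreach (fetchItems($db, $clean) as $row) {
            printf("%s %.2f\n", $row['name'], $row['price']);
        }
        echo renderComment($clean['comment']), "\n";
    } catch (ValidationError $e) {
        // Reject outright and log it; rejected input is material for the
        // IDS side of the talk, not something to repair and pass on.
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```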
154–158. PHP-IDS [layer: PHP]
   • It's an IDS, not an XSS filter
   • Better-than-nothing solution, like mod_security
   • there has alway… [text cut off]

159–160. Questions?
   Contact me at: johann-peter.hartmann@sektioneins.de
Secure the lamp application stack

Notes
  • PHP is used in a lot of environments where security is a good idea, like banks, credit data, porn sites etc. Who is working with personal data? Who is working with credit card data? Medical information? Information with personal sexual information (like a dating site)?
  • Sorry, I can't go into depth.
  • So the attacker is by no means the amateur at home any more, but a service provider in a functioning market. "For 40,000 euros you get the data of any company."
  • The main motivation is information theft, i.e. the theft of sensitive data. For this reason this topic is also treated explicitly.
  • Nowadays you could start with the layer above, too - but don't ask me, ask the ajax in action guys about that.
  • There is a big dark area when it comes to blackmail. Happens usually on Christmas.
  • services: sun-rpc, ftp, ssh, etc

    1. 1. High Security LAMPsDutch PHP Conference 2008
    2. 2. The guy in the front Johann-Peter Hartmann
    3. 3. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4
    4. 4. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun
    5. 5. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun
    6. 6. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun Founder and CTO of Mayflower GmbH
    7. 7. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun Founder and CTO of Mayflower GmbH CEO of SektionEins GmbH, founded with Stefan Esser
    8. 8. AgendaWhere Security happens
    9. 9. AgendaWhere Security happensDistributed Denial of Service Attacks
    10. 10. AgendaWhere Security happensDistributed Denial of Service AttacksServer Hardening
    11. 11. AgendaWhere Security happensDistributed Denial of Service AttacksServer HardeningApache Hardening
    12. 12. AgendaWhere Security happensDistributed Denial of Service AttacksServer HardeningApache HardeningMySQL Hardening
    13. 13. AgendaWhere Security happensDistributed Denial of Service AttacksServer HardeningApache HardeningMySQL HardeningPHP Hardening
    14. 14. AgendaWhere Security happensDistributed Denial of Service AttacksServer HardeningApache HardeningMySQL HardeningPHP HardeningApplication Hardening
    15. 15. PHP Security - where arewe right now?
    16. 16. PHP Security - where arewe right now?
    17. 17. Know your enemy Profit FunSource: Breach 2007
    18. 18. Know your enemy 67 % Profit FunSource: Breach 2007
    19. 19. Know your enemy 33 % 67 % Profit FunSource: Breach 2007
    20. 20. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing Information WarfareSource: Breach 2007
    21. 21. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information WarfareSource: Breach 2007
    22. 22. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information Warfare 23 %Source: Breach 2007
    23. 23. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    24. 24. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    25. 25. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    26. 26. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud 3 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    27. 27. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    28. 28. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    29. 29. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    30. 30. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 %Source: Breach 2007
    31. 31. How they attack You SQL Injection Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRFSource: NSI 2006
    32. 32. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRFSource: NSI 2006
    33. 33. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRFSource: NSI 2006
    34. 34. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    35. 35. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    36. 36. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    37. 37. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    38. 38. How they attack You SQL Injection 20 % Information Disclosure Known Exploits 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    39. 39. How they attack You SQL Injection 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    40. 40. How they attack You SQL Injection 3 % 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    41. 41. How they attack You 3 % SQL Injection 3 % 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    42. 42. How they attack You 3 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    43. 43. How they attack You 2 % 3 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    44. 44. How they attack You 2 % 3 % 2 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRFSource: NSI 2006
    45. 45. A simple view on ourfavourite platforms stack PHP-ApplicationApache MySQL PHP Linux Network
    46. 46. Network Attacks: DDoSDistributed Denial of Service Attacken Network
    47. 47. Network Attacks: DDoSDistributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) Network
    48. 48. Network Attacks: DDoSDistributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http Network
    49. 49. Network Attacks: DDoSDistributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http up to 25Network GB/s
    50. 50. Distributed Denial of Service It‘s a business model Network
    51. 51. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Network
    52. 52. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) Network
    53. 53. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) criminal activities (Anti-419, Anti-Dialer-Sites) Network
    54. 54. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) criminal activities (Anti-419, Anti-Dialer-Sites) actually it was developped by and for script kiddies in Network IRC
How to protect against DDoS
  - You can't protect yourself: your firewall won't help you if your uplink is smaller than 25 Gbit/s.
  - Your provider can; ask for "DDoS managed security services".
  - Two solutions: blackhole your traffic (null-route the target prefix upstream), or use cleaning routers (scrubbing centres).
  - You won't blackhole your Christmas business, and Cisco DDoS cleaning infrastructure is expensive.
Safety for your local network
  - You have a firewall and a DMZ.
  - Attack surface reduction: disable what is not needed, e.g. FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP.
  - For the non-public services you actually need: packet filtering and a dedicated management IP.
  - Better: reach management services only over a VPN.
How to secure Linux
  - Deactivate what you don't need.
  - Uninstall what you don't need.
  - Harden your kernel: deactivate unneeded kernel features, deactivate loadable kernel modules.
  - Mandatory Access Control such as SELinux or AppArmor.
SELinux: Security Enhanced Linux
  - developed by the NSA
  - pretty secure from a technical point of view
  - part of the mainline 2.6 kernel and of Red Hat/Fedora
  - the policy defines more than 700 different types (labels)
AppArmor: what it is
  - originally "SubDomain", developed by Immunix
  - ... bought by Novell
  - default part of Novell/SuSE Linux
  - open source, can easily be used within other Linux distributions
  - SELinux for idiots
  - We use it.
AppArmor: what it does
  - a simplified interface to Mandatory Access Control
  - based on file permissions and POSIX capabilities
  - based on filenames: rules are attached to paths, not to inode labels (the usual criticism: a path-based model does not see hard links and alternative paths to the same file)
  - rather simple workflow: you profile your software's permissions while using it (complain mode logs what the profile would deny, aa-logprof turns the log into rules); the resulting profile defines the permissions needed (it needs some rework, though)
Why AppArmor works for idiots
  - upload.php should be able to write to "/images/". Default is always deny, so you need to enable it.
  - SELinux: the docroot /var/www/html is labelled httpd_sys_content_t, so the lazy fix is to allow writing for the whole of /var/www/html. (Doing it properly means relabelling only the images directory with a writable type such as httpd_sys_rw_content_t, which requires understanding the type system first.)
  - AppArmor: a rule is just a path plus permission letters, e.g. /var/www/html/config.inc.php w (grant w only where it is genuinely needed; the upload case wants the images directory, never a config file).
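As an added example (not a profile from the slides), the rule in context: a fragment of an AppArmor profile for Apache in which the PHP code running inside httpd may write to the images directory and nowhere else in the docroot. Paths follow a Debian/Ubuntu layout and are assumptions.

```apparmor
# Added example, not from the slides: AppArmor profile fragment for Apache
# (Debian/Ubuntu layout assumed) that confines upload.php's writes to the
# images directory. Load with: apparmor_parser -r /etc/apparmor.d/usr.sbin.apache2
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability dac_override,

  /usr/sbin/apache2 mr,
  /etc/apache2/** r,
  /etc/php5/** r,                      # php.ini and conf.d (path is an assumption)
  /var/log/apache2/*.log w,
  /var/run/apache2/** rw,

  # application code, templates, images: readable, never writable ...
  /var/www/html/** r,
  # ... except the one directory upload.php must write to
  /var/www/html/images/** rw,
  # an explicit deny wins over any later 'w' rule, so a typo cannot expose the config
  deny /var/www/html/config.inc.php w,

  # PHP upload_tmp_dir and session.save_path (assumed locations)
  /var/lib/php/upload/** rw,
  /var/lib/php/sessions/** rwk,

  # MySQL socket for the application's database connection
  /var/run/mysqld/mysqld.sock rw,
}
```

Put the profile into complain mode first (aa-complain /usr/sbin/apache2), exercise the application including uploads, and let aa-logprof propose rules for whatever the profile still denies before switching to enforce mode.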
Hardening Apache
  - Disable every module you don't need.
  - mod_parmguard: set validation rules for every request parameter.
  - mod_security: a free, small web application firewall; filters every part of the request with regular expressions; default rulesets are available (gotroot).
mod_security
  - bought by Breach Security, dual-licensed
  - filters the low-hanging fruit: code execution, file inclusion, SQL injection, XSS
  - if a security issue is found, an error page is returned to the user (the status code is whatever the deny action is configured with; 403 is the module's default, the slide's deployments used 500)
  - mod_security 2.0 is stateful and implements session support
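An added example, not configuration from the slides or from the mod_security distribution: a minimal mod_security 2.x rule set that shows the two things the slides describe, a default deny action returning an error status and regular-expression filters over request parameters. The log path and rule ids are assumptions; the patterns are deliberately narrow and are not a substitute for a maintained rule set.

```apache
# Added example, not from the slides: mod_security 2.x, deliberately narrow rules.
<IfModule mod_security2.c>
  SecRuleEngine On              # DetectionOnly while tuning: log, never block
  SecRequestBodyAccess On       # inspect POST bodies, not only the query string
  SecAuditEngine RelevantOnly
  SecAuditLog /var/log/apache2/modsec_audit.log

  # phase:2 = after the request body has been read; deny answers with status 403
  SecDefaultAction "phase:2,log,auditlog,deny,status:403"

  # SQL injection: 'union ... select' in any parameter, after URL decoding and lowercasing
  SecRule ARGS "@rx union[\s/*]+select" \
      "id:100001,phase:2,t:urlDecodeUni,t:lowercase,msg:'SQL injection attempt'"

  # remote inclusion: a parameter that is a URL or a PHP stream wrapper
  SecRule ARGS "@rx ^(https?|ftp|php|data)://" \
      "id:100002,phase:2,t:urlDecodeUni,t:lowercase,msg:'remote inclusion attempt'"

  # simple XSS probe: script tags or inline event handlers in any parameter
  SecRule ARGS "@rx <script|on(load|error|click)\s*=" \
      "id:100003,phase:2,t:urlDecodeUni,t:lowercase,msg:'XSS attempt'"
</IfModule>
```

Run with SecRuleEngine DetectionOnly and read the audit log for a few days before enforcing: every rule that fires on legitimate traffic is a false positive you will otherwise discover from customers.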
Web Application Firewalls
  - granular security rules custom-tailored for your application
  - deployed as a bridge, router or reverse proxy, or embedded in your web server; as an appliance or as software
  - brute-force mitigation, cookie encryption, URL mapping
  - can learn the default behaviour of your application
  - HTTP parameters are normalized before the rules see them
MySQL Security
  - run MySQL under SELinux/AppArmor
  - deactivate networking: skip-networking in the [mysqld] section (the application talks to the socket)
  - deactivate file access: local-infile=0 (the slide's set-variable = local-infile=0 is the old my.cnf syntax; the option is the same)
  - remove all unneeded things: test databases, default users, default rights
  - grant only the rights needed for a certain task
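The cleanup and least-privilege grants as an added example (SQL written for this page, not from the slides); the database name, account names and passwords are placeholders. It runs as root against MySQL 5.x and mirrors what mysql_secure_installation does, plus one account per task.

```sql
-- Added example, not from the slides. Run as the MySQL root user.

-- 1. Remove the test database and the anonymous accounts that ship by default
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
DELETE FROM mysql.user WHERE User = '';

-- 2. root may only log in locally
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. One account per task. The web tier gets row-level DML on its own schema only:
--    no FILE (LOAD DATA / SELECT ... INTO OUTFILE would turn SQL injection into
--    file read/write on the server), no DROP, no GRANT, no access to mysql.*
CREATE USER 'shop_app'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'localhost';

-- 4. Schema changes and maintenance use a separate account the web server never sees
CREATE USER 'shop_admin'@'localhost' IDENTIFIED BY 'change-me-too';
GRANT ALL PRIVILEGES ON shop.* TO 'shop_admin'@'localhost';

FLUSH PRIVILEGES;

-- 5. Verify: the application account must show exactly the DML grant and nothing global
SHOW GRANTS FOR 'shop_app'@'localhost';
```

With skip-networking in my.cnf the 'localhost' host part is the only one that can ever match, which is the intended state: the application reaches MySQL over the Unix socket, and nothing else reaches it at all.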
PHP Security: secure PHP configuration
  - Deactivate: allow_url_fopen, allow_url_include, display_errors, expose_php, file_uploads (where the application takes no uploads), magic_quotes_gpc, register_globals, session.use_trans_sid
  - The slide also lists cgi.force_redirect and "file_support" among the things to deactivate. cgi.force_redirect must stay on when PHP runs as CGI (it stops direct calls to the php-cgi binary), and file_support is not a php.ini directive.
  - Set limits explicitly: memory_limit, post_max_size, upload_max_filesize, upload_tmp_dir, session.save_path (outside the docroot)
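The same settings as a php.ini fragment, added here as an example and not taken from the slides; the paths and size limits are assumptions for a single-application host and need adjusting.

```ini
; Added example, not from the slides: production php.ini settings for a LAMP host.
; Paths and limits are assumptions for this installation.

; no remote code or data through the URL wrappers
allow_url_fopen = Off
allow_url_include = Off          ; PHP >= 5.2

; errors go to the log, never to the user; no version banner in headers
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off

; the classic footguns
register_globals = Off
magic_quotes_gpc = Off           ; escape in code for the right context instead

; sessions: id only in the cookie, cookie not readable by script, store outside the docroot
session.use_trans_sid = 0
session.use_only_cookies = 1
session.cookie_httponly = 1      ; PHP >= 5.2
session.save_path = /var/lib/php/sessions

; uploads: On only because this application needs them; bounded and kept out of the docroot
file_uploads = On
upload_tmp_dir = /var/lib/php/upload
upload_max_filesize = 2M
post_max_size = 8M
memory_limit = 64M

; keep on when PHP runs as CGI: blocks direct requests to the php-cgi binary
cgi.force_redirect = 1

; defence in depth: no shell from PHP, and no reads outside the application tree
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/html:/var/lib/php
```

Both session.save_path and upload_tmp_dir must be writable by the web server user and by nobody else; with open_basedir they also have to be listed, which is why /var/lib/php appears there.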
Suhosin engine patches: global protection against low-level bugs in PHP
  - memory manager hardening (canaries, safe unlinking)
  - hashtable destructor protection
  - protection against format string vulnerabilities
  - realpath() hardening
Suhosin extension: protection against unknown PHP core-level bugs
  - forbidden functions per vhost
  - protection against remote inclusion
  - transparent session/cookie encryption
  - variable and upload filtering (a poor man's WAF)
Suhosin logging: for intrusion detection and for tuning the configuration
  - supports several output channels: syslog, shell script, PHP script, file
  - several impact levels
  - log messages carry file, line and remote IP
  - simulation mode to tune Suhosin without blocking anything
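An added configuration example, not from the slides or the Suhosin distribution, that turns the extension features just listed into php.ini directives: per-vhost function blacklist, inclusion protection, session and cookie encryption, request filtering and logging. The key values, the script path and the limits are assumptions.

```ini
; Added example, not from the slides: Suhosin extension settings. Keys, paths
; and limits are assumptions.
extension = suhosin.so

; --- tuning: log what would be blocked, block nothing. Switch Off when the log is quiet.
suhosin.simulation = On

; --- logging: everything to syslog (511 = S_ALL), high-impact events also to a script
suhosin.log.syslog = 511
suhosin.log.script = 64              ; S_EXECUTOR: forbidden functions, eval, includes
suhosin.log.script.name = /usr/local/sbin/suhosin-alert.sh
suhosin.log.use-x-forwarded-for = Off ; trust the real remote IP, not a client header

; --- executor: forbidden functions (per vhost: set with php_admin_value in the <VirtualHost>)
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen,dl
suhosin.executor.disable_eval = Off  ; On if the application never uses eval()
suhosin.executor.disable_emodifier = On

; --- remote inclusion: only plain files and the PHP data wrapper may be included
suhosin.executor.include.whitelist = data:

; --- transparent session/cookie encryption, bound to client address and user agent
suhosin.session.encrypt = On
suhosin.session.cryptkey = replace-with-a-long-random-secret
suhosin.session.cryptraddr = 2       ; first two octets of the client IP
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = replace-with-another-long-random-secret
suhosin.cookie.cryptua = On

; --- variable and upload filtering: the poor man's WAF
suhosin.request.max_vars = 200
suhosin.post.max_vars = 200
suhosin.get.max_value_length = 512
suhosin.upload.max_uploads = 5
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off ; On breaks image uploads
suhosin.mail.protect = 2             ; refuse mail() with newlines in headers / multiple recipients
```

The blacklist and the request limits can be set per vhost with php_admin_value inside the Apache VirtualHost block, which is how one host can forbid shell functions for the shop while still allowing them for the internal tools vhost.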
Coding Guidelines
  - code that is clean under E_ALL/E_STRICT
  - no global variables, no overwriting of variables across scopes
  - forbidden functions
  - constants are used wherever they can be used
  - database API with parameter binding
  - libraries for CSRF protection, input validation, filtering, escaping, database access
Input / Output flow in PHP
  - Input check: validation is done based on the knowledge of the expected content; if the input isn't valid, it is rejected or sanitized.
  - Output escaping: there are 5 escape methods for HTML, 1 for SQL and 2 for shell usage, and none of them is applied by default; the escaping has to match the context the data ends up in.
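The whole flow in one place, as an added example written for this page (not code from the slides): a comment form handler that checks a CSRF token, validates each field against what it is allowed to contain, binds parameters instead of building SQL strings, and escapes at the moment of output. The table, the column names, the DSN and the credentials are assumptions; the request array is constructed inline so the script runs without a browser, and a real handler would read $_POST instead. Requires PHP 7.1 or later with PDO and the MySQL driver.

```php
<?php
// Added example, not from the slides: validate -> bind -> escape for a comment form.
// Table, columns, DSN and credentials are assumptions; $request is constructed.
declare(strict_types=1);
error_reporting(E_ALL);

// --- CSRF token: tied to the session, compared in constant time ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $token): bool
{
    return isset($_SESSION['csrf']) && is_string($token)
        && hash_equals($_SESSION['csrf'], $token);
}

// --- Validation: decide from what each field may contain, reject what does not fit ---
function validate_comment(array $in): array
{
    $errors = [];
    $id = filter_var($in['post_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'post_id';
    }
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }
    $body = trim((string) ($in['body'] ?? ''));
    // length bound plus no control characters; HTML is allowed in, escaped on the way out
    if ($body === '' || strlen($body) > 2000
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $body)) {
        $errors[] = 'body';
    }
    return [$errors, ['post_id' => $id, 'email' => $email, 'body' => $body]];
}

// --- Database: parameter binding, never string concatenation ---
function store_comment(PDO $db, array $c): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (post_id, email, body) VALUES (:post_id, :email, :body)');
    $stmt->bindValue(':post_id', $c['post_id'], PDO::PARAM_INT);
    $stmt->bindValue(':email', $c['email'], PDO::PARAM_STR);
    $stmt->bindValue(':body', $c['body'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// --- Output: escape for the context the value lands in, at the point of output ---
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage with a constructed request (a real handler reads $_POST)
session_start();
$request = [
    'post_id' => '17',
    'email'   => 'a@example.org',
    'body'    => "<script>alert(1)</script> nice post",
    'csrf'    => csrf_token(),
];
if (!csrf_check($request['csrf'] ?? null)) {
    http_response_code(403);
    exit('bad token');
}
[$errors, $clean] = validate_comment($request);
if ($errors) {
    http_response_code(400);
    exit('invalid: ' . h(implode(', ', $errors)));
}
// ATTR_EMULATE_PREPARES=false makes the server, not the driver, separate query and data
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_app', 'change-me',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
               PDO::ATTR_EMULATE_PREPARES => false]);
$id = store_comment($db, $clean);
echo '<p id="c' . (int) $id . '">' . h($clean['body']) . '</p>';
// the script tag is stored verbatim and rendered as &lt;script&gt;...: data, not markup
```

The body is not "cleaned" on input: validation only decides whether the value is acceptable at all, and the HTML escaping happens once, in h(), where the value is written into HTML. A value that is later written into a shell command or a URL needs escapeshellarg() or rawurlencode() at that point instead, which is what "no default escape" means in practice.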
PHP-IDS
  - It's an IDS, not an XSS filter.
  - A better-than-nothing solution, like mod_security.
  - There has always been an IDS evasion.
  - No excuse to abandon proper validation, filtering and escaping.
  - Can be used to detect attacks and react to them inside the application.
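Reacting inside the application, as an added example and not code from the slides or the PHPIDS project: the request is handed to the PHPIDS monitor, each flagged field is logged, and the summed impact decides between logging only and terminating the session. The class names follow the PHPIDS 0.x API (IDS_Init, IDS_Monitor, IDS_Report, IDS_Event) as distributed by php-ids.org; the include path, the config file location and the thresholds are assumptions.

```php
<?php
// Added example, not from the slides: PHPIDS 0.x as an in-application sensor.
// Include path, config location and impact thresholds are assumptions.
set_include_path(get_include_path() . PATH_SEPARATOR . '/usr/share/php/phpids/lib');
require_once 'IDS/Init.php';

const IDS_IMPACT_LOG   = 10;   // worth a log line
const IDS_IMPACT_BLOCK = 30;   // drop the session and refuse the request

/**
 * Run PHPIDS over the request and return the summed impact (0 = nothing found).
 * Every suspicious field is written to the error log with its impact and tags.
 */
function ids_impact(array $request): int
{
    $init    = IDS_Init::init('/etc/phpids/Config.ini');
    $monitor = new IDS_Monitor($request, $init);
    $result  = $monitor->run();              // IDS_Report
    if ($result->isEmpty()) {
        return 0;
    }
    foreach ($result as $event) {            // one IDS_Event per flagged field
        error_log(sprintf('phpids: ip=%s field=%s impact=%d tags=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $event->getName(),
            $event->getImpact(),
            implode(',', $event->getTags())));
    }
    return $result->getImpact();
}

/**
 * Policy: below IDS_IMPACT_LOG ignore, below IDS_IMPACT_BLOCK only log,
 * otherwise terminate the session so a stolen or probed session dies with the attack.
 */
function ids_react(int $impact): string
{
    if ($impact < IDS_IMPACT_LOG) {
        return 'allow';
    }
    if ($impact < IDS_IMPACT_BLOCK) {
        return 'log';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
    return 'block';
}

// Usage: run before the application touches any input
session_start();
$request = ['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE];
$decision = ids_react(ids_impact($request));
if ($decision === 'block') {
    http_response_code(403);
    exit('request refused');
}
// 'allow' and 'log' both continue into the application; the log line is already written
```

The thresholds are the part to tune: run with reactions disabled first, collect impact values from real traffic, and only then pick the number above which a session is dropped. The slides' point stands: this detects, it does not make unescaped output safe.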
Questions?
  Contact me at: johann-peter.hartmann@sektioneins.de