Protecting TYPO3 With Suhosin And ModSecurity

How to protect TYPO3 and your Apache web server as a whole with Suhosin (for PHP) and ModSecurity (Apache module)

1. National Swiss-TUG Event
   Presentation by Xavier Perseguers
   Monday, January 26, 2009

2. Overview
   - Introduction
   - Suhosin
   - ModSecurity
   - Summary / Further Protection

3. Introduction

4. Introduction: About me
   - Senior Consultant / Developer @ ELCA Informatique SA
   - Server administrator
   - Using TYPO3 since 2005/2006
   - Actively developing for TYPO3 since 2008

5. Introduction: The Problem
   - Wide variety of threats
     - Integration of popular software packages
     - Server updates not installed
     - SQL injection, XSS
     - Unknown exploits

6. Introduction: The Problem (Big Picture)
   (Diagram: Client -> Web Server + extensions -> Database Server and Filesystem (R W X). Threat labels placed along that path: Input Validation, SQL Injection, Error, XSS, Command Execution, File Disclosure, Privilege Escalation.)

7. Introduction: Solutions
   - Prompt patching and updating of server software
   - Code quality in your extensions
   - Developing extensions with security in mind
   - Firewall / server hardening

8. Introduction: Solution, is that all?
   - Secure development practices?
   - Firewall: works at the TCP/IP layer, so it does not see XSS, remote file inclusion, ...
   - SSL-encrypted traffic?

9. Suhosin

10. Suhosin: What's that?
    - Advanced protection system for PHP (module / patch)
    - Runtime protection (module):
      - Transparent cookie / session encryption
      - Function black- and whitelist
      - ...
    - With the patch: low-level protection (buffer overflows, ...)

11. Suhosin: Sample Code
    - Very basic ACL check (the code listing on the slide is not part of the transcript)

12. Suhosin: Sample Code (cont.)
    - read (listing not part of the transcript)

13. Suhosin: Sample Code (cont.)
    - write (listing not part of the transcript)

14. Suhosin: Sample Code (cont.)
    (listing not part of the transcript)

15. Suhosin: Sample Code (cont.)
    - TYPO3 does not have such code (hopefully)
    - But the extensions you use?
    - Let's try Suhosin as a PHP module

16. Suhosin: How To Install (Debian)
    - Install as usual:
        # apt-get install php5-suhosin
    - Edit the file /etc/php5/conf.d/suhosin.ini
      - Activate any feature you wish
      - Do not use characters such as {}[] in cryptkeys
    - Restart Apache

17. Suhosin: Sample Code (again)
    (listing not part of the transcript)

18. Suhosin: Sample Code (again)
    (listing not part of the transcript)

19. Suhosin: Sample Code (again)
    (listing not part of the transcript)

20. Suhosin: (Some) Other Features
    - Scanning uploaded files
      - Use a script that outputs "1" if the file is valid. If it does not, the upload is discarded and $_FILES will be empty!
    - Disallow scripts to change memory_limit, or force an upper bound, when not using safe_mode
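The suhosin.ini edits are only visible as screenshots on the slides. As an added example, not the presenter's file, the fragment below enables the features named on slides 10, 16 and 20: transparent session and cookie encryption, a function blacklist, the upload verification script and a bound on memory_limit. The directive names are Suhosin's own; the two key values and the script path are placeholders to replace, and the blacklisted function list is a choice of this example.

```ini
; /etc/php5/conf.d/suhosin.ini  (added example; adjust to your setup)

; Start in simulation mode: violations are logged but not blocked. Switch
; to Off once syslog shows no hits caused by legitimate TYPO3 extensions.
suhosin.simulation = On
suhosin.log.syslog = 511                 ; 511 = every violation class (S_ALL)

; Transparent session and cookie encryption (slide 10). The keys below are
; placeholders: use long random strings made of letters and digits only,
; since {}[] and similar characters are interpreted by the ini parser (slide 16).
suhosin.session.encrypt  = On
suhosin.session.cryptkey = ReplaceWithLongRandomAlphanumericKey1
suhosin.cookie.encrypt   = On
suhosin.cookie.cryptkey  = ReplaceWithLongRandomAlphanumericKey2

; Function blacklist (slide 10): process-spawning functions a CMS should not
; need. If an extension really needs one, drop that single name from the list
; instead of removing the directive.
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Upload scanning (slide 20): Suhosin runs this script with the temporary file
; name as its argument; the script must print "1" to accept the file, otherwise
; the entry is silently dropped from $_FILES. The path is a placeholder.
suhosin.upload.verification_script = /usr/local/bin/check-upload.sh
suhosin.upload.disallow_elf = On         ; refuse ELF executables outright

; Memory limit (slide 20): the highest value a script may raise memory_limit
; to when safe_mode is off; 0 forbids raising it at all.
suhosin.memory_limit = 128M
```

Keep simulation mode on for the first days and read syslog: every function call, upload or limit that a legitimate extension would have tripped shows up there without breaking the site, which is how to learn what an extension actually needs before enforcing. Because a rejected upload leaves no trace on the PHP side except the missing $_FILES entry, the verification script should log whatever it refuses.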
21. ModSecurity

22. ModSecurity: Web Application Firewall
    - Filtering requests with regular expressions
    - Able to scan uploaded files (just as Suhosin does)
    - Prevents JavaScript / SQL injection
    - Much more
    (Diagram: ModSecurity sits in front of the application.)

23. ModSecurity: How To Install
    - Compile from source, or
    - Use a package (available from the official website): Debian, Fedora, FreeBSD, RedHat, ...
    - Core rules included in the distribution (more on this later)

24. ModSecurity: Let's Start Blocking!
    - Create the file /etc/apache2/conf.d/mod-security2 (listing not part of the transcript)
    - Open your browser

25. ModSecurity: Let's Start Blocking! (continued; same text as slide 24)

26. ModSecurity: Let's Start Blocking!
    Audit log entry for the blocked request (serial format, parts A, B, F, H and Z):

        --b1361a18-A--
        [23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
        --b1361a18-B--
        GET /?attack HTTP/1.1
        Host: yoursite.com
        User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Connection: keep-alive
        Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM
        --b1361a18-F--
        HTTP/1.1 412 Precondition Failed
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 267
        Keep-Alive: timeout=15, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=iso-8859-1
        --b1361a18-H--
        Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
        Action: Intercepted (phase 2)
        Stopwatch: 1232702819271014 2259647 (3639 3892 -)
        Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
        Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1
        --b1361a18-Z--
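The file /etc/apache2/conf.d/mod-security2 itself is only shown as a screenshot on slides 24 and 25. What follows is an added reconstruction, not the presenter's file, written to produce the audit-log entry above: a default action of deny with status 412 in phase 2, a serial audit log with parts A, B, F, H and Z, and a single rule matching the string "attack" in the request line. The audit log paths and the rule id are choices of this example, not values from the slides.

```apache
# /etc/apache2/conf.d/mod-security2  (added reconstruction, not the slide's own file)
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Serial audit log with the parts seen in the entry above; only blocked
    # or erroring transactions (4xx except 404, and 5xx) are written.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLogParts ABFHZ
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0

    # Every rule that carries no disruptive action of its own inherits this:
    # block in phase 2 (request headers and body available) with 412.
    SecDefaultAction "phase:2,deny,log,auditlog,status:412"

    # Demonstration rule: refuse any request whose request line contains
    # "attack". The id is optional in 2.5 (the version in the log above) and
    # mandatory from 2.7 on; 100001 is an arbitrary local id.
    SecRule REQUEST_LINE "attack" "id:100001,msg:'Demo: attack string in request line'"
</IfModule>
```

After `apache2ctl configtest` and a restart, `curl -s -o /dev/null -w '%{http_code}\n' 'http://yoursite.com/?attack'` prints 412 and the entry lands in modsec_audit.log, while `/?hello` still returns 200. A plain substring rule like this is only a demonstration: it also blocks any legitimate page or query string that merely contains the word, which is the point slide 28 makes about not writing real rule sets by hand.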
27. ModSecurity: What about real protection?
    - Willing to write a "real" set of SecRules yourself? (Excerpt of the CRS protocol-violation rules; the backslashes lost in the transcript are restored.)

        # Validate request line
        #
        SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
          "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"

        # HTTP Request Smuggling
        #
        SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
          "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"

        # Block request with malformed content.
        # ModSecurity will not inspect these, but the server application might do so
        #
        SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
          "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"

        # Accept only digits in content length
        #
        SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
          "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric',severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"

        # Do not accept GET or HEAD requests with bodies
        # HTTP standard allows GET requests to have a body but this
        # feature is not used in real life. Attackers could try to force
        # a request body on an unsuspecting web application.
        #
        SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
          "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
        SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

        # Require Content-Length to be provided with every POST request.
        #
        SecRule REQUEST_METHOD "^POST$" \
          "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
        SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

        # Don't accept transfer encodings we know we don't know how to handle
        # NOTE ModSecurity does not support chunked transfer encodings at

28. ModSecurity: What about real protection?
    - Willing to write a "real" set of SecRules yourself? I don't!

29. ModSecurity: What about real protection?
    - Core rules installed with the Debian package: /usr/share/doc/mod-security2-common/examples/rules/
    - Copy them to /var/lib/modsecurity2/core/
    - Edit your configuration

30. ModSecurity: What about real protection?
    - Edit the core rule file modsecurity_crs_10_config.conf to fit your needs
    - Hint: modsecurity.conf-minimal (from the package)
    - Restart Apache

31. ModSecurity: Let's Use TYPO3

32. ModSecurity: TYPO3 needs some tuning...
    Audit log entry for a legitimate backend edit blocked by core rule 950001 ("SQL Injection Attack"):

        --1a422639-A--
        [23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80
        --1a422639-B--
        POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
        ...
        --1a422639-H--
        Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

33. ModSecurity: Tuning for TYPO3
    - Add exceptions to /etc/apache2/conf.typo3.d/exceptions
      - Request: POST /typo3/alt_doc.php
      - Rule: id "950001", msg "SQL Injection Attack"

34. ModSecurity: Tuning for TYPO3
    - Add exceptions to /etc/apache2/conf.typo3.d/exceptions
    - Reference this file from the TYPO3 virtual hosts
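The exceptions file from slides 33 and 34 is shown only as a screenshot. As an added example, not the presenter's file, the configuration below switches CRS rule 950001 off for the backend editing script that produced the hit in the audit log on slide 32, and a virtual host includes the file as slide 34 describes. The file paths are the ones the slides name; the host name and document root are placeholders.

```apache
# /etc/apache2/conf.typo3.d/exceptions  (added example, not the slide's own file)
#
# Rule 950001 (CRS generic SQL injection check) fires on ordinary backend
# edits whenever an editor's text contains a fragment such as "insert into"
# (ARGS:data[tt_content][12][bodytext] in the audit log). Drop the rule for
# the backend editing script only; the frontend keeps it.
<IfModule mod_security2.c>
    <LocationMatch "^/typo3/alt_doc\.php">
        SecRuleRemoveById 950001
    </LocationMatch>
</IfModule>

# Second file, e.g. /etc/apache2/sites-available/typo3: every TYPO3 virtual
# host references the exceptions (slide 34). Host and paths are placeholders.
<VirtualHost *:80>
    ServerName typo3.example.org
    DocumentRoot /var/www/typo3
    Include /etc/apache2/conf.typo3.d/exceptions
</VirtualHost>
```

Run `apache2ctl configtest` before restarting. ModSecurity 2.5, the release on the slides, can only switch a whole rule off per location; excluding a single argument from a rule (SecRuleUpdateTargetById and ctl:ruleRemoveTargetById) arrived in later 2.x releases. Since /typo3/ is the authenticated backend, losing rule 950001 there exposes only what logged-in editors submit, while the public frontend stays covered. Every further false positive in the audit log becomes one more (path, rule id) pair in this file, which is how a hand-tuned list for common extensions grows past 100 lines, as slide 35 notes.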
35. ModSecurity: Tuning for TYPO3 (cont.)
    - Manual tuning with "common" extensions: > 100 lines
    - TYPO3 WAF project: a ready set of rules for ModSecurity, by Lars Houmark and Lars E. D. Jensen
      "Our goals with TYPO3 WAF. To create a minimal (server performance wise) rule set for TYPO3 and extensions which address very generic methods of attacking and TYPO3/extension security holes."

36. Summary & Further Protection

37. Summary
    - Suhosin: protects PHP and locks down the system
    - ModSecurity: focused on Web protocols; can analyze SSL traffic
    - Do not rely only on those systems

38. Summary: Be Proactive
    - Think like the adversary: What is wrong with my system? How can I exploit it?
    - It is never too late to add security
    - Do not ignore risk but mitigate it
    - Compartmentalize / least privilege
    - Fail safely, without information disclosure

39. Summary: System Lock Down
    - Fix filesystem permissions
      - Do not allow write access unless needed (typo3conf, uploads, ...)
      - Prevent file execution
    - Use SSL whenever possible
      - mod_ssl (dedicated IP / port)
      - mod_gnutls (not well supported though)
      - Reverse proxy (Apache, pound, nginx, ...)

40. Summary: Monitoring
    - Know if you are compromised / attacked
    - Offsite backups
    - Recovery procedures

41. Links
    - Suhosin Website: http://www.hardened-php.net/suhosin/
    - ModSecurity Website: http://www.modsecurity.org
    - Additional rule sets for ModSecurity: http://www.gotroot.com/mod_security+rules and http://typo3.org/waf.txt
    - WAF Project Newsgroup: news://news.netfielders.de/typo3.projects.waf
