Protecting TYPO3 With Suhosin And Modsecurity

How to protect TYPO3 and your Apache web server as a whole with Suhosin (for PHP) and ModSecurity (Apache module)

  1. National Swiss-TUG Event. Presentation by Xavier Perseguers, Monday, January 26, 2009
  2. Overview
     - Introduction
     - Suhosin
     - ModSecurity
     - Summary / Further Protection
  3. Introduction
  4. Introduction: About me
     - Senior Consultant / Developer @ ELCA Informatique SA
     - Server administrator
     - Using TYPO3 since 2005/2006
     - Actively developing for TYPO3 since 2008
  5. Introduction: The Problem
     - Wide variety of threats
     - Integration of popular software packages
     - Server updates not installed
     - SQL injection, XSS
     - Unknown exploits
  6. Introduction: The Problem (Big Picture)
     [Diagram: client -> web server (+ extensions) -> database and filesystem (read / write / execute). Threats shown along the path: input validation, SQL injection, error disclosure, XSS, command execution, file disclosure, privilege escalation]
  7. Introduction: Solutions
     - Prompt patching and updating of server software
     - Code quality in your extensions
     - Developing extensions with security in mind
     - Firewall / server hardening
  8. Introduction: Solution, is that all?
     - Secure development practices?
     - A network firewall works at the TCP/IP layer: XSS, remote file inclusion, ... pass straight through it
     - What about SSL-encrypted traffic, which a network device cannot inspect?
  9. Suhosin
  10. Suhosin: What's that?
     - Advanced protection system for PHP (extension module and/or core patch)
     - Runtime protection (module): transparent cookie / session encryption, function blacklist and whitelist, ...
     - With the patch: low-level protection (buffer overflows in the engine, ...)
  11. Suhosin: Sample Code. Very basic ACL check:
  12. Suhosin: Sample Code (cont.): read
  13. Suhosin: Sample Code (cont.): write
  14. Suhosin: Sample Code (cont.)
  15. Suhosin: Sample Code (cont.)
     - TYPO3 does not have such code (hopefully)
     - But the extensions you use?
     - Let's try Suhosin as a PHP module
  16. Suhosin: How To Install (Debian)
     - Install as usual: # apt-get install php5-suhosin
     - Edit /etc/php5/conf.d/suhosin.ini and activate the features you want
     - Do not use characters such as {}[] and the like in crypt keys: they are reserved characters in php.ini values
     - Restart Apache
  17. Suhosin: Sample Code (again) (slides 17 to 19)
  20. Suhosin: (Some) Other Features
     - Scanning uploaded files: use a verification script that outputs "1" if the file is valid. If it does not, the upload is dropped and $_FILES will be empty!
     - Disallow scripts changing memory_limit, or force an upper bound on it, when not using safe_mode
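Putting slides 16 and 20 together, here is an added example of the Suhosin settings a server administrator would enable for one TYPO3 site. It is not from the presentation: the directives are expressed as php_admin_value / php_admin_flag inside the TYPO3 virtual host so they apply only to that site (the same keys go into /etc/php5/conf.d/suhosin.ini if you want them server-wide). The paths, key values and function list are assumptions for illustration.

```apache
# Added example: Suhosin hardening for one TYPO3 virtual host (mod_php).
# Not from the presentation; paths, keys and the blacklist are illustrative.
<VirtualHost *:80>
    ServerName typo3.example.com
    DocumentRoot /var/www/typo3

    # 1) Start in simulation mode: violations are logged (syslog by default)
    #    but nothing is blocked. Set to Off once the logs are clean for the
    #    extensions you actually run.
    php_admin_flag  suhosin.simulation On

    # 2) Transparent cookie and session encryption (slide 10). Keys must not
    #    contain {}[] and similar reserved characters (slide 16); quote them.
    php_admin_flag  suhosin.session.encrypt On
    php_admin_value suhosin.session.cryptkey "REPLACE-with-a-long-random-string"
    php_admin_flag  suhosin.cookie.encrypt On
    php_admin_value suhosin.cookie.cryptkey "REPLACE-with-another-long-random-string"

    # 3) Function blacklist (slide 10). exec() is deliberately NOT listed:
    #    TYPO3 4.x calls ImageMagick through exec() for image processing.
    #    An extension that needs one of these will show up in simulation mode.
    php_admin_value suhosin.executor.func.blacklist "system,shell_exec,passthru,popen,proc_open"
    php_admin_flag  suhosin.executor.disable_eval On
    # Never include/require a file the web server itself can write
    # (uploads/, typo3temp/ ...): breaks the upload-then-include exploit chain.
    php_admin_flag  suhosin.executor.include.allow_writable_files Off

    # 4) Upload scanning (slide 20): the script gets the temporary file name
    #    as its argument and must print "1" on its first line to keep the file.
    php_admin_value suhosin.upload.verification_script /usr/local/sbin/check_upload.sh
    php_admin_value suhosin.upload.max_uploads 5

    # 5) Memory (slide 20): ini_set('memory_limit') may raise it, but never
    #    above this bound.
    php_admin_value suhosin.memory_limit 128M
</VirtualHost>
```

Run with suhosin.simulation On for a few days of normal editing and frontend use, grep syslog for "ALERT" lines from suhosin, whitelist or drop what legitimate extensions trip over, and only then turn simulation off; a blacklist switched on blind breaks the site instead of protecting it.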
  21. ModSecurity
  22. ModSecurity: Web Application Firewall
     - Filters requests with regular expressions
     - Able to scan uploaded files (just as Suhosin does)
     - Blocks common JavaScript (XSS) and SQL injection patterns
     - ... and much more
     [Diagram: client -> ModSecurity -> application]
  23. ModSecurity: How To Install
     - Compile from source, or
     - Use a package (available from the official website): Debian, Fedora, FreeBSD, RedHat, ...
     - Core rules included in the distribution (more on this later)
  24. ModSecurity: Let's Start Blocking!
     - Create file /etc/apache2/conf.d/mod-security2
     - Open your browser (request /?attack)
  26. ModSecurity: Let's Start Blocking! (audit log entry for the blocked request)
       --b1361a18-A--
       [23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 46474 80
       --b1361a18-B--
       GET /?attack HTTP/1.1
       Host:
       User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2008120121 Firefox/3.0.5
       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
       Accept-Language: en-us,en;q=0.5
       Accept-Encoding: gzip,deflate
       Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
       Keep-Alive: 300
       Connection: keep-alive
       Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM
       --b1361a18-F--
       HTTP/1.1 412 Precondition Failed
       Vary: Accept-Encoding
       Content-Encoding: gzip
       Content-Length: 267
       Keep-Alive: timeout=15, max=100
       Connection: Keep-Alive
       Content-Type: text/html; charset=iso-8859-1
       --b1361a18-H--
       Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
       Action: Intercepted (phase 2)
       Stopwatch: 1232702819271014 2259647 (3639 3892 -)
       Producer: ModSecurity for Apache/2.5.7 (
       Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1
       --b1361a18-Z--
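The file created on slide 24 is not reproduced on the slides. As an added example (mine, not the presenter's), this is a /etc/apache2/conf.d/mod-security2 that produces exactly the audit record above: a phase 2 deny with status 412 on the pattern "attack" in REQUEST_LINE, and an audit log made of the A, B, F, H and Z parts. It uses ModSecurity 2.5 syntax to match the Producer line in the log; the log paths and the rule id are assumptions.

```apache
# Added example: minimal ModSecurity 2.5 setup for the "Let's Start Blocking!"
# demo. Not from the presentation; log paths and the rule id are assumed.
<IfModule security2_module>
    SecRuleEngine On                 # use DetectionOnly to log without blocking
    SecRequestBodyAccess On          # needed to inspect POST bodies (slide 32)
    SecResponseBodyAccess Off

    # Write an audit entry only for transactions a rule flagged, and only the
    # parts seen on the slide: A (header), B (request headers), F (response
    # headers), H (trailer with Message/Action/Stopwatch), Z (end marker).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecAuditLogParts ABFHZ
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0

    # The demo rule. t:lowercase makes "/?ATTACK" match as well; without it a
    # plain regex match is case-sensitive and trivially bypassed. Rule ids are
    # optional in 2.5 but mandatory from ModSecurity 2.7 on, so give one now.
    SecRule REQUEST_LINE "attack" \
        "phase:2,t:none,t:lowercase,deny,status:412,log,auditlog,id:'1001',msg:'Demo: attack keyword in request line'"
</IfModule>
```

Test it with curl -i 'http://localhost/?attack' and expect HTTP/1.1 412, then tail /var/log/apache2/modsec_audit.log for the --xxxxxxxx-H-- section quoting the rule. This single keyword rule is only a smoke test of the engine; real coverage comes from the core rules introduced on slide 29.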
  27. ModSecurity: What about real protection? Willing to write a "real" set of SecRules yourself? (excerpt from the core rules' protocol violation file)
       # Validate request line
       #
       SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
           "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"

       # HTTP Request Smuggling
       #
       SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
           "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"

       # Block request with malformed content.
       # ModSecurity will not inspect these, but the server application might do so
       #
       SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
           "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"

       # Accept only digits in content length
       #
       SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
           "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric',severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"

       # Do not accept GET or HEAD requests with bodies
       # HTTP standard allows GET requests to have a body but this
       # feature is not used in real life. Attackers could try to force
       # a request body on an unsuspecting web application.
       #
       SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
           "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
       SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

       # Require Content-Length to be provided with every POST request.
       #
       SecRule REQUEST_METHOD "^POST$" \
           "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
       SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

       # Don't accept transfer encodings we know we don't know how to handle
       # NOTE ModSecurity does not support chunked transfer encodings at
  28. ModSecurity: What about real protection? Willing to write a "real" set of SecRules yourself? I don't!
  29. ModSecurity: What about real protection?
     - Core rules are installed with the Debian package: /usr/share/doc/mod-security2-common/examples/rules/
     - Copy them to /var/lib/modsecurity2/core/
     - Edit your configuration
  30. ModSecurity: What about real protection?
     - Edit the core rule file modsecurity_crs_10_config.conf to fit your needs
     - Hint: start from modsecurity.conf-minimal (from the package)
     - Restart Apache
  31. ModSecurity: Let's Use TYPO3
  32. ModSecurity: TYPO3 needs some tuning... (audit log entry: saving a content element in the backend is blocked by core rule 950001, "SQL Injection Attack", because the bodytext field contains "insert into")
       --1a422639-A--
       [23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 37436 80
       --1a422639-B--
       POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
       ...
       --1a422639-H--
       Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
  33. ModSecurity: Tuning for TYPO3
     - Add exceptions to /etc/apache2/conf.typo3.d/exceptions: for POST /typo3/alt_doc.php, do not apply id 950001 ("SQL Injection Attack")
  34. ModSecurity: Tuning for TYPO3
     - Add exceptions to /etc/apache2/conf.typo3.d/exceptions
     - Reference this file from the TYPO3 virtual hosts
  35. ModSecurity: Tuning for TYPO3 (cont.)
     - Manual tuning with "common" extensions: > 100 lines
     - TYPO3 WAF project: a ready-made set of rules for ModSecurity, by Lars Houmark and Lars E. D. Jensen
       "Our goals with TYPO3 WAF: to create a minimal (server performance wise) rule set for TYPO3 and extensions which addresses very generic methods of attacking and TYPO3/extension security holes."
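For slides 32 to 34, here is an added example (not the presenter's file) of an /etc/apache2/conf.typo3.d/exceptions fragment that lifts the false positive shown in the audit log: core rule 950001 ("SQL Injection Attack") firing on content-element bodytext posted to /typo3/alt_doc.php. The rule is removed only for that backend script rather than for the whole server, using SecRuleRemoveById inside a LocationMatch, which ModSecurity 2.5 supports, and the loss of that rule on the backend is compensated by restricting /typo3/ to the editors' network. The path to the file, the document root and the IP range are assumptions.

```apache
# Added example: TYPO3-specific ModSecurity exceptions, one file shared by all
# TYPO3 virtual hosts. Not from the presentation; paths and IPs are assumed.
#
# Reference it from every TYPO3 <VirtualHost> (slide 34):
#     Include /etc/apache2/conf.typo3.d/exceptions

# Backend editors legitimately save text containing "insert into", "select ..
# from", "<script>" and the like. In the audit log this hit core rule 950001
# (modsecurity_crs_40_generic_attacks.conf) on ARGS:data[tt_content][12][bodytext].
# Disable that rule only for the editing form script, not for the frontend,
# where nobody should be posting SQL keywords.
<LocationMatch "^/typo3/alt_doc\.php">
    SecRuleRemoveById 950001
</LocationMatch>

# Compensating control: with the SQLi rule gone on that script, make sure only
# your editors can reach the backend at all (Apache 2.2 access syntax;
# 192.0.2.0/24 stands for the office / VPN range).
<Location /typo3/>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Location>
```

Each further false positive from the audit log gets its own narrow LocationMatch with the offending rule id, which is how the "> 100 lines" of manual tuning on slide 35 accumulate with common extensions. Later ModSecurity releases add SecRuleUpdateTargetById, which lets you exclude just the bodytext argument from rule 950001 instead of switching the whole rule off for the script.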
  36. Summary & Further Protection
  37. Summary
     - Suhosin: protects PHP and locks down the system
     - ModSecurity: focused on the web protocols; inspects SSL traffic too, since it runs inside Apache after decryption
     - Do not rely only on those systems
  38. Summary: Be Proactive
     - Think like the adversary: what is wrong with my system? How can I exploit it?
     - It is never too late to add security
     - Do not ignore risk but mitigate it
     - Compartmentalize / least privilege
     - Fail safely, without information disclosure
  39. Summary: System Lock Down
     - Fix filesystem permissions: do not allow write access unless needed (typo3conf, uploads, ...)
     - Prevent file execution in the directories that must stay writable
     - Use SSL whenever possible: mod_ssl (needs a dedicated IP / port per site), mod_gnutls (not well supported though), or a reverse proxy (Apache, pound, nginx, ...)
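The "prevent file execution" point of slide 39, as an added example that is not from the presentation: Apache 2.2 configuration that switches the PHP engine off and strips script handlers in the directories a TYPO3 4.x site must be able to write to, so a file that slips past the Suhosin or ModSecurity upload checks into uploads/ or fileadmin/ still cannot be executed. /var/www/typo3 is an assumed DocumentRoot.

```apache
# Added example: no code execution from web-writable TYPO3 directories.
# Not from the presentation; /var/www/typo3 is an assumed DocumentRoot.
# TYPO3 4.x needs write access to typo3conf/, typo3temp/, uploads/, fileadmin/.

# No .htaccess anywhere under the site: an uploaded .htaccess must not be able
# to re-enable handlers. Put rewrite rules in the vhost instead.
# (AllowOverride is only valid in a plain <Directory>, not in DirectoryMatch.)
<Directory /var/www/typo3>
    AllowOverride None
    Options -Indexes -ExecCGI -Includes FollowSymLinks
</Directory>

# The three trees that hold user-supplied or generated files are served as
# static data only.
<DirectoryMatch "^/var/www/typo3/(?:typo3temp|uploads|fileadmin)/">
    # mod_php: no PHP execution here, and not overridable from scripts
    php_admin_flag engine off
    # drop every handler and type mapping that could still run a script
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps .shtml .cgi .pl
    RemoveType    .php .phtml .php3 .php4 .php5 .phps
    # Belt and braces: refuse to serve script-looking names at all. The
    # trailing (?:\.|$) also catches double extensions such as shell.php.jpg,
    # which Apache's multiple-extension handling would otherwise treat as PHP.
    <FilesMatch "\.(?:php\d?|phtml|phps|cgi|pl|sh|shtml)(?:\.|$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</DirectoryMatch>
```

typo3conf/ is deliberately not in the list: extension code lives in typo3conf/ext/ and must keep executing (the audit log on slide 32 shows a backend module at /typo3conf/ext/templavoila/mod1/index.php), so that directory is protected with the ownership and permission rules of the same slide, writable by the deploying user and only readable by the Apache user, rather than by handler removal.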
  40. Summary: Monitoring
     - Know if you are compromised / attacked
     - Offsite backups
     - Recovery procedures
  41. Links
     - Suhosin website
     - ModSecurity website
     - Additional ruleset for ModSecurity: TYPO3 WAF project
     - Newsgroup: news://