Railo Installation on CentOS Linux 6 Best Practices



Similar documents
Addressing Application Layer Attacks with Mod Security

Nixu SNS Security White Paper May 2007 Version 1.2

Tibbr Installation Addendum for Amazon Web Services

SECURITY DOCUMENT. BetterTranslationTechnology

Install Cacti Network Monitoring Tool on CentOS 6.4 / RHEL 6.4 / Scientific Linux 6.4

Parallels Plesk Automation

OS Installation: CentOS 5.8

Content Management System

24x7 Scheduler Multi-platform Edition 5.2

Getting Started With Halo for Windows

First Steps after Installation Guide

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

VMware vcenter Log Insight Security Guide

Cloud.com CloudStack Community Edition 2.1 Beta Installation Guide

Installation Guide for contineo

Advanced Web Security, Lab

GpsGate Server. Installation and Administration Guide. Version: 2.2 Rev: 2

INUVIKA OVD INSTALLING INUVIKA OVD ON RHEL 6

Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) Twitter: Dave_ReL1K

Application Security Testing. Generic Test Strategy

IUCLID 5 Guidance and support. Installation Guide Distributed Version. Linux - Apache Tomcat - PostgreSQL

RemotelyAnywhere. Security Considerations

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

Securing your Apache Tomcat installation. Tim Funk November 2009

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Online Backup Client User Manual

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

How To Set Up The Barclaycard Epdq Cardholder Payment Interface (Cpi) On Papercut (Barclay Card) On A Microsoft Card (For A Credit Card) With A Creditcard (For An Account)

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

System Administration Training Guide. S100 Installation and Site Management

GWAVA 5. Migration Guide for Netware GWAVA 4 to Linux GWAVA 5

Hadoop Data Warehouse Manual

Virtual Machine daloradius Administrator Guide Version 0.9-9

Setting Up SSL on IIS6 for MEGA Advisor

5. At the Windows Component panel, select the Internet Information Services (IIS) checkbox, and then hit Next.

Secure Messaging Server Console... 2

Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter th December 2011

FortiWeb 5.0, Web Application Firewall Course #251

LDAP and Active Directory Guide

Lucid Key Server v2 Installation Documentation.

Online Backup Client User Manual Mac OS

Online Backup Client User Manual Mac OS

Sonian Getting Started Guide October 2008

Installation Instructions

VMware vcenter Log Insight Security Guide

Lab Objectives & Turn In

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Installation, Configuration and Administration Guide

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

HP IMC Firewall Manager

JMETER - MONITOR TEST PLAN

Creating an ESS instance on the Amazon Cloud

Penetration Testing LAB Setup Guide

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

CS 558 Internet Systems and Technologies

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

How To Link Tomcat 5 with IIS 6 on Windows 2003 Server using the JK2 ajp13 connector

SysPatrol - Server Security Monitor

Deployment - post Xserve

Quick Note 052. Connecting to Digi Remote Manager SM Through Web Proxy

Security Correlation Server Quick Installation Guide

PC Monitor Enterprise Server. Setup Guide

How can I keep my account safe from hackers, scammers and spammers?

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Lecture 15 - Web Security

TypingMaster Intra. LDAP / Active Directory Installation. Technical White Paper (2009-9)

Installing Booked scheduler on CentOS 6.5

STABLE & SECURE BANK lab writeup. Page 1 of 21

Filr 2.0 Administration Guide. April 2016

Locking down a Hitachi ID Suite server

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Dataworks System Services Guide

SnapLogic Sidekick Guide

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

UQC103S1 UFCE Systems Development. uqc103s/ufce PHP-mySQL 1

Monitoring Clearswift Gateways with SCOM

PaperCut Payment Gateway Module - PayPal Payflow Link - Quick Start Guide

Revolution R Enterprise DeployR 7.1 Installation Guide for Windows

A Roadmap for Securing IIS 5.0

Eucalyptus User Console Guide

Install and configure a Debian based UniFi controller

Web Application Vulnerability Testing with Nessus

Linux Networking Basics

Configure Single Sign on Between Domino and WPS

SSH and Basic Commands

How To Install An Org Vm Server On A Virtual Box On An Ubuntu (Orchestra) On A Windows Box On A Microsoft Zephyrus (Orroster) 2.5 (Orner)

Security Advice for Instances in the HP Cloud

The current version installed on your server is el6.x86_64 and it's the latest available.

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

IceWarp Server. Log Analyzer. Version 10

IPPBX FAQ. For Firmware Version: V2.0/V

Online Vulnerability Scanner Quick Start Guide

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Troubleshooting / FAQ

Transcription:

Railo Installation on CentOS Linux 6 Best Practices Purpose: This document is intended for system administrators who want to deploy their Mura CMS, Railo, Tomcat, and JRE stack in a secure but easy to follow manner. This document is not intended to guarantee foolproof security, but rather serve as a set of guidelines for common security minded best practices. It is important for the reader to understand that no system, no matter how well protected, will ever be 100% guaranteed secure; however, by following these simple guidelines the reader can ensure that their systems will deter the vast majority of common intrusion techniques. This document will assume that you, the reader, will have basic knowledge of installing CentOS Linux and editing files within it using the editor of your choice. Preparing Your Server 1. Start With a Blank Slate It is recommended that your begin by installing a fresh copy of CentOS 6 on to your server. The fresh copy of the Operating System will ensure that there are no lingering abnormalities in the system you'll be installing your Railo stack on to. It is also recommended that you perform a minimal install of CentOS, as it will mean that only the bare minimum will be installed initially. Anything that you need to add you can add manually. This also means that you won't have any superfluous programs running or even available on the server itself, and again it will minimize the initial attack vectors available on your server.

2. Start With a Very Minimal and Restrictive Firewall During the installation process, the CentOS installer will prompt you if you want to configure any initial firewall rules. It is recommended that you both enable the firewall, and only allow the most basic firewall exceptions, such as SSH access (port 21) and HTTP access (port 80). Again, this will minimize the attack vectors that an attacker could exploit. Once the initial minimal firewall is configured by the installation process, you should only add rules as absolutely necessary and if you can, add incoming IP Address restrictions on them so that only connections coming from approved ranges will be able to connect. For example, the following rule (added by editing the /etc/sysconfig/iptables file which was created by the install process) would restrict who can connect to your SSH port to only a specific Class C range of IP Addresses: A RH Firewall 1 INPUT m state state NEW m tcp p tcp dport 22 s 192.168.254.0/24 j ACCEPT Note the line above, the dport or Destination Port is port 22, which is the default SSH port. Next, note the IP range we used as an example here, which is 192.168.254.0 a very common internal network range. Please adjust the allowed IP ranges as necessary for your network. Once you've added or edited the line for the SSH port 22, don't forget to restart the iptables firewall with the following command: # /etc/init.d/iptables restart or... # service iptables restart Whichever you prefer. 3. Install All Available Patches It is important to install all available patches as soon as possible on your new system. You can patch the system manually with the following commands: # yum y upgrade yum # yum y upgrade As long as your system has access to the Internet and is able to download files from public repositories, YUM will go download all the latest patches that are available for your system. The first command updates the YUM program itself. The next line tells YUM to grab all other available updates. Because YUM itself was just updated, it should have the most recent patching information available to it. 4. Configure Automatic OS Patching Now that the system is all patched up, we need to configure a process that will run those same updates on a regular basis. I would recommend nightly for the most up to date patching. Also, if you run nightly, chances are good that the patch download will be quick and small every time.

To do this, we first need to create a shell script using the text editor of our choice. Let's call it yumupdate.sh. Now, we need to add the following commands to it: #!/bin/bash /usr/bin/yum y upgrade yum /usr/bin/yum y upgrade Once you've added those lines, save the file and place it in either of the following directories: /etc/cron.daily/yumupdate.sh /etc/cron.weekly/yumupdate.sh Just to be clear, files placed in cron.daily will be run every day, and files placed in cron.weekly will be run each week. The exact time that each are executed is controlled by the /etc/crontab file, which you can also customize as needed. Install Minimal Apache Modules As Apache will most likely be your most prominent and most important public facing server, it is a good idea to keep it as simple as possible to keep attack vectors at a minimum. Don't install modules that you're not sure you'll use, such as PHP, user directory support, or CGI BIN support. Hide Apache Version Number You can tell Apache to hide it s version number by modifying the ServerTokens attribute in the main Apache config file (httpd.conf in RHEL/CentOS or apache2.conf in Debian/Ubuntu): ServerTokens Prod Setting this value will cause Apache simply to report Apache and not include a version number. You can also disable the server signature, which is deisplayed at the bottom of any error messages Apache generates, by using the following parameter: ServerSignature Off 5. Additional Suggestions for the Security Minded a. Run SSH on a non standard port (instead of port 22) b. Leave SELinux enabled and create rules to allow Railo to function through it (Pete Freitag / Foundeo can provide additional assistance in getting SELinux working with Railo) Using the Railo Installer 1. Consider a Non Standard Installation Directory The standard installation directory for Railo is /opt/railo/. If an attacker knows this they can craft attacks based off that information. For example, attacks which use parent directory traversal mechanisms, such as../../opt/railo/ in the URL s. A non standard installation directory will simply make your server less

vulnerable to customized attacks. Maybe something unpredictable like /railo 04 21 78/ or /opt/cfml/server/railorocks/ The downside of this is that documentation is often written with the defaults in mind, and many examples are based on the defaults. As a reader, you will be required to interpolate the default documentation for your own specific environment. 2. Be Creative With Your Dedicated Railo System User It is far more difficult to brute force a username and password combination if an attacker has no idea where to begin with a username. To that end, be creative when you pick a username for your new Railo installation. Do not use obvious usernames such as admin or railo, but still keep it recognisable and memorable. For example, you could call your new Railo user theflash, after the speedy but fictional superhero character. You know... because he runs fast. 3. Consider Using a Phrase as a Password Using phrases as passwords is not a new idea, but it is possible to do with Railo and is a proven method for addressing brute force password break ins as well as makes it easy to remember a specific password. For example, consider the following pass phrase: I always thought about getting 1 but I never did! This phrase makes an excellent password. As far as number of characters goes, it's a whopping 49 characters long. It contains a mix of upper and lower case letters, numbers, and special characters. In the world of passwords, this easy to remember phrase is a behemoth, and very unlikely to be brute forced unless someone knew you were using a phrase and specifically targeted that kind of a pass phrase. At the time of this writing, most brute force attacks do not specifically target full phrases. Even if you don't decide to use a phrase as a password, it's a good idea to use as many characters as you can remember and mix it up with letters (mixed case), numbers, and special characters. Locking Down Your Railo Stack 1. Open Port 8888 Only to a Specific IP Port 8888 in a default Railo Installer configuration is the Tomcat web server port. This port is used as the default access point for the Railo Server Administrator. As the server administrator, you will likely access this URL in order to implement server wide policy for your Railo server. Restrict access to this port to only a single IP via the CentOS firewall by editing the /etc/sysconfig/iptables file and adding a line similar to the following: A RH Firewall 1 INPUT m state state NEW m tcp p tcp dport 8888 s 192.168.254.250 j ACCEPT As before, edit the source IP address by changing 192.168.254.250 to whatever is appropriate for your network. 2. Do Not Open Ports 8005 (Shutdown) or 8009 (AJP) to the Public

The Railo 4 BETA3 and newer installers will use mod_proxy_html by default, so the AJP port 8009, while available, is not used by default. If you need to open the AJP port to an external web server in order to connect to it from mod_proxy_ajp or mod_jk, then it is recommend you only open port 8009 to the IP address of the web server that needs to connect to it. You can use a firewall line similar to the example above and change the port and IP to match your network. The Tomcat Shutdown port 8005 by default should not be open to the public. It is recommended that you only initiate Tomcat shutdown commands from the local console. 3. Block Access to Railo Administrators Through Apache In your Apache host configuration for the site or sites you will be serving through Apache and Railo, you can add the following in order to deny access to all but approved IP's: <Location /railo context/admin> Order deny,allow Deny from all Allow from 192.168.254.250 Allow from 127.0.0.1 </Location> This same concept can be implemented to deny access to the Mura Administrator. If assets in the railo context are not needed (eg cfform javascript), then you may block the entire /railo context/ instead of just the administrator. 4. Lock down Apache and Railo Users The user accounts that Railo and Apache run as should be restricted such that they only have the ability to do what the application requires and nothing more. The default shell should be specified to /sbin/nologinprevent login over ssh. File system permissions should be restricted as well, Apache or Railo will typically only need read permission for most files in the web root. The execute permission may be required on directories. Railo and Apache should not be setup to run under the root account. 5. Ensure the JVM is up to date Ensure that the JVM version you are using contains all known security patches. 6. Additional Suggestions for the Security Minded: a. Create an additional Apache based password (.htpasswd) for sensitive areas. b. Force the use of SSL when accessing the Administrators c. Disguise Railo by either using full SES URL's or by replacing the extension to something other then a CFML related extension. IE: rename your.cfm files to.php and pass.php files off to Railo for processing. d. Ensure that the umaskhas been specified appropriately in the Tomcat/Railo startup script to prevent it from creating files with more permission than necessary. e. Consider setting up auditing with auditd

f. If the Tomcat/Apache AJP connector is used specify a shared secret. g. Remove any servlet/filter mappings from web.xmlthat are not required. Locking Down Railo Server 1. Disable Public Debugging Error Output To disable detailed error messages in Railo, log in to the Railo server administrator and go to Settings Error and select error public.cfm from the drop down options. This will only display an extremely generic and uninformative error message to the end users. If you like, you can customise these error templates to send an email off to your development team, informing them that an error occurred and possibly giving them more details about the error. 2. Ensure All Administrators for All Contexts Have Passwords Assigned and Use Captcha In the Railo Server Administrator, go to Security Password. From this screen you can set the passwords of all existing web contexts and enable captcha s to prevent brute forcing password breaking attempts on your Railo Server & Web Administrators

3. Reduce Request Timeouts as Low as Possible To change the Request Timeout value, log in to the Railo server administrator and go to Settings Application Request Timout. It is recommended you change it from 50 seconds to about 10 or so. Experiment with this to make sure the request timeouts do not effect needed functionality that may exist in your application. 4. Ensure Railo's Script Protect feature is enabled Railo's built in Script Protect feature is designed to protect your site from cross site scripting attacks. Script Protect will automatically filter dangerous tags in incoming variable scopes like CGI, cookie, form, and URL scopes.

To ensure Railo's Script Protect feature is enabled, log in to the Railo server administrator and go to Settings Application Script Protect and ensure it's set to all. Note: This setting does not provide comprehensive cross site scripting prevention, additional steps must be taken in your custom source code to alleviate risk. 5. Avoid Using System Heavy Client Variables Instead, try to keep as many variables as possible session based, so they expire and are removed when the session expires. 6. Set Session Timeouts to as Low as Possible This helps free up RAM and prevents some forms of DoS attacks. You can configure session timeout values globally in the Railo Server Administrator Settings Application screen. 7. Keep Datasource Permissions Simple If you can, only enable SELECT, INSERT, UPDATE, and DELETE permissions. This will almost nullify SQL injection attacks. What commands are accepted by Railo is configurable for each DSN, and is controlled when you create or edit a DSN. 8. Use a Separate DB User for Each DSN Isolating your Database users will help mitigate attacks should a site be found vulnerable. For example should a SQL injection attack occur in one site, the attacker will only have gained the powers of the single Database user account and would only have access to the sites and data for that site not any other sites that may be present on the system. 9. Consider Using a Web Application Firewall (like FuseGuard) Web Application Firewalls are excellent at detecting and deterring attacks on a system. High quality Web Application Firewalls also have the ability to log attacks to let you know what kind of attacks are being directed at your servers, so you can better prepare your defenses. Web Application Firewalls are well worth their initial investment. Additional information on FuseGuard can be found at this URL: http://foundeo.com/security/ This document prepared by:: Jordan Michaels (jordan@getrailo.org) Pete Freitag (pete@foundeo.com) Matt Levine (matt@blueriver.com)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information