Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter 2011 6th December 2011

Similar documents

Railo Installation on CentOS Linux 6 Best Practices

Linux Security Ideas and Tips

Penetration Testing Workshop

Linux MDS Firewall Supplement

Host/Platform Security. Module 11

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

SCP - Strategic Infrastructure Security

Magento Security Best practices 2015

Network Security and Firewall 1

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Nixu SNS Security White Paper May 2007 Version 1.2

Firewalls. Pehr Söderman KTH-CSC

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Install and configure a Debian based UniFi controller

Rapid Access Cloud: Se1ng up a Proxy Host

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

BF2CC Daemon Linux Installation Guide

Deployment - post Xserve

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Automated CPanel Backup Script. for home directory backup, remote FTP backup and Amazon S3 backup

What is included in the ATRC server support

Secure Network Filesystem (Secure NFS) By Travis Zigler

Lab Objectives & Turn In

Smartphone Pentest Framework v0.1. User Guide

Linux VPS with cpanel. Getting Started Guide

Securing Linux. Presented by: Darren Mobley

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Nessus Agents. October 2015

Parallels Plesk Panel

Install Cacti Network Monitoring Tool on CentOS 6.4 / RHEL 6.4 / Scientific Linux 6.4

CS Computer and Network Security: Firewalls

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

System Admin Module User Guide. Schmooze Com Inc.

Project 2: Firewall Design (Phase I)

Network Security In Linux: Scanning and Hacking

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

CS Computer and Network Security: Firewalls

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Hacking the WordpressEcosystem

AT&T CLOUD SERVICES. AT&T Synaptic Compute as a Service SM : How to Get Started. Version 2.0 January 2012

System Security Guide for Snare Server v7.0

Oracle Security Auditing

Oracle Security Auditing

Remotely Owning Secure Parking Systems

Mailborder. User Manual. Advanced Protection. Version Build 2. Copyright Mailborder Systems

Linux Firewalls (Ubuntu IPTables) II

CloudPassage Halo Technical Overview

System Management. Leif Nixon. a security perspective 1/37

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

Penetration Testing Report Client: Business Solutions June 15 th 2015

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

PCI Compliance. by: David Koston

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

How To Fix A Snare Server On A Linux Server On An Ubuntu (Amd64) (Amd86) (For Ubuntu) (Orchestra) (Uniden) (Powerpoint) (Networking

Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) Twitter: Dave_ReL1K

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Viking VPN Guide Linux/UNIX

Pen Test Tips 2. Shell vs. Terminal

Hardening MySQL. Maciej Dobrzański maciek at

Case Study 2 SPR500 Fall 2009

Operating System Security Hardening for SAP HANA

Manuale Turtle Firewall

OS Installation: CentOS 5.8

How to Secure RHEL 6.2 Part 2

Snare System Version Release Notes

WordPress Security Scan Configuration

Linux: 20 Iptables Examples For New SysAdmins

Parallels Plesk Automation

Internal Penetration Test

Linux Networking Basics

Linux MPS Firewall Supplement

Getting Started with RES Automation Manager Agent for Linux

dotdefender v5.12 for Apache Installation Guide Applicure Web Application Firewall Applicure Technologies Ltd. 1 of 11 support@applicure.

Networks and Security Lab. Network Forensics

HIPAA Compliance Use Case

Small Systems Solutions is the. Premier Red Hat and Professional. VMware Certified Partner and Reseller. in Saudi Arabia, as well a competent

CSC574 - Computer and Network Security Module: Firewalls

How to install PowerChute Network Shutdown on VMware ESXi 3.5, 4.0 and 4.1

ip6tables testing ip6tables Oliver Eggert (Universität Potsdam) ft6: firewall tester for IPv6 Folie 1 von 12

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

CloudPassage Halo Technical Overview

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Vulnerability Scan. January 6, 2015

Snare System Version Release Notes

The current version installed on your server is el6.x86_64 and it's the latest available.

Securing shared hosting using CageFS

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

Parallels Plesk Panel

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Firewalls. Chien-Chung Shen

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

Transcription:

Hardened Hosting Quintin Russ OWASP New Zealand Chapter 2011 6th December 2011 1

About Me Quintin Russ Technical Director, SiteHost http://www.sitehost.co.nz quintin@sitehost.co.nz Web Developer in previous life Focused on web infrastructure for last 5 years 2

Disclaimer There is no substitute for bug-free code 3

Hardening Hardening a Linux web server Searching returns a lot of information on this topic Not very useful, focused on Linux less on Web Start by picking the right distribution Ubuntu Their security features are continually getting better Their LTS releases are supported for longer periods https://wiki.ubuntu.com/security/features http://en.wikipedia.org/wiki/list_of_ubuntu_releases#version_timeline 4

Ubuntu Security Features 5

Ubuntu Release Timeline 6

Debian Release Timeline 7

Basic Hardening Your (web?) server is soft by default No Firewalling Soft SSH config remote root enabled / pw auth Weak directory permissions Web Server runs as a single user Apache has /icons/ alias Numerous other weak defaults often found Weak passwords on MySQL (Percona builds) Poor PHP defaults (magic quotes?) Trace enabled in Apache (fixed in modern distros) 8

File Uploads File Uploads Completely disabled is the best option If you cannot disable then filter the uploads Mod_Security - SecUploadApproveScript Suhosin suhosin.upload.verification_script PHP auto-prepend-file Easy to customize behaviour on a global basis 9

File Uploads File Uploads LFI to Remote Code Execution PHP local file inclusion to arbitrary code execution PHP uploads file to /tmp before running script Just need to guess the filename to execute Protect against with open_basedir restrictions or... by completely disabling uploads http://www.insomniasec.com/releases/whitepapers-presentations 10

Firewalling Firewalling Outbound is very important on web servers Whitelist if you can, blocking all other services, irc etc Test first iptables -I OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT then check counters: iptables -L -v 11

Firewalling Mod Security Very good when configured correctly I personally found the CRS to be too prohibative WHM / cpanel distributed rules much less painful Based on AtomicCorp.com rules Can be configured to block known bad behaviour Handy for blocking known vulnerabilities (timthumb.php) Also have seen it identify other bad behaviour I will go into this aspect in more detail in the future https://www.owasp.org/index.php/category:owasp_modsecurity_core_rule_set_project 12

Firewalling Example of good firewalling Proftpd vulnerability exploited late 2010 Used reverse shell connect back on port 45295 More work to change this value to port 80 or 443 Harder to automate however Ubuntu's stack protection helped mitigate exploitation 13

Firewalling Example of good firewalling timthumb.php included in thousands of WP Templates Remote code execution bug massively exploited Customers asked us to loosen Mod_Security rules Can also protect your network from outbound DoS Is UDP outbound valid for your application? Need to monitor number of dropped packets 14

Auditing + Automation Auditing Lsat Runs a number of host checks Lists SUID binaries Produces and Diffs MD5's of system / important files Backups Handy for should you get compromised Not optional, make sure you manage them directly 15

Auditing + Automation Process Accounting apt-get install acct No configuration it just works Can filter by binary / command 16

Auditing + Automation Process Accounting Can filter by user Unfortunately it does not display arguments :( It can also report CPU usage, using sa 17

Auditing + Automation AuditD monitoring file and syscall events Really easy to install - apt-get install auditd Does need configuring however. Monitor read, write, attributes to /etc/passwd auditctl -w /etc/passwd -p war -k password-file Monitor execution of /bin/dash binary auditctl -w /bin/dash -k dash -p x Monitor EXECVE syscall from web server user auditctl -S execve -A exit,always -F uid=33 -F gid=33 Use an external syslog server if you can 18

Auditing + Automation AuditD monitoring file and syscall events 19

More Hardening Apparmor / SELinux Are a sysadmins worst enemy A lot of documentation tells you to turn these off Can be very helpful depending on your environment Will go into these technologies in a future talk 20

Thank you for listening, questions? We're Hiring! Hardened Hosting Quintin Russ quintin@sitehost.co.nz 21