creating "secure" php applications, part 2, server hardening

Posted on 19-Jun-2015


Creating “Secure” PHP Applications, Part 2

Server Hardening

So, who are you, anyway?

Bryan C. Geraghty
Security Consultant at Security PS

@archwisp

I’m a Sr. PHP developer with a systems and security engineering background, turned application security consultant.

Security Basics

- Remember, layers
- Simpler is easier to test
- Don’t make assumptions
- Compromised browser = game over

Disable Unused Services

- If you’re not using it, you don’t know what it’s doing.
- If you don’t know what it does, find someone who does.

Netstat

bryan@bryan-sps ~ $ sudo netstat -lntp
[sudo] password for bryan:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      4786/openvpn
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1175/mysqld
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4792/dnsmasq
tcp        0      0 127.0.0.1:8182          0.0.0.0:*               LISTEN      5083/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1058/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10521/master
tcp6       0      0 :::80                   :::*                    LISTEN      1609/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      966/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1058/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      10521/master

Show any listening services
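The listing above mixes loopback-only services with ones bound to every interface. The following is an added example (not from the slides) that reads `netstat -lntp` output and reports only the listeners reachable from other hosts, which are the first candidates for "if you're not using it, disable it"; the sample input is constructed in the same layout as the output above.

```shell
#!/bin/sh
# Added example, not from the slides: read `netstat -lntp` output and list the
# listeners bound to every interface (0.0.0.0 or ::). Those are the services a remote
# host can reach; loopback-only listeners (127.0.0.1, ::1) are left out of the report.
# Usage: sudo netstat -lntp | exposed_listeners   -> prints "<port> <program>" per line
exposed_listeners() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")               # port is after the last colon
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                prog = $7
                sub(/^[0-9]+\//, "", prog)            # drop the "PID/" prefix
                print port " " prog
            }
        }'
}

# Constructed sample in the same layout as the netstat output above
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1175/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1058/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1609/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      10521/master'

# For the sample this reports "22 sshd" and "80 apache2"
audit_sample() {
    printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
}
```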

update-rc.d

bryan@bryan-sps ~ $ sudo update-rc.d cups disable
update-rc.d: warning: /etc/init.d/cups missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
 Disabling system startup links for /etc/init.d/cups ...
 Removing any system startup links for /etc/init.d/cups ...
   /etc/rc0.d/K20cups
   /etc/rc1.d/K20cups
   /etc/rc2.d/S20cups
   /etc/rc3.d/S20cups
   /etc/rc4.d/S20cups
   /etc/rc5.d/S20cups
   /etc/rc6.d/K20cups
 Adding system startup for /etc/init.d/cups ...
   /etc/rc0.d/K20cups -> ../init.d/cups
   /etc/rc1.d/K20cups -> ../init.d/cups
   /etc/rc6.d/K20cups -> ../init.d/cups
   /etc/rc2.d/K80cups -> ../init.d/cups
   /etc/rc3.d/K80cups -> ../init.d/cups
   /etc/rc4.d/K80cups -> ../init.d/cups
   /etc/rc5.d/K80cups -> ../init.d/cups

Init utility for Debian-based systems

chkconfig

bryan@bryan-sps ~ $ sudo chkconfig --list | fgrep ":on"
acpi-support      0:off 1:off 2:on  3:on  4:on  5:on  6:off
apache2           0:off 1:off 2:on  3:on  4:on  5:on  6:off
apparmor          0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
brltty            0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
cryptdisks        0:on  1:off 2:off 3:off 4:off 5:off 6:off
cryptdisks-early  0:on  1:off 2:off 3:off 4:off 5:off 6:off
dns-clean         0:off 1:on  2:on  3:on  4:on  5:on  6:off
grub-common       0:off 1:off 2:on  3:on  4:on  5:on  6:off
kerneloops        0:off 1:off 2:on  3:on  4:on  5:on  6:off
killprocs         0:off 1:on  2:off 3:off 4:off 5:off 6:off
networking        0:on  1:off 2:off 3:off 4:off 5:off 6:off
ondemand          0:off 1:off 2:on  3:on  4:on  5:on  6:off
openvpn           0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix           0:off 1:off 2:on  3:on  4:on  5:on  6:off
pppd-dns          0:off 1:on  2:on  3:on  4:on  5:on  6:off
pulseaudio        0:off 1:off 2:on  3:on  4:on  5:on  6:off
rc.local          0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsync             0:off 1:off 2:on  3:on  4:on  5:on  6:off
saned             0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendsigs          0:on  1:off 2:off 3:off 4:off 5:off 6:off
speech-dispatcher 0:off 1:off 2:on  3:on  4:on  5:on  6:off
sudo              0:off 1:off 2:on  3:on  4:on  5:on  6:off
umountfs          0:on  1:off 2:off 3:off 4:off 5:off 6:off
umountnfs.sh      0:on  1:off 2:off 3:off 4:off 5:off 6:off
umountroot        0:on  1:off 2:off 3:off 4:off 5:off 6:off
urandom           0:on  1:off 2:off 3:off 4:off 5:off 6:off S:on
winbind           0:off 1:off 2:on  3:on  4:on  5:on  6:off
x11-common        0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
xrdp              0:off 1:off 2:on  3:on  4:on  5:on  6:off

Init utility for pretty much everyone else

Access Control Lists (ACLs)

Beyond chmod

Access Control Rules

- Never set directory permissions to 777
- The web server user should be able to read from the web root only
- The web server user should be able to write to log and cache directories only
- Other users should not be able to access cache & log files
- Don't allow web applications to self-update

Enable ACLs

# <file system>                            <mount point> <type> <options>             <dump> <pass>
proc                                       /proc         proc   nodev,noexec,nosuid   0      0
/dev/mapper/bryan--sps-root                /             ext4   errors=remount-ro,acl 0      1
UUID=ecddec0c-10c0-4fa8-8421-98ede0b19ac6  /boot         ext2   defaults              0      2
/dev/mapper/bryan--sps-swap_1              none          swap   sw                    0      0
/dev/mapper/cryptswap1                     none          swap   sw                    0      0

Edit /etc/fstab and add the “acl” mount option to your volumes

grant-apache-read

#!/bin/bash
# Author :: Bryan Geraghty
# Date   :: 2007-09-12
# Notes  :: This script resets permissions

source ~/lib/acl.bash;

# Default to the current directory when no path is given
if [ -z "$1" ]; then
    DIR='.';
else
    DIR="$1";
fi

grantUserRead 'www-data' "$DIR" '*';

A simple wrapper script for grant operations. I have one for write as well.

grantUserRead

### Grants read permissions to all files/folders with names matching $3, which reside
# inside of directory $2, to user $1.
#
# @param string $1 Username  The user to whom read permissions will be granted
# @param string $2 Base path Path in which all operations will take place
# @param string $3 Target    Name of the file/directory on which to set the permissions
#
function grantUserRead
{
    echo "Granting read permission to user $1 on files/folders named $3 in directory $2";

    ## Set the default permissions for new files on the specified directory
    echo "Setting defaults...";
    find "$2" -name "$3" -type d -exec setfacl -d -m "u:$1:rx" {} \;

    ## Recursively set the permissions on all existing directories and files within the
    ## specified directory
    echo "Setting directory permissions...";
    find "$2" -name "$3" -type d -exec setfacl -R -m "u:$1:rx" {} \;

    ## Grant permissions to any files with the specified name
    echo "Setting file permissions...";
    find "$2" -name "$3" -type f -exec setfacl -m "u:$1:r" {} \;
}

https://github.com/archwisp/linux-home/blob/master/lib/acl.bash
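Granting is one half of the job; checking that a box still matches the Access Control Rules above is the other. The following is an added example, not from the slides or the author's acl.bash: it audits `getfacl` output against those rules. It assumes the web server user is www-data, that getfacl was run on absolute paths (it prints them without the leading slash), and that the log/cache directories the web user may write to are passed as arguments; the getfacl sample is constructed.

```shell
#!/bin/sh
# Added example, not from the slides or the author's acl.bash. Reports three things:
# the web user holding write access outside the log/cache directories, any access for
# "other" inside them, and entries whose owner/group/other bits amount to mode 777.
# Usage: getfacl -R /var/www /var/log/apache2 | acl_violations www-data <writable dir>...
acl_violations() {
    web_user=$1; shift
    awk -v user="$web_user" -v writable="$*" '
        BEGIN { nw = split(writable, wdirs, " ") }
        /^# file: / {
            path = "/" substr($0, 9); inw = 0    # inw: path is (under) a log/cache dir
            for (i = 1; i <= nw; i++)
                if (path == wdirs[i] || index(path, wdirs[i] "/") == 1) inw = 1
            next
        }
        /^(default:)?(user|group|other):/ {
            nf = split($0, f, ":"); perms = f[nf]; who = f[nf - 1]; kind = f[nf - 2]
            if (kind == "user" && who == user && index(perms, "w") && !inw)
                print path ": " user " can write outside the log/cache directories"
            if (kind == "other" && inw && perms != "---")
                print path ": other users can access a log/cache directory"
            if (who == "") base[kind] = perms    # owner/group/other bits of this entry
        }
        /^other::/ && base["user"] == "rwx" && base["group"] == "rwx" && perms == "rwx" {
            print path ": mode 777"
        }'
}
# Constructed getfacl output: a compliant cache dir, an uploads dir that is 777 and
# writable by the web user, and a log dir that other users can read.
ACL_SAMPLE='# file: var/www/html/cache
user::rwx
user:www-data:rwx
group::rwx
other::---

# file: var/www/html/uploads
user::rwx
user:www-data:rwx
group::rwx
other::rwx

# file: var/log/apache2
user::rwx
user:www-data:rwx
group::r-x
other::r-x'
audit_sample() {
    printf '%s\n' "$ACL_SAMPLE" | acl_violations www-data /var/www/html/cache /var/log/apache2
}
```

The audit ignores the ACL mask, so an entry it flags may be narrower in practice; what it reports is still what the rules say should not be granted at all.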

Mandatory Access Control (MAC)

Prevent anything you haven't approved from being executed

There are a few MAC options:

- SELinux
- AppArmor
- TOMOYO
- TrustedBSD
- TrustedSolaris
- Others

How SELinux Works

- You assign security labels to all users, roles, files, network interfaces, ports, etc.
- You create policies for each user/role that needs to perform an action on a file (read, write, execute, etc.) using the security labels.
- The SELinux kernel module enforces access.
- If a new file is introduced to the system, it must be labeled and a new policy must be created in order for it to be accessed.

Installing SELinux in Ubuntu 12.04?

I tried to set it up recently and haven’t been able to figure out how to enable the strict policy. I’ll do a blog post on this once I get it working.

Automatic Protection

Blanket controls with a poor history of effectiveness

Blanket controls can be beneficial, but don’t rely on them for protection.

- Magic Quotes
- Safe Mode
- Suhosin
- mod_security

Memory & Thread Limits

Know your bounds

Set a Reasonable PHP Memory Limit

- Never remove the limit in a production system
- It only takes one large request to bring your server to a halt
- You get to decide what is reasonable
- A larger limit means less work for you but allows your server to handle fewer requests

top

top - 03:14:26 up 5:23, 2 users, load average: 0.09, 0.05, 0.05
Tasks: 138 total, 1 running, 137 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.7%us, 1.2%sy, 0.0%ni, 98.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2062248k total, 1352564k used, 709684k free, 302624k buffers
Swap: 0k total, 0k used, 0k free, 696664k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1830 www-data  20   0 70176 6908 2732 S    0  0.3   0:00.15 apache2
 1831 www-data  20   0 70176 6704 2568 S    0  0.3   0:00.11 apache2

Once in top, hit SHIFT-M to sort by memory. This will allow you to examine the memory footprint of your web server instances. (This is a dev server with no load)

Set your web server process limits

If you run Apache, set MaxClients to a value lower than your total memory divided by the size of the memory footprint for each web server process.

MaxClients is the number of simultaneous connections that will be served.

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
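The rule above is a division, but the input it needs (the per-worker footprint) comes out of top or ps, and the result should leave room for everything else on the box. The following is an added example, not from the slides: it takes the total memory from the top output above, the RES of the largest apache2 worker from a constructed ps sample, and a reserve percentage (our assumption; the slides only say "lower than" the plain quotient) and prints the resulting MaxClients bound.

```shell
#!/bin/sh
# Added example, not from the slides: turn the MaxClients rule into a number.
# Usage: max_clients <mem_total_kb> <reserve_percent> <worker_rss_kb>...
# The reserve percentage (memory kept back for the OS, MySQL and everything else on
# the box) is our assumption. The largest worker is used rather than the average so
# the bound still holds when every worker grows to the size of the biggest one seen.
max_clients() {
    mem_total=$1; reserve=$2; shift 2
    largest=0
    for rss in "$@"; do
        if [ "$rss" -gt "$largest" ]; then largest=$rss; fi
    done
    if [ "$largest" -le 0 ]; then
        echo "no worker sizes given" >&2
        return 1
    fi
    available=$(( mem_total * (100 - reserve) / 100 ))
    echo $(( available / largest ))
}

# Extract the RSS column for apache2 workers from `ps -u www-data -o rss=,comm=` output
worker_rss() {
    awk '$2 == "apache2" { print $1 }'
}

# Constructed ps output standing in for the two workers in the top output above
PS_SAMPLE=' 6908 apache2
 6704 apache2
 3120 sshd'

# 2062248 kB total (the box in the top output), 25% reserved:
# 2062248 * 75 / 100 = 1546686 kB; 1546686 / 6908 = 223
demo() {
    # word splitting of the command substitution is intended here
    max_clients 2062248 25 $(printf '%s\n' "$PS_SAMPLE" | worker_rss)
}
```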

And Don’t Forget

PHPMyAdmin bypasses MySQL host filtering!

Next Month: Part 3, Error Handling

- Error Handlers
- Exception Handlers
- Status Codes
- Environments
- Gotchas

Thanks!

If you’re interested in an application security career, come talk with me.
