Creating “Secure” PHP Applications, Part 2 Server Hardening

Upload: archwisp

Post on 19-Jun-2015


TRANSCRIPT

Page 1: Creating "Secure" PHP applications, Part 2, Server Hardening

Creating “Secure” PHP Applications, Part 2

Server Hardening

Page 2: Creating "Secure" PHP applications, Part 2, Server Hardening

So, who are you, anyway?

Bryan C. Geraghty
Security Consultant at Security PS

@archwisp

I’m a Sr. PHP developer with a systems and security engineering background - turned application security consultant

Page 3: Creating "Secure" PHP applications, Part 2, Server Hardening

Security Basics
Remember, layers
Simpler is easier to test
Don’t make assumptions
Compromised browser = game over

Page 4: Creating "Secure" PHP applications, Part 2, Server Hardening

Disable Unused Services
If you’re not using it, you don’t know what it’s doing.
If you don’t know what it does, find someone who does.

Page 5: Creating "Secure" PHP applications, Part 2, Server Hardening

Netstat

bryan@bryan-sps ~ $ sudo netstat -lntp
[sudo] password for bryan:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      4786/openvpn
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1175/mysqld
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4792/dnsmasq
tcp        0      0 127.0.0.1:8182          0.0.0.0:*               LISTEN      5083/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1058/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10521/master
tcp6       0      0 :::80                   :::*                    LISTEN      1609/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      966/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1058/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      10521/master

Show any listening services
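The listing above mixes loopback-only services (mysqld, cupsd, postfix) with ones bound to every interface (sshd, apache2). The following script is an added example, not part of the talk: it parses `netstat -lntp` output and reports only the wildcard-bound listeners, which are the ones reachable from the network. The sample input is constructed from the slide's listing; the `ss -lntp` column layout differs and would need a different awk field mapping.

```shell
#!/bin/bash
# Report services listening on a wildcard address (0.0.0.0 or ::), i.e. the
# ones exposed beyond localhost, from `netstat -lntp` output.
# Added example, not from the talk. Sample input constructed from the slide.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      4786/openvpn
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1175/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      966/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10521/master
tcp6       0      0 :::80                   :::*                    LISTEN      1609/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      966/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1058/cupsd'

# Reads netstat -lntp output on stdin; prints "port program" for every LISTEN
# socket bound to a wildcard address, one line per port (the IPv4 and IPv6
# entries for the same port collapse into one), sorted numerically.
exposed_listeners() {
    awk '$6 == "LISTEN" {
            addr = $4
            n = split(addr, p, ":"); port = p[n]              # last ":"-field is the port
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                np = split($7, prog, "/")                       # "966/sshd" -> "sshd"
                seen[port] = (np > 1) ? prog[2] : $7            # "-" when not root
            }
         }
         END { for (port in seen) print port, seen[port] }' | sort -n
}

# Run the check against the embedded sample listing.
exposed_in_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

# On a real host: sudo netstat -lntp | exposed_listeners
```

Anything this prints that is not meant to be public should be bound to 127.0.0.1 or disabled with update-rc.d/chkconfig as shown on the next slides.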

Page 6: Creating "Secure" PHP applications, Part 2, Server Hardening

update-rc.d

bryan@bryan-sps ~ $ sudo update-rc.d cups disable
update-rc.d: warning: /etc/init.d/cups missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
 Disabling system startup links for /etc/init.d/cups ...
 Removing any system startup links for /etc/init.d/cups ...
   /etc/rc0.d/K20cups
   /etc/rc1.d/K20cups
   /etc/rc2.d/S20cups
   /etc/rc3.d/S20cups
   /etc/rc4.d/S20cups
   /etc/rc5.d/S20cups
   /etc/rc6.d/K20cups
 Adding system startup for /etc/init.d/cups ...
   /etc/rc0.d/K20cups -> ../init.d/cups
   /etc/rc1.d/K20cups -> ../init.d/cups
   /etc/rc6.d/K20cups -> ../init.d/cups
   /etc/rc2.d/K80cups -> ../init.d/cups
   /etc/rc3.d/K80cups -> ../init.d/cups
   /etc/rc4.d/K80cups -> ../init.d/cups
   /etc/rc5.d/K80cups -> ../init.d/cups

Init utility for Debian based systems

Page 7: Creating "Secure" PHP applications, Part 2, Server Hardening

chkconfig

bryan@bryan-sps ~ $ sudo chkconfig --list | fgrep ":on"
acpi-support       0:off 1:off 2:on  3:on  4:on  5:on  6:off
apache2            0:off 1:off 2:on  3:on  4:on  5:on  6:off
apparmor           0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
brltty             0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
cryptdisks         0:on  1:off 2:off 3:off 4:off 5:off 6:off
cryptdisks-early   0:on  1:off 2:off 3:off 4:off 5:off 6:off
dns-clean          0:off 1:on  2:on  3:on  4:on  5:on  6:off
grub-common        0:off 1:off 2:on  3:on  4:on  5:on  6:off
kerneloops         0:off 1:off 2:on  3:on  4:on  5:on  6:off
killprocs          0:off 1:on  2:off 3:off 4:off 5:off 6:off
networking         0:on  1:off 2:off 3:off 4:off 5:off 6:off
ondemand           0:off 1:off 2:on  3:on  4:on  5:on  6:off
openvpn            0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix            0:off 1:off 2:on  3:on  4:on  5:on  6:off
pppd-dns           0:off 1:on  2:on  3:on  4:on  5:on  6:off
pulseaudio         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rc.local           0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsync              0:off 1:off 2:on  3:on  4:on  5:on  6:off
saned              0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendsigs           0:on  1:off 2:off 3:off 4:off 5:off 6:off
speech-dispatcher  0:off 1:off 2:on  3:on  4:on  5:on  6:off
sudo               0:off 1:off 2:on  3:on  4:on  5:on  6:off
umountfs           0:on  1:off 2:off 3:off 4:off 5:off 6:off
umountnfs.sh       0:on  1:off 2:off 3:off 4:off 5:off 6:off
umountroot         0:on  1:off 2:off 3:off 4:off 5:off 6:off
urandom            0:on  1:off 2:off 3:off 4:off 5:off 6:off S:on
winbind            0:off 1:off 2:on  3:on  4:on  5:on  6:off
x11-common         0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on
xrdp               0:off 1:off 2:on  3:on  4:on  5:on  6:off

Init utility for pretty much everyone else

Page 8: Creating "Secure" PHP applications, Part 2, Server Hardening

Access Control Lists (ACLs)
Beyond chmod

Page 9: Creating "Secure" PHP applications, Part 2, Server Hardening

Access Control Rules
Never set directory permissions to 777
The web server user should be able to read from the web root only
The web server user should be able to write to log and cache directories only
Other users should not be able to access cache & log files
Don't allow web applications to self-update
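The rules on this slide are easy to state and easy to break over time, so they are worth checking rather than assuming. The script below is an added example (not from the talk) that audits a web root against the first three rules with nothing but find and the standard mode bits. It assumes a constructed layout of <webroot>/public, <webroot>/cache and <webroot>/log, that the web server account is www-data (override with the second argument), and GNU find.

```shell
#!/bin/bash
# Audit a web root against the Access Control Rules slide (added example):
#   1. no directory may be world-writable (the "never 777" rule),
#   2. the web user may have write access only under cache/ and log/,
#   3. cache/ and log/ must not be readable, writable or searchable by "other".
# Assumed layout (constructed): <webroot>/public, <webroot>/cache, <webroot>/log.
# Usage: audit_webroot <webroot> [web_user]   (web_user defaults to www-data,
# which must exist on the host or find will refuse the -user test).
# Prints one line per violation and returns the number of violations.

count_lines() {    # number of lines in "$1", 0 for an empty string
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

audit_webroot() {
    root="$1"; web_user="${2:-www-data}"; total=0

    # Rule 1: flag any world-writable directory anywhere in the tree.
    bad=$(find "$root" -type d -perm -o+w)
    [ -n "$bad" ] && printf '%s\n' "$bad" | sed 's/^/world-writable directory: /'
    total=$((total + $(count_lines "$bad")))

    # Rule 2: anything the web user owns with the owner-write bit set, outside
    # cache/ and log/, is writable by the web server and therefore a violation.
    bad=$(find "$root" \( -path "$root/cache" -o -path "$root/log" \) -prune \
          -o -user "$web_user" -perm -u+w -print)
    [ -n "$bad" ] && printf '%s\n' "$bad" | sed 's/^/web user can write outside cache\/log: /'
    total=$((total + $(count_lines "$bad")))

    # Rule 3: nothing under cache/ or log/ (the directories included) may grant
    # any permission to "other".
    for d in cache log; do
        [ -d "$root/$d" ] || continue
        bad=$(find "$root/$d" \( -perm -o+r -o -perm -o+w -o -perm -o+x \))
        [ -n "$bad" ] && printf '%s\n' "$bad" | sed 's/^/exposed to other users: /'
        total=$((total + $(count_lines "$bad")))
    done

    return "$total"
}

# Example invocation on a real host (requires the www-data account to exist):
#   audit_webroot /var/www www-data
```

A file that the web user owns but cannot write (mode 444) passes rule 2, which is exactly the state the grant-apache-read wrapper on the following slides produces.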

Page 10: Creating "Secure" PHP applications, Part 2, Server Hardening

Enable ACLs

# <file system>                            <mount point> <type> <options>             <dump> <pass>
proc                                       /proc         proc   nodev,noexec,nosuid   0      0
/dev/mapper/bryan--sps-root                /             ext4   errors=remount-ro,acl 0      1
UUID=ecddec0c-10c0-4fa8-8421-98ede0b19ac6  /boot         ext2   defaults              0      2
/dev/mapper/bryan--sps-swap_1              none          swap   sw                    0      0
/dev/mapper/cryptswap1                     none          swap   sw                    0      0

Edit /etc/fstab and add the “acl” mount option to your volumes

Page 11: Creating "Secure" PHP applications, Part 2, Server Hardening

grant-apache-read

#!/bin/bash
# Author :: Bryan Geraghty
# Date   :: 2007-09-12
# Notes  :: This script resets permissions

source ~/lib/acl.bash;

# Default to the current directory; quote $1 so an empty or space-containing
# argument does not break the test.
if [ -z "$1" ]; then
    DIR='.';
else
    DIR="$1";
fi

grantUserRead 'www-data' "$DIR" '*';

A simple wrapper script for grant operations. I have one for write as well.

Page 12: Creating "Secure" PHP applications, Part 2, Server Hardening

grantUserRead

###
# Grants read permissions to all files/folders with names matching $3, which reside
# inside of directory $2, to user $1.
#
# @param string $1 Username   The user to whom read permissions will be granted
# @param string $2 Base path  Path in which all operations will take place
# @param string $3 Target     Name of the file/directory on which to set the permissions
#
function grantUserRead
{
    echo "Granting read permission to user $1 on files/folders named $3 in directory $2";

    ## Set the default permissions for new files on the specified directory
    echo "Setting defaults...";
    find "$2" -name "$3" -type d -exec setfacl -d -m "u:$1:rx" {} \;

    ## Recursively set the permissions on all existing directories and files within the
    ## specified directory
    echo "Setting directory permissions...";
    find "$2" -name "$3" -type d -exec setfacl -R -m "u:$1:rx" {} \;

    ## Grant permissions to any files with the specified name
    echo "Setting file permissions...";
    find "$2" -name "$3" -type f -exec setfacl -m "u:$1:r" {} \;
}

https://github.com/archwisp/linux-home/blob/master/lib/acl.bash

Page 13: Creating "Secure" PHP applications, Part 2, Server Hardening

Mandatory Access Control (MAC)
Prevent anything you haven't approved from being executed

Page 14: Creating "Secure" PHP applications, Part 2, Server Hardening

There are a few MAC options
SELinux
AppArmor
TOMOYO
TrustedBSD
TrustedSolaris
Others

Page 15: Creating "Secure" PHP applications, Part 2, Server Hardening

How SELinux Works
You assign security labels to all users, roles, files, network interfaces, ports, etc.
You create policies for each user/role that needs to perform an action on a file (read, write, execute, etc.) using the security labels.
The SELinux kernel module enforces access
If a new file is introduced to the system, it must be labeled and a new policy must be created in order for it to be accessed.

Page 16: Creating "Secure" PHP applications, Part 2, Server Hardening

Installing SELinux in Ubuntu 12.04?
I tried to set it up recently and haven’t been able to figure out how to enable the strict policy. I’ll do a blog post on this once I get it working.

Page 17: Creating "Secure" PHP applications, Part 2, Server Hardening

Automatic Protection
Blanket controls with a poor history of effectiveness

Page 18: Creating "Secure" PHP applications, Part 2, Server Hardening

Blanket controls can be beneficial but don’t rely on them for protection.
Magic Quotes
Safe Mode
Suhosin
mod_security

Page 19: Creating "Secure" PHP applications, Part 2, Server Hardening

Memory & Thread Limits
Know your bounds

Page 20: Creating "Secure" PHP applications, Part 2, Server Hardening

Set a Reasonable PHP Memory Limit
Never remove the limit in a production system
It only takes one large request to bring your server to a halt
You get to decide what is reasonable
A larger limit means less work for you but allows your server to handle fewer requests

Page 21: Creating "Secure" PHP applications, Part 2, Server Hardening

top

top - 03:14:26 up 5:23, 2 users, load average: 0.09, 0.05, 0.05
Tasks: 138 total, 1 running, 137 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.7%us, 1.2%sy, 0.0%ni, 98.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2062248k total, 1352564k used, 709684k free, 302624k buffers
Swap: 0k total, 0k used, 0k free, 696664k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1830 www-data  20   0 70176 6908 2732 S    0  0.3   0:00.15 apache2
 1831 www-data  20   0 70176 6704 2568 S    0  0.3   0:00.11 apache2

Once in top, hit SHIFT-M to sort by memory. This will allow you to examine the memory footprint of your web server instances. (This is a dev server with no load)

Page 22: Creating "Secure" PHP applications, Part 2, Server Hardening

Set your web server process limits
If you run Apache, set MaxClients to a value lower than your total memory divided by the size of the memory footprint for each web server process.
MaxClients is the number of simultaneous connections that will be served.

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
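Putting the last two slides together, as an added example that is not part of the talk: the RES column from top gives the idle footprint of an apache2 child, but under prefork with mod_php a child can grow by up to PHP's memory_limit before PHP stops the request, so the cautious per-process figure is RES plus memory_limit. The script below applies that bound, and the memory_limit must be the one from the php.ini Apache loads, not the CLI's. It assumes Linux /proc/meminfo, GNU ps, and a constructed 512 MB reserve for MySQL and the OS.

```shell
#!/bin/bash
# Size Apache prefork MaxClients from measured numbers (added example).
# Bound used here (my assumption, stricter than the slide's):
#   MaxClients = (MemTotal - reserve) / (avg_child_rss + php_memory_limit)
# All values in kB.

# Pure calculation; prints the suggested MaxClients, 0 if the inputs leave no room.
max_clients() {
    total_kb=$1; reserve_kb=$2; avg_rss_kb=$3; php_limit_kb=$4
    per_child=$((avg_rss_kb + php_limit_kb))
    avail=$((total_kb - reserve_kb))
    if [ "$avail" -le 0 ] || [ "$per_child" -le 0 ]; then echo 0; return 0; fi
    echo $((avail / per_child))
}

# Convert a php.ini memory_limit ("128M", "1G", "512K", plain bytes) to kB.
# "-1" means unlimited, which the slide says never to run in production, so it
# is reported as an error instead of being sized.
memory_limit_kb() {
    case "$1" in
        -1)     return 1 ;;
        *G|*g)  echo $(( ${1%[Gg]} * 1024 * 1024 )) ;;
        *M|*m)  echo $(( ${1%[Mm]} * 1024 )) ;;
        *K|*k)  echo "${1%[Kk]}" ;;
        *)      echo $(( $1 / 1024 )) ;;
    esac
}

# Measure a live host. $1 is the memory_limit from Apache's php.ini,
# $2 an optional reserve in kB (default 512 MB, a constructed value).
measure_and_suggest() {
    limit=$(memory_limit_kb "$1") || { echo "memory_limit is unlimited; set one first" >&2; return 1; }
    total=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    avg=$(ps -o rss= -C apache2 | awk '{s+=$1; n++} END {print (n ? int(s/n) : 0)}')
    max_clients "$total" "${2:-524288}" "$avg" "$limit"
}
```

With the slide's own numbers (2062248 kB total, a 6908 kB child) and a 128M memory_limit the bound comes out at 11, far below Apache's default of 150, which is the point of the slide.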

Page 23: Creating "Secure" PHP applications, Part 2, Server Hardening

And Don’t Forget
PHPMyAdmin bypasses MySQL host filtering!

Page 24: Creating "Secure" PHP applications, Part 2, Server Hardening

Next Month: Part 3, Error Handling
Error Handlers
Exception Handlers
Status Codes
Environments
Gotchas

Page 25: Creating "Secure" PHP applications, Part 2, Server Hardening

Thanks!
If you’re interested in an application security career, come talk with me.