Securing A Linux Web Server In 10 steps or Less
Transcript of Securing A Linux Web Server In 10 steps or Less
2
Reduce Attack Surface
#rootconf | @makash | akashm.com
F-117 Nighthawk
World's first modern stealth aircraft; it avoided radars because of its very low radar signature
http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg
3
What is the Attack Surface
all the TCP and UDP ports listening on the external interfaces
# netstat -nltup
4
Reducing the attack surface
by stopping services from running
# /etc/init.d/<servicename> stop
by stopping services from listening on an external IP (e.g. bind-address=127.0.0.1)
by stopping services from starting at boot time
# update-rc.d <servicename> remove
6
Mini Distro
start with a 12 MB mini iso
install OpenSSH server
install required LAMP packages using tasksel
there are no compilers or extra libraries
7
Patching and Updates
choose Long Term Support release (10.04 LTS, 12.04 LTS)
one command to patch & update
# apt-get update && apt-get upgrade
9
Reason #1 for Hacked Linux Servers
SSH Server Password Brute Forcing
10
Secure Shell aka SSH
Conventional wisdom says
don’t allow root to login
don’t use passwords ; use keys
only use SSH version 2.0
11
Attack Surface in SSH
password brute forcing requires valid users who are allowed to log in
a lot of people use keys without passphrases
make one change in /etc/ssh/sshd_config
AllowUsers <user@host>
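A small audit script, added here as an example and not part of the original slides, that checks an sshd_config against the rules above (no root login, keys instead of passwords, protocol 2) and the AllowUsers whitelist. It assumes OpenSSH's older defaults (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2) when a keyword is absent, and ignores Match blocks.

```shell
#!/bin/sh
# Added example (not the talk's own code): audit an sshd_config file.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config ; exits with the finding count.

# effective_value FILE KEY -> first uncommented value of KEY (sshd uses the
# first occurrence of a keyword), or nothing when it is unset.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# expect FILE KEY WANTED DEFAULT -> prints a finding and returns 1 when the
# effective value (or DEFAULT, if the keyword is absent) is not WANTED.
expect() {
    val=$(effective_value "$1" "$2")
    [ -z "$val" ] && val="$4"
    if [ "$val" != "$3" ]; then
        printf 'FINDING: %s is %s (want %s)\n' "$2" "$val" "$3"
        return 1
    fi
    return 0
}

# audit_sshd FILE -> return value is the number of findings (0 = all good).
# Defaults below are assumed from older OpenSSH releases of the 10.04/12.04 era.
audit_sshd() {
    findings=0
    expect "$1" PermitRootLogin no yes        || findings=$((findings + 1))
    expect "$1" PasswordAuthentication no yes || findings=$((findings + 1))
    expect "$1" Protocol 2 2                  || findings=$((findings + 1))
    # AllowUsers has no default: without it every local account may log in.
    if [ -z "$(effective_value "$1" AllowUsers)" ]; then
        printf 'FINDING: no AllowUsers whitelist, every account may log in\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
fi
```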
12
Files and Permissions
         Read (r)   Write (w)   Execute (x)
User        4          2            1
Group       4          -            1
Others      4          -            -
-rwxr-xr-- | 0754
13
Apache Web Server
/etc/apache2/conf.d/security
line 27: ServerTokens Prod
line 39: ServerSignature Off
14
MySQL Database Server
if the database and web server are on the same host, then the MySQL server should only listen on localhost
/etc/mysql/my.cnf
bind-address=127.0.0.1
15
MySQL Database Server
run # mysql_secure_installation
create a new user for each new database
only give the new user SELECT, UPDATE, INSERT, DELETE, ALTER and CREATE privileges
the new user should be for localhost only; don't give %
16
Uncomplicated Firewall
• ufw enable
• ufw allow 22 // SSH Access
• ufw allow 80 // Website Access
• ufw allow 443 // Secure Website Access
• ufw default deny // Kitchen Sink
17
Uncomplicated Firewall
ufw allow from <external DB IP> to <current host IP> port 3306
18
Reference Web App Architecture
the document root should only contain files that are meant to be served to the user
everything else should be in a folder outside it
19
Reference Web App Architecture
/var/www/site/public for files to serve
/var/www/site/private for config files
keep the file owner as the person who uploads
keep the group as www-data
20
My name is list, Check List
Start from a mini iso
Remove unwanted services
Whitelist user for SSH login
MySQL users need to be protected
Default Deny and Allow Specific
21
Wait, there is more you can do
• Logs of SSH, web servers
• Monitoring of these services
• Add whitelisted hosts to /etc/hosts.allow or blacklisted hosts to /etc/hosts.deny
Akash Mahajan, That Web Application Security Guy
http://akashm.com | @makash
[email protected] | 9980527182
Questions and Answers
23
References
• Information about the F-117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
• Unable to find out where I got the staircase image from. If you know, please do let me know.
• Rest of the images are from istockphoto.com