![Netstat
Show any listening services
bryan@bryan-sps ~ $ sudo netstat -lntp
[sudo] password for bryan:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program
name
tcp 0 0 127.0.0.1:1194 0.0.0.0:* LISTEN 4786/openvpn
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1175/mysqld
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4792/dnsmasq
tcp 0 0 127.0.0.1:8182 0.0.0.0:* LISTEN 5083/firefox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 966/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1058/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 10521/master
tcp6 0 0 :::80 :::* LISTEN 1609/apache2
tcp6 0 0 :::22 :::* LISTEN 966/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1058/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 10521/master](https://image.slidesharecdn.com/creatingsecurephpapplicationspart2-120915140608-phpapp01/85/Creating-Secure-PHP-applications-Part-2-Server-Hardening-5-320.jpg)
![grant-apache-read
A simple wrapper script for grant operations. I have one for write as well.
#!/bin/bash
# Author :: Bryan Geraghty
# Date :: 2007-09-12
# Notes :: This script resets permissions
source ~/lib/acl.bash;
if [ -z $1 ]; then
DIR='.';
else
DIR=$1;
fi
grantUserRead 'www-data' $DIR '*';](https://image.slidesharecdn.com/creatingsecurephpapplicationspart2-120915140608-phpapp01/85/Creating-Secure-PHP-applications-Part-2-Server-Hardening-11-320.jpg)
Creating "Secure" PHP applications, Part 2, Server Hardening
- 2. So, who are you, anyway? Bryan C. Geraghty Security Consultant at Security PS @archwisp I’m a Sr. PHP developer with a systems and security engineering background - turned application security consultant
- 3. Remember, layers Simpler is easier to test Don’t make assumptions Compromised browser = game over
- 4. If you’re not using it, you don’t know what it’s doing. If you don’t know what it does, find someone who does.
- 5. Netstat Show any listening services bryan@bryan-sps ~ $ sudo netstat -lntp [sudo] password for bryan: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:1194 0.0.0.0:* LISTEN 4786/openvpn tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1175/mysqld tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4792/dnsmasq tcp 0 0 127.0.0.1:8182 0.0.0.0:* LISTEN 5083/firefox tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 966/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1058/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 10521/master tcp6 0 0 :::80 :::* LISTEN 1609/apache2 tcp6 0 0 :::22 :::* LISTEN 966/sshd tcp6 0 0 ::1:631 :::* LISTEN 1058/cupsd tcp6 0 0 ::1:25 :::* LISTEN 10521/master
- 6. update-rc.d Init utility for Debian based systems bryan@bryan-sps ~ $ sudo update-rc.d cups disable update-rc.d: warning: /etc/init.d/cups missing LSB information update-rc.d: see <http://wiki.debian.org/LSBInitScripts> Disabling system startup links for /etc/init.d/cups ... Removing any system startup links for /etc/init.d/cups ... /etc/rc0.d/K20cups /etc/rc1.d/K20cups /etc/rc2.d/S20cups /etc/rc3.d/S20cups /etc/rc4.d/S20cups /etc/rc5.d/S20cups /etc/rc6.d/K20cups Adding system startup for /etc/init.d/cups ... /etc/rc0.d/K20cups -> ../init.d/cups /etc/rc1.d/K20cups -> ../init.d/cups /etc/rc6.d/K20cups -> ../init.d/cups /etc/rc2.d/K80cups -> ../init.d/cups /etc/rc3.d/K80cups -> ../init.d/cups /etc/rc4.d/K80cups -> ../init.d/cups /etc/rc5.d/K80cups -> ../init.d/cups
- 7. chkconfig Init utility for pretty much everyone else bryan@bryan-sps ~ $ sudo chkconfig --list | fgrep ":on" acpi-support 0:off 1:off 2:on 3:on 4:on 5:on 6:off apache2 0:off 1:off 2:on 3:on 4:on 5:on 6:off apparmor 0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on brltty 0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on cryptdisks 0:on 1:off 2:off 3:off 4:off 5:off 6:off cryptdisks-early 0:on 1:off 2:off 3:off 4:off 5:off 6:off dns-clean 0:off 1:on 2:on 3:on 4:on 5:on 6:off grub-common 0:off 1:off 2:on 3:on 4:on 5:on 6:off kerneloops 0:off 1:off 2:on 3:on 4:on 5:on 6:off killprocs 0:off 1:on 2:off 3:off 4:off 5:off 6:off networking 0:on 1:off 2:off 3:off 4:off 5:off 6:off ondemand 0:off 1:off 2:on 3:on 4:on 5:on 6:off openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off pppd-dns 0:off 1:on 2:on 3:on 4:on 5:on 6:off pulseaudio 0:off 1:off 2:on 3:on 4:on 5:on 6:off rc.local 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsync 0:off 1:off 2:on 3:on 4:on 5:on 6:off saned 0:off 1:off 2:on 3:on 4:on 5:on 6:off sendsigs 0:on 1:off 2:off 3:off 4:off 5:off 6:off speech-dispatcher 0:off 1:off 2:on 3:on 4:on 5:on 6:off sudo 0:off 1:off 2:on 3:on 4:on 5:on 6:off umountfs 0:on 1:off 2:off 3:off 4:off 5:off 6:off umountnfs.sh 0:on 1:off 2:off 3:off 4:off 5:off 6:off umountroot 0:on 1:off 2:off 3:off 4:off 5:off 6:off urandom 0:on 1:off 2:off 3:off 4:off 5:off 6:off S:on winbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off x11-common 0:off 1:off 2:off 3:off 4:off 5:off 6:off S:on xrdp 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- 8. Beyond chmod
- 9. Access Control Rules Never set directory permissions to 777 The web server user should be able to read from the web root only The web server user should be able to write to log and cache directories only Other users should not be able to access cache & log Files Don't allow web applications to self-update
- 10. Enable ACLs Edit /etc/fstab and add the “acl” mount option to your volumes # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc nodev,noexec,nosuid 0 0 /dev/mapper/bryan--sps-root / ext4 errors=remount-ro,acl 0 1 UUID=ecddec0c-10c0-4fa8-8421-98ede0b19ac6 /boot ext2 defaults 0 2 /dev/mapper/bryan--sps-swap_1 none swap sw 0 0 /dev/mapper/cryptswap1 none swap sw 0 0
- 11. grant-apache-read A simple wrapper script for grant operations. I have one for write as well. #!/bin/bash # Author :: Bryan Geraghty # Date :: 2007-09-12 # Notes :: This script resets permissions source ~/lib/acl.bash; if [ -z $1 ]; then DIR='.'; else DIR=$1; fi grantUserRead 'www-data' $DIR '*';
- 12. grantUserRead https://github.com/archwisp/linux-home/blob/master/lib/acl.bash ## # Grants read permissions to all files/folders with names matching $3, which reside # inside of directory $2, to user $1. # # @param string $1 Username The user to whom read permissions will be granted # @param string $2 Base path Path in which all operations will take place # @param string $3 Target Name of the file/directory on which to set the permissions # function grantUserRead { echo "Granting read permission to user $1 on files/folders named $3 in directory $2"; ## Set the default permissions for new files on the specified directory echo "Setting defaults..."; find $2 -name "$3" -type d -exec setfacl -d -m u:$1:rx {} ; ## Recusively set the permissions on all existing directories and files within the ## specified directory echo "Setting directory permissions..."; find $2 -name "$3" -type d -exec setfacl -R -m u:$1:rx {} ; ## Grant permissions to any files with the specified name echo "Setting file permissions..."; find $2 -name "$3" -type f -exec setfacl -m u:$1:r {} ; }
- 13. Prevent anything you haven't approved from being executed
- 14. There are a few MAC options SELinux AppArmor TOMOYO TrustedBSD TrustedSolaris Others
- 15. How SELinux Works You assign security labels to all users, roles, files, network interfaces, ports, etc. You create policies for each user/role that needs to perform an action on a file (read, write, execute, etc.) using the security labels. The SELinux kernel module enforces access If a new file in introduced to the system, it must be labeled and a new policy must be created in order for it to be accessed.
- 16. Installing SELinux in Ubuntu 12.04? I tried to set it up recently and haven’t been able to figure out how to enable the strict policy. I’ll do a blog post on this once I get it working.
- 17. Blanket controls with a poor history of effectiveness
- 18. Blanket controls can be beneficial but don’t rely on them for protection. Magic Quotes Safe Mode Suhosin mod_security
- 19. Know your bounds
- 20. Set a Reasonable PHP Memory Limit Never remove the limit in a production system It only takes one large request to bring your server to a halt You get to decide what is reasonable A larger limit means less work for you but allows your server to handle fewer requests
- 21. top Once in top, hit SHIFT-M to sort by memory. This will allow you to examine the memory footprint of your web server instances. (This is a dev server with no load) top - 03:14:26 up 5:23, 2 users, load average: 0.09, 0.05, 0.05 Tasks: 138 total, 1 running, 137 sleeping, 0 stopped, 0 zombie Cpu(s): 0.7%us, 1.2%sy, 0.0%ni, 98.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 2062248k total, 1352564k used, 709684k free, 302624k buffers Swap: 0k total, 0k used, 0k free, 696664k cached 1830 www-data 20 0 70176 6908 2732 S 0 0.3 0:00.15 apache2 1831 www-data 20 0 70176 6704 2568 S 0 0.3 0:00.11 apache2
- 22. Set your web server process limits If you run Apache, set MaxClients to a value lower than your total memory divided by the size of the memory footprint for each web server process. MaxClients is the number or simultaneous connections that will be served. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
- 23. PHPMyAdmin bypasses MySQL host filtering!
- 24. Error Handlers Exception Handlers Status Codes Environments Gotchas
- 25. If you’re interested in an application security career, come talk with me.