Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access.
You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full-time system admin you will get to know a structured way of looking at server security.
It applies to the following types of servers running Linux: Virtual Private Server / Dedicated Server / Rackspace Cloud Instance / Amazon EC2
It is not going to help if you have your website on shared hosting like Dreamhost / Go Daddy / Host Gator, where you do not get root.
3. What is the Attack Surface
all the TCP and UDP ports listening on the external interfaces
# netstat -nltup
(-n numeric addresses, -l listening sockets only, -t TCP, -u UDP, -p the owning process; run as root so every PID/program is shown)
#rootconf | @makash | akashm.com 3
4. Reducing the attack surface
by stopping services from:
running
# /etc/init.d/<servicename> stop
listening on external IPs (in the service's own config; this line is MySQL's)
bind-address=127.0.0.1
starting at boot time
# update-rc.d <servicename> remove
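The two slides above are the whole procedure: find the listeners, then decide which to stop. The script below is an added example (not from the talk) that does the first half mechanically: it reads `netstat -nltup` output and prints only the sockets that are reachable from outside, so the loopback-bound ones (MySQL on 127.0.0.1, ntpd on 127.0.0.1) drop out and what is left is the list to work through with the stop / bind-address / update-rc.d steps. The netstat output embedded as SAMPLE is constructed, not captured from a real host; `--live` runs the real command.

```shell
#!/bin/sh
# Added example (not part of the talk): list the listeners that make up the
# external attack surface, i.e. sockets not bound to a loopback address.
# Parses `netstat -nltup` output; SAMPLE below is constructed, not captured.

# external_listeners: read netstat -nltup output on stdin and print
# "proto local-address pid/program" for every listener whose local address is
# not loopback. 0.0.0.0 and :: are wildcards, so they count as external.
external_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)              # drop the ":port" suffix
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print $1, $4, $NF
        }'
}

# Constructed sample of `netstat -nltup` on a LAMP box after the MySQL
# bind-address change; the PIDs and programs are made up.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1188/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1302/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1021/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           905/dhclient
udp        0      0 127.0.0.1:123           0.0.0.0:*                           977/ntpd'

# external_listener_count: how many externally reachable listeners SAMPLE has
external_listener_count() {
    printf '%s\n' "$SAMPLE" | external_listeners | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    netstat -nltup | external_listeners        # root needed to see every PID
else
    printf '%s\n' "$SAMPLE" | external_listeners
fi
```

On the sample this prints sshd on 0.0.0.0:22 and :::22, apache2 on 0.0.0.0:80 and dhclient on 0.0.0.0:68; mysqld and ntpd are loopback-only and are not listed. Anything in the output that is not sshd or the web server is a candidate for the stop / bind-address / update-rc.d treatment.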
6. Mini Distro
start with a 12 MB mini iso
install the OpenSSH server
install the required LAMP packages using tasksel
there are no compilers or extra libraries on the box
7. Patching and Updates
choose a Long Term Support release (10.04 LTS, 12.04 LTS)
one command to patch and update
# apt-get update && apt-get upgrade
9. Reason #1 for Hacked Linux Servers
SSH Server Password Brute Forcing
10. Secure Shell aka SSH
Conventional wisdom says
don't allow root to log in (PermitRootLogin no)
don't use passwords; use keys (PasswordAuthentication no)
only use SSH protocol version 2 (Protocol 2)
11. Attack Surface in SSH
password brute forcing requires valid users who are allowed to log in
a lot of people use keys without passphrases
make one change in /etc/ssh/sshd_config
AllowUsers <user>@<host>
only the listed users (optionally only from the listed source host) can log in at all; every other account is denied whatever password or key is tried
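Slides 10 and 11 together describe four sshd_config settings. The script below is an added example, not part of the talk, that audits a config file for exactly those settings the way a practitioner would before restarting sshd: it reads the first uncommented occurrence of each keyword (which is the one sshd honours), requires PermitRootLogin no, PasswordAuthentication no and Protocol 2, and requires that some AllowUsers whitelist exists. The two sample configs it writes are constructed; the user names and the jump-host address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Added example (not part of the talk): audit an sshd_config for the settings
# the slides recommend. Both sample configs are constructed; the user names
# and 203.0.113.10 are placeholders.

# setting_is FILE KEY VALUE: true if KEY's effective value in FILE is VALUE.
# sshd honours the first uncommented occurrence of a keyword, so do the same.
setting_is() {
    got=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# check FILE KEY VALUE DESCRIPTION: print PASS/FAIL and count failures in $fails
check() {
    if setting_is "$1" "$2" "$3"; then
        echo "PASS $4"
    else
        echo "FAIL $4 (want '$2 $3')"
        fails=$((fails + 1))
    fi
}

# audit_sshd_config FILE: run all checks; the return value is the number of
# failing checks, so 0 means the file matches the recommendations.
audit_sshd_config() {
    fails=0
    check "$1" PermitRootLogin no "root cannot log in over SSH"
    check "$1" PasswordAuthentication no "passwords off, keys only"
    check "$1" Protocol 2 "only SSH protocol 2"
    # AllowUsers has no single right value; it just has to whitelist someone.
    if grep -qiE '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$1"; then
        echo "PASS AllowUsers whitelist present"
    else
        echo "FAIL no AllowUsers line: every local account is a brute-force target"
        fails=$((fails + 1))
    fi
    return $fails
}

# write_samples DIR: write a stock-looking and a hardened config into DIR
write_samples() {
    cat > "$1/weak" <<'EOF'
# constructed: looks like a stock sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
# constructed: the same file after applying the slides
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# user@host patterns: deploy only from one jump host, akash from anywhere
AllowUsers deploy@203.0.113.10 akash
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    echo "== $f"
    audit_sshd_config "$dir/$f" || echo "   $? check(s) failed"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`, and before restarting the daemon run `sshd -t` (syntax check) and `sshd -T` (dump the effective settings) so a typo does not lock you out of the only way in. On OpenSSH 7.4 and later protocol 1 support has been removed from the server, so the Protocol line is no longer needed there; keep it on the 10.04/12.04-era versions the slides target.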
14. MySQL Database Server
if database and web server are on the same host, then the mysql server should only listen on localhost
/etc/mysql/my.cnf
bind-address=127.0.0.1
15. MySQL Database Server
run # mysql_secure_installation
create a new user for each new database
only give SELECT, UPDATE, INSERT, DELETE, ALTER, CREATE privileges to the new user
the new user should be for localhost only; don't grant to '%' (any host)
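As an added example (not from the talk), the shell function below writes out the statements that implement slide 15: one account per database, created for 'localhost' only, with exactly the six privileges listed and nothing else. The database and user names (shop, shop_app) are placeholders; the password is taken from an environment variable rather than an argument so it does not show up in `ps`, and the identifiers are restricted to word characters so a stray name cannot smuggle a second statement into the SQL.

```shell
#!/bin/sh
# Added example (not part of the talk): generate the MySQL statements for the
# per-database application user the slides describe. Database and user names
# (shop, shop_app) are placeholders; the password comes from the environment
# so it never appears in the process list.

# sql_escape STRING: double single quotes and backslashes for a MySQL literal
sql_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/'"'"'/'"''"'/g'
}

# mysql_app_grant_sql DB USER: print the SQL on stdout. Identifiers are
# restricted to [A-Za-z0-9_] so nothing can smuggle extra statements in,
# and the account is created for 'localhost' only, never '%'.
mysql_app_grant_sql() {
    db=$1; user=$2
    for ident in "$db" "$user"; do
        case $ident in
            ''|*[!A-Za-z0-9_]*) echo "bad identifier: $ident" >&2; return 1 ;;
        esac
    done
    [ -n "$MYSQL_APP_PASSWORD" ] || { echo "set MYSQL_APP_PASSWORD" >&2; return 1; }
    pw=$(sql_escape "$MYSQL_APP_PASSWORD")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw';
-- exactly the privileges from the slides, on this one database only
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# demo with a constructed password; pipe the output into `mysql -u root -p`
MYSQL_APP_PASSWORD='correct horse battery staple'
mysql_app_grant_sql shop shop_app
```

Usage on a real box is `MYSQL_APP_PASSWORD=... ; mysql_app_grant_sql shop shop_app | mysql -u root -p`. Because the account has no GRANT OPTION, no FILE privilege and no access to other schemas, a SQL injection in the web application is contained to that one database and cannot read /etc or reach the mysql.user table.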
18. Reference Web App Architecture
Document Root should only contain files that are meant to be served to the user
everything else should be in a folder outside it
19. Reference Web App Architecture
/var/www/site/public for files to serve
/var/www/site/private for config files
keep the file owner as the person who uploads
keep the group as www-data (the user the web server runs as)
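Slides 18 and 19 are one procedure: split the site into public and private, own it as the uploading user, group it as www-data. The script below is an added example, not the talk's own, that builds that tree with the modes that make the ownership rule mean something (directories 750, files 640, so the web server can read through the group but never write) and then audits it for the two mistakes that undo the layout: anything the web server could modify, and config files readable by every user on the box. The paths, owner and group (deploy, www-data) are assumptions; `find -perm /mode` is the GNU/BusyBox form.

```shell
#!/bin/sh
# Added example (not part of the talk): lay out the public/private split from
# the slides and verify it. The owner and group names are parameters; the
# values used in the demo (deploy, www-data) are assumptions.

# setup_site_tree BASE OWNER GROUP
#   BASE/public  : only files the web server should serve (the Document Root)
#   BASE/private : config, libraries, uploads; never reachable via the Document Root
# Directories 750 and files 640: the owner (the person who uploads) can write,
# the web server's group can read, and nobody else can see anything.
setup_site_tree() {
    base=$1; owner=$2; group=$3
    mkdir -p "$base/public" "$base/private"
    chmod 750 "$base" "$base/public" "$base/private"
    find "$base" -type f -exec chmod 640 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$base" 2>/dev/null ||
            echo "chown failed: do user $owner and group $group exist?" >&2
    else
        echo "not root: skipping chown -R $owner:$group $base" >&2
    fi
}

# site_tree_audit BASE: print every path that breaks the layout; return 1 if any.
#  - group- or world-writable entries: the web server must never be able to
#    change what it serves, or an upload bug becomes code execution
#  - world-readable files under private: config files hold DB passwords
site_tree_audit() {
    bad=$( { find "$1" -perm /022; find "$1/private" -type f -perm /004; } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# demo in a temp dir so it runs unprivileged; on a server BASE is /var/www/site
demo=$(mktemp -d)
setup_site_tree "$demo" deploy www-data
: > "$demo/public/index.php"        # served
: > "$demo/private/config.php"      # holds the MySQL password, never served
setup_site_tree "$demo" deploy www-data    # re-run to fix modes of new files
site_tree_audit "$demo" && echo "layout ok: $demo"
```

Point the Apache DocumentRoot at BASE/public and have index.php require ../private/config.php; a request for /config.php then 404s instead of disclosing the database password, and because www-data has no write bit anywhere, a compromised PHP process cannot drop a web shell next to index.php.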
20. My name is list, Check List
Start from a mini iso
Remove unwanted services
Whitelist user for SSH login
MySQL users need to be protected
Default Deny and Allow Specific
21. Wait, there is more you can do
• Logs of SSH, web servers
• Monitoring of these services
• Add whitelisted hosts to /etc/hosts.allow or blacklisted hosts to /etc/hosts.deny (TCP wrappers)
22. Questions and Answers
Akash Mahajan
That Web Application Security Guy
http://akashm.com | @makash
akashmahajan@gmail.com | 9980527182