Securing A Linux Web Server In 10 steps or Less

•Transferir como PPTX, PDF•

7 gostaram•8,917 visualizações

Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security. The following types of servers running Linux Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2 Not going to help if you have your website on Shared servers like Dreamhost/Go Daddy/Host Gator

Tecnologia

Akash Mahajan
That Web Application Security Guy

Reduce Attack Surface

F 117
Nighthawk

http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg

#rootconf | @makash | akashm.com 2

What is the Attack Surface

all the TCP and UDP ports listening
on the external interfaces

# netstat -nltup
#rootconf | @makash | akashm.com 3

Reducing the attack surface

by stopping services from
running
# /etc/init.d/<servicename> stop
listen on external IP
bind-address=127.0.0.1

starting at boot time
# update-rc.d <servicename> remove

#rootconf | @makash | akashm.com 4

After Reduction

#rootconf | @makash | akashm.com 5

Mini Distro

start with a 12 MB mini iso

install OpenSSH server
install required LAMP packages using tasksel
there are no compilers, extra libraries

#rootconf | @makash | akashm.com 6

Patching and Updates

choose Long Term Support
release (10.04 LTS, 12.04 LTS)

one command to patch & update

# apt-get update && apt-get upgrade

#rootconf | @makash | akashm.com 7

Protecting Your Access

#rootconf | @makash | akashm.com 8

Reason #1 for Hacked Linux Servers

SSH Server Password Brute Forcing
#rootconf | @makash | akashm.com 9

Secure Shell aka SSH

Conventional wisdom says
don’t allow root to login

don’t use passwords ; use keys

only use SSH version 2.0

#rootconf | @makash | akashm.com 10

Attack Surface in SSH
password bruteforcing requires valid users
who are allowed to login

lot of people use keys without passphrases

make one change in /etc/sshd_config

AllowUsers <user@Host>
#rootconf | @makash | akashm.com 11

Files and Permissions

Read (r) Write (w) Execute (x)

User 4 2 1

Group 4 - 1

Others 4 - -

-rwxr-xr-- | 0754
#rootconf | @makash | akashm.com 12

Apache Web Server

/etc/apache2/conf.d/security

line number 27 ServerTokens Prod
line number 39 ServerSignature Off

#rootconf | @makash | akashm.com 13

MySQL Database Server

if database and web server are on
the same host, then mysql server
should only listen on localhost
/etc/mysql/my.cnf

bind-address=127.0.0.1
#rootconf | @makash | akashm.com 14

MySQL Database Server

run # mysql_secure_installation

create new user for each new database

only give
SELECT, UPDATE, INSERT, DELETE, ALT
ER, CREATE privileges to new user
new user should be for localhost and don’t give %
#rootconf | @makash | akashm.com 15

Uncomplicated Firewall

• ufw enabled

• ufw allow 22 // SSH Access

• ufw allow 80 // Website Access

• ufw allow 443 // Secure Website Access

• ufw default deny // Kitchen Sink

#rootconf | @makash | akashm.com 16

Uncomplicated Firewall

ufw allow from <external DB IP> to
<current host IP> port 3306

#rootconf | @makash | akashm.com 17

Reference Web App Architecture

Document Root should only contain files
that are meant to be served to the user

everything should be in a folder outside it

#rootconf | @makash | akashm.com 18

Reference Web App Architecture

/var/www/site/public for files to serve

/var/www/site/private for config files

keep files user as person who uploads

Keep the group as www-data

#rootconf | @makash | akashm.com 19

My name is list, Check List

Start from a mini iso

Remove unwanted services

Whitelist user for SSH login

MySQL users need to be protected

Default Deny and Allow Specific

#rootconf | @makash | akashm.com 20

Wait, there is more you can do

• Logs of SSH, web servers

• Monitoring of these services

• Add whitelisted to /etc/host.allow or
blacklisted /etc/host.deny

#rootconf | @makash | akashm.com 21

Questions and Answers

Akash Mahajan
That Web Application Security Guy

http://akashm.com | @makash

akashmahajan@gmail.com | 9980527182

References
• Information about F1117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
• Unable to find out where I got the stair case image from. If you know please do let me know.
• Rest of the images are from istockphoto.com

#rootconf | @makash | akashm.com 23

Mais conteúdo relacionado

Mais de Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session

Akash Mahajan

App sec in the time of docker containers

Akash Mahajan

Venom vulnerability Overview and a basic demo

Akash Mahajan

Security in the cloud Workshop HSTC 2014

Akash Mahajan

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

Akash Mahajan

The real incident of stealing a droid app+data

Akash Mahajan

Believe It Or Not SSL Attacks

Akash Mahajan

I haz your mouse clicks and key strokes

Akash Mahajan

Hackers versus Developers and Secure Web Programming

Akash Mahajan

Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer. This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Akash Mahajan

Php security

Akash Mahajan

Secure passwords-theory-and-practice

Akash Mahajan

Top 10 web application security risks akash mahajan

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Secure Programming In Php

Akash Mahajan

Startups Security

Akash Mahajan

Mais de Akash Mahajan (18)

On Writing Well - A talk given at WinjaBlogs Session

App sec in the time of docker containers

Venom vulnerability Overview and a basic demo

Security in the cloud Workshop HSTC 2014

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

The real incident of stealing a droid app+data

Believe It Or Not SSL Attacks

I haz your mouse clicks and key strokes

Hackers versus Developers and Secure Web Programming

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Php security

Secure passwords-theory-and-practice

Top 10 web application security risks akash mahajan

Web application security

Secure Programming In Php

Startups Security

Último

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Securing A Linux Web Server In 10 steps or Less

1. Akash Mahajan That Web Application Security Guy

2. Reduce Attack Surface F 117 Nighthawk http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg #rootconf | @makash | akashm.com 2

3. What is the Attack Surface all the TCP and UDP ports listening on the external interfaces # netstat -nltup #rootconf | @makash | akashm.com 3

4. Reducing the attack surface by stopping services from running # /etc/init.d/<servicename> stop listen on external IP bind-address=127.0.0.1 starting at boot time # update-rc.d <servicename> remove #rootconf | @makash | akashm.com 4

5. After Reduction #rootconf | @makash | akashm.com 5

6. Mini Distro start with a 12 MB mini iso install OpenSSH server install required LAMP packages using tasksel there are no compilers, extra libraries #rootconf | @makash | akashm.com 6

7. Patching and Updates choose Long Term Support release (10.04 LTS, 12.04 LTS) one command to patch & update # apt-get update && apt-get upgrade #rootconf | @makash | akashm.com 7

8. Protecting Your Access #rootconf | @makash | akashm.com 8

9. Reason #1 for Hacked Linux Servers SSH Server Password Brute Forcing #rootconf | @makash | akashm.com 9

10. Secure Shell aka SSH Conventional wisdom says don’t allow root to login don’t use passwords ; use keys only use SSH version 2.0 #rootconf | @makash | akashm.com 10

11. Attack Surface in SSH password bruteforcing requires valid users who are allowed to login lot of people use keys without passphrases make one change in /etc/sshd_config AllowUsers <user@Host> #rootconf | @makash | akashm.com 11

12. Files and Permissions Read (r) Write (w) Execute (x) User 4 2 1 Group 4 - 1 Others 4 - - -rwxr-xr-- | 0754 #rootconf | @makash | akashm.com 12

13. Apache Web Server /etc/apache2/conf.d/security line number 27 ServerTokens Prod line number 39 ServerSignature Off #rootconf | @makash | akashm.com 13

14. MySQL Database Server if database and web server are on the same host, then mysql server should only listen on localhost /etc/mysql/my.cnf bind-address=127.0.0.1 #rootconf | @makash | akashm.com 14

15. MySQL Database Server run # mysql_secure_installation create new user for each new database only give SELECT, UPDATE, INSERT, DELETE, ALT ER, CREATE privileges to new user new user should be for localhost and don’t give % #rootconf | @makash | akashm.com 15

16. Uncomplicated Firewall • ufw enabled • ufw allow 22 // SSH Access • ufw allow 80 // Website Access • ufw allow 443 // Secure Website Access • ufw default deny // Kitchen Sink #rootconf | @makash | akashm.com 16

17. Uncomplicated Firewall ufw allow from <external DB IP> to <current host IP> port 3306 #rootconf | @makash | akashm.com 17

18. Reference Web App Architecture Document Root should only contain files that are meant to be served to the user everything should be in a folder outside it #rootconf | @makash | akashm.com 18

19. Reference Web App Architecture /var/www/site/public for files to serve /var/www/site/private for config files keep files user as person who uploads Keep the group as www-data #rootconf | @makash | akashm.com 19

20. My name is list, Check List Start from a mini iso Remove unwanted services Whitelist user for SSH login MySQL users need to be protected Default Deny and Allow Specific #rootconf | @makash | akashm.com 20

21. Wait, there is more you can do • Logs of SSH, web servers • Monitoring of these services • Add whitelisted to /etc/host.allow or blacklisted /etc/host.deny #rootconf | @makash | akashm.com 21

22. Questions and Answers Akash Mahajan That Web Application Security Guy http://akashm.com | @makash akashmahajan@gmail.com | 9980527182

23. References • Information about F1117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk • Unable to find out where I got the stair case image from. If you know please do let me know. • Rest of the images are from istockphoto.com #rootconf | @makash | akashm.com 23

Notas do Editor

starting at boot time#update-rc.d <servicename> removelistening on external IPbind-address=127.0.0.1

Securing A Linux Web Server In 10 steps or Less

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Akash Mahajan

Mais de Akash Mahajan (18)

Último

Último (20)

Securing A Linux Web Server In 10 steps or Less

Notas do Editor