Securing a Linux Web Server in 10 Steps or Less Akash Mahajan That Web Application Security Guy

Post on 12-May-2015


DESCRIPTION

Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk, but if you are a full-time system admin you will get to know a structured way of looking at server security. It applies to the following types of servers running Linux: Virtual Private Server / Dedicated Server / Rackspace Cloud Instance / Amazon EC2. It is not going to help if you have your website on shared servers like Dreamhost / GoDaddy / HostGator.

TRANSCRIPT

Securing a Linux Web Server in 10 Steps or Less

Akash Mahajan That Web Application Security Guy


Reduce Attack Surface

#rootconf | @makash | akashm.com

F-117 Nighthawk

World’s first modern stealth aircraft, avoided radars because of its very low radar signature

http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg


What is the Attack Surface?

all the TCP and UDP ports listening on the external interfaces

# netstat -nltup


Reducing the attack surface by stopping services from

running: # /etc/init.d/<servicename> stop

listening on external IPs: bind-address=127.0.0.1

starting at boot time: # update-rc.d <servicename> remove
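The attack-surface check from the two slides above, as an added script that is not part of the talk: it parses the output of netstat -nltup, lists every socket not bound to loopback, and then flags the ones whose port is outside the set the firewall slide later allows (22, 80, 443). The netstat output embedded here is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the talk: list listeners on external interfaces from
# "netstat -nltup" output, then flag those outside the ports the firewall allows.
# SAMPLE_NETSTAT is constructed; on a real host pipe in the live output:
#   netstat -nltup | unexpected_listeners

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1203/apache2
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1410/memcached
udp        0      0 0.0.0.0:68              0.0.0.0:*                           633/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           701/chronyd'

# Ports this web server is meant to expose: SSH, HTTP and HTTPS (the ufw slide).
ALLOWED_PORTS="22 80 443"

# Read netstat output on stdin; print "proto port program" for every socket
# whose local address is not loopback. These make up the attack surface.
external_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $4
            n = split(addr, parts, ":")            # port is after the last ":"
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            prog = $NF                              # "PID/name", or "-" if unknown
            sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

# External listeners on ports not in ALLOWED_PORTS: candidates to stop, to bind
# to 127.0.0.1, or to drop from boot with update-rc.d.
unexpected_listeners() {
    external_listeners | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}
```

On the sample data the unexpected listeners are memcached on 11211 and dhclient on UDP 68; mysqld and chronyd are excluded because they already bind to loopback.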


After Reduction


Mini Distro

start with a 12 MB mini ISO

install OpenSSH server

install required LAMP packages using tasksel

there are no compilers or extra libraries


Patching and Updates

choose Long Term Support release (10.04 LTS, 12.04 LTS)

one command to patch & update

# apt-get update && apt-get upgrade


Protecting Your Access

KAT DORZ IZ ALWYZ OPEN


Reason #1 for Hacked Linux Servers

SSH Server Password Brute Forcing


Secure Shell aka SSH

Conventional wisdom says

don’t allow root to login

don’t use passwords; use keys

only use SSH version 2.0


Attack Surface in SSH

password brute forcing requires valid users who are allowed to log in

a lot of people use keys without passphrases

make one change in /etc/sshd_config

AllowUsers <user@Host>


Files and Permissions

          Read (r)   Write (w)   Execute (x)
User         4          2            1
Group        4          -            1
Others       4          -            -

-rwxr-xr-- | 0754


Apache Web Server

/etc/apache2/conf.d/security

line 27: ServerTokens Prod

line 39: ServerSignature Off


MySQL Database Server

if the database and web server are on the same host, then the MySQL server should only listen on localhost

/etc/mysql/my.cnf

bind-address=127.0.0.1


MySQL Database Server

run # mysql_secure_installation

create a new user for each new database

only give SELECT, UPDATE, INSERT, DELETE, ALTER, CREATE privileges to the new user

the new user should be for localhost only; don’t give %


Uncomplicated Firewall

• ufw enable

• ufw allow 22 // SSH Access

• ufw allow 80 // Website Access

• ufw allow 443 // Secure Website Access

• ufw default deny // Kitchen Sink


Uncomplicated Firewall

ufw allow from <external DB IP> to <current host IP> port 3306


Reference Web App Architecture

the Document Root should only contain files that are meant to be served to the user

everything else should be in a folder outside it


Reference Web App Architecture

/var/www/site/public for files to serve

/var/www/site/private for config files

keep the file owner as the person who uploads

keep the group as www-data


My name is list, Check List

Start from a mini iso

Remove unwanted services

Whitelist user for SSH login

MySQL users need to be protected

Default Deny and Allow Specific


Wait, there is more you can do

• Logs of SSH, web servers

• Monitoring of these services

• Add whitelisted hosts to /etc/host.allow or blacklisted hosts to /etc/host.deny

Akash Mahajan, That Web Application Security Guy

http://akashm.com | @makash


Questions and Answers


References

• Information about the F-117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk

• Unable to find out where I got the staircase image from. If you know, please do let me know.

• Rest of the images are from istockphoto.com