securing a linux web server in 10 steps or less
DESCRIPTION
Learn the basic approaches to securing Linux-based web servers without getting too technical. This talk will be useful for anyone running a Linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full-time system admin you will get to know a structured way of looking at server security.
Applies to the following types of servers running Linux: Virtual Private Server / Dedicated Server / Rackspace Cloud Instance / Amazon EC2.
Not going to help if you have your website on shared servers like Dreamhost / GoDaddy / HostGator.
TRANSCRIPT
Reduce Attack Surface
#rootconf | @makash | akashm.com
F-117 Nighthawk
World's first modern stealth aircraft; it avoided radars because of its very low radar signature
http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg
What is the Attack Surface
all the TCP and UDP ports listening on the external
interfaces
# netstat -nltup
Reducing the attack surface
stop services that are running: # /etc/init.d/<servicename> stop
stop services listening on the external IP: bind them to localhost instead, e.g. bind-address=127.0.0.1
stop services starting at boot time: # update-rc.d <servicename> remove
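As an added example (not code from the talk), the following shell function turns the `netstat -nltup` listing into just the sockets that are not bound to loopback, which is exactly the attack surface the previous slide defines; anything it prints is reachable from outside the host (subject to the firewall) and needs a reason to exist. It parses netstat's column layout; the newer `ss` tool prints different columns. The netstat output embedded below is constructed.

```shell
#!/bin/sh
# Added example: list externally reachable listeners from `netstat -nltup` output.

# Constructed sample of `netstat -nltup` output so the example runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1023/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1411/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      1411/apache2
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      560/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           645/chronyd'

# Reads netstat -nltup output on stdin and prints "proto port program" for every
# socket NOT bound to 127.0.0.0/8 or ::1.
external_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        # loopback-only listeners are not part of the external attack surface
        if (addr ~ /^127\./ || addr ~ /^::1:/) next
        n = split(addr, parts, ":")          # the port is whatever follows the last colon
        port = parts[n]
        prog = $NF                           # "PID/name" is the last column for tcp and udp rows
        sub(/^[0-9]+\//, "", prog)           # keep only the program name
        print $1, port, prog
    }'
}

# Number of externally reachable listeners: a quick "is it shrinking?" metric.
external_listener_count() {
    external_listeners | wc -l | tr -d ' '
}

# Live usage (root is needed to see program names):  netstat -nltup | external_listeners
# Demo with the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```

In the sample, mysqld and chronyd drop out because they are bound to 127.0.0.1; rpcbind on 111 and dhclient on 68 show up and are the kind of listener the next slide tells you to stop, rebind or remove from boot.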
Mini Distro
start with a 12 MB mini iso
install OpenSSH server
install required LAMP packages using tasksel
no compilers or extra libraries get installed this way
Patching and Updates
choose a Long Term Support release (10.04 LTS, 12.04 LTS)
one command to patch & update
# apt-get update && apt-get upgrade
(use apt-get dist-upgrade for updates that pull in new packages, such as new kernels, which plain upgrade holds back)
Reason #1 for Hacked Linux Servers
SSH Server Password Brute Forcing
Secure Shell aka SSH
Conventional wisdom says
don’t allow root to login
don’t use passwords ; use keys
only use SSH version 2.0
Attack Surface in SSH
password brute forcing requires valid users who are allowed to log in
a lot of people use keys without passphrases
make one change in /etc/ssh/sshd_config
AllowUsers <user@host> (only the listed users may log in; user@host further limits that user to logins from that client host)
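The two SSH slides above amount to four settings. As an added example (not from the talk), here is a small shell audit that reads an sshd_config the way sshd does (first uncommented match wins, keywords case-insensitive) and reports which of those settings are missing. The Debian/Ubuntu path /etc/ssh/sshd_config is assumed; the weak and hardened configs, the user name deploy and the address 203.0.113.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the talk's SSH recommendations.

# First uncommented match wins, which is how sshd itself reads the file.
# Keywords are case-insensitive. (Match blocks are not handled by this simple reader.)
sshd_get() {    # $1 = file, $2 = keyword  -> prints the value, or nothing if unset
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one FAIL line per weak or missing setting; returns 0 only if all pass.
sshd_audit() {  # $1 = path to an sshd_config
    f=$1 rc=0
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication is '${v:-unset}', want no (use keys)"; rc=1; }
    # The LTS releases in the talk ship OpenSSH 5.x, so say "Protocol 2" explicitly; "2,1" still offers v1.
    v=$(sshd_get "$f" Protocol)
    [ "$v" = 2 ] || { echo "FAIL Protocol is '${v:-unset}', want 2"; rc=1; }
    # AllowUsers shrinks the brute-force target list from every local account to a whitelist.
    v=$(sshd_get "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers not set; every local user can be brute forced"; rc=1; }
    return $rc
}

# Constructed sample configs (not real server files) so the audit runs offline.
WEAK_CFG=$(mktemp) HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# typical defaults: root may log in, passwords accepted, v1 still offered
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# deploy may log in only from the management host (constructed address)
AllowUsers deploy@203.0.113.10
EOF

# Demo:
echo "== weak config ==";     sshd_audit "$WEAK_CFG" || echo "(fails, as expected)"
echo "== hardened config =="; sshd_audit "$HARD_CFG" && echo "all checks pass"
```

On a real host run it as `sshd_audit /etc/ssh/sshd_config`. After editing the file, check the syntax with `sshd -t` before restarting, and keep your current session open until a second login with the new settings succeeds.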
Files and Permissions
          Read (r)   Write (w)   Execute (x)
User         4          2            1
Group        4          -            1
Others       4          -            -
-rwxr-xr-- = 0754 (user 7, group 5, others 4)
Apache Web Server
/etc/apache2/conf.d/security (on Apache 2.4 packages this file is /etc/apache2/conf-available/security.conf)
line 27: ServerTokens Prod (report only "Apache", not version and modules)
line 39: ServerSignature Off (no version footer on error pages)
MySQL Database Server
if the database and web server are on the same host, then the MySQL server should only listen on localhost
/etc/mysql/my.cnf
bind-address=127.0.0.1
MySQL Database Server
run # mysql_secure_installation
create a new user for each new database
only give SELECT, UPDATE, INSERT, DELETE, ALTER, CREATE privileges to the new user
the new user should be for localhost only; don't grant to '%' (any host)
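As an added example (not from the talk) covering both MySQL slides, the shell below first checks that the [mysqld] section of a my.cnf really binds to 127.0.0.1, then generates the CREATE USER / GRANT statements for one application user with exactly the privilege list above, refusing any host other than localhost. The database name appdb, user app and the my.cnf fragment are constructed; the password is taken from the environment variable MYSQL_APP_PASSWORD (a name chosen for this example) so it never shows up in `ps` output or shell history as a command-line argument. Note that ALTER and CREATE are only needed while running schema changes; a running application normally needs just SELECT, INSERT, UPDATE and DELETE.

```shell
#!/bin/sh
# Added example: verify loopback binding and generate a least-privilege MySQL grant.

# Constructed my.cnf fragment carrying the setting from the slide.
SAMPLE_MYCNF='[client]
port = 3306
[mysqld]
user = mysql
# bind-address = 0.0.0.0
bind-address = 127.0.0.1
[mysqldump]
quick'

# Returns 0 if the effective bind-address in the [mysqld] section is 127.0.0.1.
# Later duplicates override earlier ones, as in mysqld; comments are skipped.
mysql_bound_to_loopback() {   # reads a my.cnf on stdin
    awk '
    /^[ \t]*\[/ { sect = $0; next }                       # track the current [section]
    /^[ \t]*#/  { next }                                  # skip comments
    sect ~ /\[mysqld\]/ && /^[ \t]*bind-address[ \t]*=/ {
        split($0, kv, "="); val = kv[2]; gsub(/[ \t]/, "", val); last = val
    }
    END { exit (last == "127.0.0.1") ? 0 : 1 }'
}

# Prints SQL creating one user limited to one database, reachable only from localhost.
mysql_app_grant_sql() {       # $1 = database, $2 = user, $3 = host (default localhost)
    db=$1 user=$2 host=${3:-localhost}
    if [ "$host" != localhost ]; then
        echo "refusing host '$host': application users should be 'user'@'localhost'" >&2
        return 1
    fi
    # identifiers are restricted to [A-Za-z0-9_] so they are safe inside the generated SQL
    case "$db$user" in ''|*[!A-Za-z0-9_]*) echo "bad database or user name" >&2; return 1 ;; esac
    [ -n "$MYSQL_APP_PASSWORD" ] || { echo "set MYSQL_APP_PASSWORD first" >&2; return 1; }
    # escape backslashes and single quotes for a MySQL string literal
    pw=$(printf '%s' "$MYSQL_APP_PASSWORD" | sed 's/\\/\\\\/g' | sed "s/'/''/g")
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Demo with the constructed inputs:
printf '%s\n' "$SAMPLE_MYCNF" | mysql_bound_to_loopback && echo "mysqld is bound to loopback"
MYSQL_APP_PASSWORD='constructed-demo-password'
mysql_app_grant_sql appdb app
```

Real usage: `mysql_bound_to_loopback < /etc/mysql/my.cnf` after editing, and `MYSQL_APP_PASSWORD=... mysql_app_grant_sql appdb app | mysql -u root -p` to apply the grant.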
Uncomplicated Firewall
• ufw default deny // Kitchen sink: drop everything not allowed below; set it before enabling
• ufw allow 22 // SSH access; add this before enabling or you lock yourself out
• ufw allow 80 // Website access
• ufw allow 443 // Secure website access
• ufw enable
Uncomplicated Firewall
ufw allow from <external DB IP> to <current host IP> port 3306 (when the database is on another host, let only that host reach MySQL)
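The order of the ufw commands matters more than the slides suggest: the deny policy and the SSH allow rule must exist before `ufw enable`. As an added example (not from the talk), the shell below applies both ufw slides in that safe order and validates the database source address so a rule cannot silently widen to "any". A DRY_RUN switch (an assumption of this example) prints the commands instead of running them, which is how the demo runs on a machine without ufw; 10.0.0.5 and 10.0.0.8 are constructed addresses.

```shell
#!/bin/sh
# Added example: apply the talk's ufw rules in a lock-out-safe order.

run() {   # executes the command, or only prints it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Base policy for a web server: SSH, HTTP and HTTPS in, nothing else.
ufw_web_baseline() {
    run ufw default deny incoming      # the "kitchen sink" rule, set before enabling
    run ufw default allow outgoing
    run ufw allow 22/tcp               # SSH access; must precede enable
    run ufw allow 80/tcp               # website access
    run ufw allow 443/tcp              # secure website access
    run ufw --force enable             # --force skips the interactive confirmation
}

# Only a named host may reach MySQL here. Accepts a dotted IPv4 address or CIDR,
# so "any"-style widening is rejected (a rough format check, not full validation).
ufw_allow_mysql_from() {   # $1 = web server IP, $2 = this host's IP (default: any)
    src=$1 dst=${2:-any}
    case $src in
        ''|*[!0-9./]*) echo "refusing source '$src': give an IPv4 address or CIDR" >&2; return 1 ;;
    esac
    run ufw allow from "$src" to "$dst" port 3306 proto tcp
}

# Demo with DRY_RUN so nothing on this machine changes:
DRY_RUN=1
ufw_web_baseline
ufw_allow_mysql_from 10.0.0.5 10.0.0.8
```

Run the same two functions without DRY_RUN as root to apply the rules; `ufw status numbered` afterwards shows what was added.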
Reference Web App Architecture
The Document Root should only contain files that are meant to be served to the user
everything else should be in a folder outside it
Reference Web App Architecture
/var/www/site/public for files to serve (the Document Root)
/var/www/site/private for config files (never reachable by URL)
keep the file owner as the person who uploads the site
keep the group as www-data, so the web server can read the files but not write them
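As an added example (not from the talk) that ties the permissions slide to this layout, the shell below creates the public/private split, applies the owner/www-data scheme with modes 0750 on directories and 0640 on files, and checks that nothing under the site is group- or world-writable (a writable document root is what lets a compromised web process rewrite the site). The demo runs in a temporary directory with the current user and group; on a real host it would be run as root against /var/www/site with group www-data. The config and index files it writes are constructed.

```shell
#!/bin/sh
# Added example: build /var/www/site/{public,private} with web-read-only permissions.

site_layout() {   # $1 = site root, $2 = uploading user, $3 = web server group
    root=$1 owner=$2 grp=$3
    mkdir -p "$root/public" "$root/private"
    # directories 0750: owner rwx, web server group r-x (traverse and list), others nothing
    find "$root" -type d -exec chmod 0750 {} +
    # files 0640: owner rw, web server group r, others nothing
    find "$root" -type f -exec chmod 0640 {} +
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp -R "$grp" "$root"
    else
        echo "note: group '$grp' not found on this host, group left unchanged" >&2
    fi
    # only root may hand files to another user; skipped when not root
    [ "$(id -u)" -eq 0 ] && chown -R "$owner" "$root"
    return 0
}

# Octal mode of a path (GNU stat), used to verify the layout.
site_mode() { stat -c %a "$1"; }

# Fails if any file or directory under the site is group- or world-writable.
site_check_readonly_for_web() {   # $1 = site root
    bad=$(find "$1" \( -type f -o -type d \) -perm /022 | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Demo in a scratch directory with constructed files:
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
site_layout "$DEMO/site" "$(id -un)" "$(id -gn)"
echo 'db_password=constructed' > "$DEMO/site/private/config.php"
echo '<html>hello</html>'      > "$DEMO/site/public/index.html"
site_layout "$DEMO/site" "$(id -un)" "$(id -gn)"      # re-run to fix the modes of new files
echo "private dir $(site_mode "$DEMO/site/private"), config $(site_mode "$DEMO/site/private/config.php")"
site_check_readonly_for_web "$DEMO/site" && echo "web server cannot write anything under the site"
```

If the application needs an upload directory, give only that directory group write access and keep it outside public or served with script execution disabled; re-run `site_check_readonly_for_web` after deployments to catch permissions that drifted.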
My name is list, Check List
Start from a mini iso
Remove unwanted services
Whitelist user for SSH login
MySQL users need to be protected
Default Deny and Allow Specific
Wait, there is more you can do
• Logs of SSH, web servers
• Monitoring of these services
• Add whitelisted hosts to /etc/hosts.allow or blacklisted hosts to /etc/hosts.deny (TCP wrappers; applies to services built with them, such as sshd on these releases)
Akash Mahajan, That Web Application Security Guy
http://akashm.com | @makash
[email protected] | 9980527182
Questions and Answers
References
• Information about the F-117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
• Unable to find out where I got the staircase image from. If you know please do let me know.
• Rest of the images are from istockphoto.com