Securing A Linux Web Server In 10 steps or Less

•Télécharger en tant que PPTX, PDF•

7 j'aime•8,917 vues

Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security. The following types of servers running Linux Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2 Not going to help if you have your website on Shared servers like Dreamhost/Go Daddy/Host Gator

Technologie

Akash Mahajan
That Web Application Security Guy

Reduce Attack Surface

F 117
Nighthawk

http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg

#rootconf | @makash | akashm.com 2

What is the Attack Surface

all the TCP and UDP ports listening
on the external interfaces

# netstat -nltup
#rootconf | @makash | akashm.com 3

Reducing the attack surface

by stopping services from
running
# /etc/init.d/<servicename> stop
listen on external IP
bind-address=127.0.0.1

starting at boot time
# update-rc.d <servicename> remove

#rootconf | @makash | akashm.com 4

After Reduction

#rootconf | @makash | akashm.com 5

Mini Distro

start with a 12 MB mini iso

install OpenSSH server
install required LAMP packages using tasksel
there are no compilers, extra libraries

#rootconf | @makash | akashm.com 6

Patching and Updates

choose Long Term Support
release (10.04 LTS, 12.04 LTS)

one command to patch & update

# apt-get update && apt-get upgrade

#rootconf | @makash | akashm.com 7

Protecting Your Access

#rootconf | @makash | akashm.com 8

Reason #1 for Hacked Linux Servers

SSH Server Password Brute Forcing
#rootconf | @makash | akashm.com 9

Secure Shell aka SSH

Conventional wisdom says
don’t allow root to login

don’t use passwords ; use keys

only use SSH version 2.0

#rootconf | @makash | akashm.com 10

Attack Surface in SSH
password bruteforcing requires valid users
who are allowed to login

lot of people use keys without passphrases

make one change in /etc/sshd_config

AllowUsers <user@Host>
#rootconf | @makash | akashm.com 11

Files and Permissions

Read (r) Write (w) Execute (x)

User 4 2 1

Group 4 - 1

Others 4 - -

-rwxr-xr-- | 0754
#rootconf | @makash | akashm.com 12

Apache Web Server

/etc/apache2/conf.d/security

line number 27 ServerTokens Prod
line number 39 ServerSignature Off

#rootconf | @makash | akashm.com 13

MySQL Database Server

if database and web server are on
the same host, then mysql server
should only listen on localhost
/etc/mysql/my.cnf

bind-address=127.0.0.1
#rootconf | @makash | akashm.com 14

MySQL Database Server

run # mysql_secure_installation

create new user for each new database

only give
SELECT, UPDATE, INSERT, DELETE, ALT
ER, CREATE privileges to new user
new user should be for localhost and don’t give %
#rootconf | @makash | akashm.com 15

Uncomplicated Firewall

• ufw enabled

• ufw allow 22 // SSH Access

• ufw allow 80 // Website Access

• ufw allow 443 // Secure Website Access

• ufw default deny // Kitchen Sink

#rootconf | @makash | akashm.com 16

Uncomplicated Firewall

ufw allow from <external DB IP> to
<current host IP> port 3306

#rootconf | @makash | akashm.com 17

Reference Web App Architecture

Document Root should only contain files
that are meant to be served to the user

everything should be in a folder outside it

#rootconf | @makash | akashm.com 18

Reference Web App Architecture

/var/www/site/public for files to serve

/var/www/site/private for config files

keep files user as person who uploads

Keep the group as www-data

#rootconf | @makash | akashm.com 19

My name is list, Check List

Start from a mini iso

Remove unwanted services

Whitelist user for SSH login

MySQL users need to be protected

Default Deny and Allow Specific

#rootconf | @makash | akashm.com 20

Wait, there is more you can do

• Logs of SSH, web servers

• Monitoring of these services

• Add whitelisted to /etc/host.allow or
blacklisted /etc/host.deny

#rootconf | @makash | akashm.com 21

Questions and Answers

Akash Mahajan
That Web Application Security Guy

http://akashm.com | @makash

akashmahajan@gmail.com | 9980527182

References
• Information about F1117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
• Unable to find out where I got the stair case image from. If you know please do let me know.
• Rest of the images are from istockphoto.com

#rootconf | @makash | akashm.com 23

Contenu connexe

Plus de Akash Mahajan

On Writing Well - A talk given at WinjaBlogs Session

Akash Mahajan

App sec in the time of docker containers

Akash Mahajan

Venom vulnerability Overview and a basic demo

Akash Mahajan

Security in the cloud Workshop HSTC 2014

Akash Mahajan

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

Akash Mahajan

The real incident of stealing a droid app+data

Akash Mahajan

Believe It Or Not SSL Attacks

Akash Mahajan

I haz your mouse clicks and key strokes

Akash Mahajan

Hackers versus Developers and Secure Web Programming

Akash Mahajan

Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer. This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Akash Mahajan

Php security

Akash Mahajan

Secure passwords-theory-and-practice

Akash Mahajan

Top 10 web application security risks akash mahajan

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Web application security

Akash Mahajan

Secure Programming In Php

Akash Mahajan

Startups Security

Akash Mahajan

Plus de Akash Mahajan (18)

On Writing Well - A talk given at WinjaBlogs Session

App sec in the time of docker containers

Venom vulnerability Overview and a basic demo

Security in the cloud Workshop HSTC 2014

INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there

The real incident of stealing a droid app+data

Believe It Or Not SSL Attacks

I haz your mouse clicks and key strokes

Hackers versus Developers and Secure Web Programming

Secure HTTP Headers c0c0n 2011 Akash Mahajan

Php security

Secure passwords-theory-and-practice

Top 10 web application security risks akash mahajan

Web application security

Secure Programming In Php

Startups Security

Dernier

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

ICT role in 21st century education and its challenges

rafiqahmad00786416

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Dernier (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

WSO2's API Vision: Unifying Control, Empowering Developers

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Introduction to Multilingual Retrieval Augmented Generation (RAG)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Vector Search -An Introduction in Oracle Database 23ai.pptx

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

ICT role in 21st century education and its challenges

Boost Fertility New Invention Ups Success Rates.pdf

MS Copilot expands with MS Graph connectors

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

DBX First Quarter 2024 Investor Presentation

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Why Teams call analytics are critical to your entire business

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

AWS Community Day CPH - Three problems of Terraform

CNIC Information System with Pakdata Cf In Pakistan

Securing A Linux Web Server In 10 steps or Less

1. Akash Mahajan That Web Application Security Guy

2. Reduce Attack Surface F 117 Nighthawk http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg #rootconf | @makash | akashm.com 2

3. What is the Attack Surface all the TCP and UDP ports listening on the external interfaces # netstat -nltup #rootconf | @makash | akashm.com 3

4. Reducing the attack surface by stopping services from running # /etc/init.d/<servicename> stop listen on external IP bind-address=127.0.0.1 starting at boot time # update-rc.d <servicename> remove #rootconf | @makash | akashm.com 4

5. After Reduction #rootconf | @makash | akashm.com 5

6. Mini Distro start with a 12 MB mini iso install OpenSSH server install required LAMP packages using tasksel there are no compilers, extra libraries #rootconf | @makash | akashm.com 6

7. Patching and Updates choose Long Term Support release (10.04 LTS, 12.04 LTS) one command to patch & update # apt-get update && apt-get upgrade #rootconf | @makash | akashm.com 7

8. Protecting Your Access #rootconf | @makash | akashm.com 8

9. Reason #1 for Hacked Linux Servers SSH Server Password Brute Forcing #rootconf | @makash | akashm.com 9

10. Secure Shell aka SSH Conventional wisdom says don’t allow root to login don’t use passwords ; use keys only use SSH version 2.0 #rootconf | @makash | akashm.com 10

11. Attack Surface in SSH password bruteforcing requires valid users who are allowed to login lot of people use keys without passphrases make one change in /etc/sshd_config AllowUsers <user@Host> #rootconf | @makash | akashm.com 11

12. Files and Permissions Read (r) Write (w) Execute (x) User 4 2 1 Group 4 - 1 Others 4 - - -rwxr-xr-- | 0754 #rootconf | @makash | akashm.com 12

13. Apache Web Server /etc/apache2/conf.d/security line number 27 ServerTokens Prod line number 39 ServerSignature Off #rootconf | @makash | akashm.com 13

14. MySQL Database Server if database and web server are on the same host, then mysql server should only listen on localhost /etc/mysql/my.cnf bind-address=127.0.0.1 #rootconf | @makash | akashm.com 14

15. MySQL Database Server run # mysql_secure_installation create new user for each new database only give SELECT, UPDATE, INSERT, DELETE, ALT ER, CREATE privileges to new user new user should be for localhost and don’t give % #rootconf | @makash | akashm.com 15

16. Uncomplicated Firewall • ufw enabled • ufw allow 22 // SSH Access • ufw allow 80 // Website Access • ufw allow 443 // Secure Website Access • ufw default deny // Kitchen Sink #rootconf | @makash | akashm.com 16

17. Uncomplicated Firewall ufw allow from <external DB IP> to <current host IP> port 3306 #rootconf | @makash | akashm.com 17

18. Reference Web App Architecture Document Root should only contain files that are meant to be served to the user everything should be in a folder outside it #rootconf | @makash | akashm.com 18

19. Reference Web App Architecture /var/www/site/public for files to serve /var/www/site/private for config files keep files user as person who uploads Keep the group as www-data #rootconf | @makash | akashm.com 19

20. My name is list, Check List Start from a mini iso Remove unwanted services Whitelist user for SSH login MySQL users need to be protected Default Deny and Allow Specific #rootconf | @makash | akashm.com 20

21. Wait, there is more you can do • Logs of SSH, web servers • Monitoring of these services • Add whitelisted to /etc/host.allow or blacklisted /etc/host.deny #rootconf | @makash | akashm.com 21

22. Questions and Answers Akash Mahajan That Web Application Security Guy http://akashm.com | @makash akashmahajan@gmail.com | 9980527182

23. References • Information about F1117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk • Unable to find out where I got the stair case image from. If you know please do let me know. • Rest of the images are from istockphoto.com #rootconf | @makash | akashm.com 23

Notes de l'éditeur

starting at boot time#update-rc.d <servicename> removelistening on external IPbind-address=127.0.0.1

Securing A Linux Web Server In 10 steps or Less

Recommandé

Recommandé

Contenu connexe

Plus de Akash Mahajan

Plus de Akash Mahajan (18)

Dernier

Dernier (20)

Securing A Linux Web Server In 10 steps or Less

Notes de l'éditeur