Extreme security in web servers
1. Extreme security in web servers
Daniel García García a.k.a cr0hn (@ggdaniel) http://es.linkedin.com/in/garciagarciadaniel 1
2. Creative Commons License
The art of disguise - Anti-fingerprinting techniques by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Reconocimiento-NoComercial-SinObraDerivada 3.0 Unported License.
Permissions beyond the scope of this license may be available at: dani@iniqua.com.
3. Acknowledgments
• Manuel Trujillo <TooManySecrets>
• Francisco Jesus Gomez Rodriguez (@ffranz)
• @capi_x <capi_x@haibane.org>
• Maikel Mayán <@AloneInTheShell>
4. What is this talk about?
1. Infrastructure: virtualization vs physical.
2. Choosing OS base: FreeBSD.
3. Brief intro to configuration of FreeBSD.
4. Isolating processes.
5. 1 - Infrastructure: Virtualization vs physical
6. 1 – Infrastructure: Virtualization vs physical
a) Virtualization advantages.
b) Virtualization solutions.
c) Why use a server virtualization system?
d) Organizing the virtual machines: approaches.
7. 1.a - Virtualization advantages
• Less physical space.
• Less energy costs.
• Better use of resources.
• Scalability.
• Simplicity of administration.
8. 1.b - Virtualization solutions
9. 1.c - Why use a server virtualization system?
• Scalability
• Centralized storage system.
• Hot cloning.
• Hot migrating of machines.
• Modular architecture.
• Simple management.
10. 1.c - Why use a server virtualization system?
Examples:
• VMware ESXi
• Xen
• Proxmox
11. 1.d - Organizing the virtual machines: approaches
I. One machine for all.
12. 1.d - Organizing the virtual machines: approaches
II. Two machines: frontend and backend.
13. 1.d - Organizing the virtual machines: approaches
III. Multilevel:
14. 2 – Choosing OS base:
15. 2 – Choosing OS base: FreeBSD
a) Why use FreeBSD?
b) Who uses FreeBSD?
16. 2.a – Why use FreeBSD?
• Simplicity of the kernel.
• Simple to recompile the whole system.
• Built-in security features.
• Isolation features, like jails.
• Administration simplicity.
• Can run Linux binaries.
17. 2.b – Who uses FreeBSD?
• JunOS
• Citrix
• Nokia’s firewalls
• PlayStation 3
• Netflix
• Netcraft
• Some parts of Apple OS X
• …
18. 3 – Configuration of system
19. 3 – Configuration of system.
a) Adjust system binaries.
b) Configuration files.
c) Kernel and “user-land”.
20. 3.a – Adjust system binaries
21. I. Install LLVM/clang
Q: Why use LLVM/clang?
A: It generates more optimized code than gcc.
See a comparison:
http://blog.buguroo.com/?tag=compilador-gcc-llvm-clang-benchmark&lang=en
22. II. Patch and reinstall OpenSSH
Q: Why patch OpenSSH?
A: To evade fingerprinting techniques.
See how to patch it in:
http://www.slideshare.net/cr0hn/the-art-of-disguise-antifingerprinting-techniques
23. 3.b – Configuration files.
24. I. /etc/src.conf
28. V. /etc/make.conf
(Annotations on the file: make the execution of exploits harder; prevent hooking.)
30. 3.c – Kernel and “user-land”
31. I. Update system source
• First, we need the cvsup tool.
• Configure our repository config file:
• Update the system source (this also includes the kernel).
32. II. Configure kernel
• Configuration file:
• Adjust some basic parameters:
Only if you don’t need fat/vfat support!
33. III. Compile the kernel
(Annotations on the commands: our kernel configuration file; enable the LLVM static analyzer.)
34. IV. The “user-land”
Q: What’s “user-land”?
A: “User-land” is the name for all the basic binaries and programs of the system: syslog, common commands (sed, awk, sort…), gcc, clang…
Q: How do you configure the “user-land”?
A: You can customize what the user-land includes with the file “/etc/src.conf”.
35. IV. Recompile the user-land
(Annotations on the commands: delete old compiled objects; make all files erasable; enable the static optimizations of LLVM.)
36. 4 – Isolating processes
37. 4 – Isolating processes
a) Concept of a jail.
b) How to create a basic jail?
c) Maintainable jail system.
d) Jail deployment: approaches.
e) How to deploy a web site using jails.
38. 4.a – Concept of jail
Jail ≠ chroot
Jail = chroot rules + resources + network + tools
39. 4.a – Concept of jail.
Jail: Operating system level virtualization
40. 4.b – How to create a basic jail
Let’s get to work!
41. I. – Compilation variables
When can you use compilation variables?
• When compiling a port.
• When compiling the kernel.
• When compiling the user-land.
42. I. – Compilation variables
• FORCE_PKG_REGISTER: force reinstallation, even if the binary is already installed.
• PORT_DBDIR: location of the database that tracks which binaries are installed.
• PREFIX: destination of the compiled binaries.
• DESTDIR: chroots into the indicated path and installs the binaries inside it.
43. II. – Create a jail
1. Creating the root folder for our jail:
2. Copying common system binaries:
3. Copying the system source code:
4. Installing the ports system into the jail:
5. Copying missing system configuration files:
(Annotation on the copy command: a special command that copies files, permissions, hard links, soft links, etc.)
44. II. – Create a jail
• Add to host /etc/rc.conf:
To give the jail access to the network outside the jail, each jail must have an interface alias and be assigned the same IP as that alias.
• Manually start jail system:
45. II. – Create a jail
• Add to jail /home/j/test_jail/etc/rc.conf:
This line gives the jail outside connectivity.
46. III. – Installation of programs
Installing the nginx server into the jail:
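The two rc.conf pieces described on slides 44 and 45 (the host alias plus the jail_* stanza with the same IP, and the jail's own minimal rc.conf), written as an added POSIX shell example. This is not the author's script and the slides' screenshots are not reproduced: the jail name, IP, interface and root directory are constructed sample values, the jail_<name>_* and ifconfig_<iface>_alias<n> variable names are the classic rc.conf jail syntax from before jail.conf, and the contents of the jail's own rc.conf are an assumed, commonly used minimal set. The script writes both files into a staging directory so they can be reviewed before being merged into the real /etc/rc.conf files.

```shell
#!/bin/sh
# Added example, not from the original slides. Generates the host-side and
# jail-side rc.conf fragments for one basic jail. All paths, names and the
# jail's minimal settings are assumptions, not the slides' exact content.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Host side: one interface alias per jail and a jail_<name>_* stanza whose
# IP is exactly the alias address (the rule from slide 44).
# Usage: host_rc_conf <jail_name> <root_dir> <interface> <alias_index> <ip>
host_rc_conf() {
    name=$1; root=$2; iface=$3; idx=$4; ip=$5
    valid_ipv4 "$ip" || { echo "host_rc_conf: bad IP '$ip'" >&2; return 1; }
    # The jail name becomes part of a shell variable name, so it must be a
    # plain identifier; the FreeBSD rc scripts have the same restriction.
    case $name in
        *[!A-Za-z0-9_]*|"") echo "host_rc_conf: bad jail name '$name'" >&2; return 1 ;;
    esac
    cat <<EOF
# --- host /etc/rc.conf (assumed layout) ---
ifconfig_${iface}_alias${idx}="inet ${ip} netmask 255.255.255.255"
jail_enable="YES"
jail_list="${name}"
jail_${name}_rootdir="${root}"
jail_${name}_hostname="${name}"
jail_${name}_ip="${ip}"
jail_${name}_interface="${iface}"
jail_${name}_devfs_enable="YES"
EOF
}

# Jail side: the jail's own /etc/rc.conf. network_interfaces="" stops the
# jail from touching interfaces it does not own (the host already set the
# alias); the other lines switch off daemons that have no business inside
# a jail. This is an assumed minimal set, not the slide's exact file.
jail_rc_conf() {
    cat <<'EOF'
# --- jail /etc/rc.conf (assumed minimal set) ---
network_interfaces=""
sendmail_enable="NONE"
syslogd_flags="-ss"
rpcbind_enable="NO"
cron_enable="NO"
EOF
}

# Write both files under a staging directory: <stage>/host/etc/rc.conf and
# <stage><root_dir>/etc/rc.conf. Review them, then merge into the real files.
# Usage: write_jail_rc <staging_dir> <jail_name> <root_dir> <interface> <alias_index> <ip>
# Example: write_jail_rc /tmp/jail-stage test_jail /home/j/test_jail em0 0 192.168.1.10
write_jail_rc() {
    stage=$1; shift
    root=$2
    mkdir -p "$stage/host/etc" "$stage$root/etc"
    host_rc_conf "$@" > "$stage/host/etc/rc.conf" || return 1
    jail_rc_conf > "$stage$root/etc/rc.conf"
}
```

The alias and the jail IP come from the same variable, so the consistency the slide asks for is enforced by construction; the IP and name checks refuse input that would otherwise produce a broken alias line or an rc.conf variable name the rc scripts cannot evaluate.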
47. 4.c – Maintainable Jail system
48. 4.c – Maintainable Jail system
I. Separating roles
II. Block diagram
III. Advantages
IV. Real example: role separated web server
49. I. – Separating roles
Isolated system = Shared base binaries + Skeletons + Shared programs
50. I. – Separating roles
Q: What are the shared base binaries?
A: The user-land binaries. All jails have these in common.
Q: What are skeletons?
A: A collection of configuration files tuned for a specific task. We have one skel for each role: web servers, database servers, PHP, Java… They may also be called templates.
Q: What are the shared programs?
A: Any program you want to run: Apache, MySQL, etc.
51. I. – Separating roles
In other words…
• Shared base binaries: common commands such as ls, sed, awk, sort, uniq…
• Skeletons: custom config files such as /etc/rc.conf, /etc/make.conf, /etc/pf.conf, …
• Shared programs: Apache, MySQL, PHP…
• Resulting jail, e.g. a jailed Apache web server.
52. II. – Block diagram
53. III. – Advantages
Q: Why is the jail system maintainable?
A: Because all binaries are shared between all virtual machines and jails on shared storage.
Q: Why use skel templates?
A: Because then you can deploy a new jail just by copying a template, e.g. copying the skel of a web server.
Q: How can I update the system and/or any binary?
A: You only have to update the shared base binaries folder and/or the shared programs folder. The updates spread to all jails.
54. IV. – Role separated web server
a) Create folders for each type of role
b) Create shared base binaries container
c) Create base skeleton
d) Create shared web server
e) Mount the jail
f) Start the jail
55. a) Create folders for each type of role
• Skeletons:
• Shared base binaries:
• Shared binaries:
• Mounted jails: (the working directory for a concrete jail.)
56. b) Create shared base binaries container
57. c) Create base skeleton
(Annotation on the commands: move the configuration and non-shared info to the skel.)
58. c) Create base skeleton
(Annotations on the commands: copy missing configuration files; not necessary for a template; make relative links to the essential directories.)
59. c) Create base skeleton
Copy the hardened configuration files (following the steps of point 3.b) into the jail:
• src.conf
• auth.conf
• login.conf
• make.conf
• sysctl.conf
60. d) Create shared web server
1. Create the directory for the binary:
2. Install nginx, with all its dependencies, into the folder:
61. e) Mount the jail
• Create the mount folder for our web server:
• Like a puzzle, join the roles in /etc/fstab:
(Annotations on the fstab entries: the concrete skeleton of the web server; the common, shared base binaries; the shared web server binaries.)
• Add the jail to the host’s /etc/rc.conf:
62. f) Start the jail
Finally, we start the jail system by typing:
Or, if it is already started…
63. 4.d – Jail deploys: Approaches
64. 4.d – Jail deploys: Approaches
a) Simple architecture I
b) Simple architecture II
c) Equilibrated architecture.
d) Complex architecture.
65. Deploy approaches
Maintainability vs. security level:
a) Simple architecture I
b) Simple architecture II
c) Equilibrated architecture
d) Complex architecture
66. a) Simple architecture I
67. a) Simple architecture I
• One machine for all services.
• Shared programs: nginx, php, MySQL, pureFTPd…
• Separate storage for the DB and the web content.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared web and ftp servers for all web sites.
68. b) Simple architecture II
69. b) Simple architecture II
• One machine for all services.
• Shared programs: nginx, php, MySQL, pureFTPd…
• Separate storage for the DB and the web content.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared ftp servers for all web sites.
• Isolated web server for each web site.
Like Simple architecture I
71. c) Equilibrated architecture
• Backend and frontend separated into two virtual machines.
• Shared programs on network storage: nginx, php, MySQL, pureFTPd…
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared ftp servers for all web sites.
73. d) Complex architecture
• 3 levels in 3 virtual machines: load balancer, business layer and backend.
• Separate storage outside the virtualization server.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Isolated web server for each web site.
• Shared ftp servers for all web sites.
74. 4.d – Deploying a web site using jails
Example: Deploy the WordPress Site
www.mytestsite.com
75. 4.d – Deploy a web site using jails
I. Select a deploy model
II. Create system binaries
III. Create binaries
IV. Create user content info
V. Create mounting folder
VI. Configure PHP
VII. Configure web server
VIII. Create PHP for site
IX. Create web server for site
X. Create FTP server
XI. Create web balancer
XII. Create MySQL server
XIII. Install WordPress
XIV. Configure jail and enable jail.
76. I. – Select deploy model
This example follows the model mentioned above: Simple architecture II
77. II. – Create system binaries
System binaries folder, shared by all jails.
78. III. – Create binaries
• Install php (don’t forget to compile it without the CLI option, for security!)
• Install mysql
• Install nginx
• Install ftp
79. IV. – Create user content info
Directories that will contain the site info (for future use).
80. V. – Create mounting folder
1. Create mount point directory:
2. Create root directories:
81. VI. – Configure php
• Modifying: /php/mytestsite.com/conf/php-fpm.ini
82. VI. – Configure php
• Modifying:
/home/js/mytestsite.com-php/usr/local/etc/php-fpm.conf
83. VII. – Configure web server
• Configuring: /home/j/mytestsite.com/usr/local/etc/nginx/nginx.conf
84. VIII. – Create PHP for site
• Create the base folder and copy the skeleton (or profile) for the web server
• Create the mount point for the site’s isolated php server.
• Create the mount point for the web content.
85. VIII. – Create PHP for site
• Configuration of init script for web server jail:
/home/j/mytestsite.com-php/etc/rc.conf
86. IX. – Create web server for site
• Create the base folder and copy the skeleton (or profile) for the web server
• Create the mount point for the site’s isolated web server.
• Create the mount point for the web content.
87. IX. – Create web server for site
• Configuration of init script for web server jail:
/home/j/mytestsite.com-wserver/etc/rc.conf
88. X. – Create FTP server
• Create the base folder and copy the skeleton (or profile) for the FTP server
• Create the mount point of the isolated FTP server.
• Create the mount point for the web content.
89. X. – Create FTP server
• Configuration of init script for FTP server jail:
/home/j/ftpserver/etc/rc.conf
90. X. – Create FTP server
• Configuring: /home/j/ftpserver/usr/local/etc/pure-ftpd.conf
There are more configuration parameters, but these are the most important.
91. XI. – Create web balancer
• Create the base folder and copy the skeleton (or profile) for the web balancer:
• Create the mount point of the isolated web balancer server.
92. XI. – Create web balancer
• Configuration of init script for web balancer jail:
/home/j/webbalancer/etc/rc.conf
93. XI. – Create web balancer
• Configuring: /home/j/webbalancer/usr/local/etc/nginx/nginx.conf
Redirect to the web server of the isolated web site.
94. XII. – Create MySQL server
• Create the base folder and copy the skeleton (or profile) for the mysql server:
• Create the mount point of the isolated mysql server.
95. XII. – Create MySQL server
• Configuration of init script for web server jail:
/home/j/mysql/etc/rc.conf
Change listen address.
96. XIII. – Install WordPress
• Install WordPress from the FreeBSD sources into the host system. This method allows us to easily install our own patches.
• Copy the sources to our site:
97. XIII. – Install WordPress
• Configure our WordPress installation, defining the location of MySQL (the IP of our jail with MySQL).
98. XIV. – Configure and enable the jail
Configure /etc/fstab.
99. XIV. – Configure and enable the jail
Configure /etc/fstab (cont).
100. XIV. – Configure and enable the jail
Enable jail in the system /etc/rc.conf:
101. XIV. – Configure and enable the jail
Enable jail in the system /etc/rc.conf (cont):
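The "puzzle" of nullfs mounts from slide 61 (e) Mount the jail) and the /etc/fstab of slides 98 and 99, built for the five jails of the WordPress deployment (Simple architecture II: one PHP runtime and one web server per site, shared FTP, balancer and MySQL), as an added POSIX shell example that is not the author's script. The slides show these files only as screenshots, so every directory name here is an assumption standing in for your own layout: /home/j/base for the shared base binaries, /home/j/shared/<program> for the shared programs, /home/js/<jail> for the jail's own copy of the skeleton (mounted on <jail>/s, reached through the skeleton's relative links), /home/sites/<site> for the web content and /home/j/<jail> as the mount point. Besides generating the table, the script checks the property the whole maintainable-jail design depends on: anything shared between jails is mounted read-only, so root inside one jail cannot modify the binaries every other jail executes, and no mount point is used twice.

```shell
#!/bin/sh
# Added example, not from the original slides. Builds the /etc/fstab for the
# role-separated WordPress jails and checks the read-only rule for shared
# trees. All directory names are assumed placeholders for your own layout.

BASE=/home/j/base          # shared base binaries (the user-land), read-only
SHARED=/home/j/shared      # shared programs, one directory per program, read-only
SKEL_RW=/home/js           # per-jail writable tree (the copied skeleton)
SITES=/home/sites          # web content, one directory per site
MNT=/home/j                # where the jails are assembled

# Print the nullfs lines that assemble one jail, in mount order.
# Usage: jail_fstab <jail_name> <shared_program> [<site_with_rw_content>]
jail_fstab() {
    name=$1; prog=$2; content=${3:-}
    root=$MNT/$name
    # 1. the read-only user-land goes first; every later mount sits on top of it
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$BASE" "$root"
    # 2. the jail's own writable tree (etc, var, tmp ... via the skel's relative links)
    printf '%s\t%s\tnullfs\trw\t0\t0\n' "$SKEL_RW/$name" "$root/s"
    # 3. the shared program tree, read-only like the base
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$SHARED/$prog" "$root/usr/local"
    # 4. optional: site content, writable, only for jails that serve or edit it
    [ -n "$content" ] && printf '%s\t%s\tnullfs\trw\t0\t0\n' \
        "$SITES/$content" "$root/usr/local/www/$content"
    return 0
}

# The complete deployment: php and web server jails per site plus the shared
# ftp, balancer and mysql jails. Only the jails that touch the site content
# (php, web server, ftp) get the writable content mount.
wordpress_fstab() {
    wp_site=mytestsite.com
    jail_fstab "$wp_site-php"     php       "$wp_site"
    jail_fstab "$wp_site-wserver" nginx     "$wp_site"
    jail_fstab ftpserver          pure-ftpd "$wp_site"
    jail_fstab webbalancer        nginx
    jail_fstab mysql              mysql
}

# Read an fstab on stdin and report layout violations:
#  - anything mounted from under $BASE or $SHARED must carry the ro option
#  - no mount point may appear twice
# Prints one line per violation and returns 1 if any was found.
check_fstab() {
    bad=0
    seen=""
    while read -r src dst fstype opts _; do
        case $src in ''|'#'*) continue ;; esac
        case $src in
            "$BASE"|"$BASE"/*|"$SHARED"/*)
                case ",$opts," in
                    *,ro,*) ;;
                    *) echo "writable shared mount: $src on $dst ($opts)"; bad=1 ;;
                esac ;;
        esac
        case " $seen " in
            *" $dst "*) echo "duplicate mount point: $dst"; bad=1 ;;
        esac
        seen="$seen $dst"
    done
    return $bad
}

# Usage: wordpress_fstab | check_fstab && wordpress_fstab >> /etc/fstab
```

Running the generated table through check_fstab before appending it to /etc/fstab catches the two mistakes that silently defeat the design: an rw on a shared tree (one compromised jail can then trojan binaries for all of them) and a duplicate mount point (the later entry shadows the earlier one, so the jail may run with a tree you did not intend). The same checker can be run against an existing /etc/fstab on the host.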