Protecting Plone From The Big, Bad Internet

Steve McMahon, Reid-McMahon, LLC
Erik Rose, WebLion, Pennsylvania State University
<SteveM>
CVE Vulnerability Records
Common Vulnerabilities & Exposures
So, why worry?
<Basics>
Defense in Depth
Single Wall Defense
Maginot Line
Failure of single wall defense
Proposition: Zope is our Maginot Line
CVE-2007-5741
Original release date: 11/07/2007
Last revised: 09/05/2008
Source: US-CERT/NIST

Overview

Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to
execute arbitrary Python code via network data containing pickled objects
for the (1) statusmessages or (2) linkintegrity module, which the module
unpickles and executes.
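The CVE above is the classic "unpickle what the network sent you" defect. The fix Plone actually shipped is not on the slides; the following is an added example (not the slides' code and not Plone's) of the general hardening pattern: the vulnerable call beside a restricted unpickler that refuses any global reference not on an allowlist. The allowlist (SAFE_GLOBALS) and the two sample payloads are constructed for the example.

```python
import io
import pickle
from collections import OrderedDict

# Constructed allowlist for this example: the only (module, name) pairs a
# pickle coming off the wire is allowed to reference. Plain dicts, lists,
# strings and numbers need no global lookup at all, so they always load.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves a global only if it is on SAFE_GLOBALS.

    A pickle stream names classes and callables through the GLOBAL /
    STACK_GLOBAL opcodes, and pickle.Unpickler resolves them through
    find_class(); overriding that method is the documented hook for
    refusing arbitrary code.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def unsafe_loads(data):
    """What CVE-2007-5741 amounts to: bytes from the network go straight in."""
    return pickle.loads(data)


def safe_loads(data):
    """Same input, but every global reference is checked first."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data):
    """Try safe_loads and report ('ok', obj) or ('refused', reason)."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


# Constructed samples: a status message made only of plain containers, and
# one that drags in a class reference (a harmless one here, but resolved by
# the same mechanism the CVE describes).
SAMPLE_PLAIN = pickle.dumps({"type": "info", "message": "Saved.", "ids": [1, 2]})
SAMPLE_GLOBAL = pickle.dumps(OrderedDict(message="Saved."))

if __name__ == "__main__":
    print(classify(SAMPLE_PLAIN))
    print(classify(SAMPLE_GLOBAL))
    print(type(unsafe_loads(SAMPLE_GLOBAL)).__name__)
```

`unsafe_loads` happily rebuilds the OrderedDict; `safe_loads` stops at the first global it does not recognise. The allowlist is the whole point: a module that only ever pickles its own status messages has no business resolving anything else.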
Principle of Least Privileges
</Basics>
Daemon Security
No Rights
Bad Example: Sendmail (1990s)

[Diagram: Sendmail architecture. One sendmail process, using root privileges,
takes mail from the network and delivers to the network, to |command and to
/file/name (the latter two named in ~/.forward files and in /etc/aliases).
Local submission goes through /bin/mail, also using root privileges and
executed as the recipient. Local delivery writes to a mailbox file owned by
the recipient.]
Good Example: Postfix
Compartmentalization

[Diagram: Postfix architecture. Mail from the internet enters through an
unprivileged smtpd server, local submission through an unprivileged pickup
process; both feed the queue directories. Unprivileged smtp clients deliver
to the internet; a privileged local delivery agent handles mailbox, |command
and /file/name destinations; privileged external transports handle uucp, fax
and pager. Legend distinguishes components with root privilege from those
with postfix privilege.]
<Implementation>
<File & Process>
Typical Installation

Process UID: Plone

File Owner: Plone
  ./var
  ./logs
  ./parts
  *.pyc
Why is that so bad?

Daemon can write into its own code space.
A Better Way

Process UID: Plone

File Owner: root
  ./parts
  *.py*

File Owner: Plone
  ./var
  ./logs
Making it happen

Python-2.4/lib/python2.4/compileall.py

Via buildout:

[precompile]
recipe = plone.recipe.precompiler
Even Better: ZEO

Process UID: zclient (Zope client)
Process UID: zeo (ZEO server)

./client-log   File Owner: zclient
./parts        File Owner: root
./var          File Owner: zeo
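A way to check that the layout above has actually been achieved, as an added example (not the slides' or Plone's code): walk the instance's code tree and list every code file, and every directory holding code, that the daemon's uid could write. The suffix list and the throwaway tree built by `demo()` are constructed for the example; `writable_by` checks only the classic owner/group/other bits and ignores ACLs.

```python
import os
import stat
import tempfile

# File types that make up the instance's code space (constructed list for
# this example; extend it for your own buildout layout).
CODE_SUFFIXES = (".py", ".pyc", ".pyo", ".zcml", ".pt")


def writable_by(mode, file_uid, file_gid, uid, gids):
    """Classic Unix permission check: can a process with identity uid/gids
    write an object with these stat fields? root can write anything; ACLs
    and capabilities are deliberately ignored."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_code_tree(root, uid, gids):
    """Return paths (relative to root) of code files, and of the directories
    holding them, that the daemon identity could modify. A writable
    directory counts: the file can be swapped out even if the file itself
    is read-only."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        code_files = [n for n in filenames if n.endswith(CODE_SUFFIXES)]
        if not code_files:
            continue
        for name in [None] + code_files:  # None stands for the directory itself
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Build a throwaway tree shaped like the slides' ./parts and audit it
    twice: once as the file owner (the 'Typical Installation' case) and once
    as an unrelated uid with no groups (the 'A Better Way' case, where code
    is owned by someone other than the daemon)."""
    root = tempfile.mkdtemp(prefix="plone-audit-")
    inst = os.path.join(root, "parts", "instance")
    os.makedirs(inst)
    for d in (os.path.join(root, "parts"), inst):
        os.chmod(d, 0o755)
    for name, mode in (("app.py", 0o644), ("app.pyc", 0o664)):
        path = os.path.join(inst, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    me = os.getuid()
    return {
        "as_owner": audit_code_tree(root, me, (os.getgid(),)),
        "as_stranger": audit_code_tree(root, me + 1, ()),
    }


if __name__ == "__main__":
    for who, paths in demo().items():
        print(who, paths or "nothing writable")
```

Run it against a real instance as `audit_code_tree("/path/to/buildout", <daemon uid>, <daemon gids>)`: an empty result is the state the "A Better Way" slide describes, and anything listed is code the daemon could rewrite for itself.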
Windows
</File & Process>
</Implementation>
</SteveM>
<Port Security>
Reverse Proxy

[Diagram, built up over four slides: the Evil, Monstrous Internet first talks
straight to Zope; then Apache is placed in front of Zope as a reverse proxy;
then SSL terminates at Apache.]
Listen Locally

[Diagram: Evil, Monstrous Internet -> SSL -> Apache -> Zope (8080) -> ZEO (8100),
with the 8080 and 8100 ports shown behind Apache.]

zope.conf:
ip-address 127.0.0.1

ssh -L 3333:127.0.0.1:8080 fred@example.com -N

zeo.conf:
address 127.0.0.1:8100
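A quick way to verify the two settings above on a running host, as an added example (not the slides' code): parse `ss -ltn` output and flag any backend port bound to something other than loopback. The `ss` sample below is constructed, not captured from a real server, and the port set is an assumption matching the slides (8080 for Zope, 8100 for ZEO, plus 8081 for a second client).

```python
import subprocess

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       50      *:8100               *:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     [::1]:8081           [::]:*
"""

# Ports that should only ever be reachable through the reverse proxy
# (assumed values for this example).
BACKEND_PORTS = {8080, 8081, 8100}


def parse_ss_listeners(text):
    """Return (host, port) for each LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        if port.isdigit():
            listeners.append((host, int(port)))
    return listeners


def is_loopback(host):
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 (ss prints IPv6 in brackets)."""
    return host.startswith("127.") or host == "[::1]"


def exposed_backends(text, backend_ports=BACKEND_PORTS):
    """Backend listeners bound to anything other than loopback: exactly what
    `ip-address 127.0.0.1` and `address 127.0.0.1:8100` are meant to prevent."""
    return [(host, port) for host, port in parse_ss_listeners(text)
            if port in backend_ports and not is_loopback(host)]


if __name__ == "__main__":
    try:
        text = subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True).stdout
    except FileNotFoundError:
        text = SAMPLE_SS  # no ss on this box; fall back to the sample
    for host, port in exposed_backends(text):
        print("backend port %d is reachable on %s" % (port, host))
```

In the sample, ZEO on `*:8100` is the one finding: it would be reachable from every interface, while the Zope listeners on `127.0.0.1` and `[::1]` pass. The `ssh -L` tunnel on the slide is how an administrator then reaches such a port without opening it.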
Untrusted Local Users

[Diagram: Zope (81) and ZEO (8100) on Your Server, with Evil Dude holding a
local account on the same machine.]

iptables -A OUTPUT -p tcp --dport 81 -o lo \
    -m owner ! --uid-owner www-data -j REJECT

iptables -A OUTPUT -p tcp --dport 8100 -o lo \
    -m owner ! --uid-owner zope -j REJECT
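The two rules above have to be present after every reboot and must not be stacked up each time the script runs. The following is an added example (not the slides' code) that builds the same rule from a (port, user) table and appends it only when `iptables -C` reports it missing. `FakeIptables` is a constructed stand-in for `subprocess.run` so the logic can be exercised without root; the `BINDINGS` table repeats the slide's values.

```python
import subprocess
from types import SimpleNamespace

# The slides' bindings: which uid may connect to each loopback port.
BINDINGS = [(81, "www-data"), (8100, "zope")]


def owner_reject_rule(port, allowed_user):
    """The slides' rule as an argument list (everything after -A/-C):
    reject loopback TCP to `port` unless the sending process runs as
    `allowed_user`."""
    return ["OUTPUT", "-p", "tcp", "--dport", str(port), "-o", "lo",
            "-m", "owner", "!", "--uid-owner", allowed_user, "-j", "REJECT"]


def ensure_rules(bindings, run=subprocess.run, dry_run=False):
    """Append each rule only if `iptables -C` says it is missing, so the
    script can be re-run at boot without duplicating rules. Returns the
    iptables argument lists that were (or, with dry_run, would be) added."""
    added = []
    for port, user in bindings:
        spec = owner_reject_rule(port, user)
        check = ["iptables", "-C"] + spec
        append = ["iptables", "-A"] + spec
        if dry_run:
            added.append(append)
            continue
        if run(check, capture_output=True).returncode != 0:
            run(append, check=True)
            added.append(append)
    return added


class FakeIptables:
    """Constructed stand-in for subprocess.run (no root needed): behaves as
    if the rules in `existing` were already loaded, and remembers -A calls."""

    def __init__(self, existing=()):
        self.existing = [list(r) for r in existing]
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(argv)
        if argv[1] == "-A":
            self.existing.append(argv[2:])
            return SimpleNamespace(returncode=0)
        present = argv[2:] in self.existing
        return SimpleNamespace(returncode=0 if present else 1)


def demo_with_fake():
    """Run ensure_rules twice against one FakeIptables: the first pass adds
    both rules, the second finds them present and adds nothing."""
    fake = FakeIptables()
    return ensure_rules(BINDINGS, run=fake), ensure_rules(BINDINGS, run=fake)


if __name__ == "__main__":
    for argv in ensure_rules(BINDINGS, dry_run=True):
        print(" ".join(argv))
```

With the real `subprocess.run` this needs root and a kernel with the owner match; the dry run prints the exact commands so they can be reviewed before they are installed.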
Privileged Ports

[Diagram, built up over several slides: Zope (8080) and ZEO (8100) on Your
Server; Zope goes away, leaving only ZEO (8100); Evil Dude, a local user,
starts Evil Zope listening on the now-free 8080. Background image: INTERCAL
numerical I/O library source.]
</Port Security>
<Within Zope>
PluggableAuthService (PAS)

WebServerAuth
a PluggableAuthService plugin

Redirects to HTTPS
(Challenge)

Makes Zope believe the username header
(Extraction, Authentication)

Makes PAS behave
(User Enumerator)

WebServerAuth
a PluggableAuthService plugin

<VirtualHost *:443>
  ServerName www.example.com

  # Prompt for authentication:
  <Location />
    SSLRequireSSL
    AuthType Basic
    AuthName "My Funky Web Site"
    AuthUserFile /etc/such-and-such
    # (etc.)
    Require valid-user

    # Put the username (stored below) into the HTTP_X_REMOTE_USER
    # request header. This has to be in the <Location> block for
    # some Apache auth modules, such as PubCookie, which don't set
    # REMOTE_USER until very late.
    RequestHeader set X_REMOTE_USER %{remoteUser}e
  </Location>

  # Do the typical VirtualHostMonster rewrite, adding an E= option
  # that puts the Apache-provided username into the remoteUser
  # variable.
  RewriteEngine On
  RewriteRule ^/(.*)$ \
          http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 \
          [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>

<VirtualHost *:80>
  ...
  RequestHeader unset X_REMOTE_USER
  ...
</VirtualHost>
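The three plugin roles listed on the WebServerAuth slides, and the reason the `:80` vhost must `unset` the header while the `:443` vhost `set`s it, as an added example in plain Python (this is a model, not WebServerAuth's own code and not the PAS API; the class and function names are hypothetical, and the two request dictionaries are constructed).

```python
HEADER = "HTTP_X_REMOTE_USER"  # CGI-environ name of the X_REMOTE_USER request header


def proxy_forward(client_headers, proxy_user=None, over_tls=False):
    """Model of the two Apache vhosts' header rules.

    The :443 vhost does `RequestHeader set X_REMOTE_USER ...` after it has
    authenticated the user; the :80 vhost does `RequestHeader unset`. Either
    way the browser's own copy of the header never reaches Zope.
    """
    forwarded = dict(client_headers)
    forwarded.pop(HEADER, None)          # unset, whatever the client sent
    if over_tls and proxy_user:
        forwarded[HEADER] = proxy_user   # set, from Apache's own auth result
    return forwarded


class WebServerAuthModel:
    """Plain-Python sketch of the three plugin roles named on the slides."""

    def challenge(self, url, is_https):
        """Challenge: bounce plain-HTTP requests to HTTPS so that Apache,
        not Zope, prompts for credentials. Returns (status, location), or
        None to let another challenger run."""
        if not is_https and url.startswith("http://"):
            return ("302", "https://" + url[len("http://"):])
        return None

    def extractCredentials(self, environ):
        """Extraction: read the login from the proxy-supplied header."""
        login = environ.get(HEADER)
        return {"login": login} if login else {}

    def authenticateCredentials(self, credentials):
        """Authentication: believe the header, because Apache already
        checked the password. Returns (user_id, login) like a PAS
        authenticator, or None."""
        login = credentials.get("login")
        return (login, login) if login else None


def whoami(client_headers, proxy_user=None, over_tls=False):
    """End to end: browser headers -> proxy -> plugin. Returns user id or None."""
    plugin = WebServerAuthModel()
    environ = proxy_forward(client_headers, proxy_user, over_tls)
    creds = plugin.extractCredentials(environ)
    result = plugin.authenticateCredentials(creds)
    return result[0] if result else None


# Constructed requests: one carrying its own X_REMOTE_USER header on the
# plain-HTTP vhost, and one that Apache authenticated on the TLS vhost.
SELF_ASSERTED = {HEADER: "admin", "HTTP_HOST": "www.example.com"}
GENUINE = {"HTTP_HOST": "www.example.com"}

if __name__ == "__main__":
    print(whoami(SELF_ASSERTED))
    print(whoami(GENUINE, proxy_user="alice", over_tls=True))
    print(WebServerAuthModel().challenge("http://www.example.com/docs", False))
```

The authenticator is deliberately trusting: it is only safe because every path into Zope (port 81 on loopback, the `:80` vhost, the `:443` vhost) either strips or overwrites the header. That is why the loopback port itself also needs the "Listen Locally" and owner-match protections from the earlier slides.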
LDAP
PloneLDAP + plone.app.ldap

Users & groups in LDAP
Create & delete through Plone
Relax—written by Wiggy
Writing PAS Plugins

PAS Reference Manual
http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages

NoGoChallenger
https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk

PASPlugins folder
https://svn.plone.org/svn/collective/PASPlugins

Plugin interfaces
PluggableAuthService/interfaces/plugins.py

Paster template
paster create -t plone_pas
Questions?
Steve McMahon, Steve@dcn.org
Erik Rose, ErikRose@psu.edu

Image Credits
• Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
• Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
• Locks on door: Kansir, flickr, CC Attribution license
• What me worry? Rev. Voodoo, flickr, CC Attribution, NC
• BSD Daemon: Created by Poul-Henning Kamp
• No Right Turn: greefus groinks' photostream, CC Attribution
• Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
• The Scream: Edvard Munch
• Shrug: spamily, flickr, CC by A
• Zope Pope photo: MrTopf
• PB&J photo: Northern Miniatures
• Other photos: Wikimedia Commons
• INTERCAL Numerical I/O lib: Brian Raiter
• Crown jewels of Denmark: King Christian IV
References
• Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
• https://weblion.psu.edu/wiki/SecureZope
WebServerAuth
Advantages over apachepas + AutoMemberMaker

• Redirects to HTTPS
• No user clutter
• Member and Authenticated roles are distinct
• Sets up Log In link for you
• Better test coverage; death to doctests
• One product, not two

Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Protecting Plone from the Big, Bad Internet

  • 1. Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
  • 4. CVE Vulnerability Records: Common Vulnerabilities & Exposures
  • 19. Failure of single wall defense
  • 21. Proposition: Zope is our Maginot Line
  • 22. CVE-2007-5741. Original release date: 11/07/2007; last revised: 09/05/2008; source: US-CERT/NIST. Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
  • 23. Principle of Least Privileges
  • 29. Bad Example: Sendmail (1990s)
      from network → Sendmail* → to network, to |command**, to /file/name**
      local submission → /bin/mail* (executed as recipient) → local delivery → mailbox file (owned by recipient)
      * uses root privileges
      ** in ~/.forward files and in /etc/aliases
  • 30. Good Example: Postfix Compartmentalization (architecture diagram: smtp client and smtpd server face the internet as unprivileged processes; pickup handles local submission; the queue directories feed local delivery to a mailbox, |command or /file/name and external transports such as uucp, fax and pager; the legend separates root privilege from postfix privilege)
  • 33. <Implementation> <File & Process>
  • 35. Typical Installation: Process UID: Plone; File Owner: Plone for ./var, ./logs, ./parts and *.pyc
  • 37. Why is that so bad? Daemon can write into its own code space.
  • 38. A Better Way: Process UID: Plone; ./parts and *.py* owned by root; ./var and ./logs owned by Plone
  • 40. Making it happen: precompile with Python-2.4/lib/python2.4/compileall.py, or via buildout: [precompile] recipe = plone.recipe.precompiler
  • 41. Even Better: ZEO. Process UIDs: zclient (Zope client) and zeo (ZEO server). File owners: ./client-log: zclient; ./parts: root; ./var: zeo
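A check for the ownership split the slides describe (./parts and its *.py/*.pyc owned by root, ./var and ./logs owned by the process user), as an added example that is not part of the talk: it walks a buildout tree and reports every path under ./parts that the daemon uid can modify. The sample tree, its file names and the uid argument are constructed for illustration.

```python
"""Audit a Plone/Zope buildout for code that the daemon user can modify.

Added example, not from the slides.  Directory names follow the slides'
layout: ./parts holds the code (*.py, *.pyc) and should be owned by root,
while ./var and ./logs are the only trees the process user should own.
"""
import os
import shutil
import stat
import tempfile

CODE_DIRS = ("parts",)   # writable code here == the daemon can rewrite itself


def writable_code_files(buildout_root, daemon_uid):
    """Return relative paths under CODE_DIRS that daemon_uid could change.

    Directories count too: a directory the daemon owns lets it drop a fresh
    .pyc or a new module beside root-owned sources.  Group-writable paths
    are not considered because group membership is not resolved here.
    """
    findings = []
    for name in CODE_DIRS:
        top = os.path.join(buildout_root, name)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue                  # a symlink's own bits mean nothing
                owner_writes = st.st_uid == daemon_uid and st.st_mode & stat.S_IWUSR
                world_writes = st.st_mode & stat.S_IWOTH
                if owner_writes or world_writes:
                    findings.append(os.path.relpath(path, buildout_root))
    return sorted(findings)


def _write(root, rel, mode):
    """Create a constructed sample file with an explicit permission mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(path, mode)


def audit_sample_tree(daemon_uid=None):
    """Build a constructed buildout tree in a temp dir, audit it, clean up.

    daemon_uid=None lets the current user play the daemon that owns every
    file (the 'Typical Installation').  A uid that owns nothing (-1 works)
    models root-owned code; then only the stray world-writable file shows.
    """
    if daemon_uid is None:
        daemon_uid = os.getuid()
    root = tempfile.mkdtemp(prefix="plone-audit-")
    try:
        _write(root, "parts/instance/Products/foo.py", 0o644)
        _write(root, "parts/instance/Products/foo.pyc", 0o644)
        _write(root, "parts/instance/scratch.py", 0o666)    # world-writable
        _write(root, "var/filestorage/Data.fs", 0o644)      # data: daemon's
        _write(root, "logs/event.log", 0o644)
        for dirpath, dirs, _files in os.walk(root):
            for d in dirs:
                os.chmod(os.path.join(dirpath, d), 0o755)
        return writable_code_files(root, daemon_uid)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel in audit_sample_tree():
        print("daemon can modify:", rel)
```

On a real server, pass the buildout root and the daemon's uid (for example `pwd.getpwnam("plone").pw_uid`) to `writable_code_files`; an empty result is the state slide 38 asks for.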
  • 45. </File & Process> </Implementation> </SteveM>
  • 50. Reverse Proxy: Evil, Monstrous Internet → SSL → Apache → Zope
  • 52. Listen Locally: Zope on 8080 behind Apache (SSL); zope.conf: ip-address 127.0.0.1
  • 54. Listen Locally: to reach the loopback-bound port from elsewhere, tunnel over SSH: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
  • 57. Listen Locally: ZEO on 8100; zeo.conf: address 127.0.0.1:8100
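An added example (not from the slides) that audits the two bind settings shown above, zope.conf's ip-address and zeo.conf's address, and reports any Zope or ZEO listener not restricted to the loopback interface. The sample configs are constructed, and the parser is a minimal reading of ZConfig syntax rather than the ZConfig library.

```python
"""Flag Zope and ZEO listeners that are not bound to the loopback interface.

Added example, not from the slides.  It checks the two settings the slides
rely on: zope.conf's top-level ``ip-address`` (bind host for an <http-server>
whose ``address`` is only a port) and zeo.conf's ``address`` inside <zeo>.
The parser is a minimal line-based reading of ZConfig syntax, not ZConfig.
"""
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SECTION_RE = re.compile(r"^\s*<(/?)([\w-]+)[^>]*>\s*$")
KEY_RE = re.compile(r"^\s*([\w-]+)\s+(\S+)\s*$")


def parse_conf(text):
    """Return (section_path, key, value) triples; () is the top level."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blanks
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            closing, name = m.group(1), m.group(2).lower()
            if not closing:
                stack.append(name)
            elif stack and stack[-1] == name:
                stack.pop()
            continue
        m = KEY_RE.match(line)
        if m:
            entries.append((tuple(stack), m.group(1).lower(), m.group(2)))
    return entries


def split_address(value, default_host):
    """'8080' -> (default_host, 8080); '[::1]:8100' -> ('::1', 8100)."""
    host, sep, port = value.rpartition(":")
    if not sep:                                   # bare port: inherit the host
        return default_host, int(port)
    return host.strip("[]") or default_host, int(port)


def exposed_listeners(conf_text):
    """List (section, host, port) for listeners reachable from other hosts."""
    entries = parse_conf(conf_text)
    default_host = next(
        (v for path, k, v in entries if path == () and k == "ip-address"), "")
    exposed = []
    for path, key, value in entries:
        if key != "address" or not path:          # only addresses in a section
            continue
        host, port = split_address(value, default_host)
        if host.lower() not in LOOPBACK:
            # empty host == all interfaces, the case 'Listen Locally' removes
            exposed.append((path[-1], host or "0.0.0.0", port))
    return exposed


# Constructed sample configs in the shape the slides show.
ZOPE_OPEN = "<http-server>\n  address 8080\n</http-server>\n"
ZOPE_LOCAL = "ip-address 127.0.0.1\n" + ZOPE_OPEN
ZEO_OPEN = "<zeo>\n  address 8100\n</zeo>\n"
ZEO_LOCAL = "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n"

if __name__ == "__main__":
    for conf in (ZOPE_OPEN, ZOPE_LOCAL, ZEO_OPEN, ZEO_LOCAL):
        print(exposed_listeners(conf) or "loopback only")
```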
  • 60. Untrusted Local Users: Zope (81) and ZEO (8100) on Your Server; Evil Dude is an untrusted local user on the same machine
  • 64. Untrusted Local Users: iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
  • 65. Untrusted Local Users: iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT
  • 67. Privileged Ports: Zope (8080) and ZEO (8100) on Your Server
  • 69. Privileged Ports: Zope is gone; only ZEO (8100) remains on Your Server
  • 70. Privileged Ports: Evil Dude's Evil Zope (also 8080) beside ZEO (8100) on Your Server (slide 72 shows an INTERCAL source listing)
  • 78. WebServerAuth, a PluggableAuthService plugin
      Redirects to HTTPS (Challenge)
      Makes Zope believe the username header (Extraction, Authentication)
      Makes PAS behave (User Enumerator)
  • 80. WebServerAuth, a PluggableAuthService plugin
      <VirtualHost *:443>
          ServerName www.example.com
          # Prompt for authentication:
          <Location />
              SSLRequireSSL
              AuthType Basic
              AuthName "My Funky Web Site"
              AuthUserFile /etc/such-and-such
              # (etc.)
              Require valid-user
  • 81. WebServerAuth, a PluggableAuthService plugin
              # Put the username (stored below) into the HTTP_X_REMOTE_USER
              # request header. This has to be in the <Location> block for
              # some Apache auth modules, such as PubCookie, which don't set
              # REMOTE_USER until very late.
              RequestHeader set X_REMOTE_USER %{remoteUser}e
          </Location>
          # Do the typical VirtualHostMonster rewrite, adding an E= option
          # that puts the Apache-provided username into the remoteUser
          # variable.
          RewriteEngine On
          RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
      </VirtualHost>
  • 82. WebServerAuth, a PluggableAuthService plugin
      <VirtualHost *:80>
          ...
          RequestHeader unset X_REMOTE_USER
          ...
      </VirtualHost>
  • 87. LDAP: PloneLDAP + plone.app.ldap
      Users & groups in LDAP
      Create & delete through Plone
      Relax—written by Wiggy
  • 94. Writing PAS Plugins
      PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
      NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
      PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
      Plugin interfaces: PluggableAuthService/interfaces/plugins.py
      Paster template: paster create -t plone_pas
  • 95. Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
      Image Credits
      • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
      • Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
      • The Scream: Edvard Munch
      • Locks on door: Kansir, Flickr, CC Attribution license
      • Shrug: spamily, Flickr, CC by A
      • What me worry? Rev. Voodoo, Flickr, CC Attribution, NC
      • PB&J photo: Northern Miniatures
      • Other photos: Wikimedia Commons
      • No Right Turn: greefus groinks' photostream, CC Attribution
      • Crown jewels of Denmark: King Christian IV
      • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
      • Zope Pope photo: MrTopf
      • BSD Daemon: Created by Poul-Henning Kamp
      • INTERCAL Numerical I/O lib: Brian Raiter
  • 96. References
      • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
      • https://weblion.psu.edu/wiki/SecureZope
  • 97. WebServerAuth: Advantages over apachepas + AutoMemberMaker
      Redirects to HTTPS
      No user clutter
      Member and Authenticated roles are distinct
      Sets up Log In link for you
      Better test coverage; death to doctests
      One product, not two