Learn the basic approaches to securing linux based web servers without getting too technical. This talk will be useful for anyone running a linux server with full root access. You don't need to be an experienced system administrator to understand and use the content of this talk. But if you are a full time system admin you will get to know a structured way of looking at server security. The following types of servers running Linux Virtual Private Server/Dedicated Server/Rackspace Cloud Instance/Amazon EC2 Not going to help if you have your website on Shared servers like Dreamhost/Go Daddy/Host Gator

1. Akash Mahajan
That Web Application Security Guy

2. Reduce Attack Surface
F 117
Nighthawk
http://en.wikipedia.org/wiki/File:F-117_Nighthawk_Front.jpg
#rootconf | @makash | akashm.com 2

3. What is the Attack Surface
all the TCP and UDP ports listening
on the external interfaces
# netstat -nltup
#rootconf | @makash | akashm.com 3

4. Reducing the attack surface
by stopping services from
running
# /etc/init.d/<servicename> stop
listen on external IP
bind-address=127.0.0.1
starting at boot time
# update-rc.d <servicename> remove
#rootconf | @makash | akashm.com 4

5. After Reduction
#rootconf | @makash | akashm.com 5

6. Mini Distro
start with a 12 MB mini iso
install OpenSSH server
install required LAMP packages using tasksel
there are no compilers, extra libraries
#rootconf | @makash | akashm.com 6

7. Patching and Updates
choose Long Term Support
release (10.04 LTS, 12.04 LTS)
one command to patch & update
# apt-get update && apt-get upgrade
#rootconf | @makash | akashm.com 7

8. Protecting Your Access
#rootconf | @makash | akashm.com 8

9. Reason #1 for Hacked Linux Servers
SSH Server Password Brute Forcing
#rootconf | @makash | akashm.com 9

10. Secure Shell aka SSH
Conventional wisdom says
don’t allow root to login
don’t use passwords ; use keys
only use SSH version 2.0
#rootconf | @makash | akashm.com 10

11. Attack Surface in SSH
password bruteforcing requires valid users
who are allowed to login
lot of people use keys without passphrases
make one change in /etc/sshd_config
AllowUsers <user@Host>
#rootconf | @makash | akashm.com 11

12. Files and Permissions
Read (r) Write (w) Execute (x)
User 4 2 1
Group 4 - 1
Others 4 - -
-rwxr-xr-- | 0754
#rootconf | @makash | akashm.com 12

13. Apache Web Server
/etc/apache2/conf.d/security
line number 27 ServerTokens Prod
line number 39 ServerSignature Off
#rootconf | @makash | akashm.com 13

14. MySQL Database Server
if database and web server are on
the same host, then mysql server
should only listen on localhost
/etc/mysql/my.cnf
bind-address=127.0.0.1
#rootconf | @makash | akashm.com 14

15. MySQL Database Server
run # mysql_secure_installation
create new user for each new database
only give
SELECT, UPDATE, INSERT, DELETE, ALT
ER, CREATE privileges to new user
new user should be for localhost and don’t give %
#rootconf | @makash | akashm.com 15

16. Uncomplicated Firewall
• ufw enabled
• ufw allow 22 // SSH Access
• ufw allow 80 // Website Access
• ufw allow 443 // Secure Website Access
• ufw default deny // Kitchen Sink
#rootconf | @makash | akashm.com 16

17. Uncomplicated Firewall
ufw allow from <external DB IP> to
<current host IP> port 3306
#rootconf | @makash | akashm.com 17

18. Reference Web App Architecture
Document Root should only contain files
that are meant to be served to the user
everything should be in a folder outside it
#rootconf | @makash | akashm.com 18

19. Reference Web App Architecture
/var/www/site/public for files to serve
/var/www/site/private for config files
keep files user as person who uploads
Keep the group as www-data
#rootconf | @makash | akashm.com 19

20. My name is list, Check List
Start from a mini iso
Remove unwanted services
Whitelist user for SSH login
MySQL users need to be protected
Default Deny and Allow Specific
#rootconf | @makash | akashm.com 20

21. Wait, there is more you can do
• Logs of SSH, web servers
• Monitoring of these services
• Add whitelisted to /etc/host.allow or
blacklisted /etc/host.deny
#rootconf | @makash | akashm.com 21

22. Questions and Answers
Akash Mahajan
That Web Application Security Guy
http://akashm.com | @makash
akashmahajan@gmail.com | 9980527182

23. References
• Information about F1117 Nighthawk from http://en.wikipedia.org/wiki/Lockheed_F-117_Nighthawk
• Unable to find out where I got the stair case image from. If you know please do let me know.
• Rest of the images are from istockphoto.com
#rootconf | @makash | akashm.com 23