
Application and Server Security


This is my presentation from Denver Startup Week 2016 on security for applications and servers. This presentation covers everything you need to know about securing a Linux server and your application.

Published in: Technology

Application and Server Security

  1. About Me • CEO of Inversoft • Software Developer for 16 years • I’ve had multiple servers hacked • I’ve had rootkits installed • I’ve had applications hacked
  2. LinkedIn hack releases 167 million accounts. Milwaukee Bucks organization accidentally leaks player financials onto the Internet. 4.8 million VTech customers' data stolen. Hacking group leaked more than 25 gigabytes of Ashley Madison data, including user details.
  3. We Must Stop the Madness!
  4. Server Security, Application Security
  5. Server Security • Architecture • Password Security • Remote Access • Two-Factor Authentication • Firewall • Intrusion Detection. Note: almost everything in this section is Linux-specific, and the commands shown are for Debian/Ubuntu (apt-get, service).
  6. Application Security • Run-As User • SSL/TLS • Password Security • SQL Injection • Configuration • Database Security
  7. Architecture (diagram): Application Server | Firewall | Database Server
  8. Architecture Explained • Application server has a public IP • Database server has only a private IP • Firewall controls access to the database server, so only the application server can reach it
  9. Password Security • Force users not to pick weak passwords • Use the libpam-cracklib module (current Debian/Ubuntu releases ship libpam-pwquality instead; its pam_pwquality.so accepts the same minlen, difok and *credit options) • Modify /etc/pam.d/common-password
  10. DEMO
  11. password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
      retry=3: allow 3 attempts to enter an acceptable new password
      minlen=10: minimum length is 10
      difok=3: must differ from the previous password by at least 3 characters
      ucredit=-1: must contain at least 1 uppercase character
      lcredit=-2: must contain at least 2 lowercase characters
      dcredit=-1: must contain at least 1 digit
      ocredit=-1: must contain at least 1 "other" (non-alphanumeric) character
      A negative credit value is a required minimum; a positive value would instead let that class count extra toward minlen, so keep them negative if you want the rule enforced.
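The pam_cracklib options above, modelled in plain Python so you can try candidate passwords offline and see exactly which rule rejects them. This is an added example, not part of the original deck and not pam_cracklib's own code: it is a simplified re-implementation. A negative *credit value is modelled as "at least N characters of that class"; difok is modelled as "at least N characters of the new password do not occur anywhere in the old one". Positive credits, dictionary checks and retry (a PAM conversation detail, not a property of the password) are not modelled.

```python
"""Simplified model of: minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1"""
import string

# Assumed policy: the values from the slide's pam_cracklib line.
POLICY = {
    "minlen": 10,
    "difok": 3,
    "ucredit": -1,   # at least 1 uppercase
    "lcredit": -2,   # at least 2 lowercase
    "dcredit": -1,   # at least 1 digit
    "ocredit": -1,   # at least 1 "other" (anything that is not a letter or digit)
}

CLASS_NAMES = {
    "ucredit": "uppercase",
    "lcredit": "lowercase",
    "dcredit": "digit",
    "ocredit": "other",
}


def count_classes(password):
    """Count characters per class the way the *credit options partition them."""
    alnum = string.ascii_letters + string.digits
    return {
        "ucredit": sum(c in string.ascii_uppercase for c in password),
        "lcredit": sum(c in string.ascii_lowercase for c in password),
        "dcredit": sum(c in string.digits for c in password),
        "ocredit": sum(c not in alnum for c in password),
    }


def check_password(new, old="", policy=POLICY):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < policy["minlen"]:
        problems.append(f"length {len(new)} is below minlen={policy['minlen']}")
    counts = count_classes(new)
    for key, have in counts.items():
        credit = policy[key]
        if credit < 0 and have < -credit:   # negative credit = required minimum
            problems.append(f"needs at least {-credit} {CLASS_NAMES[key]} character(s), has {have}")
    if old:
        # difok, simplified: characters of the new password absent from the old one
        differing = sum(c not in old for c in new)
        if differing < policy["difok"]:
            problems.append(f"only {differing} character(s) differ from the old password, difok={policy['difok']}")
    return problems


if __name__ == "__main__":
    for candidate in ["password1!", "Tr0ub4dor&x", "Ab1!"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run it against your own password list before you roll the PAM change out: anything that fails here will fail at the passwd prompt too, which is the moment users start writing passwords on sticky notes.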
  12. Super User Access • Disable password login as root – usermod -p '*' root (sets a hash no password can match; root is still reachable through sudo) • Disable password-less sudo – remove any Defaults exempt_group=... line and any NOPASSWD tags from /etc/sudoers (edit it with visudo) – keep the standard rule %sudo ALL=(ALL:ALL) ALL
  13. DEMO
  14. Remote Access • Use key-based login • Lock down SSH
  15. SSH Keys • Generate a key pair (with a passphrase) – ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_demo (today prefer -t ed25519, or -b 4096 if you must use RSA) • Create a user – useradd -m -G sudo -s /bin/bash bpontarelli – passwd bpontarelli • Install the public key – scp ~/.ssh/id_demo.pub bpontarelli@192.168.42.2: – ssh bpontarelli@192.168.42.2 – mkdir -m 700 .ssh – mv id_demo.pub .ssh/authorized_keys – chmod 600 .ssh/authorized_keys • Bask in password-less login glory – ssh -i ~/.ssh/id_demo bpontarelli@192.168.42.2 • Don’t forget an agent – ssh-add ~/.ssh/id_demo so the passphrase is typed once per session; the alias ssh='ssh -A' from the talk turns on agent forwarding to every host you connect to, which lets a compromised server use your key while you are logged in, so forward the agent only where you actually need it
  16. DEMO
  17. SSH Server Config (/etc/ssh/sshd_config) • Disable root login – PermitRootLogin no • Disable password login – PasswordAuthentication no • Restart SSH – service ssh restart • Keep your current session open and confirm a fresh key-based login works before you log out
  18. DEMO
  19. Two-Factor Authentication • Use the libpam-google-authenticator module – in /etc/pam.d/sshd: auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok (nullok lets users who have not enrolled a token log in without one; remove it once everyone has enrolled) • Update the SSH configuration – ChallengeResponseAuthentication yes (called KbdInteractiveAuthentication on OpenSSH 8.7 and later) – AuthenticationMethods publickey,keyboard-interactive (key AND code are both required) • Install NTP, because TOTP codes are derived from the current time and a skewed clock rejects valid codes – apt-get install ntp • Restart SSH – service ssh restart • Generate the two-factor key for the user – google-authenticator -l 'bpontarelli@Application Server'
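A check for the three sshd_config changes above (slides 17 and 19), as an added example that is not part of the original deck. It parses the file the way sshd does in two respects that trip people up: keywords are case-insensitive, and the FIRST occurrence of a keyword wins, so a "PasswordAuthentication no" appended at the bottom of a file that already says "yes" higher up does nothing. Lines after a Match line are skipped because they apply only conditionally. The two embedded configs are constructed samples; the expected values are the ones the slides ask for.

```python
"""Audit /etc/ssh/sshd_config for the settings the deck recommends."""
import sys

# What the slides ask for (keywords lower-cased because sshd ignores case).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",            # KbdInteractiveAuthentication on OpenSSH >= 8.7
    "authenticationmethods": "publickey,keyboard-interactive",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, keeping the FIRST value of each keyword."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything up to the next Match or EOF is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored by sshd
    return settings


def audit(text, expected=EXPECTED):
    """Return [(keyword, actual_or_None, wanted)] for every setting that is missing or wrong."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in expected.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != wanted:
            findings.append((key, actual, wanted))
    return findings


# Constructed sample: the hardening was appended below the distro defaults, so it has no effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
# appended later; sshd ignores these because the first occurrence above wins
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: what the global section should look like after slides 17 and 19.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SSHD_CONFIG
    for key, actual, wanted in audit(text):
        print(f"{key}: got {actual!r}, want {wanted!r}")
```

Point it at /etc/ssh/sshd_config after each change; an empty report means the global section says what you think it says. Remember that sshd still has to be restarted for the file to take effect, and that `sshd -t` will catch syntax errors this script does not look for.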
  20. DEMO
  21. Firewall • Persistent iptables – apt-get install iptables-persistent • Create tables and rules (the package saves them in /etc/iptables/rules.v4 and rules.v6) • Reload the service – service netfilter-persistent reload • Lock down as much as possible – database servers should listen only on the private interface and accept connections only from the application server's IP • Be careful! A wrong rule locks you out of your own server, so keep a second session open while you test, and drop by default what you have not explicitly allowed
  22. DEMO
  23. Intrusion Detection • Install Monit (there are others as well) – apt-get install monit • Edit /etc/monit/conf.d/ssh-logins • Edit /etc/monit/monitrc • Create a Slack or Pushover integration script that Monit runs to alert you • Restart the service – service monit restart
  24. DEMO
  25. Application Security
  26. Run-As User • Never run your apps as root • Create an unprivileged user instead – useradd -M -s /bin/false application (no home directory, no login shell) • Use sudo (or something like it, such as the User= setting of a systemd unit) to run your app – sudo -u application nodejs /usr/local/application/app.js
  27. SSL/TLS • Always use TLS (what the slide calls SSL) for your websites • Certificates are easy to get – and cheap, or free • https://letsencrypt.org/
  28. Password Validation • Simple to code • Let’s see some code!
  29. Password Hashing • SHA • MD5 • Bcrypt • PBKDF2 with HMAC-SHA256 (PBKDF2HMACSHA256, yes that’s a real thing!) • Passwords are stored as one-way hashes, never encrypted; plain SHA and MD5 are fast hashes and are not suitable on their own, use a slow, salted scheme such as bcrypt or PBKDF2
  30. Large bitcoin rigs can do 1,000 tera-hashes per second (1e15 SHA-256 hashes per second).
  31. Assume passwords are drawn from an alphabet of about 100 characters (upper, lower, digits, punctuation)…
  32. That’s about 100^9 = 1e18 possible passwords (for passwords of up to 9 characters)
  33. Generating every possible hash for these passwords would take 1e18 / 1e15 = 1e3 seconds
  34. Also known as about 16 minutes
  35. If you stop at 8 characters (1e16 hashes), it takes about 10 seconds, less than one minute
  36. Complexity • Password hashing is about cost • Slow algorithms mean good security • A single SHA or MD5 pass is fast; PBKDF2 repeats an HMAC (with SHA-256 or another hash) for a configurable number of iterations, Bcrypt has a cost (load) factor • More iterations = good • More load = good • Pick the largest cost your login rate can tolerate, and raise it as hardware gets faster
  37. Scale (chart): Number of Servers vs. Number of Logins & Registrations per Second. The cost factor you can afford is bounded by how many logins per second each server has to handle.
  38. Salting • Add a large piece of random garbage (the salt, unique per user) before the password • Then hash that! • Store the salt next to the hash; it is not a secret, it only has to be unique
  39. [{16e49f4f-fd87-41b9-8013-57ed3b0403d8}]Ksie923kd-A291kndj (the salt in brackets, followed by the password)
  40. Salting • This prevents lookups • Lookups are large tables of common password hashes (rainbow tables); with a unique salt per user the attacker has to recompute every guess for every user, and pays the full iteration cost each time
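The two points of slides 29 to 40 in working code, as an added example that is not from the original deck: a salted, slow PBKDF2-HMAC-SHA256 store using only the standard library, a lookup table that cracks unsalted SHA-256 but gets nothing from a salted record, and the slide's own arithmetic as a function. The record format "pbkdf2_sha256$iterations$salt_hex$hash_hex" and the list of common passwords are this example's own constructions. The iteration count is an assumption; measure it on your own login servers.

```python
"""Salted, slow password hashing with PBKDF2-HMAC-SHA256, plus why salting defeats lookups."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed starting point; measure, then raise it as hardware gets faster


def hash_password(password, *, salt=None, iterations=ITERATIONS):
    """Return a self-describing record; a fresh 16-byte random salt is generated per call."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unknown hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- the "lookup" the slides warn about, against unsalted vs. salted hashes ---
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]   # constructed list


def unsalted_hash(password):
    """What a naive application stores: one fast SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


UNSALTED_LOOKUP = {unsalted_hash(p): p for p in COMMON_PASSWORDS}   # precomputed once, reused forever


def crack_unsalted(sha256_hex):
    """One dictionary lookup recovers any common password stored as plain SHA-256."""
    return UNSALTED_LOOKUP.get(sha256_hex)


def crack_salted(record):
    """The same table against a salted record never matches: the attacker must
    recompute every candidate per user, per salt, paying the iteration cost each time."""
    return UNSALTED_LOOKUP.get(record.split("$")[-1])


def brute_force_seconds(alphabet_size, length, hashes_per_second):
    """Slide 33's arithmetic: alphabet^length candidates divided by the attacker's rate."""
    return alphabet_size ** length / hashes_per_second


if __name__ == "__main__":
    record = hash_password("letmein")
    print(record)
    print("verify ok:", verify_password("letmein", record))
    print("unsalted sha256 cracked as:", crack_unsalted(unsalted_hash("letmein")))
    print("salted record cracked as:", crack_salted(record))
    print("9 chars at 1e15 H/s:", brute_force_seconds(100, 9, 1e15), "seconds")
```

Two things to notice: the record carries its own iteration count, so you can raise ITERATIONS later and re-hash each user at their next successful login without a migration; and verify_password uses hmac.compare_digest rather than ==, so the comparison time does not leak how many leading bytes matched.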
  41. http://www.my-application.com/some-data?sort=first_name+desc
  42. select * from users order by first_name desc
  43. http://www.my-application.com/some-data?sort=(select%20CAST((select concat(email,':',password) from users limit 1) as date))+desc
  44. The database error comes straight back to the attacker: "admin@inversoft.com:173ad94aa37d140a5aab46795b14cef88efe8be76930b90460b5da60f4cff76e" is not a Date (error-based injection: the failed CAST echoes the subquery's result)
  45. SQL Injections • Use prepared statements whenever possible • Avoid string concatenation • Map user input to SQL in code (an enum or whitelist); never pass the request value through
  46. http://www.my-application.com/some-data?sort=first_name_DOWN
  47. if (sort == SortEnum.firstName_DOWN) { orderBy = "first_name desc"; } // the ORDER BY text comes from code, never from the request
  48. select * from users where name = ? (prepared statement: the parameter is bound, not concatenated)
  49. select * from users where name = '';select concat(email,':',password) from users limit 1;' (with a prepared statement this whole string is just the value compared against name; with concatenation it becomes a second statement)
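Slides 41 to 49 reproduced against an in-memory SQLite database, beside the two fixes the deck recommends. This is an added example, not from the original deck; the two user rows are constructed (the admin hash is the one printed on slide 44). SQLite does not raise MySQL's "is not a Date" error, so the ORDER BY attack is shown in its blind form: the attacker controls the ORDER BY expression, asks a yes/no question about the data, and reads the answer from the order the rows come back in. The leak works the same way and against the same mistake, concatenating the sort parameter into the query.

```python
"""ORDER BY and WHERE injection against SQLite, with the enum/whitelist and prepared-statement fixes."""
import sqlite3

ADMIN_HASH = "173ad94aa37d140a5aab46795b14cef88efe8be76930b90460b5da60f4cff76e"   # from slide 44


def make_db():
    """Constructed fixture: two users whose email order differs from their first_name order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (email text, password text, first_name text)")
    conn.executemany("insert into users values (?, ?, ?)", [
        ("admin@example.com", ADMIN_HASH, "Zoe"),
        ("bob@example.com", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", "Bob"),
    ])
    return conn


# --- VULNERABLE (slides 41-44): the 'sort' query parameter is pasted into the SQL ---
def list_users_vulnerable(conn, sort):
    sql = "select first_name from users order by " + sort
    return [row[0] for row in conn.execute(sql)]


def leak_first_char_of_admin_hash(conn):
    """Blind version of the slide's attack: one request per guess, the row order is the answer.
    If the guess is right the CASE picks 'email' (order: Zoe, Bob), otherwise 'first_name' (Bob, Zoe)."""
    for guess in "0123456789abcdef":
        sort = ("(case when (select substr(password,1,1) from users where email='admin@example.com')"
                f"='{guess}' then email else first_name end) asc")
        if list_users_vulnerable(conn, sort) == ["Zoe", "Bob"]:
            return guess
    return None


# --- FIX 1 (slides 45-47): the request names an option, code supplies the SQL ---
SORT_OPTIONS = {
    "first_name_UP": "first_name asc",
    "first_name_DOWN": "first_name desc",
}


def is_valid_sort(sort):
    return sort in SORT_OPTIONS


def list_users_safe(conn, sort):
    if not is_valid_sort(sort):
        raise ValueError(f"unknown sort option: {sort!r}")
    sql = "select first_name from users order by " + SORT_OPTIONS[sort]   # our string, not the user's
    return [row[0] for row in conn.execute(sql)]


# --- FIX 2 (slides 48-49): bound parameter instead of concatenation in the WHERE clause ---
def find_user_vulnerable(conn, name):
    sql = "select email from users where first_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    return [row[0] for row in conn.execute("select email from users where first_name = ?", (name,))]


if __name__ == "__main__":
    conn = make_db()
    print("leaked first hash character:", leak_first_char_of_admin_hash(conn))
    print("vulnerable WHERE with \"' or '1'='1\":", find_user_vulnerable(conn, "' or '1'='1"))
    print("prepared WHERE with the same input:", find_user_safe(conn, "' or '1'='1"))
```

The whitelist fix matters because ORDER BY columns and directions cannot be bound as parameters in most drivers; the only safe option is to never let request text reach that part of the statement. Note that slide 49's stacked second statement is also blocked by sqlite3 itself (execute() refuses more than one statement), but that is a driver quirk, not a defence to rely on.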
  50. Configuration • Put all secrets (database passwords, API keys) in configuration files – never in code, and never in version control • Ensure configuration files are NOT world readable – only the application user should have access • Ensure the directory the configuration files are stored in is NOT world readable or executable (searchable) – only the application user should have access
  51. $ chown -R application:application /usr/local/application/config
      $ chmod 700 /usr/local/application/config
      $ chmod 400 /usr/local/application/config/*
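A check that the rules of slides 50 and 51 still hold, as an added example that is not from the original deck. It walks the config directory and reports every entry whose mode grants group or other access, is executable when it should be 400, is not owned by the expected user, or is a symlink; returning findings instead of printing lets a deploy script or cron job fail on them. The owner check defaults to the uid running the script, so run it as the application user. build_demo_dir() creates a constructed temp directory with one correct file and one sloppy one.

```python
"""Audit an application config directory for the 700/400/owner rules on slide 51."""
import os
import stat
import sys
import tempfile


def audit_config_dir(path, owner_uid=None):
    """Return [(path, problem), ...]; an empty list means the directory passes."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    findings = []

    def inspect(p, is_dir):
        st = os.lstat(p)                      # lstat: judge the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "symlink: check where it points, it may expose the target"))
            return
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:                      # any group/other bit set
            findings.append((p, f"mode {mode:04o} grants group/other access"))
        if st.st_uid != owner_uid:
            findings.append((p, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if not is_dir and mode & 0o100:       # config files should be 400, not executable
            findings.append((p, f"mode {mode:04o} is executable, config files should be 400"))

    inspect(path, True)
    for root, dirs, files in os.walk(path):
        for name in dirs:
            inspect(os.path.join(root, name), True)
        for name in files:
            inspect(os.path.join(root, name), False)
    return findings


def build_demo_dir():
    """Constructed fixture: a 700 directory with one correct (400) and one sloppy (644) file."""
    root = tempfile.mkdtemp(prefix="app-config-")
    os.chmod(root, 0o700)
    good = os.path.join(root, "database.properties")
    bad = os.path.join(root, "api-keys.properties")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("secret=not-a-real-secret\n")   # placeholder content
    os.chmod(good, 0o400)
    os.chmod(bad, 0o644)      # the mistake the slide warns about: world readable
    return root, bad


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()[0]
    problems = audit_config_dir(target)
    for p, problem in problems:
        print(f"{p}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as `sudo -u application python3 audit_config.py /usr/local/application/config` after every deploy; the non-zero exit status is what lets a pipeline stop on a config file that was copied in with the wrong mode.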
  52. Database Security • Lock access down by user and by server: a dedicated account that can connect only from the application server's IP and holds only the privileges the application uses
  53. mysql> create user 'inversoft'@'192.168.42.3' identified by 'super-strong-password'; mysql> grant insert, select, update, delete on my_database.* to 'inversoft'@'192.168.42.3'; (192.168.42.3 is the application server's private IP; no wildcard host, and no DDL, FILE or GRANT privileges, so an injected query cannot alter the schema, read files or create users)
