High Security LAMPs
Dutch PHP Conference 2008
The guy in the front

 Johann-Peter Hartmann
 Fulltime PHP Developer since 3.0.4
 likes PHP because people are nice and PHP is fun
 likes Security because Security is fun
 Founder and CTO of Mayflower GmbH
 CEO of SektionEins GmbH, founded with Stefan Esser
Agenda
Where Security happens
Distributed Denial of Service Attacks
Server Hardening
Apache Hardening
MySQL Hardening
PHP Hardening
Application Hardening
PHP Security - where are we right now?
Know your enemy

  [Pie chart of attacker motivation; legend: Profit, Fun; segments 67 % and 33 %]

Source: Breach 2007
Why they attack You

  [Pie chart; legend in chart order: Information theft, Defacement, Malware, Unknown, Fraud, Blackmail, Link Spam, Worms, Phishing, Information Warfare; segment values shown: 42 %, 23 %, 15 %, 8 %, 3 %, 3 %, 3 %, 1 %, 1 %]

Source: Breach 2007
How they attack You

  [Pie chart; legend in chart order: SQL Injection, Information Disclosure, Known Exploits, XSS, Missing Authentication, Guessing of Logins/Sessions, OS Code Execution, Wrong configurations, Missing Anti-Automation, Denial Of Service, Redirect, Wrong Session-Timeout, CSRF; segment values shown: 20 %, 17 %, 15 %, 12 %, 10 %, 8 %, 3 %, 3 %, 3 %, 3 %, 2 %, 2 %, 2 %]

Source: NSI 2006
A simple view on our favourite platform's stack

  PHP-Application
  Apache | MySQL | PHP
  Linux
  Network
Network Attacks: DDoS

Distributed Denial of Service Attacks
  from hundreds to millions of compromised computers (BotNet)
  sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http
  up to 25 GB/s
Distributed Denial of Service
 It's a business model
   Blackmail (in-ist-drin.de 7/2007, many more)
   Political Reasons (Estonia 5/2007, more than 1,000,000 computers in the botnet)
   criminal activities (Anti-419, Anti-Dialer-Sites)
 actually it was developed by and for script kiddies in IRC
How to protect against DDoS
You can't protect yourself
  Your firewall won't help you if your uplink is smaller than 25 GB/s
Your Provider can, ask for "DDoS Managed Security Services"
2 solutions: blackhole your traffic, or use cleaning routers
you won't blackhole your Christmas business, and Cisco DDoS cleaning infrastructure is expensive
Safety for your local network
 You got a firewall and a DMZ
 Attack surface reduction - disable what is not needed
   FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP
 for non-public services you actually need
   packet filtering, a dedicated management IP
   better: use a VPN
How to secure Linux
Deactivate what you don't need
Uninstall what you don't need
Harden your kernel
  deactivate unneeded kernel features
  deactivate loadable kernel modules
Mandatory Access Control like SELinux or AppArmor
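The network slide ("disable what is not needed", "packet filtering, a dedicated management IP") and the Linux slide ("deactivate loadable kernel modules") both describe an audit an administrator repeats after every change. The following is an added example, my own code rather than anything from the talk: it parses constructed `ss -Hlntu` and `sysctl -a` output against an allowlist and reports listeners that should not exist or are bound more widely than intended, plus kernel settings that are not in the hardened state. The allowlist, the management address 10.0.0.5 and the chosen sysctl keys are assumptions made for the example.

```python
"""Audit of listening sockets and kernel hardening knobs.

Added example (not from the slides): parses the output of ``ss -Hlntu`` and
``sysctl -a`` against an allowlist, flagging services that should not be
exposed and kernel settings that are not in the hardened state.
Sample outputs below are constructed for the example.
"""
import re

# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
"""

# Constructed sample of `sysctl -a` output (only the keys the audit looks at).
SAMPLE_SYSCTL = """\
kernel.modules_disabled = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
"""

# Policy, an assumption for this example: which ports may listen on which
# addresses. Public web ports may bind anywhere; SSH only on the management
# IP; MySQL only on loopback. Everything else is "not needed" and is flagged.
MANAGEMENT_IP = "10.0.0.5"   # placeholder management address
ALLOWED = {
    80: {"*"},
    443: {"*"},
    22: {MANAGEMENT_IP},
    3306: {"127.0.0.1"},
}

# Kernel settings the "harden your kernel" advice maps to (my choice):
# modules_disabled=1 forbids further module loading (a one-way switch),
# tcp_syncookies helps under SYN floods, rp_filter drops spoofed sources.
EXPECTED_SYSCTL = {
    "kernel.modules_disabled": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
}

ANY_ADDR = {"0.0.0.0", "[::]", "*"}


def parse_ss(text):
    """Yield (proto, local_addr, port) for each listening socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        yield proto, addr, int(port)


def audit_listeners(ss_text, allowed=ALLOWED):
    """Return a list of findings for sockets that violate the allowlist."""
    findings = []
    for proto, addr, port in parse_ss(ss_text):
        permitted = allowed.get(port)
        if permitted is None:
            findings.append(f"{proto}/{port} on {addr}: not needed, disable or uninstall")
        elif "*" not in permitted and addr not in permitted:
            where = "all interfaces" if addr in ANY_ADDR else addr
            findings.append(f"{proto}/{port} bound to {where}: restrict to {sorted(permitted)}")
    return findings


def audit_sysctl(sysctl_text, expected=EXPECTED_SYSCTL):
    """Return (key, current, wanted) for every setting not in the hardened state."""
    current = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            current[m.group(1)] = m.group(2)
    return [(k, current.get(k), v) for k, v in expected.items() if current.get(k) != v]


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print("LISTENER:", f)
    for k, cur, want in audit_sysctl(SAMPLE_SYSCTL):
        print(f"SYSCTL: {k} is {cur!r}, want {want!r}")
```

On a real host, feed the script the live output (`ss -Hlntu`, `sysctl -a`) instead of the constructed samples; the allowlist is the documented decision of what the machine is for, so anything the audit flags is either a service to remove or a decision to record.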
SELinux

Security Enhanced Linux
developed by the NSA
pretty secure from a technical point of view
part of the mainline kernel 2.6 and Redhat/Fedora
more than 700 different permission types
AppArmor - what it is
 Originally "SubDomain", developed by Immunix
 ... bought by Novell
 Default part of Novell/SuSE Linux
 Open Source, can easily be used within other Linux distributions
 SELinux for idiots
 We use it
AppArmor - what it does
simplified interface to Mandatory Access Control
  based on file permissions and POSIX capabilities
  based on filenames
rather simple Workflow
  you profile your software's permissions while using it
  the profile defines the permissions needed (needs some rework, though)
Why AppArmor works for idiots
upload.php should be able to write to "/images/"
  Default is always deny, so you need to enable it
SELinux:
  the docroot /var/www/html is labelled httpd_sys_content_t
  -> allow writing for the whole /var/www/html
AppArmor:
  /var/www/html/config.inc.php w
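To make the default-deny point concrete, here is an added example (my own code, not AppArmor's parser or anything from the slides) that reads a small profile written in AppArmor's `path perms,` syntax and decides whether a given access is permitted. The profile, the program path `/usr/sbin/php-upload-worker` and the `images/` directory are constructed; the glob handling follows AppArmor's documented meaning of `*` (within one path component) and `**` (across components).

```python
"""Minimal evaluator for AppArmor-style file rules.

Added example, not part of the slides or of AppArmor itself: it parses a
small profile in AppArmor's ``path perms,`` syntax and answers "may this
program access that path?" with the default-deny semantics the slides
describe. The profile text and paths are constructed for the example; the
glob translation follows the documented meaning of ``*`` (within one path
component) and ``**`` (across components).
"""
import re

# Constructed profile for a hypothetical PHP upload handler: the web root is
# readable, only the images directory is writable, the config file is not.
PROFILE = """
/usr/sbin/php-upload-worker {
  /var/www/html/** r,
  /var/www/html/images/* w,
  /var/www/html/images/* r,
  /tmp/php-upload-* rw,
}
"""


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")          # ** crosses directory boundaries
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Return a list of (compiled_regex, set_of_perms) from the file rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(/\S+)\s+([rwxmlk]+),$", line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def is_allowed(rules, path, perm):
    """Default deny: allowed only if some rule matches the path and grants perm."""
    return any(rx.match(path) and perm in perms for rx, perms in rules)


if __name__ == "__main__":
    rules = parse_profile(PROFILE)
    for path, perm in [("/var/www/html/images/cat.png", "w"),
                       ("/var/www/html/config.inc.php", "w"),
                       ("/var/www/html/config.inc.php", "r"),
                       ("/var/www/html/images/sub/x.png", "w"),
                       ("/etc/passwd", "r")]:
        verdict = "allow" if is_allowed(rules, path, perm) else "DENY"
        print(f"{perm} {path}: {verdict}")
```

The worker may write `images/cat.png` but not `config.inc.php`, even though it may read the latter, and a write one directory deeper is denied because `*` does not cross `/`; that per-file granularity is the difference the slide draws against labelling the whole docroot.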
Hardening Apache
 Disable every module you don't need.
 mod_parmguard
   set validation rules for every parameter
 mod_security
   a free, small web application firewall
   filters by regular expressions for every part of the request
   default rulesets (gotroot)
mod_security
 bought by Breach Security, dual-licensed
 filtering the low hanging fruits
    Code Executions, Inclusions, SQL-Injections, XSS
 if a security issue is found, an error message (usually an error 500) is returned to the user
 mod_security 2.0 is stateful and implements session support
Web Application Firewalls
 granular security rules custom tailored for your application
 bridge, router, reverse proxy or embedded in your webserver, appliance or software
 brute force mitigation, cookie encryption, url mapping
 can learn the default behavior of your application
 http parameters are normalized
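The Apache hardening slides describe two complementary filter models, per-parameter validation rules (mod_parmguard) and regular-expression signatures over every part of the request (mod_security), and the WAF slide adds that parameters are normalized first. The following added example, written for this page and not taken from either module, implements both models over constructed requests and shows why normalization matters: a double-URL-encoded value is only caught by the signature after repeated decoding, while the positive model rejects it regardless. The script path `/show.php`, its parameter rules and the signatures are assumptions made for the example.

```python
"""Request inspection in the style of mod_parmguard and mod_security.

Added example (my own code, not from either module or the slides): a
positive model that validates every parameter against a declared rule
(mod_parmguard's idea) and a negative model that runs regular-expression
signatures over every part of the request (mod_security's idea). Input is
normalized (URL-decoded until stable, then lowercased) before the signatures
run. Rules, signatures and sample requests are constructed for the example.
"""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Positive model: per-parameter validation rules for one hypothetical script.
# A request passes only if every parameter is declared and matches its rule.
PARAM_RULES = {
    "/show.php": {
        "id": re.compile(r"^[0-9]{1,10}$"),
        "sort": re.compile(r"^(asc|desc)$"),
    },
}

# Negative model: a few signatures for the "low hanging fruits" the slides
# name (SQL injection, file inclusion, XSS, code execution), applied to
# normalized text. Real rulesets are far larger; these are illustrative.
SIGNATURES = [
    ("sqli", re.compile(r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\s")),
    ("rfi", re.compile(r"=\s*(?:https?|ftp|php|data)://")),
    ("xss", re.compile(r"<\s*script|javascript:|on(?:load|error|click|mouseover|focus)\s*=")),
    ("rce", re.compile(r"\b(?:system|exec|passthru|shell_exec|eval)\s*\(")),
]


def normalize(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), then lowercase."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def check_parameters(path, params, rules=PARAM_RULES):
    """Positive model: list violations (undeclared or malformed parameters)."""
    declared = rules.get(path)
    if declared is None:
        return []   # no rules configured for this script
    problems = []
    for name, value in params:
        rule = declared.get(name)
        if rule is None:
            problems.append(f"undeclared parameter {name!r}")
        elif not rule.match(value):
            problems.append(f"parameter {name!r} fails its validation rule")
    return problems


def match_signatures(request_line, headers, body, signatures=SIGNATURES):
    """Negative model: run every signature over every normalized request part."""
    hits = []
    parts = [("request-line", request_line)] + list(headers.items()) + [("body", body)]
    for where, raw in parts:
        text = normalize(raw)
        for name, rx in signatures:
            if rx.search(text):
                hits.append((name, where))
    return hits


def inspect_request(request_line, headers, body=""):
    """Decide like the slide's WAF: 500 on any finding, 200 otherwise, with reasons."""
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    reasons = check_parameters(url.path, params)
    reasons += [f"signature {n} matched in {w}"
                for n, w in match_signatures(request_line, headers, body)]
    return (500 if reasons else 200), reasons


if __name__ == "__main__":
    # Constructed requests: a clean one, a double-encoded one, a malformed one.
    print(inspect_request("GET /show.php?id=42&sort=asc HTTP/1.1", {"User-Agent": "demo"}))
    print(inspect_request("GET /show.php?id=1%2527%2520or%2520%25271%2527%253D%25271 HTTP/1.1", {}))
    print(inspect_request("GET /show.php?id=abc&debug=1 HTTP/1.1", {}))
```

The positive model is the stronger of the two (it needs no knowledge of attack syntax, only of what the script expects), which is why the slide recommends rules "for every parameter"; the signature model catches what has no rule yet, but only after normalization, and a bounded decode loop keeps a crafted multi-encoded value from turning the filter itself into a resource sink.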
MySQL Security
 run MySQL in SELinux/AppArmor
 deactivate networking: skip-networking
 deactivate file access: set-variable = local-infile=0
 remove all unneeded things:
   test databases
   default users, default rights
   only the needed user rights for a certain task
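The "remove all unneeded things" and "only the needed user rights" items are the part of this slide that is done in SQL rather than in my.cnf. The statements below are an added example, not from the talk; they are run as the MySQL root account, and the schema name "shop", the account names and the passwords are assumptions. (The first two steps are what mysql_secure_installation asks about interactively. For the my.cnf side, note that `set-variable =` is the pre-5.5 syntax; current servers take `local-infile=0` on its own.)

```sql
-- Added example: least privilege for a LAMP database. Schema, account and
-- host names are assumptions; replace the CHANGE-ME passwords.

-- 1. Test database and the anonymous accounts of a default install
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db   WHERE Db = 'test' OR Db = 'test\_%';
DELETE FROM mysql.user WHERE User = '';

-- 2. Default users: root is only accepted from the local machine
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. One account per task, with the minimum rights for that task.
--    The web application reads and writes its own schema and nothing else:
--    no FILE (would re-open reading server files), no GRANT OPTION, no
--    rights on the mysql schema, no DDL.
CREATE USER 'shop_web'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_web'@'localhost';

--    A nightly reporting job only needs to read two tables.
CREATE USER 'shop_report'@'localhost' IDENTIFIED BY 'CHANGE-ME-other-secret';
GRANT SELECT ON shop.orders      TO 'shop_report'@'localhost';
GRANT SELECT ON shop.order_items TO 'shop_report'@'localhost';

--    Schema changes are made by a deployment account that the
--    application server does not know.
CREATE USER 'shop_deploy'@'localhost' IDENTIFIED BY 'CHANGE-ME-deploy-secret';
GRANT ALL PRIVILEGES ON shop.* TO 'shop_deploy'@'localhost';

FLUSH PRIVILEGES;

-- 4. Check what the web account can actually do
SHOW GRANTS FOR 'shop_web'@'localhost';
```

The point of the three accounts is that an SQL injection in the shop reaches only what shop_web can reach: it cannot read mysql.user, cannot write files, and cannot alter the schema, because those rights were never granted to the account the PHP code connects with.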
PHP Security
Secure PHP configuration:
  Deactivate: allow_url_fopen, allow_url_include,
  display_errors, expose_php, file_support,
  file_uploads, force_redirect, magic_quotes_gpc,
  register_globals, use_trans_id
  Activate: memory_limit, post_max_size,
  session.save_path, upload_max_filesize,
  upload_tmp_dir
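As a php.ini fragment, the list on the slide reads as follows. This is an added example, not configuration from the talk. Three names on the slide differ from the php.ini directives: "use_trans_id" is session.use_trans_sid, "force_redirect" is cgi.force_redirect (which has to stay On when PHP runs as CGI, since it stops PHP from being called directly by URL), and "file_support" has no php.ini directive of that name, so it is left out here. Paths and limits are assumptions to be set per server.

```ini
; Added example: php.ini fragment for the slide's list. Paths and limits
; are assumptions.

; --- deactivate ---
allow_url_fopen          = Off   ; no http:// in fopen(), file_get_contents(), ...
allow_url_include        = Off   ; no remote include()/require()
display_errors           = Off   ; errors go to the log, not to the client
log_errors               = On
error_log                = /var/log/php/error.log
expose_php               = Off   ; no X-Powered-By header
file_uploads             = Off   ; re-enable per vhost (php_admin_value) where needed
magic_quotes_gpc         = Off   ; escaping is done in the application, per context
register_globals         = Off
session.use_trans_sid    = 0     ; no session id in URLs
session.use_only_cookies = 1
session.cookie_httponly  = 1

; --- activate / set explicitly ---
memory_limit        = 64M
post_max_size       = 8M
upload_max_filesize = 2M
upload_tmp_dir      = /var/lib/php/upload    ; outside the docroot, writable by the web user only
session.save_path   = /var/lib/php/sessions  ; not the shared /tmp
cgi.force_redirect  = 1                      ; CGI SAPI only; keep it on

; "forbidden functions" without Suhosin: disable_functions is global,
; not per vhost
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

Of these, allow_url_include, register_globals and display_errors are the three that most directly turn a coding mistake into remote code execution or an information leak, so they are worth verifying with phpinfo() on every vhost after a deployment, not only in the global php.ini.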
Suhosin Engine Patches
Global protection for Low-Level-Bugs in PHP
  Memory Manager Hardening (Canary/Safe-Unlink)
  Hashtable Destructor Protection
  Protection against Format String Vulnerabilities
  Realpath() Hardening
Suhosin Extension
Protection against unknown php core level bugs
forbidden methods by vhost
Protection against Remote Inclusion
Transparent Session/Cookie Encryption
Variable and Upload Filtering
(poor man's WAF)
Suhosin Logging
for intrusion detection and configuration
supports several output channels
  syslog, shell script, PHP script, file
several impact levels
  Log Message with file, line and remote IP
Simulation mode to tune suhosin
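The Suhosin Extension and Suhosin Logging slides map onto a fairly small set of ini directives. The fragment below is an added example, not configuration from the talk or from the Suhosin project; the directive names are those of the Suhosin 0.9 extension, while the paths, limits and crypt keys are assumptions (the keys must be replaced by long random values).

```ini
; Added example: Suhosin extension settings for the features on the two
; slides above. Paths, limits and keys are assumptions.

; Tuning phase: log every violation, block nothing yet. Switch to Off once
; the log stays clean for the application's normal traffic.
suhosin.simulation = On

; Logging channels. The value is a bitmask of alert classes; 511 = S_ALL
; (memory, misc, vars, files, include, sql, executor, mail, session).
; Every message carries file, line and remote IP.
suhosin.log.syslog    = 511
suhosin.log.file      = 511
suhosin.log.file.name = /var/log/suhosin.log
; further channels: suhosin.log.script / suhosin.log.phpscript with a
; .name directive pointing at the shell or PHP script that receives the alert

; Forbidden functions. Unlike disable_functions this can be set per vhost
; with php_admin_value inside the <VirtualHost> block.
suhosin.executor.func.blacklist = exec,system,passthru,shell_exec,proc_open,popen
suhosin.executor.disable_eval   = Off   ; On breaks most templating code

; Remote inclusion: URL schemes in include()/require() are refused unless
; listed here, so the whitelist stays empty.
suhosin.executor.include.whitelist =

; Transparent session and cookie encryption. With cryptua the session key
; is also bound to the user agent, so a stolen id is useless elsewhere.
suhosin.session.encrypt  = On
suhosin.session.cryptkey = CHANGE-ME-random-session-key
suhosin.session.cryptua  = On
suhosin.cookie.encrypt   = On
suhosin.cookie.cryptkey  = CHANGE-ME-random-cookie-key

; Variable and upload filtering (the "poor man's WAF")
suhosin.request.max_vars           = 200
suhosin.get.max_value_length       = 512
suhosin.post.max_vars              = 200
suhosin.post.max_value_length      = 65000
suhosin.upload.max_uploads         = 5
suhosin.upload.disallow_elf        = On
suhosin.upload.verification_script = /usr/local/sbin/check-upload.sh
```

The order matters in practice: run with suhosin.simulation = On and the syslog channel first, read the log for a week of real traffic, raise the limits that legitimate forms hit, and only then turn simulation off. Done the other way round, the first thing the filter blocks is usually the application's own largest form.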
Coding Guidelines
E_ALL/E_STRICT safe coding
no global variables, no variable scope overwriting
forbidden functions
constants are used where they can be used
Parameter Binding Database API
Libraries for CSRF protection, input validation, filtering,
escaping, database access
Input / Output Flow in PHP
Input check:
  Validation is done based on the knowledge of the
  expected content
  If the input isn't valid, it should be deleted or
  sanitized
Output Escaping:
  there are 5 escape methods for HTML, 1 for SQL, 2
  for Shell usage. No Default escape.
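The Coding Guidelines slide (parameter binding, validation and escaping libraries) and the Input / Output Flow slide describe one pipeline: validate against the expected content, bind parameters instead of building SQL strings, and escape on output by context. The script below is an added example of that pipeline, not code from the talk; the table, column, parameter and function names are assumptions, and it needs the pdo_sqlite extension for its in-memory test table.

```php
<?php
// Added example, not code from the talk: the validate -> bind -> escape
// flow from the slides as a small PHP script. Table, column, parameter and
// function names are assumptions made for the example.
declare(strict_types=1);
error_reporting(E_ALL);   // E_ALL includes E_STRICT since PHP 5.4

// --- 1. Input check: validate against what is expected, refuse the rest ---
function validateUsername(array $input, string $key): ?string
{
    $v = $input[$key] ?? null;
    if (!is_string($v) || preg_match('/^[A-Za-z0-9_]{3,32}$/D', $v) !== 1) {
        return null;                      // not "repaired", simply refused
    }
    return $v;
}

function validatePage(array $input, string $key, int $max = 1000): ?int
{
    // FILTER_VALIDATE_INT with a range rejects "17abc", "-1", "1e3" and ""
    $opts = ['options' => ['min_range' => 1, 'max_range' => $max]];
    $v = filter_var((string) ($input[$key] ?? ''), FILTER_VALIDATE_INT, $opts);
    return $v === false ? null : $v;
}

// --- 2. Database access through parameter binding ------------------------
// The value never becomes part of the SQL text, so no SQL escaping is used.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, bio FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- 3. Output escaping, chosen by output context, never by input ----------
function escHtml(string $s): string      // HTML text and attribute values
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
function escUrlParam(string $s): string  // a value inside a query string
{
    return rawurlencode($s);
}
function escShellArg(string $s): string  // one argument of a shell command
{
    return escapeshellarg($s);
}

// --- Constructed data: in-memory SQLite table and two sample "requests" ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$db->exec("INSERT INTO users (username, bio) VALUES ('alice', 'likes <b>bold</b> & \"quotes\"')");

$requests = [
    ['user' => "o'brien", 'page' => '2'],   // apostrophe: fails validation
    ['user' => 'alice',   'page' => '2'],   // passes validation
];

foreach ($requests as $get) {
    $username = validateUsername($get, 'user');
    $page     = validatePage($get, 'page');
    if ($username === null || $page === null) {
        echo "400 Bad Request: parameter outside expected content\n";
        continue;
    }
    $user = findUser($db, $username);
    if ($user === null) {
        echo "404 Not Found\n";
        continue;
    }
    // Same stored value, three output contexts, three escape functions.
    echo '<p>' . escHtml($user['bio']) . "</p>\n";
    echo '<a href="/profile?u=' . escUrlParam($user['username'])
        . '&amp;p=' . $page . "\">profile</a>\n";
    echo 'cmd: ls ' . escShellArg('/var/www/profiles/' . $user['username']) . "\n";
}
```

Two things the slides state are visible here. There is no "default escape": the bio is escaped with htmlspecialchars() for the HTML body, the username with rawurlencode() for the URL and with escapeshellarg() for the shell, and the SQL context needs no escaping at all because the value is bound. And validation is a whitelist on the expected content: "o'brien" is refused outright rather than having its apostrophe stripped or quoted, which is what the slide's "deleted or sanitized" comes down to when the expected format is known.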
PHP-IDS
It's an IDS, not an XSS filter
Better-than-nothing solution, like mod_security
there has always been an IDS evasion
no excuse to abandon proper validation, filtering and
escaping
Can be used to detect attacks and react in the
application
Questions?

             Contact me at:
  johann-peter.hartmann@sektioneins.de
Weitere ähnliche Inhalte

Mehr von Johann-Peter Hartmann

Warum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtWarum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtJohann-Peter Hartmann
 
Legacy php - Sanieren oder Ablösen?
Legacy php  - Sanieren oder Ablösen?Legacy php  - Sanieren oder Ablösen?
Legacy php - Sanieren oder Ablösen?Johann-Peter Hartmann
 
RoofTop Brains & BBQ: Ein Gästbuch für China
RoofTop Brains & BBQ: Ein Gästbuch für ChinaRoofTop Brains & BBQ: Ein Gästbuch für China
RoofTop Brains & BBQ: Ein Gästbuch für ChinaJohann-Peter Hartmann
 
Von Kutschern, Managern und Systemadministratoren
Von Kutschern, Managern und SystemadministratorenVon Kutschern, Managern und Systemadministratoren
Von Kutschern, Managern und SystemadministratorenJohann-Peter Hartmann
 
Lügen, schlimme Lügen und IT-Verträge
Lügen, schlimme Lügen und IT-VerträgeLügen, schlimme Lügen und IT-Verträge
Lügen, schlimme Lügen und IT-VerträgeJohann-Peter Hartmann
 
How not to screw the operating system of your startup
How not to screw the operating system of your startupHow not to screw the operating system of your startup
How not to screw the operating system of your startupJohann-Peter Hartmann
 
Einfangen eines technisch kaputten projektes
Einfangen eines technisch kaputten projektesEinfangen eines technisch kaputten projektes
Einfangen eines technisch kaputten projektesJohann-Peter Hartmann
 
Java script security for java developers
Java script security for java developersJava script security for java developers
Java script security for java developersJohann-Peter Hartmann
 

Mehr von Johann-Peter Hartmann (20)

Warum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommtWarum die it nicht um new work herumkommt
Warum die it nicht um new work herumkommt
 
Legacy php - Sanieren oder Ablösen?
Legacy php  - Sanieren oder Ablösen?Legacy php  - Sanieren oder Ablösen?
Legacy php - Sanieren oder Ablösen?
 
RoofTop Brains & BBQ: Ein Gästbuch für China
RoofTop Brains & BBQ: Ein Gästbuch für ChinaRoofTop Brains & BBQ: Ein Gästbuch für China
RoofTop Brains & BBQ: Ein Gästbuch für China
 
Die Architektur, die man kann
Die Architektur, die man kannDie Architektur, die man kann
Die Architektur, die man kann
 
NewWork in der Praxis
NewWork in der PraxisNewWork in der Praxis
NewWork in der Praxis
 
Von Kutschern, Managern und Systemadministratoren
Von Kutschern, Managern und SystemadministratorenVon Kutschern, Managern und Systemadministratoren
Von Kutschern, Managern und Systemadministratoren
 
Das Ende der Karriere
Das Ende der KarriereDas Ende der Karriere
Das Ende der Karriere
 
DevOps jenseits der Tools
DevOps jenseits der ToolsDevOps jenseits der Tools
DevOps jenseits der Tools
 
Reparier Deine Unternehmenskultur!
Reparier Deine Unternehmenskultur!Reparier Deine Unternehmenskultur!
Reparier Deine Unternehmenskultur!
 
Lügen, schlimme Lügen und IT-Verträge
Lügen, schlimme Lügen und IT-VerträgeLügen, schlimme Lügen und IT-Verträge
Lügen, schlimme Lügen und IT-Verträge
 
How not to screw the operating system of your startup
How not to screw the operating system of your startupHow not to screw the operating system of your startup
How not to screw the operating system of your startup
 
Einfangen eines technisch kaputten projektes
Einfangen eines technisch kaputten projektesEinfangen eines technisch kaputten projektes
Einfangen eines technisch kaputten projektes
 
Agile versus Management WJAX 2014
Agile versus Management WJAX 2014Agile versus Management WJAX 2014
Agile versus Management WJAX 2014
 
Leadership in der IT
Leadership in der ITLeadership in der IT
Leadership in der IT
 
Vom Entwickler zur Führungskraft
Vom Entwickler zur FührungskraftVom Entwickler zur Führungskraft
Vom Entwickler zur Führungskraft
 
Erfolgreiche rewrites
Erfolgreiche rewritesErfolgreiche rewrites
Erfolgreiche rewrites
 
Surviving Complexity
Surviving ComplexitySurviving Complexity
Surviving Complexity
 
Java script security for java developers
Java script security for java developersJava script security for java developers
Java script security for java developers
 
Rewrites überleben
Rewrites überlebenRewrites überleben
Rewrites überleben
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 

Secure the lamp application stack

  • 1. High Security LAMPs Dutch PHP Conference 2008
  • 2. The guy in the front Johann-Peter Hartmann
  • 3. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4
  • 4. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun
  • 5. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun
  • 6. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun Founder and CTO of Mayflower GmbH
  • 7. The guy in the front Johann-Peter Hartmann Fulltime PHP Developer since 3.0.4 likes PHP because people are nice and PHP is fun likes Security because Security is fun Founder and CTO of Mayflower GmbH CEO of SektionEins GmbH, founded with Stefan Esser
  • 9. Agenda Where Security happens Distributed Denial of Service Attacks
  • 10. Agenda Where Security happens Distributed Denial of Service Attacks Server Hardening
  • 11. Agenda Where Security happens Distributed Denial of Service Attacks Server Hardening Apache Hardening
  • 12. Agenda Where Security happens Distributed Denial of Service Attacks Server Hardening Apache Hardening MySQL Hardening
  • 13. Agenda Where Security happens Distributed Denial of Service Attacks Server Hardening Apache Hardening MySQL Hardening PHP Hardening
  • 14. Agenda Where Security happens Distributed Denial of Service Attacks Server Hardening Apache Hardening MySQL Hardening PHP Hardening Application Hardening
  • 15. PHP Security - where are we right now?
  • 16. PHP Security - where are we right now?
  • 17. Know your enemy Profit Fun Source: Breach 2007
  • 18. Know your enemy 67 % Profit Fun Source: Breach 2007
  • 19. Know your enemy 33 % 67 % Profit Fun Source: Breach 2007
  • 20. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing Information Warfare Source: Breach 2007
  • 21. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information Warfare Source: Breach 2007
  • 22. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information Warfare 23 % Source: Breach 2007
  • 23. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 24. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 25. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 26. Why they attack You Informationsdiebstahl Defacement Malware Unknown Fraud 3 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 27. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 28. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 29. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 30. Why they attack You Informationsdiebstahl Defacement Malware 3 % Unknown Fraud 3 % 1 % 1 % Blackmail 3 % Link Spam Worms 8 % Phishing 42 % Information Warfare 15 % 23 % Source: Breach 2007
  • 31. How they attack You SQL Injection Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRF Source: NSI 2006
  • 32. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRF Source: NSI 2006
  • 33. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout CSRF Source: NSI 2006
  • 34. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 35. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 36. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 37. How they attack You SQL Injection 20 % Information Disclosure Known Exploits XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 38. How they attack You SQL Injection 20 % Information Disclosure Known Exploits 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 39. How they attack You SQL Injection 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 40. How they attack You SQL Injection 3 % 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 41. How they attack You 3 % SQL Injection 3 % 20 % Information Disclosure Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 42. How they attack You 3 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 43. How they attack You 2 % 3 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 44. How they attack You 2 % 3 % 2 % SQL Injection 2 % 20 % Information Disclosure 3 % Known Exploits 3 % 3 % XSS Missing Authentication 8 % Guessing of Logins/Sessions OS Code Execution 17 % Wrong configurations 10 % Missing Anti-Automation Denial Of Service Redirect 12 % Wrong Session-Timeout 15 % CSRF Source: NSI 2006
  • 45. A simple view on our favourite platforms stack PHP-Application Apache MySQL PHP Linux Network
  • 46. Network Attacks: DDoS Distributed Denial of Service Attacken Network
  • 47. Network Attacks: DDoS Distributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) Network
  • 48. Network Attacks: DDoS Distributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http Network
  • 49. Network Attacks: DDoS Distributed Denial of Service Attacken from hundreds to millions of compromised computers (BotNet) sending out udp, icmp, tcp packet love, reflected DNS, smart attacks with http up to 25Network GB/s
  • 50. Distributed Denial of Service It‘s a business model Network
  • 51. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Network
  • 52. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) Network
  • 53. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) criminal activities (Anti-419, Anti-Dialer-Sites) Network
  • 54. Distributed Denial of Service It‘s a business model Blackmail (in-ist-drin.de 7/2007, many more) Political Reasons (Estland 5/2007, more than 1.000.000 computer in the botnet) criminal activities (Anti-419, Anti-Dialer-Sites) actually it was developped by and for script kiddies in Network IRC
  • 55. How to protect against DDos You can‘t protect yourself Network
  • 56. How to protect against DDos You can‘t protect yourself Your firewall won‘t help you if your uplink is smaller than 25 G/s Network
  • 57. How to protect against DDos You can‘t protect yourself Your firewall won‘t help you if your uplink is smaller than 25 G/s Your Provider can, ask for „DDos Managed Security Services“ Network
  • 58. How to protect against DDos You can‘t protect yourself Your firewall won‘t help you if your uplink is smaller than 25 G/s Your Provider can, ask for „DDos Managed Security Services“ 2 solutions: blackhole your traffic, or use cleaning Network routers
  • 59. How to protect against DDos You can‘t protect yourself Your firewall won‘t help you if your uplink is smaller than 25 G/s Your Provider can, ask for „DDos Managed Security Services“ 2 solutions: blackhole your traffic, or use cleaning Network routers you won‘t blackhole your christmas business, and cisco ddos cleaning infrastructure is expensive
  • 60. Safety for your local network You got a firewall and a DMZ Network
  • 61. Safety for your local network You got a firewall and a DMZ Attack surface reduction - disable what is not needed Network
  • 62. Safety for your local network You got a firewall and a DMZ Attack surface reduction - disable what is not needed FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP Network
  • 63. Safety for your local network You got a firewall and a DMZ Attack surface reduction - disable what is not needed FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP for non-public services you actually need Network
  • 64. Safety for your local network You got a firewall and a DMZ Attack surface reduction - disable what is not needed FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP for non-public services you actually need packet filtering, an own management ip Network
  • 65. Safety for your local network You got a firewall and a DMZ Attack surface reduction - disable what is not needed FTP, SSH, SUN-RPC, DNS, SMTP, IMAP, POP for non-public services you actually need packet filtering, an own management ip Network better: use a vpn
  • 66. How to secure Linux Deactivate what you don‘t need Linux
  • 67. How to secure Linux Deactivate what you don‘t need Uninstall what you don‘t need Linux
  • 68. How to secure Linux Deactivate what you don‘t need Uninstall what you don‘t need Harden your kernel Linux
  • 69. How to secure Linux Deactivate what you don‘t need Uninstall what you don‘t need Harden your kernel Linux deactivate unneeded kernel features
  • 70. How to secure Linux Deactivate what you don‘t need Uninstall what you don‘t need Harden your kernel Linux deactivate unneeded kernel features deactivate loadable kernel modules
  • 71. How to secure Linux Deactivate what you don‘t need Uninstall what you don‘t need Harden your kernel Linux deactivate unneeded kernel features deactivate loadable kernel modules Mandantory Access Control like SELinux or AppArmor
  • 74. SELinux Security Enhanced Linux developped by the NSA pretty secure from a technical point of view Linux
  • 75. SELinux Security Enhanced Linux developped by the NSA pretty secure from a technical point of view Linux part of the mainline kernel 2.6 and Redhat/Fedora
  • 76. SELinux Security Enhanced Linux developped by the NSA pretty secure from a technical point of view Linux part of the mainline kernel 2.6 and Redhat/Fedora more than 700 different permission types
  • 77. AppArmor - what it is Originally „SubDomain“ developped by Immunix Linux
  • 78. AppArmor - what it is Originally „SubDomain“ developped by Immunix ... bought by Novell Linux
  • 79. AppArmor - what it is Originally „SubDomain“ developped by Immunix ... bought by Novell Default part of Novell/SuSE Linux Linux
  • 80. AppArmor - what it is Originally „SubDomain“ developped by Immunix ... bought by Novell Default part of Novell/SuSE Linux Open Source, can easily be used within other linux Linux distributions
  • 81. AppArmor - what it is Originally „SubDomain“ developped by Immunix ... bought by Novell Default part of Novell/SuSE Linux Open Source, can easily be used within other linux Linux distributions SELinux for idiots
  • 82. AppArmor - what it is Originally „SubDomain“ developped by Immunix ... bought by Novell Default part of Novell/SuSE Linux Open Source, can easily be used within other linux Linux distributions SELinux for idiots We use it
  • 83. AppArmor - what it does simplified interface to Mandantory Access Control Linux
  • 84. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities Linux
  • 85. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities based on filenames Linux
  • 86. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities based on filenames rather simple Workflow Linux
  • 87. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities based on filenames rather simple Workflow Linux you profile your softwares permissions while using it
  • 88. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities based on filenames rather simple Workflow Linux you profile your softwares permissions while using it the profile defines the permissions needed (needs some rework, though)
  • 89. AppArmor - what it does simplified interface to Mandantory Access Control based on file permissions and POSIX capabilities based on filenames rather simple Workflow Linux you profile your softwares permissions while using it the profile defines the permissions needed (needs some rework, though)
  • 90. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Linux
  • 91. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it Linux
  • 92. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it SELinux: Linux
  • 93. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it SELinux: docroot label is /var/www/html is http_sys_content_t Linux -> allow writing for the whole /var/www/html
  • 94. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it SELinux: docroot label is /var/www/html is http_sys_content_t Linux -> allow writing for the whole /var/www/html AppArmor:
  • 95. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it SELinux: docroot label is /var/www/html is http_sys_content_t Linux -> allow writing for the whole /var/www/html AppArmor: /var/www/html/config.inc.php w
  • 96. Why AppArmor works for idiots upload.php should be able to write to „/images/“ Default is always deny, so you need to enable it SELinux: docroot label is /var/www/html is http_sys_content_t Linux -> allow writing for the whole /var/www/html AppArmor: /var/www/html/config.inc.php w
  • 97. Hardening Apache Disable every module you don‘t need. Apache
  • 98. Hardening Apache Disable every module you don‘t need. mod_parmguard Apache set validation rules for every parameter
  • 99. Hardening Apache Disable every module you don‘t need. mod_parmguard Apache set validation rules for every parameter mod_security
  • 100. Hardening Apache Disable every module you don‘t need. mod_parmguard Apache set validation rules for every parameter mod_security a free, small web application firewall
  • 101. Hardening Apache Disable every module you don‘t need. mod_parmguard Apache set validation rules for every parameter mod_security a free, small web application firewall filters by regular expressions for every part of the request
  • 102. Hardening Apache Disable every module you don‘t need. mod_parmguard Apache set validation rules for every parameter mod_security a free, small web application firewall filters by regular expressions for every part of the request default rulesets (gotroot)
  • 104. mod_security bought by Breach Security, dual-licensed Apache
  • 105. mod_security bought by Breach Security, dual-licensed filtering the low hanging fruits Apache
  • 106. mod_security bought by Breach Security, dual-licensed filtering the low hanging fruits Apache Code Executions, Inclusions, SQL-Injections, XSS
  • 107. mod_security bought by Breach Security, dual-licensed filtering the low hanging fruits Apache Code Executions, Inclusions, SQL-Injections, XSS if a security issue is found, an error message (usually an error 500) is returned to the user
  • 108. mod_security bought by Breach Security, dual-licensed filtering the low hanging fruits Apache Code Executions, Inclusions, SQL-Injections, XSS if a security issue is found, an error message (usually an error 500) is returned to the user mod_security 2.0 is stateful and implements session support
  • 109. Web Application Firewalls granular security rules custom tailored for your application
  • 110. Web Application Firewalls granular security rules custom tailored for your application bridge, router, reverse proxy or embedded in your webserver, appliance or software
  • 111. Web Application Firewalls granular security rules custom tailored for your application bridge, router, reverse proxy or embedded in your webserver, appliance or software brute force mitigation, cookie encryption, url mapping
  • 112. Web Application Firewalls granular security rules custom tailored for your application bridge, router, reverse proxy or embedded in your webserver, appliance or software brute force mitigation, cookie encryption, url mapping can learn the default behavior of your application
  • 113. Web Application Firewalls granular security rules custom tailored for your application bridge, router, reverse proxy or embedded in your webserver, appliance or software brute force mitigation, cookie encryption, url mapping can learn the default behavior of your application http parameters are normalized
  • 114-122. MySQL Security
    - run MySQL in SELinux/AppArmor
    - deactivate networking: skip-networking
    - deactivate file access: set-variable = local-infile=0
    - remove all unneeded things: test databases, default users, default rights
    - only the needed user rights for a certain task
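A read-only audit of a server against the MySQL points above, as an added example that is not part of the slides; it assumes a mysqli connection with SELECT on mysql.user, and the connection parameters are placeholders.

```php
<?php
// Added example, not from the slides: check a MySQL server against the
// hardening points above. Connection parameters are placeholders; the
// account needs SELECT on mysql.user.
declare(strict_types=1);

function mysqlHardeningFindings(mysqli $db): array
{
    $findings = [];

    // skip-networking on, local-infile off (the two my.cnf settings above).
    $vars = $db->query('SELECT @@skip_networking AS net, @@local_infile AS infile')
               ->fetch_assoc();
    if ((string) $vars['net'] !== '1') {
        $findings[] = 'networking is enabled (skip-networking not set)';
    }
    if ((string) $vars['infile'] !== '0') {
        $findings[] = 'LOAD DATA LOCAL INFILE is enabled (local-infile=0 not set)';
    }

    // Leftover test databases.
    foreach ($db->query("SHOW DATABASES LIKE 'test%'") as $row) {
        $findings[] = 'test database present: ' . reset($row);
    }

    // Default/anonymous accounts and accounts holding global privileges that
    // a web application user never needs (only the rights for the task).
    $sql = 'SELECT User AS user, Host AS host, Super_priv AS super_priv,
                   File_priv AS file_priv, Grant_priv AS grant_priv
              FROM mysql.user';
    foreach ($db->query($sql) as $u) {
        $acct = "'{$u['user']}'@'{$u['host']}'";
        if ($u['user'] === '') {
            $findings[] = "anonymous account $acct";
        } elseif ($u['user'] === 'root' && $u['host'] === '%') {
            $findings[] = 'root account reachable from any host';
        }
        foreach (['super_priv', 'file_priv', 'grant_priv'] as $priv) {
            if ($u[$priv] === 'Y' && $u['user'] !== 'root') {
                $findings[] = "$acct holds global $priv";
            }
        }
    }
    return $findings;
}

$db = new mysqli('localhost', 'root', 'ROOT_PASSWORD_PLACEHOLDER'); // placeholder
foreach (mysqlHardeningFindings($db) as $finding) {
    echo "[!] $finding\n";
}
```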
  • 123-126. PHP Security
    - Secure PHP configuration:
      - Deactivate: allow_url_fopen, allow_url_include, display_errors, expose_php, file_support, file_uploads, force_redirect, magic_quotes_gpc, register_globals, use_trans_id
      - Activate: memory_limit, post_max_size, session.save_path, upload_max_filesize, upload_tmp_dir
  • 127-131. Suhosin Engine Patches
    - Global protection for low-level bugs in PHP
    - Memory Manager Hardening (Canary/Safe-Unlink)
    - Hashtable Destructor Protection
    - Protection against Format String Vulnerabilities
    - realpath() Hardening
  • 132-136. Suhosin Extension
    - Protection against unknown PHP core level bugs
    - forbidden methods by vhost
    - Protection against Remote Inclusion
    - Transparent Session/Cookie Encryption
    - Variable and Upload Filtering (poor man's WAF)
  • 137-142. Suhosin Logging
    - for intrusion detection and configuration
    - supports several output channels: syslog, shell script, PHP script, file
    - several impact levels
    - Log message with file, line and remote IP
    - Simulation mode to tune Suhosin
  • 144-148. Coding Guidelines
    - E_ALL/E_STRICT safe coding
    - no global variables, no variable scope overwriting
    - forbidden functions
    - constants are used where they can be used
    - Parameter binding database API
    - Libraries for CSRF protection, input validation, filtering, escaping, database access
  • 149-153. Input / Output Flow in PHP
    - Input check:
      - Validation is done based on the knowledge of the expected content
      - If the input isn't valid, it should be deleted or sanitized
    - Output Escaping:
      - there are 5 escape methods for HTML, 1 for SQL, 2 for Shell usage. No default escape.
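The input-check / output-escape flow above, together with the parameter binding from the coding guidelines, as an added example that is not part of the slides; the helper names are hypothetical and the request values are constructed.

```php
<?php
// Added example, not from the slides: the input-check / output-escape flow
// above plus parameter binding for SQL. Helper names are hypothetical.
declare(strict_types=1);

// Input check: validate against the content we expect; reject anything else
// rather than trying to "clean" it into shape.
function validateUserId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateDisplayName($raw): ?string
{
    // Letters, digits, space and a few punctuation marks; 1 to 40 characters.
    return is_string($raw) && preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $raw) === 1
        ? $raw : null;
}

// Output escaping: one function per target context, chosen at the output
// site. None of these is a default for the others.
function escHtmlText(string $s): string      // between tags or in a quoted attribute
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function escUrlParam(string $s): string      // value inside a query string
{
    return rawurlencode($s);
}
function escJsString(string $s): string      // inside a <script> string literal
{
    $j = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $j === false ? '""' : $j;
}
function escShellArg(string $s): string      // a single argv element
{
    return escapeshellarg($s);
}

// SQL: no escaping at all; the value travels separately from the statement.
function findUserName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed request values standing in for $_GET; invalid ones become null.
$id = validateUserId('42');
$rejected = validateUserId('42 OR 1=1');
$name = validateDisplayName("O'Brien <script>");
echo escHtmlText("<b>O'Brien</b>"), "\n";
```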
  • 154-158. PHP-IDS
    - It's an IDS, not an XSS filter
    - Better-than-nothing solution, like mod_security
    - there has always been an IDS evasion
    - no excuse to abandon proper validation, filtering and escaping
    - Can be used to detect attacks and react in the application
  • 160. Questions? Contact me at: johann-peter.hartmann@sektioneins.de

Editorial note

  1. PHP is used in a lot of environments where security is a good idea, like banks, credit data, porn sites etc. Who is working with personal data? Who is working with credit card data? Medical information? Information with personal sexual information (like a dating site)?
  8-14. Sorry, I can't go into depth.
  16-17. So the attacker is by no means the amateur at home any more, but a service provider in a functioning market. "For 40,000 euros you can get the data of any company."
  18-27. The main motivation is information theft, i.e. the theft of sensitive data. For this reason this topic is also treated explicitly.
  41. Nowadays you could start with the layer above, too - but don't ask me, ask the Ajax in Action guys about that.
  46-50. There is a big dark area when it comes to blackmail. Happens usually on Christmas.
  56-61. services: sun-rpc, ftp, ssh, etc.