Servers: Configure, Harden, and Manage

Transcript

1. Servers: Configure, Harden & Manage Adam Englander Ijeoma Ezeonyebuchi Eric

   Mann

2. Hello. Adam Englander Architect, iovation Ijeoma Ezeonyebuchi Mobile Quality Assurance

   Engineer, NPR Eric Mann Director of Engineering, Vacasa

3. Today’s Session Why care about server hardening? Locking down PHP

   Hardening the app server Protecting the database Preventing server abuse Routine maintenance

4. Why Server Hardening? CommitStrip: Stack Overflow Patchwork

5. Why Server Hardening Ship or die: We ship MVPs loaded

   with technical debt Components fail: Dependencies might leak vulnerabilities Adversaries learn: You’re always under attack if your system’s online

6. PHP: Prohibited Functionality [PHP] ;;;;;;;;;;;;;;;;;;; ; About php.ini ; ;;;;;;;;;;;;;;;;;;;

   ; PHP's initialization file, generally called php.ini, is responsible for ; configuring many of the aspects of PHP's behavior. ; PHP attempts to find and load this configuration from a number of locations. ; The following is a summary of its search order: ; 1. SAPI module specific location. ; 2. The PHPRC environment variable. (As of PHP 5.2.0) ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) ; 4. Current working directory (except CLI)

7. PHP: Prohibited Functionality ; open_basedir, if set, limits all file

   operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

8. PHP: Prohibited Functionality ; open_basedir, if set, limits all file

   operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes =

9. PHP: Prohibited Functionality ; open_basedir, if set, limits all file

   operations to the defined directory ; and below. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = splfileobject

10. PHP: System Configuration ; open_basedir, if set, limits all file

    operations to the defined directory ; and below. ; http://php.net/open-basedir open_basedir = /var/www ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = eval,shell_exec,exec,create_function,popen,system ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = splfileobject

11. PHP: System Configuration ; Maximum allowed size for uploaded files.

    ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-include allow_url_include = Off

12. PHP: System Configuration ; Maximum allowed size for uploaded files.

    ; http://php.net/upload-max-filesize upload_max_filesize = 2M ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-fopen allow_url_fopen = On ; Whether to allow include/require to open URLs (like http:// or ftp://) as files. ; http://php.net/allow-url-include allow_url_include = Off

13. PHP: System Configuration - Other Settings Set expose_php to “off”

    to prevent advertising your system versions Set display_errors to “off” in production to avoid leaking information Set log_errors to 1 and set error_log to a system path Keep PHP up to date!

14. Apache/Nginx: Protect the App Server Disable server tokens: server_tokens off

    (Nginx) ServerTokens Prod (Apache) Define the server hostname: server_name (Nginx) ServerName (Apache)

15. Apache/Nginx: Protect the App Server Disable directory traversal: autoindex off

    (Nginx) Options -Indexes (Apache) Use an SSL certificate - LetsEncrypt provides them for free! Return proper, documented error codes

16. MySQL: Conservative Configuration Use a cloud-hosted database provider rather than

    running locally If running locally, set bind_address=127.0.0.1 to block remote connections Scope database user authorization to the specific host (127.0.0.1) Scope database user privileges to the database or table they need

17. Blocking the Barbarian Hordes: ufw ufw is the default firewall

    in Ubuntu It’s a high-level abstraction atop iptables that makes firewalls easier to manage sudo enable ufw Ensure only HTTP(S) ports and SSH are open Ensure only you have access to SSH

18. Blocking the Barbarian Hordes: fail2ban fail2ban scans log files for

    failed authentication attempts and blocks access from potentially malicious IP addresses Can work with ufw to block attacks directly in the firewall Additional filters can block traffic based on attacks against: - Nginx - MySQL - Other system applications

19. Routine Maintenance Keep system packages up to date sudo apt-get

    install unattended-upgrades apt-listchanges Ensure your application and system tools log everything Leverage systems like: - Sentry - log and alert on unhandled application errors - Intrusion detection systems - flag unexpected user/system behavior

20. Questions?

21. Thank you! Please rate our talk: https://joind.in/talk/ba68b