Servers: Configure, Harden, and Manage

Full-stack development requires a full understanding of all elements of your stack – not just backend and frontend software, but the server and lower-level tools upon which your application is built. The most secure coding in the world won’t protect against a misconfigured or vulnerable server. Together we’ll walk through all elements of the stack, from the application itself through the utilities it interacts with to the server upon which everything runs – all from the perspective of security and keeping your customers and their data secure.

Eric Mann

May 21, 2019

Transcript

  1. Servers: Configure,
    Harden & Manage
    Adam Englander Ijeoma Ezeonyebuchi Eric Mann

  2. Hello.
    Adam Englander
    Architect, iovation
    Ijeoma Ezeonyebuchi
    Mobile Quality Assurance
    Engineer, NPR
    Eric Mann
    Director of Engineering,
    Vacasa

  3. Today’s Session
    Why care about server hardening?
    Locking down PHP
    Hardening the app server
    Protecting the database
    Preventing server abuse
    Routine maintenance

  4. Why Server Hardening?
    CommitStrip: Stack Overflow Patchwork

  5. Why Server Hardening
    Ship or die: We ship MVPs loaded with technical debt
    Components fail: Dependencies might leak vulnerabilities
    Adversaries learn: You’re always under attack if your system’s online

  6. PHP: Prohibited Functionality
    [PHP]
    ;;;;;;;;;;;;;;;;;;;
    ; About php.ini ;
    ;;;;;;;;;;;;;;;;;;;
    ; PHP's initialization file, generally called php.ini, is responsible for
    ; configuring many of the aspects of PHP's behavior.
    ; PHP attempts to find and load this configuration from a number of locations.
    ; The following is a summary of its search order:
    ; 1. SAPI module specific location.
    ; 2. The PHPRC environment variable. (As of PHP 5.2.0)
    ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
    ; 4. Current working directory (except CLI)

  7. PHP: Prohibited Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions =
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes =

  8. PHP: Prohibited Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions = eval,shell_exec,exec,create_function,popen,system
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes =

  9. PHP: Prohibited Functionality
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    ;open_basedir =
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions = eval,shell_exec,exec,create_function,popen,system
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes = splfileobject

  10. PHP: System Configuration
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.
    ; http://php.net/open-basedir
    open_basedir = /var/www
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names.
    ; http://php.net/disable-functions
    disable_functions = eval,shell_exec,exec,create_function,popen,system
    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names.
    ; http://php.net/disable-classes
    disable_classes = splfileobject

  11. PHP: System Configuration
    ; Maximum allowed size for uploaded files.
    ; http://php.net/upload-max-filesize
    upload_max_filesize = 2M
    ; Maximum number of files that can be uploaded via a single request
    max_file_uploads = 20
    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    ; http://php.net/allow-url-fopen
    allow_url_fopen = On
    ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
    ; http://php.net/allow-url-include
    allow_url_include = Off

  13. PHP: System Configuration - Other Settings
    Set expose_php to “off” to prevent advertising your system versions
    Set display_errors to “off” in production to avoid leaking information
    Set log_errors to 1 and set error_log to a system path
    Keep PHP up to date!
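As an added example (not code from the deck), a POSIX shell audit that reads a php.ini and flags every directive that departs from the settings slides 6 through 13 recommend; the two sample php.ini files it builds are constructed for the run.

```shell
#!/bin/sh
# Added example, not from the deck: audit a php.ini against the values the slides set.
# Effective value of a directive: the last uncommented "key = value" wins, as in PHP
# itself. Prints nothing when the directive is absent or commented out.
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }
        { line = $0; sub(/;.*/, "", line); n = index(line, "=")
          if (n == 0) next
          k = substr(line, 1, n - 1); v = substr(line, n + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
          gsub(/^"|"$/, "", v)
          if (tolower(k) == tolower(key)) val = v }
        END { print val }' "$1"
}
# PHP accepts several spellings for boolean ini values; an unset value is neither.
is_off() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in off|0|false|no|none) return 0;; *) return 1;; esac; }
is_on()  { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in on|1|true|yes) return 0;; *) return 1;; esac; }
# Print one finding per line; return 1 if anything deviates from the hardened baseline.
audit_php_ini() {
    ini="$1"; rc=0
    is_off "$(ini_get "$ini" expose_php)"        || { echo "expose_php: set Off to stop advertising the PHP version"; rc=1; }
    is_off "$(ini_get "$ini" display_errors)"    || { echo "display_errors: set Off in production"; rc=1; }
    is_on  "$(ini_get "$ini" log_errors)"        || { echo "log_errors: set to 1"; rc=1; }
    [ -n "$(ini_get "$ini" error_log)" ]         || { echo "error_log: point at a system path"; rc=1; }
    is_off "$(ini_get "$ini" allow_url_include)" || { echo "allow_url_include: set Off"; rc=1; }
    [ -n "$(ini_get "$ini" open_basedir)" ]      || { echo "open_basedir: unset, so file operations are unrestricted"; rc=1; }
    disabled=",$(ini_get "$ini" disable_functions | tr -d ' '),"
    for f in shell_exec exec create_function popen system; do
        case "$disabled" in *",$f,"*) ;; *) echo "disable_functions: missing $f"; rc=1 ;; esac
    done
    return $rc
}
# Constructed sample php.ini files so the audit runs stand-alone ("weak" or "hardened").
make_sample_ini() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        printf '%s\n' '[PHP]' 'expose_php = Off' 'display_errors = Off' 'log_errors = 1' \
            'error_log = /var/log/php_errors.log' 'allow_url_include = Off' 'open_basedir = /var/www' \
            'disable_functions = eval,shell_exec,exec,create_function,popen,system' > "$f"
    else
        printf '%s\n' '[PHP]' 'expose_php = On' 'display_errors = On ; dev leftover' \
            ';open_basedir =' 'disable_functions = eval,exec' 'allow_url_include = Off' > "$f"
    fi
    echo "$f"
}
audit_php_ini "$(make_sample_ini weak)" || echo "weak php.ini: see findings above"
```

Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect; the audit therefore checks only the five real function names from the slide.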

  14. Apache/Nginx: Protect the App Server
    Disable server tokens:
    server_tokens off (Nginx)
    ServerTokens Prod (Apache)
    Define the server hostname:
    server_name (Nginx)
    ServerName (Apache)

  15. Apache/Nginx: Protect the App Server
    Disable directory listings:
    autoindex off (Nginx)
    Options -Indexes (Apache)
    Use an SSL/TLS certificate - Let's Encrypt provides them for free!
    Return proper, documented error codes

  16. MySQL: Conservative Configuration
    Use a cloud-hosted database provider rather than running locally
    If running locally, set bind_address=127.0.0.1 to block remote connections
    Scope database user authorization to the specific host (127.0.0.1)
    Scope database user privileges to the database or table they need

  17. Blocking the Barbarian Hordes: ufw
    ufw is the default firewall in Ubuntu
    It’s a high-level abstraction atop iptables that makes firewalls easier to manage
    sudo ufw enable
    Ensure only HTTP(S) ports and SSH are open
    Ensure only you have access to SSH

  18. Blocking the Barbarian Hordes: fail2ban
    fail2ban scans log files for failed authentication attempts and blocks access from potentially malicious IP addresses
    Can work with ufw to block attacks directly in the firewall
    Additional filters can block traffic based on attacks against:
    - Nginx
    - MySQL
    - Other system applications
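To make concrete what fail2ban does with a log, here is an added example (neither fail2ban's code nor the deck's): an awk/sh reduction of its sshd failure counting, run over a constructed auth.log excerpt, which then prints the ufw rule a ban would install.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: the core of what fail2ban's sshd filter does,
# reduced to awk. It counts failed logins per source address in an auth log, lists the
# sources that reached MAXRETRY, and prints the ufw rule that would block each one.
# Simplifications: no findtime window (the whole file is one window) and no unban timer.

# Print "ip count" for every source with at least $2 failed sshd logins in log file $1.
failed_auth_offenders() {
    awk -v max="$2" '
        / sshd\[[0-9]+\]: (Failed password|Invalid user) / {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }' "$1" | sort
}

# A ufw deny rule for a banned source, in the shape fail2ban's ufw action installs
# (simplified here; the real action has configurable position, block type and app).
# Printed rather than executed so the example is safe to run anywhere.
ufw_ban_rule() { echo "ufw insert 1 deny from $1 to any"; }

# Constructed auth.log excerpt; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
May 21 10:01:02 web1 sshd[2141]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 21 10:01:05 web1 sshd[2141]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 21 10:01:09 web1 sshd[2143]: Invalid user admin from 203.0.113.7 port 51030
May 21 10:01:11 web1 sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
May 21 10:02:40 web1 sshd[2150]: Failed password for deploy from 198.51.100.9 port 40110 ssh2
May 21 10:02:55 web1 sshd[2151]: Accepted publickey for deploy from 198.51.100.9 port 40112 ssh2
May 21 10:03:10 web1 sshd[2160]: Invalid user test from 203.0.113.8 port 33990
May 21 10:03:12 web1 sshd[2160]: Failed password for invalid user test from 203.0.113.8 port 33990 ssh2
May 21 10:03:20 web1 sshd[2161]: Failed password for invalid user test from 203.0.113.8 port 33992 ssh2
EOF
    echo "$f"
}

# Stand-alone run with a threshold of 3 failures (fail2ban's maxretry).
failed_auth_offenders "$(make_sample_log)" 3 | while read -r ip n; do
    echo "# $ip: $n failed logins"; ufw_ban_rule "$ip"
done
```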

  19. Routine Maintenance
    Keep system packages up to date
    sudo apt-get install unattended-upgrades apt-listchanges
    Ensure your application and system tools log everything
    Leverage systems like:
    - Sentry - log and alert on unhandled application errors
    - Intrusion detection systems - flag unexpected user/system behavior

  20. Questions?

  21. Thank you!
    Please rate our talk:
    https://joind.in/talk/ba68b