
Betatech - Security for Dummies

mestachs
February 11, 2014

11 February 2014 @ Beta Tech
To get access to the links easily, download the pdf.

http://www.meetup.com/betatech-brussels/


Transcript

  1. Disclaim me

    I’m not a security expert, hacker, pen tester… just a dev doing some ops. Prior to working on internet-hosted servers, security was a low-priority task for me, spread/diluted across multiple teams with their own priorities, but now times have changed.
  2. How many days per year do you work on security-related tasks? How many upgrades?
  3. Before, just remember that

    “… there are only 2 types of company: those that have been hacked and those that will …” - Director Robert Mueller, FBI, RSA Cyber Security Conference, March 2012
  4. First recognize you have a problem

    > nmap -sV sensible.host.be
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-23 07:48 CET
    Nmap scan report for ...
    Not shown: 983 closed ports
    PORT      STATE    SERVICE      VERSION
    21/tcp    open     ftp          ProFTPD 1.3.3a
    25/tcp    open     smtp         Postfix smtpd
  5. (scan output, continued)

    53/tcp    open     domain       ISC BIND 9.7.3
    80/tcp    open     http         Apache httpd
    110/tcp   open     pop3         Dovecot pop3d
    143/tcp   open     imap         Dovecot imapd
    443/tcp   open     http         Apache httpd
    445/tcp   filtered microsoft-ds
    587/tcp   open     smtp         Postfix smtpd
    666/tcp   open     ssh          OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
  6. (scan output, continued)

    993/tcp   open     ssl/imap     Dovecot imapd
    995/tcp   open     ssl/pop3     Dovecot pop3d
    3306/tcp  open     mysql        MySQL 5.5.28-1~dotdeb.0-log
    8011/tcp  open     unknown
    8080/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
    10000/tcp open     http         MiniServ 1.631 (Webmin httpd)
    20000/tcp open     http         MiniServ 1.550 (Webmin httpd)
    Service Info: Host: ....  OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
  7. At first glance a lot of ports open on the net → a lot of opportunities for attackers

    - apache tomcat not “hidden” behind the apache proxy or a firewall
    - mysql/ftp/webmin all open
    - webmin installed at 2 different ports/versions
    - no firewall installed (instant nmap)
    - db accessible from any host
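An added example (mine, not from the deck) that turns the slide-7 eyeballing into a repeatable check: it parses the `nmap -sV` output above and flags every open port that is not in the small set the slide-13 target architecture keeps reachable, plus every banner that advertises a version. The allowlist is an assumption; the scan lines are taken from the deck's own output, trimmed.

```python
import re

# Sample input: lines from the deck's own `nmap -sV` output (trimmed).
SAMPLE_SCAN = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-23 07:48 CET
Nmap scan report for sensible.host.be
Not shown: 983 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          ProFTPD 1.3.3a
80/tcp    open     http         Apache httpd
443/tcp   open     http         Apache httpd
445/tcp   filtered microsoft-ds
666/tcp   open     ssh          OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
3306/tcp  open     mysql        MySQL 5.5.28-1~dotdeb.0-log
8080/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open     http         MiniServ 1.631 (Webmin httpd)
20000/tcp open     http         MiniServ 1.550 (Webmin httpd)
"""

# Assumption: only the web server and ssh/sftp (666 on this box) face the net,
# as in the slide-13 target architecture; everything else belongs behind the firewall.
ALLOWED_PORTS = {80, 443, 22, 666}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HAS_VERSION = re.compile(r"\d+\.\d+")


def parse_nmap(text):
    """Return (port, proto, state, service, version) tuples from nmap -sV text."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version or ""))
    return rows


def find_exposures(rows, allowed=ALLOWED_PORTS):
    """Flag open ports outside the allowlist, and banners that advertise a version."""
    findings = []
    for port, proto, state, service, version in rows:
        if state != "open":          # filtered/closed ports are not reachable anyway
            continue
        if port not in allowed:
            findings.append(f"{port}/{proto} {service}: should not be reachable from the internet")
        if HAS_VERSION.search(version):
            findings.append(f"{port}/{proto} {service}: banner advertises '{version}'")
    return findings
```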
  8. Announcement helps the bad guys

    > ftp ftp://username:password@sensible.host.be
    Connected to sensible.host.be.
    220 ProFTPD 1.3.3a Server (Debian)

    • ftp is insecure by nature, use sftp
    • exploitable: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ftp/proftp_telnet_iac.rb
  9. Announcement (2)

    > curl --head http://sensible.host.be
    * About to connect() to sensible.host.be port 80 (#0)
    * Connected to sensible.host.be (xx.yy.zz.ww) port 80 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: sensible.host.be
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Mon, 23 Dec 2013 07:26:04 GMT
    < Server: Apache
    < X-Powered-By: PHP/5.3.18-1~dotdeb.0
    < Expires: Sun, 19 Nov 1978 05:00:00 GMT
    < Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
  10. Don’t allow administration consoles

    > http://sensible.host.be:8080/
    Apache Tomcat/7.0.27

    • hide it behind the firewall, listen only on 127.0.0.1:8080, configure apache to be a reverse proxy for the non-admin application
    • use ssh port forwarding to access it more safely
    • from the http header, wondering if it’s actually necessary to expose it
  11. Apache Hardening 101

    Header always unset "X-Powered-By"
    Header always unset "X-Runtime"
    ServerTokens Prod
    ServerSignature Off
    TraceEnable off
    Header set X-Frame-Options "SAMEORIGIN"

    + http://www.modsecurity.org/
    + cookies
    + strict transport policy (Strict-Transport-Security)
    + content security policy (Content-Security-Policy)
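An added example (mine, not from the deck) that checks a raw `curl --head` response against the slide-11 checklist, so the leak shown on slide 9 becomes a finding instead of something you have to notice by eye. The leaky sample reuses the deck's headers with a constructed Set-Cookie line added; the hardened sample is constructed to show what a passing response looks like.

```python
# Sample input: the response headers from the deck's `curl --head` run, plus a
# constructed Set-Cookie line; and a constructed hardened response shaped like slide 11.
LEAKY = """\
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2013 07:26:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Set-Cookie: session=abc123; path=/
"""

HARDENED = """\
HTTP/1.1 200 OK
Date: Mon, 23 Dec 2013 07:26:04 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
Set-Cookie: session=abc123; path=/; Secure; HttpOnly
"""

BANNER_HEADERS = ("server", "x-powered-by", "x-runtime")
REQUIRED_HEADERS = ("x-frame-options", "strict-transport-security", "content-security-policy")


def parse_headers(raw):
    """Map lower-cased header names to their values (a header may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:              # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return one finding per deviation from the slide-11 checklist."""
    h = parse_headers(raw)
    findings = []
    for name in BANNER_HEADERS:
        for value in h.get(name, []):
            # ServerTokens Prod leaves a bare "Apache"; anything carrying a version number leaks
            if name != "server" or any(c.isdigit() for c in value):
                findings.append(f"{name} advertises '{value}'")
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    for cookie in h.get("set-cookie", []):
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= flags:
            findings.append(f"cookie without Secure+HttpOnly: {cookie.split(';')[0]}")
    return findings
```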
  12. Making the web secure, one unit test at a time

    CI: http://asciinema.org/a/6565 (thanks garethr)
  13. Reduce the attack surface

    (diagram) A firewall exposing only 80, 443 and 22/666 (ssh, sftp); behind it Apache or nginx with mod_security proxying to the Tomcat apps on 127.0.0.1:8080, while MySQL and the Tomcat admin on 127.0.0.1:8081 stay unexposed. Two kinds of client: Users and Admins.
  14. Fail securely / unsafe defaults

    Don’t tell too much when it’s broken: PassengerFriendlyErrorPages off
    • Monitor
      ◦ http and app logs
      ◦ your exceptions
    • Custom error 404/500
      ◦ don’t show the stack trace
      ◦ or the raw error message
  15. Keep everything up to date

    OS
      ▪ ideally automate the security updates
    stack
      ▪ subscribe to announcement lists
      ▪ https://hakiri.io/
    code dependencies
      ▪ release announcements
      ▪ gemnasium, gemcanary
    code
      ▪ brakeman, codesake-dawn, PullReview, rips (php), code reviews
      ▪ externalize credentials
    Not a panacea, but you will be better than average
  16. Code vulnerabilities

    Cross Site Scripting - XSS (JSON, Content Tag), SQL and Command Injection, Mass Assignment, Attribute Restriction, Cross-Site Request Forgery, Unsafe Redirects, Default Routes, Format Validation (multiline regexp), Denial of Service (cpu, memory, ...), Dynamic Render Paths, Dangerous Evaluation, Unsafe Deserialization, File Access, Basic Authentication, Session Settings, Information Disclosure, Dangerous Send, Mail Link, Remote Code Execution, Remote Execution in YAML.load
  17. Use a modern framework, update it on CVE and monitor your errors

    MultiJson::LoadError: 795: unexpected token at '--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection 'NS; eval(%[c2xlZXAoMjUp].unpack(%[m0])[0]);' : ...
    ActionView::MissingTemplate: Missing template code_reviews/index, application/index with {:locale=>[:en], :formats=>["acunetix/wvs"], :handlers=>[:erb, :builder]}.
    code_reviews#index => ["sleep(25)"]
    A gentle attack; it could have been rm -rf * or a command adding his key to ~/.ssh/authorized_keys
    ArgumentError: invalid %-encoding (%CARTID%)
  18. Follow best practices

    - validate user params
    - use a well-known authentication framework: don’t roll your own, don’t handle passwords yourself
    - emails are not safe
    - use prepared statements for db access
    - don’t use user params in commands, eval, string concatenation for sql, temp files, ...
    - try to enable two-factor authentication
  19. Breach plan

    Your box was compromised and you fixed it by.... deleting the two files you found?
    http://www.reddit.com/user/drysart
  20. The right response is

    1. don’t panic: communicate, revoke keys / api tokens, change passwords, unplug if necessary
  21. and

    2. treat everything on the box, and everything the box had SSH keys for, as radioactive.
    - Stand up a new server and install your application on there
    - Very carefully export whatever data you need (no scripts or executables)
    - then nuke the compromised machine
  22. First steps?

    - minimize your attack surface: behind ssh or the web server, remove unnecessary components
    - configure your firewall (drop-first policy)
    - modify unsafe defaults
    - monitor your errors
    - keep up to date
    - audit your infrastructure, code and dependencies
    - identify your key secrets/assets and protect them: facebook tokens, github deploy keys, financial information, credit cards, ...
    → iterate, one step after another, continuous improvement
  23. Imperfect security is better than no security

    Linux kernel developer Matthew Garrett spoke at LinuxConf Australia 2014 about security concerns post-Snowden.
  24. Borrowed stuff and more on the subject

    - OWASP
    - Web penetration testing with kali linux
    - XStream "Remote Code Execution" exploit
    - Securing Debian HowTo
    - metasploit
    - sqlmap
    - DevOpsSec
    - web-application-security-tools
    - Github SSL setup
    - security headers you should always be using
    - Gauntlt Rugged By Example
    - my VPS hacked
    - making the web secure
    - iptables outgoing connection
    - sandboxing SELinux
    - Egor Homakov's blog
    - Not just software
    - How do I deal with a compromised server
    - The Tangled Web
    - JavaScript MVC
  25. Links

    https://www.owasp.org/index.php/Main_Page
    http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
    http://www.packtpub.com/web-penetration-testing-with-kali-linux/book
    http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
    http://www.rapid7.com/products/metasploit/
    http://blog.jooq.org/2013/11/05/using-sql-injection-vulnerabilities-to-dump-your-database/
    http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/
    http://www.morethanseven.net/2013/04/23/web-application-security-tools/
    https://github.com/blog/1734-improving-our-ssl-setup
    http://www.morethanseven.net/2013/12/29/making-the-web-secure/
    http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
    http://www.slideshare.net/wickett/gauntlt-rugged-by-example
    http://www.corrspt.com/blog/2014/01/18/tale-vps-hacked/
    http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
    http://homakov.blogspot.be/
    https://www.gov.uk/service-manual/operations/penetration-testing.html
    http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
    http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886
    http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks