Betatech - Security for Dummies

Transcript

1. Security for dummies Minimize attack surface area

2. Disclaim me I’m not a security expert, hacker, pen tester…

   just a dev doing some ops Prior to working on internet hosted servers… security was a low priority task for me, spread/diluted on multiple teams with their own priorities, but now time has changed.

3. First recognize you have a problem

4. How many days per year do you work on security

   related tasks ? How many upgrade ?

5. What is your patch policy ?

6. Do you have separation of duties ?

7. Where are your production passwords ?

8. What is the impact of losing your laptop ?

9. What is your password/keys/secret policy ?

10. Do you have a firewall configured ?

11. What is your security breach plan ?

12. Do you audit your code, your infrastructure ?

13. not convinced ? ok let’s do a small test on

    sensible.host.be

14. Before just remember that “… there are only 2 types

    of company those that have been hacked and those that will ... ” - Director Robert Mueller, FBI, RSA Cyber Security Conference, March 2012

15. First recognize you have a problem > nmap -sV sensible.host.be

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-23 07:48 CET Nmap scan report for ... Not shown: 983 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.3a 25/tcp open smtp Postfix smtpd

16. 53/tcp open domain ISC BIND 9.7.3 80/tcp open http Apache

    httpd 110/tcp open pop3 Dovecot pop3d 143/tcp open imap Dovecot imapd 443/tcp open http Apache httpd 445/tcp filtered microsoft-ds 587/tcp open smtp Postfix smtpd 666/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)

17. 993/tcp open ssl/imap Dovecot imapd 995/tcp open ssl/pop3 Dovecot pop3d

    3306/tcp open mysql MySQL 5.5.28-1~dotdeb.0-log 8011/tcp open unknown 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 10000/tcp open http MiniServ 1.631 (Webmin httpd) 20000/tcp open http MiniServ 1.550 (Webmin httpd) Service Info: Host: .... OSs: Unix, Linux; CPE: cpe:/o:linux: kernel

18. At first glance a lot of ports open on the

    net → a lot of opportunities for attackers - apache tomcat not “hidden” behind the apache proxy or a firewall - mysql/ftp/webmin all open - webmin install at 2 differents port/version - no firewall installed (instant nmap) - db accessible from any host

19. Announcement helps the bad guys > ftp ftp://username:[email protected] Connected to

    sensible.host.be. 220 ProFTPD 1.3.3a Server (Debian) • ftp is insecure by nature, use sftp • exploitable : https://github.com/rapid7/metasploit- framework/blob/master/modules/exploits/linux/ftp/proftp _telnet_iac.rb

20. Announcement (2) > curl --head http://sensible.host.be * About to connect()

    to sensible.host.be port 80 (#0) * Connected to sensible.host.be (xx.yy.zz.ww) port 80 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.29.0 > Host: sensible.host.be > Accept: */* > < HTTP/1.1 200 OK < Date: Mon, 23 Dec 2013 07:26:04 GMT < Server: Apache < X-Powered-By: PHP/5.3.18-1~dotdeb.0 < Expires: Sun, 19 Nov 1978 05:00:00 GMT < Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0

21. Don’t allow administration consoles > http://sensible.host.be:8080/ Apache Tomcat/7.0.27 • hide

    it behind the firewall, listen only on 127.0.0.1:8080, configure apache to be a reverse proxy for non admin application • use ssh port forwarding to access it more safely • from the http header, wondering if it’s actually necessary to expose it

22. Apache Hardening 101 Header always unset "X-Powered-By" Header always unset

    "X-Runtime" ServerTokens Prod ServerSignature Off TraceEnable off Header set X-Frame-Options: sameorigin + http://www.modsecurity.org/ + cookies : strict transport policy + content security policy

23. SSL score https://www.ssllabs.com/ssltest/ https://sslcheck.globalsign.com/en_GB

24. Don’t trust your config… test it continuously http://gauntlt.org/ https://github.com/garethr/prodder (gov.uk)

25. Making the web secure, one unit test at a time

    CI : http://asciinema.org/a/6565 thanks garethr

26. Reduce the attack surface http://www.300spartanwarriors.com/ http://fr.wikipedia.org/wiki/Tortue_%28formation%29 http://www.vodkaster.com/Films/Asterix-aux-jeux-olympiques/2447

27. each line is a vulnerability vector 80 443 8080 21

28. Reduce the attack surface fire wall Mysql Tomcat admin 127.0.0.1:8081

    80 443 22 / 666 ssh sftp Apache or nginx Tomcat apps 127.0.0.1:8080 m o d s e c Users Admins

29. Fail securely / unsafe defaults don’t tell too much when

    it’s broken PassengerFriendlyErrorPages off • Monitor ◦ http and app logs ◦ your exception • Custom error 404/500 ◦ don’t show stack trace. ◦ raw error message

30. Keep everything up to date OS ▪ ideally automate the

    security updates stack ▪ subscribe to announcement list ▪ https://hakiri.io/ code dependencies ▪ release announcement ▪ gemnasium, gemcanary code ▪ brakeman, codesake-dawn, PullReview, rips (php), code reviews ▪ externalize credentials Not Panacea but you will be better than average

31. Code vulnerabilities Cross Site Scripting - XSS (JSON, Content Tag),

    SQL and Command Injection, Mass Assignment, Attribute Restriction, Cross-Site Request Forgery, Unsafe Redirects, Default Routes, Format Validation (multiline regexp), Denial of Service (cpu, memory,...), Dynamic Render Paths, Dangerous Evaluation, Unsafe Deserialization, File Access, Basic Authentication, Session Settings, Information Disclosure, Dangerous Send, Mail Link, Remote Code Execution, Remote Execution in YAML. load

32. Use a modern framework, update it on CVE and monitor

    your errors MultiJson::LoadError: 795: unexpected token at '--- ! ruby/hash\u003aActionController\u003a\u003aRouting\u003a\u003aRo uteSet\u003a\u003aNamedRouteCollection 'NS; eval(% [c2xlZXAoMjUp].unpack(%[m0])[0]);' \u003a ... Actio​nView​::Mis​singT​empla​te: M​issin​g tem​plate​ code​_revi​ews/i​ndex,​ appl​icati​on/in​dex w​ith {​:loca​le=>[​:en],​ : for​mats=​>["ac​uneti​x/wvs​"], :​handl​ers=>​[:erb​, :bu​ilder​]}. code_reviews#index => ["sleep(25)"] gentle attack could be rm -rf * or command to add his key to ~/.ssh/authorized_keys Argum​entEr​ror: ​inval​id %-​encod​ing (​% CART​ID%)

33. Audit your code

34. Follow best practices - validate user params - use a

    well known authentication framework - don’t roll your own, - don’t handle password yourself, - emails are not safe - use prepared statement for db access - don’t use user params in command, eval, string concat for sql, temp files,... - try to enable two-factor authentication

35. Breach plan Your box was compromised and you fixed it

    by.... - deleting the two files you found ? http://www.reddit.com/user/drysart

36. The right response is 1. don’t panic communicate revoke keys

    / api tokens change passwords unplug if necessary

37. and 2. treat everything on the box, and everything the

    box had SSH keys for as radioactive. - Stand up a new server, install your application on there, - Do a very carefully export whatever data (no scripts or executables) - then nuke the compromised machine.

38. First steps ? - minimize your attack surface behind ssh

    or web server remove unnecessary component - configure your firewall (drop first policy) - modify unsafe defaults - monitor your errors - keep up to date - audit your infrastructure, code and dependencies - identify your key secrets/assets and protect them facebook tokens, github deploy keys, financial information, credit cards,... → iterate, one step after another, continuous improvement

39. imperfect security is better than no security Linux kernel developer

    Matthew Garrett spoke at LinuxConf Australia 2014 about security concerns post-Snowden.

40. Borrowed stuff and more on the subject OWASP Web penetration

    testing with kali linux XStream "Remote Code Execution" exploit Securing Debian HowTo metasploit sqlmap DevOpsSec web-application-security-tools Github SSL setup security headers you should always be using Gauntlt Rugged By Example my VPS hacked. making the web secure iptables outgoing connection sandboxing SELinux Egor Homakov's blog Not just software How do I deal with a compromised server The Tangled Web Java script mvc

41. https://www.owasp.org/index.php/Main_Page http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html http://www.packtpub.com/web-penetration-testing-with-kali-linux/book http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html http://www.rapid7.com/products/metasploit/ http://blog.jooq.org/2013/11/05/using-sql-injection-vulnerabilities-to-dump-your-database/ http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/ http://www.morethanseven.net/2013/04/23/web-application-security-tools/ https://github.com/blog/1734-improving-our-ssl-setup http://www.morethanseven.net/2013/12/29/making-the-web-secure/

    http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using http://www.slideshare.net/wickett/gauntlt-rugged-by-example http://www.corrspt.com/blog/2014/01/18/tale-vps-hacked/ http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html http://homakov.blogspot.be/ https://www.gov.uk/service-manual/operations/penetration-testing.html http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886 http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks