Slide 1

Slide 1 text

Security for dummies: minimize attack surface area

Slide 2

Slide 2 text

Disclaimer: I’m not a security expert, hacker or pen tester, just a dev doing some ops. Prior to working on internet-hosted servers, security was a low-priority task for me, spread/diluted across multiple teams with their own priorities, but times have changed.

Slide 3

Slide 3 text

First recognize you have a problem

Slide 4

Slide 4 text

How many days per year do you work on security-related tasks? How many upgrades?

Slide 5

Slide 5 text

What is your patch policy?

Slide 6

Slide 6 text

Do you have separation of duties?

Slide 7

Slide 7 text

Where are your production passwords?

Slide 8

Slide 8 text

What is the impact of losing your laptop?

Slide 9

Slide 9 text

What is your password/keys/secrets policy?

Slide 10

Slide 10 text

Do you have a firewall configured?

Slide 11

Slide 11 text

What is your security breach plan?

Slide 12

Slide 12 text

Do you audit your code and your infrastructure?

Slide 13

Slide 13 text

Not convinced? OK, let’s do a small test on sensible.host.be.

Slide 14

Slide 14 text

Before that, just remember: “… there are only 2 types of company: those that have been hacked and those that will …” - Director Robert Mueller, FBI, RSA Cyber Security Conference, March 2012

Slide 15

Slide 15 text

First recognize you have a problem

> nmap -sV sensible.host.be
Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-23 07:48 CET
Nmap scan report for ...
Not shown: 983 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          ProFTPD 1.3.3a
25/tcp    open     smtp         Postfix smtpd

Slide 16

Slide 16 text

53/tcp    open     domain       ISC BIND 9.7.3
80/tcp    open     http         Apache httpd
110/tcp   open     pop3         Dovecot pop3d
143/tcp   open     imap         Dovecot imapd
443/tcp   open     http         Apache httpd
445/tcp   filtered microsoft-ds
587/tcp   open     smtp         Postfix smtpd
666/tcp   open     ssh          OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)

Slide 17

Slide 17 text

993/tcp   open     ssl/imap     Dovecot imapd
995/tcp   open     ssl/pop3     Dovecot pop3d
3306/tcp  open     mysql        MySQL 5.5.28-1~dotdeb.0-log
8011/tcp  open     unknown
8080/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open     http         MiniServ 1.631 (Webmin httpd)
20000/tcp open     http         MiniServ 1.550 (Webmin httpd)
Service Info: Host: ....; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Slide 18

Slide 18 text

At first glance, a lot of ports are open on the net → a lot of opportunities for attackers:
- Apache Tomcat not “hidden” behind the Apache proxy or a firewall
- MySQL/FTP/Webmin all open
- Webmin installed on two different ports/versions
- no firewall installed (instant nmap)
- DB accessible from any host

Slide 19

Slide 19 text

Announcement helps the bad guys

> ftp ftp://username:[email protected]
Connected to sensible.host.be.
220 ProFTPD 1.3.3a Server (Debian)

● ftp is insecure by nature, use sftp
● exploitable: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ftp/proftp_telnet_iac.rb

Slide 20

Slide 20 text

Announcement (2)

> curl --head http://sensible.host.be
* About to connect() to sensible.host.be port 80 (#0)
* Connected to sensible.host.be (xx.yy.zz.ww) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sensible.host.be
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 23 Dec 2013 07:26:04 GMT
< Server: Apache
< X-Powered-By: PHP/5.3.18-1~dotdeb.0
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0

Slide 21

Slide 21 text

Don’t expose administration consoles

> http://sensible.host.be:8080/
Apache Tomcat/7.0.27

● hide it behind the firewall: listen only on 127.0.0.1:8080 and configure Apache as a reverse proxy for the non-admin applications
● use ssh port forwarding to access it more safely
● judging from the http header, it is questionable whether it is actually necessary to expose it at all

Slide 22

Slide 22 text

Apache Hardening 101

Header always unset "X-Powered-By"
Header always unset "X-Runtime"
ServerTokens Prod
ServerSignature Off
TraceEnable off
Header always set X-Frame-Options "SAMEORIGIN"

+ http://www.modsecurity.org/
+ cookies
+ strict transport security
+ content security policy

Slide 23

Slide 23 text

SSL score https://www.ssllabs.com/ssltest/ https://sslcheck.globalsign.com/en_GB

Slide 24

Slide 24 text

Don’t trust your config… test it continuously http://gauntlt.org/ https://github.com/garethr/prodder (gov.uk)

Slide 25

Slide 25 text

Making the web secure, one unit test at a time CI : http://asciinema.org/a/6565 thanks garethr
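Added example (not from the slides or from gauntlt/prodder): a small header audit in the spirit of slides 22 and 24/25, run against a captured HTTP response instead of trusting the Apache config once. The two responses are constructed here, modelled on the curl output of slide 20; the check names and functions are mine.

```ruby
# Audits a raw HTTP response against the "Apache Hardening 101" checklist.
# Both sample responses are constructed for this example.
WEAK_RESPONSE = <<~RESP
  HTTP/1.1 200 OK
  Date: Mon, 23 Dec 2013 07:26:04 GMT
  Server: Apache/2.2.16 (Debian)
  X-Powered-By: PHP/5.3.18-1~dotdeb.0
  Content-Type: text/html
RESP

HARDENED_RESPONSE = <<~RESP
  HTTP/1.1 200 OK
  Server: Apache
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=31536000
  Content-Security-Policy: default-src 'self'
  Content-Type: text/html
RESP

# Header block -> {lowercased name => value}; header names are case-insensitive.
def parse_headers(raw)
  lines = raw.lines.map(&:chomp)
  lines.shift if lines.first.to_s.start_with?('HTTP/')   # drop the status line
  lines.take_while { |l| !l.empty? }.each_with_object({}) do |l, h|
    name, value = l.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
end

# Returns the list of checklist violations; an empty list means the response passes.
def audit_headers(raw, https: true)
  h = parse_headers(raw)
  findings = []
  findings << 'X-Powered-By leaks the runtime version' if h.key?('x-powered-by')
  findings << 'X-Runtime leaks response timing' if h.key?('x-runtime')
  # ServerTokens Prod leaves exactly "Apache"; any digit means a version leaked
  findings << "Server header reveals a version: #{h['server']}" if h['server'].to_s =~ /\d/
  findings << 'X-Frame-Options missing or weak' unless h['x-frame-options'].to_s =~ /\A(DENY|SAMEORIGIN)\z/i
  findings << 'Strict-Transport-Security missing' if https && !h.key?('strict-transport-security')
  findings << 'Content-Security-Policy missing' unless h.key?('content-security-policy')
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts audit_headers(WEAK_RESPONSE, https: false)          # four findings
  puts(audit_headers(HARDENED_RESPONSE).empty? ? 'hardened: ok' : 'hardened: FAIL')
end
```

Feed it the output of `curl -si` from a CI job and fail the build on a non-empty list.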

Slide 26

Slide 26 text

Reduce the attack surface http://www.300spartanwarriors.com/ http://fr.wikipedia.org/wiki/Tortue_%28formation%29 http://www.vodkaster.com/Films/Asterix-aux-jeux-olympiques/2447

Slide 27

Slide 27 text

Each line is a vulnerability vector (ports 80, 443, 8080, 21).

Slide 28

Slide 28 text

Reduce the attack surface (diagram): Users → 80 / 443 → firewall → Apache or nginx with mod_security → Tomcat apps on 127.0.0.1:8080; Admins → 22 / 666 ssh, sftp → Tomcat admin on 127.0.0.1:8081, MySQL.

Slide 29

Slide 29 text

Fail securely / unsafe defaults

Don’t tell too much when it’s broken: PassengerFriendlyErrorPages off
● Monitor
  ○ http and app logs
  ○ your exceptions
● Custom 404/500 error pages
  ○ don’t show the stack trace
  ○ don’t show the raw error message
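Added example (not from the slides): a Rack-style error middleware that fails securely, logging the full exception for monitoring while the client only sees a generic 500 with a correlation id. Only the Ruby standard library is used; a Rack app is just an object whose call(env) returns [status, headers, body], so no gem is needed. The failing app and its error text are constructed, echoing the error shown on slide 32.

```ruby
require 'logger'
require 'securerandom'
require 'stringio'

# Wraps an app; exceptions go to the log, never to the response body.
class SafeErrors
  def initialize(app, logger)
    @app, @logger = app, logger
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    ref = SecureRandom.hex(6)   # id the user can quote so ops can find the log entry
    trace = Array(e.backtrace).first(5).join("\n  ")
    @logger.error("[#{ref}] #{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
                  "#{e.class}: #{e.message}\n  #{trace}")
    body = "Something went wrong. Reference: #{ref}"   # no class, message or trace
    [500, { 'Content-Type' => 'text/plain', 'Content-Length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed app that always fails, mimicking the ArgumentError on slide 32.
FAILING_APP = lambda do |env|
  raise ArgumentError, "invalid %-encoding (%CARTID%) in #{env['QUERY_STRING']}"
end

LOG = StringIO.new            # in-memory log so the example runs offline
APP = SafeErrors.new(FAILING_APP, Logger.new(LOG))

# Simulates one request and returns the Rack triplet [status, headers, body].
def hit(path, query = '')
  APP.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'QUERY_STRING' => query)
end

if __FILE__ == $PROGRAM_NAME
  status, _headers, body = hit('/code_reviews', 'id=%CARTID%')
  puts "client sees: #{status} #{body.join}"
  puts "log holds:   #{LOG.string}"
end
```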

Slide 30

Slide 30 text

Keep everything up to date

OS
  ■ ideally automate the security updates
stack
  ■ subscribe to announcement lists
  ■ https://hakiri.io/
code dependencies
  ■ release announcements
  ■ gemnasium, gemcanary
code
  ■ brakeman, codesake-dawn, PullReview, rips (php), code reviews
  ■ externalize credentials

Not a panacea, but you will be better than average.

Slide 31

Slide 31 text

Code vulnerabilities: Cross Site Scripting - XSS (JSON, Content Tag), SQL and Command Injection, Mass Assignment, Attribute Restriction, Cross-Site Request Forgery, Unsafe Redirects, Default Routes, Format Validation (multiline regexp), Denial of Service (cpu, memory, ...), Dynamic Render Paths, Dangerous Evaluation, Unsafe Deserialization, File Access, Basic Authentication, Session Settings, Information Disclosure, Dangerous Send, Mail Link, Remote Code Execution, Remote Execution in YAML.load

Slide 32

Slide 32 text

Use a modern framework, update it on CVE and monitor your errors

MultiJson::LoadError: 795: unexpected token at '--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection 'NS; eval(%[c2xlZXAoMjUp].unpack(%[m0])[0]);' : ...

ActionView::MissingTemplate: Missing template code_reviews/index, application/index with {:locale=>[:en], :formats=>["acunetix/wvs"], :handlers=>[:erb, :builder]}.

code_reviews#index => ["sleep(25)"]: a gentle attack; it could have been rm -rf * or a command adding the attacker’s key to ~/.ssh/authorized_keys

ArgumentError: invalid %-encoding (%CARTID%)

Slide 33

Slide 33 text

Audit your code

Slide 34

Slide 34 text

Follow best practices
- validate user params
- use a well-known authentication framework: don’t roll your own, don’t handle passwords yourself
- emails are not safe
- use prepared statements for db access
- don’t use user params in commands, eval, string concatenation for SQL, temp files, ...
- try to enable two-factor authentication
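Added example (not from the slides): two of the rules above applied in Ruby, against the kind of input slide 32 shows. The tagged YAML document is constructed in the shape of that payload (tag only, no code), the filename with a shell metacharacter is constructed too, and the function names and the whitelist regexp are mine.

```ruby
require 'yaml'
require 'open3'
require 'tmpdir'

# Constructed input: the !ruby/hash tag asks the deserializer to instantiate a
# class of the sender's choice, which is what the slide 32 error message records.
TAGGED_YAML = "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" \
              "key: value\n"

# 1. Never YAML.load user data. safe_load accepts only plain scalars, arrays and
#    hashes and raises on any !ruby tag, so the named class is never instantiated.
def load_untrusted_yaml(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  { error: e.class.name }   # reject and report upstream; never fall back to YAML.load
end

# 2. Validate the parameter against a strict whitelist, then hand it to the
#    command as its own argv element: no shell parses it, so "; ..." can only
#    ever be a (non-existent) filename rather than a second command.
SAFE_NAME = /\A\w[\w.-]{0,63}\z/

def safe_line_count(dir, user_supplied_name)
  raise ArgumentError, 'invalid filename' unless SAFE_NAME.match?(user_supplied_name)
  out, status = Open3.capture2('wc', '-l', File.join(dir, user_supplied_name))
  status.success? ? out.split.first.to_i : nil
end

# Self-contained demo: a temp dir with a three-line file, then a hostile name.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'a.txt'), "one\ntwo\nthree\n")
    count = safe_line_count(dir, 'a.txt')
    rejected = begin
      safe_line_count(dir, 'a.txt; echo injected')
      false
    rescue ArgumentError
      true
    end
    { yaml: load_untrusted_yaml(TAGGED_YAML), count: count, hostile_rejected: rejected }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```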

Slide 35

Slide 35 text

Breach plan: your box was compromised and you fixed it by.... deleting the two files you found? (http://www.reddit.com/user/drysart)

Slide 36

Slide 36 text

The right response is
1. don’t panic
- communicate
- revoke keys / api tokens
- change passwords
- unplug if necessary

Slide 37

Slide 37 text

and 2. treat everything on the box, and everything the box had SSH keys for, as radioactive.
- Stand up a new server and install your application on it,
- very carefully export whatever data you need (no scripts or executables),
- then nuke the compromised machine.

Slide 38

Slide 38 text

First steps?
- minimize your attack surface: put everything behind ssh or the web server, remove unnecessary components
- configure your firewall (drop-first policy)
- modify unsafe defaults
- monitor your errors
- keep up to date
- audit your infrastructure, code and dependencies
- identify your key secrets/assets and protect them: facebook tokens, github deploy keys, financial information, credit cards, ...
→ iterate, one step after another, continuous improvement

Slide 39

Slide 39 text

Imperfect security is better than no security. Linux kernel developer Matthew Garrett spoke at LinuxConf Australia 2014 about security concerns post-Snowden.

Slide 40

Slide 40 text

Borrowed stuff and more on the subject
- OWASP
- Web penetration testing with kali linux
- XStream "Remote Code Execution" exploit
- Securing Debian HowTo
- metasploit
- sqlmap
- DevOpsSec
- web-application-security-tools
- Github SSL setup
- security headers you should always be using
- Gauntlt Rugged By Example
- my VPS hacked
- making the web secure
- iptables outgoing connection
- sandboxing SELinux
- Egor Homakov's blog
- Not just software
- How do I deal with a compromised server
- The Tangled Web
- Java script mvc

Slide 41

Slide 41 text

https://www.owasp.org/index.php/Main_Page
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
http://www.packtpub.com/web-penetration-testing-with-kali-linux/book
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
http://www.rapid7.com/products/metasploit/
http://blog.jooq.org/2013/11/05/using-sql-injection-vulnerabilities-to-dump-your-database/
http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/
http://www.morethanseven.net/2013/04/23/web-application-security-tools/
https://github.com/blog/1734-improving-our-ssl-setup
http://www.morethanseven.net/2013/12/29/making-the-web-secure/
http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
http://www.slideshare.net/wickett/gauntlt-rugged-by-example
http://www.corrspt.com/blog/2014/01/18/tale-vps-hacked/
http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
http://homakov.blogspot.be/
https://www.gov.uk/service-manual/operations/penetration-testing.html
http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server
http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886
http://www.slideshare.net/x00mario/jsmvcomfg-to-sternly-look-at-javascript-mvc-and-templating-frameworks