
Servers: Configure, Harden, and Manage

Full-stack development requires a full understanding of all elements of your stack – not just backend and frontend software, but the server and lower-level tools upon which your application is built. The most secure coding in the world won’t protect against a misconfigured or vulnerable server. Together we’ll walk through all elements of the stack, from the application itself through the utilities it interacts with to the server upon which everything runs – all from the perspective of security and keeping your customers and their data secure.

Eric Mann

May 21, 2019

Transcript

  1. Hello.
     Adam Englander, Architect, iovation
     Ijeoma Ezeonyebuchi, Mobile Quality Assurance Engineer, NPR
     Eric Mann, Director of Engineering, Vacasa
  2. Today's Session
     - Why care about server hardening?
     - Locking down PHP
     - Hardening the app server
     - Protecting the database
     - Preventing server abuse
     - Routine maintenance
  3. Why Server Hardening
     - Ship or die: we ship MVPs loaded with technical debt
     - Components fail: dependencies might leak vulnerabilities
     - Adversaries learn: you're always under attack if your system's online
  4. PHP: Prohibited Functionality
     [PHP]
     ;;;;;;;;;;;;;;;;;;;
     ; About php.ini   ;
     ;;;;;;;;;;;;;;;;;;;
     ; PHP's initialization file, generally called php.ini, is responsible for
     ; configuring many of the aspects of PHP's behavior.
     ; PHP attempts to find and load this configuration from a number of locations.
     ; The following is a summary of its search order:
     ; 1. SAPI module specific location.
     ; 2. The PHPRC environment variable. (As of PHP 5.2.0)
     ; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
     ; 4. Current working directory (except CLI)
  5. PHP: Prohibited Functionality
     The shipped php.ini restricts nothing by default:
     ; open_basedir, if set, limits all file operations to the defined directory
     ; and below.
     ; http://php.net/open-basedir
     ;open_basedir =
     ; This directive allows you to disable certain functions for security reasons.
     ; It receives a comma-delimited list of function names.
     ; http://php.net/disable-functions
     disable_functions =
     ; This directive allows you to disable certain classes for security reasons.
     ; It receives a comma-delimited list of class names.
     ; http://php.net/disable-classes
     disable_classes =
  6. PHP: Prohibited Functionality
     The same block, with the command-execution helpers disabled:
     disable_functions = eval,shell_exec,exec,create_function,popen,system
     Caveats: eval is a language construct, not a function, so listing it in disable_functions has no effect; create_function was deprecated in PHP 7.2 and removed in 8.0; and this list still leaves passthru, proc_open and pcntl_exec able to spawn processes, so add those too unless the application needs them.
  7. PHP: Prohibited Functionality
     ...and a file-handling class disabled as well:
     disable_classes = splfileobject
     Class names match case-insensitively, so this disables SplFileObject. disable_classes cannot be changed at runtime, and a library that instantiates the class will simply fatal, so check your dependencies for uses of it before shipping this setting.
  8. PHP: System Configuration
     Finally, confine PHP's file operations to the web root:
     open_basedir = /var/www
     disable_functions = eval,shell_exec,exec,create_function,popen,system
     disable_classes = splfileobject
     open_basedir is enforced by PHP, not by the kernel: it restricts PHP's own file functions and include/require, so keep proper filesystem permissions underneath it. List every directory PHP must reach, separated by ":" on Linux, including upload_tmp_dir and session.save_path, or file uploads and sessions break with "open_basedir restriction in effect" warnings.
  9. PHP: System Configuration
     ; Maximum allowed size for uploaded files.
     ; http://php.net/upload-max-filesize
     upload_max_filesize = 2M
     ; Maximum number of files that can be uploaded via a single request
     max_file_uploads = 20
     ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
     ; http://php.net/allow-url-fopen
     allow_url_fopen = On
     ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
     ; http://php.net/allow-url-include
     allow_url_include = Off
     allow_url_include = Off is the setting that stops remote file inclusion, and it only has meaning while allow_url_fopen is On. Leaving allow_url_fopen On still lets file_get_contents() and friends fetch arbitrary URLs, which is a ready-made SSRF primitive for an attacker who controls a path, so set it Off as well unless the application genuinely reads remote streams (most use curl instead). Keep post_max_size at or above upload_max_filesize; a request larger than post_max_size arrives with empty $_POST and $_FILES.
  11. PHP: System Configuration - Other Settings
     - Set expose_php to Off to stop advertising your PHP version in the X-Powered-By header
     - Set display_errors to Off in production so paths, queries and stack traces are not shown to users
     - Set log_errors to On and point error_log at a file outside the web root (and make sure it is rotated)
     - Keep PHP up to date!
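The directives on the preceding slides are easy to get subtly wrong: a directive set twice with the last one winning, eval listed where it has no effect, open_basedir left commented out. The following is an added example, not code from the deck, of a POSIX shell audit that reads a php.ini and reports settings that disagree with the recommendations above. The sample php.ini it writes is constructed for the example, the function names are this example's own, and the check list goes slightly beyond the slides by also expecting passthru and proc_open in disable_functions.

```shell
#!/bin/sh
# php.ini hardening audit: added example, not code from the deck.
# Reads a php.ini and reports directives that disagree with the settings
# recommended above. The sample file written by write_sample_ini is constructed
# for this example; the function names and the extra functions checked
# (passthru, proc_open) are this example's own choices.

# ini_get FILE KEY -> prints the effective value of KEY (last uncommented
# occurrence wins, as in php.ini itself) or an empty line if it is unset.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # whole-line comment
        {
            line = $0; sub(/;.*$/, "", line)      # trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# is_off VALUE -> true for every spelling PHP reads as false/off.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# list_has LIST NAME -> true if the comma-separated LIST contains NAME.
list_has() {
    printf '%s' "$1" | tr ',' '\n' | tr -d ' ' | grep -qix "$2"
}

# audit_php_ini FILE -> prints one FINDING line per problem; the return
# value is the number of findings, so 0 means the file passed.
audit_php_ini() {
    f=$1; findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    for d in expose_php display_errors allow_url_include allow_url_fopen; do
        is_off "$(ini_get "$f" "$d")" || report "$d should be Off"
    done
    is_off "$(ini_get "$f" log_errors)" && report "log_errors should be On"
    [ -n "$(ini_get "$f" error_log)" ] || report "error_log is not set"
    [ -n "$(ini_get "$f" open_basedir)" ] || report "open_basedir is not set"

    df=$(ini_get "$f" disable_functions)
    for fn in shell_exec exec system popen passthru proc_open; do
        list_has "$df" "$fn" || report "disable_functions lacks $fn"
    done
    # eval is a language construct, not a function: listing it is a no-op.
    list_has "$df" eval && report "eval in disable_functions has no effect"
    return "$findings"
}

# write_sample_ini FILE -> constructed php.ini mirroring the deck's slides,
# including the two settings that the audit flags (expose_php, display_errors).
write_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
expose_php = On
display_errors = On
log_errors = On
error_log = /var/log/php/error.log
;open_basedir =
disable_functions = eval,shell_exec,exec,create_function,popen,system
disable_classes = splfileobject
allow_url_fopen = On
allow_url_include = Off
EOF
}

# Usage: sh audit.sh /path/to/php.ini   (exit status = number of findings)
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
    exit $?
fi
```

Run it against the php.ini your SAPI actually loads (php --ini shows the path for the CLI; for FPM or mod_php look at phpinfo() or the php-fpm/Apache config), because the CLI and the web SAPI frequently read different files. The non-zero exit status makes it usable as a CI or deploy-time gate.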
  12. Apache/Nginx: Protect the App Server
     - Disable server tokens so the server version stops appearing in response headers and error pages:
       server_tokens off; (Nginx)
       ServerTokens Prod, plus ServerSignature Off for error pages (Apache)
     - Define the server hostname explicitly rather than relying on the catch-all default, and pair it with a default server that rejects unknown Host headers so the application only answers for its own name:
       server_name (Nginx)
       ServerName (Apache)
  13. Apache/Nginx: Protect the App Server
     - Disable directory listings, so a directory without an index file is not rendered as a browsable index of its contents:
       autoindex off; (Nginx)
       Options -Indexes (Apache)
     - Serve over TLS with a valid certificate. Let's Encrypt provides them for free!
     - Return proper, documented error codes, with generic error pages that reveal nothing about the server or application internals
  14. MySQL: Conservative Configuration
     - Use a cloud-hosted database provider rather than running locally
     - If running locally, set bind-address = 127.0.0.1 in my.cnf so MySQL listens on loopback only and accepts no remote connections
     - Scope database user authorization to the specific host the app connects from ('app'@'127.0.0.1', never 'app'@'%'); MySQL treats the host name 'localhost' as the Unix socket rather than TCP, so match the host to how the application actually connects
     - Scope database user privileges to the database or tables they need (SELECT, INSERT, UPDATE, DELETE on the app's own schema, not ALL PRIVILEGES and never GRANT OPTION)
  15. Blocking the Barbarian Hordes: ufw
     - ufw is the default firewall in Ubuntu
     - It's a high-level abstraction atop iptables that makes firewalls easier to manage
     - Enable it with sudo ufw enable, but add your SSH rule first: enabling with the default deny-incoming policy and no SSH rule drops your own session
     - Ensure only the HTTP(S) ports and SSH are open
     - Ensure only you have access to SSH: restrict the SSH port to your own address or network, and prefer ufw limit to ufw allow so repeated connection attempts are rate-limited
  16. Blocking the Barbarian Hordes: fail2ban
     - fail2ban scans log files for failed authentication attempts and blocks access from potentially malicious IP addresses
     - Can work with ufw to block attacks directly in the firewall
     - Additional filters can block traffic based on attacks against:
       - Nginx
       - MySQL
       - Other system applications
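The two slides above describe a baseline firewall and then log-driven blocking on top of it. The following added example, not code from the deck, puts both in one script: a lock-out-safe ufw rule set for a web server, and a small awk scan that does what a fail2ban sshd jail does, counting "Failed password" lines per source address and emitting a ufw deny rule for any source over the retry limit. The admin network 203.0.113.0/24, the auth-log lines and the function names are constructed for the example; every ufw call goes through $UFW_RUN, which defaults to echo, so nothing is applied until you run it with UFW_RUN=sudo.

```shell
#!/bin/sh
# Firewall baseline plus log-driven blocking: added example, not code from the deck.
# ufw_baseline prints (or applies) a lock-out-safe rule set for a web server.
# failed_ssh_sources / ban_offenders do what a fail2ban sshd jail does: count
# "Failed password" lines per source address and block repeat offenders with a
# ufw deny rule inserted ahead of the allow rules. The admin network, the log
# lines and the function names are constructed for this example. Every ufw call
# goes through $UFW_RUN, which defaults to "echo": the script is a dry run until
# you run it with UFW_RUN=sudo.
UFW_RUN=${UFW_RUN:-echo}
ufw_cmd() { $UFW_RUN ufw "$@"; }

# ufw_baseline ADMIN_CIDR [SSH_PORT]
ufw_baseline() {
    admin=$1; ssh_port=${2:-22}
    case "$admin" in
        */*) ;;
        *) echo "admin network must be in CIDR notation: $admin" >&2; return 1 ;;
    esac
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # The SSH rule comes before "enable" so the firewall cannot cut off this
    # session; "limit" also rate-limits connection attempts from one source.
    ufw_cmd limit from "$admin" to any port "$ssh_port" proto tcp
    ufw_cmd allow 80/tcp
    ufw_cmd allow 443/tcp
    ufw_cmd --force enable
}

# failed_ssh_sources LOGFILE MAXRETRY -> "count ip" for each source with at
# least MAXRETRY failed password attempts, most active first.
failed_ssh_sources() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }' "$1" | sort -rn
}

# ban_offenders LOGFILE MAXRETRY -> one deny rule per offender, inserted at
# position 1 so it is evaluated before the allow rules (ufw needs at least one
# existing rule for "insert 1", which the baseline above guarantees).
ban_offenders() {
    failed_ssh_sources "$1" "$2" | while read -r _count ip; do
        ufw_cmd insert 1 deny from "$ip" to any
    done
}

# write_sample_auth_log FILE -> constructed /var/log/auth.log excerpt: one
# source with four failures, one legitimate user with a single typo.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
May 21 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 21 10:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 21 10:00:05 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 40130 ssh2
May 21 10:00:09 web1 sshd[2110]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
May 21 10:00:12 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
May 21 10:00:20 web1 sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
EOF
}
```

The retry threshold is what keeps a user who mistyped a password once (198.51.100.7 above) off the ban list; fail2ban's real sshd filter matches more patterns than this and adds a time window and an unban timer, which is why you should still install it rather than run this from cron. The dry-run default means you can diff the emitted rules against ufw status before anything is applied.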
  17. Routine Maintenance
     - Keep system packages up to date: sudo apt-get install unattended-upgrades apt-listchanges, then sudo dpkg-reconfigure -plow unattended-upgrades to switch automatic security updates on
     - Ensure your application and system tools log everything
     - Leverage systems like:
       - Sentry: log and alert on unhandled application errors
       - Intrusion detection systems: flag unexpected user/system behavior