Securing a production LAMP environment

SECURING A PRODUCTION
LAMP SERVER
Aaron Corso
COSC356-001
Spring 2012
What is LAMP?
• A ‘solution stack’, or package of an OS and software consisting of:
  • Linux
  • Apache
  • MySQL
  • PHP
• Common substitutions are WAMP (using Windows instead of Linux) and LAPP (using PostgreSQL instead of MySQL)
Why LAMP?
• Linux = open source, easy to deploy in a server environment
• Apache = most popular web server in the world; approximately 65% of web servers use Apache, over 442 million host names
• PHP and MySQL = popular back-end stack for web applications
• Combined, the stack is entirely open source; only non-standard software additions are proprietary
NetCraft Survey, April 2012
Why LAMP Security?
• Being the number one deployed web server makes the stack a popular target of attacks
• The result of a successful attack is highly visible: a public site is defaced or taken over
• Sites can contain information valuable to attackers, especially eCommerce websites
• Many routes of attack through the modularized operating environment: every component is a separate attack surface
The Challenge of Modularized Security
• Each component of the solution stack has its own security mechanisms and its own update channel; each must be kept up to date
  • Linux kernel
  • Distro applications
  • Other application add-ons
  • Apache
    • Apache modules
  • PHP
    • PHP extensions
  • MySQL
Where does LAMP Security Start?
• Choosing a Linux distribution
  • Each distribution (“distro”) has its own set of core applications built on top of the kernel
  • Some distros are created with security and a server environment in mind; others are consumer oriented
  • Common base distros for LAMP servers are Ubuntu Server and Red Hat Enterprise Linux
Considerations for choosing a distro
• Life cycle – avoid distros which release major versions constantly; prefer long-term-support releases that receive security updates for years
• Package management – centralize the update process as much as possible so that every component is patched from one place
• Documentation – more specialized distros have less documentation
• Scalability – can the server be virtualized or used as part of a server farm easily?
Securing the Linux Installation
• Kernel hardening
  • Use grsecurity to confine processes with its kernel role-based access control (RBAC) system
• Mandatory Access Control (MAC) – SELinux on Red Hat-based distros, AppArmor on Ubuntu
• Restrict system processes to the appropriate users – the web server, the database and any CGI processes each run as a dedicated unprivileged account
• Do not leave default accounts in place – audit the account list for unneeded accounts, extra UID 0 users, empty passwords and service accounts that still have a login shell
• Standard firewalling practices – default deny inbound, allow only SSH (ideally from administrative addresses only) and HTTP/HTTPS
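One way to carry out the account audit from the slide above, as an added example that is not part of the presentation: a POSIX shell script that reads passwd(5)-format lines and flags empty password fields, accounts other than root with UID 0, and system accounts (UID below 1000) that still have an interactive shell. The sample entries are constructed for the demonstration; on a real host the function is fed /etc/passwd instead.

```shell
#!/bin/sh
# Account audit for a LAMP host (added example, not from the slides).
# Reads passwd(5)-format lines on stdin and prints one finding per line:
#   EMPTYPW:<name>        password field is empty (login with no password)
#   UID0:<name>           an account other than root with UID 0
#   SHELL:<name>:<shell>  a system account (UID < 1000) with a login shell
# Usage on a real host:  audit_accounts < /etc/passwd
set -eu

audit_accounts() {
    awk -F: '
        # fields: 1=name 2=password 3=UID 7=login shell
        $2 == ""                        { print "EMPTYPW:" $1 }
        $3 == 0 && $1 != "root"         { print "UID0:" $1; next }
        $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ {
            print "SHELL:" $1 ":" $7
        }
    '
}

# Constructed sample passwd file (not taken from any real server).  The web
# server and database accounts are correctly locked with nologin/false;
# "backup", "toor" and "guest" are the kind of entries the audit must catch.
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:105:113:MySQL Server:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second superuser:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Run the audit over the sample and return the number of findings
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_accounts | wc -l | tr -d ' '
}

# Stand-alone run: print the findings for the constructed sample
printf '%s\n' "$SAMPLE" | audit_accounts
```

Each finding maps to a fix: lock the shell of service accounts with `usermod -s /usr/sbin/nologin`, delete or lock accounts with `userdel`/`passwd -l`, and treat any second UID 0 entry as an incident, since it is a classic backdoor.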
Securing the Apache Installation
• Apache is the component exposed directly to the Internet, so it is the most common point of entry into the stack
• A breach of Apache is very harmful if the attacker's objective is to read every file under the document root, including configuration files that hold database credentials
• Security of the web server component is arguably the most important
Securing the Apache Installation (continued)
• Disable any unnecessary modules (“mods”) via the configuration file – every loaded module is code reachable by a client
• Run the Apache service under its own user and with its own security group
• Restrict access to the root directory: deny everything by default and grant access only to the document root
• Restrict the system-level files in the “bin” and “conf” directories so that only root can write them
Apache Configuration File
• httpd.conf (apache2.conf plus the conf-enabled/ directory on Debian and Ubuntu)
Securing the Apache Installation (continued)
• Disable the sending of Apache version information in response headers and error pages
• Configure CGI (Common Gateway Interface) and SSI (Server Side Includes) to run under their own user (suEXEC) rather than the web server's account
• Keep and monitor access and error logs
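The configuration steps above gathered into one httpd.conf fragment, as an added example that is not from the presentation. It assumes Apache 2.4 (the `Require` syntax), the Debian/Ubuntu `www-data` account, a site under /var/www/html and logs under /var/log/apache2; adapt those to your distro. The commented lines show the weak default that each directive replaces.

```apache
# Hardening fragment for httpd.conf / apache2.conf (added example, assumes
# Apache 2.4 on a Debian-style layout; paths, user and group are assumptions)

# Run as a dedicated unprivileged account, never as root or a shared user
User www-data
Group www-data

# Default is "ServerTokens Full", which leaks "Apache/2.4.x (Ubuntu) PHP/..."
ServerTokens Prod
ServerSignature Off
# TRACE echoes request headers back to the client; nothing legitimate needs it
TraceEnable Off

# Load only what the site needs: comment out (or a2dismod on Debian/Ubuntu)
# modules such as status, info, autoindex, cgi and userdir when unused
#LoadModule status_module modules/mod_status.so
#LoadModule autoindex_module modules/mod_autoindex.so

# Deny the whole filesystem by default ...
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# ... then open only the document root, without directory listings,
# server-side includes or CGI execution
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# Never serve dotfiles (.htaccess, .git, .env ...)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Keep and rotate the logs; error.log is where PHP errors should land too
LogLevel warn
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

# CGI/SSI under their own account needs mod_suexec; inside the VirtualHost:
#   SuexecUserGroup cgiuser cgigroup
```

The file-permission part of the slide is done outside the config: the configuration and binary directories are owned by root and not writable by the `www-data` account (`chown -R root:root /etc/apache2 && chmod -R go-w /etc/apache2`), and `apachectl configtest` is run before every reload.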
Security Modules for Apache
• mod_security
  • A web application firewall: easy configuration of rules based on client request variables such as IP, URI, headers and body
  • Automatic detection of and response to suspicious file access or unusual behaviour
• mod_evasive
  • Helps to protect against basic DoS and brute-force attacks by temporarily blocking clients that request the same page too often
Securing the PHP Installation
• PHP security relies on both the administrator and the programmer
  • Programmers must engage in “defensive coding”
  • Administrators must secure and update the interpreter and its extensions
Securing the PHP Installation (continued)
• Sandbox remote resource access – require programmers to use wrapping functions rather than native functions such as file_get_contents() on URLs
  • cURL functions or a custom wrapper; set allow_url_fopen and allow_url_include to Off in php.ini
• Limit execution time (max_execution_time)
  • Limits the damage of large-scale SQL injection and resource-exhaustion attacks
• Hide all errors from the client and write them to a log (display_errors = Off, log_errors = On)
  • Don’t give attackers hints
Securing the PHP Installation (continued)
• Disable the sending of version information in response headers (expose_php = Off)
• Disable “magic quotes” and “register globals” (both were removed in PHP 5.4; on older versions set magic_quotes_gpc = Off and register_globals = Off)
  • Rely on defensive programming practices instead
  • Find other methods to sandbox developers
  • When used, programming ambiguity arises: code can no longer tell which input has already been escaped
PHP Configuration File
• php.ini
Defensive Coding in PHP
• Always “escape” data about to be inserted into the database
  • Uses “\” characters to neutralize SQL special characters such as quotes so they cannot close the string and inject SQL
  • PHP provides native escaping functions for MySQL (mysqli_real_escape_string(); the old mysql_* extension was removed in PHP 7)
• Developers can also use a “prepared statement” to separate the data being passed from the SQL logic – this is the preferred approach, because the database never parses the data as SQL
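The vulnerable pattern the slide warns about beside the escaped and the prepared-statement forms, as an added example that is not from the presentation. It assumes PHP 7.1 or later, PDO with the MySQL driver, a table `users(id, email, password_hash)`, a least-privilege database account `shop_app` and a password supplied through the `SHOP_DB_PASS` environment variable; all of those names are assumptions.

```php
<?php
// Added example, not from the slides.  Assumes PHP >= 7.1, PDO/MySQL, a
// users(id, email, password_hash) table and the connection details below.

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
    'shop_app',                 // assumed least-privilege account
    getenv('SHOP_DB_PASS'),     // never hard-code the password in the file
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// VULNERABLE: the value is glued into the SQL text, so an email of
//   ' OR '1'='1
// turns the WHERE clause into "email = '' OR '1'='1'" and returns every row
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// ESCAPED: quote() prefixes \ ' " and NUL with "\" for this connection's
// charset, so the quote in the payload stays inside the string literal.
// Only useful for string literals; identifiers and numbers need a whitelist.
function findUserEscaped(PDO $pdo, string $email): ?array
{
    $sql = 'SELECT id, email FROM users WHERE email = ' . $pdo->quote($email);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// PREPARED: the SQL logic is sent first and compiled; the value travels
// separately as a bound parameter and can never change the statement shape
function findUserSafe(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Errors go to the log, never to the client (slide: hide errors, log them)
ini_set('display_errors', '0');
ini_set('log_errors', '1');

try {
    $user = findUserSafe($pdo, $_GET['email'] ?? '');
    echo $user ? "found user {$user['id']}\n" : "no such user\n";
} catch (PDOException $e) {
    error_log('db error: ' . $e->getMessage()); // detail stays server-side
    http_response_code(500);
    echo "internal error\n";
}
```

Running `findUserUnsafe()` with the payload in the comment returns the first row of the table; `findUserEscaped()` and `findUserSafe()` both return null, and the prepared form stays correct even if the charset or quoting rules of the connection change, which is why it is the default choice.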
Securing the MySQL Installation
• Restrict remote MySQL access by IP: bind the server to the private interface and create accounts only for the hosts that need them
• Run MySQL under its own user and with its own security group
• Protect data, system, and log files so that only the mysql user and the administrator can read them
• Use a non-default username and a strong password for every account; drop the anonymous and test accounts the installer creates
Remote MySQL Configuration
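The remote-access and account steps from the MySQL slides as the statements an administrator runs, added here as an example that is not from the presentation. It assumes a database named `shop`, the PHP application host at 10.0.0.5, MySQL 5.7 or later (for `DROP USER IF EXISTS`) and a session as the MySQL root user over the local socket; the passwords are placeholders.

```sql
-- Added example, not from the slides.  Assumptions: database "shop",
-- web host 10.0.0.5, MySQL >= 5.7, run as root over the local socket.
-- Network restriction comes first, in my.cnf, not in SQL:
--   [mysqld]
--   bind-address = 10.0.0.2      -- private interface only, never 0.0.0.0
--   skip-symbolic-links

-- 1. Application account: may connect only from the web host and may only
--    do what the application needs (no DROP, no GRANT OPTION, no FILE).
CREATE USER 'shop_app'@'10.0.0.5' IDENTIFIED BY 'replace-with-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.0.0.5';

-- 2. Separate read-only account for reports and backups
CREATE USER 'shop_ro'@'10.0.0.5' IDENTIFIED BY 'replace-with-another-random-password';
GRANT SELECT, LOCK TABLES ON shop.* TO 'shop_ro'@'10.0.0.5';

-- 3. Remove what the installer leaves behind: anonymous users, the test
--    database and root logins from anywhere but the local machine
SELECT User, Host FROM mysql.user
 WHERE User = ''
    OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));
DROP USER IF EXISTS ''@'localhost', ''@'%', 'root'@'%';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;

-- 4. Verify: no wildcard hosts, no empty users, no superuser app accounts
SELECT User, Host, Super_priv, File_priv, Grant_priv
  FROM mysql.user
 ORDER BY User, Host;
SHOW GRANTS FOR 'shop_app'@'10.0.0.5';
```

The file-protection bullet is handled at the OS level: the data directory and logs are owned by the `mysql` account with mode 700/640 (`chown -R mysql:mysql /var/lib/mysql && chmod 700 /var/lib/mysql`), and the application's PHP files holding the connection password are readable only by root and the web server account.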
Tools for Integrated Management
• cPanel / WHM
• Webmin
• Virtualmin
• Useful for reseller accounts and virtual hosting; each adds its own web-exposed administrative interface, which must be patched and firewalled like the rest of the stack
Conclusions
• Secure each component and its modules
• Follow general security practices: isolate processes, maintain logs, and disable unused or unnecessary components
• Use an integrated update manager for the four components of the stack and their respective add-ons
Questions?