Apache and PHP Security - PowerPoint PPT Presentation

Provided by: anth5

Transcript and Presenter's Notes

1
Apache and PHP Security
2
Abbreviated Talk Outline
  • Basic machine lockdown
  • Apache Configuration and Hardening
  • PHP Configuration and Hardening
  • Secure Practices for PHP Development
  • Secure Configuration of Common PHP Applications

3
Before taking action, understand the role of the server
  • Who will have physical access?
  • Who will have shell access?
  • Will apache write to the filesystem?
  • Will you need perl, python etc. within the OS or
    for apache?
  • If possible can you limit what kind of
    post/get/cookie/file payloads can be transmitted?

4
Basic Lockdown
  • Turn off unused services, update the machine
    regularly, use recommended configuration files
    etc.
  • Enable logwatch or logcheck and actually read the
    reports.
  • Enable a well configured file integrity checker
  • Configure iptables to allow only the ports the server actually
    needs (22, 80, 443; tomcat only if it is really exposed) and
    drop everything else.

5
Lockdown Continued
  • Possibly survive a SYN flood attack by enabling SYN cookies.
  • In /etc/sysctl.conf set:
  • net.ipv4.tcp_syncookies = 1
  • More information:
  • http://cr.yp.to/syncookies.html
  • Restrict cron and at access using cron.allow and
    at.allow. chmod/chown /etc/cron and
    /var/spool/cron

6
Lockdown Continued
  • Configure NTP for logfile accuracy.
  • Filesystem lockdown
  • If possible, give the apache user a minimal (1 block) disk quota,
    especially on /tmp and /var, so a compromised or runaway process
    cannot fill those filesystems.
  • Sessions can write to a user configured directory
    OR preferably a database.
  • /var, /data, /home should be mounted
    nosuid,nodev,rw
  • Is it reasonable to make /usr or /usr/local ro?

7
Securing Apache
8
Configuring Apache
  • Turn off any unnecessary capabilities; unfortunately many things
    are on by default.
  • Before making changes, research known exploits, especially in the
    context of the services this machine runs.
  • Look into alternatives.
  • Example: if running PHP, use it instead of server-side includes
    (mod_include).
  • XBitHack is then not necessary; leave it Off.

9
More Configuration Options
  • Remove the default /var/www/ content (manual, icons, sample pages)
    so the server's identity and version are not advertised.
  • Create custom /var/www/error documents (ErrorDocument) instead of
    serving the stock Apache error pages.

10
mod_dosevasive
  • Easy to configure
  • Can help mitigate HTTP-level DoS attacks by temporarily blocking
    IP addresses or URLs.
  • Blocks a client if:
  • it requests the same page more than X times per second, or
  • it makes more than X concurrent requests to the same child
    process per second.
  • Answers with a 403 error and keeps the client blacklisted for the
    blocking period.
  • Can log to syslog and send email.
  • Can also talk to a firewall or router and execute system commands
    (take care: anything run from here runs as the apache user).

11
Example Configuration
  • LoadModule dosevasive20_module modules/mod_dosevasive20.so
  • DOSHashTableSize 3097
  • DOSPageCount 2
  • DOSPageInterval 1
  • DOSSiteCount 50
  • DOSSiteInterval 1
  • DOSBlockingPeriod 10
  • DOSEmailNotify admin@domain.com
  • DOSLogDir "/tmp/mod_dosevasive" (make it writable by the apache
    user only)

12
mod_security
  • Very Powerful
  • Can be tricky to configure; expect lots of testing against real
    traffic before enforcing.
  • Especially useful if the web server runs only a small number of
    applications, since the rules can be tailored to them.

13
mod_security Features
  • Filters requests inside Apache before they reach the application.
  • Filters all requests, including POST payloads and SSL traffic
    (it sees the request after decryption).
  • Understands the HTTP protocol, allowing fine tuning.
  • Complete logging, including POST data.
  • Custom rules using regular expressions can be applied at the
    virtual host level.

14
More mod_security features
  • Upon a match it can filter, email, log, redirect, send an error
    code, or execute a system binary.
  • Can execute an action upon file upload, e.g. a virus scan.
  • Easier and better Apache chrooting: no modules or libraries need
    to be copied into the chroot and the logs are already open. One
    line: SecChrootDir /chroot/apache
  • Can use Snort web attack signatures (converted to rules).
  • Rules are created and posted for web application
    vulnerabilities.
  • Can change the identity string of the web server without editing
    the source.

15
Example mod_security Configuration
  • SecFilterEngine On
  • Prevent OS-specific keywords, e.g. index.php?include=filename
    pointing at a system file:
  • SecFilter /etc/passwd
  • Prevent path traversal (..) attacks:
  • SecFilter "\.\./"
  • Very crude filters to prevent SQL injection attacks (they will
    also block legitimate text containing these phrases, so test
    against real traffic first):
  • SecFilter "delete[[:space:]]+from"
  • SecFilter "insert[[:space:]]+into"
  • SecFilter "select.+from"

16
Scanning your server
  • Nmap
  • Nessus
  • http://www.nessus.org
  • CIS Linux Benchmark Scan
  • http://www.cisecurity.org/bench_linux.html

17
PHP Security
18
Types of PHP Attacks
  • Command execution and/or writing to the filesystem.
  • SQL injection
  • Session hijacking
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Session ID reading/prediction

19
Securing PHP
  • The default php.ini says it itself:
  • WARNING: This is the default settings file for new PHP
    installations. By default, PHP installs itself with a
    configuration suitable for development purposes, and NOT for
    production purposes.
  • Newer PHP releases ship with safer defaults, but still review them.
  • Many PHP applications are deployed on an untouched default
    php.ini, so vulnerabilities that a hardened php.ini would mitigate
    remain exploitable.

20
Secure PHP Settings
  • Recommended configuration:
  • display_errors = Off (turn it on per script with ini_set() or per
    directory with php_flag in .htaccess while developing; never
    globally in production, since errors leak paths and queries)
  • log_errors = On
  • error_reporting = E_ALL (log everything, including notices)
  • session.save_path = /opt/php/session (set it explicitly rather
    than relying on /tmp; put it where the apache user has no quota)
  • session.gc_maxlifetime = 600 (ten minutes of inactivity)
  • safe_mode = On (enable if possible)
  • safe_mode_gid = On (enable if possible)
  • Many highly critical vulnerabilities of that era could be mitigated
    with safe_mode. Caveat: safe_mode was deprecated in PHP 5.3 and
    removed in PHP 5.4, so on current PHP rely on open_basedir,
    disable_functions and filesystem permissions instead.

21
More Settings
  • magic_quotes_gpc = Off
  • Escapes incoming GET/POST/COOKIE data, but for which
    application or database? A broken crutch: the escaping is wrong
    for anything that is not MySQL-style quoting.
  • Better to use the escaping function specific to the destination.
  • Caveat: magic_quotes was removed in PHP 5.4, so code that depends
    on it is already broken on current PHP.

22
More Settings
  • register_globals = Off
  • Never turn it on.
  • Too easy to write insecure code.
  • Auto-initializes PHP variables from GET/POST/COOKIE data.
  • URL: index.php?administrator=xyz
  • ... and $administrator is already set to "xyz" (true) before your
    script has a chance to initialize it.
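An added example, not from the slides, of the register_globals failure mode. Since register_globals itself is gone from modern PHP, the vulnerable function simulates it with extract() on request data, which has the same effect and is still a common mistake. The request array is constructed for the demonstration; the cookie check is a hypothetical stand-in for real authentication.

```php
<?php
// Added example (not from the slides). Demonstrates how register_globals
// (simulated here with extract(), which behaves the same way) lets a request
// pre-set an internal control variable, and how explicit initialization fixes it.

// Constructed request: the attacker appends administrator=1 to the query string.
$_GET = ['page' => 'home', 'administrator' => '1'];

function vulnerable_page(array $get): string
{
    // register_globals=On does this implicitly for every request variable.
    extract($get);                      // silently creates $administrator = '1'

    // Hypothetical authentication check; it fails for the attacker.
    if (isset($_COOKIE['admin_token']) && $_COOKIE['admin_token'] === 'secret') {
        $administrator = true;
    }
    // $administrator was never initialized by this code, so the attacker's
    // value survives the failed check and grants access.
    return !empty($administrator) ? 'ADMIN PANEL' : 'public page';
}

function fixed_page(array $get): string
{
    $administrator = false;             // initialize every control variable
    $page = $get['page'] ?? 'home';     // read request data only by explicit key
    if (isset($_COOKIE['admin_token']) && $_COOKIE['admin_token'] === 'secret') {
        $administrator = true;
    }
    return $administrator ? 'ADMIN PANEL' : "public page: $page";
}

echo vulnerable_page($_GET), "\n";
echo fixed_page($_GET), "\n";
```

Run with the PHP CLI: the vulnerable version prints the admin panel for an unauthenticated request, the fixed version prints the public page. The fix is not "turn off register_globals" alone: initializing every variable before use and never calling extract() on request data is what makes the code safe on any configuration.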

23
Developing Best Practices
  • Develop with security and production in mind.
  • Form strict policies concerning how data is sanitized and at what
    stage.
  • $_GET, $_COOKIE and $_POST should always be sanitized according
    to where the data is going, not where it came from.
  • To a database: the PEAR DB class handles query data with ?
    placeholders; prepared statements do the same job.
  • MySQL: mysql_real_escape_string()
  • PostgreSQL: pg_escape_string()
  • To the browser: htmlentities() or strip_tags()
  • To the shell: escapeshellcmd() for a whole command line,
    escapeshellarg() for each individual argument.

24
To Remove Javascript
  • Use preg_replace() on
  • javascriptonclickondblclickonmousedownonmouse
    uponmouseover'. 'onmousemoveonmouseout
    onkeypressonkeydownonkeyup
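An added example, not from the slides, covering the two preceding slides: escaping each value for its destination (database, browser, shell), alongside the JavaScript blacklist from the slide so the two can be compared on the same input. It assumes PHP 7 or later with the pdo_sqlite extension; the payloads and the user table are constructed for the demonstration.

```php
<?php
// Added example (not from the slides): escape by destination, not by source.
// Assumes PHP 7+ with pdo_sqlite; every input below is constructed.

$sqlPayload = "' OR 1=1 -- ";                 // classic SQL injection attempt
$xssPayload = '<img src=x onerror=alert(1)>'; // handler not on the slide's blacklist

// 1. Destination: database. Bind the value with a placeholder, the
//    PDO equivalent of PEAR DB's "?" replacements.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);                  // bound as data, never concatenated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Destination: browser. Escape at output time instead of trying to
//    strip "bad" markup from the input.
function to_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Destination: shell. Quote each argument individually;
//    escapeshellcmd() is for an entire command string.
function grep_log(string $needle): string
{
    return 'grep -F -- ' . escapeshellarg($needle) . ' /var/log/httpd/access_log';
}

// The slide's blacklist, reconstructed, for comparison.
function strip_js_blacklist(string $s): string
{
    $handlers = 'javascript|onclick|ondblclick|onmousedown|onmouseup|onmouseover|'
              . 'onmousemove|onmouseout|onkeypress|onkeydown|onkeyup';
    return preg_replace("/$handlers/", '', $s);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The payload is bound as a literal name, so no row matches.
printf("rows for injection payload: %d\n", count(find_user($db, $sqlPayload)));
// Angle brackets and quotes become entities; the browser shows text, not a tag.
echo to_html($xssPayload), "\n";
// The needle is single-quoted, so the shell sees one argument.
echo grep_log($sqlPayload), "\n";
// The blacklist leaves both of these untouched: onerror is not listed,
// and the pattern is case-sensitive.
echo strip_js_blacklist($xssPayload), "\n";
echo strip_js_blacklist('<a onClick=x>link</a>'), "\n";
```

The point of the last two lines is the one the slide's caveat makes: a regex blacklist can only remove what its author thought of, while escaping for the destination handles every input the same way.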

25
Developing Best Practices cont.
  • Form strict policies concerning sessions (storage, timeouts,
    session ID length, etc.).
  • If on a multi-user machine, set a custom session.save_path that
    other users cannot read, or save session data to a database.
  • Use session_regenerate_id() after login to prevent session
    fixation.
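An added example, not from the slides, of a session start and login routine that applies the policy above: a private save_path, an enforced inactivity timeout, cookie-only session IDs, and ID regeneration on login. The directory, the idle limit and the user table are assumptions for the demonstration; the save_path falls back to the PHP default if the directory does not exist so the script runs anywhere.

```php
<?php
// Added example (not from the slides): session policy in code. Assumes PHP 7+.

const SESSION_DIR = '/opt/php/session';   // assumed private directory, not /tmp
const IDLE_LIMIT  = 600;                  // ten minutes of inactivity, as on the slides

function secure_session_start(): void
{
    if (is_dir(SESSION_DIR)) {            // fall back to the default if absent
        ini_set('session.save_path', SESSION_DIR);
    }
    ini_set('session.use_only_cookies', '1');    // never accept ?PHPSESSID=... in the URL
    ini_set('session.cookie_httponly', '1');     // keep the cookie away from script
    ini_set('session.cookie_secure', '1');       // assumes the site is served over HTTPS
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_start();

    // gc_maxlifetime only tells the garbage collector when a file may be
    // removed; enforce the idle timeout on every request as well.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];                   // drop the stale data
        session_regenerate_id(true);      // and the stale ID
    }
    $_SESSION['last_seen'] = time();
}

function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Fixation defence: any ID the attacker planted before login is
    // discarded, and the old session file is deleted (true).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Constructed user table with a hashed password.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

secure_session_start();
$before = session_id();
if (login('alice', 'correct horse', $users)) {
    echo session_id() === $before ? "ID unchanged (fixation possible)\n"
                                  : "ID rotated after login\n";
}
```

The two regenerate calls serve different purposes: the one in secure_session_start() expires an idle session, the one in login() breaks fixation. Both pass true so the previous session file is deleted rather than left on disk for an attacker who already knows its ID.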

26
Developing Best Practices cont.: Securing Includes
  • Place them outside of the document root.
  • ini_set("include_path", ".:/home/user/libs");
  • But, if you have to place them in the document root:
  • End them in .php, so the source is not revealed if requested
    directly. Ex. database.inc.php
  • And deny direct requests for plain .inc files in the Apache
    config:
  • <Files ~ "\.inc$">
  •     Order allow,deny
  •     Deny from all
  • </Files>

27
Where to put db_connect.inc.php
  • Not in the document root.
  • If possible, make it not world-readable: owned by an admin user,
    readable by the apache group only (mode 640).

28
Web Applications
  • When installing free web applications always be
    aware of security advisories.
  • Maintain a backup of your database.
  • Practice restoring the database.
  • Be familiar with how to update the application.

29
Secure Configuration of Common PHP Applications: phpMyAdmin
  • Protect config.inc.php if the database credentials are stored in
    it ($cfg['Servers'][$i]['auth_type'] = 'config').
  • If using HTTP authentication, force SSL using mod_rewrite, since
    HTTP Basic credentials are only base64-encoded on the wire:
  • RewriteEngine On
  • RewriteRule ^/$ /index.php
  • RewriteCond %{SERVER_PORT} !^443$
  • RewriteRule (.*) https://host.com:443/$1 [R=301,L]

30
Secure Configuration of Common PHP Applications: Gallery
  • Verify that Gallery has written to the .htaccess and config.php
    files after install.
  • Then:
  • chmod 644 .htaccess
  • chmod 644 config.php
  • chmod 400 setup (or remove the setup directory entirely once the
    installation is finished)

31
Secure Configuration of Common PHP Applications: PHP-Nuke
  • Move config.php outside of the DocumentRoot.
  • Edit mainfile.php to point at the new path of config.php.

32
Questions?