Apache and PHP Security - PowerPoint PPT Presentation

Provided by: anth5
1
Apache and PHP Security
2
Abbreviated Talk Outline
  • Basic machine lockdown
  • Apache Configuration and Hardening
  • PHP Configuration and Hardening
  • Secure Practices for PHP Development
  • Secure Configuration of Common PHP Applications

3
Before taking action, understand the role of the
server
  • Who will have physical access?
  • Who will have shell access?
  • Will apache write to the filesystem?
  • Will you need perl, python etc. within the OS or
    for apache?
  • If possible can you limit what kind of
    post/get/cookie/file payloads can be transmitted?

4
Basic Lockdown
  • Turn off unused services, update the machine
    regularly, use recommended configuration files
    etc.
  • Enable logwatch or logcheck and actually read the
    reports.
  • Enable a well configured file integrity checker
  • Configure iptables. Ports 22, 80, 443; Tomcat?

5
Lockdown Continued
  • Possibly survive a SYN flood attack
  • In /etc/sysctl.conf set net.ipv4.tcp_syncookies = 1
  • More information: http://cr.yp.to/syncookies.html
  • Restrict cron and at access using cron.allow and
    at.allow. chmod/chown /etc/cron and
    /var/spool/cron

6
Lockdown Continued
  • Configure NTP for logfile accuracy.
  • Filesystem lockdown
  • If possible set quota to 1 for apache.
    Especially /tmp and /var.
  • Sessions can write to a user configured directory
    OR preferably a database.
  • /var, /data, /home should be mounted
    nosuid,nodev,rw
  • Is it reasonable to make /usr or /usr/local ro?

7
Securing Apache
8
Configuring Apache
  • Turn off any unnecessary capabilities.
    Unfortunately many things are on by default.
  • Before making changes, research potential
    exploits, especially in the context of the
    machine's services.
  • Look into alternatives
  • Example: if running PHP, use it instead of server
    side includes.
  • <?php include 'footer.html'; ?>
  • XBitHack is then not necessary

9
More Configuration Options
  • Remove the default /var/www/ directories so they do
    not reveal the server's identity.
  • Create custom /var/www/error files

10
mod_dosevasive
  • Easy to configure
  • Can help mitigate DoS attacks by blocking IP
    addresses or URLs temporarily.
  • Blocks if:
  • Requests are made for the same page more than X
    times per second per host
  • More than X concurrent requests on the same child
    per second are made
  • First sends 403 error then blacklists.
  • Can log to syslog and send email.
  • Can also communicate with firewall or router and
    execute system commands.

11
Example Configuration
  • LoadModule dosevasive20_module modules/mod_dosevasive20.so
  • <IfModule mod_dosevasive20.c>
  • DOSHashTableSize 3097
  • DOSPageCount 2
  • DOSPageInterval 1
  • DOSSiteCount 50
  • DOSSiteInterval 1
  • DOSBlockingPeriod 10
  • DOSEmailNotify admin@domain.com
  • DOSLogDir "/tmp/mod_dosevasive" (make writable
    by apache only)
  • </IfModule>

12
mod_security
  • Very Powerful
  • Can be tricky to configure. Lots of testing.
  • Especially useful if web server runs a small
    amount of applications.

13
mod_security Features
  • Filters requests before Apache handles them.
  • Filters all requests including post payloads and
    SSL.
  • Understands the http protocol, allowing fine
    tuning.
  • Complete logging, including post data.
  • Custom rules using regular expressions can be
    applied at the virtual host level.

14
More mod_security features
  • On a match it can filter, email, log, redirect,
    send an error code, or execute a system binary.
  • Can execute an action upon file upload. Example:
    virus scan.
  • Easier and better Apache chrooting. No modules or
    libraries needed. Logs already open. One line:
    SecChrootDir /chroot/apache
  • Can use Snort web attack signatures
  • Rules are created and posted for web application
    vulnerabilities.
  • Can change the identity of the web server in the
    HTTP header without editing the source.
    Fingerprinting still works though.

15
Example mod_security Configuration
  • <IfModule mod_security.c>
  • SecFilterEngine On
  • Prevent OS-specific keywords (index.php?include=filename):
  • SecFilter /etc/passwd
  • Prevent path traversal (..) attacks:
  • SecFilter "\.\./"
  • Very crude filters to prevent SQL injection
    attacks:
  • SecFilter "delete[[:space:]]+from"
  • SecFilter "insert[[:space:]]+into"
  • SecFilter "select.+from"
  • </IfModule>

16
Scanning your server
  • Nmap
  • Nessus: http://www.nessus.org
  • CIS Linux Benchmark Scan:
    http://www.cisecurity.org/bench_linux.html

17
PHP Security
18
Types of PHP Attacks
  • Command execution and/or writing to the
    filesystem.
  • Sql injection
  • Session Hijacking
  • Cross Site Scripting (xss)
  • Cross Site Request Forgeries (CSRF)
  • Session reading/predicting

19
Securing PHP
  • Default php.ini < V.4.8:
  • "WARNING: This is the default settings file for new
    PHP installations. By default, PHP installs itself
    with a configuration suitable for development
    purposes, and NOT for production purposes."
  • Newer installs are better.
  • Many PHP applications are installed with a
    default php.ini, so their vulnerabilities can be
    exploited.

20
Secure PHP Settings
  • Recommended configuration:
  • display_errors = Off (turn on with ini_set() or
    .htaccess)
  • log_errors = On
  • error_reporting = E_ALL (better error reporting)
  • session.save_path = /opt/php/session (should be
    specified by the user, where /opt has no apache
    quota)
  • session.gc_maxlifetime = 600 (ten minutes of
    inactivity)

21
More Settings
  • magic_quotes_gpc = Off
  • Escapes incoming GET/POST/cookie data, but for
    which application or database? A broken crutch.
  • Better to use the specific PHP escaping functions.
  • More later

22
More Settings
  • register_globals = Off
  • Never turn on
  • Too easy to write insecure code
  • Auto-initializes variables from GET/POST/cookie
    data
  • URL: index.php?administrator=xyz
  • <?php if (isset($administrator)) $authorized = true; ?>

23
More Settings
  • safe_mode = On (enable if possible)
  • safe_mode_gid = On (enable if possible)
  • Especially useful against highly critical attacks.
  • Cannot see files not owned by the script owner.
  • Cannot execute files not owned by the script owner.

24
Developing Best Practices
  • Develop with security and production in mind.
  • Form strict policies concerning how data is
    sanitized and at what stage.
  • $_GET, $_COOKIE and $_POST should always be
    sanitized according to where the data is going, not
    where it came from.
  • MySQL: mysql_real_escape_string()
  • Postgres: pg_escape_string()
  • The PEAR DB class handles database data with
    ? placeholders.
  • To browser: htmlentities() or strip_tags()
  • To shell: escapeshellcmd()

25
To Remove JavaScript and Reduce XSS Attacks
  • Use preg_replace() on:
  • javascript, onclick, ondblclick, onmousedown,
    onmouseup, onmouseover, onmousemove,
    onmouseout, onkeypress, onkeydown, onkeyup
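Added example (not from the slides) of escaping by destination as slide 24 describes, one function per target: browser, database and shell. PDO with sqlite stands in for the PEAR DB "?" style so it runs on the CLI without a server; the input values are constructed. Encoding for the browser also neutralizes the event-handler attributes slide 25 lists, without a blacklist of names.

```php
<?php
// Added example, not from the slides: escape each value for where it is
// going (slide 24) rather than where it came from. Runs on the CLI with the
// sqlite PDO driver that ships with PHP.

// Constructed untrusted input standing in for $_GET['q'] and $_GET['file'].
$untrusted = [
    'q'    => "O'Neil <img src=x onmouseover=\"alert(1)\">",
    'file' => 'notes.txt; id',
];

// To the browser: encode rather than strip. ENT_QUOTES also encodes single
// quotes, so the value cannot close an attribute; the onmouseover handler in
// the sample above is rendered as literal text, with no list of event names.
function for_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// To the database: a "?" placeholder, as the PEAR DB class does; PDO is used
// here because it ships with PHP. The value never becomes part of the SQL.
function for_db(PDO $db, string $name): array
{
    $db->exec('CREATE TABLE IF NOT EXISTS t (name TEXT)');
    $db->prepare('INSERT INTO t (name) VALUES (?)')->execute([$name]);
    return $db->query('SELECT name FROM t')->fetchAll(PDO::FETCH_COLUMN);
}

// To the shell: allow-list the value first, then quote the single argument
// with escapeshellarg(); escapeshellcmd() is for a whole command string.
function for_shell(string $file): string
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $file)) {
        throw new InvalidArgumentException("rejected file name: $file");
    }
    return 'cat ' . escapeshellarg($file);
}

echo for_html($untrusted['q']), "\n";
print_r(for_db(new PDO('sqlite::memory:'), $untrusted['q']));
try {
    echo for_shell($untrusted['file']), "\n";
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```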

26
Developing Best Practices cont.
  • Form strict policies concerning sessions.
    (storage, timeouts, session id length, etc.)
  • If on a multiuser machine make a custom
    session.save_path or save session data to a
    database.
  • Use session_regenerate_id() to prevent fixation.
    Especially after privilege escalation.
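The session policy of slide 26 written out as added example code (not from the slides): a private save path, an inactivity timeout matching session.gc_maxlifetime = 600 from slide 20, and session_regenerate_id() at login and again on privilege escalation. It assumes /opt/php/session exists and is writable only by the web server user.

```php
<?php
// Added example, not from the slides: slide 26's session policy in code.
// Assumes /opt/php/session (slide 20) exists and is writable only by the
// web server user; the idle limit mirrors session.gc_maxlifetime = 600.

ini_set('session.save_path', '/opt/php/session');
ini_set('session.gc_maxlifetime', '600');
ini_set('session.use_only_cookies', '1');   // ignore ids supplied in the URL
ini_set('session.cookie_httponly', '1');

const IDLE_LIMIT = 600;   // seconds of inactivity before the session is dropped

function start_session(): void
{
    session_start();
    // Enforce the idle timeout explicitly: gc_maxlifetime only says when the
    // garbage collector may remove the data, not when it will.
    $last = $_SESSION['last_seen'] ?? time();
    if (time() - $last > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

// Call once credentials have been verified. Issuing a fresh id here means an
// id an attacker planted before login (fixation) never carries the
// authenticated state; the true argument deletes the old session data too.
function login(string $user): string
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['role'] = 'user';
    return session_id();
}

// Regenerate again on privilege escalation, as the slide recommends.
function escalate_to_admin(): string
{
    session_regenerate_id(true);
    $_SESSION['role'] = 'admin';
    return session_id();
}

start_session();
$anonymous = session_id();
$loggedIn  = login('alice');
$admin     = escalate_to_admin();
echo 'ids differ at each step: ', var_export($anonymous !== $loggedIn && $loggedIn !== $admin, true), "\n";
```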

27
Developing Best Practices cont.: Securing Includes
  • Place them outside of the document root:
  • ini_set("include_path", ".:/home/user/libs");
  • But, if you have to place them in the document root:
  • End them in .php, so source is not revealed. Ex.
    database.inc.php
  • <Files ~ "\.inc$">
  • Order allow,deny
  • Deny from all
  • </Files>

28
Where to put db_connect.inc.php
  • Not in document root.
  • If possible, make it non-world readable. Apache
    group readable.

29
Web Applications
30
Secure Configuration of Common PHP
Applications: phpMyAdmin
  • Protect config.inc.php if DB access is in the config.
  • If possible use mod_cas.
  • If using HTTP authentication, force SSL using
    mod_rewrite:
  • RewriteRule ^/$ /index.php
  • RewriteCond %{SERVER_PORT} !^443$
  • RewriteRule (.*) https://host.com:443/$1 [R=301,L]

31
Secure Configuration of Common PHP
Applications: phpBB
  • If configuring remotely via the web, use SSL.
  • The Santy.A worm attacked a flaw that allowed
    system calls to be sent using GET vars.
  • Evil PHP: <?php $term = urldecode($_GET['sterm']); ?>
  • $_GET is decoded once by PHP, then again by
    urldecode(). The second time, quotes or other
    harmful symbols can be decoded and passed to
    system(). Assuming no magic quotes, using
    escapeshellcmd() would have prevented the problem.
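The double decode just described, as an added example (not from the slides or phpBB): a vulnerable function beside a hardened one, fed a constructed query string. Neither function actually calls system(); they only build the command string so the effect of the extra urldecode() is visible.

```php
<?php
// Added example, not from the slides: the double decode of slide 31 with a
// hardened version beside it. PHP already URL-decodes the query string when
// it fills $_GET, so a second urldecode() turns %2527 into %27 and then into
// a quote that reaches system(). Neither function below calls system().

// Constructed raw query string standing in for what the client sent.
$rawQuery = 'sterm=foo%2527';
parse_str($rawQuery, $get);   // the one decode PHP performs on the way to $_GET

function vulnerable(array $get): string
{
    $term = urldecode($get['sterm']);               // second decode: the bug
    return "grep '$term' /var/www/index.html";      // string handed to system()
}

function hardened(array $get): string
{
    $term = $get['sterm'];                          // already decoded once by PHP
    // Allow-list what a search term may contain; reject everything else.
    if (!preg_match('/^[\pL\pN ._-]{1,64}$/u', $term)) {
        throw new InvalidArgumentException('search term rejected');
    }
    // Quote the single argument: escapeshellarg() wraps it so nothing inside
    // can end the argument or start another command.
    return 'grep ' . escapeshellarg($term) . ' /var/www/index.html';
}

echo "after PHP's own decode: ", $get['sterm'], "\n";   // %27 is still encoded here
echo 'vulnerable command:     ', vulnerable($get), "\n"; // the decoded quote closes the argument early
try {
    echo 'hardened command:       ', hardened($get), "\n";
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                         // the % character fails the allow-list
}
```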

32
Secure Configuration of Common PHP
Applications: Gallery
  • Verify that Gallery has written to the .htaccess
    and config.php files after install.
  • Then:
  • chmod 644 .htaccess
  • chmod 644 config.php
  • chmod 400 setup

33
Secure Configuration of Common PHP
Applications: phpNuke
  • Move config.php outside of DocumentRoot.
  • Edit mainfile.php to point to the path of the moved
    config.php.

34
Web Applications
  • When installing free web applications always be
    aware of security advisories.
  • Maintain a backup of your database.
  • Practice restoring the database.
  • Be familiar with how to update the application.
  • If possible always use mod_cas. Especially with
    tools like phpMyAdmin.

35
Questions?