Date posted: 22-Jan-2018
Category: Technology
Uploaded by: brian-pontarelli
About Me
• CEO of Inversoft
• Software Developer for 16 years
• I’ve had multiple servers hacked
• I’ve had root kits installed
• I’ve had applications hacked
LinkedIn hack releases 167 million accounts.
Milwaukee Bucks organization accidentally leaks player financials onto the Internet.
4.8 million VTech customers' records stolen.
Hacking group leaked more than 25 gigabytes of Ashley Madison data, including user details.
Server Security
• Architecture
• Password Security
• Remote Access
• Two-Factor Authentication
• Firewall
• Intrusion Detection
FYI: Almost everything in this section is Linux-specific (the commands are for Debian/Ubuntu)
Application Security
• Run-As User
• SSL
• Password Security
• SQL Injection
• Configuration
• Database Security
Architecture Explained
• Application server has a public IP
• Database server has a private IP only (not reachable from the Internet)
• Firewall controls access to the database server: only the application server may reach the database port
Password Security
• Force users to pick strong passwords
• Use the libpam-cracklib module– apt-get install libpam-cracklib
• Modify /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
retry=3: allow 3 attempts to enter an acceptable new password
minlen=10: minimum length is 10
difok=3: at least 3 characters must not appear in the previous password
ucredit=-1: at least 1 uppercase character
lcredit=-2: at least 2 lowercase characters
dcredit=-1: at least 1 digit
ocredit=-1: at least 1 "other" (non-alphanumeric) character
A negative credit value is a hard minimum for that class; a positive value would instead count such characters as credit toward minlen, which is weaker
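The credit rules of the pam_cracklib line above, re-implemented as an added example (not from the slides) so they can be tried on sample passwords. Only negative credits (hard minimums) are modelled, difok is simplified to "characters of the new password that do not occur in the old one", and cracklib's dictionary checks are not reproduced; the sample passwords are constructed.

```python
# Added illustration of the pam_cracklib credit rules above; not pam_cracklib itself.
# Negative credits only (hard minimums); difok simplified; no dictionary checks.

POLICY = {"minlen": 10, "difok": 3,
          "ucredit": -1, "lcredit": -2, "dcredit": -1, "ocredit": -1}


def character_counts(password):
    """Count upper, lower, digit and 'other' characters, the four cracklib classes."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digit = sum(c.isdigit() for c in password)
    other = len(password) - upper - lower - digit
    return {"ucredit": upper, "lcredit": lower, "dcredit": digit, "ocredit": other}


def check_password(new, old="", policy=POLICY):
    """Return the names of the rules the new password violates ([] = acceptable)."""
    problems = []
    if len(new) < policy["minlen"]:
        problems.append("minlen")
    # difok only applies when there is an old password to compare against
    if old and len(set(new) - set(old)) < policy["difok"]:
        problems.append("difok")
    counts = character_counts(new)
    for cls in ("ucredit", "lcredit", "dcredit", "ocredit"):
        required = -policy[cls]  # e.g. lcredit=-2 -> at least 2 lowercase characters
        if required > 0 and counts[cls] < required:
            problems.append(cls)
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&x", "password123", "Sh0rt!"):   # constructed samples
        print(candidate, check_password(candidate) or "OK")
```

The function returns the violated rule names rather than a yes/no so the same feedback PAM shows ("not enough character classes") can be reproduced when testing a policy before rolling it out.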
Super User Access
• Disable password login as root– usermod -p '*' root
• Disable password-less sudo– remove any Defaults exempt_group= entry and any NOPASSWD tags from /etc/sudoers, keeping the standard rule:
– %sudo ALL=(ALL:ALL) ALL
SSH Keys
• Run keygen (with a passphrase)– ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_demo
– 2048 bits is the minimum; prefer -t ed25519 (or -b 4096) for new keys
• Create a user– useradd -m -G sudo -s /bin/bash bpontarelli
– passwd bpontarelli
• Install public key– scp ~/.ssh/id_demo.pub [email protected]:/home/your-username
– ssh [email protected]
– mkdir -m 700 .ssh
– mv id_demo.pub .ssh/authorized_keys
– chmod 600 .ssh/authorized_keys
– (ssh-copy-id -i ~/.ssh/id_demo.pub user@host does all of this in one step; sshd's StrictModes refuses keys in a group- or world-writable directory or file)
• Bask in password-less login glory– ssh -i ~/.ssh/id_demo [email protected]
• Use an agent so the passphrase is typed once per session– eval "$(ssh-agent)"; ssh-add ~/.ssh/id_demo
– The slides suggest alias ssh='ssh -A'; forward the agent only to hosts you trust, because anyone with root on that host can use your keys while you are connected
SSH Server Config (/etc/ssh/sshd_config)
• Disable root login– PermitRootLogin no
• Disable password login– PasswordAuthentication no
• Check the syntax, then restart SSH– sshd -t && service ssh restart
– Keep your current session open and test a fresh login before closing it
Two-Factor Authentication
• Use the libpam-google-authenticator module (apt-get install libpam-google-authenticator); add to /etc/pam.d/sshd– auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
– nullok lets users who have not enrolled log in without a code; remove it once everyone has run google-authenticator
– comment out "@include common-auth" in /etc/pam.d/sshd so the keyboard-interactive step prompts only for the code, not for the Unix password
• Update the SSH configuration– ChallengeResponseAuthentication yes (called KbdInteractiveAuthentication in OpenSSH 8.7 and later)
– AuthenticationMethods publickey,keyboard-interactive
– (key first, then the code; neither alone is enough)
• Install NTP so TOTP codes line up with the server clock– apt-get install ntp
• Restart SSH– service ssh restart
• Generate the two-factor key (as each user)– google-authenticator -l 'bpontarelli@Application Server'
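The settings from the two SSH slides above as a drop-in file, plus an audit that computes the values sshd will actually use. This is an added example, not from the slides: sshd takes the first value it sees for each keyword, so a drop-in included at the top of sshd_config overrides later lines, but a line that comes earlier silently wins over your drop-in, which is the usual reason a "hardened" host still accepts passwords. Match blocks and Include directives are not modelled, and the drop-in path is an assumption.

```python
# Added example: the hardening settings as a drop-in, and an audit of what sshd will use.
DROPIN_PATH = "/etc/ssh/sshd_config.d/10-hardening.conf"   # assumed; needs an Include in sshd_config
DROPIN = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# keyword -> value we insist on (keywords are case-insensitive in sshd_config)
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}

# old name -> current name for a setting OpenSSH renamed
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Map each keyword to the value sshd will use (first occurrence wins)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        settings.setdefault(key, parts[1].strip())   # keep the first value only
    return settings


def audit(config_text):
    """Return {keyword: (effective, wanted)} for every setting that is not what we want."""
    effective = effective_settings(config_text)
    findings = {}
    for key, wanted in WANTED.items():
        actual = effective.get(key, "<not set>")
        if actual.lower() != wanted:
            findings[key] = (actual, wanted)
    return findings


if __name__ == "__main__":
    # constructed main file that still allows root and password logins
    legacy = "PermitRootLogin yes\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n"
    print("drop-in first:", audit(DROPIN + legacy))   # {} : the drop-in wins
    print("legacy first: ", audit(legacy + DROPIN))   # three findings: the old lines win
```

To audit a real host, read the drop-in and the main file in the order sshd includes them (or simply run `sshd -T`, which prints the effective configuration, and feed that text to audit()).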
Firewall
• Persistent iptables– apt-get install iptables-persistent
• Create tables and rules in /etc/iptables/rules.v4 (and rules.v6 for IPv6)
• Reload the service– service netfilter-persistent reload
• Lock down as much as possible
– Default policy DROP on INPUT; open only what each host needs
– Database servers listen only on the private interface and accept the database port only from the application server's IP
• Be careful! A rule set that forgets SSH locks you out: allow SSH before the DROP policy takes effect, and apply changes with iptables-apply, which rolls back unless you confirm the new rules within a timeout
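A generator for the /etc/iptables/rules.v4 file that iptables-persistent restores (the format iptables-restore reads), written for the database host in the architecture above. This is an added example, not from the slides: default policy DROP, then loopback, replies to the host's own connections, SSH from an admin network, and the database port from the application server only. The addresses and ports are constructed for the illustration.

```python
# Added example: rules.v4 for a locked-down database server (IPv4 only).
import ipaddress


def rules_v4(db_port, app_server_ip, admin_cidr, ssh_port=22):
    """Return the iptables-restore text for a database server that accepts
    SSH from admin_cidr and the database port from app_server_ip only."""
    app = ipaddress.ip_address(app_server_ip)          # raises ValueError on garbage
    admin = ipaddress.ip_network(admin_cidr, strict=False)
    if app.version != 4 or admin.version != 4:
        raise ValueError("rules.v4 holds IPv4 rules; put IPv6 in rules.v6")
    for port in (db_port, ssh_port):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",                 # default: drop everything inbound
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # SSH is allowed before anything else so a reload cannot lock the admins out
        f"-A INPUT -p tcp -s {admin} --dport {ssh_port} -m conntrack --ctstate NEW -j ACCEPT",
        # the database port is reachable from the application server only
        f"-A INPUT -p tcp -s {app}/32 --dport {db_port} -m conntrack --ctstate NEW -j ACCEPT",
        "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
        # log (rate limited) what falls through to the DROP policy; useful input for the monitoring slide
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "',
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def allowed_sources(text, port):
    """Source addresses the rule set accepts NEW connections from on a port (a quick self-check)."""
    sources = []
    for line in text.splitlines():
        if f"--dport {port} " in line and line.endswith("-j ACCEPT"):
            sources.append(line.split(" -s ")[1].split()[0])
    return sources


if __name__ == "__main__":
    # constructed addresses: app server 10.0.0.5, admins on 203.0.113.0/24, PostgreSQL on 5432
    print(rules_v4(5432, "10.0.0.5", "203.0.113.0/24"), end="")
```

Write the output to /etc/iptables/rules.v4 and load it with `iptables-apply /etc/iptables/rules.v4` from an existing SSH session; if the new rules cut that session off, iptables-apply restores the previous set when you fail to confirm.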
Intrusion Detection
• Install Monit (there are others as well, e.g. fail2ban)– apt-get install monit
• Edit /etc/monit/conf.d/ssh-logins to watch /var/log/auth.log and run a script whenever a login is accepted
• Edit /etc/monit/monitrc
• Create a Slack or Pushover integration script that the Monit check executes
• Restart the service– service monit restart
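The detection logic behind an ssh-logins check, as an added example (not from the slides) of what the script Monit runs, or a cron job, could do over /var/log/auth.log: count failed logins per source address, record every accepted login (what the slide alerts on), and raise alerts for brute-force sources, for a login that arrives after a run of failures, and for any password login, which must not succeed once PasswordAuthentication is off. The log lines are constructed samples in the format sshd writes on Debian/Ubuntu.

```python
# Added example: SSH login detection over auth.log lines (constructed samples below).
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Jan 22 10:01:12 app1 sshd[2114]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Jan 22 10:01:15 app1 sshd[2114]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Jan 22 10:01:19 app1 sshd[2116]: Failed password for root from 198.51.100.7 port 51530 ssh2
Jan 22 10:01:22 app1 sshd[2118]: Failed password for root from 198.51.100.7 port 51534 ssh2
Jan 22 10:01:25 app1 sshd[2120]: Failed password for invalid user oracle from 198.51.100.7 port 51540 ssh2
Jan 22 10:03:40 app1 sshd[2140]: Accepted publickey for bpontarelli from 203.0.113.10 port 40112 ssh2: ED25519 SHA256:constructed
Jan 22 10:05:02 app1 sshd[2150]: Failed publickey for bpontarelli from 203.0.113.10 port 40120 ssh2: ED25519 SHA256:constructed2
Jan 22 10:05:30 app1 sshd[2160]: Accepted password for deploy from 198.51.100.7 port 51600 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed (password|publickey) for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyse(log_text, threshold=5):
    """Return failure counts per source, the accepted logins and the alerts to send."""
    failures = Counter()          # source ip -> failed attempts
    tried = defaultdict(set)      # source ip -> user names attempted
    accepted = []                 # successful logins, in log order
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _method, user, ip = m.groups()
            failures[ip] += 1
            tried[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            login = {"method": method, "user": user, "ip": ip, "after_failures": failures[ip]}
            accepted.append(login)
            if method == "password":
                alerts.append(f"password login for {user} from {ip}: PasswordAuthentication should be off")
            elif login["after_failures"] >= threshold:
                alerts.append(f"{user} logged in from {ip} after {failures[ip]} failures")
    for ip, n in failures.items():
        if n >= threshold:
            alerts.append(f"brute force from {ip}: {n} failures, users tried {sorted(tried[ip])}")
    return {"failures": dict(failures), "accepted": accepted, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_AUTH_LOG)
    for login in result["accepted"]:
        print("LOGIN:", login)            # what the Slack/Pushover script would post
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Every accepted login is reported, as on the slide; the alerts are the subset worth paging on. The same source can appear in a single-IP brute force and in the password-login alert, which is exactly the sequence to look for when a host that should only accept keys still has a password-enabled account.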
Run-As User
• Never run your apps as root
• Create an unprivileged user instead (no home directory, no login shell)– useradd -M -s /bin/false application
• Use sudo (or something like it) to run your app– sudo -u application nodejs /usr/local/application/app.js
– An unprivileged user cannot bind ports below 1024; run the app on a high port behind a reverse proxy
SSL (TLS)
• Always use HTTPS for your websites, and redirect HTTP to HTTPS
• Certificates are easy to get
– And free (or cheap)
• https://letsencrypt.org/ (certbot automates issuance and renewal)
Complexity
• Password hashing is about cost: whoever steals the database must spend the same work per guess that you spend per login
• Slow algorithms mean good security
• MD5 and a single SHA round are fast and should never be used on their own; PBKDF2 (built on SHA) has an iteration count, bcrypt has a cost (work) factor, scrypt and Argon2 add a memory cost
• More iterations = good
• More cost = good; raise it over time as hardware gets faster, and rehash each user's password on their next successful login
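Password hashing with a deliberately slow, salted, iterated KDF, as an added example (not from the slides) using PBKDF2-HMAC-SHA256 from the Python standard library, plus the check that lets the iteration count be raised later, which is how "more iterations = good" is applied in practice. The storage format and the iteration count are choices made for this illustration.

```python
# Added example: slow salted hashing, constant-time verification, cost upgrade over time.
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000      # tune so one hash costs roughly 100 ms on production hardware


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' for storage."""
    salt = os.urandom(16)                         # a fresh salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt, digest = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash {algorithm!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt), int(iterations))
    # a plain == leaks how many leading bytes matched through timing
    return hmac.compare_digest(candidate, base64.b64decode(digest))


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the stored hash used fewer iterations than we use now;
    call it after a successful login and store hash_password() again."""
    return int(stored.split("$")[1]) < iterations


def seconds_per_hash(iterations, samples=3):
    """Measure the cost of one hash so the iteration count can be tuned."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"timing", b"0123456789abcdef", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored),
          verify_password("wrong", stored))
    print(f"{seconds_per_hash(DEFAULT_ITERATIONS):.3f}s per hash")
```

bcrypt and Argon2 need third-party packages; hashlib.scrypt is also in the standard library if a memory-hard function is wanted. Whatever the algorithm, the stored string must carry its own parameters, as here, or the cost can never be raised without a password reset.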
Example: the sort parameter is concatenated into an ORDER BY clause, and the database error message hands back a credential:
http://www.my-application.com/some-data?sort=(select%20CAST((select concat(email,':',password) from users limit 1) as date))+desc
"[email protected]:173ad94aa37d140a5aab46795b14cef88efe8be76930b90460b5da60f4cff76e" is not a Date
SQL Injections
• Use prepared statements when possible
• Avoid string concatenation
• Use bound parameters for values; identifiers such as the sort column above cannot be bound, so check them against an allow-list in code
• Never return raw database errors to the client
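The injection pattern from the URL above reproduced against SQLite, next to the two fixes, as an added example (not from the slides). Values go through bound parameters; the sort column cannot be a bound parameter because ORDER BY needs an identifier, so it is checked against an allow-list in code instead of being concatenated. The table contents are constructed sample data.

```python
# Added example: string-built query vs. bound parameters, and an allow-listed ORDER BY.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO users(email, password) VALUES ('alice@example.com', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.5), ('gadget', 19.0);
    """)
    return conn


# what an attacker sends as the "name" value; the trailing -- comments out the closing quote
PAYLOAD = "' UNION SELECT email || ':' || password, 1 FROM users --"


def search_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL text."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Bound parameter: the driver sends the value separately, it is never parsed as SQL."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


SORT_COLUMNS = {"name": "name", "price": "price"}   # request value -> real column name


def list_sorted(conn, sort="name", direction="asc"):
    """Sorting needs an identifier, which cannot be bound, so allow-list it."""
    if sort not in SORT_COLUMNS:
        raise ValueError(f"unknown sort column {sort!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"bad direction {direction!r}")
    sql = f"SELECT name, price FROM products ORDER BY {SORT_COLUMNS[sort]} {direction.lower()}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, PAYLOAD))   # leaks alice's credential
    print("safe:      ", search_safe(conn, PAYLOAD))         # []
    print("sorted:    ", list_sorted(conn, "price", "desc"))
```

The ORDER BY case is the one the slide's URL exploits: a prepared statement would not have helped there, because the sort value is part of the statement's structure, not a value. The allow-list maps request strings to column names so nothing from the request is ever placed in the SQL text.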
Configuration
• Put all secrets (database credentials, API keys) in configuration files
– (never in code or in version control)
• Ensure configuration files are NOT world readable
– Only the application user should have access
• Ensure the directory configuration files are stored in is NOT readable or traversable by anyone else
– Only the application user should have access
$ chown -R application:application /usr/local/application/config
$ chmod 700 /usr/local/application/config
$ chmod 400 /usr/local/application/config/*
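An audit that reports anything the chown/chmod lines above would not produce (files or directories readable by group or others, or owned by someone else), a lock_down that applies exactly those modes, and the start-up guard for the Run-As User slide, as an added example that is not code from the slides. The sample directory is constructed in a temporary location.

```python
# Added example: verify and enforce the config-directory permissions; refuse to start as root.
import os
import stat
import tempfile
from pathlib import Path


def audit_config_dir(path, owner_uid=None):
    """List every path under `path` that grants group/other access or has the wrong owner."""
    findings = []
    root = Path(path)
    for p in [root, *sorted(root.rglob("*"))]:
        st = p.lstat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:                        # any rwx bit for group or others
            findings.append(f"{p}: mode {mode:04o} is accessible to group/others")
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, expected {owner_uid}")
    return findings


def lock_down(path):
    """Directories 0700, files 0400: only the owner can traverse and read."""
    root = Path(path)
    for p in [root, *root.rglob("*")]:
        if p.is_symlink():
            continue                            # never chmod through a link
        p.chmod(0o700 if p.is_dir() else 0o400)


def refuse_to_run_as_root():
    """Call at application start-up: a mistake in the sudo line should fail loudly."""
    euid = os.geteuid() if hasattr(os, "geteuid") else -1
    if euid == 0:
        raise SystemExit("refusing to run as root; start with: sudo -u application ...")
    return euid


def demo():
    """Build a config dir with a world-readable file, audit it, fix it, audit again."""
    me = os.getuid() if hasattr(os, "getuid") else None
    config = Path(tempfile.mkdtemp()) / "config"
    config.mkdir()
    config.joinpath("database.properties").write_text("db.password=constructed-secret\n")
    os.chmod(config, 0o755)                             # what a plain mkdir gives you
    os.chmod(config / "database.properties", 0o644)     # the usual umask result: world-readable
    before = audit_config_dir(config, me)
    lock_down(config)
    after = audit_config_dir(config, me)
    return len(before), len(after)


if __name__ == "__main__":
    print(demo())   # (2, 0)
```

Run audit_config_dir from a deploy check with the application user's uid so a file copied in as root, or a stray 0644 from an editor, is caught before the secrets become readable to every local account.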