In this presentation we will be looking at:
Common threats to the security of your website.
The various attack surfaces of a website, from the server, down the wire, to presentation in the client browser.
Simple approaches to mitigating these threats.
Keeping web applications free from malicious attack is an arms race. From brute-force attacks against your server through to browser-based attacks on your pages once delivered (e.g. XSS, clickjacking, cross-site request forgery (CSRF)), there are many ways in which your website is susceptible to attack.
Fortunately there are several established countermeasures that are simple to implement (if rarely implemented) and effective in mitigating such threats.
We will look at the various modes of attack, review some real-world examples and see how countermeasures can be put in place.
The presentation is aimed at anyone responsible for delivering information over the web, regardless of whether they are responsible for the hosting and administration of their website. It covers measures you can implement yourself and measures you may wish to have supported by your hosting provider.
Topics covered:
Server hardening through the use of firewalls,
TLS/SSL implementation to protect delivery across the wire, and
Secure response headers and Content Security Policies to protect your page once received by the user's browser.
3. WEB SECURITY
Threats, culprits & examples
Threats & how they work
How can we guard against them
Server Environment Security
Application level security
Transport Security
Browser based security
Questions
22. HACKERS: WHO / WHAT ARE THEY
Defacers
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware
Angler EK / Nautilus / Necurs
Layer 7 attacks - HTTP flood
9. USER AGENT SPECIFIC PARASITES
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
10. USER AGENT SPECIFIC PARASITES
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
11. HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware
Angler EK / Nautilus / Necurs
Layer 7 attacks - HTTP flood
19. HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders / Botnets
Ransom: Layer 4 & 7 attacks - HTTP flood
20. DDOS / FLOOD ATTACKS
Layer 4: UDP Flood, SYN Flood, DNS Attacks
Layer 7: XML-RPC, HTTP GET/POST, Slowloris
IP Stressers, Booters and shells
21. HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
24. HTTPS KEEPS YOU SAFE - RIGHT?
Not if your settings.php is readable
25. HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
Shells
29. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by
Show off: zone-h
30. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
Example to locate Drupalgeddon vulnerable sites - redacted
31. HACKERS: HOW THEY FEED - TRAWLERS
Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action
//phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login
/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt
SSHD Illegal users:
admin
nagios
ubnt
fluffy
guest
info
library
linux
oracle
shell
test
unix
webmaster
.....
32. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
33. WEB SECURITY
How can we guard against threats
Server Environment Security
Application level security
Transport Security
Browser based security
36. ATTACK SURFACES
Server (Layer 3)
Other servers (backup, monitoring, local)
Application / Layer 7
In transit
The browser
37. SERVER: PORTS ARE OPEN DOORS
Know what ports you have open, what is listening on them and who can access them.
On the server:
$ netstat -nlp | grep tcp
0.0.0.0:9080 LISTEN 1804/varnishd
127.0.0.1:25 LISTEN 2583/exim4
144.76.185.80:443 LISTEN 1037/pound
0.0.0.0:2812 LISTEN 1007/monit
127.0.0.1:6082 LISTEN 1799/varnishd
0.0.0.0:3306 LISTEN 1727/mysqld
127.0.0.1:11211 LISTEN 849/memcached
127.0.0.1:6379 LISTEN 946/redis-server 12
0.0.0.0:10000 LISTEN 2644/perl
144.76.185.80:80 LISTEN 1037/pound
0.0.0.0:22 LISTEN 851/sshd
:::9080 LISTEN 1804/varnishd
::1:25 LISTEN 2583/exim4
:::8443 LISTEN 1779/apache2
:::8080 LISTEN 1779/apache2
:::22 LISTEN 851/sshd
From outside:
$ nmap xxx.xxx.xxx.xxx
Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open tsp
7070/tcp open realserver
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt
Red: IP / MAC restricted
Grey: Router proxies
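As an added example (not from the deck), the following script mechanises the comparison the slide makes by hand: it lists every TCP listener that is not bound to loopback, marks which of those an external nmap scan actually reached, and flags any that are not on your list of intentionally public ports. The sample input is constructed from the figures on the slide; the file names and the port list are assumptions.

```shell
#!/bin/sh
# Added example: cross-check local listeners against an external scan and the
# ports you intend to be public. On a real host:
#   netstat -nlp | grep tcp > listen.txt ; nmap <your-ip> > scan.txt
#   audit listen.txt scan.txt "80 443"
# Every TCP LISTEN socket not bound to loopback, printed as "port pid/program".
exposed_listeners() {
  awk '$6 == "LISTEN" {
         n = split($4, a, ":"); port = a[n]                  # last field is the port
         addr = substr($4, 1, length($4) - length(port) - 1) # 0.0.0.0, ::, 127.0.0.1, ::1 or an IP
         if (addr != "127.0.0.1" && addr != "::1" && !seen[port " " $7]++) print port, $7
       }' "$1"
}

# Ports that nmap reported as open, one per line.
open_ports() {
  awk -F'[/ ]' '/^[0-9]+\/tcp +open/ { print $1 }' "$1"
}

# One line per exposed listener: OPEN (reachable from outside) or FILTERED (the
# firewall is doing its job), plus whether the port is meant to be public at all.
audit() {
  exposed_listeners "$1" | while read -r port prog; do
    state=FILTERED
    open_ports "$2" | grep -qx "$port" && state=OPEN
    case " $3 " in *" $port "*) intent=expected ;; *) intent=UNEXPECTED ;; esac
    echo "$port $prog $state $intent"
  done
}

# Constructed sample input, copied from the slide's netstat and nmap output.
LISTEN_SAMPLE=$(mktemp); SCAN_SAMPLE=$(mktemp)
trap 'rm -f "$LISTEN_SAMPLE" "$SCAN_SAMPLE"' EXIT
cat > "$LISTEN_SAMPLE" <<'EOF'
tcp 0 0 0.0.0.0:9080 0.0.0.0:* LISTEN 1804/varnishd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2583/exim4
tcp 0 0 144.76.185.80:443 0.0.0.0:* LISTEN 1037/pound
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1727/mysqld
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2644/perl
tcp6 0 0 :::8443 :::* LISTEN 1779/apache2
tcp6 0 0 :::22 :::* LISTEN 851/sshd
EOF
cat > "$SCAN_SAMPLE" <<'EOF'
443/tcp open https
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt
EOF
audit "$LISTEN_SAMPLE" "$SCAN_SAMPLE" "22 80 443"
```

Lines reading OPEN UNEXPECTED are the ones to close or firewall first; FILTERED UNEXPECTED entries are only safe as long as the firewall in front of them stays configured.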
38. SERVER: CONFIGURE YOUR FIREWALL
Allow if:
Whitelisted
Allowed port
Not blocked
Rate ok
Otherwise:
Reject / Drop
39. NETWORK: ATTACKS & BLOCK LISTS
"The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh."
Diagram: an attacker (195.154.47.12; SSH brute force, CVE-2016-2118 a.k.a. BADLOCK) hits the initial server; the firewall blocks it via IPSET, and any other server drops the compromised zombie via IPSET on any port.
1. Log
2. Report to blocklist
3. Source/share lists of bad IPs
4. Block on first visit
5. Exclude whitelist
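As an added example (not from the deck), here is an iptables/ipset skeleton implementing the decision order of the two slides: whitelist first, then the block list (which fail2ban and shared lists feed), then the public ports with a per-source rate check, and drop everything else. The chain and set names, the port list and the 30 new connections per minute limit are assumptions; the IP in the preview is a constructed example.

```shell
#!/bin/sh
# Added example: iptables + ipset version of "allow if whitelisted / allowed port /
# not blocked / rate ok, otherwise drop".
# "sh fw.sh preview" prints the commands; "sh fw.sh apply" (as root) installs them.
PUBLIC_TCP="${PUBLIC_TCP:-22 80 443}"   # ports anyone may reach; the rest is for the whitelist

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

fw_sets() {
  # whitelist: your static IP, monitoring and backup hosts. blocklist: fed by fail2ban
  # and shared bad-IP lists; entries expire after a day so a cleaned-up host gets back in.
  run ipset create whitelist hash:ip -exist
  run ipset create blocklist hash:ip timeout 86400 -exist
}

fw_rules() {
  run iptables -N FW_IN 2>/dev/null || run iptables -F FW_IN
  # 1. Whitelisted sources are accepted on any port.
  run iptables -A FW_IN -m set --match-set whitelist src -j ACCEPT
  # 2. Known-bad sources are dropped on any port ("block on first visit").
  run iptables -A FW_IN -m set --match-set blocklist src -j DROP
  # 3. Public ports, but a source opening more than 30 new connections a minute is dropped.
  for p in $PUBLIC_TCP; do
    run iptables -A FW_IN -p tcp --dport "$p" -m conntrack --ctstate NEW \
      -m hashlimit --hashlimit-name "new$p" --hashlimit-mode srcip \
      --hashlimit-above 30/minute --hashlimit-burst 30 -j DROP
    run iptables -A FW_IN -p tcp --dport "$p" -j ACCEPT
  done
  # 4. Anything else (including ICMP and UDP; add rules above if you need them) is
  #    dropped rather than rejected, so scanners learn nothing.
  run iptables -A FW_IN -j DROP
  # Wire the chain into INPUT; loopback and replies to our own connections bypass it.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -j FW_IN
}

# What a fail2ban action (or your own log watcher) calls: the IP lands in the set the
# rules above consult, and the reason is logged so it can be reported to shared lists.
ban_ip() {
  run ipset add blocklist "$1" -exist
  run logger -t firewall "banned $1: $2"
}

case "${1:-}" in
  preview) DRY_RUN=1; fw_sets; fw_rules; ban_ip 203.0.113.7 "3 failed ssh logins" ;;  # constructed IP
  apply)   fw_sets && fw_rules ;;
esac
```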
44. CONTROL YOUR APPLICATION ENVIRONMENT
Migrate all .htaccess to vhosts
Get a static IP
Limit what files can be read
Limit where PHP can be 'run'
Restrict file permissions (640 / 440)
Update your CMS
45. DENY ACCESS TO SENSITIVE FILES
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Require all denied
</FilesMatch>
Disallow access to files by type.
Disallow access to hidden directories (i.e. .git):
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Block "hidden" files and directories whose names begin with a period,
  # except the .well-known directory (RFC 5785).
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
<DirectoryMatch "^/.*/\.git/">
  Require all denied
</DirectoryMatch>
.well-known: use for standard files (favicon, DNT, Let's Encrypt etc.); see:
https://tools.ietf.org/html/rfc5785
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
https://www.drupal.org/node/2408321
46. LIMIT PHP EXECUTION
<Directory /var/www/yoursite/htdocs/sites/default/files>
  # Turn off all options we don't need.
  Options None
  Options +SymLinksIfOwnerMatch
  # Set the catch-all handler to prevent scripts from being executed.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
  <Files *>
    # Override the handler again if we're run later in the evaluation list.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
  </Files>
  # If we know how to do it safely, disable the PHP engine entirely.
  <IfModule mod_php5.c>
    php_flag engine off
  </IfModule>
  <IfModule mod_php7.c>
    php_flag engine off
  </IfModule>
</Directory>
Protect folders: tmp, files and private folders, and any others you have. Note you will also need these in the folders as .htaccess, just to stop Drupal complaining.
47. LIMIT PHP EXECUTION
No PHP files other than index.php
No text files other than robots.txt
# Any other .php or .txt file is served only to a logged-in user or to your own IP.
# In Apache 2.4 several Require lines at the same level mean "any of these".
<FilesMatch "^(?!index\.php$).*\.php$|^(?!(robots|myrobots)\.txt$).*\.txt$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType Basic
  Require valid-user
  # Your static IP:
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>
48. DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?
https://www.drupal.org/node/2767907
49. APPLICATION LEVEL ATTACKS
MOD EVASIVE: requires configuration; Slowloris; know your traffic levels
MOD SECURITY: requires configuration; know your application patterns; cautious whitelisting
52. SECURE IN TRANSIT
Set up HTTPS / TLS
Free certificates
Strong Ciphers
Upgrade insecure requests
Strict Transport Security (HSTS)
Pin public keys
Audit TLS
53. TLS AUDIT
Not just for the A+
Consider other browsers / agents
e.g. Screaming Frog on OS X / Java
54. CASE STUDY
Your page is everyone's canvas
<style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>
<iframe> <script>
56. SECURE HEADERS
X-Content-Type-Options: nosniff
Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
X-Frame-Options: DENY
Provides clickjacking protection.
X-XSS-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome.
X-Permitted-Cross-Domain-Policies: none
Adobe-specific header that controls whether Flash & PDFs can access cross-domain data (i.e. read the crossdomain.xml).
57. XSS - CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
X-XSS-Protection: 0 (disable XSS filter/auditor)
X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
58. SECURE HEADERS
Strict-Transport-Security: max-age=31536000; includeSubDomains (set only when env=HTTPS)
Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks.
Public-Key-Pins
By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
Content-Security-Policy:
Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children).
See https://securityheaders.io
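As an added example (not from the deck), this function checks a captured response against the headers on the last two slides, including the HSTS max-age and includeSubDomains values; it skips Public-Key-Pins, which current browsers no longer honour. The sample response is constructed; on a live site pipe `curl -sI` into it.

```shell
#!/bin/sh
# Added example: grade a response's headers against the deck's list.
# Usage on a live site:  curl -sI https://www.example.org | check_headers
check_headers() {
  tr -d '\r' | awk '
    function report(ok, name, hint) {
      printf "%s %s%s\n", (ok ? "PASS" : "FAIL"), name, (ok ? "" : " (" hint ")")
      if (!ok) fails++
    }
    # Collect "Name: value" lines; names and values are compared case-insensitively.
    /^[A-Za-z-]+:/ {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      val = substr($0, index($0, ":") + 1); sub(/^ +/, "", val)
      h[name] = tolower(val)
    }
    END {
      report(h["x-content-type-options"] == "nosniff", "X-Content-Type-Options", "set to nosniff")
      report(h["x-frame-options"] ~ /^(deny|sameorigin)$/, "X-Frame-Options", "set to DENY or SAMEORIGIN")
      report(h["x-xss-protection"] ~ /^1; *mode=block$/, "X-XSS-Protection", "set to 1; mode=block")
      report(h["x-permitted-cross-domain-policies"] == "none", "X-Permitted-Cross-Domain-Policies", "set to none")
      # HSTS only helps if the max-age is long (a year) and it covers subdomains.
      hsts = h["strict-transport-security"]; age = 0
      if (match(hsts, /max-age=[0-9]+/)) age = substr(hsts, RSTART + 8, RLENGTH - 8) + 0
      report(age >= 31536000 && hsts ~ /includesubdomains/, "Strict-Transport-Security",
             "max-age >= 31536000 and includeSubDomains")
      report(h["content-security-policy"] != "", "Content-Security-Policy",
             "missing; start with Content-Security-Policy-Report-Only")
      exit (fails > 0)
    }'
}

# Constructed sample response: three headers right, HSTS too short, two headers missing.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=300'

printf '%s\n' "$SAMPLE_HEADERS" | check_headers || echo "fix the FAIL lines above"
```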
59. CSRF - CROSS SITE REQUEST FORGERY
An attack that forces an end user to execute unwanted actions.
Drupal protects you against this.
60. CONTENT SECURITY POLICY
Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors
Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
How to test: Report Only, Report URI
Audit!
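As an added example (not from the deck), this linter checks a single policy value for the points an audit of the directives above typically raises: inline/eval and wildcard sources in script-src, default-src and object-src, and a missing default-src, frame-ancestors or report-uri. The two sample policies and the CDN host are constructed.

```shell
#!/bin/sh
# Added example: lint one Content-Security-Policy value for common audit findings.
# Usage: audit_csp "default-src 'self'; script-src 'self'"   (exit 1 if anything is flagged)
audit_csp() {
  printf '%s' "$1" | tr ';' '\n' | awk -v q="'" '
    function flag(msg) { print "WARN " msg; warns++ }
    { sub(/^ +/, ""); sub(/ +$/, "") }       # one "directive source source ..." per line
    NF > 0 {
      d = tolower($1); seen[d] = 1
      for (i = 2; i <= NF; i++) {
        s = tolower($i)
        # Inline/eval in script-src (or in default-src, which script-src falls back to)
        # brings back the very XSS the policy is meant to stop.
        if ((d == "script-src" || d == "default-src") && s ~ ("^" q "unsafe-(inline|eval)" q "$"))
          flag(d " allows " s)
        # A bare * or scheme lets any host serve scripts, plugins or (via default-src) anything.
        if ((d == "script-src" || d == "default-src" || d == "object-src") && s ~ /^(\*|https?:|data:)$/)
          flag(d " allows " s " (any host)")
      }
    }
    END {
      if (!seen["default-src"]) flag("no default-src: unlisted resource types are unrestricted")
      if (!seen["frame-ancestors"]) flag("no frame-ancestors: no clickjacking protection from CSP")
      if (!seen["report-uri"] && !seen["report-to"]) flag("no report-uri: violations go unreported")
      print warns + 0 " warning(s)"
      exit (warns > 0)
    }'
}

# Constructed sample policies: one that is wide open and one that is tightened.
LOOSE="default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
TIGHT="default-src 'self'; script-src 'self' https://cdn.example.org; img-src 'self' data:; frame-ancestors 'none'; report-uri /csp-report"
for p in "$LOOSE" "$TIGHT"; do
  echo "policy: $p"; audit_csp "$p" || :
done
```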
66. FINAL THOUGHTS
•Bake your principles into practices - Ansible - immutable infrastructure
•Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
•Does your site have to be dynamic?
•Letsencrypt - https.
•Security is a department - not a one off
•Learn your attack surface, test on Tor
•VPN, password apps, 2-factor authentication
•Work together (bad IPs, honeypot, block list) - don't hit back