Aaron Corso COSC Spring 2012

What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP Common substitutions are WAMP (using Windows instead of Linux), and LAPP (using PostgreSQL instead of MySQL)

Why LAMP?  Linux = Open source, easy to deploy in a server environment  Apache = Most popular web server in the world; approximately 65% of web servers use Apache; over 442 million host names  PHP and MySQL = Popular back-end stack for web applications  Combined, entirely Open Source. Only non-standard software installations are proprietary.

NetCraft Survey, April 2012

Why LAMP Security?  Being the number one deployed web server makes the stack a popular target of attacks  Result of attacks is highly visible  Sites can contain valuable information to attackers; especially eCommerce websites  Many routes of attack through modularized operating environment

The Challenge of Modularized Security  Each component of the solution stack has its own method for security – each must be kept up-to-date  Linux Kernel  Distro applications  Other Application Add-ons  Apache  Apache Modules  PHP  PHP Extensions  MySQL

Where does LAMP Security Start?  Choosing a Linux Distribution  Each distribution (“distro”) has its own set of core applications built on top of the kernel  Some distros are created with security and a server environment in mind, others are consumer oriented  Common base distros for LAMP servers are Ubuntu Server and Red Hat Linux

Considerations for choosing a distro  Life cycle – avoid distros which release major versions constantly  Package Management – centralize the update process as much as possible  Documentation – more specialized distros have less documentation  Scalability – can the server handle virtualization or be used as part of a server farm easily?

Securing the Linux Installation  Kernel Hardening  Use gresecurity to sandbox processes to the kernel role-based access control (RBAC) system  Mandatory Access Control (MAC)  Restrict system processes to the appropriate users  Do not use default accounts – perform an audit  Standard firewalling practices

Securing the Apache Installation  Apache breaches are the most common exploit of the stack  Breaching of Apache is very harmful if the objective is to transfer all files from the document root  Security of the web server component is arguably the most important

Securing the Apache Installation (continued)  Disable any unnecessary modules (“mods”) via the configuration file  Run the Apache service under its own user and with its own security group  Restrict access to the root directory  Restrict system level files contained in the “bin” and “conf” directories

Apache Configuration File  httpd.conf

Securing the Apache Installation (continued)  Disable the sending of Apache version information in request headers  Configure CGI (Common Gateway Interface) and SSI (Server Side Includes) to run under their own user  Keep and monitor access logs

Security Modules for Apache  Mod_security  Easy configuration of firewall rules based on client request variables such as IP  Automatic detection and response to access to files or unusual behavior  Mod_evasive  Helps to protect against basic DDOS attacks

Securing the PHP Installation  PHP security relies on both the administrator and the programmer  Programmers must engage in “defensive coding”  Administrators must secure and update extensions and the process

Securing the PHP Installation (continued)  Sandboxing remote resource access – require programmers use wrapping functions rather than native functions  cURL functions or custom wrapper  Limit execution time  Prevent large-scale SQL injection attacks Hide all errors and place in a log  Don’t give attackers hints

Securing the PHP Installation (continued)  Disable sending of versioning information in request headers  Disable “magic quotes” and “register globals”  Should rely on defensive programming practices  Find other methods to sandbox developers  When used, programming ambiguity arises

PHP Configuration File  php.ini

Defensive Coding in PHP  Always “escape” data about to be inserted into the database  Using “\” characters to prevent SQL injection via special characters  PHP provides native wrapper functions for MySQL for this  Developers can also use a “prepared statement” to separate the data being passed from the SQL logic

Securing the MySQL Installation  Restrict access to remote MySQL access by IP  Run MySQL under its own user and with its own security group  Protect data, system, and log files under an administrator user  Use a strong username and password

Remote MySQL Configuration

Tools for Integrated Management  cPanel / WHM  Webmin  Virtualmin  Useful for reseller accounts and virtualizing

Conclusions  Secure each component and their appropriate modules  Follow general security practices of isolating processes, maintaining logs, and disabling unused or unnecessary components  Use an integrated update manager for the four components of the stack and their respective add-ons

Questions?