If you can't read please download the document
Upload
michael-clark
View
4.216
Download
3
Embed Size (px)
DESCRIPTION
Short presentation on techniques for protecting against vulnerabilities in commonly available PHP packages using a combination of Apache + FastCGI + suEXEC + chroot + mod_security2
Citation preview
2. Presentation Overview
3. php.ini 4. FastCGI 5. suEXEC 6. chroot jail 7. readonly || noexec 8. mod_security2 9. Conclusion 10. PHP {in}security
11. How do we protect against these vulnerabilities 12. Need to provide an environment with minimal trust for PHP applications 13. Only allow a minimal set of essential permissions in a hardened environment 14. Need to use privilege separation and chroot jails 15. php.ini
session.save_path = /var/tmp/php-sessions
upload_tmp_dir = /var/www/mysite/tmp
display_errors = 0 expose_php = 0
allow_url_fopen = 0 allow_url_include = 0
16. FastCGI
Process Separation
17. Allows more control over PHP when it is running as a separate process. Apache Worker MPM
18. By-product of FastCGI is that worker MPM can now be used. 19. Ability for Apache to handle more connections. 20. suEXEC
Privilege Separation
21. Apache can update these directories e.g. mod_dav but PHP can no longer has write perms on these same directories. More than one user per vhost
22. Chroot jail
23. Patch available from Apache Security author 'Ivan Ristic'
Combine with FastCGI and bind mounts
24. Isolate from other services on the same box Bind mount website directory 25. readonly || noexec
26. Can't write in dirs that can be exec'ed Mount and writables noexec
27. Can't exec in dirs that can be written to No other interpreters in PHP chroot jail
Start with zero write access for PHP
28. Dont include from any writable dirs 29. mod_security2
30. Detects common exploits within Apache before being passed to PHP or other web apps:
31. Detects special characters in URLs and inspects POST content type and payload. 32. Detects common injection patterns and exploits. 33. Adds additional logging (Full Request Headers). 34. Flexible extensible rules. 35. Conclusion
36. We can't always audit and fix all of them 37. We can run them in a minimally trusted sandbox 38. Default Apache + mod_php is not very secure
FastCGI + suEXEC + chroot + PHP + (readonly || noexec) + mod_security2
To do SELinux, Hardened PHP, Suhosin