Presentation is loading. Please wait.

Presentation is loading. Please wait.

December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward.

Similar presentations


Presentation on theme: "December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward."— Presentation transcript:

1 December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward Chow Securing Careless Security Flaws: A Focused Analysis of the International Capture the Flag Virtual Machines

2 December, 2008 CS-591 Securing Servers: International Capture the Flag 2 Roadmap What kinds of services are usually on a web server? How do I secure my database? How do I secure SSH? How do I secure Apache Tomcat? How do I limit user privileges? How do I find configuration files?

3 December, 2008 CS-591 Securing Servers: International Capture the Flag 3 What kinds of services are usually on a web server? Just a few languages and services are: –Java, C, PHP, Python, and Ruby Other configurations that need protection: –SSH, the MySQL database, and Apache Tomcat

4 December, 2008 CS-591 Securing Servers: International Capture the Flag 4 How do I secure my database? (Locking down MySQL Users) Set the root password (no password should be blank in the mysql- >user table). Change obvious passwords (same username and password). In general, allow users access to the database only from the local machine.

5 December, 2008 CS-591 Securing Servers: International Capture the Flag 5 How do I secure my database? MySQL Commands UPDATE mysql.user SET Password=PASSWORD(newpassword') WHERE User='user'; FLUSH PRIVILEGES; ************************************************** DROP USER ‘user’;

6 December, 2008 CS-591 Securing Servers: International Capture the Flag 6 How do I secure my database? Limit privileges for application users using GRANT. Be able to select and insert for only the database that the user was created. Application users do not need administrative privileges. Host should not be ‘%’. This means access from everywhere.

7 December, 2008 CS-591 Securing Servers: International Capture the Flag 7 How do I secure my database? Drop the test database. DROP DATABASE [database_name];

8 December, 2008 CS-591 Securing Servers: International Capture the Flag 8 How do I secure my database? In Linux (my.cnf) All MySQL database configuration is in my.cnf. Protect the file with a chmod where the mysql user can see the file. In the user table, the host field should not be ‘%’ and/or my.cnf should have skip-networking under [mysql]. Turn off mysqldump in /etc/mysql/my.cnf. bind-address in my.cnf should also be set to

9 December, 2008 CS-591 Securing Servers: International Capture the Flag 9 How do I secure SSH? If possible, turn off SSH (though not realistic). Set PermitRootLogin to no Set up a list of users that are allowed to SSH into the server in /etc/ssh/sshd_config. –PermitRootLogin no –AllowUsers user1 –PermitEmptyPasswords no Change the SSH port to a higher port (if possible).

10 December, 2008 CS-591 Securing Servers: International Capture the Flag 10 How do I secure Apache Tomcat? If using the Tomcat manager web interface, make sure the default users in tomcat-users.xml are not used. Create a Tomcat user. Do not run Tomcat as root in Linux. Remove extraneous example applications from webapps. If not being used, remove the Tomcat manager application from server/webapps.

11 December, 2008 CS-591 Securing Servers: International Capture the Flag 11 How do I secure Apache Tomcat? Return an empty error page instead of a stack trace from Tomcat. –webapps/[app_name]/WEB-INF/web-xml inside the web-app tag Change the shutdown port and shutdown command in conf/server.xml. Protect server.xml.

12 December, 2008 CS-591 Securing Servers: International Capture the Flag 12 How do I limit user privileges? Find users with privileges in /etc/passwd. Limit to the home directory and what application users are allowed to execute. Limit directory traversal. Set directory permissions (chmod). Scan startup scripts for flaws in /etc/init.d for each of the services.

13 December, 2008 CS-591 Securing Servers: International Capture the Flag 13 How do I find configuration files? This command will help you find a file if you know the file name: –find. | grep [name of file] This command will help you find a file if you know a few key phrases in the file: –find. | xargs grep [phrase in file] –e.g. find. | xargs grep DATABASE_ENGINE for Django settings file.

14 December, 2008 CS-591 Securing Servers: International Capture the Flag 14 Conclusions and Further Work Most of the problems in security seem to come from how tools and frameworks are configured. In the future, I would like to look into: –The proper configurations of other frameworks such as Django. –How to configure and properly use lighttpd.

15 December, 2008 CS-591 Securing Servers: International Capture the Flag 15 References Forum: Permitting specific users to SSH. Retrieved November 1, 2008 from Georgia Tech – Securing MySQL. Retrieved November 11, 2008, from MySQL 5.0 Reference Guide. Retrieved November 20, 2008 from Secure SSH: Debian. Retrieved from October 28, 2008, from Securing Apache: Step-by-Step. Retrieved November 27, 2008 from Securing MySQL: Step-by-Step. Retrieved November 11, 2008, from Securing Tomcat. Retrieved November 26, 2008 from


Download ppt "December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward."

Similar presentations


Ads by Google