Presentation is loading. Please wait.

Presentation is loading. Please wait.

December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward.

Published byDestinee Giles Modified over 9 years ago

Similar presentations

Presentation on theme: "December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward."— Presentation transcript:

1 December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward Chow Securing Careless Security Flaws: A Focused Analysis of the International Capture the Flag Virtual Machines

2 December, 2008 CS-591 Securing Servers: International Capture the Flag 2 Roadmap What kinds of services are usually on a web server? How do I secure my database? How do I secure SSH? How do I secure Apache Tomcat? How do I limit user privileges? How do I find configuration files?

3 December, 2008 CS-591 Securing Servers: International Capture the Flag 3 What kinds of services are usually on a web server? Just a few languages and services are: –Java, C, PHP, Python, and Ruby Other configurations that need protection: –SSH, the MySQL database, and Apache Tomcat

4 December, 2008 CS-591 Securing Servers: International Capture the Flag 4 How do I secure my database? (Locking down MySQL Users) Set the root password (no password should be blank in the mysql- >user table). Change obvious passwords (same username and password). In general, allow users access to the database only from the local machine.

5 December, 2008 CS-591 Securing Servers: International Capture the Flag 5 How do I secure my database? MySQL Commands UPDATE mysql.user SET Password=PASSWORD(newpassword') WHERE User='user'; FLUSH PRIVILEGES; ************************************************** DROP USER ‘user’;

6 December, 2008 CS-591 Securing Servers: International Capture the Flag 6 How do I secure my database? Limit privileges for application users using GRANT. Be able to select and insert for only the database that the user was created. Application users do not need administrative privileges. Host should not be ‘%’. This means access from everywhere.

7 December, 2008 CS-591 Securing Servers: International Capture the Flag 7 How do I secure my database? Drop the test database. DROP DATABASE [database_name];

8 December, 2008 CS-591 Securing Servers: International Capture the Flag 8 How do I secure my database? In Linux (my.cnf) All MySQL database configuration is in my.cnf. Protect the file with a chmod where the mysql user can see the file. In the user table, the host field should not be ‘%’ and/or my.cnf should have skip-networking under [mysql]. Turn off mysqldump in /etc/mysql/my.cnf. bind-address in my.cnf should also be set to 127.0.0.1.

9 December, 2008 CS-591 Securing Servers: International Capture the Flag 9 How do I secure SSH? If possible, turn off SSH (though not realistic). Set PermitRootLogin to no Set up a list of users that are allowed to SSH into the server in /etc/ssh/sshd_config. –PermitRootLogin no –AllowUsers user1 user2@localhost user3@localhost user4@localhost –PermitEmptyPasswords no Change the SSH port to a higher port (if possible).

10 December, 2008 CS-591 Securing Servers: International Capture the Flag 10 How do I secure Apache Tomcat? If using the Tomcat manager web interface, make sure the default users in tomcat-users.xml are not used. Create a Tomcat user. Do not run Tomcat as root in Linux. Remove extraneous example applications from webapps. If not being used, remove the Tomcat manager application from server/webapps.

11 December, 2008 CS-591 Securing Servers: International Capture the Flag 11 How do I secure Apache Tomcat? Return an empty error page instead of a stack trace from Tomcat. –webapps/[app_name]/WEB-INF/web-xml inside the web-app tag Change the shutdown port and shutdown command in conf/server.xml. Protect server.xml.

12 December, 2008 CS-591 Securing Servers: International Capture the Flag 12 How do I limit user privileges? Find users with privileges in /etc/passwd. Limit to the home directory and what application users are allowed to execute. Limit directory traversal. Set directory permissions (chmod). Scan startup scripts for flaws in /etc/init.d for each of the services.

13 December, 2008 CS-591 Securing Servers: International Capture the Flag 13 How do I find configuration files? This command will help you find a file if you know the file name: –find. | grep [name of file] This command will help you find a file if you know a few key phrases in the file: –find. | xargs grep [phrase in file] –e.g. find. | xargs grep DATABASE_ENGINE for Django settings file.

14 December, 2008 CS-591 Securing Servers: International Capture the Flag 14 Conclusions and Further Work Most of the problems in security seem to come from how tools and frameworks are configured. In the future, I would like to look into: –The proper configurations of other frameworks such as Django. –How to configure and properly use lighttpd.

15 December, 2008 CS-591 Securing Servers: International Capture the Flag 15 References Forum: Permitting specific users to SSH. Retrieved November 1, 2008 from http://ph.ubuntuforums.com/showthread.php?t=875164http://ph.ubuntuforums.com/showthread.php?t=875164. Georgia Tech – Securing MySQL. Retrieved November 11, 2008, from http://www.lugatgt.org/articles/sec_mysql/#toc_4http://www.lugatgt.org/articles/sec_mysql/#toc_4. MySQL 5.0 Reference Guide. Retrieved November 20, 2008 from http://dev.mysql.com/doc/refman/5.0/en/http://dev.mysql.com/doc/refman/5.0/en/. Secure SSH: Debian. Retrieved from October 28, 2008, from http://www.debian-administration.org/articles/455http://www.debian-administration.org/articles/455. Securing Apache: Step-by-Step. Retrieved November 27, 2008 from http://www.securityfocus.com/infocus/1694http://www.securityfocus.com/infocus/1694. Securing MySQL: Step-by-Step. Retrieved November 11, 2008, from http://www.securityfocus.com/infocus/1726http://www.securityfocus.com/infocus/1726. Securing Tomcat. Retrieved November 26, 2008 from http://www.owasp.org/index.php/Securing_tomcathttp://www.owasp.org/index.php/Securing_tomcat.

Download ppt "December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward."

Similar presentations

Building Database Relationships

Building Database Relationships
LIS651 lecture 5 direct use of wotan Thomas Krichel 2006-12-10.

LIS651 lecture 5 direct use of wotan Thomas Krichel
WordPress from Start to Finish Day 1: Installing and Using WordPress Looking at the WordPress database.

WordPress from Start to Finish Day 1: Installing and Using WordPress Looking at the WordPress database.
Coursework 2: getting started (3) – hosting static web pages Chris Greenhalgh G54UBI / 2011-02-21.

Coursework 2: getting started (3) – hosting static web pages Chris Greenhalgh G54UBI /
SSH SSH is “Secure SHell” Secure, compressed, widely supported, fast Allows both users to get jobs done, and also allows system administrators to sleep.

SSH SSH is “Secure SHell” Secure, compressed, widely supported, fast Allows both users to get jobs done, and also allows system administrators to sleep.
Shining A Light on Open Source Software: Going Beyond LAMPP Serving Web Content Using Open Source Software.

Shining A Light on Open Source Software: Going Beyond LAMPP Serving Web Content Using Open Source Software.
Hyrax Installation and Customization ESIP ‘08 Summer Meeting Best Practices in Services and Data Interoperability Dan Holloway James Gallagher.

Hyrax Installation and Customization ESIP ‘08 Summer Meeting Best Practices in Services and Data Interoperability Dan Holloway James Gallagher.
FIRST SESSION - XAMPP Jeongmin Lee.  Jeongmin Lee  CS  PHD  Machine Learning, AI  Web System Development.

FIRST SESSION - XAMPP Jeongmin Lee.  Jeongmin Lee  CS  PHD  Machine Learning, AI  Web System Development.
Agenda Web Application Web Page development WAMP

Agenda Web Application Web Page development WAMP
PHP and MySQL Database. Connecting to MySQL Note: you need to make sure that you have MySQL software properly installed on your computer before you attempt.

PHP and MySQL Database. Connecting to MySQL Note: you need to make sure that you have MySQL software properly installed on your computer before you attempt.
Tux2 Database The Architecture of Our System © Juhani Välimäki 2005.

Tux2 Database The Architecture of Our System © Juhani Välimäki 2005.
WEXTOOL User Guide v1.0 E.P. PLANETE B.B.R.. Plan Introduction & Architecture of Wextool Installation Scenario description Experimentation phase Saving/Synchronizing.

WEXTOOL User Guide v1.0 E.P. PLANETE B.B.R.. Plan Introduction & Architecture of Wextool Installation Scenario description Experimentation phase Saving/Synchronizing.
Web Application Server Apache Tomcat Downloading and Deployment Guide.

Web Application Server Apache Tomcat Downloading and Deployment Guide.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
LIS654lecture 3 omeka installation and system overview start Thomas Krichel 2011-09-29.

LIS654lecture 3 omeka installation and system overview start Thomas Krichel
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Building a Home Web Server Grant Root

Building a Home Web Server Grant Root
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
May 12, 2008 CS-526 IPv6: A Closer Look at Tunneling, Security, and Ubuntu 1 Saroj Patil Nadine Sundquist CS526-S2008 University of Colorado, Colorado.

May 12, 2008 CS-526 IPv6: A Closer Look at Tunneling, Security, and Ubuntu 1 Saroj Patil Nadine Sundquist CS526-S2008 University of Colorado, Colorado.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from

Similar presentations

Ads by Google