December 2008. CS-591 Securing Servers: International Capture the Flag. Nadine Sundquist, CS591-F2008, University of Colorado, Colorado Springs. Dr. C. Edward Chow.

Slide 1: Securing Servers: International Capture the Flag. Securing Careless Security Flaws: A Focused Analysis of the International Capture the Flag Virtual Machines.

Slide 2: Roadmap
What kinds of services are usually on a web server?
How do I secure my database?
How do I secure SSH?
How do I secure Apache Tomcat?
How do I limit user privileges?
How do I find configuration files?

Slide 3: What kinds of services are usually on a web server?
Just a few languages and services are:
– Java, C, PHP, Python, and Ruby
Other configurations that need protection:
– SSH, the MySQL database, and Apache Tomcat

Slide 4: How do I secure my database? (Locking down MySQL users)
Set the root password (no password should be blank in the mysql.user table).
Change obvious passwords (same username and password).
In general, allow users access to the database only from the local machine.

Slide 5: How do I secure my database? MySQL commands
UPDATE mysql.user SET Password=PASSWORD('newpassword') WHERE User='user';
FLUSH PRIVILEGES;
**************************************************
DROP USER 'user';

Slide 6: How do I secure my database?
Limit privileges for application users using GRANT.
Allow SELECT and INSERT only on the database the user was created for.
Application users do not need administrative privileges.
Host should not be '%': that means access from everywhere.

Slide 7: How do I secure my database?
Drop the test database.
DROP DATABASE [database_name];

Slide 8: How do I secure my database? In Linux (my.cnf)
All MySQL database configuration is in my.cnf.
Protect the file with chmod so that the mysql user can read the file.
In the user table, the host field should not be '%', and/or my.cnf should have skip-networking under [mysql].
Turn off mysqldump in /etc/mysql/my.cnf.
bind-address in my.cnf should also be set to
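A worked check for the rules on slides 4 through 8, added here as an editor's example rather than code from the presentation: it audits rows from mysql.user (blank password, password equal to the username, host '%') and emits the slides' remediation SQL, and it reads my.cnf the way the server does, so a skip-networking line placed under [mysql] is correctly reported as having no effect on mysqld. The sample rows and my.cnf are constructed; the PASSWORD() recomputation assumes the MySQL 4.1+ hash format, and the bind-address value 127.0.0.1 (loopback only) is the editor's choice.

```python
import hashlib

# MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plaintext)), inner SHA1 as raw bytes.
def mysql_password(plain):
    inner = hashlib.sha1(plain.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def audit_users(rows):
    """rows are (User, Host, Password) tuples as SELECT User, Host, Password FROM
    mysql.user returns them. Returns (finding, remediation SQL) pairs for the three
    slide rules: no blank password, no password equal to the username, no '%' host."""
    findings = []
    for user, host, pw_hash in rows:
        acct = "'%s'@'%s'" % (user, host)
        reset = ("UPDATE mysql.user SET Password=PASSWORD('<new-password>') "
                 "WHERE User='%s' AND Host='%s'; FLUSH PRIVILEGES;" % (user, host))
        if pw_hash == "":
            findings.append(("blank password for " + acct, reset))
        elif pw_hash == mysql_password(user):
            findings.append(("password equals username for " + acct, reset))
        if host == "%":
            findings.append(("login allowed from any host for " + acct, "DROP USER %s;" % acct))
    return findings

def mysqld_network_settings(my_cnf_text):
    """(skip_networking, bind_address) as the server reads them: only the [mysqld] group
    counts; a skip-networking line under [mysql], the command-line client's group, does
    nothing for the server."""
    section, skip, bind = None, False, None
    for raw in my_cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif line and section == "mysqld":
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("_", "-")  # option files accept either spelling
            if key == "skip-networking":
                skip = True
            elif key == "bind-address":
                bind = value.strip()
    return skip, bind

# Constructed sample data, not taken from a real server.
SAMPLE_ROWS = [("root", "localhost", ""), ("root", "%", mysql_password("root")),
               ("webapp", "localhost", mysql_password("S3cret!pw")), ("test", "%", mysql_password("xyz"))]
SAMPLE_MY_CNF = ("[client]\nport = 3306\n[mysqld]\nuser = mysql\nbind-address = 127.0.0.1\n"
                 "[mysql]\nskip-networking\n")
```

Running audit_users(SAMPLE_ROWS) yields four findings (one blank password, one username-as-password, two '%' hosts) and mysqld_network_settings(SAMPLE_MY_CNF) reports skip-networking as not in effect.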

Slide 9: How do I secure SSH?
If possible, turn off SSH (though not realistic).
Set PermitRootLogin to no.
Set up a list of users that are allowed to SSH into the server in /etc/ssh/sshd_config:
– PermitRootLogin no
– AllowUsers user1
– PermitEmptyPasswords no
Change the SSH port to a higher port (if possible).
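The sshd_config keywords above, checked the way sshd actually reads the file (an added example by the editor, not from the slides): the first value given for a keyword wins, so appending a hardened line below an existing permissive one has no effect, a mistake that is easy to miss when editing a distribution's default file. The sample configs are constructed; stopping at the first Match block is an assumption noted in the code.

```python
# Values the slide requires for the two keywords it sets explicitly.
REQUIRED = {"permitrootlogin": "no", "permitemptypasswords": "no"}

def effective_sshd_settings(config_text):
    """Parse sshd_config the way sshd does: for each keyword the FIRST value wins and
    later duplicates are ignored, so a 'PermitRootLogin no' appended at the end of a file
    that already says 'PermitRootLogin yes' changes nothing. Parsing stops at the first
    Match block, whose keywords apply only conditionally (assumed out of scope here)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def check_sshd(config_text):
    """Return a list of problems against the slide's settings; empty means compliant."""
    s = effective_sshd_settings(config_text)
    problems = []
    for key, wanted in REQUIRED.items():
        if s.get(key, "").lower() != wanted:
            problems.append("%s is %s, expected %s" % (key, s.get(key, "<not set>"), wanted))
    if not s.get("allowusers"):
        problems.append("no AllowUsers list: SSH access is not limited to named accounts")
    return problems

# Constructed sample files (not from a real host).
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
# an admin appended this later; sshd keeps the first value above, so it is ignored
PermitRootLogin no
"""
SAMPLE_HARDENED = """\
Port 2222
PermitRootLogin no
AllowUsers user1
PermitEmptyPasswords no
"""
```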

Slide 10: How do I secure Apache Tomcat?
If using the Tomcat manager web interface, make sure the default users in tomcat-users.xml are not used. Create a Tomcat user.
Do not run Tomcat as root in Linux.
Remove extraneous example applications from webapps.
If not being used, remove the Tomcat manager application from server/webapps.

Slide 11: How do I secure Apache Tomcat?
Return an empty error page instead of a stack trace from Tomcat.
– webapps/[app_name]/WEB-INF/web.xml, inside the web-app tag
Change the shutdown port and shutdown command in conf/server.xml.
Protect server.xml.
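An added example by the editor (not from the slides) covering slides 10 and 11: a constructed web.xml showing the error-page entries inside web-app that replace Tomcat's stack-trace report page, a parser that verifies both the HTTP 500 and the java.lang.Throwable mappings are present, and a check of tomcat-users.xml for accounts that still carry the stock names or the stock password. File contents and account names are constructed samples; the stock names are those shipped in the Tomcat 5.5 default file (Tomcat 6 ships the same entries commented out).

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment. The two <error-page> entries inside <web-app> route
# HTTP 500 responses and any uncaught exception to a static page, so Tomcat's default
# report page (which prints the stack trace) is never sent to the client.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>
"""

def error_pages(web_xml_text):
    """Map each error-code / exception-type declared in web.xml to its location."""
    root = ET.fromstring(web_xml_text)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    mapping = {}
    for ep in root.iter(ns + "error-page"):
        trigger = ep.findtext(ns + "error-code") or ep.findtext(ns + "exception-type")
        mapping[trigger] = ep.findtext(ns + "location")
    return mapping

def stack_traces_hidden(web_xml_text):
    """True when both 500 responses and uncaught exceptions have a replacement page."""
    pages = error_pages(web_xml_text)
    return "500" in pages and "java.lang.Throwable" in pages

# 'tomcat', 'both' and 'role1' (all with password 'tomcat') are the accounts in the stock
# Tomcat 5.5 tomcat-users.xml; the sample file below is constructed.
STOCK_USERS = {"tomcat", "both", "role1"}
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="deploy" password="tomcat" roles="manager"/>
  <user username="ops" password="long-random-value-here" roles="manager"/>
</tomcat-users>
"""

def stock_accounts(tomcat_users_text):
    """Usernames that keep a stock name or the stock password."""
    root = ET.fromstring(tomcat_users_text)
    return sorted(u.get("username") for u in root.iter("user")
                  if u.get("username") in STOCK_USERS or u.get("password") == "tomcat")
```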

Slide 12: How do I limit user privileges?
Find users with privileges in /etc/passwd.
Limit application users to their home directory and to what they are allowed to execute.
Limit directory traversal.
Set directory permissions (chmod).
Scan the startup scripts in /etc/init.d for flaws, for each of the services.
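The /etc/passwd review from this slide as an added example (editor's code, not the presentation's): it flags any extra UID-0 account and any service account that still has a real login shell, which is the first thing to check before tightening what application users may execute. The passwd excerpt is constructed, and the UID boundary for system accounts is an assumption (999, the Debian convention) that the caller can override.

```python
# Shells that refuse interactive login; a service account should use one of these.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def review_passwd(passwd_text, system_uid_max=999):
    """Flag accounts with privileges they should not need: any extra UID-0 account, and
    any system/service account (UID at or below system_uid_max, the Debian convention)
    that still has a real login shell. Returns (name, reason) pairs in file order."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        uid = int(uid)
        if uid == 0:
            if name != "root":
                findings.append((name, "UID 0: a second root account"))
        elif uid <= system_uid_max and shell not in NOLOGIN_SHELLS:
            findings.append((name, "service account with login shell " + shell))
    return findings

# Constructed /etc/passwd excerpt, not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/bash
tomcat55:x:105:109:Tomcat:/usr/share/tomcat5.5:/bin/false
backup:x:0:34:backup:/var/backups:/bin/sh
user1:x:1000:1000:user1:/home/user1:/bin/bash
"""
```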

Slide 13: How do I find configuration files?
This command will help you find a file if you know the file name:
– find . | grep [name of file]
This command will help you find a file if you know a few key phrases in the file:
– find . | xargs grep [phrase in file]
– e.g. find . | xargs grep DATABASE_ENGINE for the Django settings file.

Slide 14: Conclusions and Further Work
Most of the problems in security seem to come from how tools and frameworks are configured.
In the future, I would like to look into:
– The proper configurations of other frameworks such as Django.
– How to configure and properly use lighttpd.
