sleed Posted March 8, 2014

Hello. Since the "server security business" has already started (https://rstforums.com/forum/15896-tutorial-cum-securizam-un-server.rst), I propose to show you how to also secure the components that make a server functional.

Right, let's start with APACHE. What is Apache? Apache is an open source HTTP server. Apache supports a wide variety of modules that extend its functionality, ranging from server-side programming to authentication schemes. Some of the supported languages are: mod_perl, mod_python, Tcl and PHP. Other modules we can list: SSL and TLS support (mod_ssl), a proxy module, a URL rewriting module (known as the mod_rewrite rewrite engine), custom log files (mod_log_config) and filtering support (mod_include and mod_ext_filter). Another feature of the Apache server is virtual hosting, which is the ability to host several sites simultaneously on the same server. [source: Wikipedia]

Let's get down to business.

For APACHE2

First of all, we hide which Linux variant is in use. We go to /etc/apache2/apache2.conf [or httpd.conf] and add at the end:

    ServerSignature Off
    ServerTokens Prod

Then we disable directory listing; we add this to the .conf as well:

    <Directory /var/www/html>
        Options -Indexes
    </Directory>

We remove the modules we are not interested in, for example mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex, with the following command:

    a2dismod ...

We install mod security:

    sudo apt-get install libapache2-mod-security
    sudo a2enmod mod-security
    service apache2 restart

I wanted to use mod evasive, but I will show in .htaccess how to prevent brute force.

Then we turn off symlinks; we can put this in apache.conf or in .htaccess:

    Options -FollowSymLinks

We set a limit on uploads from users, in the conf:

    <Directory "/var/www/myweb1/user_uploads">
        LimitRequestBody 210000
    </Directory>

--------------------------------------------------------------------------------

Then we create a folder, named for example members, in /var/www/:

    AuthName "Login Intro Exemplu."
    AuthType Basic
    AuthUserFile /var/www/members/.htpasswd
    AuthGroupFile /dev/null
    require user name-of-user

Still in /var/www/members, we also create a login for access:

    cd /var/www/members
    htpasswd -c .htpasswd name-utilizator

We do a chmod for access from the inside only, and that's it:

    chown root:root .htpasswd

Now let's move on to MYSQL

First of all, I RECOMMEND not using PHPMYADMIN. There are many vulnerabilities you can find in phpmyadmin, exploits etc.; it is better to do everything manually.

Let's change the root password. We enter mysql, then use mysql, then set the password, then run FLUSH PRIVILEGES, and that's it, we have changed the password:

    mysql -u root -p
    use mysql;
    SET PASSWORD FOR 'root'@'localhost' = PASSWORD('PAROLA-BRE');
    FLUSH PRIVILEGES;

Use a password made up of characters like !%@%%@##FD; I recommend more than 13 characters... To be safe, we also change the name of root.

To prevent local files from being read, we add the following to my.cnf (my.cnf is located in /etc/mysql/...):

    set-variable=local-infile=0

We remove the default users:

    mysql> drop database test;
    mysql> use mysql;
    mysql> delete from db;
    mysql> delete from user where not (host="localhost" and user="root");
    mysql> flush privileges;

We change the name of root, or of the admin:

    mysql> update user set user="sleedSCHEMALE" where user="root";
    mysql> flush privileges;

We remove the history:

    cat /dev/null > ~/.mysql_history

That's about it for MySQL, let's move on to PHP.

PHP

Let's make sure we don't have this installed:

    rm /etc/php5/sqlite3.ini

Or you can check with:

    whereis sqlite3

Then:

    expose_php=Off
    display_errors=Off
    log_errors=On
    error_log=/var/log/httpd/php_scripts_error.log
    file_uploads=Off

Or, if you want users to be able to use the module to have access to uploads, we do it like this:

    file_uploads=On
    # users can upload only 1M
    upload_max_filesize=1M
    allow_url_fopen=Off
    allow_url_include=Off
    sql.safe_mode=On
    magic_quotes_gpc=Off
    post_max_size=100K
    max_execution_time = 30
    max_input_time = 30
    memory_limit = 60M

We disable a few dangerous modules:

    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Anti-backdooring: in /etc/php5/security.ini we add:

    cgi.force_redirect=On

We restrict the files and the access:

    chown -R apache:apache /var/www/site.../
    chmod -R 0444 /var/www/site../

PHPIDS (PHP-Intrusion Detection System) can be installed, to check the problems in the site...

Then .htaccess can also be modified so that we do not have SQL injection vulnerabilities:

    ServerSignature Off
    Options -Indexes
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    # fill in the list below with other scanners
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwwwperl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]

This .htaccess can also be used against SQL INJECTION and XSS.

I should mention that you can use SELinux for good system security, as a master of such things taught me. I will come back with even more details. If you have any additions, please do not hesitate to post them or point them out. I am waiting for you to propose improvements, so that I can make a complex A to Z tutorial about the security of a server.

Right now I am dedicating myself to a Linux variant; it is called sleenux and I want it to be for servers only. At the moment I am testing how Debian 7 behaves on my distro, but I am eagerly waiting for 8 so I can play with it the way I want and make a very secure server. There will be a Desktop version.

Anyway, I hope you liked it. Have a good evening.
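
An added example, not part of the original post: a small Python harness that runs a subset of the post's `%{QUERY_STRING}` conditions against constructed query strings, to show which ordinary requests the rule set would answer with 403 before it is deployed. Python's `re` stands in for Apache's regex engine here, and the sample query strings and function names are assumptions made for the illustration.

```python
import re

# A subset of the post's RewriteCond %{QUERY_STRING} rules: (pattern, flags).
# "NC" means case-insensitive, as in mod_rewrite.
RULES = [
    (r"[a-zA-Z0-9_]=http://", ""),
    (r"(\.\./|\.\.)", ""),
    (r"https\:", "NC"),
    (r"(\<|%3C).*script.*(\>|%3E)", "NC"),
    (r"^.*(\[|\]|\(|\)|<|>).*", "NC"),
    (r"(NULL|OUTFILE|LOAD_FILE)", ""),
    (r"(localhost|loopback|127\.0\.0\.1)", "NC"),
    (r"union([^s]*s)+elect", "NC"),
]
COMPILED = [(p, re.compile(p, re.I if f == "NC" else 0)) for p, f in RULES]

def matching_rules(query_string):
    """Return the patterns that would trigger the [F] (403) rule.
    mod_rewrite sees the raw, still percent-encoded query string."""
    return [p for p, rx in COMPILED if rx.search(query_string)]

def is_blocked(query_string):
    return bool(matching_rules(query_string))

# Constructed sample query strings: (description, raw query string).
SAMPLES = [
    ("plain pagination", "page=2&sort=asc"),
    ("PHP array parameter", "ids[]=3&ids[]=7"),
    ("OAuth-style return URL", "next=https://example.com/cb"),
    ("search containing NULL", "q=what+is+a+NULL+pointer"),
    ("search with parentheses", "q=apache+(httpd)"),
    ("encoded script tag", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("UNION SELECT probe", "id=1+union+select+1,2"),
]

def report():
    """Map each sample description to the rules it trips."""
    return {desc: matching_rules(qs) for desc, qs in SAMPLES}

if __name__ == "__main__":
    for desc, hits in report().items():
        print(f"{'403' if hits else 'ok ':4} {desc:28} {hits}")
```

Replacing SAMPLES with query strings taken from the site's own access log shows which existing pages the rules would break.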