Application and Server Security

Transcript of Application and Server Security

About Me

• CEO of Inversoft

• Software Developer for 16 years

• I’ve had multiple servers hacked

• I’ve had root kits installed

• I’ve had applications hacked

LinkedIn hack releases 167 million accounts.

Milwaukee Bucks organization accidentally leaks player financials onto the Internet.

4.8 million VTech customers' data stolen.

Hacking group leaked more than 25 gigabytes of Ashley Madison data, including user details.

We Must Stop the Madness!

Server Security

Application Security

Server Security

• Architecture

• Password Security

• Remote Access

• Two-Factor Authentication

• Firewall

• Intrusion Detection

FYI: Almost everything in this section is Linux-specific

Application Security

• Run-As User

• SSL

• Password Security

• SQL Injection

• Configuration

• Database Security

Architecture

[Diagram: Application Server, Firewall, Database Server]

Architecture Explained

• Application server has public IP

• Database server has private IP

• Firewall controls access to database server

Password Security

• Force users not to pick crappy passwords

• Use the libpam-cracklib module

• Modify /etc/pam.d/common-password

DEMO

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-2

Allow only 3 attempts to enter (and re-type) the new password

Minimum length is 10

Must differ from the last password by at least 3 characters

Must have 1 uppercase character

Must have 2 lowercase characters

Must have 1 digit character

Must have 2 “other” characters

Super User Access

• Disable password login as root

– usermod -p '*' root

• Disable password-less sudo

– Remove exempt_groups

– %sudo ALL=(ALL:ALL) ALL

DEMO

Remote Access

• Use key based login

• Lock down SSH

SSH Keys

• Run keygen (with a passphrase)

– ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_demo

• Create a user

– useradd -m -G sudo -s /bin/bash bpontarelli

– passwd bpontarelli

• Install public key

– scp ~/.ssh/id_demo.pub [email protected]:/home/your-username

– ssh [email protected]

– mkdir .ssh

– mv id_demo.pub .ssh/authorized_keys

– chmod 600 .ssh/authorized_keys

• Bask in password-less login glory

– ssh -i ~/.ssh/id_demo [email protected]

• Don’t forget an agent

– alias ssh='ssh -A'

DEMO

SSH Server Config

• Disable root login

– PermitRootLogin no

• Disable password login

– PasswordAuthentication no

• Restart SSH

– service ssh restart

DEMO

Two-Factor Authentication

• Use the libpam-google-authenticator module

– auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

• Update the SSH configuration

– ChallengeResponseAuthentication yes

– AuthenticationMethods publickey,keyboard-interactive

• Install NTP

– apt-get install ntp

• Restart SSH

– service ssh restart

• Generate the two-factor key

– google-authenticator -l 'bpontarelli@Application Server'

DEMO

Firewall

• Persistent iptables

– apt-get install iptables-persistent

• Create tables and rules

• Restart the service

– service netfilter-persistent reload

• Lock down as much as possible

– Database servers can listen only on specific interfaces and for specific IPs

• Be careful!

DEMO

Intrusion Detection

• Install Monit (there are others as well)

– apt-get install monit

• Edit /etc/monit/conf.d/ssh-logins

• Edit /etc/monit/monitrc

• Create Slack or Pushover integration script

• Restart the service

– service monit restart

DEMO

Application Security

Run-As User

• Never run your apps as root

• Create an unprivileged user instead

– useradd -M -s /bin/false application

• Use sudo (or something like it) to run your app

– sudo -u application nodejs /usr/local/application/app.js

SSL

• Always use SSL for your websites

• SSL certificates are easy to get

– And cheap

• https://letsencrypt.org/

Password Validation

• Simple to code

• Let’s see some code!

Password Encryption

• SHA

• MD5

• Bcrypt

• PBKDF2HMACSHA256

Yes that’s a real thing!

Large bitcoin rigs can do 1,000 Tera-hashes per second.

Assuming passwords are drawn from an alphabet of roughly 100 characters…

That’s 1e18 possible passwords (for passwords of up to 9 characters)

At 1e15 hashes per second, generating every possible hash for these passwords would take 1e3 seconds

Also known as roughly 16 minutes

If you stop at 8 characters, it can take less than one minute

Complexity

• Encryption is about complexity

• Slow algorithms mean good security

• SHA and MD5 have iterations, Bcrypt has a load factor

• More iterations = good

• More load = good

Scale

[Chart: Number of Servers vs. Number of Logins & Registrations per Second]

Salting

• Add a large piece of garbage before the password

• Then hash that!

[{16e49f4f-fd87-41b9-8013-57ed3b0403d8}]Ksie923kd-A291kndj

Salting

• This prevents lookup-table attacks

• Lookup tables are large precomputed tables of the hashes of common passwords
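The "Password Validation", "Password Encryption"/"Complexity" and "Salting" slides above, worked through as one added Python example (not the presenter's code): the validator mirrors the pam_cracklib policy from the server section, and the hashing side uses a per-user random salt with PBKDF2-HMAC-SHA256, with the iteration count (an assumed value) stored alongside the hash.

```python
import hashlib
import hmac
import os

# Policy mirroring the pam_cracklib line from the deck: minlen=10, one
# uppercase, two lowercase, one digit, two "other" characters.
POLICY = {"minlen": 10, "upper": 1, "lower": 2, "digit": 1, "other": 2}

def validate_password(pw: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < POLICY["minlen"]:
        problems.append(f"shorter than {POLICY['minlen']} characters")
    counts = {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "other": sum(not c.isalnum() for c in pw),
    }
    for cls in ("upper", "lower", "digit", "other"):
        if counts[cls] < POLICY[cls]:
            problems.append(f"needs at least {POLICY[cls]} {cls} character(s)")
    return problems

# Work factor (assumed value): the "more iterations = good" knob. Raise it as
# hardware gets faster; it is stored with each hash so old entries still verify.
ITERATIONS = 600_000

def hash_password(pw: str, salt: bytes = None) -> str:
    """Random 16-byte salt + PBKDF2-HMAC-SHA256; returns algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # the "large piece of garbage" from the Salting slide
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the salt is random per user, two accounts with the same password get different stored strings, which is exactly what makes a precomputed lookup table useless.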

http://www.my-application.com/some-data?sort=first_name+desc

select * from users order by first_name desc

http://www.my-application.com/some-data?sort=(select%20CAST((select concat(email,':',password) from users limit 1) as date))+desc

"[email protected]:173ad94aa37d140a5aab46795b14cef88efe8be76930b90460b5da60f4cff76e" is not a Date

SQL Injections

• Use prepared statements when possible

• Avoid string concatenation

• Use code for parameters

http://www.my-application.com/some-data?sort=first_name_DOWN

if (sort == SortEnum.firstName_DOWN) {
  orderBy = "first_name desc";
}

select * from users where name = ?

select * from users where name = '\';select concat(email,\':\',password) from users limit 1;'
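The two defences on the "SQL Injections" slides, the enum allow-list for the ORDER BY fragment and a prepared statement for the WHERE clause, as an added Python/sqlite3 example (not the presenter's code; the users table and its rows are constructed for the demo):

```python
import sqlite3
from enum import Enum

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table shaped like the one in the deck's queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (first_name text, email text, password text)")
    conn.executemany(
        "insert into users values (?, ?, ?)",
        [("Brian", "brian@example.com", "hash-1"), ("Ada", "ada@example.com", "hash-2")],
    )
    return conn

class SortEnum(Enum):
    """The only sort codes a URL may carry; each maps to a fixed ORDER BY fragment."""
    firstName_UP = "first_name asc"
    firstName_DOWN = "first_name desc"

def list_users(conn: sqlite3.Connection, sort: str) -> list:
    """`sort` is the raw ?sort= value. It is looked up, never interpolated: anything
    that is not an enum name (e.g. a subquery) is rejected before any SQL is built."""
    try:
        order_by = SortEnum[sort].value
    except KeyError:
        raise ValueError(f"unknown sort option: {sort!r}") from None
    # Only the fixed enum value ever reaches the query string.
    return [row[0] for row in conn.execute(f"select first_name from users order by {order_by}")]

def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds `name` as data, so quotes and ';' in it
    are compared literally against the column instead of being parsed as SQL."""
    return conn.execute("select email from users where first_name = ?", (name,)).fetchall()
```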

Configuration

• Put all sensitive information (passwords, keys) in configuration files

– (never in code)

• Ensure configuration files are NOT world readable

– Only the application user should have access

• Ensure the directory that holds the configuration files is NOT world readable or executable

– Only the application user should have access

$ chown -R application:application /usr/local/application/config

$ chmod 700 /usr/local/application/config

$ chmod 400 /usr/local/application/config/*
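A start-up check that enforces the chown/chmod rules just listed, as an added Python example (not the presenter's code): the application refuses to read its config directory unless it is owned by the run-as user, the directory is at most 700 and every file in it at most 400. The demo directory and its contents are constructed in a temp dir.

```python
import os
import stat
import tempfile

def config_permission_problems(config_dir: str, owner_uid: int = None) -> list:
    """Return a list of problems with config_dir and the files in it; [] means it
    matches the deck's rules: owned by the app user, directory 700, files 400.
    owner_uid defaults to the uid this process runs as (the run-as user)."""
    if owner_uid is None:
        owner_uid = os.getuid()
    problems = []

    def check(path: str, allowed: int, kind: str) -> None:
        st = os.lstat(path)  # lstat: a symlink pointing outside the dir is itself a problem
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{path}: is a symlink, expected a regular {kind}")
        if st.st_uid != owner_uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        if mode & ~allowed:
            problems.append(f"{path}: mode {mode:04o} is wider than {allowed:04o}")

    check(config_dir, 0o700, "directory")
    for name in sorted(os.listdir(config_dir)):
        check(os.path.join(config_dir, name), 0o400, "file")
    return problems

def demo() -> dict:
    """Build a constructed config dir, then loosen it step by step to show what is caught."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "app.properties")
    with open(cfg, "w") as f:
        f.write("db.password=example-only\n")  # constructed placeholder, not a real secret
    os.chmod(d, 0o700)
    os.chmod(cfg, 0o400)
    results = {"locked_down": config_permission_problems(d)}
    os.chmod(cfg, 0o644)  # world-readable file: breaks the "NOT world readable" rule
    results["file_644"] = config_permission_problems(d)
    os.chmod(d, 0o755)    # world-listable and executable directory
    results["dir_755"] = config_permission_problems(d)
    return results
```

Call config_permission_problems() before loading secrets and refuse to start if it returns anything; a sudo -u application launch that accidentally runs as root is also caught, because the owner check then fails.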

Database Security

• Lock access by user and server

mysql> create user 'inversoft'@'192.168.42.3' identified by 'super-strong-password';

mysql> grant insert, select, update, delete on my_database.* to 'inversoft'@'192.168.42.3';