WordPress3 Ultimate Security - GBV · 2012-09-03 · NeXpose and Metasploit 55 Scanningfor...
Transcript of WordPress3 Ultimate Security - GBV · 2012-09-03 · NeXpose and Metasploit 55 Scanningfor...
WordPress 3 Ultimate Security
Protect your WordPress site and its network
Oily Connelly
[PUBLISHING
1 open sourceI community experience distilled
BIRMINGHAM - MUMBAI
Table of Contents
Preface 1
Chapter 1: So What's the Risk? 7
Calculated risk 8
An overview of our risk 9
Meet the hackers 10
White hat 10
Black hat 11
Botnets 11
Cybercriminals 11
Hacktivists 11
Scrapers 12
Script kiddies 12
Spammers 12
Misfits 12
Grey hat 12
Hackers and crackers 12
Physically hacked off 13
Social engineering 14
Phone calls 14
Walk-ins 14
Enticing URLs 15
Phishing 15
Social networking (and so on) 15
Protecting against social engineering 15
Weighing up Windows, Linux, and Mac OS X 16
The deny-by-default permission model 17
The open source advantage 17
System security summary 18
Table of Contents,
Malwares dissected 18
Blended threats 18
Crimeware 19
Dataloggers 19
At loggerheads with the loggers 20
Hoax virus 20
Rootkits 20
Spyware 20
Trojan horses 21
Viruses 21
Worms 21
Zero day 21
World wide worry 22
Old browser (and other app) versions 22
Unencrypted traffic 22
Dodgy sites, social engineering, and phish food 22
Infected public PCs 23
Sniffing out problems with wireless 23
Wireless hotspots 24
Evil twins 24
Ground zero 24
Overall risk to the site and server 24
Physical server vulnerabilities 25
Open ports with vulnerable services 25
Access and authentication issues 26
Buffer overflow attacks 26
Intercepting data with man-in-the-middle attacks 27
Cracking authentication with password attacks 27
The many dangers of cross-site scripting (XSS) 27
Assorted threats with cross-site request forgery (CSRF) 28
Accessible round-up 28
Lazy site and server administration 29
Vulnerable versions 29
Redundant files 30
Privilege escalation and jailbreak opportunities 30
Unchecked information leak 31
Content theft, SEO pillaging, and spam defacement 32
Scraping and media hotlinking 33
Damn spam, rants, and heart attacks 33
Summary 34
Chapter 2: Hack or Be Hacked 35
Introducing the hacker's methodology 36
Reconnaissance 36
Table of Contents
Scanning 37
Gain access 37
Secure access 37
Cover tracks 37Ethical hacking vs. doing time 38
The reconnaissance phase 39
What to look for 39
How to look for it 40
Google hacking 41
More on Google hacking 43
Scouting-assistive applications 43
Hacking Google hacking with SiteDigger 44
WHOIS whacking 44
Demystifying DNS 46
Resolving a web address 46
Domain name security 47
The scanning phase 47
Mapping out the network 48
Nmap: the Network Mapper 48
Secondary scanners 51
Scanning for server vulnerabilities 52
Nessus 52
OpenVAS 54
GFI Languard 55
Qualys 55
NeXpose and Metasploit 55
Scanning for web vulnerabilities 56
Wikto 56
Paros Proxy 57
HackerTarget 58
Alternative tools 58
Hack packs 58
Summary 59
Chapter 3: Securing the Local Box 61
Breaking Windows: considering alternatives 62
Windows security services 63
Security or Action Center 64
Windows Firewall 64
Windows Update 64
Internet Options 65
Windows Defender 65
Table of Contents
User Account Control 65
Configuring UAC in Vista 66
Configuring UAC in Windows 7 67
Disabling UAC at the registry (Vista and 7) 67
UAC problems with Vista Home and Premium 67
Proactive about anti-rnalware 68
The reactionary old guard: detection 68
Regular antivirus scanners 68
The proactive new guard: prevention 69
The almost perfect anti-malware solution 70
Comodo Internet Security (CIS) 71Comodo Firewall 72
Comodo Antivirus 72
Comodo Defense+ (HIPS) and sandbox 72
Pick 'n mix anti-malware modules 73
Firewall with ZoneAlarm 73
Antivirus with Avira AntiVir 74
HIPS + sandbox + firewall with DefenseWall 75
Behavior scanning with ThreatFire 75
Updating ThreatFire 75
Sensitivity Level 75
System Activity Monitor 76
Multiple sandboxes with Sandboxie 76
Advanced sandboxing (and more) with virtual machines 77
Rootkit detection with GMER and RootRepeal 78
Malware cleaning with Malwarebytes 78
Anti-malware product summary 78
Prevention models and user commitment 79
Windows user accounts 79
XP user accounts 80
Vista and Windows 7 user accounts 80
Managing passwords and sensitive data 81
Proper passphrase policy 81
Password and data managers 82Web browser data managers 82
Future-proofed data management 82
Why LastPass? 83
Setting up LastPass 83
Passed out? That's it! 86
Securing data and backup solutions 86
Have separate data drives 86
Encrypting hard drives 86
Table of Contents
Automated incremental backup 87
Registry backup 88
Programming a safer system 88
Patching the system and programs 88
Binning unwanted software 89
Disabling clutter and risky Windows services 89
Disabling XP's Simple File Sharing 90
Summary 91
Chapter 4: Surf Safe 93
Look (out), no wires 93
Alt: physical cable connection 94
The wireless management utility 94
Securing wireless 94
Router password 94
Changing the SSID 95
Hiding the SSID 95
WEP vs. WPA vs. WPA2 95
WPA2 with AES 95
AESvs. TKIP 96
Wireless authentication key 96
Optional: MAC address filtering 96
Summing up wireless 96
Network security re-routed 96
Swapping firmware 97
Using public computers - it can be done 98
Booting a Preinstalled Environment (PE) 98
Secure your browsing 99
Online applications 99
Portable applications 99
Advanced data management and authentication 100
Covering your tracks 100
Checking external media 101
Hotspotting Wi-Fi 101
Hardening the firewall 101
Quit sharing 101
Disabling automatic network detection 101
Alternative document storage 102
Encrypted tunnelling with a Virtual Private Network 102
E-mailing clients and webmail 102
Remote webmail clients (and other web applications) 102
Encrypted webmail 103
Checking your encryption type 104
Table of Contents
Better webmail solutions 104
Logging out 105
Local software clients 105
Keeping the client updated 105
Instant scanning 105
Sandboxing clients 105
Local and remote clients 106Plain text or HTML 106
E-mail encryption and digital signatures with PGP 106
Your e-mail addresses 107
Don't become phish food 107
Beware of spoof addresses 108
Damn spam 108
SpamAssassin Trainer 108
Browsers, don't lose your trousers 108
Latest versions 109
Internet Explorer (IE) 109
Isolating older browsers 109
Browsers and security 109
Chrome's USPs (for good and very bad) 110
Chrome outfoxed 110
Firefox security settings 111The password manager 111
Extending security 111
Ad and cookie cullers 112
FEBE* 112
LastPass* 113
Locationbar2 113
Lock The Text 113
Anti-scripting attacks 113
SSL certificate checks 113
Web of Trust (WOT)*
114
Anonymous browsing 114
Locally private browsing 114Online private browsing 115
Anonymous proxy server 115
Chained proxies 116
SSL proxies and Virtual Private Networks (VPNs) 116
Corporate and private VPNs 116
Private SOCKS proxy with SSH 117
Networking, friending, and info leak 117
Third party apps and short links 118
Summary 119
[vi]
Table ofContents
Chapter 5: Login Lock-Down 121
Sizing up connection options 122
Protocol soup 122
WordPress administration with SSL 124
SSL for shared hosts 124
Shared, server-wide certificates 124
Dedicated, domain-specific certificates 125
SSL for VPS and dedicated servers 126
Creating a self-signed certificate 127
Using a signed certificate 130
Testing SSL and insecure pages 130
SSL reference 131
SSL and login plugins 131
Locking down indirect access 131
Server login 132
Hushing it up with SSH 132
Shared hosting SSH request 132
Setting up the terminal locally 133
Securing the terminal 134
SFTP not FTP 137
SFTP from the command line 137
SFTP using S/FTP clients 137
Connecting up a client 137
phpMyAdmin login 138
Safer database administration 139
Control panel login 139
Apache modules 139
IP deny with mod_access 139
What is my IP? 140
IP spoofing 140
Password protect directories 140
cPanel's Password Protect Directories 141
Authentication with mod_auth 141
The htaccess file 142
The passwd file 143
Creating and editing password files 143
Creating group membership 144
Basically, it's basic 146
Better passwords with mod_auth_digest 146
Easily digestible groups 148
More authentication methods 148
mod_auth_db and mod_auth_dbm 148
mod_authjnysql 149
mod_auth_pg95 149
Table ofContents.
Yet more authentication methods 149
Summary ^5u
Chapter 6: 10 Must-Do WordPress Tasks 151
Locking it down 152
Backing up the lot I52
Prioritizing backup 152
Full, incremental and differential 153
How and where to backup 153
Backing up db + files on the web server 153
Backing up db + files by your web host 154
Backing up db to (web)mail 154
Backing up db and/or files to cloud storage 154
Backing up files for local Windows users 155
Backing up a database to local machines 160
Files and db backup for local Mac 'n Linux users 162
Backing up backup! 165
Updating shrewdly 165
Think, research, update 165
Dry run updates 166
Updating plugins, widgets and other code 166
The new update panel 166
Neutering the admin account 167
The problem with admin 167
Deleting admin 167
OK, don't delete admin! 167
Creating privileged accounts 168Private account names and nicknames 168
Least privilege users 168
Custom roles 169
Denying subscriptions 169
Correcting permissions creep 169
Pruning permissions at the terminal 170
Restyling perms with a control panel 170777 permissions 170
wp-config.php permissions 170
Hiding the WordPress version 171
Binning the readme 171
Cloaking the login page and the version 171
Silver bullets won't fly 173
Nuking the wp_ tables prefix 173
Backing up the database 174
Automated prefix change 174Manual prefix change 174
Table of Contents
Installing WordPress afresh 175
Setting up secret keys 175
Denying access to wp-config.php 176
Hardening wp-content and wp-includes 177
Extra rules for wp-include's htaccess 177
Extra rules for wp-content's htaccess 177
Summary 178
Chapter 7: Galvanizing WordPress 179
Fast installs with Fantastico...
but is it? 179
Considering a local development server 181
Using a virtual machine 181
Added protection for wp-config.php 182
Moving wp-config.php above the WordPress root 182
Less value for non-root installations 182
WordPress security by ultimate obscurity 183
Just get on with it 184
Introducing remove_actions 184
Blog client references 184
Feed references 185
Relational links 185
Linking relationships thingy 185
Stylesheet location 185
Renaming and migrating wp-content 185
The problem with plugins 186
The other problem with plugins 186
Yet another problem with those pesky plugins 187
Default jQuery files 187
Themes and things 188
"Just another WordPress blog" 188
Ultimate security by obscurity: worth it? 188
Revisiting the htaccess file 189
Blocking comment spam 189
Limiting file upload size 189
Hotlink protection 190
Protecting files 190
Hiding the server signature 191
Protecting the htaccess file 191
Hiding htaccess files 191
Ensuring correct permissions 191
Adding a deny rule 191
Table ofContents___ . _
Good bot, bad bot 191
Bot what? 192
Good bot 192
Bad bot 192
Bots blitzkrieg 193
Snaring the bots 193
Short circuiting bots with htaccess 193
Bots to trot 194
Honey pots 19^
Setting up an antimalware suite 196
Firewall 196
Antivirus 197
More login safeguards 197
Limit Login Attempts 197
Scuttle log-in errors 198
Concerning code 198
Deleting redundant code 198
Scrutinize widgets, plugins and third party code 199
Ditto for themes 199
Running malware scans and checking compatibility 200
Routing rogue plugins 200
Hiding your files 200
Summary 201
Chapter 8: Containing Content 203
Abused, fair use and user-friendly 204
Scraping and swearing 204The problem with scrapers 204
Fair play to fair use 204
Illegality vs. benefit 205A nice problem to have (or better still to manage) 206
Sharing and collaboration 207Sack lawyers, employ creative commons 207Site and feed licensing 208
Protecting content 208
Pre-emptive defense 209Backlink bar none 209Tweaking the title
209Linking lead content
209Reasserting with reference
209
Binning the bots210
Coining a copyright notice 210
Table of Contents
Fielding your feeds 210
Adding a digi-print footer 210
Showing only summaries 211
Preventing media hotlinks 211
Refusing right-clicks 212
Watermarking your media 212
Reactive response 212
Seeking out scrapers 212
Investigating the Dashboard 213
Investigating the site and server log 213
Online investigation 213
Pinpointing scrapers 216
Tackling offenders 217
The cordial approach 217The DMCA approach 219
The jugular approach 222
The legal approach 222
Finding the abuse department 222
Summary 223
Chapter 9: Serving Up Security 225
.com blogs vs .org sites 226
Host type analysis 226
Choices choices...
229
Querying support and community 230
Questions to ask hosting providers 230
Control panels and terminals 231
Safe server access 231
Understanding the terminal 232
Elevating to superuser permissions 233
Setting up a panel 233
Managing unmanaged with Webmin 233
Installing Webmin 234
Securing Webmin 234
Users, permissions, and dangers 235
Files and users 235
Ownership and permissions 236
Translating symbolic to octal notation 237
Using change mode to modify permissions 238
Using change owner to modify ownership 239
Sniffing out dangerous permissions 240
Suspect hidden files and directories 240
Protecting world-writable files 241
Table ofContents
Scrutinising SUID and SGID files (aka SxlD files) 241
Keeping track of changes with SXiD 242
CronningSXID 242
System users 243
Shared human accounts 243
Administrative accounts 243
Deleting user accounts 243
Home directory permissions 244
User access 244
Non-human accounts 244
Repositories, packages, and integrity 244
Verifying genuine software 245
MD5 checksums 245
GnuPG cryptographic signatures 245
Tracking suspect activity with logs 246
Reading the Common Log Format (CLF) 247
What visitor 248
What file 248
From where 249
What client 249
Exercising the logged data 249
Chicken and egg with togging plugins 249
Legwork for access logs 250
Logs and hosting types 250
Checking the authorization log 250
Securing and parsing logs 251
Enabling logs 251
Dynamic logs 251
Off-site logging 252
Log permissions 252
Summary 252
Chapter 10: Solidifying Unmanaged 253
Hardening the Secure Shell 254
Protocol 2 254
Port 22 254
PermitRootLogin yes 255
PasswordAuthentication yes 255
AllowUsers USERNAME 255
Reloading SSH 255
chrooted SFTP access with OpenSSH 256
Binning the FTP service and firewalling the port 258
Providing a secure workspace 258
Deleting users safely 259
Table ofContents
PHP's .ini mini guide 259
Locating your configuration options 259
Making .ini a meany 260
open_basedir 261
Patching PHP with Suhosin 261
Installing Suhosin 262
Isolating risk with SuPHP 262
Installing SuPHP 262
Alternatives to SuPHP 263
Containing MySQL databases 263
Checking for empty passwords 264
Deleting the test database 264
Remote db connections with an SSH tunnel 264
phpMyAdmin: friend or foe? 264
Did we mention backup? 265
Bricking up the doors 265
Ports 101 265
Fired up on firewalls 266
Bog-standard iptables firewall 266
Adding the firewall to the network 268
Quitting superuser 269
Reference for iptables 269
Enhancing usability with CSF 269
Installing CSF 269
CSF as a control panel module 270
Setting up the firewall 271
Error on stopping the firewall 271
CSF from the command line 272
Using CSF to scan for system vulnerabilities 272
Service or disservice? 273
Researching services with Netstat 273
Preparing to remove services 274
Researching services 274
inetd and xinetd super-servers 276
Service watch 276
Disabling services using a service manager 277
Using sysv-rc-conf 277
Deleting unsafe services with harden-servers 278
Closing the port 278
Gatekeeping with TCP wrappers 279
Stockier network stack 280
Summary 281
Table of Contents
Chapter 11: Defense in Depth 283
Hardening the kernel with grsecurity 284
Growling quietly with greater security 284
Controlling user access with RBAC 285
Memory protection with PaX 286
The multi-layered protection model 286
Debian grsecurity from repositories 286
Compiling grsecurity into a kernel 287
Integrity, logs, and alerts with OSSEC 295
Obtaining and verifying the source 295
The installation process 296
Using OSSEC 297
Updating OSSEC 298
Easing analysis with a GUI 298
OSSEC-WUI 298
Splunk 298
Slamming backdoors and rootkits 299
(D)DoS protection with mod_evasive 300
Sniffing out malformed packets with Snort 301
Installing the packages 302
Snort's installation options 302
Ruby on Rails dependencies 302
Creating the web interface 302
Creating a sub-domain using an A record 303
Setting up the virtual host file 303
Creating the database 304
Deploying Ruby on Rails with Passenger 305
Enabling everything 305
Browsing to Snorby 305
Hacking yourself 306
Configuring the network 306
Updating Snort's rule-base 307
Sourcefire Vulnerability Research Team (VRT) 307
Emerging Threats 307
Firewalling the web with ModSecurity 307
Installing mod-security, the Apache module 308
Applying a ruleset 308
Enabling CRS and logging 310
Tuning your ruleset 311
Rulesets and WordPress 311
Updating rulesets 312
ModSecurity resources 312
Summary 312
Table of Contents
Appendix A: Plugins for Paranoia 3_13Anti-malware 313
Backup 314
Content 315
Login 315
Spam 316
SSL 317
Users 317
Appendix B: Don't Panic! Disaster Recovery 319
Diagnosis vs. downtime 319
Securing your users 320
Considering maintenance mode 321
Using a plugin 321
Using a rewrite rule 321
Local problems 323
Server and file problems 323
WordPress problems 324
Incompatible plugins 324
Injected plugins 325
Widgets, third party code and theme problems 325
Fun 'n' frolics with files 326
Deep file scanning 327
Verifying uploads and shared areas 327
Checking htaccess files 328
Pruning hidden users 328
Reinstalling WordPress 329
Some provisos 329
Upload WordPress and plugins 330
Importing a database backup 331
Editing wp-config-sample.php 331
Setting least privileges 331
Sending the clean platform live 331
Changing your passwords 331
Checking your search engine results pages 333
Revisiting WordPress security 333
Appendix C: Security Policy 335
Security policy for somesite.com 335
Aim 336
Goals 336
Table of Contents
Roles and responsibilities 336
Security Manager (SM) 336
System Administrator 336
Site Administrator 336
Site Editors 337
Other roles 337
Network assets 337
PCs and media 337
Routing gear 338
Server 338
Website assets 338
Backup 338
Code updates 338
Database 338
Domain 338
Further policy considerations 339
Appendix D: Essential Reference 341
WordPress 3 Ultimate Security 341
Bloggers and zines 341
Forums 343
Hacking education 343
Linux 344
Macs and Windows 345
Organizations 345
Penetration testing 346
Server-side core documents 347
Toolkits 347
Web browsers 348
WordPress 349
Mailing lists 351
Non-official support 351
Index 353
[xvi]