Four lines of defence
How will we protect our client's web site? We call it the "Four lines of defence":
1st line of defence: Script code
The PHP code on a website is the 1st line of defence. Programmers write code to provide website features, and that code will always contain vulnerabilities, because the coder is not a security expert. So we have to check every line of this code to ensure it has no security issues.
There are many check points in this code. These four are the most important:
1. Local/Remote File Inclusion
Every file that these commands find needs checking (an include or require whose path comes from user input is the problem):
grep -r include .
grep -r require .
2. SQL Injection
At least the files that these commands find need checking (each use of request data must be traced to see whether it reaches a query unescaped):
grep -rn '\$_REQUEST' .
grep -rn '\$_GET' .
grep -rn '\$_POST' .
3. Dynamic Evaluation: eval(), assert(), create_function() and preg_replace() with the /e modifier, applied to anything user-controlled
4. Remote File Disclosure: file-reading functions (readfile, file_get_contents, fopen, fpassthru, show_source) given a user-supplied path, which lets the client read arbitrary files
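Below is an added example (not code from the original article) that turns the four checks above into a single audit function. The two sample PHP files it writes are constructed for the demonstration, and the regular expressions are a first pass: each hit still needs a human to follow the data flow.

```shell
#!/bin/sh
# Added example, not code from the original article: a small audit script
# that runs the "1st line of defence" greps over a PHP tree and tags each hit
# with the check it belongs to. The two sample PHP files written by
# make_sample() are constructed for this demonstration.

# audit_php DIR -> one "TAG:file:line:text" line per hit
audit_php() {
    dir="$1"
    # 1. Local/remote file inclusion: include/require whose operand holds a variable
    grep -rnE --include='*.php' \
        '(include|require)(_once)?[[:space:]]*\(?[^;]*\$' "$dir" | sed 's/^/LFI_RFI:/'
    # 2. SQL injection candidates: every use of a request superglobal; each one
    #    must be traced to see whether it reaches a query unescaped
    grep -rnE --include='*.php' \
        '\$_(GET|POST|REQUEST|COOKIE)\[' "$dir" | sed 's/^/USER_INPUT:/'
    # 3. Dynamic evaluation
    grep -rnE --include='*.php' \
        '(^|[^A-Za-z0-9_])(eval|assert|create_function)[[:space:]]*\(' "$dir" | sed 's/^/EVAL:/'
    # 4. File disclosure: file-reading functions whose argument holds a variable
    grep -rnE --include='*.php' \
        '(^|[^A-Za-z0-9_])(readfile|file_get_contents|fopen|fpassthru|show_source)[[:space:]]*\([^)]*\$' "$dir" | sed 's/^/FILE_READ:/'
    return 0
}

# count_hits DIR TAG -> number of audit lines carrying TAG
count_hits() {
    audit_php "$1" | grep -c "^$2:"
}

# make_sample -> path of a temporary directory holding constructed sample files
make_sample() {
    d=$(mktemp -d)
    cat > "$d/page.php" <<'EOF'
<?php
// vulnerable: attacker-controlled include path (LFI/RFI)
include($_GET['page'] . '.php');
// vulnerable: request data concatenated into SQL
$q = "SELECT * FROM users WHERE name = '" . $_POST['name'] . "'";
// vulnerable: request data evaluated as PHP
eval($_REQUEST['code']);
// vulnerable: path traversal lets the client read arbitrary files
readfile('/var/www/uploads/' . $_GET['f']);
EOF
    cat > "$d/safe.php" <<'EOF'
<?php
// fixed include: static path; fixed query: prepared statement with a placeholder
require_once 'config.php';
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
$cfg = file_get_contents('config.json');
EOF
    echo "$d"
}

# usage: audit_php /var/www/html
```

Run `audit_php` against the document root and review the tagged lines; the USER_INPUT tag is deliberately broad, because the question is not whether request data is used but whether it reaches a query, an include path or a file name without validation.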
2nd line of defence: Apache + PHP + MySQL system
Even after we have built the 1st line of defence, the scripts on the website will still acquire vulnerabilities in one way or another: perhaps the administrator installed a 3rd-party module with a security issue, or perhaps the programmer added a new script to the site. Any of these can introduce a security issue before we have had time to check every line of the code. So we have to build the 2nd line of defence.
What if the 1st line of defence has already been lost to SQL injection or remote file inclusion? That is what the 2nd line of defence is for.
The duty of the 2nd line of defence is to stop an attacker who controls a script from reaching system resources through the web stack: Apache + PHP + MySQL. Some examples:
Chroot the web server (the jail must contain the libraries, configuration and content that httpd needs, and nothing else):
chroot /chroot/httpd /usr/sbin/httpd
Do not allow PHP scripts to run system commands (php.ini):
disable_functions = system,shell_exec,exec,passthru,posix_getpwuid,popen
Do not allow PHP scripts to include remote files (allow_url_include = Off in php.ini).
Do not allow MySQL to read or write system files: do not grant the FILE privilege to the web application's database user, and restrict secure_file_priv.
Do not display error messages that reveal system information (display_errors = Off; write them to the log instead).
……
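As an added example (not the article's own code), the php.ini directives behind these items can be checked mechanically. The two php.ini fragments below are constructed; proc_open is required on top of the article's disable_functions list because it spawns a process just as popen does.

```shell
#!/bin/sh
# Added example, not code from the original article: a check of the php.ini
# settings behind the article's "2nd line of defence" items, run against two
# constructed php.ini fragments (one weak, one hardened). File paths are
# temporary; nothing here touches the live PHP configuration.

# php_ini_value FILE KEY -> value of the last "KEY = value" line (empty if unset)
php_ini_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# check_php_ini FILE -> prints one "WEAK: ..." line per finding
check_php_ini() {
    f="$1"
    # Directives that must be Off. The number after the colon is PHP's built-in
    # default, used when the directive is absent from the file.
    for pair in allow_url_include:0 display_errors:1 expose_php:1; do
        key=${pair%%:*}; def=${pair#*:}
        v=$(php_ini_value "$f" "$key")
        if [ -z "$v" ]; then v=$def; fi
        case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
            off|0|false|no|none) ;;
            *) echo "WEAK: $key = $v (expected Off)" ;;
        esac
    done
    # Functions that hand a script a shell; proc_open is added to the article's list
    df=$(php_ini_value "$f" disable_functions | tr -d ' ')
    for fn in system shell_exec exec passthru popen proc_open; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "WEAK: disable_functions lacks $fn" ;;
        esac
    done
    return 0
}

# weak_count FILE -> number of findings
weak_count() {
    check_php_ini "$1" | grep -c '^WEAK:'
}

# Constructed php.ini fragments
make_weak_ini() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
; constructed: the settings many development installs run with
allow_url_fopen = On
allow_url_include = On
display_errors = On
expose_php = On
disable_functions =
EOF
    echo "$t"
}

make_hardened_ini() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
; constructed: the same directives set for the 2nd line of defence
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
log_errors = On
expose_php = Off
disable_functions = system,shell_exec,exec,passthru,posix_getpwuid,popen,proc_open
EOF
    echo "$t"
}

# usage: check_php_ini /etc/php/8.2/apache2/php.ini
```

The check treats a missing directive as PHP's compiled-in default rather than as "safe", which is why display_errors and expose_php are flagged when they are simply absent. Setting allow_url_fopen = Off as well goes further than the article (it also disables http:// streams for file_get_contents), so it is shown in the fragments but not enforced by the check.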
3rd line of defence: The linux system
Once the 1st and 2nd lines of defence have been broken, the attacker can access the system with limited permissions (those of the web server user), and now wants a Linux account of his own. Let's build the 3rd line of defence to stop him:
Do not allow the attacker to access the file system (read more…)
Check all the open ports:
netstat -an | grep -i listen
Check suid files:
find . -type f -perm -04000 -ls
Check sgid files:
find . -type f -perm -02000 -ls
Check world-writable files:
find . -type f -perm -00002 -ls
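An added example (not from the original article): the suid/sgid/world-writable checks above are most useful when their output is saved once as a baseline and diffed on later runs, because an intruder who got a shell typically leaves a new setuid binary or a writable drop file behind. The directory tree and the planted file below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's suid/sgid
# and world-writable checks turned into a baseline that is recorded once and
# diffed on later runs. The tree built by make_tree() and the file planted by
# plant_backdoor() are constructed for this demonstration.

# list_special ROOT -> sorted "suid|sgid|ww <path>" lines
list_special() {
    root="$1"
    {
        find "$root" -type f -perm -4000 -print | sed 's/^/suid /'
        find "$root" -type f -perm -2000 -print | sed 's/^/sgid /'
        find "$root" -type f -perm -0002 -print | sed 's/^/ww /'
    } | sort
}

# save_baseline ROOT FILE: record the current state (run once on a clean host)
save_baseline() { list_special "$1" > "$2"; }

# new_since_baseline ROOT FILE -> lines present now but absent from the baseline
new_since_baseline() {
    list_special "$1" | comm -13 "$2" -
}

# new_count ROOT FILE -> number of new lines
new_count() { new_since_baseline "$1" "$2" | grep -c .; }

# make_tree -> path of a constructed tree with the usual legitimate entries
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    : > "$d/bin/su";    chmod 4755 "$d/bin/su"     # legitimate setuid
    : > "$d/bin/wall";  chmod 2755 "$d/bin/wall"   # legitimate setgid
    : > "$d/tmp/cache"; chmod 666  "$d/tmp/cache"  # world-writable
    : > "$d/bin/ls";    chmod 755  "$d/bin/ls"
    echo "$d"
}

# plant_backdoor ROOT: what an intruder leaves behind (constructed)
plant_backdoor() {
    cp "$1/bin/ls" "$1/tmp/.x"; chmod 4755 "$1/tmp/.x"
}

# usage: save_baseline / /var/lib/perm-baseline   (once)
#        new_since_baseline / /var/lib/perm-baseline   (from cron)
```

Keep the baseline file outside the web server's reach and re-record it only after a deliberate package change; otherwise every line that new_since_baseline prints is something to explain.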
4th line of defence: The linux kernel
The Linux kernel is the last line of defence preventing the attacker from getting the root account. We will read every line of the Linux kernel and its modules and try to find all the vulnerabilities. In the meantime the kernel is kept current with the distribution's security updates, and modules that the server does not need are not loaded.