Webapp Security

Securing MySQL

Remove MySQL from the network

By default, MySQL listens on TCP port 3306 on every interface. If nothing needs to reach the server over the network (the usual case when the web application runs on the same host and connects through the Unix socket), stop it from listening on any TCP port at all.

# vi /etc/my.cnf

In the [mysqld] section, change
#skip-networking
to
skip-networking

and restart mysqld. With this setting the server accepts local connections only, through the Unix socket (or named pipes on Windows), so replication and remote administration stop working as well. If local clients insist on TCP, bind-address=127.0.0.1 is the alternative: the server still listens, but only on the loopback interface. Either way, verify the result afterwards by listing the listening TCP ports and confirming that 3306 is gone (or bound to 127.0.0.1 only).
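The following shell script is an added example and not code from the original page. It turns skip-networking on in a my.cnf file (uncommenting the line if it is already there, adding it under [mysqld] if it is not, and leaving the file alone if the option is already active), and it checks, from the output of ss -ltn or netstat -ltn, whether anything still listens on 3306. The config path is whatever you pass on the command line; the script does not restart mysqld, that remains the operator's step.

```sh
#!/bin/sh
# Added example (not from the original page): turn skip-networking on in a
# my.cnf and, after the restart, confirm that nothing listens on TCP 3306.
# Assumes the file given on the command line (e.g. /etc/my.cnf) is the one
# mysqld reads and that its options live in the [mysqld] section.
#
# Usage: sh mysql_no_tcp.sh /etc/my.cnf
#        (restart mysqld, then run check_mysql_not_listening from a shell
#        that has sourced this file)

# Uncomment an existing "#skip-networking" line, or add "skip-networking"
# right under [mysqld] (appending the section if the file has none).
# Idempotent: a file that already has the option active is left untouched.
enable_skip_networking() {
    cnf=$1
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*skip[-_]networking' "$cnf"; then
        rm -f "$tmp"
        return 0
    elif grep -Eq '^[[:space:]]*#[[:space:]]*skip[-_]networking' "$cnf"; then
        # strip the comment marker from the first such line only
        awk '!done && /^[[:space:]]*#[[:space:]]*skip[-_]networking/ {
                 sub(/^[[:space:]]*#[[:space:]]*/, ""); done = 1 }
             { print }' "$cnf" > "$tmp"
    elif grep -q '^\[mysqld\]' "$cnf"; then
        awk '{ print }
             /^\[mysqld\]/ && !done { print "skip-networking"; done = 1 }' "$cnf" > "$tmp"
    else
        { cat "$cnf"; printf '\n[mysqld]\nskip-networking\n'; } > "$tmp"
    fi
    cat "$tmp" > "$cnf" && rm -f "$tmp"   # overwrite in place to keep owner and mode
}

# Read "ss -ltn" or "netstat -ltn" output on stdin; exit 0 if a TCP listener
# on the given port (default 3306) is present. The port must be followed by
# whitespace so that 3306 does not match 33060 (the MySQL X protocol port).
tcp_port_listening() {
    port=${1:-3306}
    grep LISTEN | grep -Eq "[:.]$port[[:space:]]"
}

# Live check on this host: prints the offending listener line(s) and returns 1
# if mysqld is still reachable over TCP 3306.
check_mysql_not_listening() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null) || listeners=''
    else
        listeners=$(netstat -ltn 2>/dev/null || netstat -an 2>/dev/null) || listeners=''
    fi
    if printf '%s\n' "$listeners" | tcp_port_listening 3306; then
        printf '%s\n' "$listeners" | grep LISTEN | grep -E '[:.]3306[[:space:]]' >&2
        echo "mysqld still listens on TCP 3306" >&2
        return 1
    fi
    echo "no TCP listener on 3306"
    return 0
}

if [ "$#" -ge 1 ]; then
    enable_skip_networking "$1" &&
        echo "skip-networking enabled in $1; restart mysqld, then run check_mysql_not_listening"
fi
```

The listener check is deliberately a separate function that reads its input from stdin: that way the same matching logic can be run against saved ss or netstat output from another host, and it also keeps the port match strict (the trailing whitespace requirement is what stops 3306 from matching 33060).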

Secure the user accounts

A default install of MySQL is somewhat lacking in security. To fix that we are going to do the following:

Wildcard SSL Certificates

To set up a wildcard certificate, use "*.yourdomain.com" as the Common Name when you generate the certificate signing request (CSR).

If you want the same certificate to also work on "yourdomain.com" (without a subdomain), the bare name has to go into the subjectAltName extension. One way to do that without hard-coding it in the configuration is to add

subjectAltName=${ENV::SAN}

to the extension section of your openssl.cnf and set the environment variable

export SAN='DNS:*.yourdomain.com,DNS:yourdomain.com'

before running the openssl commands to create the CSR. Two details matter here. First, which section: [ usr_cert ] holds the extensions that "openssl ca" adds when it signs a certificate, so a line there only takes effect at signing time; to have the extension in the CSR itself, put it in the section named by req_extensions ([ v3_req ] in the stock file). Second, list the wildcard name in the SAN as well as the bare domain: current browsers ignore the Common Name whenever a subjectAltName is present, so a SAN carrying only "yourdomain.com" would leave every subdomain uncovered. Also note that openssl refuses to run if SAN is not set when it reads that configuration line.
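The script below is an added example, not code from the original page. It writes a minimal request configuration on the fly (so the system openssl.cnf is left alone), generates a key and CSR whose subjectAltName covers both the wildcard and the bare domain, and then reads the SAN back out of the CSR to confirm it is really there. "example.com" and the file names are placeholders passed on the command line.

```sh
#!/bin/sh
# Added example (not from the original page): generate a key and CSR for a
# wildcard certificate whose subjectAltName covers both *.DOMAIN and the bare
# DOMAIN, then check that the CSR really carries both names. The config is
# written to a temporary file rather than edited into the system openssl.cnf;
# the domain and file names are placeholders given on the command line.
#
# Usage: sh wildcard_csr.sh example.com wildcard.key wildcard.csr

# Minimal request config. subjectAltName is read from the SAN environment
# variable via ${ENV::SAN}, as in the openssl.cnf edit above, but from the
# section named by req_extensions so that it ends up in the CSR itself.
write_san_config() {
    cat <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = *.$1

[ v3_req ]
subjectAltName = \${ENV::SAN}
EOF
}

# Create KEY and CSR for DOMAIN. Both names go into the SAN: clients no longer
# fall back to the Common Name, so a SAN listing only the bare domain would
# leave the subdomains unmatched.
make_wildcard_csr() {
    domain=$1; key=$2; csr=$3
    cfg=$(mktemp) || return 1
    write_san_config "$domain" > "$cfg"
    SAN="DNS:*.$domain,DNS:$domain" \
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
    status=$?
    rm -f "$cfg"
    return $status
}

# Print the SAN of a CSR with spaces stripped, e.g.
# "DNS:*.example.com,DNS:example.com"; prints nothing if the extension is absent.
csr_san_names() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

if [ "$#" -ge 1 ]; then
    make_wildcard_csr "$1" "${2:-wildcard.key}" "${3:-wildcard.csr}" || exit 1
    echo "SAN in CSR: $(csr_san_names "${3:-wildcard.csr}")"
fi
```

Run the read-back step on every CSR before sending it to a CA: a SAN that never made it into the request (wrong section, variable not exported) is silently dropped by openssl req, and you only find out when the issued certificate fails for the bare domain.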

Lighttpd Secure Configuration

Reference:

Google Ratproxy

Google released an open source tool called ratproxy, meant to help developers audit the security of their web applications. It is a passive, non-disruptive tool designed for Web 2.0 and AJAX applications; it watches normal browsing traffic and produces an easy-to-read report of potential problems.

Linux.com has a review of it today.

Hardening Apache

First, please check the Apache website for

http://xianshield.org/guides/apache2.0guide.html has some nice tips on how to harden your Apache server. In particular, go through your httpd.conf and check that every directive is what you intend.

Harden Your Drupal Websites

Note: This is still a work in progress. I will gradually add items to the list. You are welcome to contribute your points. Thanks.

To begin, we shall first follow Configuration steps for a more secure site. Then we can do the rest as listed below.

How to Find out Which Process is Issuing ICMP Requests

If your network admin complains that your computer is flooding the network with ICMP requests, and you are not aware of any program that needs to do this, pay attention and find out what is going on. A host that sends echo requests nobody asked for is either misconfigured or running something that is scanning the network on someone else's behalf.

To see a statistics report of your computer's ICMP activity:

root# netstat -sp

This prints summary statistics for each protocol; look under the "Icmp:" heading for the ICMP counters (on BSD and macOS, where -p takes a protocol name, the equivalent is netstat -s -p icmp). A sent echo-request counter that keeps climbing while you are doing nothing confirms the complaint.

To see the ICMP traffic itself as it leaves your computer:

root# tcpdump icmp

This shows each packet with its source and destination, but not the process that sent it. Sending ICMP from a user program takes a raw socket (or, on newer Linux kernels, an unprivileged ICMP "ping socket"), so the next step is to find out which processes hold such a socket open and which user they run as.
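As an added example (not from the original page), the script below does that on Linux by reading the kernel's socket tables under /proc and matching each socket's inode to the process that holds it. It assumes the Linux /proc layout; the /proc root is a parameter only so that the logic can be exercised against a constructed directory tree. Interactively you would type ss -wp, which lists raw sockets with their owning process; the script shows where that information comes from.

```sh
#!/bin/sh
# Added example (not from the original page): list the processes that hold
# ICMP sockets, which is how you get from "tcpdump shows echo requests" to
# "this PID is sending them". On Linux, raw sockets appear in /proc/net/raw
# (the "port" half of local_address is the IP protocol number, 0001 for ICMP)
# and unprivileged ping sockets appear in /proc/net/icmp; the inode column
# matches the socket:[inode] links under /proc/<pid>/fd/. The IPv6 tables are
# raw6/icmp6 with protocol 003A (ICMPv6).
#
# Usage: sh icmp_owner.sh              (live /proc; run as root to see all PIDs)
#        sh icmp_owner.sh /some/dir    (a directory laid out like /proc, for testing)

# Print "inode table" for every ICMP socket found under the given /proc root.
icmp_socket_inodes() {
    procroot=${1:-/proc}
    for table in raw icmp raw6 icmp6; do
        f="$procroot/net/$table"
        [ -r "$f" ] || continue
        case $table in raw|icmp) proto=0001 ;; *) proto=003A ;; esac
        # Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
        awk -v proto="$proto" -v table="$table" \
            'NR > 1 && $2 ~ (":" proto "$") { print $10, table }' "$f"
    done
    return 0
}

# Print "pid=... comm=... inode=... table=..." for every process whose fd
# table contains the given socket inode. Other users' fd directories are not
# readable without root, so those processes simply do not show up.
pids_for_inode() {
    procroot=$1; inode=$2; table=$3
    for fd in "$procroot"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$inode]" ] || continue
        pid=${fd#"$procroot"/}; pid=${pid%%/*}
        comm=$(cat "$procroot/$pid/comm" 2>/dev/null || echo '?')
        echo "pid=$pid comm=$comm inode=$inode table=$table"
    done
    return 0
}

# Full report: one line per (process, ICMP socket) pair.
icmp_socket_owners() {
    procroot=${1:-/proc}
    icmp_socket_inodes "$procroot" | while read -r inode table; do
        pids_for_inode "$procroot" "$inode" "$table"
    done
}

icmp_socket_owners "$@"
```

If the report is empty while tcpdump still shows echo requests leaving the host, the sender is not an ordinary process with a socket: look at the kernel (netfilter rules, tunnels, a rootkit) or at a virtual machine or container sharing the interface.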

Case Study of a Cracked Drupal Website

We recently examined a website built on the Drupal CMS. Somehow it had been broken into, and every PDF file on the site had been replaced with one carrying a virus.

After some probing around, we found that the cause was not a vulnerability in the Drupal code. The attackers stole an admin account, changed the site configuration, and then altered the content.

The website had the upload module (part of core) enabled.