Unsecret Tai Chi Techniques on Apache2 and PHP FPM: UNISA Yogyakarta Style

Maybe you have watched a kung fu movie with Tai Chi techniques, where a warrior uses the opponent's own strength to counterattack. We can apply the same trick to hardening an Apache2 and PHP-FPM based server.

Notes:

  • This article is divided into two sections. The first section is in English and the second section is in Bahasa Indonesia.
  • This article is based on UNISA Yogyakarta's experience with Ubuntu Server.

Tai Chi’s Techniques

Void is the beginning of Tai Chi and synchronization is the basic movement of Tai Chi. We will use both to harden an Apache2 and PHP-FPM based server.

— Unsecret Tai Chi Techniques on Apache2 and PHP FPM: UNISA Yogyakarta Style
https://bptsi.unisayogya.ac.id/unsecret-tai-chi-techniques-on-apache2-and-php-fpm-unisa-yogyakarta-style/ 2022-04-18 13:51:53

First Technique: Stances

Write clean and secure code

Clean code can be read, and enhanced by a developer other than its original author. It has unit and acceptance tests. It has meaningful names. It provides one way rather than many ways for doing one thing. It has minimal dependencies, which are explicitly defined, and provides a clear and minimal API. Code should be literate since depending on the language, not all necessary information can be expressed clearly in code alone.

— “Big” Dave Thomas, founder of OTI, godfather of the Eclipse strategy
from Clean Code A Handbook of Agile Software Craftsmanship (Robert C. Martin)

To write secure code, follow the coding principles described in the OWASP Secure Coding Guidelines:

  1. Input Validation
  2. Output Encoding
  3. Authentication and Password Management (includes secure handling of credentials by external services/scripts)
  4. Session Management
  5. Access Control
  6. Cryptographic Practices
  7. Error Handling and Logging
  8. Data Protection
  9. Communication Security
  10. System Configuration
  11. Database Security
  12. File Management
  13. Memory Management
  14. General Coding Practices

Second Technique: Being Void

Hide as much as possible, so that any single component can do only a little.

  1. Make a zoning strategy for public and private areas
    • Create a user and group for the site; the apache2 user (www-data) must not be a member of that group
    • Give minimum permissions to the private area
      Permission of Public Files: 0644
      Permission of Public Directories: 0711, or 0755 (WordPress needs 0755)
      Permission of Configuration/Index PHP Files: 0400
      Permission of All PHP Files: 0600
      Permission of Private Directories: 0711
  2. Do directory isolation
    • Owner of the root directory is root, with permission 0755
    • Owner of the web root directories (under the root directory) is the site user and group (of which apache2 is not a member), with permission 0711
    • Move the root directory of www-data (the default site) to a new folder under the default, owned by root with permission 0755
    • Activate the jail
      • Apache2: DocumentRoot
      • PHP: open_basedir
  3. Turn off allow_url_include in php.ini
    allow_url_include = Off
  4. Remove execution ability in the temporary folder, upload dir, and other risky folders
    • Create an image for PHP's temporary folder
    • Mount PHP's temporary folder, the upload dir, and other risky folders with the noexec option in /etc/fstab
      #mount PHP's temporary image (with type tmpfs the source field is ignored and a RAM-backed filesystem is mounted;
      #use a real filesystem type with the loop option if the image file itself should hold the data)
      /var/imagetmp.img /temporaryphp tmpfs nosuid,nodev,noatime,noexec,mode=1777 0 0
      #mount other folders
      #...
    • Change the temporary folder setting in php.ini to point to the new folder
    • Add this to apache's configuration file (the first Alias argument is the URL path under DocumentRoot, not a filesystem path):
      Alias "/uploads" "/temporaryphp"
      #... other risky folders
      <Directory "/temporaryphp">
      #handing these extensions to the CGI handler while ExecCGI is off makes Apache refuse them with 403
      #(mod_cgi or mod_cgid must be loaded for the cgi-script handler to exist)
      Options -ExecCGI
      AddHandler cgi-script .php .pl .py .jsp .asp .htm .html
      </Directory>

Example

#Create users and groups where apache2 is not included in the group
addgroup newgroup
adduser --no-create-home --ingroup newgroup newuser
#after entering the password (--ingroup already made newgroup the primary group; this also lists it as a supplementary group)
usermod -a -G newgroup newuser
#check that www-data is not a member of the new group
getent group newgroup

#Do directory isolation: Owner of root directory is root with permission 0755
mkdir /var/www/rootdir
chown root:root /var/www/rootdir
chmod 0755 /var/www/rootdir

#Do directory isolation: Owner of web root directories (under root directory) is user and group where apache2 is not included in the group
#chown takes user:group, not group:user
mkdir /var/www/rootdir/webrootdir
chown -R newuser:newgroup /var/www/rootdir/webrootdir
chmod 0711 /var/www/rootdir/webrootdir

#Do directory isolation: Move root directory of www-data to new folder under the default with root as the owner and permission 0755
mkdir /var/www/000-default
chown root:root /var/www/000-default
chmod 0755 /var/www/000-default
#then change DocumentRoot /var/www to /var/www/000-default in /etc/apache2/sites-enabled/000-default.conf

#Permission of Public Files: 0644
find /var/www/rootdir/webrootdir -type f -exec chmod 0644 {} +

#Permission of Private Directories: 0711 (every directory below the web root)
find /var/www/rootdir/webrootdir -mindepth 1 -type d -exec chmod 0711 {} +

#Permission of Public Directories: 0711, or 0755 (WordPress needs 0755)
chmod 0755 /var/www/rootdir/webrootdir/uploads && chmod 0755 /var/www/rootdir/webrootdir/cache
find /var/www/rootdir/webrootdir/uploads -type d -exec chmod 0755 {} + && find /var/www/rootdir/webrootdir/cache -type d -exec chmod 0755 {} +

#Permission of All PHP Files: 0600 (run this before the 0400 step, otherwise it would set index.php back to 0600)
find /var/www/rootdir/webrootdir -type f -name "*.php" -exec chmod 0600 {} +

#Permission of Configurations/Index PHP Files: 0400
cd /var/www/rootdir/webrootdir && chmod 0400 db.php config.php index.php

#website setting in /etc/php/x.y/fpm/pool.d/example-site.conf
[newsubdomain]
user = newuser
group = newgroup
#the socket name must match the one the Apache vhost proxies to
listen = /run/php/phpx.y-fpm-newsubdomain.sock
listen.owner = newuser
listen.group = www-data
listen.mode = 0660
#jail: PHP may only open files under the web root and its temporary folder
php_admin_value[open_basedir] = /var/www/rootdir/webrootdir:/temporaryphp
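An added audit script, not part of the original article, that checks whether the layout above actually holds: no PHP file readable by group or others, no group/world-writable directory, the temporary folder mounted noexec, and www-data not a member of the site group. It assumes the article's paths and names (/var/www/rootdir/webrootdir, /temporaryphp, newgroup, www-data); each check also accepts a file or directory argument so it can be tried on test data.

```shell
#!/bin/sh
# Added audit script (not from the article): verifies the "Being Void" layout.
# Default paths are the article's assumed layout; every check can also be
# pointed at a test directory or file.

# PHP files under $1 that group or others can read or write
# (the article's targets are 0600 for PHP files and 0400 for config/index files).
find_loose_php() {
    find "$1" -type f -name '*.php' \
        \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print | sort
}

# Directories under $1 that group or others can write to (0711/0755 forbid that).
find_writable_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) -print | sort
}

# True when mountpoint $1 is listed with the noexec option in a
# /proc/mounts-style file ($2, default /proc/mounts).
mount_is_noexec() {
    awk -v mp="$1" '$2 == mp { n = split($4, o, ",")
                               for (i = 1; i <= n; i++) if (o[i] == "noexec") hit = 1 }
                    END { exit hit ? 0 : 1 }' "${2:-/proc/mounts}"
}

# True when user $1 is a supplementary member of group $2 in an
# /etc/group-style file ($3, default /etc/group).  Must be false for www-data.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ",")
                                          for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
                                 END { exit hit ? 0 : 1 }' "${3:-/etc/group}"
}

# Run every check against the live system; prints FAIL lines, returns 1 on any failure.
audit() {
    root=/var/www/rootdir/webrootdir; rc=0
    loose=$(find_loose_php "$root"); [ -z "$loose" ] || { echo "FAIL loose PHP files:"; echo "$loose"; rc=1; }
    wdirs=$(find_writable_dirs "$root"); [ -z "$wdirs" ] || { echo "FAIL writable dirs:"; echo "$wdirs"; rc=1; }
    mount_is_noexec /temporaryphp || { echo "FAIL /temporaryphp is not mounted noexec"; rc=1; }
    user_in_group www-data newgroup && { echo "FAIL www-data is a member of newgroup"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit; fi   # run with: sh audit.sh --audit
```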

Third Technique: Synchronize with Attack

Understand the attack and use minimum force (resources) to reflow the attack into void areas.

  1. Use experience or records (logs) to understand the attack
    • Use RewriteCond %{REQUEST_URI} and RewriteCond %{QUERY_STRING} to reflow the attack and give an immediate response
    • Reflow unneeded methods to the Forbidden page
  2. Don't hold the attack; drop it, or reflow it to a dummy resource (void)
    • Turn off PHP on Apache (the mod_php module), so PHP only runs through PHP-FPM
      a2dismod phpx.y
    • Send PHP scripts with the .php extension in public directories to an unlistened PHP-FPM socket with no waiting time (timeout 1ms)
    • Send PHP scripts with the .php extension to the listened PHP-FPM socket

Example

#website setting in /etc/apache2/sites-enabled/example-site.conf
#for example: a path traversal attack seen in the log
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    #Isolation
    DocumentRoot /var/www/rootdir/webrootdir
    ServerName newsubdomain.example.org
    ErrorLog ${APACHE_LOG_DIR}/newsubdomain_error.log
    CustomLog ${APACHE_LOG_DIR}/newsubdomain_access.log combined
    <Directory "/var/www/rootdir/webrootdir">
      #per-directory rewrites are ignored without RewriteEngine On (and need FollowSymLinks or SymLinksIfOwnerMatch in Options)
      RewriteEngine On
      #reflow path traversal; NC because percent-encoding is case-insensitive (%252e is the same as %252E)
      RewriteCond %{REQUEST_URI} (?:%252E%252E%252F) [NC,OR]
      RewriteCond %{QUERY_STRING} (?:%252E%252E%252F) [NC,OR]
      RewriteCond %{REQUEST_URI} (?:\.\./) [OR]
      RewriteCond %{QUERY_STRING} (?:\.\./)
      RewriteRule .* trap.html [L]
      #reflow unneeded methods to the Forbidden page (TRACE itself is disabled separately with TraceEnable off)
      RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|PATCH|TRACK|OPTIONS)
      RewriteRule .* - [F]
      #other settings
    </Directory>
    #Send PHP scripts in public directories to an unlistened PHP-FPM socket: no pool listens there, so the
    #connect fails at once and the client gets 503. The timeout= parameter is whole seconds and 1 is the minimum.
    ProxyPassMatch ^(.*((/temporaryphp/)|(uploads/)|(cache/)))(.*\.php(/.*)?)*$ unix:/run/php/phpx.y-fpm-newsubdomain-forbid.sock|fcgi://localhostnewsubdomain_forbid timeout=1
    #Send PHP scripts with .php extension to the listened PHP-FPM socket
    <FilesMatch "\.php$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php/phpx.y-fpm-newsubdomain.sock|fcgi://localhost/"
        </If>
    </FilesMatch>
    #other settings
  </VirtualHost>
</IfModule>
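An added example, not from the original article, for the "use the log to understand the attack" step: it reads an access log in the combined format the vhost above writes, reports which clients sent requests that the traversal RewriteCond rules would reflow (raw ../ or double-encoded %252E%252E%252F, matched case-insensitively), and counts requests per method so unneeded methods can be picked for the REQUEST_METHOD rule. The log lines embedded in it are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the article): triage of an Apache "combined" access
# log against the patterns the article's rewrite rules act on.
# SAMPLE_LOG is constructed test data, not real traffic.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2022:10:00:01 +0700] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [01/Jan/2022:10:00:02 +0700] "GET /uploads/%252e%252e%252fconfig.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - - [01/Jan/2022:10:00:05 +0700] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2022:10:00:06 +0700] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.4 - - [01/Jan/2022:10:00:09 +0700] "PUT /uploads/note.txt HTTP/1.1" 405 0 "-" "python-requests/2.25"'

# The two shapes the article's RewriteCond lines look for: a raw ../ and the
# double-encoded %252E%252E%252F.  Case-insensitive, because percent-encoding
# may be written in either case.
TRAVERSAL_RE='\.\./|%252e%252e%252f'

# True when a request path (with its query string) would be sent to trap.html.
would_reflow() {
    printf '%s\n' "$1" | grep -qiE "$TRAVERSAL_RE"
}

# "count ip" for every client with a traversal-shaped request line in log $1,
# most active first.  The awk regex mirrors TRAVERSAL_RE (awk -v would mangle the backslashes).
traversal_hits() {
    awk -F'"' 'tolower($2) ~ /\.\.\/|%252e%252e%252f/ { split($1, a, " "); n[a[1]]++ }
               END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# "count METHOD" over log $1, to decide which methods are unneeded and can be
# forbidden by the REQUEST_METHOD rule.
method_counts() {
    awk -F'"' '{ split($2, r, " "); m[r[1]]++ } END { for (k in m) print m[k], k }' "$1" | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "traversal hits per client:"; traversal_hits "$f"
    echo "requests per method:"; method_counts "$f"
    rm -f "$f"
fi
```

Point the functions at ${APACHE_LOG_DIR}/newsubdomain_access.log to run them on the real log.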

By basit

Biro Pengembangan Teknologi Dan Sistem Informasi