Dip Your Toes in the Sea of Security (phpDay 2016)
@asgrim
Dip Your Toes in the Sea of Security
James Titcumb, phpDay 2016
Who is this guy?
James Titcumb
www.jamestitcumb.com
www.roave.com
www.phphants.co.uk
www.phpsouthcoast.co.uk
Some simple code...
<?php
$a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);
The Golden Rules (my made up golden rules)
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything
OWASP & the OWASP Top 10
https://www.owasp.org/
(The "#n" numbers on the slides that follow are positions in the OWASP Top 10 of 2013, the current list at the time of the talk.)
Application Security (mainly PHP applications)
Always remember…
Filter Input, Escape Output
© 2003 Disney/Pixar. All Rights Reserved.
SQL Injection (#1)
1. Use PDO / mysqli
2. Use prepared / parameterized statements
SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
// the attacker-controlled value is interpolated straight into the SQL text
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql); ✘
SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
// PDO: bind the value as a parameter; it travels separately from the SQL text and never becomes part of it
$stmt->bindValue(':userid', $user_id, PDO::PARAM_INT);
$stmt->execute(); ✓
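To see the difference the prepared statement makes, here is an added example that is not code from the talk: the same lookup run both ways against an in-memory SQLite database through PDO. It assumes the pdo_sqlite extension is available; the users table, its two rows and the '1 OR 1=1' payload are constructed for the demo (a stacked "DROP TABLE" payload like the one on the slide would not run here, because SQLite compiles only the first statement of a string, so a tautology is used instead).

```php
<?php
// Added example (not from the talk): one lookup done two ways against an in-memory
// SQLite database via PDO, so the effect of the injection is visible without a server.
// Table, rows and payload are constructed for the demo.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    return $db;
}

// ✘ String interpolation: whatever the client sent becomes part of the SQL.
function findUserUnsafe(PDO $db, string $userId): array
{
    $rows = $db->query("SELECT user_id, email FROM users WHERE user_id = {$userId}");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// ✓ Prepared statement: the value is bound as a parameter and compared as one value.
function findUserSafe(PDO $db, string $userId): array
{
    $stmt = $db->prepare('SELECT user_id, email FROM users WHERE user_id = :userid');
    $stmt->bindValue(':userid', $userId);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = demoDb();
$payload = '1 OR 1=1'; // constructed tautology payload, as sent in ?user_id=...

// Honest request: both return exactly one row.
printf("unsafe, honest input: %d row(s)\n", count(findUserUnsafe($db, '1')));      // 1
printf("safe,   honest input: %d row(s)\n", count(findUserSafe($db, '1')));        // 1

// Malicious request: interpolation leaks every user, the prepared version leaks none.
printf("unsafe, payload:      %d row(s)\n", count(findUserUnsafe($db, $payload))); // 2: WHERE became "user_id = 1 OR 1=1"
printf("safe,   payload:      %d row(s)\n", count(findUserSafe($db, $payload)));   // 0: the whole string is one value, no row has it
```

On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by client-side quoting, and filter the input first: an id should have been validated as an integer long before it reaches the query.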
exec($_GET)
https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
eval()
https://github.com/search?q=eval%28%24_GET&type=Code&ref=searchresults
(GitHub code searches for request parameters passed straight into exec() and eval(): command injection and code injection, the same Injection category as SQL injection.)
Cross-Site Scripting / XSS (#3)
● Escape output
<?php
$unfilteredInput = '<script type="text/javascript">...</script>';
// Unescaped - JS will run :'(
echo $unfilteredInput;
// Escaped - JS will not run :)
echo htmlspecialchars($unfilteredInput, ENT_QUOTES, 'UTF-8');
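htmlspecialchars() is the right escaper for HTML text and quoted attribute values, but output also lands in URLs and inline scripts, where it is not enough. The following is an added example, not from the talk, showing one escaper per context against a constructed attacker string; it assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR), and the helpers e(), greeting(), safeLink() and inlineScript() are the example's own names.

```php
<?php
// Added example (not from the talk): escape output for the context it lands in.
// Attacker strings below are constructed for the demo.
declare(strict_types=1);

function e(string $s): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML text and a *quoted* attribute: e() is sufficient. An unquoted attribute would not be.
function greeting(string $name): string
{
    return '<p title="' . e($name) . '">Hello, ' . e($name) . '</p>';
}

// href context: "javascript:" passes through htmlspecialchars() untouched, so escaping is
// not enough. Allow only http(s) URLs, otherwise fall back to a harmless value.
function safeLink(string $url, string $text): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $ok = filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    return '<a href="' . e($ok ? $url : '#') . '">' . e($text) . '</a>';
}

// JavaScript context: emit a JSON literal. The JSON_HEX_* flags turn < > & ' " into \uXXXX,
// so the value cannot close the surrounding <script> element.
function inlineScript(string $value): string
{
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var name = ' . $json . ';</script>';
}

$attack = '"><script>alert(1)</script>';

echo greeting($attack), "\n";
// <p title="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">Hello, &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</p>

echo safeLink('javascript:alert(1)', 'click'), "\n";      // <a href="#">click</a>
echo safeLink('https://example.com/?a=1&b=2', 'ok'), "\n"; // <a href="https://example.com/?a=1&amp;b=2">ok</a>

echo inlineScript('</script><script>alert(1)</script>'), "\n";
// <script>var name = "\u003C\/script\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>
```

The general rule is the one on the "Filter Input, Escape Output" slide: escaping is done at the point of output, with the escaper chosen by where the output goes, not once at input time.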
Cross-Site Request Forgery / CSRF (#8)
http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
<?php
if (!$isPost) {
    // Unpredictable token: random_bytes() is PHP 7+, use paragonie/random_compat on PHP 5.
    // Note: generating a new token on every GET invalidates the form still open in another tab;
    // one token per session is the usual compromise.
    $csrfToken = base64_encode(random_bytes(32));
    $_SESSION['csrf_token'] = $csrfToken;
    // ... output the form ...
    echo '<input type="hidden" name="csrf_token" value="' . $csrfToken . '" />';
} else if ($isPost) {
    // Reject unless the submitted token matches the one in the session.
    // hash_equals() compares in constant time (see the timing attacks slides below).
    if (!isset($_SESSION['csrf_token'], $_POST['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        die("Token invalid...");
    }
    // ... handle the form ...
}
Timing attacks
From zend_is_identical:
return (Z_STR_P(op1) == Z_STR_P(op2) ||
    (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) &&
    memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
Timing attacks
Step 1, find the length: the length check short-circuits before memcmp is reached, so only the guess with the right length takes measurably longer.
Actual string: “foobar”
● a (0.00001)
● aa (0.00001)
● aaa (0.00001)
● aaaa (0.00001)
● aaaaa (0.00001)
● aaaaaa (0.00002) ← success!
● aaaaaaa (0.00001)
● aaaaaaaa (0.00001)
● aaaaaaaaa (0.00001)
Timing attacks
The reference memcmp below returns at the first differing byte, so the time taken grows with the length of the matching prefix:
int memcmp(const void* s1, const void* s2, size_t n)
{
    const unsigned char *p1 = s1, *p2 = s2;
    while(n--)
        if( *p1 != *p2 )
            return *p1 - *p2;
        else
            p1++,p2++;
    return 0;
}
http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
Timing attacks
Step 2, find the bytes: with the length known, each position is brute-forced on its own, one byte at a time.
Actual string: “foobar”
● “aaaaaa” (0.00001)
● “baaaaa” (0.00001)
● …
● “faaaaa” (0.00002) ← success!
● “fbaaaa” (0.00002)
● “fcaaaa” (0.00002)
● …
● “foaaaa” (0.00003) ← success!
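As an added example (not from the talk), here is the leaking comparison next to a constant-time one written out in PHP, so the XOR-accumulate idea is visible; in real code call hash_equals(), which is what the CSRF slide uses. The secret, the guesses and the HMAC key are constructed for the demo, and leakyEquals()/ctEquals() are the example's own names.

```php
<?php
// Added example (not from the talk): an early-exit comparison versus a constant-time one.
// Use hash_equals() in real code (PHP 5.6+); ctEquals() only shows what it does inside.
declare(strict_types=1);

// Early-exit comparison (what === / memcmp do): the time taken depends on how many
// leading bytes match, so an attacker can recover the secret one byte at a time.
function leakyEquals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return false; // <- the leak: returns as soon as a byte differs
        }
    }
    return true;
}

// Constant-time comparison: always visits every byte, ORs the XOR of each pair into an
// accumulator and decides only at the end. It still reveals the length (so does
// hash_equals()), which is fine for fixed-length tokens and MACs.
function ctEquals(string $known, string $user): bool
{
    $n = strlen($known);
    if ($n !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

$secret = 'foobar'; // constructed secret, as on the slides

var_dump(leakyEquals($secret, 'faaaaa'), ctEquals($secret, 'faaaaa')); // bool(false) bool(false)
var_dump(leakyEquals($secret, 'foobar'), ctEquals($secret, 'foobar')); // bool(true)  bool(true)
var_dump(hash_equals($secret, 'foobar'));                               // bool(true)

// Where it matters: checking a MAC or token the client supplied against the expected one.
$expectedMac = hash_hmac('sha256', 'message', 'server-key'); // constructed key
$suppliedMac = hash_hmac('sha256', 'message', 'server-key');
var_dump(hash_equals($expectedMac, $suppliedMac));             // bool(true)
```

The argument order of hash_equals() matters: the known, server-side string goes first, the user-supplied one second.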
Sensitive Data Exposure (#6)
curl + https
<?php
// ✘ Certificate validation switched off: any man-in-the-middle can present any certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
✘
curl + https
<?php
// ✓ 2 = check that the certificate's name matches the host. Use the number 2, not true:
//   true is cast to 1, which is not a valid setting
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// path to a bundle of trusted CA certificates (only needed if the system bundle is not found)
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate");
✓
Third Party Code
!!! WARNING !!!
github.com/ /SecurityAdvisories
We are not all security experts!
… but we CAN write secure code
Hack your own system!
What do you want?
Think like a hacker
How do you get it?
Think Differently
Threat Modelling: D.R.E.A.D.
© Buena Vista Pictures
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Rank them in order (score each threat on the five axes above and rank by the total)
And fix them!
Authentication & Authorization
Authentication: Verifying Identity
Case Study: Custom Authentication
We thought about doing this… ✘
Password Hashing
password_hash()
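An added example, not from the talk, of the password_hash() family used end to end: register, verify, and rehash on login when the cost changes. The in-memory $users array, the usernames and the cost of 12 are assumptions for the demo; pick the cost by timing it on your own hardware.

```php
<?php
// Added example (not from the talk): password_hash()/password_verify() round trip,
// plus the rehash check needed when the cost factor or algorithm changes.
// The user store is an in-memory array constructed for the demo.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;  // bcrypt today; PHP may change the default in a later release
const HASH_OPTIONS = ['cost' => 12];    // assumption: tune so one hash takes ~100 ms on your hardware

function register(array &$users, string $username, string $password): void
{
    // The salt is generated and embedded in the returned string; the plaintext is never stored.
    $users[$username] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

function login(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the user is unknown, so the response time does not
    // reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS);
    }
    $hash = $users[$username]['hash'] ?? $dummy;

    $ok = password_verify($password, $hash);
    if (!$ok || !isset($users[$username])) {
        return false;
    }
    // Upgrade hashes made with older settings on a successful login, the only moment
    // the plaintext is available to hash again.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');

var_dump(login($users, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(login($users, 'alice', 'wrong password'));               // bool(false)
var_dump(login($users, 'mallory', 'anything'));                   // bool(false)

// A hash made earlier with a lower cost is still accepted, then upgraded on login.
$users['alice']['hash'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(login($users, 'alice', 'correct horse battery staple'));        // bool(true)
var_dump(password_get_info($users['alice']['hash'])['options']['cost']); // int(12)
```

On PHP 5.3 to 5.4 the same API is provided by ircmaxell/password_compat from the resources list.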
Authorization: Verifying Access
CRYPTOGRAPHY IS HARD
NEVER EVER “ROLL YOUR OWN”
EVER!!!
How to encrypt then?
I’ve got some great ideas for encryption...
Image: The Guardian (http://goo.gl/pUkyvO)
How to encrypt then? libsodium PECL package
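An added example, not from the talk, of authenticated encryption with libsodium's secretbox. It uses the sodium_* functions bundled with PHP since 7.2; in 2016 the same primitives came from the PECL extension the slide refers to, under its own function naming. The key is generated inside the script only for the demo, the sample plaintext is constructed, and encrypt()/decrypt() are the example's own helpers.

```php
<?php
// Added example (not from the talk): authenticated encryption with libsodium's
// secretbox (XSalsa20-Poly1305) through the sodium_* functions bundled with PHP 7.2+.
// The key is generated here only for the demo; in a real system it comes from a
// secret store, never from the code.
declare(strict_types=1);

function encrypt(string $plaintext, string $key): string
{
    // A fresh random nonce per message is mandatory; it is not secret, so it is prepended.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function decrypt(string $blob, string $key): string
{
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce      = substr($blob, 0, $nonceLen);
    $ciphertext = substr($blob, $nonceLen);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // The Poly1305 tag did not verify: wrong key or modified data. No partial plaintext comes back.
        throw new RuntimeException('decryption failed: bad key or tampered ciphertext');
    }
    return $plaintext;
}

$key  = sodium_crypto_secretbox_keygen();                   // 32 random bytes
$blob = encrypt('card number 4111 1111 1111 1111', $key);   // constructed sample plaintext

var_dump(decrypt($blob, $key) === 'card number 4111 1111 1111 1111'); // bool(true)

// Flip one bit of the ciphertext: authentication fails and nothing is decrypted.
$tampered = $blob;
$last     = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decrypt($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // decryption failed: bad key or tampered ciphertext
}

// Wrong key: the same failure; the ciphertext does not say which of the two it was.
try {
    decrypt($blob, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

sodium_memzero($key); // wipe the key once finished with it
```

The point of secretbox over a bare cipher is the authentication tag: modified or mis-keyed ciphertext is rejected outright instead of being decrypted into garbage that the application then has to trust.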
Linux Server Security
Create an SSH Fortress
Firewalls
iptables
#!/bin/bash
IPT="/sbin/iptables"
$IPT --flush
$IPT --delete-chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Replies to connections that were already allowed. Without these two rules the OUTPUT DROP
# policy also drops sshd's reply packets and the responses to your own outbound requests,
# and you lock yourself out of the box.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound traffic
$IPT -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Outbound traffic
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
ufw
# add the SSH rule before enabling: ufw's default policy is deny incoming, so enabling
# first on a remote box cuts off your own session
sudo ufw allow 22
sudo ufw allow 80
sudo ufw enable
Mitigate Brute Force Attacks
Install Only What You Need
Case Study: Be Minimal
[Diagram; labels: Internets, Postfix, Squid Proxy (badly configured), hacker, spam]
Resources
● http://securingphp.com/
● https://www.owasp.org/
● http://blog.ircmaxell.com/
● https://github.com/paragonie/random_compat
● https://github.com/ircmaxell/password_compat
● https://paragonie.com/blog
● https://websec.io/resources.php
The Golden Rules
1. Keep it simple
2. Know the risks
3. Fail securely
4. Don’t reinvent the wheel
5. Never trust anything / anyone
If you follow all this, you get...
Any questions? :)
https://joind.in/talk/fc2dc
James Titcumb