Satpam part 2

| Thursday, September 27, 2007

Satpam 1

| Wednesday, September 26, 2007

Security professionals break the term security into three parts: confidentiality, integrity, and availability.
1. Confidentiality (secrecy)
Confidentiality is all about determining the appropriate level of access to information: access rights for data, files, and folders.

2. Integrity (wholeness)
No data is lost (the data stays intact, without modification).

3. Availability
The data is available when it needs to be accessed, which leads to thinking about backups of data or systems.

Risk identification
1. Attack
An attack against a system is an intentional attempt to bypass system security controls or organizational policies to affect the operation of the system (active attack) or gain access to information (passive attack). Attacks can be classified into insider attacks, in which someone from within an organization who is authorized to access a system uses it in an unauthorized way, or outsider attacks, which originate outside of the organization's security perimeter, perhaps on the Internet at large.
In order for active and passive attacks to succeed, something must be at fault. Attacks necessarily leverage fundamental behavioral problems in software, improper configuration and use of software, or both. In this chapter, we examine these classes of attacks including the special-case denial of service (DoS) attack.

2. Software problems
2.1 Buffer overflow
2.2 SQL injection
There are, of course, ways to defend against SQL injection attacks from within web applications. One common approach is to parse every value provided by the user. Make sure it doesn't contain any undesirable characters like backticks, quotes, semi-colons, and so on. Also ensure that the valid characters are appropriate for the value being returned. To get around the problem completely, developers may be able to use stored procedures and avoid dynamically creating SQL.
2.3 Other software problems

Protection:

Being aware of vulnerabilities is a good first step.
Install third-party software that is known to have few bugs.
Follow the relevant mailing lists diligently.
Always apply patches.
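
The defenses from 2.2 above, shown as an added example that is not part of the original post: a lookup that builds its SQL dynamically, next to one that checks the value against an allowlist and binds it as a parameter. Bound parameters stand in here for the stored procedures the text mentions (both avoid dynamically created SQL); the table, function names and sample values are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_vulnerable(db, name):
    # Dynamically created SQL: the user's value becomes part of the statement,
    # so a quote in it changes what the statement means.
    query = "SELECT secret FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]


# Allowlist: only the characters that are appropriate for a user name.
VALID_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_hardened(db, name):
    # 1. Check the value against what is valid for this field.
    if not VALID_NAME.fullmatch(name):
        raise ValueError("invalid user name")
    # 2. Bind the value as a parameter so it is never parsed as SQL.
    rows = db.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing quotes
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("hardened, valid name:", lookup_hardened(db, "alice"))
    try:
        lookup_hardened(db, crafted)
    except ValueError as err:
        print("hardened, crafted input:", err)
```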

3. DoS attack
DoS attacks are active—they seek to consume system resources and deny the availability of your systems to legitimate users. The root cause of a system or network being vulnerable to a DoS attack may be based on a software vulnerability, as a result of improper configuration and use, or both. DoS attacks can be devastating, and depending on how they are carried out, it can be very difficult to find the source. DoS attacks have a diverse list of possible targets.

Target: physical
DoS attacks can occur at the physical layer. In an 802.11 wireless network, an attacker can flood the network by transmitting garbage in the same frequency band as the 802.11 radios.

Target: network
At the data link and network layers, traffic saturation can interfere with legitimate communications. Flooding a network with illegitimate and constantly changing ARP requests can place an extreme burden on networking devices and confuse hosts. Attempting to push a gigabit of data per second through a 100 Mbps pipe will effectively overrun any legitimate network traffic. Too much traffic is perhaps the quintessential example of a DoS attack.

Target: application
These DoS attacks generally use up some finite resource on a host such as CPU, memory, or disk I/O. An attacker may send several application requests to a single host in order to cause the application to consume an excessive amount of system resources.
She may simply exploit a bug in code once that causes the application to spiral out of control or simply crash. Some services that fork daemons at every new connection may be subject to a DoS if tens or hundreds of thousands of connections are made within a short period of time.

Protection:
Physical -> use a load balancer.
Network -> IDS hosts may be used to help detect these kinds of attacks and automatically update firewall or router configurations to drop the traffic.
Application -> secure architecture and build, controlled maintenance, and monitoring logs.

4. Poor configuration
4.1 Careless configuration
4.2 Account access
File permissions, setuid (access is granted based on the ID only, not on the user name).
-r-sr-xr-x 1 root wheel 23392 Jun 4 21:57 traceroute

To find setuid and setgid files on your BSD system, run the following command:

% find / -type f \( -perm -2000 -o -perm -4000 \) -print

Securing apache part 2

| Thursday, September 20, 2007

1. Listen port
If the host has several IP addresses, specify the one to listen on with Listen IPV4:80

TimeOut: default 300 seconds. Can be lowered (DoS attack concern).
KeepAliveTimeout: default 5 seconds. Can be lowered, but do not disable it.
LimitRequestBody: default 0 bytes (unlimited). Restricts the total size of the HTTP request body sent from the client. If DoS attacks are occurring as a result of large requests, limit request size.
LimitRequestFields: default 100 fields. Limits the number of HTTP request header fields that will be accepted from the client. If DoS attacks are occurring as a result of too many HTTP request headers, lower this number.
LimitRequestFieldSize: default 8190 bytes. Limits the size of the HTTP request header allowed from the client.
LimitRequestLine: default 8190 bytes. Sets the number of bytes that will be allowed on the HTTP request-line.
MaxClients: default 256 requests. Sets the limit on the number of simultaneous requests that will be served.

Securing apache

|

How to secure Apache, part 1:
1. Make sure the latest security patches are installed.
2. Hide information about the server by adding the following lines to httpd.conf:
ServerSignature Off
ServerTokens Prod
3. Do not run Apache as an administrative user; create a separate user and group instead, e.g. user www, group www.
4. To stop Apache from accessing anything outside its document root, do the following (the path in the second block is a placeholder for your own document root):

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

<Directory /path/to/document/root>
Order Allow,Deny
Allow from all
</Directory>

To disable directory browsing, add the following inside the <Directory> block:
Options -Indexes

To disable server-side includes, add the following inside the <Directory> block:
Options -Includes

It can also be written like this: Options -ExecCGI -FollowSymLinks -Indexes
Or, to disable everything at once, simply use Options None.

5. Turn off support for .htaccess files
Add AllowOverride None inside the <Directory> block.

Note:
If you do use overrides, make sure the .htaccess file cannot be downloaded, or rename it to something other than .htaccess. For example, rename it to .httpdoverride and block all access to files whose names start with .ht, as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

6. Disable modules that are not needed:
grep LoadModule httpd.conf
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex
These modules are rarely needed in most setups.

7. Make sure only root has access to the binaries and config files
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

8. Lower the Timeout value to guard against DoS attacks
Timeout 60

9. Limiting large requests
LimitRequestBody 1048576 (limits uploads to 1 MB)

10. Limiting Concurrency
Apache has several settings for handling many simultaneous requests :P.
MaxClients: the maximum number of child processes that will be created to serve requests. Do not set it too high if your memory is limited.

Other directives are MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit, and MaxSpareThreads. Adjust these to suit the OS and hardware of the system.

11. Restrict web access to certain IPs / networks

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

12. KeepAlive setting
On by default. It can be tuned with MaxKeepAliveRequests 100 and KeepAliveTimeout 15. Check the logs and adjust as needed.

13. If you are already used to running chroot or a jail, even better :P.

I swear this is not the result of my own tinkering :P; it is a collection of things found by googling and trial and error :P.
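
A way to check a configuration against the checklist above (ServerSignature, ServerTokens, User, Timeout, LimitRequestBody, Options, AllowOverride), as an added example that is not part of the original post or of Apache itself. The function names and the sample configuration are constructed, and the scan is flat: it ignores which <Directory> section a directive sits in.

```python
# Values assumed when a directive is absent: Timeout 300 and LimitRequestBody 0
# as quoted on this page; ServerSignature Off and ServerTokens Full are Apache's
# documented defaults. The 60-second threshold comes from step 8 of the checklist.

WEAK_CONF = """\
# constructed sample, not a real server's configuration
ServerTokens Full
ServerSignature On
User root
Timeout 300
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""


def parse_directives(conf_text):
    """Map lower-cased directive name -> list of argument strings, in file order."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip blanks, comments, section tags
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found


def audit(conf_text):
    d = parse_directives(conf_text)
    last = lambda name, default: d.get(name, [default])[-1]  # last occurrence wins
    findings = []
    if last("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is not Off")
    if last("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod")
    if last("user", "").lower() in ("root", "#0"):
        findings.append("User is root")
    if int(last("timeout", "300")) > 60:
        findings.append("Timeout is above 60 seconds")
    if int(last("limitrequestbody", "0")) == 0:
        findings.append("LimitRequestBody is 0 (unlimited)")
    for opts in d.get("options", []):
        for opt in opts.split():
            if not opt.startswith("-") and opt.lstrip("+").lower() in ("indexes", "includes", "all"):
                findings.append("Options enables " + opt.lstrip("+"))
    for value in d.get("allowoverride", []):
        if value.lower() != "none":
            findings.append("AllowOverride is " + value + ", so override files are honoured")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WARN:", finding)
```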

Blocking a MAC address

| Thursday, September 06, 2007

To enable filtering at layer 2, add net.link.ether.ipfw=1 to sysctl.conf, or set it at runtime:
# sysctl net.link.ether.ipfw=1

Example:
# ipfw -q add 2 deny mac 00:21:E8:21:A4:BD any
Deny from any source MAC address to destination MAC address 00:21:E8:21:A4:BD.
As explained in the manual...
{ MAC | mac } dst-mac src-mac.

For the full details, see: http://www.hmug.org/man/8/ipfw.php