Académique Documents
Professionnel Documents
Culture Documents
Purpose:
ThisdocumentisintendedforsystemadministratorswhowanttodeploytheirMuraCMS,Railo,Tomcat,andJRE
stackinasecurebuteasytofollowmanner.Thisdocumentisnotintendedtoguaranteefoolproofsecurity,but
ratherserveasasetofguidelinesforcommonsecuritymindedbestpractices.Itisimportantforthereaderto
understandthatnosystem,nomatterhowwellprotected,willeverbe100%guaranteedsecurehowever,by
followingthesesimpleguidelinesthereadercanensurethattheirsystemswilldeterthevastmajorityofcommon
intrusiontechniques.
Thisdocumentwillassumethatyou,thereader,willhavebasicknowledgeofinstallingCentOSLinuxandediting
fileswithinitusingtheeditorofyourchoice.
PreparingYourServer
1. StartWithaBlankSlate
ItisrecommendedthatyourbeginbyinstallingafreshcopyofCentOS6ontoyourserver.Thefreshcopy
oftheOperatingSystemwillensurethattherearenolingeringabnormalitiesinthesystemyou'llbe
installingyourRailostackonto.
ItisalsorecommendedthatyouperformaminimalinstallofCentOS,asitwillmeanthatonlythebare
minimumwillbeinstalledinitially.Anythingthatyouneedtoaddyoucanaddmanually.Thisalsomeans
thatyouwon'thaveanysuperfluousprogramsrunningorevenavailableontheserveritself,andagainit
willminimizetheinitialattackvectorsavailableonyourserver.
2. StartWithaVeryMinimalandRestrictiveFirewall
Duringtheinstallationprocess,theCentOSinstallerwillpromptyouifyouwanttoconfigureanyinitial
firewallrules.Itisrecommendedthatyoubothenablethefirewall,andonlyallowthemostbasicfirewall
exceptions,suchasSSHaccess(port21)andHTTPaccess(port80).Again,thiswillminimizetheattack
vectorsthatanattackercouldexploit.
Oncetheinitialminimalfirewallisconfiguredbytheinstallationprocess,youshouldonlyaddrulesas
absolutelynecessaryandifyoucan,addincomingIPAddressrestrictionsonthemsothatonly
connectionscomingfromapprovedrangeswillbeabletoconnect.Forexample,thefollowingrule(added
byeditingthe/etc/sysconfig/iptablesfilewhichwascreatedbytheinstallprocess)wouldrestrictwhocan
connecttoyourSSHporttoonlyaspecificClassCrangeofIPAddresses:
ARHFirewall1INPUTmstatestateNEWmtcpptcpdport22s192.168.254.0/24jACCEPT
Notethelineabove,thedportorDestinationPortisport22,whichisthedefaultSSHport.Next,note
theIPrangeweusedasanexamplehere,whichis192.168.254.0averycommoninternalnetwork
range.PleaseadjusttheallowedIPrangesasnecessaryforyournetwork.
Onceyou'veaddedoreditedthelinefortheSSHport22,don'tforgettorestarttheiptablesfirewallwiththe
followingcommand:
#/etc/init.d/iptablesrestart
or...
#serviceiptablesrestart
Whicheveryouprefer.
3. InstallAllAvailablePatches
Itisimportanttoinstallallavailablepatchesassoonaspossibleonyournewsystem.Youcanpatchthe
systemmanuallywiththefollowingcommands:
#yumyupgradeyum
#yumyupgrade
AslongasyoursystemhasaccesstotheInternetandisabletodownloadfilesfrompublicrepositories,
YUMwillgodownloadallthelatestpatchesthatareavailableforyoursystem.
ThefirstcommandupdatestheYUMprogramitself.ThenextlinetellsYUMtograballotheravailable
updates.BecauseYUMitselfwasjustupdated,itshouldhavethemostrecentpatchinginformation
availabletoit.
4. ConfigureAutomaticOSPatching
Nowthatthesystemisallpatchedup,weneedtoconfigureaprocessthatwillrunthosesameupdates
onaregularbasis.Iwouldrecommendnightlyforthemostuptodatepatching.Also,ifyourunnightly,
chancesaregoodthatthepatchdownloadwillbequickandsmalleverytime.
Todothis,wefirstneedtocreateashellscriptusingthetexteditorofourchoice.Let'scallit
yumupdate.sh.Now,weneedtoaddthefollowingcommandstoit:
#!/bin/bash
/usr/bin/yumyupgradeyum
/usr/bin/yumyupgrade
Onceyou'veaddedthoselines,savethefileandplaceitineitherofthefollowingdirectories:
/etc/cron.daily/yumupdate.sh
/etc/cron.weekly/yumupdate.sh
Justtobeclear,filesplacedincron.dailywillberuneveryday,andfilesplacedincron.weeklywillberun
eachweek.Theexacttimethateachareexecutediscontrolledbythe/etc/crontabfile,whichyoucanalso
customizeasneeded.
InstallMinimalApacheModules
AsApachewillmostlikelybeyourmostprominentandmostimportantpublicfacingserver,itisagood
ideatokeepitassimpleaspossibletokeepattackvectorsataminimum.Don'tinstallmodulesthat
you'renotsureyou'lluse,suchasPHP,userdirectorysupport,orCGIBINsupport.
HideApacheVersionNumber
YoucantellApachetohideitsversionnumberbymodifyingtheServerTokensattributeinthemain
Apacheconfigfile(httpd.confinRHEL/CentOSorapache2.confinDebian/Ubuntu):
ServerTokensProd
SettingthisvaluewillcauseApachesimplytoreportApacheandnotincludeaversionnumber.
Youcanalsodisabletheserversignature,whichisdeisplayedatthebottomofanyerrormessages
Apachegenerates,byusingthefollowingparameter:
ServerSignatureOff
5. AdditionalSuggestionsfortheSecurityMinded
a. RunSSHonanonstandardport(insteadofport22)
b. LeaveSELinuxenabledandcreaterulestoallowRailotofunctionthroughit(PeteFreitag/
FoundeocanprovideadditionalassistanceingettingSELinuxworkingwithRailo)
UsingtheRailoInstaller
1. ConsideraNonStandardInstallationDirectory
ThestandardinstallationdirectoryforRailois/opt/railo/.Ifanattackerknowsthistheycancraftattacks
basedoffthatinformation.Forexample,attackswhichuseparentdirectorytraversalmechanisms,such
as../../opt/railo/intheURLs.Anonstandardinstallationdirectorywillsimplymakeyourserverless
vulnerabletocustomizedattacks.Maybesomethingunpredictablelike/railo042178/or
/opt/cfml/server/railorocks/
Thedownsideofthisisthatdocumentationisoftenwrittenwiththedefaultsinmind,andmanyexamples
arebasedonthedefaults.Asareader,youwillberequiredtointerpolatethedefaultdocumentationfor
yourownspecificenvironment.
2. BeCreativeWithYourDedicatedRailoSystemUser
Itisfarmoredifficulttobruteforceausernameandpasswordcombinationifanattackerhasnoidea
wheretobeginwithausername.Tothatend,becreativewhenyoupickausernameforyournewRailo
installation.Donotuseobvioususernamessuchasadminorrailo,butstillkeepitrecognisableand
memorable.Forexample,youcouldcallyournewRailousertheflash,afterthespeedybutfictional
superherocharacter.Youknow...becauseherunsfast.
3. ConsiderUsingaPhraseasaPassword
Usingphrasesaspasswordsisnotanewidea,butitispossibletodowithRailoandisaprovenmethod
foraddressingbruteforcepasswordbreakinsaswellasmakesiteasytorememberaspecific
password.Forexample,considerthefollowingpassphrase:
Ialwaysthoughtaboutgetting1butIneverdid!
Thisphrasemakesanexcellentpassword.Asfarasnumberofcharactersgoes,it'sawhopping49
characterslong.Itcontainsamixofupperandlowercaseletters,numbers,andspecialcharacters.Inthe
worldofpasswords,thiseasytorememberphraseisabehemoth,andveryunlikelytobebruteforced
unlesssomeoneknewyouwereusingaphraseandspecificallytargetedthatkindofapassphrase.At
thetimeofthiswriting,mostbruteforceattacksdonotspecificallytargetfullphrases.
Evenifyoudon'tdecidetouseaphraseasapassword,it'sagoodideatouseasmanycharactersas
youcanrememberandmixitupwithletters(mixedcase),numbers,andspecialcharacters.
LockingDownYourRailoStack
1. OpenPort8888OnlytoaSpecificIPPort8888inadefaultRailoInstallerconfigurationistheTomcat
webserverport.ThisportisusedasthedefaultaccesspointfortheRailoServerAdministrator.Asthe
serveradministrator,youwilllikelyaccessthisURLinordertoimplementserverwidepolicyforyourRailo
server.
RestrictaccesstothisporttoonlyasingleIPviatheCentOSfirewallbyeditingthe/etc/sysconfig/iptables
fileandaddingalinesimilartothefollowing:
ARHFirewall1INPUTmstatestateNEWmtcpptcpdport8888s192.168.254.250jACCEPT
Asbefore,editthesourceIPaddressbychanging192.168.254.250towhateverisappropriateforyour
network.
2. DoNotOpenPorts8005(Shutdown)or8009(AJP)tothePublic
TheRailo4BETA3andnewerinstallerswillusemod_proxy_htmlbydefault,sotheAJPport8009,while
available,isnotusedbydefault.IfyouneedtoopentheAJPporttoanexternalwebserverinorderto
connecttoitfrommod_proxy_ajpormod_jk,thenitisrecommendyouonlyopenport8009totheIP
addressofthewebserverthatneedstoconnecttoit.Youcanuseafirewalllinesimilartotheexample
aboveandchangetheportandIPtomatchyournetwork.
TheTomcatShutdownport8005bydefaultshouldnotbeopentothepublic.Itisrecommendedthat
youonlyinitiateTomcatshutdowncommandsfromthelocalconsole.
3. BlockAccesstoRailoAdministratorsThroughApache
InyourApachehostconfigurationforthesiteorsitesyouwillbeservingthroughApacheandRailo,you
canaddthefollowinginordertodenyaccesstoallbutapprovedIP's:
<Location/railocontext/admin>
Orderdeny,allow
Denyfromall
Allowfrom192.168.254.250
Allowfrom127.0.0.1
</Location>
ThissameconceptcanbeimplementedtodenyaccesstotheMuraAdministrator.Ifassetsinthe
railocontextarenotneeded(egcfformjavascript),thenyoumayblocktheentire/railocontext/insteadof
justtheadministrator.
4. LockdownApacheandRailoUsers
TheuseraccountsthatRailoandApacherunasshouldberestrictedsuchthattheyonlyhavetheabilityto
dowhattheapplicationrequiresandnothingmore.Thedefaultshellshouldbespecifiedto
/sbin/nologinpreventloginoverssh.
Filesystempermissionsshouldberestrictedaswell,ApacheorRailowilltypicallyonlyneedread
permissionformostfilesinthewebroot.Theexecutepermissionmayberequiredondirectories.
RailoandApacheshouldnotbesetuptorunundertherootaccount.
5. EnsuretheJVMisuptodate
EnsurethattheJVMversionyouareusingcontainsallknownsecuritypatches.
6. AdditionalSuggestionsfortheSecurityMinded:
a. CreateanadditionalApachebasedpassword(.htpasswd)forsensitiveareas.
b. ForcetheuseofSSLwhenaccessingtheAdministrators
c. DisguiseRailobyeitherusingfullSESURL'sorbyreplacingtheextensiontosomethingother
thenaCFMLrelatedextension.IE:renameyour.cfmfilesto.phpandpass.phpfilesofftoRailo
forprocessing.
d. EnsurethattheumaskhasbeenspecifiedappropriatelyintheTomcat/Railostartupscriptto
preventitfromcreatingfileswithmorepermissionthannecessary.
e. Considersettingupauditingwithauditd
f. IftheTomcat/ApacheAJPconnectorisusedspecifyasharedsecret.
g. Removeanyservlet/filtermappingsfromweb.xmlthatarenotrequired.
LockingDownRailoServer
1. DisablePublicDebuggingErrorOutput
TodisabledetailederrormessagesinRailo,logintotheRailoserveradministratorandgotoSettings
Errorandselecterrorpublic.cfmfromthedropdownoptions.Thiswillonlydisplayanextremely
genericanduninformativeerrormessagetotheendusers.
Ifyoulike,youcancustomisetheseerrortemplatestosendanemailofftoyourdevelopmentteam,
informingthemthatanerroroccurredandpossiblygivingthemmoredetailsabouttheerror.
2. EnsureAllAdministratorsforAllContextsHavePasswordsAssignedandUseCaptcha
IntheRailoServerAdministrator,gotoSecurityPassword.Fromthisscreenyoucansetthe
passwordsofallexistingwebcontextsandenablecaptchastopreventbruteforcingpasswordbreaking
attemptsonyourRailoServer&WebAdministrators
3. ReduceRequestTimeoutsasLowasPossible
TochangetheRequestTimeoutvalue,logintotheRailoserveradministratorandgotoSettings
ApplicationRequestTimout.Itisrecommendedyouchangeitfrom50secondstoabout10orso.
Experimentwiththistomakesuretherequesttimeoutsdonoteffectneededfunctionalitythatmayexistin
yourapplication.
4. EnsureRailo'sScriptProtectfeatureisenabled
Railo'sbuiltinScriptProtectfeatureisdesignedtoprotectyoursitefromcrosssitescriptingattacks.
ScriptProtectwillautomaticallyfilterdangeroustagsinincomingvariablescopeslikeCGI,cookie,form,
andURLscopes.
ToensureRailo'sScriptProtectfeatureisenabled,logintotheRailoserveradministratorandgoto
SettingsApplicationScriptProtectandensureit'ssettoall.
Note:Thissettingdoesnotprovidecomprehensivecrosssitescriptingprevention,additionalstepsmust
betakeninyourcustomsourcecodetoalleviaterisk.
5. AvoidUsingSystemHeavyClientVariables
Instead,trytokeepasmanyvariablesaspossiblesessionbased,sotheyexpireandareremovedwhen
thesessionexpires.
6. SetSessionTimeoutstoasLowasPossible
ThishelpsfreeupRAMandpreventssomeformsofDoSattacks.Youcanconfiguresessiontimeout
valuesgloballyintheRailoServerAdministratorSettingsApplicationscreen.
7. KeepDatasourcePermissionsSimple
Ifyoucan,onlyenableSELECT,INSERT,UPDATE,andDELETEpermissions.Thiswillalmostnullify
SQLinjectionattacks.WhatcommandsareacceptedbyRailoisconfigurableforeachDSN,andis
controlledwhenyoucreateoreditaDSN.
8. UseaSeparateDBUserforEachDSN
IsolatingyourDatabaseuserswillhelpmitigateattacksshouldasitebefoundvulnerable.Forexample
shouldaSQLinjectionattackoccurinonesite,theattackerwillonlyhavegainedthepowersofthesingle
Databaseuseraccountandwouldonlyhaveaccesstothesitesanddataforthatsitenotanyothersites
thatmaybepresentonthesystem.
9. ConsiderUsingaWebApplicationFirewall(likeFuseGuard)
WebApplicationFirewallsareexcellentatdetectinganddeterringattacksonasystem.HighqualityWeb
ApplicationFirewallsalsohavetheabilitytologattackstoletyouknowwhatkindofattacksarebeing
directedatyourservers,soyoucanbetterprepareyourdefenses.WebApplicationFirewallsarewell
worththeirinitialinvestment.
AdditionalinformationonFuseGuardcanbefoundatthisURL:
http://foundeo.com/security/
Thisdocumentpreparedby::
JordanMichaels(jordan@getrailo.org)
PeteFreitag(pete@foundeo.com)
MattLevine(matt@blueriver.com)