BUILDING SECURE SERVER SWISS BELLIN - KARAWANG Sunday, 12 November 2017 Budi Komarudin Backbox Indonesia
Building Secure Server

Jan 21, 2018

Budi Komarudin
Transcript
Page 1: Building Secure Server

BUILDING SECURE SERVER
SWISS BELLIN - KARAWANG

Sunday, 12 November 2017

Budi Komarudin
Backbox Indonesia

Page 2: Building Secure Server

INTRODUCTION

– Cyber security instructor at Pusdikhub TNI Angkatan Darat, Cimahi, Bandung.

– Open source advocate/developer at Backbox Indonesia.

– Contributor at National Cyber Security Defence.

– Server developer at Bnet Karawang.

Budi Komarudin

Page 3: Building Secure Server

TOPICS

• Securing the Operating System

• Securing the Web Server

• Securing SSH

• Securing the Database

• Securing the Web Application

• Tips for Securing the Server

Page 4: Building Secure Server

SECURING THE OPERATING SYSTEM

• Choose the operating system that we consider better

• Update & upgrade the packages installed on the server

• Use a different password for each account

• Check the activity logs in the operating system

• Block the IPs that make the most requests

• Install antivirus on the server

Page 5: Building Secure Server

Review of Server Operating Systems

Page 6: Building Secure Server

Review of Server Operating Systems

Arch
- Very high transfer speed
- Very few public exploit archives
- The most up-to-date application repository database
- Very low resource usage
- Application configurations are set securely by default

Page 7: Building Secure Server

Review of Server Operating Systems

OpenBSD
- Can minimize DDoS attacks
- Application configurations are set more securely
- Very small disk usage

Page 8: Building Secure Server

Review of Server Operating Systems

Fedora
- Can minimize DDoS attacks
- The most up-to-date application repository database
- Has an anti server-jumping feature

Page 9: Building Secure Server

Update System

Ubuntu/Debian
$ apt update
$ apt upgrade

CentOS/Fedora
$ yum update
$ yum upgrade

Slackware
$ slackpkg update
$ slackpkg upgrade

Arch Linux
$ pacman -Syu

OpenBSD
$ pkg_add -u

FreeBSD
$ pkg update
$ pkg upgrade

Page 10: Building Secure Server

Case: Not Using Different Passwords

Page 11: Building Secure Server

Check Server Activity

$ lastlog
$ history
$ tail -f /var/log/apache2/access.log
$ sysdig -c spy_users
$ logwatch
$ watch netstat --inet
$ netstat -ntulp

Page 12: Building Secure Server

Check Port Activity

Install tsusen
$ apt-get install git python-pip python-pcapy screen
$ pip install python-geoip python-geoip-geolite2
$ git clone https://github.com/stamparm/tsusen

How to run
$ screen
$ cd tsusen
$ python tsusen.py

Page 13: Building Secure Server

Check Port Activity

Page 14: Building Secure Server

Block the Attacker's IP

$ ufw insert 1 deny from 8.8.8.8 to any
$ iptables -A INPUT -s 8.8.8.8 -j DROP
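
Added example, not part of the original slides: one way to find the IPs with the most requests, which the operating system checklist says to block, and print the matching ufw rule for review. The log entries, the threshold of 3 and the allowlisted monitoring address are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the slides: rank client IPs in an Apache access log
# and print (not run) the slide's ufw rule for the heaviest ones.
# Threshold and allowlisted address are illustrative assumptions.

# Constructed sample in combined log format, documentation IP ranges only.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Nov/2017:10:00:01 +0700] "GET /login.php HTTP/1.1" 404 210 "-" "curl/7.47.0"
203.0.113.7 - - [12/Nov/2017:10:00:01 +0700] "GET /admin/ HTTP/1.1" 404 208 "-" "curl/7.47.0"
198.51.100.20 - - [12/Nov/2017:10:00:02 +0700] "GET /status HTTP/1.1" 200 12 "-" "monitor"
203.0.113.7 - - [12/Nov/2017:10:00:02 +0700] "GET /phpmyadmin/ HTTP/1.1" 401 381 "-" "curl/7.47.0"
198.51.100.20 - - [12/Nov/2017:10:01:02 +0700] "GET /status HTTP/1.1" 200 12 "-" "monitor"
192.0.2.55 - - [12/Nov/2017:10:01:30 +0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2017:10:01:31 +0700] "GET /backup/ HTTP/1.1" 404 207 "-" "curl/7.47.0"
198.51.100.20 - - [12/Nov/2017:10:02:02 +0700] "GET /status HTTP/1.1" 200 12 "-" "monitor"
EOF
}

# top_talkers MIN [ALLOWED_IP...]: read a log on stdin, print "count ip" for
# each IP with at least MIN requests, skipping allowlisted addresses.
top_talkers() {
    min=$1; shift
    awk -v min="$min" -v allow=" $* " '
        { hits[$1]++ }                      # field 1 is the client address
        END {
            for (ip in hits)
                if (hits[ip] >= min && index(allow, " " ip " ") == 0)
                    print hits[ip], ip
        }' | sort -k1,1nr -k2,2
}

# block_rules: turn "count ip" lines into ufw commands for manual review.
block_rules() {
    while read -r count ip; do
        case $ip in
            ''|*[!0-9.]*) continue ;;       # IPv4 only; skip anything else
        esac
        echo "ufw insert 1 deny from $ip to any   # $count requests"
    done
}

sample_log | top_talkers 3 198.51.100.20 | block_rules
```

On a live server, feed it the real log with `top_talkers 1000 < /var/log/apache2/access.log` and read the printed rules before running any of them.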

Page 15: Building Secure Server

Install Antivirus

• maldet
• clamav
• rkhunter
• chkrootkit

Page 16: Building Secure Server

Install Antivirus

$ wget http://www.backboxindonesia.or.id/tmp/maldetect-current.tar.gz
$ tar -xf maldetect-current.tar.gz
$ cd maldetect-1.6.2/
$ bash install.sh
$ maldet -a

$ apt install clamav
$ clamscan

$ apt install rkhunter
$ rkhunter --check

$ apt install chkrootkit
$ chkrootkit

Page 17: Building Secure Server

SECURING THE WEB SERVER

• Hide the web server version

• Disable directory listing

• Limit incoming traffic in the web server settings

Page 18: Building Secure Server

Hide the Application Version

Page 19: Building Secure Server

Hide the Application Version

$ nano /etc/apache2/conf-available/security.conf
Set to:
    ServerTokens Prod
    ServerSignature Off

Restart Apache:
$ /etc/init.d/apache2 restart

Page 20: Building Secure Server

Hide the Application Version

Page 21: Building Secure Server

Disable Directory Listing

Page 22: Building Secure Server

Disable Directory Listing

Remove the Indexes option from the Apache configuration

$ nano /etc/apache2/apache2.conf
Set to:
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Page 23: Building Secure Server

Disable Directory Listing

Page 24: Building Secure Server

Limit Incoming Traffic

$ nano /etc/apache2/apache2.conf
Set these variables:
    Timeout 300
    MaxClients 100
    KeepAliveTimeout 60
    LimitRequestFieldSize 500000

$ iptables -I INPUT -p icmp -j DROP

Page 25: Building Secure Server

SECURING SSH

• Change the default port to a random port

• Do not set a password for the root user

• Restrict each user's access when they enter a wrong password

Page 26: Building Secure Server

Change the SSH Port

$ nano /etc/ssh/sshd_config
Add the line:
    Port 45012

Restart the ssh service:
$ /etc/init.d/ssh restart

Page 27: Building Secure Server

Limit Password Attempts

$ nano /etc/ssh/sshd_config
Add the line:
    MaxAuthTries 5

Restart the ssh service:
$ /etc/init.d/ssh restart
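
Added example, not part of the original slides: a check of the values sshd will actually use after the two edits above. It assumes the lines were appended to a stock file; sshd keeps the first value it reads for a keyword and every Port line adds a listener, so an earlier Port 22 or MaxAuthTries line still applies. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the slides. Assumption stated in sshd_config(5):
# the first value read for a keyword is used, except Port, where every line
# adds another listening port.

# Constructed sshd_config: stock lines on top, the new lines appended.
sample_config() {
cat <<'EOF'
Port 22
MaxAuthTries 6
PermitRootLogin prohibit-password
Port 45012
MaxAuthTries 5
EOF
}

# effective KEY: read a config on stdin, print the value(s) in effect in the
# global section (everything before the first Match block).
effective() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); sub(/[=]/, " ") } # strip comments, accept key=value
        tolower($1) == "match" { exit }     # Match blocks apply conditionally
        tolower($1) == key {
            print $2
            if (key != "port") exit         # first value wins
        }'
}

# audit: read a config on stdin, print one finding per line; no output means
# SSH is off port 22 and allows at most 5 authentication tries.
audit() {
    cfg=$(cat)
    ports=$(printf '%s\n' "$cfg" | effective Port)
    for p in ${ports:-22}; do               # no Port line means default 22
        [ "$p" = 22 ] && echo "still listening on port 22"
    done
    tries=$(printf '%s\n' "$cfg" | effective MaxAuthTries)
    [ "${tries:-6}" -gt 5 ] && echo "MaxAuthTries is ${tries:-6}"
    return 0
}

sample_config | audit
```

On a live host, `sshd -t` validates the file before the restart and `sshd -T` prints the effective configuration.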

Page 28: Building Secure Server

SECURING DATABASE

• Use a database firewall

• Disable remote database access

• Require a password to access the phpMyAdmin page

Page 29: Building Secure Server

Database Firewall

Installation
$ wget http://www.backboxindonesia.or.id/tmp/dbshield_1-2_amd64.deb
$ dpkg -i dbshield_1-2_amd64.deb

$ DBShield

Change the database configuration from port 3306 to port 5000

Page 30: Building Secure Server

Database Firewall

DEMO SESSION

Page 31: Building Secure Server

Disable Remote Database Access

$ nano /etc/mysql/mysql.conf.d/mysqld.cnf
Change to:
    bind-address = 127.0.0.1
$ /etc/init.d/mysql restart

Page 32: Building Secure Server

Disable Remote Database Access

Page 33: Building Secure Server

Password on phpMyAdmin

$ nano /usr/share/phpmyadmin/index.php
Add this script:
<?php
// Allowed users and their passwords
$valid_passwords = array("jangan" => "diheked");
// Credentials sent by the browser; empty when no Authorization header arrived
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
// Exact key lookup and constant-time comparison instead of loose ==
$validated = isset($valid_passwords[$user]) && hash_equals($valid_passwords[$user], $pass);

if (!$validated) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    die("Mau ngapain hayooo...");
}

Page 34: Building Secure Server

Password on phpMyAdmin

Page 35: Building Secure Server

SECURING WEB APPLICATION

• Install SSL on the web server

• Create a fake login page

• Change the admin login address to a random page

• Create a user agent rule on the admin page

Page 36: Building Secure Server

Install SSL on the Server

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Page 37: Building Secure Server

Install SSL on the Server

DEMO SESSION

Page 38: Building Secure Server

Fake Login Page

Page 39: Building Secure Server

Fake Login Page

Page 40: Building Secure Server

Random Admin URL

Page 41: Building Secure Server

User Agent Rule

$ nano /var/www/html/admin/index.php
Add this script:
<?php
// Reject any request whose User-Agent header is not the expected value
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if ($ua !== 'secret') {
    echo "Mau ngapain hayoo..";
    die();
}

Page 42: Building Secure Server

TIPS FOR SECURING THE SERVER

• Create firewall rules for the ports that are open

• Disable the shell for active users

• Hack back the attacker

Page 43: Building Secure Server

Firewall Port Rules

$ ufw enable
$ ufw allow 80
$ ufw allow 22
$ ufw allow 21

Page 44: Building Secure Server

Disable the Shell

$ usermod user -s /bin/false
or
$ usermod user -s /bin/jk_shell

Page 45: Building Secure Server

Hack Back Attacker

Page 46: Building Secure Server

THAT'S ALL......