“Simple MYSQL commands” 2

Posted by Piyush Gupta on July 05, 2010

Here I shall be jotting down one by one simple SQL commands that we use .

Check the comments .

“Users and Passwords – Rails (Best Practices)” 2

Posted by Piyush Gupta on May 18, 2010

Last week I lost several productive hours resetting my ‘insecure’ password on several websites due to a security breach, if you’ve ever used that site, you’d be well advised to change your password pretty much everywhere. In order to prevent this happening in the future, I figured I’d write up a simple best practices article on handling passwords and authentication. There’s nothing particularly new here, but it’s always worthwhile revisiting the basics.

What Not to do?

Never store your users’ cleartext passwords in your database, no exceptions. The most important reasons is that if your site is compromised or your backup drive lost all your users will be in danger. The attacker will have access to a ready-made list of passwords and the related email addresses which they’ll be able to go off and cause havoc with other websites. The second risk is that any one of your staff members could steal that information and use it to attempt to access other systems where your users have used the same password.

While it’d be nice if users never reused a password, the reality is that nearly everyone does it. We need to be responsible and realistic, and take the necessary precautions to protect our users.

Instead what you should be storing is a hash of the user’s passwords. This will let you verify that the password provided matches the one on file, but will never let you recover that password.

Salting

But just storing a hash of the passwords isn’t enough, this would still leave you open to rainbow attacks where an attacker pre-calculates hashes of millions of passwords, then compares the hashes with the values they’ve stolen from your database. To prevent this you need to salt them. This means storing a small random value against each of your users and adding that to the password before you hash it.

Putting it Together.

So this leaves us with a user model with two relevant columns, salt and hashed_password, leaving us with a simple migration like:

create_table :users do |t|
  t.string :email
  t.string :hashed_password
  t.string :salt
end

We’ll also need two kinds of method on the model itself, hashing methods and verification methods. We’ll cover the hashing methods first:

require'digest/sha2'
  class User ActiveRecord::Base
    # Create two virtual (in memory only) attributes to hold the password and its confirmation.
    attr_accessor:new_password,:new_password_confirmation
    # We need to validate that the user has typed the same password twice
    # but we only want to do the validation if they've opted to change their password.
    validates_confirmation_of :new_password, :if => :password_changed?
    before_save :hash_new_password, :if => :password_changed?
    # By default the form_helpers will set new_password to "",
    # we don't want to go saving this as a password

   def password_changed?
     !@new_password.blank?
   end

   private # This is where the real work is done

   def hash_new_password
     # First reset the salt to a new random string.  You could choose a
     # longer string here but for a salt, 8 bytes of randomness is probably
     # fine.  Note this uses SecureRandom which will use your platform's secure
     # random number generator.
     self.salt = ActiveSupport::SecureRandom.base64(8)
    # Now calculate the hash of the password, with the salt prepended, store
    # store that in the database
    self.hashed_password = Digest::SHA2.hexdigest(self.salt + @new_password)
  end
end

Of note here is the salt, it’s set to a new random value every time the user changes his password, this will come in handy another day. The next method we need to implement is the authentication method.

Class User < ActiveRecord::Base
   # As is the 'standard' with rails apps we'll return the user record if the
   # password is correct and nil if it isn't.

   def self.authenticate(email, password)
      # Because we salt the passwords we can't do this query in one part, first
      # we need to fetch the potential user
      if user = find_by_email(email)
           # Then compare the provided password against the hashed one in the db.
            if user.hashed_password == Digest::SHA2.hexdigest(user.salt + password)
                   # If they match we return the user
            return user
            end
       end
    # If we get here it means either there's no user with that email, or the wrong
     # password was provided.  But we don't want to let an attacker know which.
    return nil
  end
end

Cleanse the Logs

Finally, you need to make sure that your user’s passwords don’t get logged either, thankfully this is built right in with rails.

  class ApplicationController < ActionController::Base
     filter_parameter_logging :password
  end

Wrap Up

All in all using secure password hashing takes around 15 lines of code so there’s no excuse for not doing it in your applications. It’s also relatively simple so I wouldn’t suggest using a plugin if all you want is simple secure login code, those plugins come with tonnes of additional features which you may not want. I’ll follow up next week with simple secure remember-me tokens which also don’t require anything fancy.

Finally a product plug, 1Password from AgileWebSolutions is a really useful tool for generating, storing and recalling secure passwords for the myriad of websites which require logins. It’s much simpler and more secure than re-using some ‘insecure’ password on dozens of websites. It also has the side benefit of being pretty-well immune to phishing attacks.

Technorati Tags: , , ,

“20 ways to Secure your Apache Configuration” 15

Posted by Piyush Gupta on May 10, 2010

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several apache installations have it run as the user nobody. So suppose both Apache, and your mail server were running as nobody an attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache
Group apache

Ensure that files outside the web root are not served

We don’t want apache to be able to access any files out side of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

<Directory /web>
Order Allow,Deny
 Allow from all
</Directory>

Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution

If you’re not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don’t allow apache to follow symbolic links

This can again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.

You can do the following with mod_security:

  • Simple filtering
  • Regular Expression based filtering
  • URL Encoding Validation
  • Unicode Encoding Validation
  • Auditing
  • Null byte attack prevention
  • Upload memory limits
  • Server identity masking
  • Built in Chroot support
  • And more

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don’t need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache’s config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease help mitigate the potential effects of a denial of service attack.

Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request, this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you’re not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you’re running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0 which means files of any size may be uploaded, which may be necessary if you’re using WebDAV to upload large files, but if you’re simply using it for source control, you can probably get away with setting an upper bound, such as 10mb:

LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn’t have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 176.16 network:

<directory>
Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16
</directory>

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Adjusting KeepAlive settings

According to the Apache documentation using HTTP Keep Alive’s can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive’s are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache

There are however some caveats however, so check out the docs for more info.

Acknowledgments

I have found the book Apache Security to be a highly valuable resource for securing an apache web server. Some of the suggestions listed above were inspired by this book.

Technorati Tags: , ,

“Best Ruby on Rails Tutorials” 1

Posted by Piyush Gupta on May 03, 2010

Oh well! Now since people around me at Shine are using Rails, I thought I dive in as well. Learning has another name, that is web. There are so many useful resources on the web for RoR. I am sharing here a few that I found quite useful:

  1. Rolling with Ruby on Rails – Curtis Hibbs of ONLamp.com offers his first excellent introduction to Ruby on Rails. This is the article that got me really excited about RoR.
  2. Rolling with Ruby on Rails, Part 2 – The sequel to Curtis Hibbs excellent series of articles.
  3. Four Days on Rails (PDF) – a great tutorial that is broken down into simple tasks that you can do over a four day period. To be quite honest, this tutorial only takes about 2 hours, but nonetheless it is very well organized!
  4. Really Getting Started in Rails – Amy Hoy has a great tutorial that not only covers RoR, but also introduces the reader to many of the basic concepts of the very cool Ruby scripting language.
  5. Tutorial in Ruby on Rails – is a basic tutorial aimed at newbies.
  6. Fast-track your Web apps with Ruby on Rails – IBM jumps into the sandbox with an excellent (as usual) tutorial to get you on your feet fast.
  7. Ajax on Rails – Curtis Hibbs offers part 3 of his look at RoR
  8. Many to Many Tutorial for Rails (PDF) – is a nice document that begins to delve into some of the more complex parts of web application programming, but in fine Ruby on Rails manner, it’s really not too complicated!
  9. Distributing Rails Applications – A Tutorial – So now you’ve built your RoR application, how to you push it to a production server? This tutorial covers the bases.
  10. Installing Ruby on Rails with Lighttpd and MySQL on Fedora Core 4 – and of course this list wouldn’t be complete without a shameless bit of self-promotion, this tutorial promises what it says. Other install tutorials can be found here!

Technorati Tags: , , , ,

Install Sphinx Search on Ubuntu (Almost All) 10

Posted by Piyush Gupta on April 13, 2010

If you’ve graduated from using Ferret you may have heard of the joys of Sphinx Search. Regardless of which plugin you use (there are several) you’ll need to install Sphinx itself. If you’re running Ubuntu Intrepid Ibex then these instructions are for you. That said, this will work on Debian or Ubuntu Hardy as well.

1. Update and Grab dependencies. Run these commands in order to get the files you need to install Sphinx.

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install build-essential
sudo apt-get install libmysqlclient15-dev

2. Download Sphinx. You can download the latest code from their website.

3.Untar the source and prep. Here’s where it gets a bit complicated. You’ll need to extract the source, change into the directory and configure Sphinx. Do that with these commands.

tar xvzf sphinx-0.9.8.1.tar.gz<br />cd sphinx-0.9.8.1/<br />./configure --with-mysql-includes=/usr/include/mysql --with-mysql-libs=/usr/lib/mysql<br />

4. Make and Install Sphinx Run the standard linux commands to install Sphinx.

make<br />sudo make install<br />

That’s it! Now you can grab your plugins and start up the server.

Technorati Tags: , , , , , , , ,