[ZendTo] Reply: Re: Hardening Zendto
patrick.gaikowski at kaufland.com
Wed May 25 15:16:36 BST 2011
Hi Jules,
Point 3 is only for paranoid persons like me (IT security specialist). You need this to prevent issues which you haven't thought about, programming/configuration errors, or vulnerabilities of the OS used.
Mit freundlichen Grüßen / Best regards
Patrick Gaikowski
Tel: +49 7132 94 3568
Fax: +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastructure
Office:
Lindichstrasse 11
D-74189 Weinsberg
http://www.kaufland.de
We are No. 1:
Kaufland is "Best Supermarket 2011"!
Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74149 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Register court: Amtsgericht Stuttgart HRA 104163
Jules <Jules at zend.to>
Sent by: zendto-bounces at zend.to
ZendTo Users <zendto at zend.to>
25.05.2011 13:55
Subject: [ZendTo] Re: Hardening Zendto
Please reply to: ZendTo Users <zendto at zend.to>
On 24/05/2011 21:52, patrick.gaikowski at kaufland.com wrote:
Hi,
I'm preparing ZendTo for a penetration test and used some scanners like
Paros, Nikto ...
1.) deactivate X-Powered-By (the server sends the exact PHP version to the
client)
in php.ini --> expose_php = Off
2.) deactivate HTTP TRACE (used by security scanners for XSS)
http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/
Thanks for those two. I will try to make sure they get into the 4.02 (or is
it 4.03?) release of the ZendTo VM images.
3.) using mod_security as module for apache
Do I need this? It adds another level of complexity to things, unless there
are yum and apt packages of it that I can just include. Do you know if
there are?
Many thanks,
Jules.
ModSecurity is an open source web application firewall with a lot of
preconfigured rulesets. ModSecurity prevents injections, XSS,
commands ... I played with mod_security and added a sample (not
complete):
# ModSecurity 2.x sample. The "id:" values are arbitrary local numbers added
# here (ModSecurity 2.7+ refuses rules without a unique id).
# SecDefaultAction only applies to the rules that follow it, so it comes first.
# With "redirect", a non-3xx status (509 here) is ignored and 302 is sent.
SecDefaultAction "phase:2,redirect:/security-error.php,status:509,log,auditlog"

# Hides the web server signature (IIS, Apache ...). Apache must run with
# "ServerTokens Full" for ModSecurity to be allowed to rewrite the banner.
SecServerSignature "Hotzenplotz"

# Prevents path disclosure for PHP fatal errors. Inspecting the response body
# needs SecResponseBodyAccess On and phase 4. PHP prints "Fatal error"
# (lower-case "error", and "</b>:" in HTML mode), so match case-insensitively
# without the colon.
SecResponseBodyAccess On
SecRule RESPONSE_BODY "fatal error" \
    "id:1001,phase:4,deny,status:500,log,auditlog,t:none,t:lowercase,msg:'PHP Fatal Error blocked'"
ErrorDocument 500 /security-error.php

# Prevent security scanners from scanning the web application
# (ModSecurity 2.x variable is REQUEST_HEADERS:User-Agent; HTTP_User-Agent
# is 1.x syntax). Regex joined onto one line and the stray ",," removed.
SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|Paro)s|internet explorer|webinspect|\.nasl)" \
    "id:1002,phase:2,deny,status:500,log,msg:'Request Indicates a Security Scanner Scanned the Site'"

# Root path
SecRule REQUEST_URI "^/$" "id:1003,phase:2,log,allow"

# Needed for reCAPTCHA. Note: REQUEST_URI holds only the path and query string
# of the request to this server, so a full-URL pattern only matches when Apache
# proxies the reCAPTCHA request.
SecRule REQUEST_URI "https://www.google.com/recaptcha/api/image$" "id:1004,phase:2,log,allow"

# PHP pages
SecRule REQUEST_FILENAME "^/security-error.php$" "id:1005,phase:2,log,allow"
SecRule REQUEST_FILENAME "^/about.php$" "id:1006,phase:2,log,allow"
SecRule REQUEST_FILENAME "^/verify.php$" "id:1007,phase:2,log,allow"
....
The sample is not complete ...
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
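The three hardening points from this thread (expose_php, HTTP TRACE, server banner) can be verified from the server's own responses. The following audit script is an added example, not code from the thread or from ZendTo; the GET and TRACE responses it checks are constructed samples, and the parse_response/audit function names are my own.

```python
"""Check raw HTTP responses for the hardening points discussed on the list:
X-Powered-By / PHP version disclosure, HTTP TRACE enabled, verbose Server banner.
Added example; sample responses are constructed, not captured from a real host."""
import re

def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(get_response: str, trace_response: str) -> list:
    """Return a list of findings; an empty list means all three points are hardened."""
    findings = []
    _, headers = parse_response(get_response)
    powered = headers.get("x-powered-by", "")
    if powered:
        findings.append(f"X-Powered-By discloses '{powered}': set expose_php = Off in php.ini")
    server = headers.get("server", "")
    # A version number ("Apache/2.2.15") or OS in parentheses means ServerTokens is not Prod.
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"Server banner is verbose ('{server}'): use ServerTokens Prod "
                        "or SecServerSignature")
    trace_status, trace_headers = parse_response(trace_response)
    # A working TRACE echoes the request back with status 200 and Content-Type message/http;
    # with TraceEnable off, Apache answers 405.
    if trace_status == 200 and trace_headers.get("content-type", "").startswith("message/http"):
        findings.append("HTTP TRACE is enabled: set TraceEnable off in httpd.conf")
    return findings

# Constructed sample responses: an unhardened server and a hardened one.
WEAK_GET = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
            "X-Powered-By: PHP/5.3.3\r\nContent-Type: text/html\r\n\r\n<html>")
WEAK_TRACE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
              "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\n")
HARD_GET = "HTTP/1.1 200 OK\r\nServer: Hotzenplotz\r\nContent-Type: text/html\r\n\r\n<html>"
HARD_TRACE = "HTTP/1.1 405 Method Not Allowed\r\nServer: Hotzenplotz\r\nAllow: GET,HEAD,POST\r\n\r\n"

if __name__ == "__main__":
    for name, g, t in (("weak", WEAK_GET, WEAK_TRACE), ("hardened", HARD_GET, HARD_TRACE)):
        print(name, audit(g, t) or ["OK"])
```

To audit a live host, feed it the raw responses of a GET / and a TRACE / request against your own server (for example saved from curl -i).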