Thursday, May 04, 2017

HOWTO : OwnCloud 10.0.0 and Hiawatha 10.6 on Ubuntu 16.04 LTS

Step 1 - Update Ubuntu :

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoclean
sudo apt-get --purge autoremove


Step 2 - Hiawatha Installation :

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget https://cmake.org/files/v3.5/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install


wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz
cd hiawatha-10.6/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.6_amd64.deb


sudo mkdir /etc/hiawatha/enable-sites

sudo nano /etc/hiawatha/hiawatha.conf

Add "SocketSendTimeout" just before "Binding Setting" :

SocketSendTimeout = 240

Add "MaxRequestSize" to "Binding Settings" :

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
    # MaxRequestSize is 100GB
    MaxRequestSize = 104857600
    MaxUploadSize = 2047
    TimeForRequest = 24,100
    MaxKeepAlive = 72000000
}


Append the following line at the end of the file :

Include /etc/hiawatha/enable-sites/

Create "owncloud" file at /etc/hiawatha/enable-sites :

sudo nano /etc/hiawatha/enable-sites/owncloud

VirtualHost {
    Hostname = [your domain or IP address here]
    WebsiteRoot = /var/www/owncloud
    StartFile = index.php
    AccessLogfile = /var/log/hiawatha/owncloud-access.log
    ErrorLogfile = /var/log/hiawatha/owncloud-error.log
    TimeForCGI = 72000000
    WebDAVapp = yes
    UseFastCGI = PHP70
    UseToolkit = denyData
    EnablePathInfo = yes
    AllowDotFiels = yes
    HTTPAuthToCGI = yes
}

UrlToolkit {
    ToolkitID = denyData
    Match ^/data DenyAccess
}

FastCGIserver {
    FastCGIid = PHP70
    ConnectTo = /var/run/php/php7.0-fpm.sock
    Extension = php
    SessionTimeout = 72000000
}


sudo nano /etc/php/7.0/fpm/php-fpm.conf

Append the following lines at the end of the file :

; for OwnCloud
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

[www]
pm=dynamic
pm.max_children=1000
pm.start_servers=50
pm.min_spare_servers=25
pm.max_spare_servers=75


Step 3 - MySQL Setting :

sudo mysql -u root -p

create database owncloud;
GRANT ALL ON owncloud.* TO owncloud@'127.0.0.1' IDENTIFIED BY '[your password here]';
flush privileges;
quit


Step 4 - OwnCloud Installation :

wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key

rm Release.key

sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update
sudo apt-get install owncloud-files


sudo apt-get install exim4 exim4-base exim4-config exim4-daemon-light libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 s-nail php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi php7.0-mbstring

sudo nano /var/www/owncloud/.user.ini

The content of the file may looking like this one :

upload_max_filesize=100G
post_max_size=100G
memory_limit=12G
mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset='UTF-8'
output_buffering=0
max_input_time=3600
max_execution_time=3600
upload_tmp_dir='/tmp/'
max_file_upload=5000

Open browser and point to http://[your owncloud server IP] and create your admin user and password. Then select database on the same page. Otherwise, it will use SQLite by default.

After that, do the following :

sudo nano /var/www/owncloud/config/config.php

Insert the following line into the end of the block of the code :

'memcache.local' => '\OC\Memcache\APCu',

To restart OwnCloud and Hiawatha services :

sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha
sudo systemctl enable php7.0-fpm
sudo systemctl enable hiawatha


Then, you can install the desktop sync client to sync your desktop to ownCloud.

Remarks :

If you want to have https connection, you need to generate the private SSL certificate or purchase one. You can also use Let's Encrypt when necessary. If so, the "binding settings" at Hiawatha should be "Port 443".

That's all! See you.

Wednesday, May 03, 2017

[RESEARCH] How Secure of HSBC and DBS Web Sites Are?

Last year, I wrote an article about the SSL certificate grading of banks in Hong Kong. This time, I would like to choose DBS and HSBC for the research. It is because DBS was the highest SSL certificate grading at that time - Grade A while HSBC is the largest bank in Hong Kong even it was Grade C.

The Research

Since pentesting a target without written authorization is illegal, this research is only done on recon phase only. Therefore, it is an incomplete research. Be keep in mind that it is for reference only.

I have written an article about security headers of a web site, such as HSTS, HPKP and XSS Protection. You can refer to it if you do not know what securty headers are. The control web site for this research is my personal site which is consider to be secured.

DBS Bank (Hong Kong) 星展銀行(香港)

The ebanking login page (https://internet-banking.hk.dbs.com/IB/Welcome) is tested and find out that it is upgraded from A to A+ as HSTS security header is set properly this time. The cookie is also set to be secured. Meanwhile, it is still protected by Akamai (WAF/DDoS).

However, HPKP and XSS protection security headers are missing and setting not properly respectively. The site may be vulnerable to XSS and Man-In-The-Middle (MiTM) attack even HSTS is enforced.

Hongkong and Shanghai Banking Corporation (HSBC) 滙豐銀行

The ebanking login page (https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US) is tested and find out that the grading is remained unchange - Grade C as TLS 1.2 is not set and RC4 cipher is used for older protocols as well as the VeriSign, Inc / Class 3 Public Primary Certification Authority is not set properly.

Meanwhile, HSTS, HPKP and XSS protection security headers are missing. Cookie is not security set properly. Therefore, it may be vulnerable to MiTM and XSS attacks.

Conclusion

If not set properly, HPKP will cause error when browsing. Therefore, most webmasters will not touch it in order to prevent the downtime. HSTS and XSS protection security headers as well as cookie secure settings are not difficult and there is no side effect. However, most webmasters are ignored those settings due to misconcept.

In my opinion, ebanking sites should be very secured in order to prevent the attacks.

Reference

Qualys SSL Labs
Security Headers
[RESEARCH] SSL Certificate Grading of Banks in Hong Kong
HOWTO : Secure Surfing
Green PadLock is Safe?

That's all! See you.


HOWTO : Highest Secured Hiawatha Web Server 10.6 on Ubuntu Server 16.04 LTS

(A) Introduction

Hiawatha Web Server is designed with security in mind. It already built-in some security features to protect common attacks, such as SQLi, XSS, CSRF. Meanwhile, it can be configured to prevent scanning from vulnerability scanners too.

Hiawatha is a light weight and fast as well as secure web server in the market. Hiawatha is working well with PHP and MySQL. The following guide is showing how to configure Hiawatha in a very high secure way on Ubuntu Server LTS.

(B) Software Prerequisite

The current version as at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.8.1
(3) Hiawatha 10.6

(C) Installation of PHP7.0 and MySQL

sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client php7.0-mbstring

(D) Installation of Hiawatha

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

(a) Install CMake

wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install


(b) Install Hiawatha

wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz

cd hiawatha-10.6/extra

./make_debian_package

cd ..

sudo dpkg -i hiawatha_10.6_amd64.deb


(E) Configuration of PHP7.0

sudo nano /etc/php/7.0/fpm/php.ini

Make changes as is.

allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,


* [EXIST_FUNCTION] is the functions that already at "disable_functions" of php.ini

(F) Let's Encrypt on Hiawatha

(a) Configuration of Hiawatha

sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sites


Edit "cgi-wrapper.conf".

sudo nano /etc/hiawatha/cgi-wrapper.conf

Change the following as is.

CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data


Change the ownership of the log files.

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log


Change the ownership of the web application files.

cd /var/www/mysite
sudo chown -R root:root *


The following are examples of "hiawatha.conf" and "mysite.com".

/etc/hiawatha/hiawatha.conf example :


/etc/hiawatha/enable-sites/mysite.com example :


sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha
sudo systemctl enable php7.0-fpm
sudo systemctl enable hiawatha


(b) Self Signed SSL Certificate Generation

To generate SSL certificate for the web root.

openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown root:root /etc/hiawatha/tls/default.pem
sudo chmod 600 /etc/hiawatha/tls/default.pem
sudo chmod 600 -R /etc/hiawatha/tls


(c) Let's Encrypt Generation and Configuration

(1) First time install Let's Encrypt :

Make sure port 80 is workable as Let's Encrypt script will use it to generate the SSL/TLS certificates.

Change ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf :

nano ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf

Change "ACCOUNT_EMAIL_ADDRESS" to your email address. Let's Encrypt will alert you when the SSL/TLS certificate is going to expire via this email address.

ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com

Change "CERTIFICATE_RSA_KEY_SIZE" to 4096.

CERTIFICATE_RSA_KEY_SIZE = 4096

Change "RENEWAL_REUSE_KEY" to true. The server private key/public key will be used for the SSL/TLS certificate renewal.

RENEWAL_REUSE_KEY = true

Comment out the "Testing" LE_CA_HOSTNAME and uncomment "Production" LE_CA_HOSTNAME.

LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing


Run the Hiawatha 10.6 letsencrypt script to generate server private key and server certificate as well as Let's Encrypt X3 certificate :

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt register


A "account.key" will be generated at the ~/hiawatha-10.6/extra/letsencrypt. Make sure keep this "account.key" in a safe space.

Then generate the SSL/TLS certificate of your server :

sudo ./letsencrypt www.mysite.com

A "www.mysite.com.pem" will be generated at /etc/hiawatha/tls/.

Rename the generated file :

sudo -sH
cd /etc/hiawatha/tls
mv www.mysite.com.pem www.mysite.com-privkey.pem
cp www.mysite.com-privkey.pem www.mysite.com.pem


Make sure keep the private key file in a safe space and generate the server public key :

openssl rsa -in www.mysite.com-privkey.pem -pubout -out pubkey.pem

Replace pubkey.pem content to the first block of code "PRIVATE KEY" at www.mysite.com.pem.

Insert Let's Encrypt X4 certificate :

wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt
echo "" >> www.mysite.com.pem
cat lets-encrypt-x4-cross-signed.pem.txt >> www.mysite.com.pem


chmod 600 www.mysite.com.pem
chmod 600 www.mysite.com-privkey.pem


Then configure VirtualHost at /etc/hiawatha/enable-sites/mysite.com.

Add the following to the VirtualHost at /etc/hiawatha/enable-sites/mysite.com :

RequireTLS = yes, 180d; includeSubDomains; preload
TLScertFile = /etc/hiawatha/tls/www.mysite.com-privkey.pem
PublicKeyPins = /etc/hiawatha/tls/www.mysite.com.pem,60d


Make sure to delete the private key at www.mysite.com.pem file

sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP
sudo sed '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem


sudo systemctl restart hiawatha

(2) Renew SSL/TLS certificate :

Make sure your proxy setting is not set and port 80 can be accessed. Meanwhile, make sure disable TLS related setting before renew. You need to reset the TLS setting back after the renew.

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt renew


Make sure to delete the private key at www.mysite.com.pem file

sudo cp /etc/hiawatha/tls/www.mysite.com.pem /etc/hiawatha/tls/www.mysite.com.pem-BACKUP
sudo sed '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/d' /etc/hiawatha/tls/www.mysite.com.pem


sudo systemctl restart hiawatha

* You can consider to write an auto renew script on cronjob for automatically update.

(3) Revoke SSL/TLS certificate : (Optional)

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem


sudo systemctl restart php7.0-fpm
sudo systemctl restart hiawatha/code>

(G) Hardening of Ubuntu Server

(a) sysctl

sudo nano /etc/sysctl.d/60-hiawatha.conf



sudo sysctl /etc/sysctl.d/60-hiawatha.conf -p

(b) Apparmor

sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawatha




sudo aa-enforce hiawatha

If you have change some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Remarks :

If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".

sudo aa-complain hiawatha

After several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha


It is because the captioned usr.sbin.hiawatha may not 100% work for you.

(c) Linux Malware Detect (Optional)

Linux Malware Detect Installation

* the captioned link may be out-dated and it is for your reference only

(d) MySQL

Create Normal User on MySQL

(e) fail2ban

sudo apt-get install fail2ban

Change the setting at /etc/fail2ban/jail.conf when necessary.

(H) Storage Performance Tuning

It is recommended to use SSD for the storage instead of hard drive for the excellent performance.

(a) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the below which is supported :

* Data Set Management TRIM supported (limit 1 block)

If you install your Ubuntu in LVM, the TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the below which is enabled :

issue_discards = 1

Then set the following to "deadline" if it is not done yet.

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local
Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo bash /etc/rc.local

After that, you need to edit the partition table (/etc/fstab) :

To make it looks like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.

(b) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo bash /etc/rc.local

After that, you need to edit the partition table (/etc/fstab) :

To make it looks like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.

(I) Redis for PHP Session

The PHP sessions are stored in the memory will increase the speed of a web site.

sudo apt-get install php-redis redis-server

sudo nano /etc/php/7.0/fpm/php.ini

Change to following to :

session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"


To restart Hiawatha and PHP :

sudo systemctl restart hiawatha
sudo systemctl restart php7.0-fpm


To confirm if it is working or not :

redis-cli
127.0.0.1:6379> keys *


The result will be similar to :

1) "PHPREDIS_SESSION:038gl83953j9bfnf02ksts52q5"
2) "PHPREDIS_SESSION:p53j1t43mbdp49cvaq1nv37o97"
3) "PHPREDIS_SESSION:kuop27qq6g6q265gu29000ee21"
4) "PHPREDIS_SESSION:84n96cba8colp73td8mslnjgq2"

Type "quit" to exit.

(J) Optional

To further hardening Ubuntu Server, you may consider to set up firewall (UFW/iptables) and place the Ubuntu Server behind Unified Threats Management System (UTM) or Intrusion Prevention System (IPS).

Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha

That's all! See you.