カテゴリー: Security

[vagrant@localhost app]$ ab -n 10 -c 10 http://www.hpscript.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking www.hpscript.com (be patient)…..done

Server Software: nginx
Server Hostname: www.hpscript.com
Server Port: 80

Document Path: /
Document Length: 0 bytes

Concurrency Level: 10
Time taken for tests: 3.639 seconds
Complete requests: 10
Failed requests: 2
(Connect: 0, Receive: 0, Length: 2, Exceptions: 0)
Write errors: 0
Non-2xx responses: 10
Total transferred: 3040 bytes
HTML transferred: 1066 bytes
Requests per second: 2.75 [#/sec] (mean)
Time per request: 3638.692 [ms] (mean)
Time per request: 363.869 [ms] (mean, across all concurrent requests)
Transfer rate: 0.82 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 55 62 4.8 64 69
Processing: 732 2269 694.0 2483 2801
Waiting: 717 2256 690.2 2479 2787
Total: 787 2331 695.1 2538 2865

Percentage of the requests served within a certain time (ms)
50% 2538
66% 2754
75% 2792
80% 2855
90% 2865
95% 2865
98% 2865
99% 2865
100% 2865 (longest request)

以下が時間ですな。
Time per request: 3638.692 [ms] (mean)
Time per request: 363.869 [ms] (mean, across all concurrent requests)

これは結構使えるかも。

<Files app_a.php>
AuthUserFile .htpasswd
AuthType Basic
AuthName "Web access"
Require valid-user
</Files>

<Files app_b.php>
AuthUserFile .htpasswd
AuthType Basic
AuthName "Web access"
Require valid-user
</Files>

htpasswd用パス作成ツール
http://phpspot.net/php/pghtpasswd%E7%94%A8%E3%83%91%E3%82%B9%E4%BD%9C%E6%88%90%E3%83%84%E3%83%BC%E3%83%AB.html

初期
.htaccess
192.168.33.11と192.168.33.12をアクセスdenyしています。

.htaccessの行数をカウントし、2行目から、最終行の前までをfgetsで1行ずつ取得し、新たに制限するipを追加して、file_put_contentsします。

$count = count(file(".htaccess"));

$file = fopen(".htaccess", "r");
$body = "<Files ~ \"^form\.php$\">\n";
$i = 0;
if($file){
  while ($line = fgets($file)) {
  	$i++;
  	if($i < $count and $i !== 1){
  		$body .= $line;
  	}
  }
}
$ip = "192.168.33.13";
$body .= "deny from ".$ip."\n";
$body .= "</Files>";
file_put_contents('.htaccess', $body);

.htaccessに、新たにdeny fromが追加されました。

iptables とは、Linux に実装されたパケットフィルタリング型のファイアウォール機能
ファイヤーウォールは本読むと絶対でてきますよね。

さて、iptable
etc/sysconfig/にある

ip6tables-config
iptables-config

機能
1.パケットフィルタリング
送られてきたパケットを検査して設定した条件に該当する場合、設定したアクション（通過、遮断、転送）を実行

2.アドレス変換
送られてきたパケットを検査して設定した条件に該当する場合、パケットの宛先アドレスや送信元アドレスを別のアドレスに書き換え

テーブル
filter パケットのフィルタリングに使用
nat アドレス変換に使用
mangle パケットをNAT以外の目的で置き換えるときに使用

チェイン
INPUT 入力（受信）パケットのチェイン
OUTPUT 出力（送信）パケットのチェイン
FORWARD 転送パケットのチェイン
PREROUTING 受信時に変換するチェイン
POSTROUTING 送信時に変換するチェイン

IPv4とIPv6
IPv6の特徴
-グローバルIPアドレスの数が多い
-セキュリティ機能を標準で装備している
-エンドユーザーの設定が簡単

なるほど、ここまで来たか

allo from で指定したipアドレスからのアクセスを許可する

.htaccess

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

なるほど！

localなどに置くのが普通とのことですが、

<Files ~ "hoge.php">
Order allow,deny
Deny from all
</Files>

confidentiality, integrity, availability

The security of a system, application, or protocol is always relative to:
– a set of desired properties
– an adversary with specific capabilities

Control systems
sensor, system, actuator, controller

Open – loop
Desired output response -> controller -> actuator -> process -> output

closed – loop
Desired output response -> error -> controller -> actuator -> process -> output

BAN, LAN, MAN and WAN

Ring Topology, star, extended star

OSI Model
Application, presentation, session, transport, network, datalink, physical

Application:to allow access to network resource, FTP, http
Presentation: to translate, encrypt, & compress data
Session: to establish, manage, and terminate sessions
Transport: reliable process-to-process msg delivery, tcp, udp
network: packet transport and internetworking
data link: bits -> frames, hop-to-hop delivery
physical: transmit bits over a medium

Each layer communicate logically with intermediate node.

RTT: Round Trip Time
WAN is much greater than that of LAN.
TCP flow control -> Three way handshake,

On demand self service
Broad or wide network access
Resource pooling or sharing
Measured service
Rapid elasticity

SaaS, PaaS, IaaS
Software as a servicd: use the provider’s applications running on a cloud infrastructure
Platform as a service: consumer-created applications using programming languages and tools supported by the provider
Infrastructure as a service: Capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources

Key Issues:
Trust, multi-tenancy, encryption, compliance
Clouds are massively complex systems
Simple primitives and common functional units

Cloud security challenges
– trusting vendor’s security model
– Customer inability to respond to audit findings
– Obtaining support for investigations
– Indirect administrator accountability
– Proprietary implementations can’t be examined
– Loss of physical control

Primary Technology
-Virtualization
-Grid technology
-Service Oriented Architectures
-Distributed Computing
-Broadband Networks

Hypervisor has higher privilege than guest kernel
Security VM is separated from User VM

User = application + data (encrypt)

Frequency Analysis Attack
connect data with public information
Optimization Attack