Security¶
Protect internal services¶
Use a VPN, or put them behind an authenticating reverse proxy such as oauth2_proxy or a similar service.
Django¶
(django-secure appears to be abandoned. Last change was in 2014, and it doesn’t load under Django 1.11/Python 3.6. Django 1.8 and later ship the equivalent as manage.py check --deploy, which warns about the same settings.)
-Best practice: install django-secure and run manage.py checksecure to make sure all the right settings are enabled.-
See also OWASP.
Admin¶
Don’t leave the Django admin externally accessible, even with a password: restrict it to the VPN or an allow-listed network at the proxy.
SSH¶
Two important settings in /etc/ssh/sshd_config:
Disable root login:
PermitRootLogin no
Disable password auth (make sure your key login works first, and keep an existing session open until you have confirmed it after the reload):
PasswordAuthentication no
Check the file with sshd -t before reloading; sshd uses the first occurrence of a keyword, and anything after a Match line only applies to matching connections.
Also consider moving sshd to some port other than 22; it cuts the log noise from scanners, but it is not a security control on its own.
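A small checker for the two settings above, as an added example (not from the original page, not an OpenSSH tool). It assumes sshd_config syntax as documented: one keyword and value per line (whitespace or a single = between them), lines starting with # are comments, keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a Match line is conditional rather than global. The two sample configs are constructed for the demo.

```python
"""Check that sshd_config disables root login and password auth globally."""
import re
import sys

# Constructed sample configs (not real files).
HARDENED = """
# constructed sample: the second PasswordAuthentication line is ignored
Port 2222
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
"""

WEAK = """
# constructed sample: the Match block does not make the setting global
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""

WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}


def parse_global(text):
    """Return {keyword_lower: value} for the global section only.

    sshd keeps the first value it sees for a keyword, and settings after
    the first Match line apply only to matching connections, so parsing
    stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def check(text):
    """Return a list of problems; an empty list means both settings are enforced."""
    cfg = parse_global(text)
    problems = []
    for key, want in WANTED.items():
        got = cfg.get(key)
        if got is None:
            problems.append(f"{key} not set globally (sshd default applies)")
        elif got.lower() != want:
            problems.append(f"{key} is {got!r}, want {want!r}")
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        issues = check(fh.read())
    for issue in issues:
        print("WARN:", issue)
    sys.exit(1 if issues else 0)
```

Run it as `python check_sshd.py` on the server (or pass a path); a non-zero exit means one of the two settings is missing or wrong in the global section. It does not replace `sshd -T`, which prints the effective configuration after defaults and Match evaluation, but it is quick to drop into a deployment check.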
SSL¶
SEE ALSO the nginx and Django docs on SSL and https.
Basically, make sure nginx overwrites X-Forwarded-Proto on every proxied request (proxy_set_header X-Forwarded-Proto $scheme;), then add to settings:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
Only do this when every request reaches Django through that proxy. The setting makes request.is_secure() trust the header, so if the proxy merely passes client headers through, or the app server port is reachable directly, anyone can claim https by sending the header themselves.
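The trust problem behind that caveat, as an added example that is not code from the page or from Django. It re-implements the SECURE_PROXY_SSL_HEADER check in simplified form so it runs without Django installed; the proxy_to_wsgi function is a stand-in for the reverse proxy, where overwrite=True models proxy_set_header X-Forwarded-Proto $scheme; and overwrite=False models a proxy that forwards whatever headers the client sent. The request dicts are constructed for the demo.

```python
"""Why SECURE_PROXY_SSL_HEADER is only safe behind a proxy that overwrites it."""

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Simplified model of Django's request.is_secure() decision.

    `meta` is a WSGI environ dict. wsgi.url_scheme is what the app server saw
    on its own socket, which is plain http behind a TLS-terminating proxy, so
    the header is the only evidence of https the app has.
    """
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if proxy_header is None:
        return False
    header, value = proxy_header
    return meta.get(header) == value


def proxy_to_wsgi(client_headers, client_scheme, overwrite):
    """Model the reverse proxy: build the WSGI environ the app receives.

    overwrite=True  ~ proxy_set_header X-Forwarded-Proto $scheme;
    overwrite=False ~ client headers forwarded untouched, nothing added
    """
    meta = {"wsgi.url_scheme": "http"}  # backend listens on plain http
    for name, val in client_headers.items():
        meta["HTTP_" + name.upper().replace("-", "_")] = val
    if overwrite:
        meta["HTTP_X_FORWARDED_PROTO"] = client_scheme
    return meta


def scenarios():
    """Return {description: is_secure result} for the cases that matter."""
    spoof = {"X-Forwarded-Proto": "https"}  # constructed: attacker on plain http
    direct = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
    return {
        "http client, spoofed header, proxy passes headers through":
            is_secure(proxy_to_wsgi(spoof, "http", overwrite=False)),
        "http client, spoofed header, proxy overwrites header":
            is_secure(proxy_to_wsgi(spoof, "http", overwrite=True)),
        "https client, proxy overwrites header":
            is_secure(proxy_to_wsgi({}, "https", overwrite=True)),
        "http client hits the app server port directly, spoofed header":
            is_secure(direct),
        "same direct request, SECURE_PROXY_SSL_HEADER unset":
            is_secure(direct, proxy_header=None),
    }


if __name__ == "__main__":
    for name, secure in scenarios().items():
        print(f"{'https' if secure else 'http '}  {name}")
```

The two True results for spoofed plain-http requests are the failure modes the setting warns about: a pass-through proxy, and a backend port that is reachable without going through the proxy at all. Firewall the app server port so only the proxy can reach it, and let nginx set the header unconditionally.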
Django security (notes from Paul McMillan’s DjangoCon US 2011 talk)¶
http://subversivecode.com/talks/djangocon-us-2011
HSTS: send a Strict-Transport-Security header so browsers refuse plain HTTP for your domain from then on (in Django, SECURE_HSTS_SECONDS; start with a short max-age, since a mistake locks users out until it expires).
Django needs a better password hash (the SHA1 it used in 2011 is not broken, but it is very fast, which is exactly what makes brute-forcing leaked hashes cheap; Django 1.4 and later default to PBKDF2, which is deliberately slow).
OpenID is much more secure against password cracking, because a site that never stores passwords has no password hashes for an attacker to crack after a breach.
Password reset tokens can eventually be worked out with a timing attack if they are compared with ordinary string equality (which stops at the first mismatched byte), given a long time and a fast connection; compare them in constant time.
The same goes for learning which user IDs exist on the site, if the unknown-user path is faster or answers differently from the known-user path.
You should rate-limit login, password reset and similar endpoints:
mod_evasive (Apache), HttpLimitReqModule (nginx; now documented as ngx_http_limit_req_module).
Do NOT use random.Random() (or the module-level random.* functions) for security-sensitive values: it is a Mersenne Twister and its output is predictable once an attacker has seen some of it. Use random.SystemRandom(), which reads from the OS CSPRNG (on Python 3.6+ the secrets module wraps the same source), e.g.:
from random import SystemRandom
rng = SystemRandom()  # backed by os.urandom, cannot be seeded
token = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(32))
Be very careful with pickle: loading a pickle calls whatever importable callables the data names, so never unpickle data an attacker could have written (client-writable sessions, caches, cookies, uploads). Use JSON for untrusted data, or a pickle.Unpickler subclass whose find_class refuses everything you have not explicitly allow-listed.
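A harmless proof of that, with the restricted unpickler beside it, as an added example that is not from the page. The payload names subprocess.check_output and runs echo on load, so it assumes a POSIX echo; the allow-list approach for RestrictedUnpickler follows the "Restricting Globals" section of the Python pickle docs, with an empty allow-list here because plain data needs no globals. The pickled dict is constructed for the demo.

```python
"""Unpickling runs code: a benign payload, and an unpickler that refuses it."""
import io
import pickle
import subprocess


class Evil:
    """Any object can say how it is rebuilt on load: (callable, args).

    The pickle never mentions this class; it stores only the callable's
    module and name plus the arguments, so the victim needs nothing of ours.
    """

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_payload() -> bytes:
    """What an attacker hands you as 'a pickled session or cache entry'."""
    return pickle.dumps(Evil())


def unsafe_load(data: bytes):
    """pickle.loads resolves subprocess.check_output and calls it."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup except an explicit allow-list."""

    ALLOWED = set()  # e.g. {("collections", "OrderedDict")} if you need it

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (what unsafe_load produced, whether safe_load blocked it, plain data)."""
    payload = build_payload()
    ran = unsafe_load(payload)  # the command output: echo actually ran
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Plain data (dicts, lists, strings, numbers) needs no globals at all.
    plain = safe_load(pickle.dumps({"user_id": 7, "roles": ["staff"]}))
    return ran, blocked, plain


if __name__ == "__main__":
    ran, blocked, plain = demo()
    print("unsafe_load executed:", ran)
    print("safe_load blocked payload:", blocked)
    print("safe_load accepted plain data:", plain)
```

Replace echo with anything else and you have remote code execution, which is why a client-writable pickle is game over. The restricted loader is a mitigation for legacy code that must read pickles from a semi-trusted source; for anything reachable by a client, JSON is the answer.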
BOOK: The Web Application Hacker’s Handbook (a new edition was due out soon, as of 9/8/2011).
SITE: lost.org? (not sure I heard that right)(no I didn’t)