Ruby on Rails bottom up security – daily server check

Reading Time: 2 minutes

TL;DR

This is next post in series about Ruby on Rails security. In previous post I explained how to harden other servers. This time I will explain daily security check for CentOS servers.

After you securely set up your Ruby on Rails servers, you need to take care about their security on daily basis. Because time is the ultimate attack vector for all web applications.

Monitor Common Vulnerabilities and Exposures (CVE)

You need to create a collection of web pages that announce CVE advisories for components of your web application. Here is one typical Ruby On Rails application stack.

Next, check security logs that you had set up during the hardening phase.

Logwatch
logwatch | less
Fail2ban
fail2ban-client status
Selinux
less /var/log/audit/audit.log | grep AVC | less
Nginx log
log/nginx.access.log-YYYYMMDD*

This is where your application knowledge is important. In that file, I look for hacker patterns. First, I filter out regular application url paths, so what is left are robot scripts that are probing for known security issues for various applications.

For example:

zless /home/deploy/apps/betterdoc/current/log/nginx.access.log-YYYYMMDD* | egrep -v  'assets|images|favicon.ico|robots.txt|fonts

Note that I use zless, which is less for compressed files.

Do I need to restart servers?

There is a myth that you do not need to restart Linux servers after application update. Linux will not force you to do that, because running application would happily run with previous version. Which is bad if previous version has security issue. Remember, you set up automatic daily update for all server components. With command:

lsof -n | grep DEL | less

you will get a list of applications that still use in memory libraries that had been deleted from the server. If that command returns any list(DEL), you need to restart whole server (easier) or just the application that is listed.

In next post, I will describe security audit for Ruby on Rails application code.

 

 

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

It is Testival 2017 time!

Reading Time: 2 minutes

TL;DR

In this post I announce a software tester event, Testival 2017.

Testival is one day software testing gathering in unconference format:

""Typically at an unconference, the agenda is created by the attendees at the beginning of the meeting. Anyone who wants to initiate a discussion on a topic can claim a time and a space. Unconferences typically feature open discussions rather than having a single speaker at the front of the room giving a talk, although any format is permitted. This form of conference is particularly useful when the attendees generally have a high level of expertise or knowledge in the field the conference convenes to discuss."""[Wikipedia]

Why is for me this format better than regular conference?

As tester I ask a lot of questions, which is not possible at regular conference. Here is scenario: after the speaking slot, there is usually questions time slot, up to 15 minutes. This is time for the whole audience to ask questions. When this time is up, moderator usually announce that you can ask speaker more questions. But speaker is usually  followed by “groupies”, family or conference friends. It is very crowded and noisy, and usually I lost my question momentum force.

On unconference, there is no one-way-speaking part. Topic author gives introduction and initial questions/thoughts. And then discussion emerges. If it is not for you, use the power of two feet and move to another discussion topic (another room).

As an example, after the TestBash Brighton 2017 there was Open Space event. At the end of this event, I had fruitful discussion with Paul Holland and other participants about testing heuristics. He teaches Rapid Software testing and software testing heuristics are part of that class.

Bottom line is that in unconference format you are in control of discussions and you have a chance to shot much more questions!

Testival 2017 is in two weeks in lovely Zadar, Croatia.

We are starting on 1st of September, Friday at 18.00 by proposing discussion topics. Next day, on Saturday, we will execute those discussions divided into slots and across different rooms. Prior those discussions, we will have opening keynote by Alex Rodionov, one of the Watir contributors!

Location is Zadar innovation center. You can apply using this form and admission is free.

All relevant information could be found on conference page: www.testival.eu.

See you in Zadar!

 

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

The Black Swan event

Reading Time: 2 minutes

TL;DR

Yesterday I experienced negative Black Swan event. I will described it along with explanation what is Black Swan event.

This is explained in the book “The Black Swan (Taleb book) which is on my reading list. Every influenced software tester will recommend it.

“””The book focuses on the extreme impact of certain kinds of rare and unpredictable events (outliers) and humans’ tendency to find simplistic explanations for these events retrospectively. This theory has since become known as the black swan theory.”””[Wikipedia]

Yesterday I arrived home with combination of olive and engine oil on my sneakers. The risk: this significantly lowered traction between my shoes and ground, so there was high probability of fall.

I was in grocery store. There was funny smell in the grocery store. Then I heard crashing sound. One lady dropped a bottle of olive oil at the store entrance. I was in a hurry and did not wait for employee to clean this.

A few minutes later in public garage next to the place where I parked there was a car with big oil spill. Car owners were tourists.

My simplistic explanation (thinking about this event for five minutes).

It is highly probable that people drop things in this grocery store because they get sick with funny smell.

Yearly increase of tourist visitors in Zagreb is on average 10%. It is highly probable that you will meet tourist with broken car.

To conclude.

“””The main idea in Taleb’s book is not to attempt to predict Black Swan events, but to build robustness to negative ones that occur and to be able to exploit positive ones. Taleb contends that banks and trading firms are very vulnerable to hazardous Black Swan events and are exposed to losses beyond those that are predicted by their defective financial models.

The book’s position is that a Black Swan event depends on the observer—using a simple example, what may be a Black Swan surprise for a turkey is not a Black Swan surprise for its butcher—hence the objective should be to “avoid being the turkey” by identifying areas of vulnerability in order to “turn the Black Swans white””” [Wikipedia].

My robustness in this context. For last year of so, I pay extra attention to my shoes. They must have Goretex or similar technology, and advanced sole technology. Currently I am using Columbia Men’s Ventfreak Outdry Multisport Mesh Athletic Sneakers with Omni-Grip™ non-marking traction rubber outsole. The reason is my back pain and when I am wearing those shoes, I do not have back pain. By keeping attention to my back problem I also enhanced my robustness to explained Black Swan event.

Hmm, how can I apply that to my software testing?

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

Ruby on Rails bottom up security – other servers

Reading Time: 1 minute

TL;DR

In previous post I described how to do security hardening for your Ruby on Rails web server. In this post I will talk about other servers: database, openvpn, cache and job.

Database server holds web application data so hacker will definitely try to get direct access to it.

You first need to do basic server hardening explained in my previous post. After that you need to be sure:

  1. that other servers port is not publically available
  2. access to other server is properly securely configured

One is resolved by putting your servers behind firewall. Second depends which server do you use. Here is example for postgres database server. Here is you strategy. When you know you database server, Google for its security settings and apply official guidelines that you will found.

How to securely connect directly to your servers? You can publically expose ssh port, but this is not good strategy. You need to use vpn connection.

OpenVPN

Simply explained, openvpn is ssh that uses certificate (public/private) authentication.  It will make hacker job much harder. You need one dedicate box with openvpn server.  Also, you will need openvpn client. So after VPN is set up, here is how you connect to your servers:

  • establish open vpn connection
  • connect using ssh to your servers that now have ip address from VPN network range

In next post I will explain how to do daily security check for servers and their software components.

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather