security question.

Ed W lists at wildgooses.com
Sat Apr 12 14:48:24 MSD 2008


Hi

> The way I see it, if a system's primary purpose (VPS
> or otherwise) is to provide a website, then if this service is
> compromised then the attacker has won. Whether or not they also set up an
> IRC bot isn't too relevant (and this is something I usually deal with at
> the gateway level anyway 

We have different fears, I think.  You are (please excuse the 
mis-summary) mainly interested in something like "defacing" websites, i.e. 
breaking them enough to fiddle with the DB in some way, perhaps an SQL 
injection attack or the like.

I'm more worried about them breaking in and getting a shell and NOT 
being able to detect that for some time... They could be on that machine 
and using it to attack other machines, and information they learn on that 
system might let them escalate access elsewhere.

As an aside: if you are largely worried about web "break-ins", there is 
a tool for Apache called mod_security which is fantastic.  It's kind of 
like pfsense for webservers.  A few broad-brush rules on that make it 
VERY much harder to break into a typical webapp.  There is at least one 
source of regularly updated rules to try and patch holes in common web 
applications (although that's tricky given you can install them with 
varying URLs, but it's a good crack at the problem).

Would be interesting to try and do something similar with nginx perhaps..?

> I'm inclined to think of virtualization as a primary defense and
> security frameworks second, mostly for the recovery abilities I outlined
> above, but also because the security frameworks require much more
> thought and time to implement properly (and often you won't realize
> mistakes until it's too late).
>   

Agreed.  Although I think defense is the wrong word because to my mind 
the VPS provides only a little "defense" and more it provides easier 
cleanup after the event.



Ed W




