lists at wildgooses.com
Sat Apr 12 14:48:24 MSD 2008
> The way I see it, if a system's primary purpose (VPS
> or otherwise) is to provide a website, then if this service is
> compromised then the attacker has won. Whether or not they also set up an
> IRC bot isn't too relevant (and this is something I usually deal with at
> the gateway level anyway

We have different fears I think. You are (please excuse the
mis-summary) mainly interested in something like "defacing" websites, i.e.
breaking them enough to fiddle with the DB in some way, perhaps an SQL
injection attack or the like.

I'm more worried about them breaking in and getting a shell and NOT
being able to detect that for some time... They could be on that machine
and using it to attack other machines, and information they learn on that
system might let them escalate access elsewhere.

As an aside: if you are largely worried about web "break-ins", there is
a tool for Apache called mod_security which is fantastic. It's kind of
like pfsense for webservers. A few broad-brush rules on that make it
VERY much harder to break into a typical webapp. There is at least one
source of regularly updated rules to try and patch holes in common web
applications (although that's tricky given you can install them with
varying URLs, but it's a good crack at the problem).

Would be interesting to try and do something similar with nginx perhaps..?

> I'm inclined to think of virtualization as a primary defense and
> security frameworks second, mostly for the recovery abilities I outlined
> above, but also because the security frameworks require much more
> thought and time to implement properly (and often you won't realize
> mistakes until it's too late).

Agreed. Although I think defense is the wrong word because to my mind
the VPS provides only a little "defense" and more it provides easier
cleanup after the event.