security question.

Cliff Wells cliff at develix.com
Sat Apr 12 21:06:31 MSD 2008


On Sat, 2008-04-12 at 11:48 +0100, Ed W wrote:
> Hi
> 
> > The way I see it, if a system's primary purpose (VPS
> > or otherwise) is to provide a website, then if this service is
> > compromised then the attacker has won. Whether or not they also set up an
> > IRC bot isn't too relevant (and this is something I usually deal with at
> > the gateway level anyway 
> 
> We have different fears I think.  You are (please excuse the 
> mis-summary) mainly interested in something like "defacing" websites, i.e. 
> breaking them enough to fiddle with the DB in some way, perhaps an SQL 
> injection attack or the like.
> 
> I'm more worried about them breaking in and getting a shell and NOT 
> being able to detect that for some time... They could be on that machine 
> and using it to attack other machines and information they learn on that 
> system might let them escalate access elsewhere.

True, and this is a real concern that I shouldn't have dismissed.  On the
plus side, it's pretty difficult to get shell via a web application
(except for web applications such as hosting panels that specifically
open security holes... ahem, I mean "services").

> As an aside.  If you are largely worried about web "breakins", there is 
> a tool for Apache called mod_security which is fantastic.  It's kind of 
> like pfsense for webservers.  A few broad-brush rules on that make it 
> VERY much harder to break into a typical webapp.  There is at least one 
> source of regularly updated rules to try and patch holes in common web 
> applications (although that's tricky given you can install them with 
> varying URLs, but it's a good crack at the problem)

I'll take a look at that.  I don't use Apache myself anymore (except for
a couple legacy mod_svn sites), but I know a few people who could use
it.

> Would be interesting to try and do something similar with nginx perhaps..?
> 
> > I'm inclined to think of virtualization as a primary defense and
> > security frameworks second, mostly for the recovery abilities I outlined
> > above, but also because the security frameworks require much more
> > thought and time to implement properly (and often you won't realize
> > mistakes until it's too late).
> >   
> 
> Agreed.  Although I think defense is the wrong word because to my mind 
> the VPS provides only a little "defense" and more it provides easier 
> cleanup after the event

I'll concede that.

Cliff






