cliff at develix.com
Sat Apr 12 21:06:31 MSD 2008
On Sat, 2008-04-12 at 11:48 +0100, Ed W wrote:
> > The way I see it, if a system's primary purpose (VPS
> > or otherwise) is to provide a website, then if this service is
> > compromised then the attacker has won. Whether or not they also setup an
> > IRC bot isn't too relevant (and this is something I usually deal with at
> > the gateway level anyway
> We have different fears I think. You are (please excuse the
> mis-summary) mainly interested in something like "defacing" websites, ie
> breaking them enough to fiddle with the DB in some way, perhaps an SQL
> injection attack or the like.
> I'm more worried about them breaking in and getting a shell and NOT
> being able to detect that for some time... They could be on that machine
> and using it to attack other machines and information they learn on that
> system might let them escalate access elsewhere.
True and this is a real concern that I shouldn't have dismissed. On the
plus side, it's pretty difficult to get shell via a web application
(except for web applications such as hosting panels that specifically
open security holes.. ahem, I mean "services").
> As an aside. If you are largely worried about web "breakins", there is
> a tool for Apache called mod_security which is fantastic. It's kind of
> like pfsense for webservers. A few broadbrush rules on that make it
> VERY much harder to break into a typical webapp. There is at least one
> source of regularly updated rules to try and patch holes in common web
> applications (although that's tricky given you can install them with
> varying URLs, but it's a good crack at the problem)
I'll take a look at that. I don't use Apache myself anymore (except for
a couple legacy mod_svn sites), but I know a few people who could use
> Would be interesting to try and do something similar with nginx perhaps..?
> > I'm inclined to think of virtualization as a primary defense and
> > security frameworks second, mostly for the recovery abilities I outlined
> > above, but also because the security frameworks require much more
> > thought and time to implement properly (and often you won't realize
> > mistakes until it's too late).
> Agreed. Although I think defense is the wrong word because to my mind
> the VPS provides only a little "defense" and more it provides easier
> cleanup after the event
I'll concede that.
More information about the nginx