Nginx security problem
nginx-forum at nginx.us
Sat Dec 5 22:01:19 MSK 2009
> Fix your application (vbulletin). If you can't do
> that then go back to your Apache setup and use
> something like mod_security
> (http://www.modsecurity.org/) with it, or any other
> WAF. Harden your PHP, since it seems that all your
> attacks were introduced by something tunneled
> over vbulletin (which is PHP) into your system and
> then executed/triggered from/by within PHP. I
> would say that one of your users has uploaded some
> kind of scanning toolkit to your server and is
> misusing your server to scan other systems. Don't
> allow the user that is running PHP to execute
> tools that a normal PHP setup does not need. Nail
> down your file system (for example: mount your
> temporary directories with "noexec" and do the
> same for your upload directory, etc.). Use
> something like SELinux / RBAC / grsecurity / etc.
> to prevent your PHP interpreter from going wild. Add an
> IDS / NIDS / PIDS / etc. and act as soon as
> possible if something strange is going on. Use
> something like Fail2Ban to parse logs and act on
> significant issues. Use something like PSAD to
> prevent idiots scanning your system. Use a
> firewall / iptables / etc. to prevent your system
> from making strange connections to the outside world.
> If you are not familiar with iptables then use
> something like Shorewall and install it on your
> system, and don't just check inbound but check
> outbound as well. Close every port or application
> on your system that is not needed. Double secure your
> logins from external (don't allow root to log into
> ssh, use AllowGroups/AllowUsers to limit who can
> log in, use an unprivileged user to log into ssh and
> su to root, etc.). If you are staying on
> Apache then use something like mod_evasive to
> prevent one single system from outside bringing
> your Apache down. If you are staying on
> Apache then use something recent that is not such
> a big security issue as the older Apache versions
> (look up the term "Slowloris" if you need a good
> example of what I mean). etc., etc., etc... Just do the
> normal things every good sysadmin/hoster would do.
> I am pretty sure that nginx is not your problem.
> But I understand if you say that with Apache you
> don't have those issues. It's normal human
> behavior to think in pictures (I have problems
> with my page. Hmmm.... I use nginx. Hmmm. Format
> system, install fresh OS, install Apache. Hmm...
> No problem so far. Okay! I got it! It's nginx.)
> instead of taking the time to understand what the
> problem is and THINK about the problem and solution.
> But hey! It's your install. If you think that it
> is nginx then it MUST be nginx. I would not be
> surprised if in some days you come back here
> and tell us the same story has happened with
> Apache as the HTTPD.
Thanks very much for your advice.
I have switched back to the last stable version, nginx 0.7.64.
Do you suggest I use the 0.8.** version?
I am not a system specialist. I will follow your advice step by step.
But first I have to check them, because I am not sure whether it is possible to install these applications on my side.
Thank you again for your suggestions.
> Oh! And one last piece of advice: Do not trust anybody! If
> a security company is telling you that YOUR system
> is secure then fine and dandy, but it's you that
> needs to guarantee and understand the security of
> your system. Not anyone else. You need to
> UNDERSTAND what is going on with your system and
> YOU need to KNOW that and why your system is
> secure. Someone telling you that it is secure is not
> going to take away that responsibility from you. A
> drug dealer will always assure you that what you buy
> from him is 100% risk free and and and... but it's
> you that is going to consume that stuff and it's
> you that is risking death. Not him. So don't just
> blindly trust. Turn on the gears in your head and
> THINK and ACT, but don't just follow blindly. You
> are not a sheep!
Sure, I am not.
Softlayer forced me to apply to one of the 6 server management companies that are trusted and certified by Softlayer, or close my network.
They told me "If they report that your server is clean, it is ok." So I had to go with one of them.
Never mind, I have closed my relationship with the server management company and reinstalled nginx. And I look ahead.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,27636,28256#msg-28256
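The quoted reply lists its hardening items as prose. As an added example (not from the original thread or either of its participants), here is a small POSIX sh script that checks three of those items against constructed sample data so it runs offline: whether /tmp and the upload directory are mounted noexec, what sshd's effective PermitRootLogin and AllowGroups/AllowUsers values are, and an iptables egress fragment that logs and drops new outbound connections opened by the web user (the reply's "check outbound as well"). The mount table, the sshd_config text, the /var/www/uploads path and the www-data user are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits three hardening items
# from the reply -- noexec on /tmp and the upload dir, sshd login limits, and
# an egress rule set -- against constructed samples so it runs offline.
# Paths, the www-data user and both samples below are assumptions.

# Constructed /proc/mounts-style sample: /tmp is noexec, the upload dir is not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/www/uploads ext3 rw,relatime 0 0'

# Constructed sshd_config sample showing the weak settings the reply warns about.
SAMPLE_SSHD='Port 22
PermitRootLogin yes
#AllowGroups sshusers
PasswordAuthentication yes'

# mount_opt_check MOUNTS MOUNTPOINT OPTION -> prints ok | missing | notmounted.
# The last entry for a mountpoint wins, as it does in /proc/mounts (overmounts).
mount_opt_check() {
  printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
    $2 == mp { opts = $4; found = 1 }
    END {
      if (!found) { print "notmounted"; exit }
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == opt) { print "ok"; exit }
      print "missing"
    }'
}

# sshd_option CONFIG KEYWORD -> prints the effective value or nothing if unset.
# sshd takes the first non-comment match and compares keywords case-insensitively.
sshd_option() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == "" || substr($1, 1, 1) == "#" { next }
    tolower($1) == tolower(key) {
      v = $2
      for (i = 3; i <= NF; i++) v = v " " $i
      print v; exit
    }'
}

# audit MOUNTS SSHD_CONFIG UPLOAD_DIR -> prints one line per finding and
# returns the number of failed checks (0 means every check passed).
audit() {
  fails=0
  for dir in /tmp "$3"; do
    r=$(mount_opt_check "$1" "$dir" noexec)
    [ "$r" = ok ] || { echo "FAIL: $dir is not mounted noexec ($r)"; fails=$((fails + 1)); }
  done
  [ "$(sshd_option "$2" PermitRootLogin)" = no ] \
    || { echo "FAIL: PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
  [ -n "$(sshd_option "$2" AllowGroups)$(sshd_option "$2" AllowUsers)" ] \
    || { echo "FAIL: no AllowGroups/AllowUsers restriction"; fails=$((fails + 1)); }
  return $fails
}

# egress_rules WEBUSER -> prints an iptables-restore fragment: replies to
# inbound traffic and loopback stay allowed, new outbound connections opened
# by the web user are logged then dropped, and only DNS is opened for the rest
# of the host. Which other ports the host legitimately needs is an assumption
# the operator must fill in.
egress_rules() {
  cat <<EOF
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $1 -j LOG --log-prefix "php-egress: "
-A OUTPUT -m owner --uid-owner $1 -j DROP
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: sh audit.sh run
if [ "${1:-}" = run ]; then
  audit "$SAMPLE_MOUNTS" "$SAMPLE_SSHD" /var/www/uploads
  echo "failed checks: $?"
  egress_rules www-data
fi
```

Run as `sh audit.sh run` to print the findings (three failures against the sample: the upload directory lacks noexec, root login is allowed, and nothing restricts who may log in) followed by the rule fragment. On a real host feed `cat /proc/mounts` and `cat /etc/ssh/sshd_config` to the two functions instead of the samples, and review the fragment before loading it with iptables-restore, since a default-drop OUTPUT policy will also cut whatever the host needs that the example does not list.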