Nginx security problem

Steve steeeeeveee at gmx.net
Sun Dec 6 05:06:47 MSK 2009


-------- Original Message --------
> Date: Sat, 5 Dec 2009 19:30:27 -0500
> From: "egerci" <nginx-forum at nginx.us>
> To: nginx at sysoev.ru
> Subject: Re: Nginx security problem

> mike Wrote:
> -------------------------------------------------------
>  
> > Actually, SoftLayer is quite security-focused. I
> > am a customer and
> > have been quite happy with them.
> > 
> > They are doing the standard "fix your servers or
> > we'll cut you off" -
> > they're not saying security is a "tool" - they're
> > telling him that he
> > needs to hire someone they trust to fix his
> > servers up as he does not
> > seem to be equipped to, or they will shut him off.
> > It's not worth the
> > overhead they have to take on to have people who
> > don't know how to
> > manage their own servers.
> 
> Yes, it happened as you said. They asked me to hire someone they trust.
> 
> And then a third-party company made a report about my server: it is clean.
> 
> And in their report, they hardened and optimized my Apache and MySQL
> server???
> On that server there is no Apache and no MySQL server.
> I had already used tools like rootkit tools, CSF firewall etc.
> They re-installed these tools and attached these tools' results to their report.
> (I had used the latest version but they didn't.)
> 
> I had already taken these steps.
> 
> I have used Softlayer for years and I am also happy with them.
> 
> The problem is giving trust/certification to a company that behaves or takes
> action like me!
> This shows SL's understanding of security.
> 
> But it is not the topic...
> 
> As you see, I am still working with SoftLayer, but not with SMC.
> 
> > FYI: I run 0.8.x. I run the latest possible
> > version Igor puts out
> > whenever I have time to update.
> 
> > As someone once told me, "Igor's betas are more
> > stable than most
> > people's stable versions" and I would have to
> > agree.
> 
> Thanks for your comment. Up to now, I have used the latest beta versions. I
> heard something like that sentence before.
> But this time I decided to use the stable version. Maybe later I will upgrade...
> 
Since your attack vector does not seem to be the HTTPD I would suggest that you first start to harden your PHP installation. You said that an external company has hardened your PHP installation. Could you post your PHP configuration here? Or post a link to it?

The basic hardening stuff from PHP is not that hard. A small guide scratching the most important things can be found here:
http://www.madirish.net/?article=229

A well configured PHP and additionally something like Suhosin (http://www.hardened-php.net/suhosin/) could be a good starting point. Have a look at the configuration options -> http://www.hardened-php.net/suhosin/configuration.html <- and install it if you can. Enable the simulation mode "suhosin.simulation=On" for some days and look closely at the logs to identify potential problems and solve them before activating Suhosin. Activate at least the basic stuff (your distro should already distribute a pre-made configuration that you should use):
suhosin.simulation=On
suhosin.session.encrypt=Off
suhosin.log.syslog=511
suhosin.executor.include.max_traversal=4
suhosin.executor.disable_eval=On
suhosin.executor.disable_emodifier=On
suhosin.mail.protect=2
suhosin.sql.bailout_on_error=On

For PHP you should disable some dangerous functions. Please look up the documentation about each of them before disabling them. In your case I would at least close down the following ones:
disable_functions = "exec, passthru, pclose, popen, readfile, shell_exec, show_source, system, virtual"

If you are ultra paranoid then consider adding more of those functions that are well known to be used in malicious ways (besides the ones mentioned already above) (and again: please read in the documentation what they do before you disable them):
apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_restore
inject_code
mysql_pconnect
openlog
phpAds_XmlRpc
phpAds_remoteInfo
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
syslog
xmlrpc_entity_decode

If you don't need to include/read external files then close down that functionality in PHP:
allow_url_fopen = Off
allow_url_include = Off

If you don't need upload functions then disable it:
file_uploads = Off

If you need upload functions then at least put the temporary directory for the upload into a partition that you have mounted with "nodev,nosuid,noexec":
upload_tmp_dir = /path/to/php/upload

I would as well limit the include path to be inside your web root:
open_basedir = /path/to/web/root

You probably use something like FCGI to run your PHP. Try chrooting your PHP and/or try to run it with limited uid/gid.

Implementing at least a bunch of those options should already make it much harder to exploit your setup. Read again: Harder! Not impossible!


> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> 
> Jim Ohlstein Wrote:
> -------------------------------------------------------
> > I would agree. Softlayer is an excellent host
> > which I have used on and 
> > off over the years for different needs. I think
> > this is their reaction 
> > to a customer for whom they cannot provide hand
> > holding services.
> 
> Yes, you are right. SL is an excellent host. Because of this I am still a
> customer of SL.
> But when I asked them about my attack, they just replied to me that it is
> not their job, please hire a third-party management company.
> 
> As I said above, it is not the topic.
> 
> Thank you all
> 
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,27636,28300#msg-28300
> 
> 

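As an added example (not code from this thread, from Suhosin or from nginx), a POSIX shell audit that checks a php.ini for the directives Steve lists above: allow_url_fopen and allow_url_include off, the disable_functions set, open_basedir, and upload_tmp_dir when uploads stay enabled. The helper names are assumptions, and the ini lines used for testing are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a php.ini against the
# hardening directives recommended above. Assumes "key = value" lines.
REQUIRED_DISABLED="exec passthru pclose popen readfile shell_exec show_source system virtual"

# ini_get FILE KEY: value of KEY (last active line, quotes and surrounding
# whitespace stripped), or empty if unset; ";" comment lines never match.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//' | tail -n 1
}

# is_off VALUE: true for the ini spellings of a disabled flag.
is_off() {
    case "$1" in [Oo]ff|0|[Ff]alse|[Nn]o) return 0 ;; *) return 1 ;; esac
}

# audit_php_ini FILE: print one FAIL line per weak setting; the return
# value is the number of failures (0 = every checked directive hardened).
audit_php_ini() {
    f=$1; fails=0
    # Remote file access must be explicitly Off (allow_url_fopen defaults
    # to On, so leaving either directive unset is reported as a failure).
    for key in allow_url_fopen allow_url_include; do
        if ! is_off "$(ini_get "$f" "$key")"; then
            echo "FAIL: $key is not Off"; fails=$((fails + 1))
        fi
    done
    # Every required function must appear in disable_functions.
    disabled=$(ini_get "$f" disable_functions | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        found=0
        for d in $disabled; do
            if [ "$d" = "$fn" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "FAIL: $fn missing from disable_functions"; fails=$((fails + 1))
        fi
    done
    # open_basedir must confine includes to the web root.
    if [ -z "$(ini_get "$f" open_basedir)" ]; then
        echo "FAIL: open_basedir is not set"; fails=$((fails + 1))
    fi
    # Uploads left on need a dedicated (noexec) upload_tmp_dir.
    if ! is_off "$(ini_get "$f" file_uploads)" && [ -z "$(ini_get "$f" upload_tmp_dir)" ]; then
        echo "FAIL: file_uploads is on but upload_tmp_dir is not set"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run it as `audit_php_ini /path/to/php.ini`; each FAIL line names the directive to fix and the exit status is the number of findings.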


