Nginx security problem
steeeeeveee at gmx.net
Sun Dec 6 05:06:47 MSK 2009
-------- Original Message --------
> Date: Sat, 5 Dec 2009 19:30:27 -0500
> From: "egerci" <nginx-forum at nginx.us>
> To: nginx at sysoev.ru
> Subject: Re: Nginx security problem
> mike Wrote:
> > Actually, SoftLayer is quite security-focused. I
> > am a customer and
> > have been quite happy with them.
> > They are doing the standard "fix your servers or
> > we'll cut you off" -
> > they're not saying security is a "tool" - they're
> > telling him that he
> > needs to hire someone they trust to fix his
> > servers up as he does not
> > seem to be equipped to, or they will shut him off.
> > It's not worth the
> > overhead they have to take on to have people who
> > don't know how to
> > manage their own servers.
> Yes, it happened as you said. They asked me to hire someone they trust.
> And then the third-party company made a report about my server: it is clean.
> And in their report, they hardened and optimized my Apache and MySQL.
> On that server there is no Apache and no MySQL server.
> I had already used tools like rootkit tools, the CSF firewall, etc.
> They re-installed these tools and attached these tools' results to their report.
> (I had used the latest version, but they didn't.)
> I had already done these steps.
> I have used SoftLayer for years and I am also happy with them.
> The problem is giving trust/a certificate to a company that behaves or takes
> action like me!
> This shows SL's understanding of security.
> But it is not the topic...
> As you see, I am still working with SoftLayer, but not with SMC.
> > FYI: I run 0.8.x. I run the latest possible
> > version Igor puts out
> > whenever I have time to update.
> > As someone once told me, "Igor's betas are more
> > stable than most
> > people's stable versions" and I would have to
> > agree.
> Thanks for your comment. Up to now, I have used the latest beta versions. I
> heard something like that sentence before.
> But this time I decided to use the stable version. Maybe later I will upgrade...
Since your attack vector does not seem to be the HTTPD, I would suggest that you first harden your PHP installation. You said that an external company has hardened your PHP installation. Could you post your PHP configuration here, or post a link to it?
The basic hardening of PHP is not that hard. A small guide touching on the most important things can be found here:
A well-configured PHP and additionally something like Suhosin (http://www.hardened-php.net/suhosin/) could be a good starting point. Have a look at the configuration options -> http://www.hardened-php.net/suhosin/configuration.html <- and install it if you can. Enable the simulation mode ("suhosin.simulation=On") for a few days and look closely at the logs to identify potential problems and solve them before activating Suhosin for real. Activate at least the basic stuff (your distro should already ship a pre-made configuration that you should use):
For PHP you should disable some dangerous functions. Please look up the documentation about each of them before disabling them. In your case I would at least close down the following ones:
disable_functions = "exec, passthru, pclose, popen, readfile, shell_exec, show_source, system, virtual"
If you are ultra paranoid, then consider adding more of the functions that are well known to be used in malicious ways (besides the ones mentioned above) (and again: please read in the documentation what they do before you disable them):
If you don't need to include/read external files then close down that functionality in PHP:
allow_url_fopen = Off
allow_url_include = Off
If you don't need upload functions then disable it:
file_uploads = Off
If you need upload functions then at least put the temporary directory for the upload into a partition that you have mounted with "nodev,nosuid,noexec":
upload_tmp_dir = /path/to/php/upload
I would as well limit the include path to be inside your web root:
open_basedir = /path/to/web/root
You probably use something like FCGI to run your PHP. Try chrooting your PHP and/or try to run it with limited uid/gid.
Implementing at least a bunch of those options should already make it much harder to exploit your setup. Read again: Harder! Not impossible!
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
> Jim Ohlstein Wrote:
> > I would agree. Softlayer is an excellent host
> > which I have used on and
> > off over the years for different needs. I think
> > this is their reaction
> > to a customer for whom they cannot provide hand
> > holding services.
> Yes, you are right. SL is an excellent host. Because of this I am still a
> customer of SL.
> But when I asked them about my attack, they just replied that it is
> not their job, please hire a third-party management company.
> As I said above, it is not the topic.
> Thank you all
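As an added example (not part of the original post, and not code from PHP, Suhosin or any other project), here is a small POSIX shell audit that checks a php.ini against the settings recommended in the message above (disable_functions, allow_url_fopen/allow_url_include, file_uploads with a restricted upload_tmp_dir, open_basedir, and whether Suhosin was left in simulation mode) and verifies that the upload directory sits on a nodev,nosuid,noexec mount by parsing a /proc/mounts-style table. The two php.ini files, the mount table and every path in them are constructed samples, so the script runs offline; on a real box you would point it at the live php.ini and /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a php.ini against the
# hardening advice above and check the mount options under upload_tmp_dir.
# Sample configs and mount table are constructed inline; all paths are hypothetical.

# Functions from the post's list that should appear in disable_functions.
REQUIRED_DISABLED="exec passthru pclose popen readfile shell_exec show_source system virtual"

# ini_get FILE KEY: value of the last uncommented "KEY = value" line, with
# surrounding quotes and trailing whitespace removed ("" if the key is unset).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# missing_disabled_functions INI: print each required function that is not in
# disable_functions, one per line (no output means all of them are disabled).
missing_disabled_functions() {
    _disabled=$(ini_get "$1" disable_functions | tr ',' ' ')
    for _f in $REQUIRED_DISABLED; do
        _found=0
        for _d in $_disabled; do if [ "$_d" = "$_f" ]; then _found=1; fi; done
        [ "$_found" -eq 1 ] || echo "$_f"
    done
}

# mount_opts_for MOUNTS DIR: mount options (4th /proc/mounts field) of the
# longest mount point that contains DIR.
mount_opts_for() {
    awk -v dir="$2" '
        { mp = $2
          if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
              if (length(mp) > length(best)) { best = mp; opts = $4 } } }
        END { print opts }' "$1"
}

# mount_is_restricted MOUNTS DIR: succeed only if DIR is on a mount that
# carries all of nodev, nosuid and noexec.
mount_is_restricted() {
    _opts=$(mount_opts_for "$1" "$2")
    for _want in nodev nosuid noexec; do
        case ",$_opts," in *",$_want,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_php_ini INI MOUNTS: report each weak setting on stderr and print the
# number of findings on stdout (0 means every check passed).
audit_php_ini() {
    _n=0
    for _fn in $(missing_disabled_functions "$1"); do
        echo "FAIL: $_fn is not in disable_functions" >&2; _n=$((_n + 1))
    done
    # key=PHP built-in default; the default applies when the key is absent.
    for _pair in allow_url_fopen=On allow_url_include=Off; do
        _key=${_pair%%=*}; _v=$(ini_get "$1" "$_key"); _v=${_v:-${_pair#*=}}
        case "$_v" in
            [Oo]ff|0) ;;
            *) echo "FAIL: $_key=$_v (want Off)" >&2; _n=$((_n + 1)) ;;
        esac
    done
    case "$(ini_get "$1" file_uploads)" in
        [Oo]ff|0) ;;   # uploads disabled: nothing more to check
        *)  _dir=$(ini_get "$1" upload_tmp_dir)
            if ! mount_is_restricted "$2" "${_dir:-/tmp}"; then
                echo "FAIL: file_uploads is on but ${_dir:-/tmp} is not on a nodev,nosuid,noexec mount" >&2
                _n=$((_n + 1))
            fi ;;
    esac
    [ -n "$(ini_get "$1" open_basedir)" ] \
        || { echo "FAIL: open_basedir is not set" >&2; _n=$((_n + 1)); }
    case "$(ini_get "$1" suhosin.simulation)" in
        [Oo]n|1) echo "FAIL: suhosin.simulation is still On (Suhosin logs, never blocks)" >&2
                 _n=$((_n + 1)) ;;
    esac
    echo "$_n"
}

# Constructed samples: a stock-looking php.ini, one following the advice above,
# and a /proc/mounts-style table. Paths are hypothetical.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
MOUNTS_FILE=$SAMPLE_DIR/mounts; WEAK_INI=$SAMPLE_DIR/weak.ini; HARD_INI=$SAMPLE_DIR/hard.ini
cat > "$MOUNTS_FILE" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda3 /var/php/upload ext3 rw,nosuid,nodev,noexec 0 0
EOF
cat > "$WEAK_INI" <<'EOF'
disable_functions =
allow_url_fopen = On
file_uploads = On
upload_tmp_dir = /tmp
open_basedir =
suhosin.simulation = On
EOF
cat > "$HARD_INI" <<'EOF'
disable_functions = "exec, passthru, pclose, popen, readfile, shell_exec, show_source, system, virtual"
allow_url_fopen = Off
allow_url_include = Off
file_uploads = On
upload_tmp_dir = /var/php/upload
open_basedir = /var/www/html:/var/php/upload
suhosin.simulation = Off
EOF

echo "weak.ini findings: $(audit_php_ini "$WEAK_INI" "$MOUNTS_FILE")"   # 13
echo "hard.ini findings: $(audit_php_ini "$HARD_INI" "$MOUNTS_FILE")"   # 0
```

Two caveats worth keeping in mind when applying the advice: open_basedir restricts every filesystem path PHP may open, not only includes, so list each directory PHP legitimately needs (web root, upload_tmp_dir, and so on) separated by ':' on Unix, otherwise uploads or session handling silently break; and a Suhosin left at suhosin.simulation=On after the trial period only logs what it would have blocked, which is why the audit treats that as a finding.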