Nginx security problem

Steve steeeeeveee at gmx.net
Sun Dec 6 00:58:11 MSK 2009


-------- Original message --------
> Date: Sat, 5 Dec 2009 14:01:19 -0500
> From: "egerci" <nginx-forum at nginx.us>
> To: nginx at sysoev.ru
> Subject: Re: Nginx security problem

Hello egerci,


> Thanks very much for your advice.
> I have switched back to the last stable version, nginx 0.7.64.
> Do you suggest that I use a 0.8.** version?
> 
It's hard to say. I am using the 0.8.x version and have so far had no issue doing that. But I think Igor is not marking the 0.7.x releases as stable for no reason. So if there is nothing in 0.8.x that you ABSOLUTELY need, then don't go with 0.8.x. It will only add an additional *unsure* factor to your setup, and currently what you need is STABILITY and PREDICTABILITY. And 0.7.x is exactly that.


> I am not a system specialist. I will follow your advice step by step.
> But first I have to check it, because I am not sure whether it is possible to
> install these applications on my side.
> 
I told you not to trust anyone. That includes me as well. Please take your time to UNDERSTAND what is going on. If you don't know where you are (let's mark this as "STARTING POINT" or SP), then it does not help to know where you want to be (let's mark this as "TARGET POINT" or TP). Because the path from STARTING POINT to TARGET POINT is not possible to calculate, plan, influence, evaluate, whatever, if you don't have a STARTING POINT. Do you understand what I mean?

Please try to solve the issue you are facing. And to do that you need to stay calm. If you have problems with your setup, then analyze it and find out what the problem is. When you know the problem, then you have that STARTING POINT, and you already have the TARGET POINT (which is: not having the problem again in the future). So then you just need to look at how to get from SP to TP. That's it.

And please don't just react. Plan for the worst scenario and plan how to act when that case happens. Let's assume that Apache is indeed a possible way for you to ease the attacks you have. Then set up an instance of Apache and make it ready, so that should your nginx setup again have some issue, you could switch in a matter of minutes to your Apache instance and take the time to look more closely at the issue you had with nginx, learn from the problem and eliminate that problem for the future. Then, when you have fixed your nginx setup, switch back again from Apache to nginx and let nginx handle everything. After some time your problem rate with nginx will slowly go down to zero and you will never need that Apache instance again. But having it will still allow you to sleep calmly at home, knowing that should anything happen you have at least one backup plan that could help.


> Thank you again for your suggestion.
> 
Don't think that you are alone here. Everyone doing serious web hosting or things like that has been burned by one security issue or another that some web application has. Heck! I even was rooted. TWICE in a week. And just because I had SSHv1 enabled in my OpenSSH (that was years, years, years ago).

It's not a shame to run into such issues. But it's a shame not to learn from them.

You have here on this ML a gazillion people with combined knowledge that you alone will probably never have. So use that knowledge. Ask nginx-related stuff here and learn. I am pretty sure no one will push you away if you have some nginx-related question.


> Sure I am not.
> Softlayer has forced me to use one of the 6 server management companies
> that are trusted and certified by Softlayer, or close my network.
> They told me "If they report that your server is clean, it is ok." So I
> had to go with one of them.
> 
Then Softlayer does not understand anything about security. Security is not a tool, nor is it something you apply once and then forget about. Security is a process. You need to constantly take care of it. Sometimes it is technical (hardware that can be installed, software that can be hardened, etc.) and sometimes it is organizational (you have a checklist to follow in case of a security breach, you alert a security person in case of a security breach, you close your forum for X hours in case of a security breach/break, etc.).


> Never mind, I will close my relationship with the server management company and reinstall
> nginx. And I look ahead.
> 
That's the way to go! Think positive! It can only get better :)


> Best regards
> 
// Steve