Nginx securiy problem

Michael Shadle mike503 at gmail.com
Sun Dec 6 05:25:28 MSK 2009


On Sat, Dec 5, 2009 at 4:30 PM, egerci <nginx-forum at nginx.us> wrote:

> The problem is giving  trust/certificate to company that behave or take action like me!
> This show SL's understanding of Security.

who would you believe more:

a) your friend of 3 years
b) someone off the street

you're the one who originally got exploited. why would they trust you
more than someone who they've certified/authorized to be a server
administration consultant? :)

forgive me if you already mentioned this, but is this a shared hosting
server (do you have multiple clients on it) or is it just yourself?

if it is yourself, i wouldn't bother with all the locking down of php
using disable_functions and such.

i would examine the code for exploits. hire someone to do it for you.
you probably have a lot of holes, it's very easy in php. one of my
clients back when i used to do virtual hosting kept getting exploited
over and over. one of them racked up a $2000 bandwidth bill because
the exploit downloaded an XDCC bot sending out pirated movies on IRC.
i was able to talk the provider down some and collect some money from
the kid but i never got it all back. i'm so glad i'm out of that game
now.

i am not sure that suhosin nor php's safe mode or disable_functions
behavior would have fixed that either. i don't think i had suhosin in
the mix back then, nowadays i run a suhosin patched php and the
suhosin module too. although i am not sure they help; they wind up
being so restrictive i have to set a bunch of high boundaries so
common things work properly.



More information about the nginx mailing list