Mike Sheinberg on 1 Feb 2011 05:27:51 -0800


Re: [PLUG] apache security

@Lazin - I have a collection of custom PHP scripts and a joomla instance. The joomla piece I got down fine, I've been burned in the past there so now I'm always on top of security updates + akeeba backups. 

I've heard about Nessus before but never played with it. I'll give it a shot and see if it's worth it in our environment.

Thanks for all the help guys! This is a good start to work with.

On Mon, Jan 31, 2011 at 8:04 PM, <mdecheser@comcast.net> wrote:
Mike, I recommend two things:

1) Nessus - Not sure if you've ever used it, but it's a great baseline vulnerability scanner.  Depending on what PHP stuff you're running (Lazin suggested CMSs), you can configure Nessus to perform authenticated scans.  The reports generated from those scans go from general (PHP version x.x is detected, please upgrade) to specific (phpBB version x.x contains a known security risk, please upgrade).

2) mod_security - Highly recommended in the context of file uploads.  You can configure mod_security to jail uploads.  Used in conjunction with some creative scripting, you can configure a file upload to trigger the running of a script which egreps through the file upload and checks for known language preambles (<?php, /bin/bash, /usr/bin/perl, etc) and trashes them.  That will probably catch 98% of the script kids out there.

There's a ton of other things to consider, but those two could keep you busy for a while. :)


----- Mike Sheinberg <m.sheiny@gmail.com> wrote:
> Was hoping I could also squeeze some apache security advice out of some of you
> this fine evening :) Last question today... Promise! *Fingers crossed*
> I am tasked with rebuilding a LAMP web-server that previously had security
> issues. The problem is there is a lot of php code and frankly it's a bit
> daunting to pore over it all and try to sanitize it 100% before putting the
> server live again. I don't think it's all bad code but some of the forms are
> definitely suspect as I sift through it. So my thoughts were to try and
> throw the system back up slowly after reviewing the most obvious flaws and
> fixing them (there are multiple web sites on the same box) .... try to use
> some type of containment, and lock down the crap out of apache. I don't know
> if I have the time to go through each and every PHP script but I am trying
> to only throw up the bare essentials needed, very slowly so I can watch and
> monitor the situation. I know I'll get a lot of flak from some off the list
> for not combing the code 100% - but I just want to make the assumption that
> even if I scrape all the code that something insecure will make it through.
> I've been looking into security modules for Apache (stuff like mod_chroot
> and mod_security) but there seem to be some drawbacks for each one (either
> compatibility, complexity, or some loophole).  Has anyone had any experience
> with mod_chroot specifically - was it a worthwhile install?
> FYI - I don't have physical access to this server and it is public facing
> (hence all my earlier ip tables questions). I run integrity checkers daily
> on the file-system so I can see whenever files are modified anywhere - and I
> also plan on taking good backups and using plenty of logging. So with all
> that in mind, are there any good apache security tips that someone can recommend
> or that have really helped you guys out? I plan to run about 10 sites on
> this box, utilizing mostly php and python scripts. I have also been poring
> over php.ini security tips as well and I realize now that someone previously
> set register_globals to 'on' which I've read is a huge no-no.
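The upload check mdecheser describes (a script that greps a freshly uploaded file for known language preambles and trashes it on a match), written out as an added example. This is not code from the thread or from mod_security; the pattern list, the quarantine directory and the function names are assumptions for illustration, and the example moves matches to a quarantine directory rather than deleting them so an admin can review what was caught.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): scan an uploaded file for the
# script preambles named in the discussion and quarantine it on a match.
# Pattern list, directory names and function names are assumptions.

# Preambles from the thread (<?php, /bin/bash, /usr/bin/perl) plus the PHP
# short echo tag and env-style shebangs of the same kind. Matched
# case-insensitively anywhere in the file, not just on line 1, because an
# "image" with a script appended still carries the preamble further down.
SCRIPT_PREAMBLES='<\?php|<\?=|#!.*/bin/(ba)?sh|#!.*/usr/bin/(env )?(perl|python|php)'

# has_script_preamble FILE
#   exit status 0 if FILE contains a known preamble, 1 if it does not.
#   grep -q keeps binary uploads (images, PDFs) quiet but still reports a hit.
has_script_preamble() {
    grep -E -i -q "$SCRIPT_PREAMBLES" "$1"
}

# quarantine_if_script FILE QUARANTINE_DIR
#   Moves FILE into QUARANTINE_DIR (mode 0600, so the web server cannot
#   serve or run it) when it matches; prints "quarantined" or "clean".
#   Returns 2 only if the move or directory creation itself fails.
quarantine_if_script() {
    file=$1
    qdir=$2
    mkdir -p "$qdir" || return 2
    if has_script_preamble "$file"; then
        mv "$file" "$qdir/" || return 2
        chmod 0600 "$qdir/$(basename "$file")"
        echo "quarantined"
    else
        echo "clean"
    fi
}

# Usage from an upload hook (paths are placeholders):
#   quarantine_if_script /var/www/uploads/tmp/new.jpg /var/quarantine
```

The preamble grep is a cheap triage step, not a parser: it catches the obvious cases the thread is talking about, and the file should still be written to a directory where Apache has no PHP or CGI handler enabled, so that anything the pattern list misses is served as inert bytes rather than executed.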

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
