Re: [mod-security-users] Boink filter
From: Jason H. <Jas...@tr...> - 2006-02-08 01:53:24
Tom Anderson wrote:
> You need to search through the apache logs and find the query which
> resulted in the compromise. That will tell you which software is
> allowing the upload to /tmp, and it will give you some insight into
> how to block that query. For instance, I know that AWStats does not
> do proper sanitizing of some input because it once led to a worm
> compromising my machine.

And this is why everyone who can should use the chroot feature...

If your Website doesn't use CGI (i.e. it sticks to PHP), then sticking it in a chroot jail stops all this nonsense. I ran a (Redhat-5.0) Apache 1.X server for 4 years - unpatched - in a jail. Several Apache and OpenSSL exploits later and it NEVER got compromised (and there were a lot of attempts).

I'm not saying it's a "silver bullet", but it ruins a lot of these sorts of automated attacks IMHO: Anyone running a Reverse proxy in a security role should be doing jails.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
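The post recommends running Apache (or a reverse proxy) inside a chroot jail; the check a defender wants afterwards is whether the daemon's worker processes are actually confined. The script below is an added example, not part of the mailing-list thread: it compares the kernel's view of each process root (/proc/PID/root) with the real root. It assumes Linux with /proc mounted and a procps-style pgrep; the daemon name "httpd" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a running
# process is confined by chroot(2). For an unconfined process the
# /proc/PID/root link resolves to "/"; for a chrooted one it resolves to
# the jail directory as seen from the caller's namespace.
# Prints "yes", "no" or "unknown" (no /proc entry, or no permission).
is_chrooted() {
    pid=$1
    [ -e "/proc/$pid/root" ] || { echo unknown; return 0; }
    target=$(readlink "/proc/$pid/root" 2>/dev/null) || { echo unknown; return 0; }
    if [ "$target" = "/" ]; then
        echo no
    else
        echo yes
    fi
}

# Walk every process with the given command name and report its status.
# Assumes pgrep(1); "httpd" below is a placeholder for the daemon name.
report_daemon() {
    name=$1
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        printf '%s pid=%s chrooted=%s\n' "$name" "$pid" "$(is_chrooted "$pid")"
    done
}

# Usage: ./check_jail.sh [daemon-name]
report_daemon "${1:-httpd}"
```

Run it as root (or as the daemon's user) so /proc/PID/root is readable; a mix of "yes" and "no" across workers means the jail is not applied to the whole daemon.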