[pmwiki-devel] Slightly OT: Experiences protecting server against attacks

ThomasP pmwiki at sigproc.de
Thu Mar 27 12:41:12 CDT 2008


On Thu, March 27, 2008 3:35 pm, pmwiki at 911networks.com wrote:
>
> A. You haven't told us what's your setup.
> B. You haven't told us how they broke in.
>

Correct, I "forgetfully" omitted this. It's a Debian etch 4.0, running
with a 2.6.18 Linux kernel. How the break-in happened is not yet clear,
but that the machine was compromised at all was noticed because of an
outgoing DDoS attack. [This was seen in the process list as
"./s <ip-address> 80", forked from a /usr/sbin/httpd process, even though
there is no httpd file on the machine, at least not anymore.]

I'm relatively sure that the compromise did not come via a PHP/PmWiki
route. register_globals is off, and I have been cautious in all my
dealings with ini files etc. (I'm running Apache, btw, together with a
FastCGI version of PHP and suExec.) Critical in my view could be
old-versioned components, but this is a problem that will always persist.
(The software is only ever up to date until the next bugfix is made.)


> 1. The OS must be properly configured, whether MS, Linux or BSD, and
> yes, they can be configured to be very secure.
> 2. For Pmwiki take a look at:
> http://www.pmwiki.org/wiki/PmWiki/Security as a starting point.
>
>> At this opportunity the idea of having a centralized blacklist
>> server for attacking IPs (similar to the spam blacklists, but
>> also with their disadvantages) came once again to my mind. Would
>> there be an interest/ does it make sense to have something like
>> this realized?
>
> Not really. A good server and good implementation MUST survive in
> the wild by itself.
>
> Actually, I doubt that it was 1 person that attacked you, unless
> you have some personal enemies. It's much more likely that it was
> a bot, and for those the IP addresses are useless, because they
> infect other computers/IPs.
>

Well, I would not agree with this. No matter whether it is a human, a bot
or a pile of bots, in the end there has to be one machine (having one IP
address) that actually breaks in (= gains root access). It does not matter
in this regard whether that machine was itself only used as a "proxy" by
the real attacker; one would nevertheless prefer to mark it as bad.

Thomas
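The symptom described in the post (a "./s <ip> 80" child of something calling itself /usr/sbin/httpd, with no such binary on disk) is a classic sign of a process whose argv[0] was spoofed or whose binary was unlinked after launch. The script below is an added example, not code from the post or from PmWiki; it walks a Linux /proc tree and flags any process whose mapped executable is marked "(deleted)" or is missing from disk, or whose absolute argv[0] names a path that does not exist or does not resolve to the executable actually running. It assumes a Linux-style /proc layout (exe symlink, NUL-separated cmdline) and GNU/BusyBox readlink with -f; the PROC_ROOT variable and the function names are this example's own, and the tree root can be pointed at a constructed copy for testing.

```shell
#!/bin/sh
# rogue_procs.sh: added example, not from the original post.
# Flags running processes whose binary is gone from disk or whose argv[0]
# claims a path that does not match /proc/<pid>/exe (argv[0] spoofing).
# Assumes Linux /proc semantics and a readlink that supports -f.

PROC_ROOT="${PROC_ROOT:-/proc}"   # hypothetical knob so a fake tree can be scanned

# argv0_of <procdir>: first NUL-separated field of cmdline; empty for kernel threads.
argv0_of() {
    tr '\0' '\n' < "$1/cmdline" 2>/dev/null | head -n 1
}

# check_process <procdir>: writes findings to stderr.
# Returns 0 if the process looks suspicious, 1 if clean or unreadable.
check_process() {
    dir="$1"
    pid="${dir##*/}"
    # Kernel threads and other users' processes yield no readable exe link: skip them.
    exe=$(readlink "$dir/exe" 2>/dev/null) || return 1
    [ -n "$exe" ] || return 1
    argv0=$(argv0_of "$dir")
    suspicious=1

    # Case 1: the kernel marks an unlinked binary with a " (deleted)" suffix.
    case "$exe" in
        *" (deleted)")
            echo "$pid: executable deleted after start: $exe (argv0=$argv0)" >&2
            suspicious=0 ;;
    esac

    # Case 2: exe points at a path that is simply not on disk (e.g. unmounted tmpfs).
    if [ "$suspicious" -ne 0 ] && [ ! -e "$exe" ]; then
        echo "$pid: executable path not on disk: $exe (argv0=$argv0)" >&2
        suspicious=0
    fi

    # Case 3: argv[0] is an absolute path that lies about what is running.
    # Only absolute argv[0] values are compared, to avoid noise from "sh" vs dash etc.
    case "$argv0" in
        /*)
            if [ ! -e "$argv0" ]; then
                echo "$pid: argv[0] names a file that does not exist: $argv0 (exe=$exe)" >&2
                suspicious=0
            elif [ "$(readlink -f "$argv0")" != "${exe%" (deleted)"}" ]; then
                echo "$pid: argv[0] $argv0 does not match mapped executable $exe" >&2
                suspicious=0
            fi ;;
    esac
    return "$suspicious"
}

# count_suspicious [procroot]: scans every numeric entry, prints the count on stdout.
count_suspicious() {
    root="${1:-$PROC_ROOT}"
    count=0
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        if check_process "$d"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage: sh rogue_procs.sh --scan [/proc]
if [ "${1:-}" = "--scan" ]; then
    count_suspicious "${2:-/proc}"
fi
```

Run it as root so every /proc/<pid>/exe is readable; unprivileged runs silently skip other users' processes. A hit is a starting point, not proof: package upgrades legitimately leave long-running daemons with a "(deleted)" binary until restart, so cross-check each finding against the package manager and the file's mtime before pulling the plug.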