[wp-hackers] [OT] Resources for Defending Against Blog Attacks
iacobs at m0n5t3r.info
Wed Aug 8 20:30:37 GMT 2007
Alex Günsche wrote:
> Some good advices came from Jacob already, I think I'll also add my 2
> * Set up the firewall properly. "Drop" policy for all not required
> ports. Take measures against flooding. Set up and maintain blacklists
> (although this might render useless with certain sorts of DDOS).
> Good tutorials on advanced firewall configuration:
> - http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
> - http://forums.gentoo.org/viewtopic-t-159710.html
> If you don't want to maintain your IPtables rulesets manually, I can
> recommend Firehol (also a CLI tool, but very easy and quick to use).
* default "drop" policy is risky (you can lock yourself out if you're
not creful), you'll be better off with a drop rule at the end of the
* the gentoo initscripts make managing firewalls easy without other
software; I think the Fedora/Centos init scripts do a similar job (they
use iptables-save and iptables-restore); otherwise, you'll need some
configuration tool (I ound the firewall managing initscripts from Suse
horrible, for instance, and Debian has no such thing, AFAIK)
> * Fail2ban (http://www.fail2ban.org) is a good tool against DDOS
> attacks. It will automatically ban users for a certain time who violate
> your policy, and add them to a temporary blacklist.
DDOS can't really be mitigated at the server level; you'll need an ISP
that responds quickly for this (the attacker's goal is usually to fill
your pipe, which makes filtering at the server level useless)
> * Use a dedicated mail server or service (simply set the DNS MX record
> for the other machine and let that one handle mail). This way, massive
> spam surges won't affect your main server.
good suggestion... also, you may want to use tmda or a similar tool
(whitelist-based) instead of the usual SpamAssassin / bayesian filtering
> * Don't install software you don't need. I've seen people running X on a
> webserver, but even too many Apache modules can be a risk.
especially avoid development tools, if using a compiled distribution
> * As for PHP: Also use only modules you need, and use open_basedir
> restrictions. Safe Mode is rubbish, but open_basedir can really protect
> your system if there's a leak in a PHP application. (When setting up
> open_basedir restrictions, set them per vHost, and put the tmp path into
> the same folder. No global /tmp for webapps.)
/me should do this, too
> * As for MySQL: Of course, no network access for MySQL. But you can also
> try to set up MySQL recourses in a fashion that a DOS attack doesn't
> render your system unusuable because of MySQL bottlenecks. If you can,
> increase the query and table caches.
if you have control over the hardware you can do some more: give mysql
its own hard drive and plenty of RAM
> * Possibly decrease logging: Heavy logging can decrease your harddisk's
> performance. Sometimes it can be better to log less. Btw, MySQL by
> default creates binlogs. They can be useful, but mostly they do nothing
> but eating harddisk space and performance, so switch them off in my.cnf.
... and/or don't serve files off the same harddisk which holds the logs
> * If you're really paranoid, compile your kernel with only support for
> stuff you need, and deactivate loadable modules in the kernel
> configuration. Recent attack vectors don't use userspace rootkits, but
> kernel rootkids loaded as modules.
if an attacker has root access, he can always write to /proc/kcore and
hide anything he likes, even without modules
> * And a non-tech note, if you know these guys: Sue them.
I would add:
* use linux-vserver; it's chroot on steroids ;)
More information about the wp-hackers