
Re: phpBB vulnerability exploited

Francesco P. Lovergine said:

> I run apache using dchroot to avoid the most common problems.
> Breaking a chroot is possible, but not so easy, and it's more
> difficult within dchroot, which _should_ drop privileges properly AFAIK.
> I do that commonly for hosting services where users can run their own
> php and cgi scripts. That cannot avoid creating shell services, surely,
> but it avoids password cracking, use of cron, access to kernel modules
> and log files, and so on.

I had one of our machines cracked by this exploit.
Further Mitigation:
Running a security hardened kernel and a full input/output blocking
iptables script prevented further exploit.
I use both these options in a grsec vserver hardened kernel to prevent
exploit and make it trivial to restore a system if it gets cracked.
Here is a sample iptables hardening script, for grins and giggles for a
(see below... let me know if you see any obvious improvements.)
Run the bastille tmpsetter program to create a random tmp and temp
variable for each process in a subdirectory of /tmp, therefore preventing
another process even of the same user from accessing a file that was

Can you mount a directory such as /tmp with noexec or similar options if
it is not a separate partition?

# Loopback traffic and replies to connections we already know are always allowed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New ssh and rsync connections are accepted only from the admin/backup hosts;
# everybody else falls through to the final REJECT, which sends the same
# icmp-port-unreachable that the original "-s ! host ... -j REJECT" rules did.
# (Those rules never ACCEPTed the admin host, so it would have hit the final
# REJECT too.) adminhost, backuphost and DNS1 are placeholders for real addresses.
iptables -A INPUT -i eth0 -s adminhost -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s backuphost -m state --state NEW -p tcp -m tcp --dport rsync -j ACCEPT

# DNS only to and from the configured resolver.
iptables -A INPUT -i eth0 -s DNS1 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -d DNS1 -p udp -m udp --dport 53 -j ACCEPT

# Public web service on http and https only. The original "--dport 80:443" is a
# port range and would have opened every port from 80 to 443.
iptables -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT

# Everything else on eth0, in both directions, is rejected.
iptables -A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
# include outgoing web traffic to apt-proxy server for apt-get updates...

--Luke CS Sysadmin, Montana State University-Bozeman
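On the /tmp question raised above: a directory that is not its own partition can still get noexec, nosuid and nodev by bind-mounting it over itself and then remounting that bind with the restrictive flags. The script below is an added example, not code from the post or from Bastille; it assumes a Linux kernel that honours per-mount flags on a bind remount (2.6.26 and later), root for the two mount calls, and a mount table in /proc/mounts format. The mount table lines it checks against are constructed sample data, not output from any real host. Keep in mind that noexec only stops direct execution of files in /tmp; a script fed to an interpreter that lives elsewhere is not affected, so it is one layer alongside the chroot and firewall, not a replacement for them.

```shell
#!/bin/sh
# Added example (not from the original post): give /tmp noexec/nosuid/nodev
# without a separate partition, and verify the result from the mount table.
# Assumes a kernel honouring per-mount flags on "remount,bind" (2.6.26+).

# Print the command instead of running it when DRY_RUN=1, so the steps can
# be reviewed on a box where you are not root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Bind the directory onto itself, then remount that bind with the flags.
# The second call is what applies noexec; the first alone changes nothing.
harden_tmp() {
    dir="${1:-/tmp}"
    run mount --bind "$dir" "$dir"
    run mount -o remount,bind,noexec,nosuid,nodev "$dir"
}

# Read a /proc/mounts-style table on stdin ("dev mountpoint fstype opts 0 0")
# and return 0 only if $1 is mounted with every flag in the comma list $2.
mount_has_flags() {
    target="$1"; wanted="$2"
    awk -v t="$target" -v w="$wanted" '
        $2 == t {
            found = 1
            n = split(w, want, ",")
            m = split($4, have, ",")
            for (i = 1; i <= n; i++) {
                ok = 0
                for (j = 1; j <= m; j++) if (have[j] == want[i]) ok = 1
                if (!ok) bad = 1
            }
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed sample mount table (not real output): /tmp is a bind of the
# root filesystem that has already been remounted with the three flags.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda1 /tmp ext3 rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0'

# Check a mount point against the sample table; on a live host replace the
# printf with "cat /proc/mounts".
check_tmp() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_flags "${1:-/tmp}" noexec,nosuid,nodev
}

if [ "${1:-}" = "apply" ]; then
    harden_tmp /tmp && check_tmp /tmp && echo "/tmp is noexec,nosuid,nodev"
fi
```

Run it with `DRY_RUN=1 sh script.sh apply` to see the two mount commands without touching the system, and without DRY_RUN as root to apply them. The bind remount is not persistent; to keep it across reboots add an fstab line such as `/tmp /tmp none bind,noexec,nosuid,nodev 0 0`, and re-run the check after boot.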
