[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: we were attacked

Michael Loftis wrote:
> --On April 7, 2006 10:57:22 PM +0100 Steve Kemp <skx@debian.org> wrote:
>>   That is an appalling approach to dealing with the problem, especially
>>  if you have an old kernel which could allow privilege escalation.
>>   There are several approaches to actually tracking down the source
>>  of the problem.  The most obvious is to use the mod_security
>>  module for Apache to log incoming payloads and ban requests containing
>>  strings such as 'wget', 'r0nin', '/tmp', etc.
>>   Another approach would be to install 'snoopy', or similar, to log
>>  *every* executed script upon a host and then walk backwards from the
>>  initial intrusion to the execution of the script.
> Another one is ti use mod_security from modsecurity.org.  This helps
> prevent stupid customers from getting your insecure system infected.
> Better still to use suphp or suexec so things don't run as www-data and
> run as their own users.

Running apache on a high port and using ProxyPass and ProxyPassReverse
accomplishes the same, correct?  I like that solution becuase then each
user can choose apache1.3 or apache2 and load/unload whatever modules
he/she likes.


Roberto C. Sanchez

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: