
Re: Security question concerning jail or virtualization



On 14/03/14 15:51, shawn wilson wrote:
> On Mar 14, 2014 12:13 AM, "Brad Alexander" <storm16@gmail.com
> <mailto:storm16@gmail.com>> wrote:
>
>>>> Due to this experience I would like to know what the best way to
>>>> limit such problems is, especially when hosting web servers for users
>>>> who may or may not have installed insecure applications on the web server.

Web server and system security is a big subject.
Regardless of the use case, a systematic approach is the best, easiest,
and only practically implementable approach. Start with the Debian
security guide; I've included a link at the bottom of this post.

<snipped>
> As for passwords,

The OP has stated that the server was cracked, not the user's application
(though that is likely to have happened). That's consistent with a web
shell attack.

It's an injection-type attack that runs OS commands[*1]. The web shell
is able to execute a command or commands either as:-
; a result of insecure application or system (php) settings allowing an
uploaded script to be executed directly (file upload)
; unsanitized data - executable php code appended to a link or to a file
upload URI

None of those methods are dependent on password access.

The attack can gain elevated permission due to insecure file permissions
or poor passwords. Password insecurity is not the means of ingress (it
is important, though; just don't rely on it).

Password security for the server (as distinct from user web
applications) *should* be part of any webserver security. Debian
provides dsniff and john the ripper, which are used in industry best
practice password auditing.
By default Debian implements md5 and shadow, which are the 'basis' of
best practice password security (auditing and other practices add to
those things).

<snipped>

As Brad has pointed out, in business we employ specialized personnel to
deal with security (or aspects of it). Please note my point about
security requiring a systemic approach. Paint by numbers and/or ad hoc
"security" is not security.



Kind regards

Useful references:-
https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
http://httpd.apache.org/docs/current/misc/security_tips.html
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://phpbestpractices.org/
http://www.developphp.com/view.php?tid=772
http://demongin.org/blog/829/
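An added example (not part of the original mail) of the upload check that closes the first ingress route described above: it refuses anything an Apache/PHP host could end up executing (script extensions, double extensions such as `shell.php.jpg`, `.htaccess`, client-supplied path components, content that does not match the declared type, or content carrying PHP tags). The allowlist and the storage directory are constructed assumptions; the key point is that accepted files are stored under a random name outside DocumentRoot.

```python
import os
import re
import secrets

# Constructed allowlist: permitted extension -> leading bytes the content must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Hypothetical storage root, deliberately outside the web server's DocumentRoot,
# so that nothing stored here can be requested (and therefore executed) by URL.
UPLOAD_ROOT = "/srv/uploads"


def check_upload(filename, data):
    """Return (ok, reason). Reject anything the web server might run as a script."""
    if "\x00" in filename or os.path.basename(filename) != filename:
        return False, "path separator or NUL byte in filename"
    parts = filename.lower().split(".")
    # Exactly one extension: 'shell.php.jpg' has two, and Apache's mod_mime can
    # hand a multi-extension file to the PHP handler; '.htaccess' has an empty
    # base name and would let an attacker change handler mappings.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        return False, "name must be <name>.<ext> with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # A valid image header followed by PHP tags is a polyglot; refuse it too.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag in content"
    return True, ""


def safe_target_path(filename):
    """Random server-side name under UPLOAD_ROOT; the client's name is never reused."""
    ext = filename.lower().rsplit(".", 1)[1]
    return os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{ext}")
```

Call `check_upload` on the name and bytes of every upload and only then store the data at `safe_target_path(name)`; serving such files back through a dedicated download handler rather than a static directory keeps them out of the handler chain entirely.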