Quote:
But believing nginx is better in the security layer, can you explain how this will better serve to protect against a flaw in the code of WordPress, and especially how the XSS could have been prevented? I fail to see how the choice of web server affects a flaw in the pages served from an unmaintained version of code.
|
First of all, I suggest you read more about WAFs and the process of preventing common attacks.
Back to Naxsi, I really prefer the way Nginx with Naxsi works - the "drop by default" rule is awesome. That means that any pattern in the POST or GET which is not recognized by the Naxsi rules will simply be dropped. 99 of the patterns used in common injection attacks are defined in the Naxsi rules (for example, | or < are not allowed in the URL). Naxsi will block a potential XSS attack even if the code has been written without any understanding of the security rules (for example, missing proper escaping of strings in the PHP code).
The same with SQL injection... Blocking by default also prevents most of the new types of attacks. In Apache you can protect the system against "known" attacks but not new ones (not all of them, of course; there could always be somebody who finds something new - there is always a risk)... this is the main difference. That's why I'm saying that Apache should never be in front if you care about security.
DoS attacks... that's another story. Almost every standalone Apache server could easily be brought down... To this day I have never seen any sensible solution that will prevent an Apache DoS attack.
Quote:
The other major problem I have is that everything it loads is done as CGI. Now I do not know about you guys, but I think CGI is pretty dangerous. At least with Apache I have no requirement to have anything work as CGI, and I can set up SELinux to not allow CGI execution. Just that step, I think, is already a step towards a safer system.
So essentially now we are fighting a war to prevent XSS and CGI exploits. With Apache I can sit back and forget about CGI.
|
CGI (like other things) is dangerous if you don't know what you are doing. If you understand it and know how to properly protect CGI applications, it will work like the rest. What is really dangerous is usually an admin who doesn't understand what newly installed applications are doing on his server, so an application security audit should always be done. The common mistake which I really love is bad protection of the upload folders. Another is SELinux turned off or wrongly configured...
Returning to the word "crap" - it's my personal opinion, I know I shouldn't use it here on the forum. I must go now... CU guys, and have fun with Apache
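As an added example that is not part of the post above and not code from the Naxsi project, the following Python script models the two WAF philosophies the post contrasts: a signature denylist that blocks only "known" attack patterns, versus a Naxsi-style scored, drop-by-default ruleset in which characters such as `|` and `<` add to a score and the request is dropped once a threshold is reached. The rule weights and thresholds are illustrative (not a copy of `naxsi_core.rules`), the sample requests against a WordPress-like site are constructed, and the whitelist format is a simplification of what Naxsi's `BasicRule wl:` exceptions do.

```python
"""Toy model of two WAF policies: signature denylist vs. scored drop-by-default.

Added example, not Naxsi code. Rule weights, thresholds and the sample traffic
below are constructed for illustration only.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Denylist WAF: a request is blocked only if it matches a known signature.
DENYLIST_SIGNATURES = [
    re.compile(r"<script\b", re.I),
    re.compile(r"javascript:", re.I),
    re.compile(r"\bunion\s+select\b", re.I),
]

# Scored WAF, modelled loosely on how Naxsi works: every suspicious token adds
# to a named score and the request is dropped once any score reaches its
# threshold.  Illustrative weights, not a copy of naxsi_core.rules.
SCORED_RULES = [  # (token, score name, weight per occurrence)
    ("<", "XSS", 8),
    (">", "XSS", 8),
    ('"', "XSS", 8),
    ("'", "SQL", 4),
    ("|", "SQL", 8),
    ("--", "SQL", 4),
]
THRESHOLDS = {"XSS": 8, "SQL": 8}


def inspected_values(target, body=""):
    """Yield (zone, name, decoded value) for the URL path, query arguments and
    a form-encoded body: the zones a request-inspecting WAF looks at."""
    parts = urlsplit(target)
    yield ("URL", "path", unquote(parts.path))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield ("ARGS", name, value)
    for name, value in parse_qsl(body, keep_blank_values=True):
        yield ("BODY", name, value)


def denylist_decision(target, body=""):
    """Block only on a known signature; anything unrecognised is allowed."""
    for zone, name, value in inspected_values(target, body):
        for sig in DENYLIST_SIGNATURES:
            if sig.search(value):
                return "BLOCK", f"{zone}:{name} matched /{sig.pattern}/"
    return "ALLOW", "no known signature matched"


def scored_decision(target, body="", whitelist=frozenset()):
    """Score every suspicious token; block once a threshold is reached.
    whitelist holds (path, zone, variable, token) tuples that are exempt,
    a simplified stand-in for Naxsi BasicRule wl: exceptions."""
    path = unquote(urlsplit(target).path)
    scores = dict.fromkeys(THRESHOLDS, 0)
    hits = []
    for zone, name, value in inspected_values(target, body):
        for token, score_name, weight in SCORED_RULES:
            if (path, zone, name, token) in whitelist:
                continue
            count = value.count(token)
            if count:
                scores[score_name] += weight * count
                hits.append(f"{zone}:{name} {token!r} x{count}")
    tripped = [s for s, limit in THRESHOLDS.items() if scores[s] >= limit]
    if tripped:
        return "BLOCK", f"{'/'.join(tripped)} threshold reached via {', '.join(hits)}"
    return "ALLOW", "below all thresholds"


# Constructed sample traffic against a WordPress-like site (not real logs).
SAMPLES = {
    "benign search": ("/?s=nginx+security+hardening", ""),
    "known XSS": ("/?s=<script>alert(1)</script>", ""),
    "novel XSS (no <script>)": ("/?s=<img+src=x+onerror=alert(1)>", ""),
    "novel SQLi (no UNION)": ("/?p=1'+OR+'1'='1", ""),
    "legit editor POST": ("/wp-admin/post.php",
                          "content=<p>Hello+world</p>&action=editpost"),
}

# The editor POST is a false positive of drop-by-default: exempt '<' and '>'
# in that one body field on that one URL, and nowhere else.
EDITOR_WHITELIST = frozenset({
    ("/wp-admin/post.php", "BODY", "content", "<"),
    ("/wp-admin/post.php", "BODY", "content", ">"),
})


def compare(whitelist=frozenset()):
    """Return {sample label: (denylist verdict, drop-by-default verdict)}."""
    return {
        label: (denylist_decision(t, b)[0], scored_decision(t, b, whitelist)[0])
        for label, (t, b) in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (deny, scored) in compare().items():
        print(f"{label:26} denylist={deny:5}  drop-by-default={scored}")
    print("with editor whitelist:", compare(EDITOR_WHITELIST)["legit editor POST"])
```

Running it shows the trade-off the thread is arguing about: the two payloads that avoid the known signatures (an `onerror` handler instead of `<script>`, a quote-based SQL injection with no `UNION`) pass the denylist but trip the scored rules, while the legitimate editor POST containing HTML trips them too until a narrowly scoped whitelist is added. That is the operational cost of drop-by-default on a site such as WordPress: a learning phase and per-URL exceptions are needed, and an over-broad exception reopens the hole. Either way, the WAF limits what reaches a vulnerable handler; it does not fix the handler itself.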