Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I got hacked with a wordpress XSS a couple of days ago and didn't know it. My ISP notified me and my host was briefly, a node in a botnet. The thread is a "lessons learned" thread so maybe other can learn from my dumb mistakes.
I'm a sysadmin by trade and have been running a couple of different servers on the same host at home for maybe 10 years at this point without a second thought. I should know better but did not take the time to do it right.
If my shortcuts below don't make sense, then let me know I'll define them better.
1. Harden PHP.ini.
I'm a Debian user from way back and assumed the php.ini was tight. It's not particularly tight. Google "php.ini hardening" and the results are mostly the same information.
2.Set documentRoot to a readonly partion.
I did it by making a disk image and mounting it via loop.
Code:
dd if=/dev/zero of=disk.img bs=1k count=2048
nano /etc/modprobe.d/loop.conf option loop max_part=2
modprobe -r loop
modprobe loop -v
losetup /dev/loop0 /path/to/disk.img
fdisk /dev/loop0 (you should know the rest)
mount example: mount /dev/loop0p1 /mnt/disk.img -t ext4 -Onodev,nosuid,noexec,ro
There's more to do here as you need to script the disk image getting mounted on reboot.
Ok, the readonly partition is ready.
3. Repoint/reconfigure Apache to use the read only partition.
4. Check Files and Apache config
Files in documentRoot are never owned by the apache user.
Limit .htaccess. Hopefully forbid it in the Apache config.
If you need a writable directory, that needs to be separate and some apache configs are needed to tighten up the writing.
Code:
(Options None, SetHandler none),
no .htaccesss allowed (AllowOverride None)
PHP.ini write configs needs similar consideration
Giving Apache write access has to be thought about carefully and definitely separated from the document root.
MONITORING
You need to install something to check that files don't get written to your http service directory. Debian has a package called tiger that's tripwire and some other apps glued together. Tripwire is very nice and worth the time to learn. You need warnings emailed to you!
Clamscan!
NO EXCUSES
I needed to track wordpress releases and deploy them in a timely manner.
Last edited by throwaway_questions; 09-06-2015 at 09:56 AM.
I got hacked with a wordpress XSS a couple of days ago and didn't know it. My ISP notified me and my host was briefly, a node in a botnet. The thread is a "lessons learned" thread so maybe other can learn from my dumb mistakes. I'm a sysadmin by trade and have been running a couple of different servers on the same host at home for maybe 10 years at this point without a second thought. I should know better but did not take the time to do it right.
Thanks for posting frankly about the mistakes you made. Especially the "did not take the time to do it right" (plus the common "I don't have the knowledge to" / "I did not know I had to") is something a lot of servers suffer from in terms of hardening, being maintained, audited and kept up to date.
Quote:
Originally Posted by throwaway_questions
1. Harden PHP.ini.
I'm sorry but that's not the first thing to address. For years Linux distributions have offered extensive user, admin and security documentation for any new and seasoned Linux user alike to become familiar with. Next to that SANS ISC, OWASP, Cisecurity and others have offered HOWTOs, benchmarks and advice to not only change peoples mindset about security but be practically able to audit security. Because security is a continuous process of auditing and adjusting. On top of that applications offer security guidelines themselves and WordPress is no different. Its Codex offers quite usable advice on hardening WordPress any WP user should read (regularly) and act on. Like the Codex points out you should start with server hardening as that's the foundation to enable applications on. If the platform itself doesn't do user and network ACLs, file system and traffic rate limiting / monitoring / scrubbing, auditing and reporting then that is something to correct first. (It probably should not hurt to ask specific questions in the LQ Linux Security forum should you need more guidance.)
Funny, correct, but unfortunately still only one aspect of what needs addressing IMNSHO.
UnSpawn, if only it were so easy. Again, no excuses, but I assumed Debian was delivering a tight php.ini and I was wrong. It's not the Debian maintainer's fault either. As someone that admins selinux machines, that too can be poorly configured.
If you are relatively new to Apache configs, then that becomes it's own learning curve where most people stop at "I got it working."
I agree with you in practice and principal, but, the reality is so much less than that.
Last edited by throwaway_questions; 09-06-2015 at 09:53 AM.
The "I got hacked" lesson that I learned was: "don't use Plesk." Don't use the "convenient" mechanisms provided by a VPS provider. Start with a bare-Linux, change its root-password within seconds, and then build it by hand.
I, too, got careless once, and the system was hacked by penetrating the Plesk management-software, which I had been lazy enough to use. Once.
...Don't use the "convenient" mechanisms provided by a VPS provider. Start with a bare-Linux, change its root-password within seconds, and then build it by hand.
Absolutely! Build it by hand, manage it by secure shell, write your own firewall rules - expose NOTHING that you do not know how to install, configure, monitor and control - or don't run on a VPS!
My friend's wordpress site got hacked by ISIS or some other terrorists last year. I had a public facing server for a while and I admittedly don't know enough about security. My main security was running fail2ban on Debian. I didn't get hacked in the few months the server was on line (that I know of) but the logs certainly showed constant attempts to log into SSH like 10 times every second. I'm just starting to get very interested in learning about network security and every day I learn about some little thing that I should be doing on my home network that I didn't know about and I'm sure 99 of the people with internet and a router don't know. It's a crazy world on the web
Couple of different things occurred to me after reading this. First was the realization that the plumber's house always has broken plumbing or the electrician's house always needs a rewiring. In this case the sysadmin's server always needs more attention. The plumber got done with a whole day of plumbing so why would they want to do more at home.
The other one that I thought of was that realization when you're watching a movie and the entire premise of the movie relies on one thing happening. Putting gas in the car or locking the screen door or making a copy of a document. That one little thing gets done and the movie's over.
Anyway what I am saying is that if you were hosting your stuff at a good ISP you wouldn't have to worry about any of that. I know, I know hosting your own is ideal for a lot of reasons. But the good ISPs live and breath protecting their network and you.
I would never install Apache(crap) with an application like Wordpress. If You would like to properly protect You environment, think about Nginx and Naxsi module.
Quote:
Originally Posted by throwaway_questions
I got hacked with a wordpress XSS a couple of days ago and didn't know it. My ISP notified me and my host was briefly, a node in a botnet. The thread is a "lessons learned" thread so maybe other can learn from my dumb mistakes.
I'm a sysadmin by trade and have been running a couple of different servers on the same host at home for maybe 10 years at this point without a second thought. I should know better but did not take the time to do it right.
If my shortcuts below don't make sense, then let me know I'll define them better.
1. Harden PHP.ini.
I'm a Debian user from way back and assumed the php.ini was tight. It's not particularly tight. Google "php.ini hardening" and the results are mostly the same information.
2.Set documentRoot to a readonly partion.
I did it by making a disk image and mounting it via loop.
Code:
dd if=/dev/zero of=disk.img bs=1k count=2048
nano /etc/modprobe.d/loop.conf option loop max_part=2
modprobe -r loop
modprobe loop -v
losetup /dev/loop0 /path/to/disk.img
fdisk /dev/loop0 (you should know the rest)
mount example: mount /dev/loop0p1 /mnt/disk.img -t ext4 -Onodev,nosuid,noexec,ro
There's more to do here as you need to script the disk image getting mounted on reboot.
Ok, the readonly partition is ready.
3. Repoint/reconfigure Apache to use the read only partition.
4. Check Files and Apache config
Files in documentRoot are never owned by the apache user.
Limit .htaccess. Hopefully forbid it in the Apache config.
If you need a writable directory, that needs to be separate and some apache configs are needed to tighten up the writing.
Code:
(Options None, SetHandler none),
no .htaccesss allowed (AllowOverride None)
PHP.ini write configs needs similar consideration
Giving Apache write access has to be thought about carefully and definitely separated from the document root.
MONITORING
You need to install something to check that files don't get written to your http service directory. Debian has a package called tiger that's tripwire and some other apps glued together. Tripwire is very nice and worth the time to learn. You need warnings emailed to you!
Clamscan!
NO EXCUSES
I needed to track wordpress releases and deploy them in a timely manner.
Words like "crap" only convey an opinion, not technically sound reasons why. So instead please describe why and in detail. *And while I wasn't aware of the WAF called "Naxsi" (thanks for that) I doubt you'll be "properly protecting an environment" without requiring modification of web server config, headers, loaded modules, etc, etc...
Well with a name like naxsi, does it keep out all intruders or just certain minorities. I am confident apache is not as crap as you state otherwise nginx would have taken the lead ages ago and would have been the default choice. Wonder why big comercial distros and smaller ones still rely on crap...
Words like "crap" only convey an opinion, not technically sound reasons why. So instead please describe why and in detail. *And while I wasn't aware of the WAF called "Naxsi" (thanks for that) I doubt you'll be "properly protecting an environment" without requiring modification of web server config, headers, loaded modules, etc, etc...
You have right, maybe I was too ... saying "crap". Anyhow this is my opinion about Apache and its architecture which compare to nginx is old and not efficient. A specially in the security layer. At the moment I dont see any reason to put Apache in front of the internet (Even with mod_security). Apache should stay behind something more secure and more flexible to manage incoming traffic. The best solution is in my opinion F5 or Nginx/Naxsi or some kind of caching server (varnish). Another thing is software... Wordpress with 1000 modules written with focus on the functionality and not security.
Ofcourse You need to modify Your system. I didnt say that You shouldnt do it. If You would like to build something secure I suggest to compile complete environment and customize it. First thing which I`m usually doing, I`m preparing Nginx. After compilation, server header, response, and complete HTTP communication looks like an Apache or some other server. Exploiting starting to be much harder if You dont know what You exactly attacking. Naxsi... basic naxsi rules block in my opinion 90% of the attacks. Its quite efficient system much more practical than mod_security where You really needs to know, what needs to be blocked.
Its quite long topic... To wordpress I suggest to use what wordpress.org using - nginx.
Well with a name like naxsi, does it keep out all intruders or just certain minorities. I am confident apache is not as crap as you state otherwise nginx would have taken the lead ages ago and would have been the default choice. Wonder why big comercial distros and smaller ones still rely on crap...
Nginx has one big problem... doesnt support Java applications. That`s why is not so high.
But look on the PHP environment... here You cannot compare Apache with nginx .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.