Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have concluded over the past year that the battle is already lost on this front and have been actively changing and adapting my own practices from that point of view.
I understand your attitude -- and it was the relentless spamming of our forum that led to us closing that feature -- but I just can't believe things are that bleak. Perhaps I'm just naive and doomed to have my optimism slowly ground out of me. That linuxquestions.org and various other forums still thrive suggests that it is in fact possible to win the battle -- at least win it enough to run a useful website.
I'm familiar with mod_security and seem to recall that it tends to result in puzzling request failures where it's hard to determine the reason for the failure unless you are aware that modsec is in your machine, rejecting any suspicious requests.
Your thoughts about changing the nature of your business are helpful. On my site, for instance, it's entirely safe to fail any request with the string 'concat' or %20union' or 'information_schema'. Indeed, I can even ban any IP that so much as bothers to attempt a request including such strings. Surely there are some general tactics like this in use?
...but I just can't believe things are that bleak.
Neither did I... until I finally did!
Quote:
Originally Posted by sneakyimp
Perhaps I'm just naive and doomed to have my optimism slowly ground out of me.
Any optimisim I had was ground to fine dust over the pas 12-18 months. But I do not believe my own experience was exceptional. It is just in the course of things I came into full frontal contact with the situation which irreversibly changed my outlook. I hope that you can keep some comfortable distance from it, but for most of us I think that distance is accidental at best and subject to rapid, terrifying change.
Quote:
Originally Posted by sneakyimp
That linuxquestions.org and various other forums still thrive suggests that it is in fact possible to win the battle -- at least win it enough to run a useful website.
I have no knowledge of how LQ manages things - they do a remarkable job of it! But in the end, I am sure they have already had great changes forced on them in the last few years, and that will continue.
If Jeremy is reading this thread I would like to solicit some general comments from Him on what it takes to keep the site going as it is, and trending of the slope of the cost and effort curve for the past few years.
Quote:
Originally Posted by sneakyimp
I'm familiar with mod_security and seem to recall that it tends to result in puzzling request failures where it's hard to determine the reason for the failure unless you are aware that modsec is in your machine, rejecting any suspicious requests.
It is a poweful tool, but it takes dedicated effort to understand how to use it effectively. It is definitely not an "install and forget, just works" kind of thing! It puts your hands on the throttle and flight controls, but you have to understand how to fly it! The only way to get out of the puzzling mode is to eat the book, write your own rules and watch the feedback channels closely.
And remember, it is only applicable to one part of a much larger picture.
Quote:
Originally Posted by sneakyimp
Your thoughts about changing the nature of your business are helpful. On my site, for instance, it's entirely safe to fail any request with the string 'concat' or %20union' or 'information_schema'. Indeed, I can even ban any IP that so much as bothers to attempt a request including such strings. Surely there are some general tactics like this in use?
Of course I know nothing of your own site, but SQL injections come in a bewildering variety, some of which do not look at all like SQL! If you look closer, I suspect that you will find these are only a subset of what is there.
In any event, good luck - I hope that your optimism prevails!
After reading into it a little bit it occurred to me that sql injection is similar to zero day exploit.
If you knew about the injection possibility, you would of probably fixed it. In the same way, it doesn't make a whole lot of sense of how to defend against sql injection attacks past "make sure code is securely written originally".
I did notice this if you use mariadb that has a firewall plugin you can use to define rules. It may be useful to minimize injection attacks, even if impossible to stop them entirely. Other mysql servers may have similar firewalls
Actually, in many cases "SQL injection vulnerability" is a fault of (early) PHP, which did not provide the ability to execute SQL queries that contained placeholders.
So I've been periodically scouring my access log for the past month or so. I feel like I might be winning. Server load is normal and obvious SQL injection hacks are getting shut down fairly effectively.
As a matter of curiosity, I'd like to know more about a really lengthy request in the access log recently. What is being attempted here? From my access log:
The attack appends an extremely large hex values that will decode to a "null" value
in the hopes of matching the correct number of columns in the table.
block the whole 255.255.0.0 subnet from those IP Addresses if you don't expect any visitors from those areas.
I know they might spoof the IP Address. On my case someone or some organization also tried to hack the FTP. We block the whole /16 subnet from known IPs that tried to hack.
Last edited by JJJCR; 12-08-2015 at 08:23 PM.
Reason: edit
Im a newb but found this interesting and wondering why use md5 instead of pbkdf2 with iterations? I think this makes it so that it keeps generating new hashes but at the cost of more computational power? Also does the overall security problem with everything lie in the UNIX system design? Like could one make a new os thats not based on unix and make it impossible to hack? Also if it helps PfSense has PFblocker which has country block.
Last edited by learnin2cocatinate; 12-10-2015 at 02:25 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.