Re: Server/Form/Language Exploits

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Server/Form/Language Exploits
1) Web file integrity:

Run a job that informs you of web systems level file changes every day.

It's a simple one liner, find -R /var/www/htdocs/* -mtime 1day

Or run a diff between another backed up tree and current file system that
alerts you via email if one of the files has been changed.

With an if/then statement that matches only changed content and alerts you
when/if something changes via either a diff to a backed up tree in
/root/htdocs or /usr/local/src/htdocs

2) IDS/Snort
Run snort on your system to ensure known packet signatures are dropped.
This is generally needed for PHP/Mysql.

3) Create an initial dd iso of your build and restore it to three drives
during build. Every six months restore original dd iso drive. Requires 5
minutes downtime to replace the drive. Restore the drive you removed to dd
iso of original build so you always have at least two servers ready for DR
and one spare drive to swap in.

4) Run standard layered firewall that includes bottom up network protection.

5) Expect they will get it, so run different passwords on every system, be
ready to restore databases and web content quickly. It's easy really.

6) As soon as you see any evidence of exploit, take it offline immediately
and rebuild.

7) Take a list of every single version and platform you are using and
compare patch levels and versions against the CERT and OWASP exploit
databases. If there are no exploits for it, you are safer, some exploits
can be mitigated, but at the very least expect to patch your server
regularly. Don't just build it and forget it.
--
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com <http://it-clowns.com/wiki/index.php?title=Obnosis>

“These capitalists generally act harmoniously and in concert, to fleece the
people” --Abraham Lincoln

On Tue, Sep 7, 2010 at 2:32 PM, James Mcphee <> wrote:

> Harden your server intelligently and keep it up to date with patches.
>
> Also, keep yourself informed. I'm sure people can suggest various
> resources that have all the latest exploit info, etc.
>
> On Tue, Sep 7, 2010 at 2:07 PM, keith smith <> wrote:
>
>>
>> I was just talking with the guy who manages our servers and he was telling
>> me about some exploits and some of the things he sees.
>>
>> He was telling me about one gang that might exploit a server and other
>> gang finds it and takes it over, fixes the exploit and them creates a back
>> door.
>>
>> How does one keep up on exploits and current security issues?
>>
>> Thanks!
>>
>> ------------------------
>> Keith Smith
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>
>
>
> --
> James McPhee
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



1) Web file integrity:

Run a job that informs you of web systems level file changes every day.

It's a simple one liner, find -R /var/www/htdocs/* -mtime 1day

Or run a diff between another backed up tree and current file system that
alerts you via email if one of the files has been changed.

With an if/then statement that matches only changed content and alerts you
when/if something changes via either a diff to a backed up tree in
/root/htdocs or /usr/local/src/htdocs

2) IDS/Snort
Run snort on your system to ensure known packet signatures are dropped.
This is generally needed for PHP/Mysql.

3) Create an initial dd iso of your build and restore it to three drives
during build. Every six months restore original dd iso drive. Requires 5
minutes down
--
Office: (602)239-3392
AT&T: (503)754-4452
http://it-clowns.com <http://it-clowns.com/wiki/index.php?title=Obnosis>

“These capitalists generally act harmoniously and in concert, to fleece the
people” --Abraham Lincoln
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss