[wp-hackers] [OT] Resources for Defending Against Blog Attacks

Alex Günsche ag.ml2007 at zirona.com
Wed Aug 8 19:21:49 GMT 2007

On Wed, 2007-08-08 at 09:20 -0700, Chris Williams wrote:
> I'm in the process of setting up a new machine on a better host and I need
> advice from the experts here.  I am surely going to run all the requisite
> performance tuning goodies, but I'm looking for more security related help.
> Are there good resources, check-lists, etc. that you know of that will help
> me insure that this new server will not suffer the same fate?  Even better
> would be some form of audit program that would point out my machine's holes
> and weaknesses.  I'd even be willing to hire a bright star on a contingent
> basis to help in this effort.

Some good advices came from Jacob already, I think I'll also add my 2

* Set up the firewall properly. "Drop" policy for all not required
ports. Take measures against flooding. Set up and maintain blacklists
(although this might render useless with certain sorts of DDOS).
Good tutorials on advanced firewall configuration:
 - http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
 - http://forums.gentoo.org/viewtopic-t-159710.html
If you don't want to maintain your IPtables rulesets manually, I can
recommend Firehol (also a CLI tool, but very easy and quick to use).

* Fail2ban (http://www.fail2ban.org) is a good tool against DDOS
attacks. It will automatically ban users for a certain time who violate
your policy, and add them to a temporary blacklist.

* Use a dedicated mail server or service (simply set the DNS MX record
for the other machine and let that one handle mail). This way, massive
spam surges won't affect your main server.

* Don't install software you don't need. I've seen people running X on a
webserver, but even too many Apache modules can be a risk.

* Talking about Apache: Consider using mod_security and mod_bwshare.
These are basicly firewalls too, but on a higher network layer.

* Again Apache: Chose the right MPM for your purpose. (Also depends on
the question if you need multithreading.)

* As for PHP: Also use only modules you need, and use open_basedir
restrictions. Safe Mode is rubbish, but open_basedir can really protect
your system if there's a leak in a PHP application. (When setting up
open_basedir restrictions, set them per vHost, and put the tmp path into
the same folder. No global /tmp for webapps.)

* As for MySQL: Of course, no network access for MySQL. But you can also
try to set up MySQL recourses in a fashion that a DOS attack doesn't
render your system unusuable because of MySQL bottlenecks. If you can,
increase the query and table caches.

* Possibly decrease logging: Heavy logging can decrease your harddisk's
performance. Sometimes it can be better to log less. Btw, MySQL by
default creates binlogs. They can be useful, but mostly they do nothing
but eating harddisk space and performance, so switch them off in my.cnf.

* If you're really paranoid, compile your kernel with only support for
stuff you need, and deactivate loadable modules in the kernel
configuration. Recent attack vectors don't use userspace rootkits, but
kernel rootkids loaded as modules.

* And a non-tech note, if you know these guys: Sue them.



Alex Günsche, Zirona OpenSource-Consulting
Blogs: http://www.zirona.com/ | http://www.regularimpressions.net
PubKey for this address: http://www.zirona.com/misc/ag.ml2007.asc

More information about the wp-hackers mailing list