Security Forums

Persistent SQL injection attempts

markosaurus
Just Arrived
Joined: 29 Jul 2010
Posts: 1

Posted: Thu Jul 29, 2010 6:22 pm    Post subject: Persistent SQL injection attempts

Hi there,

This is my first time in here, so hi to everyone, and sorry for my first post being to ask for help (embarrassed).

I am a professional PHP developer and as such I can get by coding. What I'm not the best at is server admin.

I have a dedicated server which I use for clients. It got hacked a few months back via some little **** using an SQL injection attack on a site we had taken over from another company; stupidly, we had not gone through and checked the code.

This meant we had to implement our hacking contingency plan, which includes nuking the server completely and rebuilding everything on it. (We had obviously backed everything up first so we could check logs/re-install sites afterwards)

We then re-installed our sites, and pored over the logs until we found the point-of-entry, which turned out to be an escalation of privileges attack. This was sorted out immediately and everything was scanned for other vulnerabilities. We also hardened up security by putting in place a script which searches for injection attempts and emails the admin when an injection attempt is detected.

This was months ago, we still get some 50-1000 of these emails a day, which is obviously a ridiculous situation to be in. Looking at the queries which are being run (they get emailed also), they're all very similar attacks (which fail BTW). My main concern now is that it can only be a matter of time before they discover another way in and we start all over again.

Is there a logical procedure to follow to stop what is obviously an automated and systematic attack on our server, or to track down the culprit? (We think we may have already done so, but would like confirmation of this through other means.)

Any help would be massively appreciated.

TIA
krugger
New Member
Joined: 08 Jun 2006
Posts: 27

Posted: Fri Sep 03, 2010 6:02 pm

The first thing you might want to look at is mod_security, which removes most of the garbage being thrown at your server. But it needs some custom tweaking for each of your sites.

If it is possible, banning the whole network of repeat offenders helps to keep the mod_security log small. :)
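What the "custom tweaking" looks like in practice, as an added example for this thread (not krugger's configuration and not anything from the original poster's server). It is ModSecurity 2.x syntax for Apache; the rule IDs 100000-100002, the SecDataDir path and the ARGS:comment field name are assumptions for illustration. It also does the per-client counting that makes "ban repeat offenders" automatic instead of manual:

```apache
# Added example: minimal ModSecurity 2.x fragment for an SQLi-heavy site.
# Rule IDs and the SecDataDir path are assumptions; pick your own.
SecRuleEngine On
SecRequestBodyAccess On
SecDataDir /var/cache/modsecurity

# Persistent per-client collection (SecDataDir must be writable by Apache).
SecAction "id:100000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# A client that has tripped the SQLi rule 5 or more times in the last hour
# is refused in phase 1, before the request body is even read.
SecRule IP:SQLI_COUNT "@ge 5" \
    "id:100001,phase:1,deny,status:403,log,msg:'Repeat SQL injection source'"

# libinjection-based check on query string, POST body and cookies.
# @detectSQLi needs ModSecurity 2.7.3 or later. Each hit bumps the counter,
# which expires an hour after the last increment.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:100002,phase:2,deny,status:403,log,msg:'SQL injection attempt',setvar:ip.sqli_count=+1,expirevar:ip.sqli_count=3600"

# The per-site tweaking: a free-text field that legitimately contains quotes
# and SQL-looking words is removed from the rule's targets rather than left
# to generate false positives. Assumed field name.
SecRuleUpdateTargetById 100002 "!ARGS:comment"
```

Start with SecRuleEngine DetectionOnly on a site you have not tuned yet, read the audit log for a few days, add the target exclusions the site needs, then switch to On. The counter lives in the ip collection, so the hourly ban costs nothing to maintain and disappears on its own.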
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 598
Location: London

Posted: Tue Sep 07, 2010 9:09 am

markosaurus,

I agree with Krugger, Mod Security is a great Web Application Firewall if you have the resources to put it together. I think, however, that emailing the sysadmin every time someone tries a SQL injection is a little overboard. I certainly wouldn't want an email every time someone port scanned me. You will never stop people performing SQL injection; the only thing you can do is put controls in place to protect against it (like Mod Security, code reviews, IPS) and controls to detect it (like good log management and analysis, IDS).

Fire Ant
_________________
"Imagination is more important than knowledge." - Albert Einstein
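Fire Ant's point (one alert per attempt is noise) and krugger's (ban whole networks of repeat offenders) both come down to aggregating rather than alerting per hit. The following is an added example for this thread, not markosaurus's script: it reads Apache/nginx access-log lines, flags requests whose decoded query string looks like SQL injection, and counts them per client and per network so one digest can go out per run. The log lines are constructed (documentation addresses), the patterns are illustrative rather than a WAF, and the threshold and /24 grouping are assumptions.

```python
"""Turn SQL-injection-looking hits in an access log into one digest per run
instead of one e-mail per attempt.

Added example for this forum thread; not the poster's script. The log lines
below are constructed, and the SQLi patterns are illustrative, not a WAF."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Checked against the URL-decoded query string. Deliberately narrow: a digest
# that misses a few probes beats one that pages the admin on the word "don't".
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),                    # UNION ... SELECT
    re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),  # ' OR 1=1, ' or 'a'='a
    re.compile(r";\s*(?:drop|delete|insert|update|exec)\b", re.I),      # stacked statement
    re.compile(r"\b(?:sleep|benchmark|load_file)\s*\(|\binformation_schema\b", re.I),
]


def looks_like_sqli(target):
    """True if the request target's query string matches an SQLi pattern."""
    if "?" not in target:
        return False
    query = unquote_plus(target.split("?", 1)[1])
    return any(p.search(query) for p in SQLI_PATTERNS)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_network(ip, v4_prefix=24, v6_prefix=64):
    """Network the client sits in, for banning a block of repeat offenders."""
    prefix = v6_prefix if ip_address(ip).version == 6 else v4_prefix
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def summarise(lines, threshold=3):
    """Count SQLi-looking hits per client and per network.

    Returns (per_ip, per_net, offenders, samples): offenders are clients at or
    above `threshold`; samples keeps up to three raw targets per client so the
    digest shows what was tried without echoing hundreds of payloads."""
    per_ip, per_net = Counter(), Counter()
    samples = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not looks_like_sqli(rec["target"]):
            continue
        per_ip[rec["ip"]] += 1
        per_net[source_network(rec["ip"])] += 1
        if len(samples[rec["ip"]]) < 3:
            samples[rec["ip"]].append(rec["target"])
    offenders = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return per_ip, per_net, offenders, samples


def render_digest(per_ip, per_net, offenders, samples):
    """One text block suitable for a single daily e-mail or a ticket."""
    out = [f"SQLi-looking requests: {sum(per_ip.values())} from {len(per_ip)} clients"]
    for net, n in per_net.most_common():
        out.append(f"  network {net}: {n}")
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        out.append(f"  repeat offender {ip}: {n} hits, e.g. {samples[ip][0]}")
    return "\n".join(out)


# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jul/2010:18:22:01 +0200] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Jul/2010:18:22:02 +0200] "GET /products.php?id=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Jul/2010:18:22:03 +0200] "GET /news.php?id=-1%20union%20all%20select%20user()%2Cversion() HTTP/1.1" 500 0 "-" "Mozilla/4.0"
203.0.113.77 - - [29/Jul/2010:18:25:10 +0200] "GET /news.php?id=1%20and%20sleep(5) HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Jul/2010:18:30:00 +0200] "GET /products.php?id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Jul/2010:18:30:05 +0200] "POST /search.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(render_digest(*summarise(SAMPLE_LOG.splitlines())))
```

Run it from cron once a day over the rotated log and mail the digest; the per-network counts are what you would feed into a firewall block list. Note that it only sees GET query strings, because a combined log does not record POST bodies; for those you need the WAF's own audit log.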
krugger
New Member
Joined: 08 Jun 2006
Posts: 27

Posted: Thu Sep 09, 2010 5:28 pm

Another thing you might be interested in as a PHP developer and host is nginx + PHP-FPM.

When you start hosting applications that are poorly written, or you don't have time to model the mod_security rules, or the developers are constantly changing the parameters, you need something different. With PHP-FPM you will be able to have each virtual host running as a different user with its own php.ini and chroot.

So you assume the poorly written PHP sites will be compromised, but at least it will not compromise the remaining ones. At least in theory; you have to actually deploy the solution to get a better understanding of the benefits and problems.
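One PHP-FPM pool set up the way krugger describes, as an added example for this thread (not his deployment). The pool name, user, socket path, chroot directory and the open_basedir / disable_functions choices are assumptions; the directives themselves are standard PHP-FPM pool settings:

```ini
; Added example: one PHP-FPM pool per virtual host, own user, own chroot,
; own php.ini overrides. Names and paths are assumptions.
[clientsite]
; Dedicated unprivileged user: a shell dropped through this site runs as it
; and cannot read or write the files of another pool's user.
user  = www-clientsite
group = www-clientsite

; Socket nginx connects to, owned by the nginx user. The master process
; creates it before the workers chroot, so this is a real-filesystem path.
listen = /run/php-fpm/clientsite.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Workers chroot here. The site lives in /srv/clientsite/htdocs on the real
; filesystem and is seen as /htdocs from inside the pool, so every PHP path
; below is chroot-relative.
chroot = /srv/clientsite

; Per-pool php.ini overrides. php_admin_* values cannot be undone by the
; application with ini_set(), which is the point.
php_admin_value[open_basedir]      = /htdocs:/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_value[upload_tmp_dir]    = /tmp
php_admin_value[session.save_path] = /tmp
php_admin_value[error_log]         = /tmp/php_errors.log
php_admin_flag[allow_url_fopen]    = off
php_admin_flag[allow_url_include]  = off
php_admin_flag[display_errors]     = off
php_admin_flag[log_errors]         = on
```

On the nginx side, fastcgi_param SCRIPT_FILENAME has to be the chroot-relative path (/htdocs$fastcgi_script_name here), not the real one. The chroot also needs its own /tmp, and the application must reach MySQL over TCP (127.0.0.1) unless the server's Unix socket is bind-mounted inside. Separate users only isolate the filesystem: if every site logs in to the database with the same account, one injected site still reads the others' tables, so give each site its own database user with the minimum grants as well.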
All times are GMT + 2 Hours