[AusNOG] Protecting Web Hosting environments - was Re: DDOS mitigation

Seamus Ryan s.ryan at uber.com.au
Tue May 14 10:36:59 EST 2013


>> I know F5 have a module for it on their BigIP kit (ASM), but you generally need to be load balancing the IP on the F5 itself, and also train it about the specific site to know what's valid and invalid data. 
>> This is all well and good if it's your site, but not if it's thousands of customers' sites which change all the time.

You don't have to be load balancing a site to protect it: a VS with no pool/node members will proxy (and inspect) traffic for just about anything. We are already doing this with a large portion of our shared hosting fleet. Simply turning on HTTP profiling with a few simple iRules can filter out a substantial amount of bad traffic. Like any security module, you do need to give it time to learn what type of traffic to expect. Applying it to a "clean" server and tweaking it over time allows you to build a profile of the zyx hosting environment.

And if you are filtering in, why not filter outbound as well?


- Seamus
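As an added illustration of the kind of "bad traffic" profile Seamus describes (and of what PRK is asking an L7 device to do), here is a small log-driven scorer. It is example code written for this thread, not F5/iRules code and not from any poster. It reads ordinary combined-format access lines and flags a client on two defender-side heuristics: a burst of POSTs to a CMS login endpoint, and a burst of distinct 404s that looks like a sweep for CMS paths that do not exist on the host. The thresholds, the window, the list of login paths and every log line are constructed assumptions for illustration.

```python
"""Flag scan-like and brute-force-like clients from web-server access logs.

Added example for the AusNOG thread (not from any poster, not F5 code).
Heuristics, thresholds, login paths and sample lines are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format.  Host is not part of this format, so one
# client hammering many vhosts on a shared box is scored across all of them,
# which is what a hosting operator wants.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed CMS login endpoints (WordPress, Joomla, Drupal).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php", "/user/login")

# Constructed sample log: one password-guessing burst, one path sweep, one
# slow poster that stays under the window, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2013:12:00:02 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2013:12:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2013:12:00:04 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2013:12:00:05 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2013:12:00:06 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [13/May/2013:12:00:10 +1000] "GET /administrator/ HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [13/May/2013:12:00:11 +1000] "GET /joomla/administrator/ HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [13/May/2013:12:00:12 +1000] "GET /wp/wp-login.php HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [13/May/2013:12:00:13 +1000] "GET /blog/wp-login.php HTTP/1.1" 404 290 "-" "-"
198.51.100.9 - - [13/May/2013:12:00:14 +1000] "GET /drupal/user/login HTTP/1.1" 404 290 "-" "-"
203.0.113.8 - - [13/May/2013:12:00:00 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.8 - - [13/May/2013:12:03:00 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.8 - - [13/May/2013:12:06:00 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.8 - - [13/May/2013:12:09:00 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.8 - - [13/May/2013:12:12:00 +1000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.20 - - [13/May/2013:12:00:20 +1000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.20 - - [13/May/2013:12:00:25 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.20 - - [13/May/2013:12:00:40 +1000] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
this line is not a log line
"""


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def _burst(events, window, threshold):
    """True if some span no longer than `window` holds >= threshold events
    with distinct values.  `events` is a list of (timestamp, value)."""
    events = sorted(events, key=lambda e: e[0])
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, value in events[i:]:
            if ts - start > window:
                break
            seen.add(value)
            if len(seen) >= threshold:
                return True
    return False


def analyze(lines, window_seconds=60, login_threshold=5, probe_threshold=5):
    """Return {ip: sorted reasons} for clients that trip a heuristic."""
    window = timedelta(seconds=window_seconds)
    login_posts = defaultdict(list)   # ip -> [(ts, unique id)]  counts requests
    not_found = defaultdict(list)     # ip -> [(ts, path)]       counts distinct paths
    for n, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than stall the filter
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith(LOGIN_PATHS):
            login_posts[ip].append((ts, n))
        if status == 404:
            not_found[ip].append((ts, path))

    verdicts = defaultdict(list)
    for ip, ev in login_posts.items():
        if _burst(ev, window, login_threshold):
            verdicts[ip].append("login_bruteforce")
    for ip, ev in not_found.items():
        if _burst(ev, window, probe_threshold):
            verdicts[ip].append("cms_probe")
    return {ip: sorted(r) for ip, r in verdicts.items()}


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(reasons))
```

The window matters as much as the count: the slow poster at 203.0.113.8 makes the same five login POSTs as the flagged client but spread over twelve minutes, so it is only flagged if the operator widens the window. That trade-off (catch low-and-slow sources versus false positives on a customer who mistyped a password a few times) is exactly the tuning period Seamus refers to.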

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of PRK
Sent: Monday, May 13, 2013 12:23 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] Protecting Web Hosting environments - was Re: DDOS mitigation

Rather than scanning for known vulnerabilities, does anyone know if there's anything out there in the network security space which can detect the various exploit / scan attempts to an old WordPress / Joomla / Drupal /etc site, and block them?

It would need to be carrier / hosting provider targeted, for hundreds of IPs with thousands of sites, not an enterprise FW for a single site.

I know F5 have a module for it on their BigIP kit (ASM), but you generally need to be load balancing the IP on the F5 itself, and also train it about the specific site to know what's valid and invalid data. 
This is all well and good if it's your site, but not if it's thousands of customers' sites which change all the time.

I'd love to be able to put an L7 firewall in front of a hosting environment and have it automatically update its list of exploit definitions, then just be able to drop the various attempts to scan for or exploit older CMSs.

Less impact to our customers, less impact to our network, less impact to our ops staff, less impact to other networks (our customers' sites stop being used in DDoS attacks), etc.

Or am I dreaming?

prk.

PS: If you're a vendor who sells something you think meets these criteria or I'd want, feel free to contact me off list to discuss, if you want to avoid an on-list sales pitch.


On 2013-05-12 23:23, Tim March wrote:
> I do a lot of work with hosting companies that operate the sort of 
> shared environments you're discussing here. They're invariably 
> littered with old Joomla and WordPress installs that are regularly 
> compromised. The biggest concern you have here is limiting how exposed 
> both the server itself and the other sites it hosts are to these 
> attacks.
> 
> Firstly, with regards to Joomla and WP there are two pretty reasonable 
> scanners under active development that can pick up known-bad plugins 
> and detect a number of known-bad configurations...
> 
> http://sourceforge.net/projects/joomscan/
> 
> http://wpscan.org/
> 
> ... If you're operating these CMS' they're a really good first place 
> to start to get some baseline security info. I use them both regularly 
> on pentest and VA jobs.
> 
> Secondly, if you're running cPanel (yeah, yeah, everyone screams about 
> it being a POS but it's the de facto standard and actually works really
> well...) there are a couple of really useful software packages that 
> provide GUI-fied security configuration of the host...
> 
> 
> http://configserver.com/cp/csf.html
> 
> http://configserver.com/cp/cxs.html
> 
> The first provides easy access to a bunch of host based security 
> configuration like resource limits, more advanced brute-force 
> protection, firewall config, active email alerts etc.
> 
> It has a 'quick security scan' feature that checks about 130 baseline 
> security metrics and provides advice on locking the host down. This is 
> not absolute and there's a bunch of other stuff you should be looking 
> at to reach a baseline but it's a great start.
> 
> The second is a host based IDS (of sorts...) that uses signatures to 
> detect malicious code running in client sites. It's great for 
> automagically picking up shells like C99/R57 etc. that are uploaded as 
> part of an intrusion. It has really configurable quarantine options 
> and will scan for symlinks etc. where open_basedir protection has been 
> broken.
> 
> As I said, there is a bunch of other stuff (moving PHP session dirs, 
> basedir patching apache, disabling potentially malicious php 
> functions, running suhosin yadda yadda yadda...) that should be done 
> here - BUT - In 100% of the cases where we implement these packages on 
> hosts they pick up loads of compromised accounts/code that wasn't 
> detected previously. They're a good start.
> 

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog