[AusNOG] Protecting Web Hosting environments - was Re: DDOS mitigation

PRK ausnog at digitaljunkie.net
Mon May 13 12:22:53 EST 2013


Rather than scanning for known vulnerabilities, does anyone know if 
there's anything out there in the network security space which can 
detect the various exploit / scan attempts to an old WordPress / Joomla 
/ Drupal /etc site, and block them?

It would need to be carrier / hosting provider targeted, for hundreds 
of IPs with thousands of sites, not an enterprise FW for a single site.

I know F5 have a module for it on their BigIP kit (ASM), but you 
generally need to be load balancing the IP on the F5 itself, and also 
train it about the specific site to know what's valid and invalid data. 
This is all well and good if it's your site, but not if it's thousands 
of customers' sites which change all the time.

I'd love to be able to put an L7 firewall in front of a hosting 
environment and have it automatically update its list of exploit 
definitions, then just be able to drop the various attempts to scan for 
or exploit older CMSs.

Less impact to our customers, less impact to our network, less impact 
to our ops staff, less impact to other networks (our customers' sites 
stop being used in DDoS attacks), etc.

Or am I dreaming?

prk.

PS: If you're a vendor who sells something you think meets these 
criteria or I'd want, feel free to contact me off list to discuss, if 
you want to avoid an on-list sales pitch.
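A small host-side sketch of the kind of automated detection asked for above, added here as an example and not code from this thread or from any product it mentions: it parses Apache combined-format access log lines (a constructed sample is included), scores each source IP on requests to common WordPress and Joomla entry points and on login POST bursts, and returns the IPs a provider could hand to a firewall block list. The probe paths and thresholds are assumptions and would need tuning against real traffic.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

# Assumed CMS probing indicators: login/admin endpoints and plugin/component enumeration paths.
CMS_PROBE_RE = re.compile(r'/(wp-login\.php|xmlrpc\.php|wp-admin/|wp-content/plugins/'
                          r'|administrator/|index\.php\?option=com_)', re.IGNORECASE)

def parse_line(line):
    """Return a dict for a well-formed combined-format line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return {**m.groupdict(), "status": int(m["status"])} if m else None

def score_sources(lines, probe_threshold=5, login_post_threshold=3):
    """Per source IP: CMS probe hits, POSTs to login endpoints, 404 count, flag (thresholds assumed)."""
    stats = defaultdict(lambda: {"probes": 0, "login_posts": 0, "not_found": 0, "flagged": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated lines are skipped, not allowed to abort the run
        s = stats[rec["ip"]]
        if CMS_PROBE_RE.search(rec["path"]):
            s["probes"] += 1
        if rec["method"] == "POST" and rec["path"].endswith(("wp-login.php", "xmlrpc.php")):
            s["login_posts"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
    for s in stats.values():
        s["flagged"] = s["probes"] >= probe_threshold or s["login_posts"] >= login_post_threshold
    return dict(stats)

def block_candidates(lines):  # sorted IPs a provider could feed to a firewall block list
    return sorted(ip for ip, s in score_sources(lines).items() if s["flagged"])

# Constructed sample: a scanner (198.51.100.7), a login brute-forcer (203.0.113.9), a normal visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/May/2013:12:01:01 +1000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:12:01:02 +1000] "GET /administrator/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:12:01:02 +1000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:12:01:03 +1000] "GET /index.php?option=com_jce HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2013:12:01:03 +1000] "GET /wp-admin/install.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2013:12:05:10 +1000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "curl/7.29"',
    '203.0.113.9 - - [13/May/2013:12:05:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "curl/7.29"',
    '203.0.113.9 - - [13/May/2013:12:05:12 +1000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "curl/7.29"',
    '192.0.2.44 - - [13/May/2013:12:07:00 +1000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
```

Running `block_candidates(SAMPLE_LOG)` over the sample returns the scanner and the brute-forcer but not the ordinary visitor; at provider scale the same aggregation would run across all vhosts' logs rather than per site.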


On 2013-05-12 23:23, Tim March wrote:
> I do a lot of work with hosting companies that operate the sort of
> shared environments you're discussing here. They're invariably
> littered with old Joomla and WordPress installs that are regularly
> compromised. The biggest concern you have here is limiting how exposed
> both the server itself and the other sites it hosts are to these
> attacks.
> 
> Firstly, with regards to Joomla and WP there are two pretty
> reasonable scanners under active development that can pick up
> known-bad plugins and detect a number of known-bad configurations...
> 
> http://sourceforge.net/projects/joomscan/
> 
> http://wpscan.org/
> 
> ... If you're operating these CMSs they're a really good first-place
> to start to get some baseline security info. I use them both regularly
> on pentest and va jobs.
> 
> Secondly, if you're running cPanel (yeah, yeah, everyone screams about
> it being a POS but it's the de facto standard and actually works really
> well...) there are a couple of really useful software packages that
> provide GUI-fied security configuration of the host...
> 
> 
> http://configserver.com/cp/csf.html
> 
> http://configserver.com/cp/cxs.html
> 
> The first provides easy access to a bunch of host based security
> configuration like resource limits, more advanced brute-force
> protection, firewall config, active email alerts etc.
> 
> It has a 'quick security scan' feature that checks about 130 baseline
> security metrics and provides advice on locking the host down. This is
> not absolute and there's a bunch of other stuff you should be looking
> at to reach a baseline but it's a great start.
> 
> The second is a host based IDS (of sorts...) that uses signatures to
> detect malicious code running in client sites. It's great for
> automagically picking up shells like C99/R57 etc. that are uploaded as
> part of an intrusion. It has really configurable quarantine options
> and will scan for symlinks etc. where open_basedir protection has been
> broken.
> 
> As I said, there is a bunch of other stuff (moving PHP session dirs,
> basedir patching apache, disabling potentially malicious php
> functions, running suhosin yadda yadda yadda...) that should be done
> here - BUT - In 100% of the cases where we implement these packages on
> hosts they pick up loads of compromised accounts/code that wasn't
> detected previously. They're a good start.
> 
