lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AF21EA1C-4404-4368-A3F8-998D4941A417@frii.com>
Date: Mon, 19 Jun 2006 11:07:33 -0600
From: Neil Neely <neil@...i.com>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)



On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:

[Funny commentary picking on PHP deleted]

For those of us that have to administer shared hosting servers where  
customers can and do build/install very poorly written web  
applications it can be a full time job trying to protect your  
server.  The fact that the majority of these target PHP is  
interesting, but frankly not really relevant to those of us that need  
to maintain the environment.  Due to the aggressive attempts to  
exploit these web applications we found we needed to do something  
more, and we found an excellent tool that helps out a lot with this,  
at least on servers running apache:

http://www.modsecurity.org/

It is essentially an application layer firewall that blocks certain  
known bad patterns from being passed through to the underlying web  
applications.  This is in no way a substitute for good security  
policies on your web servers and ultimately fixing the underlying  
security problems of the web applications.  When tuned well it can be  
a useful additional layer to help defend your server.  It won't stop  
the underlying application from having terrible logic that is  
exploitable, but as you tune your modsecurity setup over time you can  
at least mitigate some of it.

I just wanted to pass this on in case any admins reading this list  
didn't know about it.  It's really saved us a lot of time and energy.

Cheers,
	Neil





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ