Posted to users@httpd.apache.org by James Smallacombe <up...@3.am> on 2010/02/19 16:25:42 UTC

[users@httpd] Suhosin vs. mod_security

After a recent php compromise of the www user on my web server via the Zen 
Cart "record company" exploit, I installed the Suhosin extension (patch 
was already there).  Suhosin helped a great deal.  It enabled me to block 
certain php functions globally and re-enable them on a per-vhost basis, as 
needed.  Perhaps just as importantly, it logged violations, along with IP 
addresses, which not only enabled me to track down attackers, but also 
troubleshoot which vhosts needed which functions to work properly.

After having customers' content providers patch their respective Zen Carts 
and purging/disabling the several c99shells and other nasty scripts 
uploaded by kiddies, we found that the patched Zen carts wouldn't function 
properly and wasn't logging what part of Suhosin was blocking 
functionality. Neither Zen developers nor the Suhosin author responded to 
requests for a workaround for this.

Sadly, there doesn't appear to be any current development or support for 
the Suhosin extension, no forum or mailing list.  This leaves one 
wondering what the best way is to manage php (and other) security on the 
web server.  Does mod_security allow some of the same functionality, and is 
there current support and development of it?  What's the best current 
practice WRT Apache and php security?

TIA,

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
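
Added example, not part of the original post and not code from Suhosin or Zen Cart: a small log summariser for the workflow described above, using logged violations to see which vhost needs which blocked PHP function and which client IPs triggered the block. The alert line shape, the docroot-to-vhost map and the sample log lines are assumptions constructed for illustration; adjust the pattern to what your syslog actually contains.

```python
import re
from collections import defaultdict

# Assumed alert shape, modelled on Suhosin's blacklist alerts in syslog.
ALERT_RE = re.compile(
    r"ALERT - function within blacklist called: (?P<func>\w+)\(\) "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'"
)

# Hypothetical docroot prefixes mapped to vhost names.
VHOST_ROOTS = {
    "/var/www/shop.example/": "shop.example",
    "/var/www/blog.example/": "blog.example",
}

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
Feb 19 10:01:02 web1 suhosin[411]: ALERT - function within blacklist called: exec() (attacker '203.0.113.7', file '/var/www/shop.example/includes/mail.php', line 88)
Feb 19 10:01:09 web1 suhosin[411]: ALERT - function within blacklist called: exec() (attacker '198.51.100.23', file '/var/www/shop.example/includes/mail.php', line 88)
Feb 19 10:02:30 web1 sshd[902]: Accepted publickey for admin from 192.0.2.10
Feb 19 10:03:44 web1 suhosin[415]: ALERT - function within blacklist called: system() (attacker '203.0.113.7', file '/var/www/blog.example/img/a.php', line 2)
Feb 19 10:04:01 web1 suhosin[415]: ALERT - function within blacklist called: passthru() (attacker '203.0.113.7', file '/tmp/upl.php', line 1)
"""

def vhost_for(path):
    """Map a script path to its vhost; anything outside a known docroot is 'unknown'."""
    for root, name in VHOST_ROOTS.items():
        if path.startswith(root):
            return name
    return "unknown"

def summarize(log_text):
    """Return {vhost: {function: set of client IPs}} for blocked calls."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # non-Suhosin lines are skipped
            report[vhost_for(m["file"])][m["func"]].add(m["ip"])
    return report

if __name__ == "__main__":
    for vhost, funcs in sorted(summarize(SAMPLE_LOG).items()):
        for func, ips in sorted(funcs.items()):
            print(f"{vhost:15} {func:10} {', '.join(sorted(ips))}")
```

A function blocked for many unrelated client IPs in one application file suggests a legitimate feature that needs a per-vhost exception; a blocked call from a script outside every known docroot, or from a single IP, is a lead for incident response.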


Re: [users@httpd] Suhosin vs. mod_security

Posted by Mike Cardwell <ap...@lists.grepular.com>.
On 19/02/2010 15:25, James Smallacombe wrote:

> After a recent php compromise of the www user on my web server via the
> Zen Cart "record company" exploit, I installed the Suhosin extension
> (patch was already there). Suhosin helped a great deal. It enabled me to
> block certain php functions globally and re-enable them on a per-vhost
> basis, as needed. Perhaps just as importantly, it logged violations,
> along with IP addresses, which not only enabled me to track down
> attackers, but also troubleshoot which vhosts needed which functions to
> work properly.
>
> After having customers' content providers patch their respective Zen
> Carts and purging/disabling the several c99shells and other nasty
> scripts uploaded by kiddies, we found that the patched Zen carts
> wouldn't function properly and wasn't logging what part of Suhosin was
> blocking functionality. Neither Zen developers nor the Suhosin author
> responded to requests for a workaround for this.
>
> Sadly, there doesn't appear to be any current development or support for
> the Suhosin extension, no forum or mailing list. This leaves one
> wondering what the best way is to manage php (and other) security on the
> web server. Does mod_security allow some of the same functionality, and
> is there current support and development of it? What's the best current
> practice WRT Apache and php security?

I don't know what Suhosin does so I can't compare its features to 
mod-security. However, I've been on the mod-security mailing list for 
quite a while now, and it's still under very active development. The 
latest version was released only 2 weeks ago and the core rules are 
being updated regularly. The level of support on the official mailing 
list is excellent as well.

-- 
Mike Cardwell    : UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/       #06920226
Technical Blog   : Tech Blog  - https://secure.grepular.com/
Spamalyser       : Spam Tool  - http://spamalyser.com/



Re: [users@httpd] Suhosin vs. mod_security

Posted by Jim Jagielski <ji...@jaguNET.com>.
Suhosin is PHP specific and operates at that level (at the app level
and "protecting" PHP)... mod_security works at a higher level.

On Feb 19, 2010, at 10:25 AM, James Smallacombe wrote:

> 
> After a recent php compromise of the www user on my web server via the Zen Cart "record company" exploit, I installed the Suhosin extension (patch was already there).  Suhosin helped a great deal.  It enabled me to block certain php functions globally and re-enable them on a per-vhost basis, as needed.  Perhaps just as importantly, it logged violations, along with IP addresses, which not only enabled me to track down attackers, but also troubleshoot which vhosts needed which functions to work properly.
> 
> After having customers' content providers patch their respective Zen Carts and purging/disabling the several c99shells and other nasty scripts uploaded by kiddies, we found that the patched Zen carts wouldn't function properly and wasn't logging what part of Suhosin was blocking functionality. Neither Zen developers nor the Suhosin author responded to requests for a workaround for this.
> 
> Sadly, there doesn't appear to be any current development or support for the Suhosin extension, no forum or mailing list.  This leaves one wondering what the best way is to manage php (and other) security on the web server.  Does mod_security allow some of the same functionality, and is there current support and development of it?  What's the best current practice WRT Apache and php security?
> 
> TIA,
> 
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up@3.am							    http://3.am
> =========================================================================


Re: [users@httpd] Suhosin vs. mod_security

Posted by Jerry K <ap...@oryx.us>.
Yep, I'm replying to a very old thread.

.......................................


OP, I am just wondering if you resolved your issue here, and if you are still 
using Suhosin?

If not, did you move to mod_security, as other repliers had suggested, or 
something else?

thank you,

Jerry



On 02/19/10 09:25 AM, James Smallacombe wrote:
>
> After a recent php compromise of the www user on my web server via the Zen Cart
> "record company" exploit, I installed the Suhosin extension (patch was already
> there).  Suhosin helped a great deal.  It enabled me to block certain php
> functions globally and re-enable them on a per-vhost basis, as needed.  Perhaps
> just as importantly, it logged violations, along with IP addresses, which not
> only enabled me to track down attackers, but also troubleshoot which vhosts
> needed which functions to work properly.
>
> After having customers' content providers patch their respective Zen Carts and
> purging/disabling the several c99shells and other nasty scripts uploaded by
> kiddies, we found that the patched Zen carts wouldn't function properly and
> wasn't logging what part of Suhosin was blocking functionality. Neither Zen
> developers nor the Suhosin author responded to requests for a workaround for this.
>
> Sadly, there doesn't appear to be any current development or support for the
> Suhosin extension, no forum or mailing list.  This leaves one wondering what the
> best way is to manage php (and other) security on the web server.  Does
> mod_security allow some of the same functionality, and is there current support
> and development of it?  What's the best current practice WRT Apache and php
> security?
>
> TIA,
>
> James Smallacombe              PlantageNet, Inc. CEO and Janitor
> up@3.am                                http://3.am
> =========================================================================
>
