National Swiss-TUG Event
Protecting TYPO3 With Suhosin And ModSecurity
Presentation by Xavier Perseguers
Monday, January 26, 2009
Overview
  Introduction
  Suhosin
  ModSecurity
  Summary / Further Protection

Introduction

Introduction / About me
  Senior Consultant / Developer @ ELCA Informatique SA
  Server administrator
  Using TYPO3 since 2005/2006
  Actively developing for TYPO3 since 2008

Introduction / The Problem
  Wide variety of threats
    Integration of popular software packages
    Server updates not installed
    SQL injection, XSS
    Unknown exploits

Introduction / The Problem (Big Picture)
  [Diagram: Client -> Web Server (+ extensions) -> Database Server, with the Filesystem (R W X) attached to the web server.
   Threat labels placed on the diagram: Input Validation Error, SQL Injection, XSS, File Disclosure, Command Execution, Privilege Escalation.]

Introduction / Solutions
  Prompt patching and updating for server software
  Code quality in your extensions
  Developing extensions with security in mind
  Firewall / Server hardening

Introduction / Solution, is that all?
  Secure development practices?
  Firewall
    TCP/IP layer
    XSS, remote file inclusion, ...
    SSL encrypted traffic?

Suhosin

Suhosin / What's that?
  Advanced protection system for PHP (module / patch)
  Runtime protection:
    Transparent cookie / session encryption
    Function black- and whitelist
    ...
  With patch:
    Low-level protection (buffer overflow, ...)

Suhosin / Sample Code
  Very basic ACL check: (code listing shown on the slide, not in the transcript)

Suhosin / Sample Code (cont.)
  read (code listing shown on the slide, not in the transcript)

Suhosin / Sample Code (cont.)
  write (code listing shown on the slide, not in the transcript)

Suhosin / Sample Code (cont.)
  (code listing shown on the slide, not in the transcript)

Suhosin / Sample Code (cont.)
  TYPO3 does not have such code (hopefully)
  But the extensions you use?
  Let's try Suhosin as PHP module

Suhosin / How To Install (Debian)
  Install as usual
    # apt-get install php5-suhosin
  Edit file /etc/php5/conf.d/suhosin.ini
    Activate any feature you wish
    Do not use characters {}[] and the like for cryptkeys
  Restart Apache

Suhosin / Sample Code (again)
  (three slides revisiting the sample code after installing Suhosin; the listings are shown on the slides, not in the transcript)

Suhosin / (Some) Other Features
  Scanning uploaded files
    Use a script that outputs "1" if the file is valid. If not, $_FILES will be empty!
  Disallow scripts from changing the memory limit, or force an upper bound when not using safe_mode
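As an added example (not from the slides), here is a verification script of the kind the upload-scanning bullet describes. Suhosin runs the script named in its suhosin.upload.verification_script ini setting (from the Suhosin documentation, not on the slide) with the temporary file path as the only argument and keeps the upload only if the script prints "1"; the allow-list of file signatures and the PHP-tag check are my own policy choices for the example.

```python
#!/usr/bin/env python3
"""Upload verification script for Suhosin (added example, not from the slides).

Suhosin invokes the script configured in suhosin.upload.verification_script
with the path of the temporary uploaded file as its only argument and drops
the upload (the entry vanishes from $_FILES) unless the script prints "1".
The policy below is an assumption made for this example: accept only files
whose leading bytes match a small allow-list of image/PDF signatures and
which contain no PHP open tag anywhere in their body.
"""
import sys

# Constructed allow-list: magic bytes -> human-readable type.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

# PHP open tags (compared case-insensitively). An uploaded file containing
# one becomes executable code if it is ever reached by the PHP handler,
# so it is rejected even when the file otherwise looks like an image.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def detect_type(data: bytes):
    """Return the allow-listed type whose signature matches, else None."""
    for magic, kind in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def verify_bytes(data: bytes) -> bool:
    """Decide whether an uploaded file body is acceptable under the policy."""
    if detect_type(data) is None:
        return False
    lowered = data.lower()
    return not any(marker in lowered for marker in FORBIDDEN_MARKERS)


def verify_upload(path: str) -> bool:
    """Read the temporary file Suhosin hands us and apply the policy.
    Any I/O error counts as a rejection, so the check fails closed."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    return verify_bytes(data)


def main(argv) -> int:
    if len(argv) != 2:
        # Wrong invocation: print nothing, so Suhosin discards the upload.
        return 1
    sys.stdout.write("1" if verify_upload(argv[1]) else "0")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```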

ModSecurity

ModSecurity / Web Application Firewall
  Filtering requests with regular expressions
  Able to scan uploaded files (just as Suhosin does)
  Prevents JavaScript/SQL injection
  much more
  [Diagram: ModSecurity placed in front of the Application]

ModSecurity / How To Install
  Compile from source or
  Use a package (available from official website)
    Debian, Fedora, FreeBSD, RedHat, ...
  Core rules included in distribution (more on this later)

ModSecurity / Let's Start Blocking!
  Create file /etc/apache2/conf.d/mod-security2 (configuration shown on the slide, not in the transcript)
  Open your browser (screenshot shown on the slide, not in the transcript)

ModSecurity / Let's Start Blocking!
  Audit log entry for the blocked request:

  --b1361a18-A--
  [23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
  --b1361a18-B--
  GET /?attack HTTP/1.1
  Host: yoursite.com
  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM

  --b1361a18-F--
  HTTP/1.1 412 Precondition Failed
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 267
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1

  --b1361a18-H--
  Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
  Action: Intercepted (phase 2)
  Stopwatch: 1232702819271014 2259647 (3639 3892 -)
  Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
  Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1

  --b1361a18-Z--

ModSecurity / What about real protection?
  Willing to write "real" set of SecRules yourself?

  # Validate request line
  #
  SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"

  # HTTP Request Smuggling
  #
  SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"

  # Block request with malformed content.
  # ModSecurity will not inspect these, but the server application might do so
  #
  SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"

  # Accept only digits in content length
  #
  SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"

  # Do not accept GET or HEAD requests with bodies
  # HTTP standard allows GET requests to have a body but this
  # feature is not used in real life. Attackers could try to force
  # a request body on an unsuspecting web application.
  #
  SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
  SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

  # Require Content-Length to be provided with every POST request.
  #
  SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
  SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

  # Don't accept transfer encodings we know we don't know how to handle
  #
  # NOTE ModSecurity does not support chunked transfer encodings at

ModSecurity / What about real protection?
  Willing to write "real" set of SecRules yourself?
  I don't!

ModSecurity / What about real protection?
  Core rules installed with Debian package
    /usr/share/doc/mod-security2-common/examples/rules/
  Copy them to /var/lib/modsecurity2/core/
  Edit your configuration

ModSecurity / What about real protection?
  Edit core rule file modsecurity_crs_10_config.conf
    Fit your needs
    Hint: modsecurity.conf-minimal (from package)
  Restart Apache

ModSecurity / Let's Use TYPO3

ModSecurity / TYPO3 needs some tuning...
  Audit log entry for a TYPO3 backend request blocked by the core rules:

  --1a422639-A--
  [23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80
  --1a422639-B--
  POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
  ...
  --1a422639-H--
  Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

  The slide highlights three values from this entry: the request POST /typo3/alt_doc.php, the rule id "950001" and the message "SQL Injection Attack".

ModSecurity / Tuning for TYPO3
  Add exceptions to /etc/apache2/conf.typo3.d/exceptions
    (exception shown on the slide, not in the transcript; it is keyed on the request POST /typo3/alt_doc.php, the rule id "950001" and the message "SQL Injection Attack")
  Reference this file for TYPO3 virtual hosts (configuration shown on the slide, not in the transcript)
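Tuning by hand means reading many audit log entries like the two above. As an added example (not from the slides or the TYPO3 WAF project), this script parses the serial ModSecurity audit log format shown on the slides (--id-A-- ... --id-Z-- sections), groups denials by request path and rule id, and prints SecRuleRemoveById exceptions scoped with LocationMatch for review; the sample log is constructed from the two slide entries with most headers trimmed, and every emitted stanza is a candidate that still has to be judged before it is deployed, since it switches the rule off for that path.

```python
"""Turn ModSecurity audit log denials into candidate exception stanzas.
Added example, not from the slides. SAMPLE_AUDIT_LOG is constructed from the
two audit entries shown on the slides, with most headers trimmed."""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
--b1361a18-A--
[23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
--b1361a18-B--
GET /?attack HTTP/1.1
Host: yoursite.com
--b1361a18-H--
Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
Action: Intercepted (phase 2)
--b1361a18-Z--
--1a422639-A--
[23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80
--1a422639-B--
POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
Host: yoursite.com
--1a422639-H--
Message: Access denied with code 412 (phase 2). Pattern match "(?:\\b(?:(?:s(?:elect\\b ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
--1a422639-Z--
"""

# Section boundary: "--<transaction id>-<section letter>--"
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Bracketed key/value pairs appended to a Message line: [id "950001"] ...
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_audit_log(text):
    """Split a serial audit log into transactions and summarize each one.
    Only section B (request headers) and section H (audit trailer) are kept."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            txn_id, section = m.groups()
            if section == "A":
                current = {"id": txn_id, "B": [], "H": []}
                entries.append(current)
            continue
        if current is not None and section in ("B", "H"):
            current[section].append(line)
    return [summarize(e) for e in entries]


def summarize(entry):
    """Extract method, path (query string dropped) and every denial message."""
    request_line = entry["B"][0] if entry["B"] else ""
    parts = request_line.split(" ")
    method = parts[0] if len(parts) >= 2 else ""
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    denials = []
    for line in entry["H"]:
        if not line.startswith("Message: Access denied"):
            continue  # warnings and non-blocking matches are not exceptions
        tags = dict(TAG_RE.findall(line))
        denials.append({"rule_id": tags.get("id"), "msg": tags.get("msg"),
                        "file": tags.get("file"), "line": tags.get("line")})
    return {"txn": entry["id"], "method": method, "path": path, "denials": denials}


def build_exceptions(summaries):
    """Group denials by path and emit Apache config text for review.
    A rule without an id cannot be removed with SecRuleRemoveById, so it is
    reported as a comment for manual follow-up instead."""
    grouped = defaultdict(set)  # (method, path) -> {(rule id, msg)}
    notes = []
    for s in summaries:
        for d in s["denials"]:
            if d["rule_id"] is None:
                notes.append(f'# txn {s["txn"]}: {s["method"]} {s["path"]} denied by a rule '
                             f'without id ({d["file"]}:{d["line"]}); review by hand')
            else:
                grouped[(s["method"], s["path"])].add((d["rule_id"], d["msg"]))
    out = list(notes)
    for (method, path), rules in sorted(grouped.items()):
        out.append(f'<LocationMatch "^{re.escape(path)}$">')
        for rule_id, msg in sorted(rules):
            out.append(f"    # {method} {path}: {msg}")
            out.append(f"    SecRuleRemoveById {rule_id}")
        out.append("</LocationMatch>")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_exceptions(parse_audit_log(SAMPLE_AUDIT_LOG)))
```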

ModSecurity / Tuning for TYPO3 (cont.)
  Manual tuning with "common" extensions > 100 lines
  TYPO3 WAF project
    Ready set of rules for ModSecurity
    Lars Houmark and Lars E. D. Jensen

    "Our goals with TYPO3 WAF. To create a minimal (server performance wise) rule set for TYPO3 and extensions which address very generic methods of attacking and TYPO3/extension security holes."

Summary & Further Protection

Summary
  Suhosin
    Protects PHP and locks down the system
  ModSecurity
    Focused on Web protocols
    Can analyze SSL traffic
  Do not rely only on those systems

Summary / Be Proactive
  Think like the adversary
    What is wrong with my system?
    How can I exploit it?
  Never too late to add security
  Do not ignore risk but mitigate it
    Compartmentalize / Least privilege
    Fail safely w/o information disclosure

Summary / System Lock Down
  Fix filesystem permissions
  Do not allow write unless needed (typo3conf, uploads, ...)
  Prevent file execution
  Use SSL whenever possible
    mod_ssl (dedicated IP / port)
    mod_gnutls (not well supported though)
    Reverse proxy (Apache, pound, nginx, ...)

Summary / Monitoring
  Know if you are compromised / attacked
  Offsite backups
  Recovery procedures

Links
  Suhosin Website
    http://www.hardened-php.net/suhosin/
  ModSecurity Website
    http://www.modsecurity.org
  Additional Ruleset for ModSecurity
    http://www.gotroot.com/mod_security+rules
    http://typo3.org/waf.txt
  WAF Project Newsgroup
    news://news.netfielders.de/typo3.projects.waf

Weitere ähnliche Inhalte

Ähnlich wie Protecting TYPO3 With Suhosin And Modsecurity

Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
 
Taming the Deployment Beast
Taming the Deployment BeastTaming the Deployment Beast
Taming the Deployment BeastChris Cornutt
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationThe Linux Foundation
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odpRamana Yeruva
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingTom Keetch
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksDEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksFelipe Prado
 
IBM Cloud SoftLayer Introduction & Hands-on 2016
IBM Cloud SoftLayer Introduction & Hands-on 2016IBM Cloud SoftLayer Introduction & Hands-on 2016
IBM Cloud SoftLayer Introduction & Hands-on 2016Atsumori Sasaki
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Deployment of cisco_iron_portweb_security_appliance
Deployment of cisco_iron_portweb_security_applianceDeployment of cisco_iron_portweb_security_appliance
Deployment of cisco_iron_portweb_security_applianceAlfredo Boiero Sanders
 
Osgi Webinar
Osgi WebinarOsgi Webinar
Osgi WebinarWSO2
 
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure BundlesSecurity in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure BundlesKai Hackbarth
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Jérôme Petazzoni
 

Ähnlich wie Protecting TYPO3 With Suhosin And Modsecurity (20)

Nuxeo 5.2 Glassfish
Nuxeo 5.2 GlassfishNuxeo 5.2 Glassfish
Nuxeo 5.2 Glassfish
 
Performance Strategies
Performance StrategiesPerformance Strategies
Performance Strategies
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Taming the Deployment Beast
Taming the Deployment BeastTaming the Deployment Beast
Taming the Deployment Beast
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17:  An introduction to Xen Project VirtualisationRootlinux17:  An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project Virtualisation
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odp
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networksDEFCON 23 - Gregory Pickett - staying persistant in software defined networks
DEFCON 23 - Gregory Pickett - staying persistant in software defined networks
 
System Integrity
System IntegritySystem Integrity
System Integrity
 
IBM Cloud SoftLayer Introduction & Hands-on 2016
IBM Cloud SoftLayer Introduction & Hands-on 2016IBM Cloud SoftLayer Introduction & Hands-on 2016
IBM Cloud SoftLayer Introduction & Hands-on 2016
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Deployment of cisco_iron_portweb_security_appliance
Deployment of cisco_iron_portweb_security_applianceDeployment of cisco_iron_portweb_security_appliance
Deployment of cisco_iron_portweb_security_appliance
 
Osgi Webinar
Osgi WebinarOsgi Webinar
Osgi Webinar
 
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure BundlesSecurity in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
 
Html5 apis
Html5 apisHtml5 apis
Html5 apis
 
Sjug aug 2010_cloud
Sjug aug 2010_cloudSjug aug 2010_cloud
Sjug aug 2010_cloud
 

Kürzlich hochgeladen

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Kürzlich hochgeladen (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Protecting TYPO3 With Suhosin And Modsecurity

  • 1. National Swiss-TUG Event. Presentation by Xavier Perseguers. Monday, January 26, 2009
  • 2. Overview
        - Introduction
        - Suhosin
        - ModSecurity
        - Summary / Further Protection
  • 4. Introduction, About me
        - Senior Consultant / Developer @ ELCA Informatique SA
        - Server administrator
        - Using TYPO3 since 2005/2006
        - Actively developing for TYPO3 since 2008
  • 5. Introduction, The Problem: wide variety of threats
        - Integration of popular software packages
        - Server updates not installed
        - SQL injection, XSS
        - Unknown exploits
  • 6. Introduction, The Problem (Big Picture)
        Diagram: Client -> Web Server (+ extensions) -> Database Server. Threats marked on the diagram: Input Validation Error and XSS at the client/web server boundary; SQL Injection at the database; Command Execution, File Disclosure and Privilege Escalation on the filesystem (R W X).
  • 7. Introduction, Solutions
        - Prompt patching and updating of server software
        - Code quality in your extensions
        - Developing extensions with security in mind
        - Firewall / server hardening
  • 8. Introduction, Solutions: is that all?
        - Secure development practices?
        - Firewall: works at the TCP/IP layer, so XSS, remote file inclusion, ... pass through
        - SSL encrypted traffic?
  • 10. Suhosin, What's that?
        - Advanced protection system for PHP (module / patch)
        - Runtime protection: transparent cookie / session encryption; function black- and whitelist; ...
        - With patch: low-level protection (buffer overflow, ...)
  • 11. Suhosin, Sample Code: very basic ACL check:
  • 12. Suhosin, Sample Code (cont.): read
  • 13. Suhosin, Sample Code (cont.): write
  • 14. Suhosin, Sample Code (cont.)
  • 15. Suhosin, Sample Code (cont.)
        - TYPO3 does not have such code (hopefully)
        - But the extensions you use?
        - Let's try Suhosin as PHP module
  • 16. Suhosin, How To Install (Debian)
        - Install as usual: # apt-get install php5-suhosin
        - Edit file /etc/php5/conf.d/suhosin.ini
        - Activate any feature you wish
        - Do not use characters {}[] and the like for cryptkeys
        - Restart Apache
  • 17. Suhosin, Sample Code (again)
  • 18. Suhosin, Sample Code (again)
  • 19. Suhosin, Sample Code (again)
  • 20. Suhosin, (Some) Other Features
        - Scanning uploaded files: use a script that outputs “1” if the file is valid. If not, $_FILES will be empty!
        - Disallow scripts from changing the memory limit, or force an upper bound when not using safe_mode
  • 22. ModSecurity, Web Application Firewall
        - Filtering requests with regular expressions
        - Able to scan uploaded files (just as Suhosin does)
        - Prevents JavaScript/SQL injection, much more
        Diagram: ModSecurity placed in front of the Application.
  • 23. ModSecurity, How To Install
        - Compile from source, or use a package (available from official website): Debian, Fedora, FreeBSD, RedHat, ...
        - Core rules included in distribution (more on this later)
  • 24. ModSecurity, Let's Start Blocking!
        - Create file /etc/apache2/conf.d/mod-security2
        - Open your browser
  • 26. ModSecurity, Let's Start Blocking! Resulting audit log entry:
        --b1361a18-A--
        [23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
        --b1361a18-B--
        GET /?attack HTTP/1.1
        Host: yoursite.com
        User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Connection: keep-alive
        Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM
        --b1361a18-F--
        HTTP/1.1 412 Precondition Failed
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 267
        Keep-Alive: timeout=15, max=100
        Connection: Keep-Alive
        Content-Type: text/html; charset=iso-8859-1
        --b1361a18-H--
        Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
        Action: Intercepted (phase 2)
        Stopwatch: 1232702819271014 2259647 (3639 3892 -)
        Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
        Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1
        --b1361a18-Z--
        Callouts on the slide highlight the Host header (yoursite.com), the message "Access denied with code 412 (phase 2)" and the match "Pattern match "attack" at REQUEST_LINE".
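The contents of /etc/apache2/conf.d/mod-security2 are not in the transcript. The following is an added example, not the presenter's file, of a minimal ModSecurity 2.5 configuration that produces the audit log entry above (status 412, phase 2, pattern "attack" on REQUEST_LINE); the audit and debug log paths are assumptions.

```apache
# Added example (not the presenter's file): a minimal
# /etc/apache2/conf.d/mod-security2 for ModSecurity 2.5 that produces the
# audit log entry shown above. The comment lines are arranged so that the
# SecRule sits on line 7, matching the [line "7"] reference in the log.
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_LINE "attack" "phase:2,deny,status:412,log,auditlog"

# ModSecurity 2.5 accepts a rule without an id (as above); from 2.7 on every
# rule needs an id action, so add e.g. id:'1000001' there.

# Audit log in serial (single file) format with the parts seen on the
# slide (A, B, F, H, Z; part I is empty for a GET without a body).
# Only log requests that were denied or errored, not every 404.
# The log path is an assumption; adjust it to your distribution.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABIFHZ

# Debug log is useful while writing rules; keep level 0 in production,
# higher levels log every request and cost noticeable CPU and disk.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
```

Requesting /?attack after an Apache restart should then yield a 412 and an audit log entry like the one on the slide; any other request passes untouched.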
  • 27. ModSecurity, What about real protection? Willing to write a “real” set of SecRules yourself? (Excerpt of the core rules shown on the slide:)
        # Validate request line
        #
        SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
        # HTTP Request Smuggling
        #
        SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"
        # Block request with malformed content.
        # ModSecurity will not inspect these, but the server application might do so
        #
        SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"
        # Accept only digits in content length
        #
        SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric',severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"
        # Do not accept GET or HEAD requests with bodies
        # HTTP standard allows GET requests to have a body but this
        # feature is not used in real life. Attackers could try to force
        # a request body on an unsuspecting web applications.
        #
        SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
        SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
        # Require Content-Length to be provided with every POST request.
        #
        SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
        SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
        # Don't accept transfer encodings we know we don't know how to handle
        # NOTE ModSecurity does not support chunked transfer encodings at
  • 28. ModSecurity, What about real protection? Willing to write a “real” set of SecRules yourself? I don't!
  • 29. ModSecurity, What about real protection?
        - Core rules installed with the Debian package: /usr/share/doc/mod-security2-common/examples/rules/
        - Copy them to /var/lib/modsecurity2/core/
        - Edit your configuration
  • 30. ModSecurity, What about real protection?
        - Edit core rule file modsecurity_crs_10_config.conf to fit your needs
        - Hint: modsecurity.conf-minimal (from package)
        - Restart Apache
  • 31. ModSecurity, Let's Use TYPO3
  • 32. ModSecurity, TYPO3 needs some tuning... Audit log entry for saving a content element in the backend:
        --1a422639-A--
        [23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80
        --1a422639-B--
        POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
        ...
        ...
        ...
        --1a422639-H--
        Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
        Callouts on the slide highlight the request path POST /typo3/alt_doc.php, the rule id “950001” and the msg “SQL Injection Attack”: the editor typed “insert into” in a bodytext field, and the generic SQL injection rule blocked the save.
  • 33. ModSecurity, Tuning for TYPO3
        - Add exceptions to /etc/apache2/conf.typo3.d/exceptions for POST /typo3/alt_doc.php, id “950001”, msg “SQL Injection Attack”
  • 34. ModSecurity, Tuning for TYPO3
        - Add exceptions to /etc/apache2/conf.typo3.d/exceptions
        - Reference this file for TYPO3 virtual hosts
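The exceptions file itself is not shown in the transcript. The following is an added example, not the presenter's file nor the TYPO3 WAF project's rules, of the exception described on the last two slides; it assumes the rule id 950001 from the audit log above, an Apache location container to scope the removal, and a virtual host file whose path and names are placeholders.

```apache
# Added example, not the presenter's file: /etc/apache2/conf.typo3.d/exceptions
# Relax core rule 950001 ("SQL Injection Attack", see the audit log above)
# only for the TYPO3 backend editing form, where editors legitimately save
# text such as "insert into" in record fields. Every other URL keeps the
# full core rule set. ModSecurity directives honour Apache location
# containers, which is what scopes the exception to this one path.
<LocationMatch "^/typo3/alt_doc\.php$">
    SecRuleRemoveById 950001
</LocationMatch>

# Further backend false positives get their own, equally narrow container.
# Keep SecRuleRemoveById out of the server-wide context: a global removal
# would also switch the rule off for the public frontend, which is where
# untrusted input arrives.

# --- In each TYPO3 virtual host (file path and names are assumptions) ----
# /etc/apache2/sites-available/typo3-site
<VirtualHost *:80>
    ServerName yoursite.com
    DocumentRoot /var/www/typo3
    # Core rules are loaded globally from /etc/apache2/conf.d; this only
    # adds the TYPO3-specific exceptions for this host.
    Include /etc/apache2/conf.typo3.d/exceptions
</VirtualHost>
```

Newer ModSecurity releases can exclude just the offending argument (SecRuleUpdateTargetById) instead of the whole rule for that path, which is the tighter choice where available.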
  • 35. ModSecurity, Tuning for TYPO3 (cont.)
        - Manual tuning with “common” extensions: > 100 lines
        - TYPO3 WAF project: ready set of rules for ModSecurity, by Lars Houmark and Lars E. D. Jensen. "Our goals with TYPO3 WAF. To create a minimal (server performance wise) rule set for TYPO3 and extensions which address very generic methods of attacking and TYPO3/extension security holes."
  • 36. Summary & Further Protection
  • 37. Summary
        - Suhosin: protects PHP and locks down the system
        - ModSecurity: focused on Web protocols; can analyze SSL traffic
        - Do not rely only on those systems
  • 38. Summary, Be Proactive
        - Think like the adversary: What is wrong with my system? How can I exploit it?
        - Never too late to add security
        - Do not ignore risk but mitigate it
        - Compartmentalize / least privilege
        - Fail safely w/o information disclosure
  • 39. Summary, System Lock Down
        - Fix filesystem permissions: do not allow write unless needed (typo3conf, uploads, ...); prevent file execution
        - Use SSL whenever possible: mod_ssl (dedicated IP / port); mod_gnutls (not well supported though); reverse proxy (Apache, pound, nginx, ...)
  • 40. Summary, Monitoring
        - Know if you are compromised / attacked
        - Offsite backups
        - Recovery procedures
  • 41. Links
        - Suhosin Website: http://www.hardened-php.net/suhosin/
        - ModSecurity Website: http://www.modsecurity.org
        - Additional Rulesets for ModSecurity: http://www.gotroot.com/mod_security+rules and http://typo3.org/waf.txt
        - WAF Project Newsgroup: news://news.netfielders.de/typo3.projects.waf