Security: suhosin / mod_spamhaus / mod_security / mod_evasive

How many of you are running Suhosin? That's if the answer is no.
Do you have an alternative mod that you prefer? Or do you run security checks on *everything* before letting it go live?

What about mod-spamhaus? mod_security? mod_evasive? These were at one point the trifecta for getting our clients' sites locked down quickly.

We don't install these 3 when we put sites behind Varnish, but we use Suhosin whenever we install WP and particularly WPMU.

  • drmike

    I had a srever tech tell me once that the more security you put in on a box, the more hackers will see it as a challenge. Also the more you put in the way for the server to work, the more likelyhood of something failing. I;ve always been iffy about that. I at least firewall our servers and have a built in firewall and monitoring service at the router level.

    All of our severs have mod_securiy as I think that's defaulted to in apache now. Plus with wp/wpmu, the rewrites are already here. I know we run a hardened version of php but I'm currently at a loss as to which one.

    As to the security checks, I look at everything before upgrading live installs. We've talked about doing 3rd part paid security checks in the past but seems like most platforms aren't interested in having this done for them. (Which is very very strange if you ask me.)

  • fuzu42

    One of our primary motivations for adding Varnish is the fact that most of what we run is virtualized. We virtualize because of cost, though the streamlined backup system that's made possible because of it is great. By running heavy caching we eat up a lot of memory, but our sites still blaze under social load spikes (eg. twitter) despite the fact that each is running on no more than 1/2 cpu.

    As you note, no system is unhackable, and pretending to be is often an invitation.

    So...what's on your list for checks before you upload, drmike?

  • drmike

    One of our primary motivations for adding Varnish is the fact that most of what we run is virtualized.

    You got me at a lost then on this stuff. We just run standard Direct Admin boxes on FreeBSD for the most part. We don;t get fancy. Really hasn;t been much call for it.

    So...what's on your list for checks before you upload, drmike?

    More of a basic scan through the files to see if input is escapped, tests for data leakage, XSS stuff, leaving directories open for viewing, etc. Most of our rollout packages are pretty much developed so most of the changes or upgrades are small. Like new designs, themes, plugins and modules.

    We have quietly paid for a few security checks over the years and had complete checks done if the software has had issues or we're concerned about something. One of the support techs at the support firm we use is working on his phd on programming security. I bounce stuff off of him from time to time.

    This is a good read for the stuff that I look for:

    We also look at the big picture stuff as well. Like wpmu and javascripts. We're not going to add something to our rollout packages that would override built in security measures like allowing javascripts.

    We also do silly simple stuff like change ssh ports to something non standard. Considering though all clients have ssh access (although less than 1% actually use it) that's an open secret.

    We have a fairly good firewall monitoring script that we've modified over the years. If someone or something sets off a flag, it'll block for 4 hours and start ringing bells with our monitoring service. We just modified that actually within the last few weeks to if a second or more IP address launches an attack from the same class c as another one that's currently blocked, it'll shut the whole class c out and go "from bells to alarms" as we've called it. Won;t stop a bot network but it'll stop that idiot we have out of Waco, Texas who's been going at us for about 9+ years now.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.