Peter Keel wrote:
Morning
I just about agree with Jeroen.
- on the Wed, Sep 16, 2009 at 10:38:21AM +0200, Jeroen Massar wrote:
As you say 'webhosting' your biggest worry though won't be that, it will be all the great php/perl/whatever scripts written by people who haven't figured out what security means causing great things such as SQL injections or just simple remote file inclusions. (aka, enable php error logging in full to a file, and see what junk you get, and you might want to consider running PHP with Suhosin.)
That's not enough, by far. You might consider using mod_security.
Beware of default mod_security filters. It first disabled phpmyadmin on a cluster (long time ago) but it's generally a good protection against XSS and SQL injections (and w00tw00t-like).
Nevertheless, iptables can take care of most of the junk.
Yes, I'd recommend to do just that. Filter out any junk with iptables; block any ports you're not using for services from the outside (so any user on your machine running a daemon can't have connections to it from the outside), and limit outgoing connections. I personally also like to rate-limit ICMP.
Yeah, I prefer rate limiting with monitoring when packets become refused so you can follow your bandwidth/pps progression. I also rate-limit UDP (after a UDP flood from a hacked server, inside) and rate-limit TCP session establishment.
I'm doing this with OpenBSD's pf on our BGP routers. We don't have much traffic (~ 20 Mbps) so it's working like a charm.
But all this doesn't protect from DDoS. I don't know how to block these without big traffic analysis with a lot of probabilities and other mathematical functions.
But don't be over-zealous, especially not where ICMP is concerned: http://portal.acm.org/citation.cfm?id=1050542
I recently saw a customer who couldn't stream any video correctly because his (previous) hoster was blocking some types of ICMP. Rate-limit is far better in my opinion but must be maintained to be sure the rate is adequate.
Julien Escario
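
The rate-limit-and-monitor approach discussed in this message, sketched for iptables as an added example that is not part of the original thread: each traffic class is accepted up to a rate, the excess is dropped by a separate tagged rule, and the drop counters of two `iptables-save -c` snapshots are compared to get refused packets per second. The rates, the `rl-*` comment tags, the function names and the sample counters are assumptions constructed for illustration.

```shell
# Added example, not from the thread. Rates and rl-* tags are assumed values.
# Accept up to a rate, DROP the excess in a tagged rule whose counter shows refusals.
# RELATED lets ICMP errors for known flows bypass the limit; -m limit is one global bucket.
ratelimit_rules() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m limit --limit 20/second --limit-burst 40 -j ACCEPT
-A INPUT -p icmp -m comment --comment "rl-icmp" -j DROP
-A INPUT -p udp -m limit --limit 200/second --limit-burst 400 -j ACCEPT
-A INPUT -p udp -m comment --comment "rl-udp" -j DROP
-A INPUT -p tcp --syn -m limit --limit 100/second --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --syn -m comment --comment "rl-syn" -j DROP
COMMIT
EOF
}

# Constructed `iptables-save -c` excerpts taken 60 s apart ([packets:bytes] per rule).
sample_old() { cat <<'EOF'
[1200:100800] -A INPUT -p icmp -m comment --comment rl-icmp -j DROP
[300:42000] -A INPUT -p udp -m comment --comment "rl-udp" -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment rl-syn -j DROP
EOF
}
sample_new() { cat <<'EOF'
[1200:100800] -A INPUT -p icmp -m comment --comment rl-icmp -j DROP
[36300:5082000] -A INPUT -p udp -m comment --comment "rl-udp" -j DROP
[600:36000] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment rl-syn -j DROP
EOF
}

# stdin: `iptables-save -c` text. stdout: "<tag> <packets dropped>" for each rl-* rule.
drop_counters() {
  awk '/--comment "?rl-/ {
    split($1, c, ":"); sub(/^\[/, "", c[1])
    for (i = 2; i < NF; i++) if ($i == "--comment") { tag = $(i + 1); gsub(/"/, "", tag) }
    print tag, c[1]
  }'
}

# drop_rate OLD NEW SECONDS: refused packets per second per tag between two snapshots.
drop_rate() {
  { printf '%s\n' "$1" | drop_counters | sed 's/^/old /'
    printf '%s\n' "$2" | drop_counters | sed 's/^/new /'; } |
  awk -v t="$3" '$1 == "old" { o[$2] = $3 }
                 $1 == "new" { printf "%s %d\n", $2, ($3 - o[$2]) / t }'
}

drop_rate "$(sample_old)" "$(sample_new)" 60   # demo on the constructed snapshots
```

On a live host the ruleset would be loaded with `ratelimit_rules | iptables-restore` as root, and the two snapshots would come from `iptables-save -c` runs a known interval apart.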