On Thu, 09 Jan 2014 23:36:01 +0000, tsu2 wrote:
> Thx Jim,
>
> First, I want to congratulate the people who undoubtedly worked really
> hard to get the Forums back up. I know that if something doesn’t work
> properly, it can be a really difficult job to overcome obstacles.
>
> A few ideas/opinions… Possibly things to consider preparing for
> similar future issues…
>
> - I’m guessing from the new URLs that the “new” forums are simply
> deployed as a new Virtual Webserver (the path denotes the new and
> different virtual webserver).
Actually, the SEO plugin, as I understand it, creates URLs from the
existing content that is there - so the “new” URLs are actually the “old”
URLs, but what was exposed were the SEO URLs so Google and other search
engines could crawl the content.
> - Although I haven’t explored its use, there <is> an Apache module that
> can re-write the URLs to conform with the old path. Yes, it will put an
> additional load on the machine, unknown what the actual impact would be.
You probably just haven’t seen my other post, but they got it working,
and I assume it’s with a rewrite rule.
> - From all appearances, it looks like the webserver may be “naked” –
> There are benefits to putting it behind a Web Application Proxy. Squid
> probably should be fine although I don’t have experience with it… I’ve
> used commercial Web Application proxies (aka Reverse Proxy and Web
> Accelerators) which should have similar functionality and do everything
> I describe below well.
> - If you deploy a Web Application Proxy
>   - It should be able to filter any potential Injection type attacks
>     (I assume that’s the type of attack your SEO plugin was vulnerable
>     to). The proxy looks like the webserver to the client, but it
>     doesn’t have the same full functionality so is difficult to exploit
>   - Depending on how you deploy, it can offload load from the
>     webserver.
>   - It might perform IDS and maybe even IPS
>
> Usually for both above re-direct implementations, it’s a simple file
> that contains only the few rules (my guess less than 5) necessary to
> define a new Virtual Server.
I’ll leave the specifics of the installation (reverse proxy/not a reverse
proxy) to the guys who manage the data center. They’ve got tons of
experience with this - I believe there’s a reverse proxy in play, but I
could be wrong about that.
My opinion, though, is that AppArmor could be used to help prevent this
type of attack - that’s what it’s designed to do.
> Anyway,
> Congrats again to all the hard work that went into getting the Forums
> back up!
Will make sure the guys doing the work know about it. Even with no
passwords compromised, they got the system back up much faster than
others who have been hit with various exploits.
Jim
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C