3

I have a client with a lot (read several thousand) websites in several old cms solutions that are no longer maintained. Now moving all of them to a maintained solution isn't really an option at this point. So I'm thinking about ways to secure the solutions without patching them.

The solutions are mostly joomla 1.0/1.5 and wordpress. What I'm thinking is something like this:

  • mod_suexec to lock everyone into their own home directory
  • apparmor to deny any and all file writes by default. (exclude by default, include things like "images" directories).
  • use htaccess to prevent anything in writable directories from being executed. (aka disable php_engine for images/ directory).
  • mysql triggers to check the "users" tables to prevent adding new admins/superadmins.

Does this make sense? Is it viable? Am I missing something obvious?

//Edit: Yes, I know it's a horrible idea. I know it can't be made secure. I've informed the client about this VERY clearly. What I'm looking for is a way to setup a temporary solution until these clients can be phased out. The alternative (that he's already doing today) is to wait until individual sites get hacked, restoring them from backup and upgrading them manually.

//Edit2: Alternate idea : Take every php script on the site as per today, and setup apparmor so php can execute them, but nothing else. If I at the same time make them read only that should lock the sites down pretty well.

neuron
  • 131
  • 1
  • 5
    Securing it without patching the security holes? Unplug the network cable. That's about the only way you can be sure. – Michael Hampton Aug 29 '12 at 09:08
  • 2
    Does it make sense? Absolutely not! Yes you have missed the obvious - patch them. Inheriting an unpatched system is one thing. Leaving it that way to save a little work is something else altogether. –  Aug 29 '12 at 09:46
  • Fully aware that this is a horrible idea. And I'm not trying to save myself time, I'm trying to offer the client a temporary solution until he can phase out these clients. –  Aug 30 '12 at 08:37

2 Answers2

2

Beside the fact that you should realy upgrade to a non vulnurable system/cms, have a look at mod_security - http://www.modsecurity.org/

  • Might be a good option, I can hand setup rules and allow only wanted requests. Wasn't aware of that module :) –  Aug 30 '12 at 08:45
  • 2
    True, but considering how insecure these systems seem to be, I would go for a stronger, standalone WAF (web application firewall). You need the isolation here, whereas modsecurity runs inside the webserver. Also, there are stronger, more robust, more capable products out there (but more expensive, too). – AviD Aug 30 '12 at 09:38
  • +1 mod_sec2 in a (transparent?) proxy in front of the whole server farm could, with some tuning, protect against most common attack techniques. – adric Aug 30 '12 at 12:14
-1

If you are trying to save yourself the effort, there's not much I can do to help you.

If the issue is resources, I would suggest looking for vulnerabilities and report them to the management. In the worst case scenario, when you aren't allowed to upgrade, you have at least covered yourself.

Bob Ortiz
  • 6,665
  • 11
  • 50
  • 96
  • I've made it CRYSTAL clear that it's not a matter of IF the sites get hacked, it's a matter of WHEN. –  Aug 30 '12 at 08:45