2

I have a few Unicorn servers running on Ubuntu 12.04 and I am looking to secure them against exploits which give remote shell.

My main concern is whether it makes sense to deploy ModSecurity.

Another thing is that I have seen Unicorn typically runs on port 8080, and it's forwarded to port 80 of an Apache/NginX server, which serves as a reverse proxy.

I was thinking that I could employ the following:

  • ModSecurity on Apache
  • Apache as worker (threaded) with mod_qos, to prevent an excessive number of requests from any host
  • Run the Unicorn server as a designated user and isolate it through AppArmor, or SELinux if it's Red Hat/CentOS

I would like to know if there is another hardening framework / patch for RoR, like Suhosin for PHP.

Andrew Smith
  • P.S. Session might not be the best example, as this can be solved with object storage and a random and encrypted token. However, anything to make it safe for the remote shell scenario is highly desired :-) – Andrew Smith Sep 21 '12 at 01:10

1 Answer

8

I would start with the Ruby on Rails Security Guide.

> I am looking to secure them against exploits which give remote shell.

Pay attention to the File Uploads section.

  • Make sure file uploads don't overwrite important files
  • Validate the file name
  • Use plugins: attachment_fu or paperclip
  • Never allow users to upload: .php, .cgi, ...
  • Set the appropriate Content-Type HTTP header
  • Put file uploads outside of the /public directory

You can also scan your Rails code for vulnerabilities using Brakeman:

gem list -d brakeman

*** LOCAL GEMS ***

brakeman (1.8.0)
    Author: Justin Collins
    Homepage: http://brakemanscanner.org
    Installed at: /usr/lib/ruby/gems/1.8

    Security vulnerability scanner for Ruby on Rails.
quanta
  • Thank you very much! I'll leave it until next Wednesday or something. – Andrew Smith Sep 21 '12 at 09:14
  • Hi! I have read the manual; I would say it's not comprehensive, very simplistic and not always correct. OWASP projects are giving a much better alternative to this, and with this I am familiar a bit. The files I am controlling on the operating system level. There is an OS system-wide policy for files, so every file which is written by the Unicorn user is filtered by at least anti-virus (clamav), anti-spam (modsecurity) as well as Apache/NginX URL filtering. However, an automated approach to code security seems to be OK, but it doesn't solve the problem of data and code isolation. – Andrew Smith Sep 21 '12 at 21:06
  • And I try to avoid ModSecurity, because it's too slow for the job, so I want to have it secure even with the remote shell, so with either multi-user mechanism, server wide security policy for data and code and logging of these, so I can produce rules the easy way. – Andrew Smith Sep 21 '12 at 21:14
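
The file-upload points from the answer above (validate the file name, never overwrite an existing file, keep uploads outside /public), sketched in plain Ruby as an added example that is not part of the original answer and not code from attachment_fu or paperclip. The extension allowlist, the `UploadRejected` class and both function names are assumptions made for illustration; an allowlist is used here in place of the deny-list of extensions the answer mentions.

```ruby
require "fileutils"
require "securerandom"

# Assumption: allowlist picked for illustration only.
ALLOWED_EXTENSIONS = %w[.png .jpg .jpeg .gif .pdf].freeze

class UploadRejected < StandardError; end

# Reduce a client-supplied name to a safe basename with an allowed extension.
def sanitize_filename(name)
  # Drop any directory part, whether sent with Unix or Windows separators.
  base = name.to_s.scrub("_").tr("\\", "/").split("/").last.to_s
  # Keep only ASCII word characters, dot and dash; strip leading dots.
  base = base.gsub(/[^\w.\-]/, "_").sub(/\A\.+/, "")
  ext = File.extname(base).downcase
  unless ALLOWED_EXTENSIONS.include?(ext)
    raise UploadRejected, "extension #{ext.inspect} not allowed"
  end
  # Collapse inner dots so "shell.php.png" cannot carry a second extension.
  stem = File.basename(base, File.extname(base)).tr(".", "_")
  "#{stem}#{ext}"
end

# Write the upload under upload_root, which must not be inside public_root.
def store_upload(upload_root, public_root, client_name, data)
  root = File.expand_path(upload_root)
  pub  = File.expand_path(public_root)
  if root == pub || root.start_with?(pub + File::SEPARATOR)
    raise UploadRejected, "upload root is inside the public directory"
  end
  name = sanitize_filename(client_name)
  FileUtils.mkdir_p(root, mode: 0o750)
  # A random prefix avoids collisions between users picking the same name.
  path = File.join(root, "#{SecureRandom.hex(8)}_#{name}")
  # EXCL makes the create fail instead of overwriting an existing file;
  # mode 0640 stores the file without any execute bit.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o640) do |f|
    f.binmode
    f.write(data)
  end
  path
end
```

The Content-Type point from the list is not covered here; it belongs in the controller or web server that serves the stored file back.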