On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert
<ejs@shubes.net> wrote:
On 05/31/2013 05:41 PM, Lisa Kachold wrote:
Nginx has some pretty serious security issues, so be sure that you
implement it with all the patches and complete recommendations:
http://nginx.org/en/security_advisories.htmlÂ
The current version in CentOS4 is not susceptible to any of these vulnerabilities. Good to check though.
Yes, Shubes! Don't even blink! Every day another exploit is announced! excerpts:
Anonymous hackers behind the Cdorked malware that targets Apache servers now have extended their exploit to infect open-source Nginx and Lighttpd server software.
Nginx Tuesday announced the release of nginx-1.4.1 -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on a Ngnix server and completely compromise it. In a security advisory issued Tuesday, Nginx said the bug is present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said.
Yes, installing from repo (with Redhat/CentOs/Fedora and uBuntu) means that if a vulnerability exists with a patch available, the Nginx installed is going to include that security fix.
CentOs/Redhat (and Ubuntu) are so fast with fixing vulnerabilities ( and the Nginx security issues are all the standard browser stack vulns (stack smash, XSS, remote code execution, escalated privs). Of course there are also a few implementation security issues - that seem like nice hacks on the front side until - well, your site is defaced:
http://www.theadminzone.com/forums/showthread.php?t=99536
It's really rather outrageous that Apache has dominated this space for so long, when slimmed down httpd servers and reverse proxies do the job so much better, especially in 3/4 tiered environments with J2EE, is it not?
Nginx:
I personally still favor the custom compiled Apache2 with vastly scaled down binary size (dynamic module stripping) and custom server signature [replacing "Apache2 $version" with "$customstring $version" which IS allowed under the Apache2 license] (to reduce fingerprinting - and therefore also limit script kiddies - if we can't mitigate everything let's obfuscate!.