Web Hosting Talk

The ULTIMATE Shell Security Tutorial !


DotAL
10-18-2011, 11:47 AM
Hi, firstly I would like to say that in a clean, fresh install of cPanel every dedicated server is at high risk from shells, which can gain access to your clients' databases and other stuff.
But I have the solution and it really works, TESTED.
----------------------------------------------------------------
I will explain this in 4 Simple STEPS.

STEP 1 - APACHE

You need to rebuild Apache, and in one of the Apache steps you need to choose the "File Security" addon; this addon will chmod the directories, as we will see in the configuration of the other steps.

Then after doing this go to Apache Config in cPanel and uncheck these two:


ExecCGI
FollowSymLinks


STEP 2 - CHMOD'ING

Now enter your VPS through FileZilla, or whatever software you feel comfortable with, to chmod some files.

CHMOD THESE FILES AS EXPLAINED BELOW.


# chmod 0700 /bin/ln
# chmod 0700 /bin/cat
# chmod 0700 /bin/pwd
# chmod 0700 /bin/kill
# chmod 0644 /bin/umount
# chmod 0700 /bin/doexec
# chmod 0700 /bin/link
# chmod 0700 /bin/chmod
# chmod 0700 /bin/netstat
# chmod 0500 /bin/ps
# chmod 0700 /bin/df
# chmod 0700 /usr/bin/lynx
# chmod 0700 /usr/bin/gcc
# chmod 0700 /usr/bin/nc
# chmod 0700 /usr/bin/wget
# chmod 0700 /usr/bin/scp
# chmod 0700 /usr/bin/cvs
# chmod 0700 /usr/bin/telnet
# chmod 0700 /usr/bin/symlinks
# chmod 0700 /usr/bin/tail
# chmod 0700 /usr/bin/tailf
# chmod 0700 /usr/bin/du



STEP 3 - PHP.INI
Now it's time to add some security to the php.ini.

Go to the folder where the php.ini is located and open it with Notepad (++, my favourite :) ).

And do the following:

1. safe_mode_gid = On
2. safe_mode_exec_dir = "/nonexec"
3. open_basedir = "/home/:/home3/:/usr/lib/php:/usr/local/lib/:/tmp:/usr/local/Zend/etc/" (This depends on where your home directory is; change it as you need.)
4. disable_functions = "disk_total_space, diskfreespace, apache_note, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, escapeshellarg, escapeshellcmd, ini_restore, openlog, passthru, pclose, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, url_exec, base64_encodem, phpinfo, readlink, eval, root, symlink"

STEP 4 - httpd.conf

Now we need to go to httpd.conf (the file is located in the Apache folder).

And edit it, and find "AllowOverride" and Replace it with "AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,Indexes,MultiViews"

And if you want to increase your security more, just chmod the home directory to 751 or 711.

----------------------------------------------------------------

Comments, reviews and ideas are appreciated.

Thank you.

I hope this will help you as it did me :)

Steven
10-18-2011, 11:51 AM
Don't forget to mention that you will need to replace FollowSymLinks in .htaccess to SymLinksIfOwnerMatch or you will have broken sites / internal server errors.

We patch apache at the source level to prevent the symlink 'workaround' from allowing users to read other users files.

iLoveHosting-UK
10-20-2011, 06:45 AM
A lot of hosts should do this, as a handful (I'm not going to say which) have no security. I also would recommend mod_security with a decent ruleset. Hey presto :D

- Ashton

Harzem
10-20-2011, 06:52 AM
You realize that safe_mode is deprecated and will be removed from the next PHP release? And it's a dirty workaround, not a good security feature.

DotAL
10-20-2011, 03:26 PM
You realize that safe_mode is deprecated and will be removed from the next PHP release? And it's a dirty workaround, not a good security feature.

Hi,

Yes, but that is in the next release, PHP 6; for now this is a temporary solution for new hosting companies to avoid getting hacked.

:)

bloodyman
10-22-2011, 02:37 AM
chmod 0700 /bin/ln
chmod 0700 /bin/cat
chmod 0700 /bin/pwd
chmod 0700 /bin/kill
chmod 0644 /bin/umount
chmod 0700 /bin/doexec
chmod 0700 /bin/link
chmod 0700 /bin/chmod
chmod 0700 /bin/netstat
chmod 0500 /bin/ps
chmod 0700 /bin/df
chmod 0700 /usr/bin/lynx
chmod 0700 /usr/bin/gcc
chmod 0700 /usr/bin/nc
chmod 0700 /usr/bin/wget
chmod 0700 /usr/bin/scp
chmod 0700 /usr/bin/cvs
chmod 0700 /usr/bin/telnet
chmod 0700 /usr/bin/symlinks
chmod 0700 /usr/bin/tail
chmod 0700 /usr/bin/tailf
chmod 0700 /usr/bin/du


What about these chmods on a cPanel server? If I chmod 700, for example, /bin/ln, would it break anything on cPanel/WHM?

DotAL
10-22-2011, 04:18 AM
What about these chmods on a cPanel server? If I chmod 700, for example, /bin/ln, would it break anything on cPanel/WHM?

As far as I know (I used this method) this did not break anything in cPanel.

The ln method is a high-risk command and it's used by the shell to get the map of your root.

Anyway, I have used this and it helped me a lot.

You are free to decide to use it or not :)

monitor2000com
10-24-2011, 04:47 PM
Hello,

We have a problem with several sites which are using a CMS, especially with .js files: they are unable to write. Please assist me.

quantumphysics
10-24-2011, 04:50 PM
If you follow this, you don't deserve to own a server. Don't follow this.

ln method is a high risk command and its used by the shell to get the map of your root

hahahaha

Really though, pointless, deprecated, won't accomplish anything but piss off legitimate users and does absolutely NOTHING to prevent unauthorised access.

Harzem
10-24-2011, 07:31 PM
He's recommending safe_mode, what did you expect? :D

larwilliams
10-24-2011, 07:41 PM
Anyone who recommends safe_mode nowadays is a moron. It offers no protection against real threats, and merely limits and annoys legit users. The better solution is to use something like SuPHP and SuEXEC. You lose some performance, but gain a fair bit in overall security (much more than safe_mode).

Steven
10-28-2011, 12:34 PM
As far as I know (I used this method) this did not break anything in cPanel.

The ln method is a high-risk command and it's used by the shell to get the map of your root.

Anyway, I have used this and it helped me a lot.

You are free to decide to use it or not :)

People RARELY use the actual binary. They use the symlink function in either perl or php which is not affected by the binary.
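The symlink restriction Steven describes lives in Apache (SymLinksIfOwnerMatch), not in the /bin/ln binary, so a defender-side complement is to audit document roots for links Apache would refuse to follow. Added example, not code from any post in this thread; the directory layout it builds is constructed and the paths are hypothetical:

```python
import os
import tempfile

def suspicious_symlinks(docroot):
    """Walk docroot (without following links) and report every symlink that
    SymLinksIfOwnerMatch would refuse (link owner != target owner), plus two
    extra heuristics of our own: dangling links and links whose target
    resolves outside the document root."""
    docroot = os.path.realpath(docroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, docroot)
            link_uid = os.lstat(path).st_uid        # owner of the link itself
            try:
                target_uid = os.stat(path).st_uid   # owner of what it points to
            except OSError:
                hits.append((rel, "dangling"))
                continue
            if link_uid != target_uid:
                hits.append((rel, "owner mismatch"))
            elif not os.path.realpath(path).startswith(docroot + os.sep):
                hits.append((rel, "escapes docroot"))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample layout: a docroot with one harmless internal link,
    one link reaching outside the docroot, and one dangling link."""
    base = tempfile.mkdtemp(prefix="symlinkcheck_")
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, "img"))
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("not web content\n")
    os.symlink("index.html", os.path.join(docroot, "home.html"))            # fine
    os.symlink("../../outside.txt", os.path.join(docroot, "img", "leak"))  # escapes
    os.symlink("missing.php", os.path.join(docroot, "gone.php"))           # dangling
    return docroot

if __name__ == "__main__":
    for rel, why in suspicious_symlinks(build_demo_tree()):
        print(f"{why:15s} {rel}")
```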

Sarushan
11-01-2011, 05:13 PM
Nice, that chmod part is what I have been looking for lately. Thanks man :)

quantumphysics
11-01-2011, 05:26 PM
Nice, that chmod part is what I have been looking for lately. Thanks man :)
Have you read the rest of the thread..

linux-tech
11-03-2011, 09:33 AM
He's recommending safe_mode, what did you expect? :D

Anyone who recommends safe_mode nowadays is a moron. It offers no protection against real threats, and merely limits and annoys legit users. The better solution is to use something like SuPHP and SuEXEC. You lose some performance, but gain a fair bit in overall security (much more than safe_mode)

I have to agree with both of these:
#1: safe_mode does nothing, and I do mean nothing, for security nowadays.
#2: Limiting functionality does nothing but piss off legitimate users.
#3: Chmodding binaries (get, etc.) doesn't keep the server MORE secure, it just keeps them from getting accessed by users who actually WANT to use them for legitimate reasons.
#4: There is no CSF/APF option here, and believe me, without one of these two you're just a sitting duck. Not saying you HAVE to have one of these, but if you don't, well, you'd better be smart enough to not follow the advice in this thread and create your own alternative.
#5: No mod_security. You need to have modsec and a valid ruleset to prevent injection, and god knows whatever else.
#6: No suhosin:
Suhosin isn't perfect, but it, along with suphp/phpsuexec, WILL help protect against things. You just need to make sure the rules are tweaked, and you're not using the default ruleset.

Yet another classic example of why you need to take everything you read on the internet with a grain of salt. The OP is NOT an 'ultimate shell security tutorial', it's a joke and a half.

SafeSrv
11-28-2011, 08:26 PM
Safe mode can be bypassed anyway; generally it causes more problems than anything else. Suhosin, mod_security and CSF are all essentials in this day and age. The below is pretty effective at blocking the most important aspects of shells:

Disable these functions in php.ini:

disable_functions = dl , exec , passthru , pcntl_exec , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd,

Add this rule to Mod_Security:

SecRule REQUEST_URI "\.php\?act=(ls|chmod|cd|sql|chown|mkdir|chdir|mv|cp|ln|rm|touch|processes|tools)" "deny,log,status:406"

Go ahead and trial a php shell - they will not function.

PS. Another good way to delete shells as soon as they appear is to use mod_clamav for proftpd - works a treat!
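An added audit script (not code from any post in this thread) that parses the php.ini directives from Step 3 of the original post and from SafeSrv's list above, and reports where a configuration falls short of what the thread's own lists cover. The two php.ini fragments are constructed and abridged from those posts, and the baseline set of process-execution functions is an assumption drawn from them:

```python
# Process-execution functions a PHP web shell typically needs. Constructed
# baseline, drawn from the two disable_functions lists posted in this thread.
EXEC_BASELINE = {"dl", "exec", "passthru", "pcntl_exec", "popen",
                 "proc_open", "shell_exec", "system"}

def parse_php_ini(text):
    """Return {directive: value} for non-comment lines; outer quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def parse_function_list(value):
    """Normalise a disable_functions value. Both the quoted "a, b" form and
    the unquoted "a , b ," form seen in the thread are accepted."""
    return {f.strip().lower() for f in value.split(",") if f.strip()}

def audit(ini_text):
    """Return a list of findings for the php.ini hardening discussed above."""
    s = parse_php_ini(ini_text)
    disabled = parse_function_list(s.get("disable_functions", ""))
    findings = []
    missing = sorted(EXEC_BASELINE - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    # safe_mode / safe_mode_gid = On: deprecated and bypassable, so flag reliance on it.
    if any(k.startswith("safe_mode") and v.lower() in ("on", "1")
           for k, v in s.items()):
        findings.append("relies on safe_mode (deprecated, not a security boundary)")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

# Constructed php.ini fragments, abridged from the two posts in this thread.
OP_INI = """
safe_mode_gid = On
open_basedir = "/home/:/usr/lib/php:/tmp"
disable_functions = "passthru, pclose, pcntl_exec, popen, proc_open, shell_exec, system, eval"
"""
SAFESRV_INI = """
disable_functions = dl , exec , passthru , pcntl_exec , popen , proc_open , shell_exec , system ,
"""

if __name__ == "__main__":
    for name, ini in (("OP", OP_INI), ("SafeSrv", SAFESRV_INI)):
        print(name, audit(ini) or ["no findings"])
```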

Johnny D
12-01-2011, 10:44 AM
Fantastic tutorial, are you available for hire?

quantumphysics
12-01-2011, 12:06 PM
Fantastic tutorial, are you available for hire?

I can't tell if this is serious

larwilliams
12-02-2011, 03:32 AM
I can't tell if this is serious

I doubt it. Nobody is that foolish :)

DotAL
12-02-2011, 02:38 PM
Hi,

Look, I didn't do this to hear people's complaints; this tutorial saved my face when some "hackers" tried to hack the room.

Btw this is the full tutorial: http://feniksi.com/administrim-serverash/linux/shmangja-e-problemeve-te-sigurise-nga-symlinks/

It's on an Albanian website so just use Google Translate.

As I said, this is giving limited access to symlinks.

Again, if you think this is useless don't use it, I am not forcing you, but I am telling you this is really useful to stop shells. For me it worked.

Anyway I am glad I helped someone. If I helped :)

larwilliams
12-02-2011, 05:22 PM
Hi,

Look, I didn't do this to hear people's complaints; this tutorial saved my face when some "hackers" tried to hack the room.

Btw this is the full tutorial: http://feniksi.com/administrim-serverash/linux/shmangja-e-problemeve-te-sigurise-nga-symlinks/

It's on an Albanian website so just use Google Translate.

As I said, this is giving limited access to symlinks.

Again, if you think this is useless don't use it, I am not forcing you, but I am telling you this is really useful to stop shells. For me it worked.

Anyway I am glad I helped someone. If I helped :)

Nobody is complaining. We are all just pointing out that you are giving out incorrect information. You may have gotten lucky that it stopped one particular type of shell, but I can assure you there are many others that could easily bypass your recommendations.

As well, it only accounts for PHP. Perl and others can be used for shells as well.

The best start is to make sure any PHP or other script is running as the least privileged user possible: the web site's own user name. This can be achieved using SuEXEC and SuPHP.

John Oates
01-04-2012, 03:31 PM
Most of what is described above in the thread starter is incompatible with cPanel VPS servers, as it locks all functionality of cPanel; also, these are not all the security methods needed to secure the server from hackers.