The ULTIMATE Shell Security Tutorial !

  #1  
Old 10-18-2011, 11:47 AM
DotAL DotAL is offline
Junior Guru
 
Join Date: Nov 2010
Location: /
Posts: 224

The ULTIMATE Shell Security Tutorial !


Hi, firstly I would like to say that in a clean fresh install of cPanel every dedicated server is at high risk from shells, which can gain access over your clients' database and other stuff.
But I have the solution and it really works, TESTED.
----------------------------------------------------------------
I will explain this in 4 Simple STEPS.

STEP 1 - APACHE

You need to rebuild Apache, and in one of the Apache steps you need to choose "File Security"; this addon will chmod the directories, as we will see in the configuration of the other steps.

Then after doing this go to Apache Config in cPanel and uncheck these two:

  • ExecCGI
  • FollowSymLinks


STEP 2 - CHMOD'ING

Now enter your VPS through FileZilla, or whatever software you feel comfortable with, to chmod some files.

CHMOD THESE FILES AS EXPLAINED BELOW.

  1. # chmod 0700 /bin/ln
  2. # chmod 0700 /bin/cat
  3. # chmod 0700 /bin/pwd
  4. # chmod 0700 /bin/kill
  5. # chmod 0644 /bin/umount
  6. # chmod 0700 /bin/doexec
  7. # chmod 0700 /bin/link
  8. # chmod 0700 /bin/chmod
  9. # chmod 0700 /bin/netstat
  10. # chmod 0500 /bin/ps
  11. # chmod 0700 /bin/df
  12. # chmod 0700 /usr/bin/lynx
  13. # chmod 0700 /usr/bin/gcc
  14. # chmod 0700 /usr/bin/nc
  15. # chmod 0700 /usr/bin/wget
  16. # chmod 0700 /usr/bin/scp
  17. # chmod 0700 /usr/bin/cvs
  18. # chmod 0700 /usr/bin/telnet
  19. # chmod 0700 /usr/bin/symlinks
  20. # chmod 0700 /usr/bin/tail
  21. # chmod 0700 /usr/bin/tailf
  22. # chmod 0700 /usr/bin/du



STEP 3 - PHP.INI

Now it's time to add some security to the PHP.INI.

Go to the folder where the php.ini is located and open it with a notepad (++, my favorite).

And do the following:

1. safe_mode_gid = On
2. safe_mode_exec_dir = "/nonexec"
3. Code:
open_basedir = "/home/:/home3/:/usr/lib/php:/usr/local/lib/:/tmp:/usr/local/Zend/etc/"
(Now, depending on where your home directory is, change it as you need.)
4. Code:
disable_functions = "disk_total_space, diskfreespace, apache_note, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, escapeshellarg, escapeshellcmd, ini_restore, openlog, passthru, pclose, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, url_exec, base64_encodem, phpinfo, readlink, eval, root, symlink"

STEP 4 - httpd.conf

Now we need to go to httpd.conf (the file is located in the Apache folder).

Edit it, find "AllowOverride" and replace it with "AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,Indexes,MultiViews".

And if you want to increase your security more, just chmod the home directory to 751 or 711.

----------------------------------------------------------------

Comments, reviews, ideas are appreciated.

Thank you.

I hope this will help you as it did with me.

Reply With Quote


  #2  
Old 10-18-2011, 11:51 AM
Steven Steven is online now
I like ice cream
 
Join Date: Mar 2003
Location: California USA
Posts: 11,554
Don't forget to mention that you will need to replace FollowSymLinks in .htaccess with SymLinksIfOwnerMatch or you will have broken sites / internal server errors.

We patch Apache at the source level to prevent the symlink 'workaround' from allowing users to read other users' files.

Reply With Quote
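
Added example (not part of the original thread or any poster's code): a POSIX shell script for the .htaccess change described in post #2. It lists the .htaccess files that still enable FollowSymLinks and rewrites them to SymLinksIfOwnerMatch. The function names and the `audit.sh` file name are hypothetical, and `-FollowSymLinks` entries are deliberately left untouched.

```shell
#!/bin/sh
# Added example: find and rewrite "Options FollowSymLinks" in .htaccess files.

# Rewrite .htaccess text from stdin to stdout. Only uncommented Options
# lines are touched; "-FollowSymLinks" is left alone because it disables
# the option rather than enabling it.
rewrite_stream() {
    awk '
    tolower($1) == "options" {
        match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
        changed = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)   # Apache matches option names case-insensitively
            if (t == "followsymlinks")       { $i = "SymLinksIfOwnerMatch";  changed = 1 }
            else if (t == "+followsymlinks") { $i = "+SymLinksIfOwnerMatch"; changed = 1 }
        }
        # Assigning a field rebuilds the line without its indent; restore it.
        if (changed) $0 = indent $0
    }
    { print }'
}

# Exit 0 when rewriting FILE would change it.
needs_fix() {
    ! rewrite_stream < "$1" | cmp -s - "$1"
}

# Print every .htaccess under DIR that still enables FollowSymLinks.
list_followsymlinks() {
    find "$1" -type f -name .htaccess | while IFS= read -r f; do
        if needs_fix "$f"; then printf '%s\n' "$f"; fi
    done
}

# Rewrite FILE in place, keeping the original as FILE.bak.
fix_followsymlinks() {
    needs_fix "$1" || return 0
    cp -p "$1" "$1.bak" && rewrite_stream < "$1.bak" > "$1"
}

# Stand-alone use: sh audit.sh /home   (report only; nothing is modified)
if [ "$#" -gt 0 ]; then list_followsymlinks "$1"; fi
```

Run the report first and review the list before calling `fix_followsymlinks` on any file.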
  #3  
Old 10-20-2011, 06:45 AM
iLoveHosting-UK iLoveHosting-UK is offline
Web Hosting Master
 
Join Date: May 2010
Posts: 643
A lot of hosts should do this, as a handful, I'm not going to say, have no security. I would also recommend mod_security with a decent ruleset. Hey presto

- Ashton

Reply With Quote
  #4  
Old 10-20-2011, 06:52 AM
Harzem Harzem is offline
Community Liaison
 
Join Date: Feb 2006
Location: Istanbul, Turkey
Posts: 3,090
You realize that safe_mode is deprecated and will be removed from the next PHP release? And it's a dirty workaround, not a good security feature.

Reply With Quote
  #5  
Old 10-20-2011, 03:26 PM
DotAL DotAL is offline
Junior Guru
 
Join Date: Nov 2010
Location: /
Posts: 224
Quote:
Originally Posted by Harzem View Post
You realize that safe_mode is deprecated and will be removed from the next PHP release? And it's a dirty workaround, not a good security feature.
Hi,

Yes, but in the next release of PHP6; for now this is a temporary solution for new hosting companies for not getting hacked.


Reply With Quote
  #6  
Old 10-22-2011, 02:37 AM
bloodyman bloodyman is offline
Web Hosting Guru
 
Join Date: Oct 2004
Posts: 280
Quote:
Originally Posted by sady92 View Post
chmod 0700 /bin/ln
chmod 0700 /bin/cat
chmod 0700 /bin/pwd
chmod 0700 /bin/kill
chmod 0644 /bin/umount
chmod 0700 /bin/doexec
chmod 0700 /bin/link
chmod 0700 /bin/chmod
chmod 0700 /bin/netstat
chmod 0500 /bin/ps
chmod 0700 /bin/df
chmod 0700 /usr/bin/lynx
chmod 0700 /usr/bin/gcc
chmod 0700 /usr/bin/nc
chmod 0700 /usr/bin/wget
chmod 0700 /usr/bin/scp
chmod 0700 /usr/bin/cvs
chmod 0700 /usr/bin/telnet
chmod 0700 /usr/bin/symlinks
chmod 0700 /usr/bin/tail
chmod 0700 /usr/bin/tailf
chmod 0700 /usr/bin/du
What about this chmod in cPanel server? If I will chmod 700 for example /bin/ln, would it break anything on cPanel/WHM?

Reply With Quote
  #7  
Old 10-22-2011, 04:18 AM
DotAL DotAL is offline
Junior Guru
 
Join Date: Nov 2010
Location: /
Posts: 224
Quote:
Originally Posted by bloodyman View Post
What about this chmod in cPanel server? If I will chmod 700 for example /bin/ln, would it break anything on cPanel/WHM?
As I know (I used this method) this did not break anything in cPanel.

ln method is a high risk command and it's used by the shell to get the map of your root.

Anyway, I have used this and it helped me a lot.

You are free to decide to use it or not

Reply With Quote
  #8  
Old 10-24-2011, 04:47 PM
monitor2000com monitor2000com is offline
Junior Guru
 
Join Date: Oct 2009
Posts: 218
Hello,

We got a problem with several sites which are using CMS sites and especially .js files, they are unable to write, please assist me.


Last edited by monitor2000com; 10-24-2011 at 04:54 PM.
Reply With Quote
  #9  
Old 10-24-2011, 04:50 PM
quantumphysics quantumphysics is online now
MACBOOKS EVERYWHEREEEEEEEEEEEE
 
Join Date: Mar 2009
Posts: 3,804
If you follow this, you don't deserve to own a server. Don't follow this.

Quote:
ln method is a high risk command and it's used by the shell to get the map of your root
hahahaha

Really though, pointless, deprecated, won't accomplish anything but piss off legitimate users and does absolutely NOTHING to prevent unauthorised access.

Reply With Quote
  #10  
Old 10-24-2011, 07:31 PM
Harzem Harzem is offline
Community Liaison
 
Join Date: Feb 2006
Location: Istanbul, Turkey
Posts: 3,090
He's recommending safe_mode, what did you expect?

Reply With Quote
  #11  
Old 10-24-2011, 07:41 PM
larwilliams larwilliams is offline
Premium Member
 
Join Date: Jan 2008
Location: St. John's, NL
Posts: 2,026
Anyone who recommends safe_mode nowadays is a moron. It offers no protection against real threats, and merely limits and annoys legit users. The better solution is to use something like SuPHP and SuEXEC. You lose some performance, but gain a fair bit in overall security (much more than safe_mode)

Reply With Quote
  #12  
Old 10-28-2011, 12:34 PM
Steven Steven is online now
I like ice cream
 
Join Date: Mar 2003
Location: California USA
Posts: 11,554
Quote:
Originally Posted by sady92 View Post
As I know (I used this method) this did not break anything in cPanel.

ln method is a high risk command and it's used by the shell to get the map of your root.

Anyway, I have used this and it helped me a lot.

You are free to decide to use it or not
People RARELY use the actual binary. They use the symlink function in either perl or php which is not affected by the binary.

Reply With Quote
  #13  
Old 11-01-2011, 05:13 PM
Sarushan Sarushan is offline
New Member
 
Join Date: Sep 2011
Posts: 2
Nice, that chmod part is what I have been looking for lately. Thanks man

Reply With Quote
  #14  
Old 11-01-2011, 05:26 PM
quantumphysics quantumphysics is online now
MACBOOKS EVERYWHEREEEEEEEEEEEE
 
Join Date: Mar 2009
Posts: 3,804
Quote:
Originally Posted by Sarushan View Post
Nice, that chmod part is what I have been looking for lately. Thanks man
have you read the rest of the thread..

Reply With Quote
  #15  
Old 11-03-2011, 09:33 AM
linux-tech linux-tech is offline
<?require_once("life")?>
 
Join Date: Sep 2002
Location: inside your network
Posts: 9,548
Quote:
Originally Posted by Harzem View Post
He's recommending safe_mode, what did you expect?
Quote:
Originally Posted by larwilliams View Post
Anyone who recommends safe_mode nowadays is a moron. It offers no protection against real threats, and merely limits and annoys legit users. The better solution is to use something like SuPHP and SuEXEC. You lose some performance, but gain a fair bit in overall security (much more than safe_mode)
I have to agree with both of these
#1: safe_mode does nothing, and I do mean nothing for security nowadays.
#2: Limiting functionality does nothing but piss off legitimate users.
#3: Chmodding binaries (get, etc) doesn't keep the server MORE secure, it just keeps them from getting accessed by users who actually WANT to use them for legitimate reasons.
#4: There is no CSF/APF option here, and believe me without one of these two, you're just a sitting duck. Not saying you HAVE to have one of these, but if you don't, well, you better be smart enough to not follow the advice in this thread and create your own alternative.
#5: No mod_security. You need to have modsec and a valid ruleset to prevent injection, and god knows whatever else.
#6: No suhosin:
Suhosin isn't perfect, but it, along with suphp/phpsuexec WILL help prevent against things. You just need to make sure the rules are tweaked, and you're not using the default ruleset.

Yet another classic example of why you need to take everything you read on the internet with a grain of salt. The OP is NOT an 'ultimate shell security tutorial', it's a joke and a half.

Reply With Quote