  1. #1

    prevent shell scripts from running..

    Hi,

    How can I prevent shell scripts and malicious files from exploiting the server if I can't detect them?

    Would these modifications to the php.ini file be enough to prevent shell scripts from running:

    disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

    allow_url_fopen=Off
    allow_url_include=Off

    Is there anything else that can be done?

  2. #2
    Join Date
    May 2004
    Posts
    1,667
    ini_set seems to be missing. Disabling curl is a bit of a strange step in most circumstances, as is disabling parse_ini_file (you probably meant ini_set here).

  3. #3
    Join Date
    Mar 2009
    Location
    Gods Own Country
    Posts
    681
    parse_ini_file is not a dangerous function. It is required if a web application's ini files (not php.ini) need to be parsed. This function has nothing to do with the php.ini file and doesn't pose any security threat.
    Fabin Mundattil @ Xieles Support
    High Quality Server Management | support @ xieles.com
    https://xieles.com

  4. #4
    Join Date
    Jun 2009
    Location
    /
    Posts
    370
    ConfigServer eXploit Scanner can help in this regard. http://configserver.com/cp/cxs.html
    BD Web Services Since 2009
    cPanel and Plesk | CloudLinux | Node.JS | SSD Server | Daily Remote Backup | North America and Europe | Money Back Guarantee
    USA | Canada | Germany

  5. #5
    Join Date
    Jul 2013
    Posts
    296
    Securing PHP is good but not enough; you should take a range of security actions on your server to secure it against shells and viruses.

  6. #6
    Quote Originally Posted by Genius Guard:
    Securing PHP is good but not enough; you should take a range of security actions on your server to secure it against shells and viruses.
    Like what? Could you please give more details?

    Thanks..

  7. #7
    Join Date
    Jul 2013
    Posts
    296
    enable_dl = off in PHP
    disabled functions: show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, dl, symlink, proc_nice, openlog, posix_getpwuid, proc_close, link
    install CSF
    install CXS
    install AV (based on your OS)
    disable symlinks in Apache (-FollowSymlink)
    run PHP using suPHP or Suhosin
    install mod_security (it can help you more)

  8. #8
    Quote Originally Posted by Genius Guard:
    enable_dl = off in PHP
    disabled functions: show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, dl, symlink, proc_nice, openlog, posix_getpwuid, proc_close, link
    install CSF
    install CXS
    install AV (based on your OS)
    disable symlinks in Apache (-FollowSymlink)
    run PHP using suPHP or Suhosin
    install mod_security (it can help you more)
    Thanks a million.

    But about cxs: I have a dedicated server with OpenVZ virtualization containing 12 VPS servers. All the files of all the VPS servers are in this directory on the main server: /vz

    Can I buy cxs for the dedicated server so that it scans the VPS servers' files, or does it depend on the configuration files of Apache, PHP, etc., so that it has to be installed on each server separately?

    in other words, is it a file-based scanner or also a server configuration scanner?

    Thanks..

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    If you want to prevent shell scripts from running, then you need to disable:

    1. SSH
    2. Cron
    3. PHP
    4. Perl
    5. Python

    The reality is, there are many ways to run "scripts" and exploits against your server. The best offence is a good defense, in the sense that you keep everything up to date. You want to minimize all risks, but all of the advice thrown in this thread isn't going to do much... it might stop the 12 year old script kiddie, but not someone who is determined with a little bit of know-how.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  10. #10
    Join Date
    Jul 2013
    Posts
    296
    I think you can't install it on a VPS node. Check:

    Product requirements:

    cPanel/WHM
    Redhat/CentOS/CloudLinux Linux v5/6
    Apache v2+
    ClamAV daemon process, for virus scanning
    ModSecurity v2+, to enable upload script scanning (not supported for litespeed, nginx, etc. - only Apache v2+)
    Pure-ftpd, compiled with --with-uploadscript for ftp upload scanning
    csf, if you want pure-ftpd IP address blocking

  11. #11
    Quote Originally Posted by Patrick:
    but all of the advice thrown in this thread isn't going to do much... it might stop the 12 year old script kiddie, but not someone who is determined with a little bit of know-how.
    If this is true then the web hosting business should be obsolete by now! If you have a server with 100+ sites running all kinds of scripts and programs, it would be impossible to maintain its security, no?

  12. #12
    Join Date
    Jul 2013
    Posts
    296
    Quote Originally Posted by Patrick:
    If you want to prevent shell scripts from running, then you need to disable:

    1. SSH
    2. Cron
    3. PHP
    4. Perl
    5. Python

    The reality is, there are many ways to run "scripts" and exploits against your server. The best offence is a good defense, in the sense that you keep everything up to date. You want to minimize all risks, but all of the advice thrown in this thread isn't going to do much... it might stop the 12 year old script kiddie, but not someone who is determined with a little bit of know-how.

    It is good to disable something, but he may need PHP, SSH, Cron or Perl. Without these features the server is actually nothing. However, CXS has a new feature that can detect old versions of most scripts and notify you. If he can install it per VPS, it may help him more.

  13. #13
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by ballighohosting:
    If this is true then the web hosting business should be obsolete by now! If you have a server with 100+ sites running all kinds of scripts and programs, it would be impossible to maintain its security, no?
    Not really.

    Exploits don't work without a security vulnerability. Running something like CloudLinux will certainly protect you from a lot of zero day exploits in user land since it removes the ability of setuid/setgid to escalate to root... but the best advice I can give anyone is to just make sure you stay on top of security updates.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  14. #14
    OK, here's the situation:

    Each server has the following security measures:

    1- installed csf
    2- installed a script to detect failed Plesk logins and block them using csf
    3- changed the SSH and FTP ports
    4- turned off the Plesk and SSH services
    5- made the following modifications to php.ini to prevent shell scripts from running:

    disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

    allow_url_fopen=Off
    allow_url_include=Off

    6- I also disabled PHP uploads and set max file uploads and max upload size to 0 so they would never be able to upload any files.

    Would this be enough?

    Thanks..

  15. #15
    Quote Originally Posted by Lev:
    ini_set seems to be missing. Disabling curl is a bit of a strange step in most circumstances, as is disabling parse_ini_file (you probably meant ini_set here).
    How can I set this ini_set? What should I write in php.ini?

  16. #16
    Join Date
    Jul 2013
    Posts
    296
    Put ini_set in the disabled functions list.
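An added example, not code from the thread or any poster: a POSIX shell audit that reads a php.ini and reports which of the settings suggested in posts #1, #2, #7 and #16 it still lacks, so the disable_functions list and the allow_url_* and enable_dl directives can be checked on every server rather than by eye. The sample php.ini it writes is constructed to match the original poster's values; the names in WANT_DISABLED are the thread's own list, not a complete inventory of risky functions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a php.ini against the
# settings discussed in posts #1, #2, #7 and #16. The sample php.ini written
# below is constructed for this example and reproduces the original poster's
# values, so the audit shows which of the thread's suggestions it still lacks.

# Functions the thread proposes for disable_functions: post #7's list plus
# ini_set from post #2. allow_url_fopen from post #7 is an ini directive,
# not a function, so it is checked as a setting further down.
WANT_DISABLED="show_source system shell_exec passthru exec popen proc_open \
dl symlink proc_nice openlog posix_getpwuid proc_close link ini_set"

# Constructed sample reproducing the original poster's php.ini changes,
# plus enable_dl left at On (post #7 wants it off).
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server's php.ini
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen=Off
allow_url_include=Off
enable_dl = On
EOF

# ini_value FILE KEY: value of the last uncommented "KEY = value" line,
# with surrounding whitespace removed; prints nothing if KEY is absent.
ini_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# missing_disabled_functions FILE: one line per function in WANT_DISABLED
# that does not appear in disable_functions.
missing_disabled_functions() {
    disabled=$(ini_value "$1" disable_functions | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for fn in $WANT_DISABLED; do
        echo "$disabled" | grep -qx "$fn" || echo "$fn"
    done
}

# setting_is_off FILE KEY: succeed when KEY is Off or 0 (case-insensitive),
# the values PHP treats as boolean false in php.ini.
setting_is_off() {
    case "$(ini_value "$1" "$2" | tr '[:upper:]' '[:lower:]')" in
        off|0) return 0 ;;
        *) return 1 ;;
    esac
}

# audit FILE: print the gaps; return 1 if there are any.
audit() {
    rc=0
    missing=$(missing_disabled_functions "$1")
    if [ -n "$missing" ]; then
        echo "not in disable_functions: $(echo "$missing" | tr '\n' ' ')"
        rc=1
    fi
    for key in allow_url_fopen allow_url_include enable_dl; do
        setting_is_off "$1" "$key" || { echo "$key is not Off"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "php.ini matches the thread's checklist"
    return "$rc"
}

audit "$SAMPLE_INI" || echo "gaps found (see above)"
```

On a real host, call audit with the path of the loaded php.ini (php --ini prints it); the sample run reports the missing functions and that enable_dl is still on.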

  17. #17
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    All of these php.ini settings being thrown around in this thread can be evaded.
    If the attacker can upload something (this includes compromising a wordpress admin login, using the theme editor to write to a file) they can use things that are NOT PHP to run shell commands.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by Genius Guard:
    run PHP using suPHP or Suhosin
    Mr. Leader in Hosting Security
    Please explain the reasoning behind running either suPHP or Suhosin? They have completely different functions.
    Not sure how you can rationalize grouping them in the same category.

    Bear in mind, suPHP is no longer developed and Suhosin is not really developed either; there is no official release for PHP 5.4 either.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  19. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Also,
    Stopping these PHP functions will not really do anything because someone can overwrite them unless you configure PHP not to allow it (it's in EasyApache).

    Doesn't cover any cPanel plugin related exploits (yes there has been LOTS of exploits in cPanel plugins).

    I can think of a dozen ways to evade the recommendations in this thread. We spend every day finding ways to break servers.

    From reading your previous threads, OP, you need a hell of a lot more than just doing some server tweaks. Your accounts sound FILLED with malware. Neither maldet nor cxs will detect it all and you will manually have to find some.
    Last edited by Steven; 11-17-2013 at 12:43 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  20. #20
    Securing your server is much more than just securing PHP, as others have already said. Yes, getting PHP secured is a very good start, but there's much more. A few things off the top of my head, assuming this is a Linux OS:

    1. As well as PHP itself, think about the applications you run. You are much more likely to get compromised by running poorly coded PHP applications or by not updating applications you have installed.
    2. In your SSH config file /etc/ssh/sshd_config, disable logging in by root (PermitRootLogin no), and only specify 1 or 2 users allowed to login with AllowUsers config directive.
    3. Make sure your firewall is running. Run iptables -L, which should output a bunch of rules. Securing your server with iptables is beyond the scope of this post.
    4. Mount the /tmp directory on your server with the noexec,nosuid options. That will stop a lot of malware dead in its tracks.
    5. Stop any unneeded services that might be running.
    Last edited by manchestervps; 11-17-2013 at 01:06 PM. Reason: small typo

    Manchester VPS ║ UK KVM Virtualisation
    Run your own kernel ║ manchestervps.co.uk
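An added example, not code from the post above, for items 2 and 4 of its list: shell functions that check the /tmp mount options in a /proc/mounts-format listing and the PermitRootLogin and AllowUsers directives in an sshd_config. The sample files are constructed so the script runs offline; on a live host pass /proc/mounts and /etc/ssh/sshd_config instead. The firewall check (iptables -L) needs root and a live kernel and is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the post: check two items of post #20's list,
# the /tmp mount options (item 4) and the sshd_config directives (item 2),
# from files in /proc/mounts and sshd_config format. The inputs below are
# constructed so the script runs offline; on a live host pass /proc/mounts
# and /etc/ssh/sshd_config instead.

SAMPLE_MOUNTS=$(mktemp)
SAMPLE_SSHD=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS" "$SAMPLE_SSHD"' EXIT

# Constructed /proc/mounts-style listing: /tmp has noexec but not nosuid.
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
EOF

# Constructed sshd_config fragment; the commented-out line must be ignored.
cat > "$SAMPLE_SSHD" <<'EOF'
Port 2222
#PermitRootLogin yes
PermitRootLogin no
AllowUsers deploy admin
EOF

# mount_has_option MOUNTS_FILE MOUNTPOINT OPTION: succeed when MOUNTPOINT is
# listed with OPTION among its comma-separated mount options (4th field).
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# tmp_gaps MOUNTS_FILE: one line per option from the post missing on /tmp.
tmp_gaps() {
    for opt in noexec nosuid; do
        mount_has_option "$1" /tmp "$opt" || echo "/tmp is mounted without $opt"
    done
}

# sshd_effective SSHD_CONFIG KEY: value of the first uncommented KEY line.
# sshd uses the first occurrence of a keyword, so later duplicates are
# ignored; keywords are case-insensitive.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# sshd_gaps SSHD_CONFIG: report the two directives the post asks for.
sshd_gaps() {
    root=$(sshd_effective "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    [ "$root" = "no" ] || echo "PermitRootLogin is '${root:-unset}', not 'no'"
    users=$(sshd_effective "$1" AllowUsers)
    if [ -z "$users" ]; then
        echo "AllowUsers is not set"
    else
        set -- $users
        [ "$#" -le 2 ] || echo "AllowUsers lists $# users; the post suggests 1 or 2"
    fi
}

echo "== /tmp =="; tmp_gaps "$SAMPLE_MOUNTS"
echo "== sshd =="; sshd_gaps "$SAMPLE_SSHD"
```

The sample run reports that /tmp is mounted without nosuid and that the sshd settings pass. sshd_effective stops at the first uncommented match because sshd itself takes the first value it sees for a keyword, so a later "PermitRootLogin no" below an earlier "yes" would not take effect.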

  21. #21
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by eddiec:
    4. Mount the /tmp directory on your server with the noexec,nosuid options. That will stop a lot of malware dead in its tracks.
    Only if it is a binary; it does not stop Perl (or other non-binary language) based malware. Perl attacks are incredibly common, especially with things like UDP flooders etc.

    Code:
    attack@attacker.com [~]# /tmp/hax.pl
    bash: /tmp/hax.pl: Permission denied
    attack@attacker.com [~]# perl /tmp/hax.pl
    is hax?
    attack@attacker.com [~]#
    Last edited by Steven; 11-17-2013 at 01:20 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  22. #22
    Quote Originally Posted by Steven:
    Only if it is a binary; it does not stop Perl (or other non-binary language) based malware.
    Absolutely correct, it won't stop all attacks; I only said "a lot".

    I've lost count of the number of times I've logged into an infected client's machine to find malware dropped into /tmp with all kinds of binary executables and other crap. Simply not allowing stuff in there to execute would have stopped the malware from doing its dirty work. And before anyone says "but there might be legitimate stuff that needs to be able to run executables in /tmp", I have this setting on all of my servers and have never encountered a single issue. If you do find something that needs to run stuff in /tmp, it should not be doing that!! Bad, bad software. Change it for something else, because if it does that there are probably other things wrong with it.

    Manchester VPS ║ UK KVM Virtualisation
    Run your own kernel ║ manchestervps.co.uk

  23. #23
    Join Date
    Dec 2011
    Location
    Montreal
    Posts
    431
    Quote Originally Posted by Steven:
    From reading your previous threads, OP, you need a hell of a lot more than just doing some server tweaks. Your accounts sound FILLED with malware. Neither maldet nor cxs will detect it all and you will manually have to find some.
    I still believe (not related to this place) that between hackers and anti-hackers (audit, security etc. companies) there is a really good relationship. If there is no hack there is no work for those companies, no?

    The most important thing to secure your server is to control what is uploaded to your server; if you control this then you are OK. I spent 6 years in free web hosting (which is a paradise for hackers) and believe me, I have seen everything, but I never was hacked (I had accounts hacked because of user stupidity, but never a server; the damage was done only to the user).

    I don't really trust any security company to set up security on my servers.


    Regards
    George B. | ROWEBCA
    Web Hosting Services & Server Management
    Skype : rowebca

  24. #24
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by Rowebca:
    The most important thing to secure your server is to control what is uploaded to your server; if you control this then you are OK. I spent 6 years in free web hosting (which is a paradise for hackers) and believe me, I have seen everything, but I never was hacked (I had accounts hacked because of user stupidity, but never a server; the damage was done only to the user).
    Keeping your software up to date is more important than controlling what can be uploaded.

    If there are no security vulnerabilities present, then the 'attackers' can upload everything in their arsenal and it's not going to do any good.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  25. #25
    Join Date
    Dec 2011
    Location
    Montreal
    Posts
    431
    Quote Originally Posted by Patrick:
    Keeping your software up to date is more important than controlling what can be uploaded.

    If there are no security vulnerabilities present, then the 'attackers' can upload everything in their arsenal and it's not going to do any good.
    You are right, but I was thinking that updating software is a normal thing for a sysadmin; I didn't think that a sysadmin would not be doing his default job.

    Almost every website is using WordPress, Joomla, etc. It is like using the Windows firewall:
    http://turbo.paulstamatiou.com/uploa...ll_review1.jpg


    Regards
    George B. | ROWEBCA
    Web Hosting Services & Server Management
    Skype : rowebca
