11-15-2013, 09:41 PM #1 Junior Guru
prevent shell scripts from running..
Hi,
how can I prevent shell scripts and malicious files from exploiting the server if I couldn't detect them?
would these modifications to the php.ini file be enough to prevent shell scripts from running:
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen=Off
allow_url_include=Off
is there anything else that can be done?
-
11-16-2013, 02:29 AM #2 Web Hosting Master
ini_set seems to be missing. Disabling curl is a bit of a strange step in most circumstances, as is disabling parse_ini_file (you probably meant ini_set here).
-
11-16-2013, 03:53 AM #3 Web Hosting Master
parse_ini_file is not a dangerous function. It is a required function if a web application's ini files (not php.ini) need to be parsed. This function has nothing to do with the php.ini file and doesn't pose any security threats.
Fabin Mundattil @ Xieles Support | High Quality Server Management | support @ xieles.com | https://xieles.com
-
11-16-2013, 05:04 AM #4 Aspiring Evangelist
ConfigServer eXploit Scanner can help in this regard. http://configserver.com/cp/cxs.html
BD Web Services Since 2009
cPanel and Plesk | CloudLinux | Node.JS | SSD Server | Daily Remote Backup | North America and Europe | Money Back Guarantee
USA | Canada | Germany
-
11-16-2013, 05:11 PM #5 Web Hosting Guru
Securing PHP is good but not enough; you should take a range of security actions on your server to secure it against shells and viruses.
-
11-16-2013, 05:16 PM #6 Junior Guru
-
11-16-2013, 05:22 PM #7 Web Hosting Guru
enable_dl = off in php
disabled functions: show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, dl, symlink, proc_nice, openlog, posix_getpwuid, proc_close, link
install CSF
install CXS
install AV (based on your OS)
disable symlinks in Apache (-FollowSymLinks)
run PHP using suPHP or Suhosin
install mod_security (it can help you more)
-
11-16-2013, 05:30 PM #8 Junior Guru
Thanks a million
but about cxs, I have a dedicated server with OpenVZ virtualization containing 12 VPS servers.. all the files of all VPS servers are in this directory on the main server: /vz
can I buy cxs for the dedicated server so it will scan the VPS servers' files, or does it depend on the configuration files of apache and php.. etc. so it has to be installed on each server separately??
in other words, is it a file-based scanner or also a server configuration scanner?
Thanks..
-
11-16-2013, 05:33 PM #9 Web Hosting Master
If you want to prevent shell scripts from running, then you need to disable:
1. SSH
2. Cron
3. PHP
4. Perl
5. Python
The reality is, there are many ways to run "scripts" and exploits against your server. The best offence is a good defense, in the sense that you keep everything up to date. You want to minimize all risks, but all of the advice thrown in this thread isn't going to do much... it might stop the 12 year old script kiddie, but not someone who is determined with a little bit of know-how.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
11-16-2013, 05:36 PM #10 Web Hosting Guru
I think you can't install it on a VPS node. Check:
Product requirements:
cPanel/WHM
Redhat/CentOS/CloudLinux Linux v5/6
Apache v2+
ClamAV daemon process, for virus scanning
ModSecurity v2+, to enable upload script scanning (not supported for litespeed, nginx, etc. - only Apache v2+)
Pure-ftpd, compiled with --with-uploadscript for ftp upload scanning
csf, if you want pure-ftpd IP address blocking
-
11-16-2013, 05:38 PM #11 Junior Guru
-
11-16-2013, 05:38 PM #12 Web Hosting Guru
-
11-16-2013, 05:48 PM #13 Web Hosting Master
Not really.
Exploits don't work without a security vulnerability. Running something like CloudLinux will certainly protect you from a lot of zero day exploits in user land since it removes the ability of setuid/setgid to escalate to root... but the best advice I can give anyone is to just make sure you stay on top of security updates.
-
11-16-2013, 05:55 PM #14 Junior Guru
OK, here's the situation:
each server has the following security measures:
1- installed csf
2- installed a script to detect failed Plesk logins and block them using csf
3- changed SSH and FTP ports
4- turned off Plesk and ssh services
5- made the following modifications to php.ini to prevent shell scripts from running:
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen=Off
allow_url_include=Off
6- I also disabled php upload and set max file uploads and max upload size to 0 so they would never be able to upload any files..
would this be enough??
Thanks..
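Added example, not code from the thread: a small audit of a php.ini fragment against what the posts above recommend (the OP's list in posts #1 and #14, ini_set from posts #2 and #16, parse_ini_file being harmless per post #3). The sample php.ini text is constructed to mirror the OP's lines; BASELINE is the thread's combined list, not an official PHP recommendation.

```python
# Added example (not from the thread): audit a php.ini fragment against the thread's advice.
SAMPLE_PHP_INI = """\
; constructed sample, mirrors the OP's php.ini lines
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen=Off
allow_url_include=Off
"""

# Functions the thread suggests disabling (posts #1, #7, #16). ini_set and dl
# are included so a script cannot re-enable at runtime what php.ini turned off.
BASELINE = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen",
            "dl", "ini_set", "symlink", "proc_nice", "show_source"}
# Listed by the OP but harmless (post #3): it reads an application's own ini files.
HARMLESS = {"parse_ini_file"}

def parse_php_ini(text):
    """Map directive -> value; ';' starts a comment, the first '=' splits key and value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def _is_off(value):
    # PHP treats "Off", "0", "", "no" and "false" as false for boolean directives.
    return value.strip().lower() in ("off", "0", "", "no", "false")

def disabled_set(settings):
    return {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}

def audit(settings):
    """Report gaps relative to the thread's recommendations (one layer only:
    posts #17 and #19 note these settings can be evaded by non-PHP code)."""
    disabled = disabled_set(settings)
    return {
        "missing": sorted(BASELINE - disabled),
        "harmless_listed": sorted(disabled & HARMLESS),
        # When absent, allow_url_fopen defaults to On and allow_url_include to Off.
        "url_fopen_off": _is_off(settings.get("allow_url_fopen", "On")),
        "url_include_off": _is_off(settings.get("allow_url_include", "Off")),
    }

def hardened_line(settings):
    """Rebuild disable_functions keeping the admin's entries and adding the missing baseline."""
    return "disable_functions = " + ",".join(sorted(disabled_set(settings) | BASELINE))
```

On the OP's fragment the audit flags dl, ini_set, proc_nice and symlink as missing and parse_ini_file as a harmless entry, while both URL directives are already off.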
-
11-16-2013, 06:21 PM #15 Junior Guru
-
11-16-2013, 06:23 PM #16 Web Hosting Guru
Put ini_set in the disabled functions list.
-
11-17-2013, 12:31 PM #17 Problem Solver
All of these php.ini settings being thrown around in this thread can be evaded.
If the attacker can upload something (this includes compromising a WordPress admin login and using the theme editor to write to a file), they can use things that are NOT PHP to run shell commands.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
11-17-2013, 12:33 PM #18 Problem Solver
Mr. Leader in Hosting Security
Please explain the reasoning behind running either suphp or suhosin? They have completely different functions.
Not sure how you can rationalize grouping them in the same category.
Bear in mind, suphp is no longer developed and suhosin is not really developed either.. no official release for PHP 5.4 either.
-
11-17-2013, 12:36 PM #19 Problem Solver
Also,
Stopping these PHP functions will not really do anything because someone can overwrite them unless you configure PHP not to allow it (it's in EasyApache).
Doesn't cover any cPanel plugin related exploits (yes there has been LOTS of exploits in cPanel plugins).
I can think of a dozen ways to evade the recommendations in this thread. We spend every day finding ways to break servers.
From reading your previous threads OP, you need a hell of a lot more than just doing some server tweaks. Your accounts sound FILLED with malware. Neither maldet nor cxs will detect it all and you will manually have to find some.
-
11-17-2013, 01:05 PM #20 Newbie
Securing your server is much more than just securing PHP, as others have already said. But, yes, getting PHP secured is a very good start, but there's much more. A few things off the top of my head, assuming this is a Linux OS:
1. As well as PHP itself, think about the applications you run. You are much more likely to get compromised by running poorly coded PHP applications or by not updating applications you have installed.
2. In your SSH config file /etc/ssh/sshd_config, disable logging in by root (PermitRootLogin no), and only specify 1 or 2 users allowed to login with AllowUsers config directive.
3. Make sure your firewall is running. Run iptables -L which should output a bunch of rules. Securing your server with iptables is beyond the scope of this post.
4. Mount the /tmp directory on your server with the noexec,nosuid options. That will stop a lot of malware dead in its tracks.
5. Stop any unneeded services that might be running.
Manchester VPS ║ UK KVM Virtualisation
Run your own kernel ║ manchestervps.co.uk
-
11-17-2013, 01:16 PM #21 Problem Solver
Only if it is binary; it does not stop Perl (or other non-binary language) based malware. Perl attacks are incredibly common, especially with things like UDP flooders etc.
Code:
attack@attacker.com [~]# /tmp/hax.pl
bash: /tmp/hax.pl: Permission denied
attack@attacker.com [~]# perl /tmp/hax.pl
is hax?
attack@attacker.com [~]#
-
11-17-2013, 01:27 PM #22 Newbie
Absolutely correct, it won't stop all attacks; I only said "a lot".
I've lost count of the number of times I've logged into an infected client's machine to find malware dropped into /tmp with all kinds of binary executables and other crap. Simply not allowing stuff in there to execute would have stopped the malware from doing its dirty stuff. And before anyone says "but there might be legitimate stuff that needs to be able to run executables in /tmp", I have this setting on all of my servers and have never encountered a single issue. If you do find something that needs to run stuff in /tmp, it should not be doing that!! Bad, bad software. Change it for something else, as if it does that there are probably other things wrong with it.
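Added example, not code from the thread: a check for two items of post #20's list, PermitRootLogin/AllowUsers in sshd_config and noexec,nosuid on /tmp, run over constructed text rather than a live system. The sshd_config fragment and the /proc/mounts-style listing are constructed samples; the /tmp comment carries post #21's caveat that noexec only blocks direct execution, not an interpreter being handed the file.

```python
# Added example (not from the thread): audit post #20's sshd and /tmp items from constructed text.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitRootLogin yes
#AllowUsers deploy
PasswordAuthentication yes
"""
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0
"""

def parse_sshd_config(text):
    """Keyword -> argument; the first occurrence wins, as sshd itself resolves duplicates."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf

def mount_options(mounts_text, mountpoint):
    """Option set of mountpoint from /proc/mounts-style text, or None if it is not a mount."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None

def audit(sshd_text, mounts_text):
    """Return findings for the sshd_config and /tmp items of post #20."""
    conf = parse_sshd_config(sshd_text)
    findings = []
    # OpenSSH of that era permitted root login when the keyword was absent.
    if conf.get("permitrootlogin", "yes").lower() != "no":
        findings.append("sshd: set PermitRootLogin no")
    if "allowusers" not in conf:
        findings.append("sshd: restrict logins with AllowUsers")
    tmp = mount_options(mounts_text, "/tmp")
    if tmp is None:
        findings.append("/tmp: not a separate mount, noexec/nosuid cannot be applied")
    else:
        # noexec blocks running files on /tmp directly; as post #21 shows, it does not
        # stop "perl /tmp/x.pl", so treat it as one layer among several.
        findings.extend(f"/tmp: missing {opt}" for opt in ("noexec", "nosuid") if opt not in tmp)
    return findings
```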
-
11-17-2013, 01:34 PM #23 Aspiring Evangelist
I still believe (not related to this place) that there is a really good relationship between hackers and anti-hackers (audit, security etc. companies). If there is no hack there is no work for those companies, no?
The most important thing to secure your server is to control what is uploaded to your server; if you control this then you are OK. I spent 6 years in free webhosting (which is a paradise for hackers) and believe me I have seen everything, but I was never hacked (I had accounts hacked because of user stupidity, but never was a server hacked; the damage was done only to the user).
I don't really trust any security company to set up security on my servers.
Regards
-
11-17-2013, 03:55 PM #24 Web Hosting Master
-
11-17-2013, 04:09 PM #25 Aspiring Evangelist
You are right, but I was thinking that updating software is a normal thing for a sysadmin; I didn't think that a sysadmin would not be doing his default job.
Almost every website is using WordPress, Joomla etc. It is like using the Windows firewall:
http://turbo.paulstamatiou.com/uploa...ll_review1.jpg
Regards