Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : cPanel / WHM - Client's Run Applications Under Linux Account Nobody

[TomBoy123]

Hello,

As you have probably already guessed, I am in a bit of a snag, and confused at the same time. First I would like to mention that I run the cPanel / WHM suit on my own servers for webhosting. I have just recently noticed that a client, has been able to run a full out shoutcast radio server with his webhosting.

Would the only way to block this would be to close all ports (incoming + outgoing) except for the ones that are used? I am sure there must be a way to disable this other than that.

I see this as a potential security risk, and I seek your help. I have already searched, and came up empty handed. Any help is appreciated.

Regards,
TomBoy123

[IPv6]

how is he running it? do you offer ssh? do you not restrict shell commands being passed by php/

[hosting_we3cares]

If you have given shell access, just make it as jailshell access. I believe, if you install CSF then it will close all ports expect the one which is mentioned in the configuration.

[TomBoy123]

Hello, He has no SSH access. He runs it via a PHP script, a shoutcast control panel of some sort. And that run's the application. Any ideas?

[Jumba]

Quote:

Originally Posted by TomBoy123

Hello, He has no SSH access. He runs it via a PHP script, a shoutcast control panel of some sort. And that run's the application. Any ideas?

Tell him to shut it down or suspend his account?

[TomBoy123]

Hey. Already did. But if he can do it, all client's can. cPanel must have a option to disable this, but I cannot find it.

[FS - Mike]

You could try suPHP (which you select in PHP Configuration). The other option is to manually edit the php configuration and disable any functions which relate to SSH.

I would highly recommend you install CSF.

Mike

[Patrick]

Wait, was this process running in the background as a daemon or was it occasionally running only when accessed via the website? I mean if you did a ps aux via SSH, did it show their process and if so what was it called - if you remember?

You mentioned it was running as nobody, if you're looking for an easier way to identify who's running what, consider using EasyApache to upgrade to suPHP but be warned that some scripts may require different permissions and will not function until they are manually fixed. It can be a major pain in the arse to upgrade a server with many accounts to suPHP, but I think it's worth it from a security / accountability standpoint. Of course running something like Suhosin (alternative to suPHP) may provide better security, but I still prefer suPHP at the end of the day.

As for stopping it, are you even sure he was streaming from your server and that this wasn't just a control panel?

[linux-tech]

Using suphp is a pretty lame answer to this problem, as is disabling php functionality.

There are a few ways to address this:

Firstly, you can insist that the client obtain a dedicated IP address, if the only thing you're worried about is bandwidth. Once that's done, let them start it up normally (through SSH).

Secondly, you can install and manage a firewall. This will block access on ports which are not directly approved by yourself.

Thirdly, you can put in suhosin, which will stop most attacks on your server. This won't exactly stop this, but it will stop nasty stuff from getting in your server.

In the end, there's nothing wrong with running shoutcast, as long as the bandwidth used is accounted for. This is why option #1 is the recommended route. Let them use up their bandwidth, make more $ from them when they have, it's a win/win situation.