Support

grniyce · #1 03-26-2009, 10:17 PM

Is there a subject matter expert that can guide me on how to setup LSWS for a secure shared webserver. I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. We one friend shared his cpanel with his partner whom had his identity stolen. Then this unknown decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everthing; leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time, however I don't know why mod_security didn't catch the script.

Please tell me what you need to know to give me the information I need, and I will provide it.

IrPr · #2 03-28-2009, 06:17 AM

Quote:

Originally Posted by grniyce

Is there a subject matter expert that can guide me on how to setup LSWS for a secure shared webserver. I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. We one friend shared his cpanel with his partner whom had his identity stolen. Then this unknown decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everthing; leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time, however I don't know why mod_security didn't catch the script.

Please tell me what you need to know to give me the information I need, and I will provide it.

mod_security defects some malicious scripts but there is a lot of CGI/PHP shells which mod_security couldnt detect, r57 phpshell for example

to secure your shared hosting you have to secure php in parallel of webserver/mod_security

all php shells are based on some malicious functions such as exec, system, passthru, shell, shell_exe, ... which should be disabled for security reasons, so all phpshells would be killed on your server

open_basedir is one of most important options should be set for each VHost which will jail php functions into VH's documentroot, so functions such as fopen, readdir and another file functions would be restricted just to the same VH and not available to another VHs

safe_mode and suhosin are another tricks to increase php security

IrPr · #3 03-28-2009, 06:27 AM

Quote:

Originally Posted by IrPr

mod_security defects some malicious scripts but there is a lot of CGI/PHP shells which mod_security couldnt detect, r57 phpshell for example

to secure your shared hosting you have to secure php in parallel of webserver/mod_security

all php shells are based on some malicious functions such as exec, system, passthru, shell, shell_exe, ... which should be disabled for security reasons, so all phpshells would be killed on your server

open_basedir is one of most important options should be set for each VHost which will jail php functions into VH's documentroot, so functions such as fopen, readdir and another file functions would be restricted just to the same VH and not available to another VHs

safe_mode and suhosin are another tricks to increase php security

Just want to mention that its very hard to escalate nobody prvileges to root using PHP, indeed most of local privilege escalation to root need suitable shell environment such as bash/bin, so you should disable shell access too

i suggest you install http://www.configserver.com/cp/csf.html firewall which is a powerfull firewall compatible with mod_security audits with a lot of security measures
after you installed CSF go and Check your server security, it will tell you your security score and how to increase your server security to highest level

grniyce · #4 03-28-2009, 03:47 PM

I have mod_security installed and referenced in httpd.conf.
I also have Enable Request Filtering set to Yes In LSWS.
I have CSF installed and configured with a score of 111 out of 117.

IrPr, you stated php in parallel of webserver/mod_security. If the above is true, would I be meeting that goal?

Also... you stated the malicious functions. Can you explain to me which ones I should apply, and if they go in php.ini disable_functions=blah, blah, blah?

I do have open_basedir turned off in WHM.
Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.

Any other suggestions?

IrPr · #5 03-28-2009, 05:18 PM

Quote:

Originally Posted by grniyce

IrPr, you stated php in parallel of webserver/mod_security. If the above is true, would I be meeting that goal?

For PHP there are some security measures in CSF Server security check such as open_basedir, disable_functions, enable_dl

What mod_security rules are you using? you can find some up2date rules from http://www.gotroot.com/tiki-index.ph...security+rules

Mod_security audit_log has been implemented in LSWS 4.0 also, you can set your audit_log path in CSF and check for security logs there which is very userfriendly, or set LFD rules in your CSF configuration to block attackers automatically

Quote:

Originally Posted by grniyce

Also... you stated the malicious functions. Can you explain to me which ones I should apply, and if they go in php.ini disable_functions=blah, blah, blah?

Yes, using disable_functions directive in php.ini

I disabled these functions on my shared servers:

Code:

fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid

various functions disabled but it kills all of phpshells/exploits and all of my scripts are working as well, you may remove some functions if it breaks your scripts

you can disable posix functions in php configure script using '--disable-posix' too

Quote:

Originally Posted by grniyce

I do have open_basedir turned off in WHM.

turned off? you mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security ?

Quote:

Originally Posted by grniyce

Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.

You can turn safe_mode on globally and turn if off individually for each VH using php_admin_value safe_mode 0 directive in VirtualHost section in httpd.conf

for suhosin i use this values in php.ini:

Code:

[suhosin]
extension=suhosin.so
suhosin.post.max_vars = 1024
suhosin.request.max_vars = 1024
suhosin.get.max_value_length = 1024

Quote:

Originally Posted by grniyce

Any other suggestions?

We know Litespeed is awesome in performances, but there is alot of security features in LSWS either!

To increase your CGI security you may re-install LSWS with chroot enabled but it may break some scripts, however its working like a charm for me

Also you can secure your server for DDoS attacks, check this out: http://www.litespeedtech.com/library/howto/#qa_dos

I suggest you restrict your SSH and WHM daemons only to your own IP addresses if its static, or to your range if dynamic in WHM -> Security Center -> Host Access Control
If you allow your own IP addresses and DENY ALL no one can access into your server even with root pw!

Also upgrade to mysql5 if you are on mysql4, there are vulnerabilities in mysql4 which attacker can bypass open_basedir and access files out of its home, there is a lot of performances in mysql5 either

Now you may upload some phpshells and make sure they are fully killed
common phpshells are available here: www[dot]shellci[dot]biz

Good luck

grniyce · #6 03-29-2009, 12:28 PM

I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we setup and they were stopped dead in their tracks. Furthermore, CSF blocked the ip's automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

The only question I have is:

I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
http://downloads.prometheus-group.co...-latest.tar.gz

Thank you once again for your contribution. I cannot say how thankful I am in words.

Sincerely blessed from receiving your help,

Anthony Jordan

DraCoola · #7 03-31-2009, 05:38 PM

Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again

Tony · #8 03-31-2009, 06:06 PM

Quote:

Originally Posted by DraCoola

Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again

Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.

IrPr · #9 03-31-2009, 06:20 PM

Quote:

Originally Posted by grniyce

I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we setup and they were stopped dead in their tracks. Furthermore, CSF blocked the ip's automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

The only question I have is:

I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
http://downloads.prometheus-group.co...-latest.tar.gz

Thank you once again for your contribution. I cannot say how thankful I am in words.

Sincerely blessed from receiving your help,

Anthony Jordan

Welcome dude

About mod_sec rules im using JIT and rootkit right now, but i think Tony is more familar with those rules

Quote:

Originally Posted by DraCoola

Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again

Quote:

Originally Posted by Tony

Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.

Fantastico uses the main php.ini file located /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default

PS: I strongly suggest disabling Fantastico if you can because of lots of vulnerabilities
Examples: http://www.milw0rm.com/exploits/6461 or http://www.milw0rm.com/exploits/6897

DraCoola · #10 03-31-2009, 06:22 PM

Quote:

Originally Posted by Tony

Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.

Thank you for explanation.
Could you told me the path for system php.ini?