LiteSpeed Technologies

LiteSpeed Support Forums, LiteSpeed Web Server, General: How to setup Litespeed LSWS for a shared environment?

#31 anewday (Senior Member), 04-05-2009, 05:43 PM
Does it have to be PHP suExec?

#32 grniyce (Senior Member), 04-05-2009, 10:59 PM
usr/local/lib/ php.ini

#33 masood_y (Senior Member), 04-06-2009, 03:00 AM
Quote:
Originally Posted by mistwang
If you have some spare memory in your server that is not being actively used, there is one tip to improve PHP and overall server performance.

Requirements:

* there is enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

Install eaccelerator with PHP suEXEC, set disk cache storage to /dev/shm/eaccelerator/ instead of /tmp/eaccelerator/, then add a cron job to clean the cache directory every 5-10 minutes, so cache files not being used frequently will not fill up the precious shared memory storage.

Noticed the server load going down from 4.x to 1.x on one client's server.

How can I do it?

* there is enough free memory to spare.
* /dev/shm/ should be mounted as tmpfs.

#34 mistwang (LiteSpeed Staff), 04-06-2009, 11:47 AM
df shows that you already have it. Check /etc/fstab for configuration.

#35 anewday (Senior Member), 04-06-2009, 12:35 PM
Quote:
Originally Posted by anewday
Does Litespeed have to be using PHP suEXEC?

George, could you answer this?

Last edited by anewday; 04-06-2009 at 12:40 PM.

#36 Michael.Terence (Member), 04-07-2009, 11:39 AM
Quote:
Originally Posted by anewday
George, could you answer this?

I'm not George but I'll take a stab - this portion of the thread is mostly about eaccelerator and /dev/shm - so if your question was whether or not you can use eaccelerator and place the cache files in /dev/shm while not using PHP suEXEC, the answer is yes; just be sure the user PHP is running as has access to the directory.

#37 mistwang (LiteSpeed Staff), 04-08-2009, 06:41 PM
It benefits PHP suEXEC most, as each PHP process uses its own in-memory cache; this way, it is just like we share a global in-memory cache.
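
One way to implement the cache clean-up cron job described in this part of the thread, as an added example that is not code from the posters or from LiteSpeed. The script path in the crontab comment, the 10-minute default and the 1777 directory mode are assumptions.

```sh
#!/bin/sh
# Added example: prune eAccelerator cache files kept on tmpfs.
# php.ini side (per the tip): eaccelerator.cache_dir = "/dev/shm/eaccelerator"
# Hypothetical root crontab line, every 5 minutes, files idle for 10+ minutes:
#   */5 * * * * /usr/local/sbin/prune-eacc-cache /dev/shm/eaccelerator 10

# prune_cache DIR MINUTES
# Deletes regular files under DIR not read for more than MINUTES minutes and
# prints how many were removed. Returns non-zero when DIR cannot be trusted.
prune_cache() {
    local dir minutes
    dir=$1 minutes=$2
    case $minutes in
        ''|*[!0-9]*) echo "bad age: $minutes" >&2; return 2 ;;
    esac
    # tmpfs is emptied at reboot, so recreate the directory when it is gone.
    # Mode 1777 (sticky, like /tmp) is an assumption for suEXEC setups in
    # which several accounts write cache files into the same directory.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        mkdir -m 1777 -- "$dir" || return 1
    fi
    # /dev/shm is world-writable: never act on a path that an unprivileged
    # user could have replaced with a symlink to somewhere else.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a real directory" >&2
        return 1
    fi
    # -xdev stays on this filesystem, -type f skips symlinks and directories,
    # -amin +N matches files last accessed more than N minutes ago.
    # Note: on a relatime mount the kernel refreshes atime only on the first
    # read after a write (or once a day), so busy files can look idle too.
    find "$dir" -xdev -type f -amin "+$minutes" -print -delete | wc -l
}

# Run only when a directory is passed on the command line (as cron does).
if [ "$#" -ge 1 ]; then
    prune_cache "$1" "${2:-10}"
fi
```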

#38 grniyce (Senior Member), 04-24-2009, 07:56 PM
Quote:
Originally Posted by IrPr
For PHP there are some security measures in CSF Server security check such as open_basedir, disable_functions, enable_dl

What mod_security rules are you using? You can find some up-to-date rules from http://www.gotroot.com/tiki-index.ph...security+rules

Mod_security audit_log has been implemented in LSWS 4.0 also; you can set your audit_log path in CSF and check for security logs there, which is very user-friendly, or set LFD rules in your CSF configuration to block attackers automatically.


Yes, using disable_functions directive in php.ini

I disabled these functions on my shared servers:
Code:
fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsid,posix_setuid
Various functions are disabled, but it kills all of the phpshells/exploits and all of my scripts are working as well; you may remove some functions if it breaks your scripts.

You can disable posix functions in the PHP configure script using '--disable-posix' too.

Turned off? You mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security?


You can turn safe_mode on globally and turn it off individually for each VH using the php_admin_value safe_mode 0 directive in the VirtualHost section in httpd.conf.

For suhosin I use these values in php.ini:
Code:
[suhosin]
extension=suhosin.so
suhosin.post.max_vars = 1024
suhosin.request.max_vars = 1024
suhosin.get.max_value_length = 1024

We know Litespeed is awesome in performance, but there are a lot of security features in LSWS as well!

To increase your CGI security you may re-install LSWS with chroot enabled, but it may break some scripts; however, it's working like a charm for me.

Also you can secure your server against DDoS attacks, check this out: http://www.litespeedtech.com/library/howto/#qa_dos

I suggest you restrict your SSH and WHM daemons only to your own IP addresses if it's static, or to your range if dynamic, in WHM -> Security Center -> Host Access Control.
If you allow your own IP addresses and DENY ALL, no one can access your server even with the root pw!

Also upgrade to mysql5 if you are on mysql4; there are vulnerabilities in mysql4 with which an attacker can bypass open_basedir and access files outside of its home, and there is a lot of performance in mysql5 too.

Now you may upload some phpshells and make sure they are fully killed
common phpshells are available here: www[dot]shellci[dot]biz

Good luck

I have done most of the above, however I don't know how to get the mod_security logs and so forth to work with csf and litespeed. I think I need to specify the paths and so forth.

I uploaded a couple scripts to the server and after disabling all of the functions and everything above, they still ran.

I'm confused and might need to hire someone to help me make sure my server is secure against these attacks, because a lot of my associates are experiencing these attacks, and I myself have unfortunately lost an entire server due to an attack about 4 months ago.

Please help.
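
A check for the disable_functions approach discussed in post #38, as an added example that is not from the thread or from LiteSpeed: it reads the active disable_functions line of a php.ini, lists entries that cannot be function names, and reports command-execution functions missing from it. The helper names and the sample file (a short excerpt of the quoted list) are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the disable_functions line of a php.ini.
# df_entries, df_malformed, df_missing and sample_ini are hypothetical helpers.

# df_entries FILE: one entry per line from the last uncommented
# disable_functions directive (a later assignment overrides an earlier one).
df_entries() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/"//g' | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# df_malformed FILE: entries that cannot be PHP function names. Names such
# as tmp or HTTP_HOST pass this syntax test; only PHP knows they are not
# functions, so this catches typos like a stray hyphen, not every bad entry.
df_malformed() {
    df_entries "$1" | grep -Ev '^[A-Za-z_][A-Za-z0-9_]*$' || true
}

# df_missing FILE: command-execution functions absent from the active list.
df_missing() {
    local fn
    for fn in exec shell_exec system passthru popen proc_open; do
        df_entries "$1" | grep -qx "$fn" || echo "$fn"
    done
}

# Constructed sample: a short excerpt of the list quoted in post #38,
# preceded by a commented-out directive, which PHP ignores.
sample_ini() {
    cat <<'EOF'
;disable_functions = exec,system
disable_functions = fpassthru,hell-exec,system,dl,popen,exec,shell_exec,passthru,proc_open
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
ini=${1:-}
[ -n "$ini" ] || { ini=$(mktemp) && sample_ini > "$ini"; }
echo "entries:   $(df_entries "$ini" | wc -l)"
echo "malformed: $(df_malformed "$ini" | tr '\n' ' ')"
echo "missing:   $(df_missing "$ini" | tr '\n' ' ')"
[ -n "${1:-}" ] || rm -f "$ini"
```

Point it at the php.ini that the web server's PHP actually loads (the "Loaded Configuration File" row of phpinfo() served through LSWS), which can differ from the one the command-line binary reads. A clean result covers command execution only: directory browsing by an uploaded script uses directory and file functions such as opendir or file_get_contents, which the quoted list leaves enabled, and restricting those is the job of the open_basedir setting mentioned in the same post.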

#39 DraCoola (Senior Member), 04-25-2009, 06:45 AM
Quote:
Originally Posted by grniyce
I have done most of the above, however I don't know how to get the mod_security logs and so forth to work with csf and litespeed. I think I need to specify the paths and so forth.

I uploaded a couple scripts to the server and after disabling all of the functions and everything above, they still ran.

I'm confused and might need to hire someone to help me make sure my server is secure against these attacks, because a lot of my associates are experiencing these attacks, and I myself have unfortunately lost an entire server due to an attack about 4 months ago.

Please help.

They still can run in an XSS way?
On my server, I have put in all of those PHP disable_functions, except php_uname, and I tried it myself: some of the shell scripts cannot execute any important command to hack into another account.

#40 grniyce (Senior Member), 04-25-2009, 09:21 AM
Quote:
Originally Posted by DraCoola
They still can run in an XSS way?
On my server, I have put in all of those PHP disable_functions, except php_uname, and I tried it myself: some of the shell scripts cannot execute any important command to hack into another account.

I added the commands, and rebuilt apache with modsecurity, suhosin, php 5.2.9, eaccelerator, zend optimizer, and then I added the suhosin suggestion above to php.ini and added the includes line to httpd.conf for mod security at the bottom. I also have ClamAV installed.

I then built matching php, and I reinstalled LSWS most recent with the chroot on and set it to /usr/local/lsws

Now I went to the scripts site and had to turn off my PC antivirus, and then I downloaded a handful of the scripts there, uploaded them through FTP to a mock domain on my server, and relabeled them like c99.php, r57.php etc. I accessed each one of them just like regular pages, and they let me navigate my server. It is my understanding that these scripts should have been stopped by ClamAV, as well as ModSecurity and CSF, but none of them have. ALL of the php.ini functions suggested above have been disabled also, and /dev/shm has been remounted also. I'm totally confused. This isn't working....

However, when I go to view modsecurity log in CSF here is what I get:



So, I am assuming I need to redefine somewhere in the server where the log should be found? How can I setup LSWS and WHM and CSF to all collaborate with the modsecurity log?