Support

grniyce · #41 04-25-2009, 09:34 AM

Here is php.ini showing functions disabled:

Here is suhosin section added in php.ini:

...and here is the /usr/local/lsws/conf/httpd_config.xml:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<httpServerConfig>
  <serverName>server.legithost.net</serverName>
  <user>nobody</user>
  <group>nobody</group>
  <priority>-19</priority>
  <chrootPath>/</chrootPath>
  <enableChroot>0</enableChroot>
  <inMemBufSize>60M</inMemBufSize>
  <swappingDir>/tmp/lshttpd/swap</swappingDir>
  <autoRestart>1</autoRestart>
  <autoFix503>1</autoFix503>
  <loadApacheConf>1</loadApacheConf>
  <autoReloadApacheConf>2</autoReloadApacheConf>
  <apacheBinPath>/usr/local/apache/bin/httpd</apacheBinPath>
  <apacheConfFile>/usr/local/apache/conf/httpd.conf</apacheConfFile>
  <apachePortOffset>0</apachePortOffset>
  <apacheIpOffset>0</apacheIpOffset>
  <apacheHandledContent></apacheHandledContent>
  <phpSuExec>1</phpSuExec>
  <phpSuExecMaxConn>10</phpSuExecMaxConn>
  <apacheEnableFP>1</apacheEnableFP>
  <mime>$SERVER_ROOT/conf/mime.properties</mime>
  <disableInitLogRotation>1</disableInitLogRotation>
  <showVersionNumber>0</showVersionNumber>
  <enableIpGeo></enableIpGeo>
  <useIpInProxyHeader></useIpInProxyHeader>
  <autoUpdateInterval>86400</autoUpdateInterval>
  <autoUpdateDownloadPkg>1</autoUpdateDownloadPkg>
  <adminEmails>grniyce@gmail.com</adminEmails>
  <adminRoot>$SERVER_ROOT/admin/</adminRoot>
  <logging>
    <log>
      <fileName>/usr/local/apache/logs/error_log</fileName>
      <logLevel>DEBUG</logLevel>
      <debugLevel>0</debugLevel>
      <rollingSize>2000M</rollingSize>
      <enableStderrLog>0</enableStderrLog>
    </log>
    <accessLog>
      <fileName>$SERVER_ROOT/logs/access.log</fileName>
      <rollingSize>2000M</rollingSize>
      <keepDays>30</keepDays>
      <compressArchive>0</compressArchive>
    </accessLog>
  </logging>
  <indexFiles>index.html, index.php, index.php5, index.htm</indexFiles>
  <autoIndex></autoIndex>
  <autoIndexURI></autoIndexURI>
  <htAccess>
    <allowOverride>31</allowOverride>
    <accessFileName>.htaccess</accessFileName>
  </htAccess>
  <expires>
    <enableExpires>1</enableExpires>
    <expiresByType>image/*=A604800, text/css=A604800, application/x-javascript=A604800</expiresByType>
  </expires>
  <tuning>
    <maxConnections>650</maxConnections>
    <maxSSLConnections>50</maxSSLConnections>
    <connTimeout>60</connTimeout>
    <maxKeepAliveReq>90</maxKeepAliveReq>
    <smartKeepAlive>1</smartKeepAlive>
    <keepAliveTimeout>3</keepAliveTimeout>
    <sndBufSize>0</sndBufSize>
    <rcvBufSize>0</rcvBufSize>
    <eventDispatcher>best</eventDispatcher>
    <maxCachedFileSize>4096</maxCachedFileSize>
    <totalInMemCacheSize>20M</totalInMemCacheSize>
    <maxMMapFileSize>256K</maxMMapFileSize>
    <totalMMapCacheSize>40M</totalMMapCacheSize>
    <useSendfile>1</useSendfile>
    <etagNoInode>1</etagNoInode>
    <SSLCryptoDevice>null</SSLCryptoDevice>
    <maxReqURLLen>8192</maxReqURLLen>
    <maxReqHeaderSize>16380</maxReqHeaderSize>
    <maxReqBodySize>10M</maxReqBodySize>
    <maxDynRespHeaderSize>4K</maxDynRespHeaderSize>
    <maxDynRespSize>10M</maxDynRespSize>
    <enableGzipCompress>1</enableGzipCompress>
    <enableDynGzipCompress>1</enableDynGzipCompress>
    <gzipCompressLevel>1</gzipCompressLevel>
    <compressibleTypes>text/*, application/x-javascript, application/xml</compressibleTypes>
    <gzipAutoUpdateStatic>1</gzipAutoUpdateStatic>
    <gzipCacheDir></gzipCacheDir>
    <gzipStaticCompressLevel>1</gzipStaticCompressLevel>
    <gzipMaxFileSize>1M</gzipMaxFileSize>
    <gzipMinFileSize>300</gzipMinFileSize>
  </tuning>
  <security>
    <fileAccessControl>
      <followSymbolLink>1</followSymbolLink>
      <checkSymbolLink>0</checkSymbolLink>
      <requiredPermissionMask>000</requiredPermissionMask>
      <restrictedPermissionMask>000</restrictedPermissionMask>
    </fileAccessControl>
    <perClientConnLimit>
      <staticReqPerSec>25</staticReqPerSec>
      <dynReqPerSec>10</dynReqPerSec>
      <outBandwidth>0</outBandwidth>
      <inBandwidth>0</inBandwidth>
      <softLimit>400</softLimit>
      <hardLimit>500</hardLimit>
      <gracePeriod>15</gracePeriod>
      <banPeriod>300</banPeriod>
    </perClientConnLimit>
    <CGIRLimit>
      <maxCGIInstances>20</maxCGIInstances>
      <minUID>11</minUID>
      <minGID>10</minGID>
      <priority>0</priority>
      <CPUSoftLimit>60</CPUSoftLimit>
      <CPUHardLimit>120</CPUHardLimit>
      <memSoftLimit>250M</memSoftLimit>
      <memHardLimit>300M</memHardLimit>
      <procSoftLimit>400</procSoftLimit>
      <procHardLimit>450</procHardLimit>
    </CGIRLimit>
    <censorshipControl>
      <enableCensorship>1</enableCensorship>
      <logLevel>1</logLevel>
      <defaultAction>deny,log,status:403</defaultAction>
      <scanPOST>1</scanPOST>
    </censorshipControl>
    <accessDenyDir>
      <dir>/</dir>
      <dir>/etc/*</dir>
      <dir>/dev/*</dir>
      <dir>$SERVER_ROOT/conf/*</dir>
      <dir>$SERVER_ROOT/admin/conf/*</dir>
    </accessDenyDir>
    <accessControl>
      <allow>ALL</allow>
      <deny></deny>
    </accessControl>
  </security>
  <extProcessorList>
    <extProcessor>
      <type>lsapi</type>
      <name>lsphp5</name>
      <address>uds://tmp/lshttpd/lsphp5.sock</address>
      <note></note>
      <maxConns>35</maxConns>
      <env>PHP_LSAPI_MAX_REQUESTS=500</env>
      <env>PHP_LSAPI_CHILDREN=35</env>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <persistConn>1</persistConn>
      <pcKeepAliveTimeout></pcKeepAliveTimeout>
      <respBuffer>0</respBuffer>
      <autoStart>1</autoStart>
      <path>$SERVER_ROOT/fcgi-bin/lsphp5</path>
      <backlog>100</backlog>
      <instances>1</instances>
      <runOnStartUp></runOnStartUp>
      <extMaxIdleTime></extMaxIdleTime>
      <priority>0</priority>
      <memSoftLimit>450M</memSoftLimit>
      <memHardLimit>500M</memHardLimit>
      <procSoftLimit>200</procSoftLimit>
      <procHardLimit>200</procHardLimit>
    </extProcessor>
    <extProcessor>
      <type>lsapi</type>
      <name>lsphp4</name>
      <address>uds://tmp/lshttpd/lsphp4.sock</address>
      <note></note>
      <maxConns>35</maxConns>
      <env>PHP_LSAPI_MAX_REQUESTS=500</env>
      <env>PHP_LSAPI_CHILDREN=35</env>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <persistConn>1</persistConn>
      <pcKeepAliveTimeout></pcKeepAliveTimeout>
      <respBuffer>0</respBuffer>
      <autoStart>1</autoStart>
      <path>$SERVER_ROOT/fcgi-bin/lsphp4</path>
      <backlog>100</backlog>
      <instances>1</instances>
      <runOnStartUp></runOnStartUp>
      <extMaxIdleTime></extMaxIdleTime>
      <priority>0</priority>
      <memSoftLimit>450M</memSoftLimit>
      <memHardLimit>500M</memHardLimit>
      <procSoftLimit>200</procSoftLimit>
      <procHardLimit>200</procHardLimit>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2082</name>
      <address>127.0.0.1:2082</address>
      <note>for cPanel backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2095</name>
      <address>127.0.0.1:2095</address>
      <note>for webmail backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2086</name>
      <address>127.0.0.1:2086</address>
      <note>for WHM backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
    <extProcessor>
      <type>proxy</type>
      <name>127.0.0.1:2077</name>
      <address>127.0.0.1:2077</address>
      <note>for webdisk backend</note>
      <maxConns>100</maxConns>
      <pcKeepAliveTimeout>0</pcKeepAliveTimeout>
      <initTimeout>60</initTimeout>
      <retryTimeout>0</retryTimeout>
      <respBuffer>0</respBuffer>
    </extProcessor>
  </extProcessorList>
  <scriptHandlerList>
    <scriptHandler>
      <suffix>php</suffix>
      <type>lsapi</type>
      <handler>lsphp5</handler>
    </scriptHandler>
    <scriptHandler>
      <suffix>php4</suffix>
      <type>lsapi</type>
      <handler>lsphp4</handler>
    </scriptHandler>
    <scriptHandler>
      <suffix>php5</suffix>
      <type>lsapi</type>
      <handler>lsphp5</handler>
      <note></note>
    </scriptHandler>
  </scriptHandlerList>
  <railsDefaults>
    <rubyBin></rubyBin>
    <railsEnv>1</railsEnv>
    <maxConns>5</maxConns>
    <env>LSAPI_MAX_REQS=1000</env>
    <env>LSAPI_MAX_IDLE=60</env>
    <initTimeout>60</initTimeout>
    <retryTimeout>0</retryTimeout>
    <pcKeepAliveTimeout>60</pcKeepAliveTimeout>
    <respBuffer>0</respBuffer>
    <backlog>50</backlog>
    <runOnStartUp>1</runOnStartUp>
    <extMaxIdleTime>300</extMaxIdleTime>
    <priority>3</priority>
    <memSoftLimit>450M</memSoftLimit>
    <memHardLimit>500M</memHardLimit>
    <procSoftLimit>200</procSoftLimit>
    <procHardLimit>300</procHardLimit>
  </railsDefaults>
</httpServerConfig>

DraCoola · #42 04-25-2009, 09:40 AM

Perhaps you should add the mod_sec rules first? Or it have been missing?
The path for mode_sec was on /usr/local/apache/conf/

Btw some of C99 has succesfully made them self "disappear" from ClamAV.
ClamAV cannot recognize that special C99 as a trojan/virus.
So ClamAV will be unused on that case.

Mod_Sec is just only as the first gate with their rules.
If, sometimes, php shells can get through over it, so the last defend is phpSuexec (Suphp is better) and php disable_functions.
And ofcourse suhosin.

The most important thing is how to prevent that script to read/write all files and directories on our servers.
It can be made by php_disable functions and php priveledge as per user.
Are you sure that php.ini that being used (disable_functions edited) is the right php.ini for all web users?

grniyce · #43 04-25-2009, 10:01 AM

Both the php.ini's are identical, so I am positive all the disable functions are effective now.

grniyce · #44 05-12-2009, 09:09 PM

As an update, everything is working beautifully and I thank everyone that has contributed to this thread!

auser · #45 05-12-2009, 11:47 PM

Quote:

Originally Posted by grniyce

Now I went to the scripts site and had to turn off my pc antivirus, and then I downloaded a handful of the scripts there, uploaded them thru ftp to a mock domain on my server, and relabled them like c99.php, r57.php etc etc. I accessed each one of them just like regular pages, and they let me navigate my server. It is my understanding that these scripts should have been stopped by ClamAV, as well as ModSecurity and CSF, but none of them have. ALL of the php.ini functions suggested above have been disabled also, and devshm has been remounted also. I'm totally confused. This isn't working....

(

I'd like to download 1 of the scripts, to try on my local box, see if LSWS can stop it, or how to stop it. Can you tell the location of the scripts site, and point out 1 which looks most troublesome? This will break down big issues into smaller ones, and help resolve them finally.

grniyce · #46 05-14-2009, 09:51 AM

NOTE: VERY IMPORTANT THAT THE BELOW SITE IS TO BE USED BY INDIVIDUALS WHOM KNOW EXACTLY WHAT THEY ARE DOING IN EFFORT(S) TO TEST THE SECURITY OF YOUR SERVER. REALIZE THAT LEAVING -ANY- OF THESE SHELLS CAN PLACE YOUR SERVER AT SEVERE RISK IF YOU DO NOT KNOW WHAT YOU ARE DOING!

common phpshells are available here: www.shellci.biz

nixell · #47 06-22-2009, 08:32 PM

If php function disable, is whmcs or other script still can't run?

grniyce · #48 06-22-2009, 11:31 PM

Yes WHMCS works fine with the php functions mentioned disabled. Most if not 99% of the time you will run into ini_set errors (not on whmcs but on various other scripts). If you simply edit out the ini_set from the configuration files or have someone knowledgable do it you won't run into any errors.

To directly answer your question, "you will have no issues running whmcs and most other scripts with all of the above recommendations".

My server runs vBulletin, IPB, PHPbb, WHMSonic, WHMCS, Shoutcast, and many other scripts without any flaws.

Nokki · #49 02-24-2010, 11:24 PM

thanks for the guide

onisoc · #50 05-04-2010, 01:57 AM

I'm using cPanel and apache for server shared hosting. I'm planning transfer to use LSWS + cPanel, but i have some question:
1. .htaccess : is LSWS compatible with cPanel users ?
2. I have some configs in httpd.conf like:

Quote:

<Directory "/home/">
Options Indexes -Includes IncludesNOEXEC -FollowSymLinks -SymLinksifOwnerMatch ExecCGI
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,ExecCGI
</Directory>

<Directory "/usr/local/apache/htdocs">
Options IncludesNOEXEC Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
AllowOverride None
Order allow,deny
Allow from all

</Directory>

for anti phpshell, cgishell effect symlink.
May i use it with LSWS ?

I hope you can advise me smt.