How to setup Litespeed LSWS for a shared environment?

Discussion in 'General' started by grniyce, Mar 27, 2009.

  1. grniyce

    grniyce New Member

    Is there a subject matter expert who can guide me on how to set up LSWS for a secure shared web server? I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. Well, one friend shared his cPanel with his partner, who had his identity stolen. Then this unknown person decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everything, leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time; however, I don't know why mod_security didn't catch the script.

    Please tell me what you need to know to give me the information I need, and I will provide it.
  2. IrPr

    IrPr New Member

    mod_security detects some malicious scripts, but there are a lot of CGI/PHP shells which mod_security couldn't detect, r57 phpshell for example.

    To secure your shared hosting you have to secure PHP in parallel with the webserver/mod_security.

    All PHP shells are based on some malicious functions such as exec, system, passthru, shell, shell_exec, ... which should be disabled for security reasons, so all PHP shells would be killed on your server.

    open_basedir is one of the most important options and should be set for each VHost; it will jail PHP functions into the VH's documentroot, so functions such as fopen, readdir and other file functions would be restricted to the same VH and not available to other VHs.

    safe_mode and suhosin are other tricks to increase PHP security.
    Last edited: Mar 28, 2009
  3. IrPr

    IrPr New Member

    Just want to mention that it's very hard to escalate nobody privileges to root using PHP; indeed most local privilege escalations to root need a suitable shell environment such as bash/bin, so you should disable shell access too.

    I suggest you install the http://www.configserver.com/cp/csf.html firewall, which is a powerful firewall compatible with mod_security audits, with a lot of security measures.
    After you install CSF, go and Check your server security; it will tell you your security score and how to increase your server security to the highest level.
    Last edited: Mar 28, 2009
  4. grniyce

    grniyce New Member

    I have mod_security installed and referenced in httpd.conf.
    I also have Enable Request Filtering set to Yes In LSWS.
    I have CSF installed and configured with a score of 111 out of 117.

    IrPr, you stated PHP in parallel with the webserver/mod_security. If the above is true, would I be meeting that goal?

    Also... you stated the malicious functions. Can you explain to me which ones I should apply, and whether they go in php.ini as disable_functions=blah, blah, blah?

    I do have open_basedir turned off in WHM.
    Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.

    Any other suggestions?
  5. IrPr

    IrPr New Member

    For PHP there are some security measures in the CSF Server Security Check such as open_basedir, disable_functions, enable_dl.

    What mod_security rules are you using? You can find some up-to-date rules at http://www.gotroot.com/tiki-index.php?page=mod_security rules

    mod_security audit_log has been implemented in LSWS 4.0 also; you can set your audit_log path in CSF and check for security logs there, which is very user-friendly, or set LFD rules in your CSF configuration to block attackers automatically.

    Yes, using the disable_functions directive in php.ini.

    I disabled these functions on my shared servers:
    Code:
    disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups
    Various functions are disabled, but it kills all of the PHP shells/exploits and all of my scripts are working as well; you may remove some functions if it breaks your scripts.

    You can disable posix functions in the PHP configure script using '--disable-posix' too.
    Turned off? You mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security?

    You can turn safe_mode on globally and turn it off individually for each VH using the php_admin_value safe_mode 0 directive in the VirtualHost section in httpd.conf.

    For suhosin I use these values in php.ini:
    Code:
    [suhosin]
    extension=suhosin.so
    suhosin.post.max_vars = 1024
    suhosin.request.max_vars = 1024
    suhosin.get.max_value_length = 1024
    
    We know Litespeed is awesome in performance, but there are a lot of security features in LSWS too!

    To increase your CGI security you may re-install LSWS with chroot enabled, but it may break some scripts; however, it's working like a charm for me.

    Also you can secure your server against DDoS attacks; check this out: http://www.litespeedtech.com/library/howto/#qa_dos

    I suggest you restrict your SSH and WHM daemons only to your own IP addresses if they are static, or to your range if dynamic, in WHM -> Security Center -> Host Access Control.
    If you allow your own IP addresses and DENY ALL, no one can access your server even with the root password!

    Also upgrade to MySQL 5 if you are on MySQL 4; there are vulnerabilities in MySQL 4 through which an attacker can bypass open_basedir and access files outside its home, and there are a lot of performance gains in MySQL 5 too.

    Now you may upload some PHP shells and make sure they are fully killed.
    common phpshells are available here: www[dot]shellci[dot]biz

    Good luck ;)
    Last edited: Mar 29, 2009
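A defender-side check for the two PHP settings discussed in this thread (disable_functions and open_basedir), added here as an example and not code from the thread, LiteSpeed or CSF: it reads a php.ini, reports which shell-spawning functions from the list above are still callable, and flags an empty open_basedir. The function subset, the sample php.ini contents and the paths are constructed for the example; a non-empty global open_basedir is only a baseline, since the per-VHost value belongs in the vhost configuration as the post says.

```shell
# Added example (not from the thread, LiteSpeed or CSF): audit a php.ini for
# the hardening discussed above. Paths and sample contents are constructed.

# Shell-spawning functions, a subset of the list posted above, that must appear
# in disable_functions for PHP web shells to be neutralised.
REQUIRED_DISABLED="exec system passthru shell_exec popen proc_open dl posix_setuid"
# Effective value of directive $2 in php.ini $1: the last uncommented assignment
# wins; quotes, a trailing ";" comment and surrounding whitespace are removed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | tr -d '"' | sed -e 's/[[:space:]]*;.*//' -e 's/[[:space:]]*$//'
}
# Print each required function that is still callable, one per line.
missing_disabled() {
    list=$(ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' ')
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$list" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}
# True when open_basedir is non-empty (global baseline only; set it per VHost too).
has_open_basedir() { [ -n "$(ini_value "$1" open_basedir)" ]; }
# Report findings; return 1 on any finding, 0 when both checks pass.
audit_php_ini() {
    rc=0
    missing=$(missing_disabled "$1")
    [ -z "$missing" ] || { echo "$1: still callable: $(echo "$missing" | tr '\n' ' ')"; rc=1; }
    has_open_basedir "$1" || { echo "$1: open_basedir is empty"; rc=1; }
    [ "$rc" -ne 0 ] || echo "$1: OK"
    return "$rc"
}
# Constructed sample files: a weak php.ini (its commented-out line must be
# ignored) and a hardened one with a trailing comment after the value.
write_samples() {
    cat > "$1/weak.ini" <<'EOF'
;disable_functions = exec,system,passthru
disable_functions = "exec, system"
open_basedir =
EOF
    cat > "$1/hardened.ini" <<'EOF'
disable_functions = exec,system,passthru,shell_exec,popen,proc_open,dl,posix_setuid ; no shells
open_basedir = /home/user/public_html:/tmp
EOF
}

d=$(mktemp -d) && write_samples "$d"
audit_php_ini "$d/weak.ini" || true   # lists the six still-callable functions
audit_php_ini "$d/hardened.ini"       # prints ".../hardened.ini: OK"
rm -r "$d"
```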
  6. grniyce

    grniyce New Member

    I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we set up and they were stopped dead in their tracks. Furthermore, CSF blocked the IPs automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

    The only question I have is:

    I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
    http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-latest.tar.gz

    Thank you once again for your contribution. I cannot say how thankful I am in words.

    Sincerely blessed from receiving your help,

    Anthony Jordan
  7. DraCoola

    DraCoola Member

    Still no luck.
    Because Fantastico needs php_uname, shell_exec, and system enabled in php.ini.
    So the c99 can ls, ls -al, and cat across to other vhosts again :(
  8. Tony

    Tony Member


    Fantastico should be using cPanel's PHP, not the system one. So you should not have to enable those functions for Fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cPanel PHP.
  9. IrPr

    IrPr New Member

    Welcome dude

    About mod_sec rules, I'm using JIT and rootkit right now, but I think Tony is more familiar with those rules.

    Fantastico uses the main php.ini file located at /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default.

    PS: I strongly suggest disabling Fantastico if you can, because of lots of vulnerabilities.
    Examples: http://www.milw0rm.com/exploits/6461 or http://www.milw0rm.com/exploits/6897
    Last edited: Apr 1, 2009
  10. DraCoola

    DraCoola Member

    Thank you for the explanation.
    Could you tell me the path for the system php.ini?
  11. DraCoola

    DraCoola Member

    got that!
    thanks :)
  12. Tony

    Tony Member

    If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

    cPanel's PHP, which would be used by Fantastico since the installer runs within the cPanel system, would be /usr/local/cpanel/3rdparty/etc/php.ini. The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related run within WHM or cPanel.
  13. DraCoola

    DraCoola Member

    But... after I edit /usr/local/lib/php.ini, it always changes the phpinfo() value on /home/user/public_html/phpinfo.php.
    Is there something wrong with my installation?
    I am still using the old PHP 5.2.8 from cPanel.
  14. IrPr

    IrPr New Member

    Right, thanks for the correction.

    I always build lsphp myself.
  15. IrPr

    IrPr New Member

    ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
    I think it's linked to lsphp's php.ini or vice versa.
    Last edited: Apr 1, 2009
  16. IrPr

    IrPr New Member

  17. DraCoola

    DraCoola Member

    I checked /usr/local/cpanel/3rdparty/etc/php.ini and found that disable_functions is totally empty there.

    @IrPr :

    root@xxxxx [/home]# ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
    /bin/ls: /opt/lsws/lsphp5/lib/php.ini: No such file or directory
    0 lrwxrwxrwx 1 root root 22 Feb 15 12:07 /usr/lib/php.ini -> /usr/local/lib/php.ini
    40 -rw-r--r-- 1 root root 40218 Apr 1 08:21 /usr/local/lib/php.ini
  18. IrPr

    IrPr New Member

    Using lsws? What's your loaded php.ini path in phpinfo()?
  19. DraCoola

    DraCoola Member

    /usr/local/lib/php.ini

    But it works fine now after running /scripts/makecpphp.
    Thank you for all of your disable_functions values :)
  20. DraCoola

    DraCoola Member

    But I'm still curious about how to enable pure phpsuexec on this LS-cPanel.
    Because I think the security of LS will be totally null if any user can still walk around other users' territories.

    It is just the same as php-DSO (nobody), where the username means nothing to PHP security.
