How to setup Litespeed LSWS for a shared environment?

grniyce

Well-Known Member
#1
Is there a subject matter expert that can guide me on how to setup LSWS for a secure shared webserver. I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. We one friend shared his cpanel with his partner whom had his identity stolen. Then this unknown decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everthing; leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time, however I don't know why mod_security didn't catch the script.

Please tell me what you need to know to give me the information I need, and I will provide it.
 

IrPr

Well-Known Member
#2
Is there a subject matter expert that can guide me on how to setup LSWS for a secure shared webserver. I know that is a blind request, but let me explain what happened in the past. I host some friends and so forth. We one friend shared his cpanel with his partner whom had his identity stolen. Then this unknown decided to upload some script which allowed him to gain access to the root of the server, and virtually deleted everthing; leaving me with a ton of refunds and headaches for over a month. I was using LSWS at the time, however I don't know why mod_security didn't catch the script.

Please tell me what you need to know to give me the information I need, and I will provide it.
mod_security defects some malicious scripts but there is a lot of CGI/PHP shells which mod_security couldnt detect, r57 phpshell for example

to secure your shared hosting you have to secure php in parallel of webserver/mod_security

all php shells are based on some malicious functions such as exec, system, passthru, shell, shell_exe, ... which should be disabled for security reasons, so all phpshells would be killed on your server

open_basedir is one of most important options should be set for each VHost which will jail php functions into VH's documentroot, so functions such as fopen, readdir and another file functions would be restricted just to the same VH and not available to another VHs

safe_mode and suhosin are another tricks to increase php security
 
Last edited:

IrPr

Well-Known Member
#3
mod_security defects some malicious scripts but there is a lot of CGI/PHP shells which mod_security couldnt detect, r57 phpshell for example

to secure your shared hosting you have to secure php in parallel of webserver/mod_security

all php shells are based on some malicious functions such as exec, system, passthru, shell, shell_exe, ... which should be disabled for security reasons, so all phpshells would be killed on your server

open_basedir is one of most important options should be set for each VHost which will jail php functions into VH's documentroot, so functions such as fopen, readdir and another file functions would be restricted just to the same VH and not available to another VHs

safe_mode and suhosin are another tricks to increase php security
Just want to mention that its very hard to escalate nobody prvileges to root using PHP, indeed most of local privilege escalation to root need suitable shell environment such as bash/bin, so you should disable shell access too

i suggest you install http://www.configserver.com/cp/csf.html firewall which is a powerfull firewall compatible with mod_security audits with a lot of security measures
after you installed CSF go and Check your server security, it will tell you your security score and how to increase your server security to highest level
 
Last edited:

grniyce

Well-Known Member
#4
I have mod_security installed and referenced in httpd.conf.
I also have Enable Request Filtering set to Yes In LSWS.
I have CSF installed and configured with a score of 111 out of 117.

IrPr, you stated php in parallel of webserver/mod_security. If the above is true, would I be meeting that goal?

Also... you stated the malicious functions. Can you explain to me which ones I should apply, and if they go in php.ini disable_functions=blah, blah, blah?

I do have open_basedir turned off in WHM.
Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.

Any other suggestions?
 

IrPr

Well-Known Member
#5
IrPr, you stated php in parallel of webserver/mod_security. If the above is true, would I be meeting that goal?
For PHP there are some security measures in CSF Server security check such as open_basedir, disable_functions, enable_dl

What mod_security rules are you using? you can find some up2date rules from http://www.gotroot.com/tiki-index.php?page=mod_security+rules

Mod_security audit_log has been implemented in LSWS 4.0 also, you can set your audit_log path in CSF and check for security logs there which is very userfriendly, or set LFD rules in your CSF configuration to block attackers automatically

Also... you stated the malicious functions. Can you explain to me which ones I should apply, and if they go in php.ini disable_functions=blah, blah, blah?
Yes, using disable_functions directive in php.ini

I disabled these functions on my shared servers:
Code:
fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,shell_exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid
various functions disabled but it kills all of phpshells/exploits and all of my scripts are working as well, you may remove some functions if it breaks your scripts

you can disable posix functions in php configure script using '--disable-posix' too
I do have open_basedir turned off in WHM.
turned off? you mean open_basedir protection has been enabled in WHM -> Security Center -> Tweak PHP open_basedir Security ?

Safe_mode gives some errors with the bulletin boards that I run, as does suhosin.
You can turn safe_mode on globally and turn if off individually for each VH using php_admin_value safe_mode 0 directive in VirtualHost section in httpd.conf

for suhosin i use this values in php.ini:
Code:
[suhosin]
extension=suhosin.so
suhosin.post.max_vars = 1024
suhosin.request.max_vars = 1024
suhosin.get.max_value_length = 1024
Any other suggestions?
We know Litespeed is awesome in performances, but there is alot of security features in LSWS either!

To increase your CGI security you may re-install LSWS with chroot enabled but it may break some scripts, however its working like a charm for me

Also you can secure your server for DDoS attacks, check this out: http://www.litespeedtech.com/library/howto/#qa_dos

I suggest you restrict your SSH and WHM daemons only to your own IP addresses if its static, or to your range if dynamic in WHM -> Security Center -> Host Access Control
If you allow your own IP addresses and DENY ALL no one can access into your server even with root pw!

Also upgrade to mysql5 if you are on mysql4, there are vulnerabilities in mysql4 which attacker can bypass open_basedir and access files out of its home, there is a lot of performances in mysql5 either

Now you may upload some phpshells and make sure they are fully killed
common phpshells are available here: www[dot]shellci[dot]biz

Good luck ;)
 
Last edited:

grniyce

Well-Known Member
#6
I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we setup and they were stopped dead in their tracks. Furthermore, CSF blocked the ip's automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

The only question I have is:

I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-latest.tar.gz

Thank you once again for your contribution. I cannot say how thankful I am in words.

Sincerely blessed from receiving your help,

Anthony Jordan
 

DraCoola

Well-Known Member
#7
Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again :(
 

Tony

Well-Known Member
#8
Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again :(

Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.
 

IrPr

Well-Known Member
#9
I did everything you said and then I had a friend find some of the most common scripts that cause trouble, and we uploaded them to a mock site we setup and they were stopped dead in their tracks. Furthermore, CSF blocked the ip's automatically via LFD. I am truly amazed and overwhelmingly thankful for your help!

The only question I have is:

I signed up on that site, but how would I import/apply these rules? I have WHM and the latest CSF.
http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-latest.tar.gz

Thank you once again for your contribution. I cannot say how thankful I am in words.

Sincerely blessed from receiving your help,

Anthony Jordan
Welcome dude

About mod_sec rules im using JIT and rootkit right now, but i think Tony is more familar with those rules

Still no luck.
Because fantastico need php_uname, shell_exec, and system are enable on php.ini.
So the c99 can ls, ls -al, and cat accross to other vhost again :(
Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.
Fantastico uses the main php.ini file located /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default

PS: I strongly suggest disabling Fantastico if you can because of lots of vulnerabilities
Examples: http://www.milw0rm.com/exploits/6461 or http://www.milw0rm.com/exploits/6897
 
Last edited:

DraCoola

Well-Known Member
#10
Fantastico should be using cPanel's PHP not the system one. So you should not have to enable those functions for fantastico to work properly. If it's using the system PHP you should run /scripts/makecpphp and it'll rebuild the cpanel php.
Thank you for explanation.
Could you told me the path for system php.ini?
 

DraCoola

Well-Known Member
#11

Tony

Well-Known Member
#12
Fantastico uses the main php.ini file located /usr/local/lib/php.ini while LS uses LSPATH/lsphpx/lib/php.ini by default
If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

cPanel's PHP which would be used by Fantastico since the installer runs within the cPanel system would be /usr/local/cpanel/3rdparty/etc/php.ini . The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related ran within WHM or cPanel.
 

DraCoola

Well-Known Member
#13
But... after I edit /usr/local/lib/php.ini, it always changed for the phpinfo() value on /home/user/public_html/phpinfo.php
Is there something wrong with my installation?
I am still using the old php 5.2.8 from cpanel.
 

IrPr

Well-Known Member
#14
If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

cPanel's PHP which would be used by Fantastico since the installer runs within the cPanel system would be /usr/local/cpanel/3rdparty/etc/php.ini . The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related ran within WHM or cPanel.
right, thanks for correction

i always build lsphp myself
 

IrPr

Well-Known Member
#15
But... after I edit /usr/local/lib/php.ini, it always changed for the phpinfo() value on /home/user/public_html/phpinfo.php
Is there something wrong with my installation?
I am still using the old php 5.2.8 from cpanel.
ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
i thinks its linked into lsphp's php.ini or vv
 
Last edited:

DraCoola

Well-Known Member
#17
If the user is using cPanel and used the build matching PHP they'd use /usr/local/lib/php.ini which matches the CLI built by cPanel.

cPanel's PHP which would be used by Fantastico since the installer runs within the cPanel system would be /usr/local/cpanel/3rdparty/etc/php.ini . The cPanel PHP can be found at /usr/local/cpanel/3rdparty/bin/php and is used by anything PHP related ran within WHM or cPanel.
I check for /usr/local/cpanel/3rdparty/etc/php.ini and found that disable_functions are totally empty there.



@IrPr :

root@xxxxx [/home]# ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
/bin/ls: /opt/lsws/lsphp5/lib/php.ini: No such file or directory
0 lrwxrwxrwx 1 root root 22 Feb 15 12:07 /usr/lib/php.ini -> /usr/local/lib/php.ini
40 -rw-r--r-- 1 root root 40218 Apr 1 08:21 /usr/local/lib/php.ini
 

IrPr

Well-Known Member
#18
I check for /usr/local/cpanel/3rdparty/etc/php.ini and found that disable_functions are totally empty there.



@IrPr :

root@xxxxx [/home]# ls -als /usr/local/lib/php.ini /usr/lib/php.ini /opt/lsws/lsphp5/lib/php.ini
/bin/ls: /opt/lsws/lsphp5/lib/php.ini: No such file or directory
0 lrwxrwxrwx 1 root root 22 Feb 15 12:07 /usr/lib/php.ini -> /usr/local/lib/php.ini
40 -rw-r--r-- 1 root root 40218 Apr 1 08:21 /usr/local/lib/php.ini
Using lsws? whats your loaded php.ini path in phpinfo() ?
 

DraCoola

Well-Known Member
#20
But still curious on how to enable the pure phpsuexec to this LS-Cpanel.
Because I think the security of LS will totally null if any user still can walk around to other users teritories.

It is just as the same as php-DSO (nobody), which username means nothing to php security.
 
Top