Protection against shell scripts ?
Posted by bin_asc, 09-14-2007, 12:24 PM I was wondering how do you guys protect your servers against users running shell scripts on their account. I mean, in case they upload some and start mingling on your server. Also, some solutions without disabling php_functions and safemode = on ... Regards, Adrian
Posted by Patrick, 09-14-2007, 12:40 PM That's quite a broad question. There's really no sure fire way to stop people from executing shell scripts or other commands that would allow them to "mingle" around. People can always run the same command through SSH, PHP, Perl, Python, etc... you get the idea. A better question is, what exactly are you trying to prevent people from doing?
Posted by pmabraham, 09-14-2007, 01:30 PM Greetings: Security on the Internet, for those who are security conscious, must be a way of life. Security needs to be in layers to have the greatest impact with no single layer being treated like a golden calf. The general layers of security cover operating system security, any hosting automation security, the security services themselves, and application security. Some layers you may want to consider is mod_security from http://www.modsecurity.org/ (if you run the Apache web server), along with a good set of rules (what works best may depend on what automation system, if any, is used), disabling PHP functions, and making sure operating system components have the lest permissions and ownership necessary for them to work with the applications. End users should also be educated, and encouraged on a regular basis to keep their applications up to date. Thank you.
Posted by zacharooni, 09-14-2007, 01:38 PM Apply appropriate group/chmod permissions on the right binaries.
Posted by dynawebd, 09-14-2007, 03:12 PM There is nothing like a good mod_security ruleset.
Posted by bin_asc, 09-14-2007, 06:29 PM Ok, I agree too all of you. But it seems with open_basedir + suhosin you still can`t stop people looking through other users accounts. Is it good to go for grsec for the kernel ?
Posted by zacharooni, 09-14-2007, 07:01 PM Yes, this will enforce /proc and /dev restrictions, especially if you train it beforehand with learning config.
Posted by Patrick, 09-14-2007, 07:18 PM With suPHP (PHP suEXEC) and open_basedir protection enabled, people should not be able to access other users home directories. I'm curious, how are you verifying that they can? Even from a normal non-restricted SSH account, people still should still not be able to access other users home directories...
Posted by bin_asc, 09-14-2007, 08:01 PM What are limitations to suPHP ? I tried to compile it and it gave all my pages on the server 500 internal errors.
Posted by bin_asc, 09-14-2007, 08:02 PM I think * that it allows only a max 755 chmod on a file ...
Posted by Patrick, 09-14-2007, 08:48 PM The only "limitation" I have found by using suPHP / PHP suEXEC is that it appears to use a little bit more CPU and RAM. Personally, I don't mind a little extra load given the added security and the time it'll save by tracking down who's running a malicious "nobody" process. When you first enable suPHP / PHP suEXEC there will be a lot of scripts producing 500 internal errors, but it's a very quick fix for the most part. Go into each /home/user/public_html directory and run the following: Those two chmod settings will work for almost all scripts, but there will be the odd script that requires a different chmod value...
Posted by bin_asc, 09-14-2007, 08:54 PM And files that need chmod 0777 ? what will happen to those ?
Posted by Patrick, 09-14-2007, 09:08 PM They'll work fine with either 644 or 755... or both.
Posted by bin_asc, 09-14-2007, 09:26 PM Good. Now I`m off to bed
Posted by jon-f, 09-14-2007, 11:09 PM mod security of course , I also noticed since running php5.2x with allow_url_include disabled it cuts waaay down on shells on your boxes, prevents remote file inclusions, remote command execs, etc. They can still upload shells through poorly coded upload scripts or ftp though. And if you dont mind the heavier resource usage suphp is the best for server security as a whole. With individual users, they can have their sites deleted if someone gets a shell on it though but without url include they would have to use ftp or upload forms, and if they are in their ftp theyre hacked anyway.
Posted by brianoz, 09-15-2007, 05:34 AM CSF works well here in notifying you of long-running scripts that may be problems.
Posted by bin_asc, 09-15-2007, 02:09 PM What really leaves me clueless is that open_basedir protected me once against users reading /etc/passwd and I recently tested it, and it doesn`t no more. Last edited by bin_asc; 09-15-2007 at 02:14 PM.
Posted by bin_asc, 09-15-2007, 02:19 PM I`m talking here more about protection from malware and so on, not memory consuming
Posted by orchidinc, 09-16-2007, 04:21 AM same here...